fix(googleworkspace): use per-service resources for Gmail (#11169)

lydiavilchez
2026-05-14 12:01:07 +02:00
committed by GitHub
parent 1bb547e5e1
commit 78af0c24fe
35 changed files with 94 additions and 53 deletions
+4
@@ -17,6 +17,10 @@ All notable changes to the **Prowler SDK** are documented in this file.
- `entra_emergency_access_exclusion` check for M365 provider now scopes the exclusion requirement to enabled Conditional Access policies with a `Block` grant control instead of every enabled policy, focusing on the lockout-relevant policy set [(#10849)](https://github.com/prowler-cloud/prowler/pull/10849)
- AWS IAM customer-managed policy checks no longer emit `FAIL` on unattached policies unless `--scan-unused-services` is enabled [(#11150)](https://github.com/prowler-cloud/prowler/pull/11150)
### 🐞 Fixed
- Google Workspace Gmail checks sharing a single resource row, causing the service field to be overwritten by the last check executed [(#11169)](https://github.com/prowler-cloud/prowler/pull/11169)
---
## [5.26.2] (Prowler UNRELEASED)
@@ -18,7 +18,10 @@ class gmail_anomalous_attachment_protection_enabled(Check):
if gmail_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=gmail_client.provider.domain_resource,
resource=gmail_client.policies,
resource_id="gmailPolicies",
resource_name="Gmail Policies",
customer_id=gmail_client.provider.identity.customer_id,
)
enabled = gmail_client.policies.enable_anomalous_attachment_protection
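Review bot: `resource_id="gmailPolicies"` makes the resource id the same constant for every Workspace tenant, whereas the previous domain resource yielded the customer id (the auto-forwarding test's old assertion was `resource_id == CUSTOMER_ID`). `customer_id` is still passed separately, so this is safe only if everything downstream that keys on a resource (deduplication, mute lists, inventory) also scopes by customer; that is not visible here and is worth confirming, or the id could carry the tenant, e.g. `resource_id=f"{gmail_client.provider.identity.customer_id}/gmailPolicies"`. The two literals are also repeated verbatim in the sixteen other Gmail checks in this commit (gmail_auto_forwarding_disabled through gmail_untrusted_link_warnings_enabled); defining them once beside `GmailPolicies` would keep a typo in one file from splitting that check onto its own resource row again. The enclosing method starts and ends outside the hunk.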
@@ -18,7 +18,10 @@ class gmail_auto_forwarding_disabled(Check):
if gmail_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=gmail_client.provider.domain_resource,
resource=gmail_client.policies,
resource_id="gmailPolicies",
resource_name="Gmail Policies",
customer_id=gmail_client.provider.identity.customer_id,
)
forwarding_enabled = gmail_client.policies.enable_auto_forwarding
@@ -18,7 +18,10 @@ class gmail_comprehensive_mail_storage_enabled(Check):
if gmail_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=gmail_client.provider.domain_resource,
resource=gmail_client.policies,
resource_id="gmailPolicies",
resource_name="Gmail Policies",
customer_id=gmail_client.provider.identity.customer_id,
)
storage_enabled = gmail_client.policies.comprehensive_mail_storage_enabled
@@ -18,7 +18,10 @@ class gmail_domain_spoofing_protection_enabled(Check):
if gmail_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=gmail_client.provider.domain_resource,
resource=gmail_client.policies,
resource_id="gmailPolicies",
resource_name="Gmail Policies",
customer_id=gmail_client.provider.identity.customer_id,
)
enabled = gmail_client.policies.detect_domain_name_spoofing
@@ -18,7 +18,10 @@ class gmail_employee_name_spoofing_protection_enabled(Check):
if gmail_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=gmail_client.provider.domain_resource,
resource=gmail_client.policies,
resource_id="gmailPolicies",
resource_name="Gmail Policies",
customer_id=gmail_client.provider.identity.customer_id,
)
enabled = gmail_client.policies.detect_employee_name_spoofing
@@ -18,7 +18,10 @@ class gmail_encrypted_attachment_protection_enabled(Check):
if gmail_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=gmail_client.provider.domain_resource,
resource=gmail_client.policies,
resource_id="gmailPolicies",
resource_name="Gmail Policies",
customer_id=gmail_client.provider.identity.customer_id,
)
enabled = gmail_client.policies.enable_encrypted_attachment_protection
@@ -18,7 +18,10 @@ class gmail_enhanced_pre_delivery_scanning_enabled(Check):
if gmail_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=gmail_client.provider.domain_resource,
resource=gmail_client.policies,
resource_id="gmailPolicies",
resource_name="Gmail Policies",
customer_id=gmail_client.provider.identity.customer_id,
)
scanning_enabled = (
@@ -18,7 +18,10 @@ class gmail_external_image_scanning_enabled(Check):
if gmail_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=gmail_client.provider.domain_resource,
resource=gmail_client.policies,
resource_id="gmailPolicies",
resource_name="Gmail Policies",
customer_id=gmail_client.provider.identity.customer_id,
)
scanning_enabled = gmail_client.policies.enable_external_image_scanning
@@ -18,7 +18,10 @@ class gmail_groups_spoofing_protection_enabled(Check):
if gmail_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=gmail_client.provider.domain_resource,
resource=gmail_client.policies,
resource_id="gmailPolicies",
resource_name="Gmail Policies",
customer_id=gmail_client.provider.identity.customer_id,
)
enabled = gmail_client.policies.detect_groups_spoofing
@@ -18,7 +18,10 @@ class gmail_inbound_domain_spoofing_protection_enabled(Check):
if gmail_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=gmail_client.provider.domain_resource,
resource=gmail_client.policies,
resource_id="gmailPolicies",
resource_name="Gmail Policies",
customer_id=gmail_client.provider.identity.customer_id,
)
enabled = gmail_client.policies.detect_inbound_domain_spoofing
@@ -18,7 +18,10 @@ class gmail_mail_delegation_disabled(Check):
if gmail_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=gmail_client.provider.domain_resource,
resource=gmail_client.policies,
resource_id="gmailPolicies",
resource_name="Gmail Policies",
customer_id=gmail_client.provider.identity.customer_id,
)
delegation_enabled = gmail_client.policies.enable_mail_delegation
@@ -18,7 +18,10 @@ class gmail_per_user_outbound_gateway_disabled(Check):
if gmail_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=gmail_client.provider.domain_resource,
resource=gmail_client.policies,
resource_id="gmailPolicies",
resource_name="Gmail Policies",
customer_id=gmail_client.provider.identity.customer_id,
)
gateway_allowed = gmail_client.policies.allow_per_user_outbound_gateway
@@ -18,7 +18,10 @@ class gmail_pop_imap_access_disabled(Check):
if gmail_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=gmail_client.provider.domain_resource,
resource=gmail_client.policies,
resource_id="gmailPolicies",
resource_name="Gmail Policies",
customer_id=gmail_client.provider.identity.customer_id,
)
pop_enabled = gmail_client.policies.enable_pop_access
@@ -18,7 +18,10 @@ class gmail_script_attachment_protection_enabled(Check):
if gmail_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=gmail_client.provider.domain_resource,
resource=gmail_client.policies,
resource_id="gmailPolicies",
resource_name="Gmail Policies",
customer_id=gmail_client.provider.identity.customer_id,
)
enabled = gmail_client.policies.enable_script_attachment_protection
@@ -18,7 +18,10 @@ class gmail_shortener_scanning_enabled(Check):
if gmail_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=gmail_client.provider.domain_resource,
resource=gmail_client.policies,
resource_id="gmailPolicies",
resource_name="Gmail Policies",
customer_id=gmail_client.provider.identity.customer_id,
)
scanning_enabled = gmail_client.policies.enable_shortener_scanning
@@ -18,7 +18,10 @@ class gmail_unauthenticated_email_protection_enabled(Check):
if gmail_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=gmail_client.provider.domain_resource,
resource=gmail_client.policies,
resource_id="gmailPolicies",
resource_name="Gmail Policies",
customer_id=gmail_client.provider.identity.customer_id,
)
enabled = gmail_client.policies.detect_unauthenticated_emails
@@ -18,7 +18,10 @@ class gmail_untrusted_link_warnings_enabled(Check):
if gmail_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=gmail_client.provider.domain_resource,
resource=gmail_client.policies,
resource_id="gmailPolicies",
resource_name="Gmail Policies",
customer_id=gmail_client.provider.identity.customer_id,
)
warnings_enabled = (
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -38,7 +37,7 @@ class TestGmailAnomalousAttachmentProtectionEnabled:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "WARNING" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Gmail Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_no_action(self):
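Review bot: The only changed assertion in this test is `resource_name == "Gmail Policies"`; nothing here pins `resource_id`, although the id is what the check now hard-codes and what a resource row would presumably be keyed on. TestGmailAutoForwardingDisabled does assert `findings[0].resource_id == "gmailPolicies"` and the serialized `GmailPolicies` resource, but the other fifteen test files changed in this commit follow this one and assert the name only. Adding `assert findings[0].resource_id == "gmailPolicies"` next to the name assertion in each would catch a single check drifting to a different id. The test method starts outside the hunk.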
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -35,10 +34,13 @@ class TestGmailAutoForwardingDisabled:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "disabled" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_id == CUSTOMER_ID
assert findings[0].resource_name == "Gmail Policies"
assert findings[0].resource_id == "gmailPolicies"
assert findings[0].customer_id == CUSTOMER_ID
assert findings[0].resource == mock_provider.domain_resource.dict()
assert (
findings[0].resource
== GmailPolicies(enable_auto_forwarding=False).dict()
)
def test_fail_disabled(self):
mock_provider = set_mocked_googleworkspace_provider()
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -37,7 +36,7 @@ class TestGmailComprehensiveMailStorageEnabled:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "enabled" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Gmail Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_disabled(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -38,7 +37,7 @@ class TestGmailDomainSpoofingProtectionEnabled:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "SPAM_FOLDER" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Gmail Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_no_action(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -38,7 +37,7 @@ class TestGmailEmployeeNameSpoofingProtectionEnabled:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "SPAM_FOLDER" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Gmail Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_no_action(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -38,7 +37,7 @@ class TestGmailEncryptedAttachmentProtectionEnabled:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "QUARANTINE" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Gmail Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_no_action(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -37,7 +36,7 @@ class TestGmailEnhancedPreDeliveryScanningEnabled:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "enabled" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Gmail Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_disabled(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -35,7 +34,7 @@ class TestGmailExternalImageScanningEnabled:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "enabled" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Gmail Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_disabled(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -39,7 +38,7 @@ class TestGmailGroupsSpoofingProtectionEnabled:
assert findings[0].status == "PASS"
assert "all groups" in findings[0].status_extended
assert "SPAM_FOLDER" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Gmail Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_pass_private_groups_only(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -38,7 +37,7 @@ class TestGmailInboundDomainSpoofingProtectionEnabled:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "QUARANTINE" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Gmail Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_no_action(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -35,7 +34,7 @@ class TestGmailMailDelegationDisabled:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "disabled" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Gmail Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_delegation_enabled(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -35,7 +34,7 @@ class TestGmailPerUserOutboundGatewayDisabled:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "disabled" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Gmail Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_disabled(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -37,7 +36,7 @@ class TestGmailPopImapAccessDisabled:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "disabled" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Gmail Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_both_enabled(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -38,7 +37,7 @@ class TestGmailScriptAttachmentProtectionEnabled:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "QUARANTINE" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Gmail Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_no_action(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -35,7 +34,7 @@ class TestGmailShortenerScanningEnabled:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "enabled" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Gmail Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_disabled(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -38,7 +37,7 @@ class TestGmailUnauthenticatedEmailProtectionEnabled:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "WARNING" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Gmail Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_no_action(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -37,7 +36,7 @@ class TestGmailUntrustedLinkWarningsEnabled:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "enabled" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Gmail Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_disabled(self):