fix(elbv2): Handle post-quantum (PQ) TLS policies (#10219)

This commit is contained in:
Pepe Fagoaga
2026-03-03 09:18:00 +00:00
committed by GitHub
parent fa93cabc0b
commit 9c2cb5efa8
4 changed files with 119 additions and 2 deletions


@@ -1,5 +1,6 @@
from unittest import mock
import pytest
from boto3 import client, resource
from moto import mock_aws
@@ -216,3 +217,106 @@ class Test_elbv2_insecure_ssl_ciphers:
)
assert result[0].resource_id == "my-lb"
assert result[0].resource_arn == lb["LoadBalancerArn"]
@pytest.mark.parametrize(
"ssl_policy",
[
"ELBSecurityPolicy-TLS13-1-3-PQ-2025-09",
"ELBSecurityPolicy-TLS13-1-2-PQ-2025-09",
"ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09",
"ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09",
"ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09",
"ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09",
"ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09",
"ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09",
"ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09",
"ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09",
"ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09",
],
)
@mock_aws
def test_elbv2_listener_with_pq_tls_policy(self, ssl_policy):
conn = client("elbv2", region_name=AWS_REGION_EU_WEST_1)
ec2 = resource("ec2", region_name=AWS_REGION_EU_WEST_1)
security_group = ec2.create_security_group(
GroupName="a-security-group", Description="First One"
)
vpc = ec2.create_vpc(CidrBlock="172.28.7.0/24", InstanceTenancy="default")
subnet1 = ec2.create_subnet(
VpcId=vpc.id,
CidrBlock="172.28.7.192/26",
AvailabilityZone=AWS_REGION_EU_WEST_1_AZA,
)
subnet2 = ec2.create_subnet(
VpcId=vpc.id,
CidrBlock="172.28.7.0/26",
AvailabilityZone=AWS_REGION_EU_WEST_1_AZB,
)
lb = conn.create_load_balancer(
Name="my-lb",
Subnets=[subnet1.id, subnet2.id],
SecurityGroups=[security_group.id],
Scheme="internal",
Type="application",
)["LoadBalancers"][0]
response = conn.create_target_group(
Name="a-target",
Protocol="HTTP",
Port=8080,
VpcId=vpc.id,
HealthCheckProtocol="HTTP",
HealthCheckPort="8080",
HealthCheckPath="/",
HealthCheckIntervalSeconds=5,
HealthCheckTimeoutSeconds=3,
HealthyThresholdCount=5,
UnhealthyThresholdCount=2,
Matcher={"HttpCode": "200"},
)
target_group = response.get("TargetGroups")[0]
target_group_arn = target_group["TargetGroupArn"]
conn.create_listener(
LoadBalancerArn=lb["LoadBalancerArn"],
Protocol="HTTPS",
Port=443,
SslPolicy=ssl_policy,
DefaultActions=[{"Type": "forward", "TargetGroupArn": target_group_arn}],
)
from prowler.providers.aws.services.elbv2.elbv2_service import ELBv2
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_aws_provider(
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1]
),
),
mock.patch(
"prowler.providers.aws.services.elbv2.elbv2_insecure_ssl_ciphers.elbv2_insecure_ssl_ciphers.elbv2_client",
new=ELBv2(
set_mocked_aws_provider(
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
create_default_organization=False,
)
),
),
):
from prowler.providers.aws.services.elbv2.elbv2_insecure_ssl_ciphers.elbv2_insecure_ssl_ciphers import (
elbv2_insecure_ssl_ciphers,
)
check = elbv2_insecure_ssl_ciphers()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== "ELBv2 my-lb does not have insecure SSL protocols or ciphers."
)
assert result[0].resource_id == "my-lb"
assert result[0].resource_arn == lb["LoadBalancerArn"]
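Review bot: The new test_elbv2_listener_with_pq_tls_policy test carries no docstring or comment saying why the eleven PQ policy names are expected to PASS, so a later maintainer has nothing to check the parametrize list against when AWS publishes another dated policy. A one-line docstring such as `"""Listeners using the 2025-09 post-quantum (PQ) ELBSecurityPolicy variants must be reported as PASS by elbv2_insecure_ssl_ciphers."""` plus a comment above the list, `# Keep in sync with the PQ policy allow-list the check consults`, would document that coupling with the check's own list, which lives in one of the other changed files. Moto's create_listener is unlikely to validate SslPolicy against AWS's real catalogue, so the assertions cover only the check's classification of these names, not that they are accepted by AWS; the docstring could state that as well. The enclosing Test_elbv2_insecure_ssl_ciphers class starts outside the hunk.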