mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-04-09 11:17:08 +00:00
4 Commits
chore/prek
...
PROWLER-12
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
4e128725d9 | ||
|
|
89fe867944 | ||
|
|
2be2753c55 | ||
|
|
283259f34c |
4
.github/workflows/sdk-tests.yml
@@ -216,11 +216,11 @@ jobs:
|
||||
echo "AWS service_paths='${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}'"
|
||||
|
||||
if [ "${STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL}" = "true" ]; then
|
||||
poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
|
||||
poetry run pytest -p no:randomly -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
|
||||
elif [ -z "${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}" ]; then
|
||||
echo "No AWS service paths detected; skipping AWS tests."
|
||||
else
|
||||
poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}
|
||||
poetry run pytest -p no:randomly -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}
|
||||
fi
|
||||
env:
|
||||
STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL: ${{ steps.aws-services.outputs.run_all }}
|
||||
|
||||
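Review bot: The `-p no:randomly` flag added to both pytest invocations (the run-all branch and the service-paths branch) carries no explanation, and disabling pytest-randomly only hides any order-dependent test instead of fixing it. If the intent is to stop ordering-triggered CI timeouts while the isolation problem is tracked, a shell comment above the first invocation keeps that visible, e.g. `# pytest-randomly disabled: some AWS tests are order-dependent, tracked in <ISSUE-PLACEHOLDER>`. The step's enclosing `run:` block starts and ends outside the hunk.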
BIN
docs/images/providers/select-vercel-prowler-cloud.png
Normal file
BIN
docs/images/providers/vercel-launch-scan.png
Normal file
BIN
docs/images/providers/vercel-team-id-form.png
Normal file
BIN
docs/images/providers/vercel-token-form.png
Normal file
@@ -13,9 +13,63 @@ Set up authentication for Vercel with the [Vercel Authentication](/user-guide/pr
|
||||
- Create a Vercel API Token with access to the target team
|
||||
- Identify the Team ID (optional, required to scope the scan to a single team)
|
||||
|
||||
<CardGroup cols={2}>
|
||||
<Card title="Prowler Cloud" icon="cloud" href="#prowler-cloud">
|
||||
Onboard Vercel using Prowler Cloud
|
||||
</Card>
|
||||
<Card title="Prowler CLI" icon="terminal" href="#prowler-cli">
|
||||
Onboard Vercel using Prowler CLI
|
||||
</Card>
|
||||
</CardGroup>
|
||||
|
||||
## Prowler Cloud
|
||||
|
||||
<VersionBadge version="5.23.0" />
|
||||
|
||||
### Step 1: Add the Provider
|
||||
|
||||
1. Go to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app).
|
||||
2. Navigate to "Configuration" > "Cloud Providers".
|
||||
|
||||

|
||||
|
||||
3. Click "Add Cloud Provider".
|
||||
|
||||

|
||||
|
||||
4. Select "Vercel".
|
||||
|
||||

|
||||
|
||||
5. Enter the **Team ID** and an optional alias, then click "Next".
|
||||
|
||||

|
||||
|
||||
<Note>
|
||||
The Team ID can be found in the Vercel Dashboard under "Settings" > "General". It follows the format `team_xxxxxxxxxxxxxxxxxxxx`. For detailed instructions, see the [Authentication guide](/user-guide/providers/vercel/authentication).
|
||||
</Note>
|
||||
|
||||
### Step 2: Provide Credentials
|
||||
|
||||
1. Enter the **API Token** created in the Vercel Dashboard.
|
||||
|
||||

|
||||
|
||||
For the complete token creation workflow, follow the [Authentication guide](/user-guide/providers/vercel/authentication#api-token).
|
||||
|
||||
### Step 3: Launch the Scan
|
||||
|
||||
1. Review the connection summary.
|
||||
2. Choose the scan schedule: run a single scan or set up daily scans (every 24 hours).
|
||||
3. Click **Launch Scan** to start auditing Vercel.
|
||||
|
||||

|
||||
|
||||
---
|
||||
|
||||
## Prowler CLI
|
||||
|
||||
<VersionBadge version="5.22.0" />
|
||||
<VersionBadge version="5.23.0" />
|
||||
|
||||
### Step 1: Set Up Authentication
|
||||
|
||||
|
||||
@@ -33,6 +33,9 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
||||
- `--list-checks` and `--list-checks-json` now include `threat-detection` category checks in their output [(#10578)](https://github.com/prowler-cloud/prowler/pull/10578)
|
||||
- Missing `__init__.py` in `codebuild_project_uses_allowed_github_organizations` check preventing discovery by `--list-checks` [(#10584)](https://github.com/prowler-cloud/prowler/pull/10584)
|
||||
- Azure Key Vault checks emitting incorrect findings for keys, secrets, and vault logging [(#10332)](https://github.com/prowler-cloud/prowler/pull/10332)
|
||||
- `is_policy_public` now recognizes `kms:CallerAccount`, `kms:ViaService`, `aws:CalledVia`, `aws:CalledViaFirst`, and `aws:CalledViaLast` as restrictive condition keys, fixing false positives in `kms_key_policy_is_not_public` and other checks that use `is_condition_block_restrictive` [(#10600)](https://github.com/prowler-cloud/prowler/pull/10600)
|
||||
- `_enabled_regions` empty-set bug in `AwsProvider.generate_regional_clients` creating boto3 clients for all 36 AWS regions instead of the audited ones, causing random CI timeouts and slow test runs [(#10598)](https://github.com/prowler-cloud/prowler/pull/10598)
|
||||
- Retrieve only the latest version from a package in AWS CodeArtifact [(#10243)](https://github.com/prowler-cloud/prowler/pull/10243)
|
||||
|
||||
### 🔐 Security
|
||||
|
||||
|
||||
@@ -96,7 +96,7 @@ class AwsProvider(Provider):
|
||||
_audit_resources: list = []
|
||||
_audit_config: dict
|
||||
_scan_unused_services: bool = False
|
||||
_enabled_regions: set = set()
|
||||
_enabled_regions: set | None = None
|
||||
_mutelist: AWSMutelist
|
||||
# TODO: this is not optional, enforce for all providers
|
||||
audit_metadata: Audit_Metadata
|
||||
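Review bot: `_enabled_regions: set | None = None` is a class-level annotation that is evaluated at class creation time, so on Python 3.9 it raises `TypeError` for the `|` operand unless the module has `from __future__ import annotations`; the file header and the project's minimum Python version are not visible here, so confirm one of the two holds (the `-> set | None` return annotation in the later hunk has the same dependency). Replacing the shared mutable `set()` default with `None` also removes the cross-instance state the old class attribute carried, which deserves a one-line comment so nobody reintroduces it: `# None = enabled regions not resolved (or lookup failed); never a shared mutable default`.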
@@ -747,7 +747,7 @@ class AwsProvider(Provider):
|
||||
)
|
||||
|
||||
# Get the regions enabled for the account and get the intersection with the service available regions
|
||||
if self._enabled_regions:
|
||||
if self._enabled_regions is not None:
|
||||
enabled_regions = service_regions.intersection(self._enabled_regions)
|
||||
else:
|
||||
enabled_regions = service_regions
|
||||
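Review bot: The comment above `if self._enabled_regions is not None:` still describes only the intersection case, while the new branch gives `None` a meaning distinct from an empty set: `None` (lookup failed) falls back to every region the service supports, whereas an empty set now yields no regional clients at all. Suggest extending the comment: `# None means the enabled-region lookup failed (see get_aws_enabled_regions); fall back to all service regions`. The enclosing method starts and ends outside the hunk.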
@@ -1104,14 +1104,14 @@ class AwsProvider(Provider):
|
||||
file=pathlib.Path(__file__).name,
|
||||
)
|
||||
|
||||
def get_aws_enabled_regions(self, current_session: Session) -> set:
|
||||
"""get_aws_enabled_regions returns a set of enabled AWS regions
|
||||
def get_aws_enabled_regions(self, current_session: Session) -> set | None:
|
||||
"""get_aws_enabled_regions returns a set of enabled AWS regions, or None on failure.
|
||||
|
||||
Args:
|
||||
- current_session: The AWS session object
|
||||
|
||||
Returns:
|
||||
- set: set of strings representing the enabled AWS regions
|
||||
- set | None: set of enabled AWS region strings, or None if regions could not be determined
|
||||
"""
|
||||
try:
|
||||
# EC2 Client to check enabled regions
|
||||
@@ -1131,7 +1131,7 @@ class AwsProvider(Provider):
|
||||
logger.error(
|
||||
f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
|
||||
)
|
||||
return set()
|
||||
return None
|
||||
|
||||
# TODO: review this function
|
||||
# Maybe this should be done within the AwsProvider and not in __main__.py
|
||||
|
||||
@@ -96,6 +96,7 @@ class CodeArtifact(AWSService):
|
||||
namespace=package_namespace,
|
||||
package=package_name,
|
||||
sortBy="PUBLISHED_TIME",
|
||||
maxResults=1,
|
||||
)
|
||||
)
|
||||
else:
|
||||
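Review bot: `sortBy="PUBLISHED_TIME"` combined with `maxResults=1` selects the most recently published version regardless of its lifecycle status, so a version that has since been archived, unlisted or disposed can be reported as `latest_version` ahead of the newest consumable one; if only published versions are meant, the `status` parameter of `list_package_versions` filters by that state. The same call is repeated in the no-namespace branch in the next hunk. The surrounding loop starts and ends outside the hunk.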
@@ -111,6 +112,7 @@ class CodeArtifact(AWSService):
|
||||
format=package_format,
|
||||
package=package_name,
|
||||
sortBy="PUBLISHED_TIME",
|
||||
maxResults=1,
|
||||
)
|
||||
)
|
||||
latest_version = ""
|
||||
|
||||
@@ -617,6 +617,11 @@ def is_condition_block_restrictive(
|
||||
"aws:sourceorgpaths",
|
||||
"aws:userid",
|
||||
"aws:username",
|
||||
"aws:calledvia",
|
||||
"aws:calledviafirst",
|
||||
"aws:calledvialast",
|
||||
"kms:calleraccount",
|
||||
"kms:viaservice",
|
||||
"s3:resourceaccount",
|
||||
"lambda:eventsourcetoken", # For Alexa Home functions, a token that the invoker must supply.
|
||||
],
|
||||
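Review bot: `kms:viaservice`, `aws:calledvia`, `aws:calledviafirst` and `aws:calledvialast` scope the request path (which AWS service the call passes through), not the principal, so on their own they do not close a `Principal: "*"` statement: any AWS account can still reach the key or resource through the named service, which is why AWS's default service-created key policies pair `kms:ViaService` with `kms:CallerAccount`. If the rest of `is_condition_block_restrictive` already requires a principal- or account-scoping key alongside, this is moot; if any listed key alone marks the block restrictive, `kms_key_policy_is_not_public` will now miss key policies scoped only by service. A comment on these entries would prevent that reading being lost, e.g. `# path-scoping keys: restrictive only together with an account/principal-scoping key such as kms:calleraccount`. The same list appears in the next hunk, and the function body continues outside both.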
@@ -635,6 +640,11 @@ def is_condition_block_restrictive(
|
||||
"aws:sourceorgpaths",
|
||||
"aws:userid",
|
||||
"aws:username",
|
||||
"aws:calledvia",
|
||||
"aws:calledviafirst",
|
||||
"aws:calledvialast",
|
||||
"kms:calleraccount",
|
||||
"kms:viaservice",
|
||||
"s3:resourceaccount",
|
||||
"lambda:eventsourcetoken",
|
||||
],
|
||||
|
||||
@@ -95,8 +95,10 @@ class Route53(AWSService):
|
||||
region, so we need to query all enabled regions to avoid false positives.
|
||||
"""
|
||||
logger.info("Route53 - Gathering Elastic IPs from all regions...")
|
||||
all_regions = self.provider._enabled_regions or set(
|
||||
self.provider._identity.audited_regions
|
||||
all_regions = (
|
||||
self.provider._enabled_regions
|
||||
if self.provider._enabled_regions is not None
|
||||
else set(self.provider._identity.audited_regions)
|
||||
)
|
||||
|
||||
for region in all_regions:
|
||||
|
||||
@@ -78,7 +78,9 @@ class TestAWSService:
|
||||
def test_AWSService_non_global_service_uses_profile_region(self):
|
||||
"""Non-global services should use the profile region when available."""
|
||||
service_name = "s3"
|
||||
provider = set_mocked_aws_provider(profile_region=AWS_REGION_EU_WEST_1)
|
||||
provider = set_mocked_aws_provider(
|
||||
audited_regions=[], profile_region=AWS_REGION_EU_WEST_1
|
||||
)
|
||||
service = AWSService(service_name, provider)
|
||||
|
||||
assert service.region == AWS_REGION_EU_WEST_1
|
||||
|
||||
@@ -312,7 +312,9 @@ class Test_awslambda_function_not_publicly_accessible:
|
||||
with (
|
||||
mock.patch(
|
||||
"prowler.providers.common.provider.Provider.get_global_provider",
|
||||
return_value=set_mocked_aws_provider(),
|
||||
return_value=set_mocked_aws_provider(
|
||||
audited_regions=[AWS_REGION_EU_WEST_1]
|
||||
),
|
||||
),
|
||||
mock.patch(
|
||||
"prowler.providers.aws.services.awslambda.awslambda_function_not_publicly_accessible.awslambda_function_not_publicly_accessible.awslambda_client",
|
||||
@@ -552,7 +554,9 @@ class Test_awslambda_function_not_publicly_accessible:
|
||||
with (
|
||||
mock.patch(
|
||||
"prowler.providers.common.provider.Provider.get_global_provider",
|
||||
return_value=set_mocked_aws_provider(),
|
||||
return_value=set_mocked_aws_provider(
|
||||
audited_regions=[AWS_REGION_EU_WEST_1]
|
||||
),
|
||||
),
|
||||
mock.patch(
|
||||
"prowler.providers.aws.services.awslambda.awslambda_function_not_publicly_accessible.awslambda_function_not_publicly_accessible.awslambda_client",
|
||||
@@ -615,7 +619,9 @@ class Test_awslambda_function_not_publicly_accessible:
|
||||
with (
|
||||
mock.patch(
|
||||
"prowler.providers.common.provider.Provider.get_global_provider",
|
||||
return_value=set_mocked_aws_provider(),
|
||||
return_value=set_mocked_aws_provider(
|
||||
audited_regions=[AWS_REGION_EU_WEST_1]
|
||||
),
|
||||
),
|
||||
mock.patch(
|
||||
"prowler.providers.aws.services.awslambda.awslambda_function_not_publicly_accessible.awslambda_function_not_publicly_accessible.awslambda_client",
|
||||
@@ -690,7 +696,9 @@ class Test_awslambda_function_not_publicly_accessible:
|
||||
with (
|
||||
mock.patch(
|
||||
"prowler.providers.common.provider.Provider.get_global_provider",
|
||||
return_value=set_mocked_aws_provider(),
|
||||
return_value=set_mocked_aws_provider(
|
||||
audited_regions=[AWS_REGION_EU_WEST_1]
|
||||
),
|
||||
),
|
||||
mock.patch(
|
||||
"prowler.providers.aws.services.awslambda.awslambda_function_not_publicly_accessible.awslambda_function_not_publicly_accessible.awslambda_client",
|
||||
|
||||
@@ -54,6 +54,9 @@ def mock_make_api_call(self, operation_name, kwarg):
|
||||
}
|
||||
|
||||
if operation_name == "ListPackageVersions":
|
||||
assert (
|
||||
kwarg.get("maxResults") == 1
|
||||
), "list_package_versions must pass maxResults=1 to avoid fetching all versions"
|
||||
return {
|
||||
"defaultDisplayVersion": "latest",
|
||||
"format": "pypi",
|
||||
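Review bot: The new assertion in `mock_make_api_call` pins only `maxResults`, but the behaviour under test (the single returned version is the latest) depends just as much on `sortBy="PUBLISHED_TIME"`; without the sort, `maxResults=1` returns an arbitrary version and the test would still pass. Add `assert kwarg.get("sortBy") == "PUBLISHED_TIME", "list_package_versions must sort by PUBLISHED_TIME so maxResults=1 yields the latest version"` next to the existing assertion, and the same in `mock_make_api_call_no_namespace` in the next hunk. `mock_make_api_call` continues outside the hunk.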
@@ -204,3 +207,102 @@ class Test_CodeArtifact_Service:
|
||||
.latest_version.origin.origin_type
|
||||
== OriginInformationValues.INTERNAL
|
||||
)
|
||||
|
||||
|
||||
def mock_make_api_call_no_namespace(self, operation_name, kwarg):
|
||||
"""Mock for packages without a namespace to exercise the else branch"""
|
||||
if operation_name == "ListRepositories":
|
||||
return {
|
||||
"repositories": [
|
||||
{
|
||||
"name": "test-repository",
|
||||
"administratorAccount": AWS_ACCOUNT_NUMBER,
|
||||
"domainName": "test-domain",
|
||||
"domainOwner": AWS_ACCOUNT_NUMBER,
|
||||
"arn": TEST_REPOSITORY_ARN,
|
||||
"description": "test description",
|
||||
},
|
||||
]
|
||||
}
|
||||
if operation_name == "ListPackages":
|
||||
return {
|
||||
"packages": [
|
||||
{
|
||||
"format": "pypi",
|
||||
"package": "test-package-no-ns",
|
||||
"originConfiguration": {
|
||||
"restrictions": {
|
||||
"publish": "ALLOW",
|
||||
"upstream": "BLOCK",
|
||||
}
|
||||
},
|
||||
},
|
||||
],
|
||||
}
|
||||
|
||||
if operation_name == "ListPackageVersions":
|
||||
assert (
|
||||
kwarg.get("maxResults") == 1
|
||||
), "list_package_versions must pass maxResults=1 to avoid fetching all versions"
|
||||
assert (
|
||||
"namespace" not in kwarg
|
||||
), "namespace should not be passed when package has no namespace"
|
||||
return {
|
||||
"defaultDisplayVersion": "1.0.0",
|
||||
"format": "pypi",
|
||||
"package": "test-package-no-ns",
|
||||
"versions": [
|
||||
{
|
||||
"version": "1.0.0",
|
||||
"revision": "abc123",
|
||||
"status": "Published",
|
||||
"origin": {
|
||||
"domainEntryPoint": {
|
||||
"repositoryName": "test-repository",
|
||||
"externalConnectionName": "",
|
||||
},
|
||||
"originType": "EXTERNAL",
|
||||
},
|
||||
},
|
||||
],
|
||||
}
|
||||
|
||||
if operation_name == "ListTagsForResource":
|
||||
return {"tags": []}
|
||||
|
||||
return make_api_call(self, operation_name, kwarg)
|
||||
|
||||
|
||||
@patch(
|
||||
"botocore.client.BaseClient._make_api_call",
|
||||
new=mock_make_api_call_no_namespace,
|
||||
)
|
||||
@patch(
|
||||
"prowler.providers.aws.aws_provider.AwsProvider.generate_regional_clients",
|
||||
new=mock_generate_regional_clients,
|
||||
)
|
||||
class Test_CodeArtifact_Service_No_Namespace:
|
||||
def test_list_packages_no_namespace(self):
|
||||
codeartifact = CodeArtifact(
|
||||
set_mocked_aws_provider([AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1])
|
||||
)
|
||||
|
||||
assert len(codeartifact.repositories[TEST_REPOSITORY_ARN].packages) == 1
|
||||
|
||||
package = codeartifact.repositories[TEST_REPOSITORY_ARN].packages[0]
|
||||
assert package.name == "test-package-no-ns"
|
||||
assert package.namespace is None
|
||||
assert package.format == "pypi"
|
||||
assert (
|
||||
package.origin_configuration.restrictions.publish == RestrictionValues.ALLOW
|
||||
)
|
||||
assert (
|
||||
package.origin_configuration.restrictions.upstream
|
||||
== RestrictionValues.BLOCK
|
||||
)
|
||||
assert package.latest_version.version == "1.0.0"
|
||||
assert package.latest_version.status == LatestPackageVersionStatus.Published
|
||||
assert (
|
||||
package.latest_version.origin.origin_type
|
||||
== OriginInformationValues.EXTERNAL
|
||||
)
|
||||
|
||||
@@ -139,7 +139,7 @@ class Test_Codebuild_Service:
|
||||
)
|
||||
@mock_aws
|
||||
def test_codebuild_service(self):
|
||||
codebuild = Codebuild(set_mocked_aws_provider())
|
||||
codebuild = Codebuild(set_mocked_aws_provider([AWS_REGION_EU_WEST_1]))
|
||||
|
||||
assert codebuild.session.__class__.__name__ == "Session"
|
||||
assert codebuild.service == "codebuild"
|
||||
|
||||
@@ -76,7 +76,7 @@ class Test_CodePipeline_Service:
|
||||
)
|
||||
@mock_aws
|
||||
def test_codepipeline_service(self):
|
||||
codepipeline = CodePipeline(set_mocked_aws_provider())
|
||||
codepipeline = CodePipeline(set_mocked_aws_provider([AWS_REGION_EU_WEST_1]))
|
||||
|
||||
assert codepipeline.session.__class__.__name__ == "Session"
|
||||
assert codepipeline.service == "codepipeline"
|
||||
|
||||
@@ -106,27 +106,27 @@ def mock_generate_regional_clients(provider, service):
|
||||
class Test_DataSync_Service:
|
||||
# Test DataSync Service initialization
|
||||
def test_service(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
datasync = DataSync(aws_provider)
|
||||
assert datasync.service == "datasync"
|
||||
|
||||
# Test DataSync clients creation
|
||||
def test_client(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
datasync = DataSync(aws_provider)
|
||||
for reg_client in datasync.regional_clients.values():
|
||||
assert reg_client.__class__.__name__ == "DataSync"
|
||||
|
||||
# Test DataSync session
|
||||
def test__get_session__(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
datasync = DataSync(aws_provider)
|
||||
assert datasync.session.__class__.__name__ == "Session"
|
||||
|
||||
# Test listing DataSync tasks
|
||||
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
|
||||
def test_list_tasks(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
datasync = DataSync(aws_provider)
|
||||
|
||||
task_arn = "arn:aws:datasync:eu-west-1:123456789012:task/task-12345678901234567"
|
||||
@@ -142,7 +142,7 @@ class Test_DataSync_Service:
|
||||
|
||||
# Test generic exception in list_tasks
|
||||
def test_list_tasks_generic_exception(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
# Mock the regional client's list_tasks method specifically
|
||||
mock_client = MagicMock()
|
||||
@@ -155,7 +155,7 @@ class Test_DataSync_Service:
|
||||
# Test describing DataSync tasks with various exceptions
|
||||
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
|
||||
def test_describe_tasks_with_exceptions(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
datasync = DataSync(aws_provider)
|
||||
|
||||
# Check all tasks were processed despite exceptions
|
||||
@@ -183,7 +183,7 @@ class Test_DataSync_Service:
|
||||
# Test listing task tags with various exceptions
|
||||
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
|
||||
def test_list_task_tags_with_exceptions(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
datasync = DataSync(aws_provider)
|
||||
|
||||
tasks_by_name = {task.name: task for task in datasync.tasks.values()}
|
||||
|
||||
@@ -170,20 +170,20 @@ def mock_generate_regional_clients(provider, service):
|
||||
class Test_ECR_Service:
|
||||
# Test ECR Service
|
||||
def test_service(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
ecr = ECR(aws_provider)
|
||||
assert ecr.service == "ecr"
|
||||
|
||||
# Test ECR client
|
||||
def test_client(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
ecr = ECR(aws_provider)
|
||||
for regional_client in ecr.regional_clients.values():
|
||||
assert regional_client.__class__.__name__ == "ECR"
|
||||
|
||||
# Test ECR session
|
||||
def test_get_session(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
ecr = ECR(aws_provider)
|
||||
assert ecr.session.__class__.__name__ == "Session"
|
||||
|
||||
@@ -198,7 +198,7 @@ class Test_ECR_Service:
|
||||
{"Key": "test", "Value": "test"},
|
||||
],
|
||||
)
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
ecr = ECR(aws_provider)
|
||||
|
||||
assert len(ecr.registries) == 1
|
||||
@@ -226,7 +226,7 @@ class Test_ECR_Service:
|
||||
imageScanningConfiguration={"scanOnPush": True},
|
||||
imageTagMutability="IMMUTABLE",
|
||||
)
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
ecr = ECR(aws_provider)
|
||||
assert len(ecr.registries) == 1
|
||||
assert len(ecr.registries[AWS_REGION_EU_WEST_1].repositories) == 1
|
||||
@@ -255,7 +255,7 @@ class Test_ECR_Service:
|
||||
imageScanningConfiguration={"scanOnPush": True},
|
||||
imageTagMutability="IMMUTABLE",
|
||||
)
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
ecr = ECR(aws_provider)
|
||||
assert len(ecr.registries) == 1
|
||||
assert len(ecr.registries[AWS_REGION_EU_WEST_1].repositories) == 1
|
||||
@@ -273,7 +273,7 @@ class Test_ECR_Service:
|
||||
repositoryName=repo_name,
|
||||
imageScanningConfiguration={"scanOnPush": True},
|
||||
)
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
ecr = ECR(aws_provider)
|
||||
|
||||
assert len(ecr.registries) == 1
|
||||
@@ -366,7 +366,7 @@ class Test_ECR_Service:
|
||||
# Test get ECR Registries Scanning Configuration
|
||||
@mock_aws
|
||||
def test_get_registry_scanning_configuration(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
ecr = ECR(aws_provider)
|
||||
assert len(ecr.registries) == 1
|
||||
assert ecr.registries[AWS_REGION_EU_WEST_1].id == AWS_ACCOUNT_NUMBER
|
||||
|
||||
@@ -122,27 +122,27 @@ def mock_generate_regional_clients(provider, service):
|
||||
class Test_ECS_Service:
|
||||
# Test ECS Service
|
||||
def test_service(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
ecs = ECS(aws_provider)
|
||||
assert ecs.service == "ecs"
|
||||
|
||||
# Test ECS client
|
||||
def test_client(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
ecs = ECS(aws_provider)
|
||||
for reg_client in ecs.regional_clients.values():
|
||||
assert reg_client.__class__.__name__ == "ECS"
|
||||
|
||||
# Test ECS session
|
||||
def test__get_session__(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
ecs = ECS(aws_provider)
|
||||
assert ecs.session.__class__.__name__ == "Session"
|
||||
|
||||
# Test list ECS task definitions
|
||||
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
|
||||
def test_list_task_definitions(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
ecs = ECS(aws_provider)
|
||||
|
||||
task_arn = "arn:aws:ecs:eu-west-1:123456789012:task-definition/test_cluster_1/test_ecs_task:1"
|
||||
@@ -156,7 +156,7 @@ class Test_ECS_Service:
|
||||
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
|
||||
# Test describe ECS task definitions
|
||||
def test_describe_task_definitions(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
ecs = ECS(aws_provider)
|
||||
|
||||
task_arn = "arn:aws:ecs:eu-west-1:123456789012:task-definition/test_cluster_1/test_ecs_task:1"
|
||||
@@ -204,7 +204,7 @@ class Test_ECS_Service:
|
||||
# Test list ECS clusters
|
||||
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
|
||||
def test_list_clusters(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
ecs = ECS(aws_provider)
|
||||
|
||||
cluster_arn1 = "arn:aws:ecs:eu-west-1:123456789012:cluster/test_cluster_1"
|
||||
@@ -217,7 +217,7 @@ class Test_ECS_Service:
|
||||
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
|
||||
# Test describe ECS clusters
|
||||
def test_describe_clusters(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
ecs = ECS(aws_provider)
|
||||
|
||||
cluster_arn1 = "arn:aws:ecs:eu-west-1:123456789012:cluster/test_cluster_1"
|
||||
@@ -237,7 +237,7 @@ class Test_ECS_Service:
|
||||
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
|
||||
# Test describe ECS services
|
||||
def test_describe_services(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
ecs = ECS(aws_provider)
|
||||
|
||||
service_arn = (
|
||||
|
||||
@@ -93,18 +93,18 @@ def mock_generate_regional_clients(provider, service):
|
||||
class Test_EFS:
|
||||
# Test EFS Session
|
||||
def test__get_session__(self):
|
||||
access_analyzer = EFS(set_mocked_aws_provider())
|
||||
access_analyzer = EFS(set_mocked_aws_provider([AWS_REGION_EU_WEST_1]))
|
||||
assert access_analyzer.session.__class__.__name__ == "Session"
|
||||
|
||||
# Test EFS Service
|
||||
def test__get_service__(self):
|
||||
access_analyzer = EFS(set_mocked_aws_provider())
|
||||
access_analyzer = EFS(set_mocked_aws_provider([AWS_REGION_EU_WEST_1]))
|
||||
assert access_analyzer.service == "efs"
|
||||
|
||||
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
|
||||
# Test EFS describe file systems
|
||||
def test_describe_file_systems(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
efs = EFS(aws_provider)
|
||||
efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:file-system/{FILE_SYSTEM_ID}"
|
||||
assert len(efs.filesystems) == 1
|
||||
@@ -119,7 +119,7 @@ class Test_EFS:
|
||||
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
|
||||
# Test EFS describe file systems policies
|
||||
def test_describe_file_system_policies(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
efs = EFS(aws_provider)
|
||||
efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:file-system/{FILE_SYSTEM_ID}"
|
||||
assert len(efs.filesystems) == 1
|
||||
@@ -131,7 +131,7 @@ class Test_EFS:
|
||||
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
|
||||
# Test EFS describe mount targets
|
||||
def test_describe_mount_targets(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
efs = EFS(aws_provider)
|
||||
assert len(efs.filesystems) == 1
|
||||
efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:file-system/{FILE_SYSTEM_ID}"
|
||||
@@ -144,7 +144,7 @@ class Test_EFS:
|
||||
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
|
||||
# Test EFS describe access points
|
||||
def test_describe_access_points(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
efs = EFS(aws_provider)
|
||||
assert len(efs.filesystems) == 1
|
||||
efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:file-system/{FILE_SYSTEM_ID}"
|
||||
|
||||
@@ -31,20 +31,20 @@ def mock_generate_regional_clients(provider, service):
|
||||
class Test_EKS_Service:
|
||||
# Test EKS Service
|
||||
def test_service(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
eks = EKS(aws_provider)
|
||||
assert eks.service == "eks"
|
||||
|
||||
# Test EKS client
|
||||
def test_client(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
eks = EKS(aws_provider)
|
||||
for reg_client in eks.regional_clients.values():
|
||||
assert reg_client.__class__.__name__ == "EKS"
|
||||
|
||||
# Test EKS session
|
||||
def test__get_session__(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
eks = EKS(aws_provider)
|
||||
assert eks.session.__class__.__name__ == "Session"
|
||||
|
||||
@@ -73,7 +73,7 @@ class Test_EKS_Service:
|
||||
roleArn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:role/eks-service-role-AWSServiceRoleForAmazonEKS-J7ONKE3BQ4PI",
|
||||
tags={"test": "test"},
|
||||
)
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
eks = EKS(aws_provider)
|
||||
assert len(eks.clusters) == 1
|
||||
assert eks.clusters[0].name == cluster_name
|
||||
@@ -126,7 +126,7 @@ class Test_EKS_Service:
|
||||
},
|
||||
],
|
||||
)
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
eks = EKS(aws_provider)
|
||||
assert len(eks.clusters) == 1
|
||||
assert eks.clusters[0].name == cluster_name
|
||||
|
||||
@@ -59,7 +59,9 @@ class Test_ElasticBeanstalk_Service:
|
||||
# Test ElasticBeanstalk Client
|
||||
@mock_aws
|
||||
def test_get_client(self):
|
||||
elasticbeanstalk = ElasticBeanstalk(set_mocked_aws_provider())
|
||||
elasticbeanstalk = ElasticBeanstalk(
|
||||
set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
)
|
||||
assert (
|
||||
elasticbeanstalk.regional_clients[AWS_REGION_EU_WEST_1].__class__.__name__
|
||||
== "ElasticBeanstalk"
|
||||
@@ -68,13 +70,17 @@ class Test_ElasticBeanstalk_Service:
|
||||
# Test ElasticBeanstalk Session
|
||||
@mock_aws
|
||||
def test__get_session__(self):
|
||||
elasticbeanstalk = ElasticBeanstalk(set_mocked_aws_provider())
|
||||
elasticbeanstalk = ElasticBeanstalk(
|
||||
set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
)
|
||||
assert elasticbeanstalk.session.__class__.__name__ == "Session"
|
||||
|
||||
# Test ElasticBeanstalk Service
|
||||
@mock_aws
|
||||
def test__get_service__(self):
|
||||
elasticbeanstalk = ElasticBeanstalk(set_mocked_aws_provider())
|
||||
elasticbeanstalk = ElasticBeanstalk(
|
||||
set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
)
|
||||
assert elasticbeanstalk.service == "elasticbeanstalk"
|
||||
|
||||
# Test _describe_environments
|
||||
@@ -90,7 +96,9 @@ class Test_ElasticBeanstalk_Service:
|
||||
EnvironmentName="test-env",
|
||||
)
|
||||
# ElasticBeanstalk Class
|
||||
elasticbeanstalk = ElasticBeanstalk(set_mocked_aws_provider())
|
||||
elasticbeanstalk = ElasticBeanstalk(
|
||||
set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
)
|
||||
|
||||
assert len(elasticbeanstalk.environments) == 1
|
||||
assert (
|
||||
@@ -125,7 +133,9 @@ class Test_ElasticBeanstalk_Service:
|
||||
EnvironmentName="test-env",
|
||||
)
|
||||
# ElasticBeanstalk Class
|
||||
elasticbeanstalk = ElasticBeanstalk(set_mocked_aws_provider())
|
||||
elasticbeanstalk = ElasticBeanstalk(
|
||||
set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
)
|
||||
assert (
|
||||
elasticbeanstalk.environments[
|
||||
environment["EnvironmentArn"]
|
||||
@@ -158,7 +168,9 @@ class Test_ElasticBeanstalk_Service:
|
||||
Tags=[{"Key": "test-key", "Value": "test-value"}],
|
||||
)
|
||||
# ElasticBeanstalk Class
|
||||
elasticbeanstalk = ElasticBeanstalk(set_mocked_aws_provider())
|
||||
elasticbeanstalk = ElasticBeanstalk(
|
||||
set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
)
|
||||
assert elasticbeanstalk.environments[environment["EnvironmentArn"]].tags == [
|
||||
{"Key": "test-key", "Value": "test-value"}
|
||||
]
|
||||
|
||||
@@ -91,7 +91,11 @@ class Test_emr_cluster_publicly_accesible:
|
||||
),
|
||||
mock.patch(
|
||||
"prowler.providers.aws.services.emr.emr_cluster_publicly_accesible.emr_cluster_publicly_accesible.ec2_client",
|
||||
new=EC2(set_mocked_aws_provider(create_default_organization=False)),
|
||||
new=EC2(
|
||||
set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1], create_default_organization=False
|
||||
)
|
||||
),
|
||||
),
|
||||
):
|
||||
# Test Check
|
||||
@@ -161,7 +165,11 @@ class Test_emr_cluster_publicly_accesible:
|
||||
),
|
||||
mock.patch(
|
||||
"prowler.providers.aws.services.emr.emr_cluster_publicly_accesible.emr_cluster_publicly_accesible.ec2_client",
|
||||
new=EC2(set_mocked_aws_provider(create_default_organization=False)),
|
||||
new=EC2(
|
||||
set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1], create_default_organization=False
|
||||
)
|
||||
),
|
||||
),
|
||||
):
|
||||
# Test Check
|
||||
@@ -248,7 +256,11 @@ class Test_emr_cluster_publicly_accesible:
|
||||
),
|
||||
mock.patch(
|
||||
"prowler.providers.aws.services.emr.emr_cluster_publicly_accesible.emr_cluster_publicly_accesible.ec2_client",
|
||||
new=EC2(set_mocked_aws_provider(create_default_organization=False)),
|
||||
new=EC2(
|
||||
set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1], create_default_organization=False
|
||||
)
|
||||
),
|
||||
),
|
||||
):
|
||||
# Test Check
|
||||
@@ -338,7 +350,11 @@ class Test_emr_cluster_publicly_accesible:
|
||||
),
|
||||
mock.patch(
|
||||
"prowler.providers.aws.services.emr.emr_cluster_publicly_accesible.emr_cluster_publicly_accesible.ec2_client",
|
||||
new=EC2(set_mocked_aws_provider(create_default_organization=False)),
|
||||
new=EC2(
|
||||
set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1], create_default_organization=False
|
||||
)
|
||||
),
|
||||
),
|
||||
):
|
||||
# Test Check
|
||||
@@ -425,7 +441,11 @@ class Test_emr_cluster_publicly_accesible:
|
||||
),
|
||||
mock.patch(
|
||||
"prowler.providers.aws.services.emr.emr_cluster_publicly_accesible.emr_cluster_publicly_accesible.ec2_client",
|
||||
new=EC2(set_mocked_aws_provider(create_default_organization=False)),
|
||||
new=EC2(
|
||||
set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1], create_default_organization=False
|
||||
)
|
||||
),
|
||||
),
|
||||
):
|
||||
# Test Check
|
||||
|
||||
@@ -53,19 +53,19 @@ class Test_EMR_Service:
|
||||
# Test EMR Client
|
||||
@mock_aws
|
||||
def test_get_client(self):
|
||||
emr = EMR(set_mocked_aws_provider())
|
||||
emr = EMR(set_mocked_aws_provider([AWS_REGION_EU_WEST_1]))
|
||||
assert emr.regional_clients[AWS_REGION_EU_WEST_1].__class__.__name__ == "EMR"
|
||||
|
||||
# Test EMR Session
|
||||
@mock_aws
|
||||
def test__get_session__(self):
|
||||
emr = EMR(set_mocked_aws_provider())
|
||||
emr = EMR(set_mocked_aws_provider([AWS_REGION_EU_WEST_1]))
|
||||
assert emr.session.__class__.__name__ == "Session"
|
||||
|
||||
# Test EMR Service
|
||||
@mock_aws
|
||||
def test__get_service__(self):
|
||||
emr = EMR(set_mocked_aws_provider())
|
||||
emr = EMR(set_mocked_aws_provider([AWS_REGION_EU_WEST_1]))
|
||||
assert emr.service == "emr"
|
||||
|
||||
# Test _list_clusters and _describe_cluster
|
||||
@@ -93,7 +93,7 @@ class Test_EMR_Service:
|
||||
)
|
||||
cluster_id = emr_client.run_job_flow(**run_job_flow_args)["JobFlowId"]
|
||||
# EMR Class
|
||||
emr = EMR(set_mocked_aws_provider())
|
||||
emr = EMR(set_mocked_aws_provider([AWS_REGION_EU_WEST_1]))
|
||||
|
||||
assert len(emr.clusters) == 1
|
||||
assert emr.clusters[cluster_id].id == cluster_id
|
||||
@@ -115,7 +115,7 @@ class Test_EMR_Service:
|
||||
|
||||
@mock_aws
|
||||
def test_get_block_public_access_configuration(self):
|
||||
emr = EMR(set_mocked_aws_provider())
|
||||
emr = EMR(set_mocked_aws_provider([AWS_REGION_EU_WEST_1]))
|
||||
|
||||
assert len(emr.block_public_access_configuration) == 1
|
||||
assert emr.block_public_access_configuration[
|
||||
|
||||
@@ -55,27 +55,27 @@ class Test_GlobalAccelerator_Service:
|
||||
# Test GlobalAccelerator Service
|
||||
def test_service(self):
|
||||
# GlobalAccelerator client for this test class
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_US_WEST_2])
|
||||
globalaccelerator = GlobalAccelerator(aws_provider)
|
||||
assert globalaccelerator.service == "globalaccelerator"
|
||||
|
||||
# Test GlobalAccelerator Client
|
||||
def test_client(self):
|
||||
# GlobalAccelerator client for this test class
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_US_WEST_2])
|
||||
globalaccelerator = GlobalAccelerator(aws_provider)
|
||||
assert globalaccelerator.client.__class__.__name__ == "GlobalAccelerator"
|
||||
|
||||
# Test GlobalAccelerator Session
|
||||
def test__get_session__(self):
|
||||
# GlobalAccelerator client for this test class
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_US_WEST_2])
|
||||
globalaccelerator = GlobalAccelerator(aws_provider)
|
||||
assert globalaccelerator.session.__class__.__name__ == "Session"
|
||||
|
||||
def test_list_accelerators(self):
|
||||
# GlobalAccelerator client for this test class
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_US_WEST_2])
|
||||
globalaccelerator = GlobalAccelerator(aws_provider)
|
||||
|
||||
accelerator_name = "TestAccelerator"
|
||||
@@ -99,7 +99,7 @@ class Test_GlobalAccelerator_Service:
|
||||
|
||||
def test_list_tags(self):
|
||||
# GlobalAccelerator client for this test class
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_US_WEST_2])
|
||||
globalaccelerator = GlobalAccelerator(aws_provider)
|
||||
|
||||
assert len(globalaccelerator.accelerators) == 1
|
||||
|
||||
@@ -39,7 +39,7 @@ def mock_make_api_call_members_managers(self, operation_name, api_params):
|
||||
class Test_guardduty_centrally_managed:
|
||||
@mock_aws
|
||||
def test_no_detectors(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
@@ -67,7 +67,7 @@ class Test_guardduty_centrally_managed:
|
||||
|
||||
detector_id = guardduty_client.create_detector(Enable=True)["DetectorId"]
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
@@ -112,7 +112,7 @@ class Test_guardduty_centrally_managed:
|
||||
|
||||
detector_id = guardduty_client.create_detector(Enable=True)["DetectorId"]
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
@@ -156,7 +156,7 @@ class Test_guardduty_centrally_managed:
|
||||
|
||||
detector_id = guardduty_client.create_detector(Enable=True)["DetectorId"]
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
|
||||
@@ -64,7 +64,7 @@ class Test_guardduty_delegated_admin_enabled_all_regions:
|
||||
@mock_aws
|
||||
def test_no_detectors(self):
|
||||
"""Test when no GuardDuty detectors exist."""
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
@@ -102,7 +102,7 @@ class Test_guardduty_delegated_admin_enabled_all_regions:
|
||||
guardduty_client_boto = client("guardduty", region_name=AWS_REGION_EU_WEST_1)
|
||||
detector_id = guardduty_client_boto.create_detector(Enable=True)["DetectorId"]
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
@@ -148,7 +148,7 @@ class Test_guardduty_delegated_admin_enabled_all_regions:
|
||||
guardduty_client_boto = client("guardduty", region_name=AWS_REGION_EU_WEST_1)
|
||||
detector_id = guardduty_client_boto.create_detector(Enable=True)["DetectorId"]
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
@@ -194,7 +194,7 @@ class Test_guardduty_delegated_admin_enabled_all_regions:
|
||||
guardduty_client_boto = client("guardduty", region_name=AWS_REGION_EU_WEST_1)
|
||||
detector_id = guardduty_client_boto.create_detector(Enable=True)["DetectorId"]
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
|
||||
@@ -44,7 +44,7 @@ def mock_make_api_call(self, operation_name, kwarg):
|
||||
|
||||
class Test_guardduty_ec2_malware_protection_enabled:
|
||||
def test_no_detectors(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
@@ -74,7 +74,7 @@ class Test_guardduty_ec2_malware_protection_enabled:
|
||||
|
||||
guardduty_client.create_detector(Enable=False)
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
@@ -112,7 +112,7 @@ class Test_guardduty_ec2_malware_protection_enabled:
|
||||
},
|
||||
)["DetectorId"]
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
@@ -161,7 +161,7 @@ class Test_guardduty_ec2_malware_protection_enabled:
|
||||
},
|
||||
)["DetectorId"]
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ from tests.providers.aws.utils import (
|
||||
|
||||
class Test_guardduty_eks_audit_log_enabled:
|
||||
def test_no_detectors(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
@@ -42,7 +42,7 @@ class Test_guardduty_eks_audit_log_enabled:
|
||||
|
||||
guardduty_client.create_detector(Enable=False)
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
@@ -74,7 +74,7 @@ class Test_guardduty_eks_audit_log_enabled:
|
||||
Enable=True, DataSources={"Kubernetes": {"AuditLogs": {"Enable": True}}}
|
||||
)["DetectorId"]
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
@@ -118,7 +118,7 @@ class Test_guardduty_eks_audit_log_enabled:
|
||||
Enable=True, DataSources={"Kubernetes": {"AuditLogs": {"Enable": False}}}
|
||||
)["DetectorId"]
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
|
||||
@@ -6,6 +6,7 @@ from moto import mock_aws
|
||||
from tests.providers.aws.utils import (
|
||||
AWS_ACCOUNT_NUMBER,
|
||||
AWS_REGION_EU_WEST_1,
|
||||
AWS_REGION_US_EAST_1,
|
||||
set_mocked_aws_provider,
|
||||
)
|
||||
|
||||
@@ -13,7 +14,7 @@ from tests.providers.aws.utils import (
|
||||
class Test_guardduty_is_enabled:
|
||||
@mock_aws
|
||||
def test_no_detectors(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
@@ -43,7 +44,7 @@ class Test_guardduty_is_enabled:
|
||||
|
||||
detector_id = guardduty_client.create_detector(Enable=True)["DetectorId"]
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
@@ -85,7 +86,7 @@ class Test_guardduty_is_enabled:
|
||||
|
||||
detector_id = guardduty_client.create_detector(Enable=False)["DetectorId"]
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
@@ -131,7 +132,7 @@ class Test_guardduty_is_enabled:
|
||||
|
||||
detector_id = guardduty_client.create_detector(Enable=False)["DetectorId"]
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
@@ -177,7 +178,9 @@ class Test_guardduty_is_enabled:
|
||||
|
||||
detector_id = guardduty_client.create_detector(Enable=False)["DetectorId"]
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1]
|
||||
)
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
|
||||
@@ -15,7 +15,7 @@ orig = botocore.client.BaseClient._make_api_call
|
||||
|
||||
class Test_guardduty_lambda_protection_enabled:
|
||||
def test_no_detectors(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
@@ -45,7 +45,7 @@ class Test_guardduty_lambda_protection_enabled:
|
||||
|
||||
guardduty_client.create_detector(Enable=False)
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
@@ -78,7 +78,7 @@ class Test_guardduty_lambda_protection_enabled:
|
||||
Features=[{"Name": "LAMBDA_NETWORK_LOGS", "Status": "ENABLED"}],
|
||||
)["DetectorId"]
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
@@ -123,7 +123,7 @@ class Test_guardduty_lambda_protection_enabled:
|
||||
Features=[{"Name": "LAMBDA_NETWORK_LOGS", "Status": "DISABLED"}],
|
||||
)["DetectorId"]
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
|
||||
@@ -28,7 +28,7 @@ def mock_make_api_call(self, operation_name, kwarg):
|
||||
class Test_guardduty_no_high_severity_findings:
|
||||
@mock_aws
|
||||
def test_no_detectors(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
@@ -56,7 +56,7 @@ class Test_guardduty_no_high_severity_findings:
|
||||
|
||||
detector_id = guardduty_client.create_detector(Enable=True)["DetectorId"]
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
@@ -97,7 +97,7 @@ class Test_guardduty_no_high_severity_findings:
|
||||
|
||||
detector_id = guardduty_client.create_detector(Enable=True)["DetectorId"]
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
from prowler.providers.aws.services.guardduty.guardduty_service import GuardDuty
|
||||
|
||||
|
||||
@@ -66,20 +66,20 @@ def mock_generate_regional_clients(provider, service):
|
||||
class Test_GuardDuty_Service:
|
||||
# Test GuardDuty Service
|
||||
def test_service(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
guardduty = GuardDuty(aws_provider)
|
||||
assert guardduty.service == "guardduty"
|
||||
|
||||
# Test GuardDuty client
|
||||
def test_client(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
guardduty = GuardDuty(aws_provider)
|
||||
for reg_client in guardduty.regional_clients.values():
|
||||
assert reg_client.__class__.__name__ == "GuardDuty"
|
||||
|
||||
# Test GuardDuty session
|
||||
def test__get_session__(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
guardduty = GuardDuty(aws_provider)
|
||||
assert guardduty.session.__class__.__name__ == "Session"
|
||||
|
||||
@@ -89,7 +89,7 @@ class Test_GuardDuty_Service:
|
||||
guardduty_client = client("guardduty", region_name=AWS_REGION_EU_WEST_1)
|
||||
response = guardduty_client.create_detector(Enable=True, Tags={"test": "test"})
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
guardduty = GuardDuty(aws_provider)
|
||||
|
||||
assert len(guardduty.detectors) == 1
|
||||
@@ -121,7 +121,7 @@ class Test_GuardDuty_Service:
|
||||
],
|
||||
)
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
guardduty = GuardDuty(aws_provider)
|
||||
|
||||
assert len(guardduty.detectors) == 1
|
||||
@@ -149,7 +149,7 @@ class Test_GuardDuty_Service:
|
||||
guardduty_client = client("guardduty", region_name=AWS_REGION_EU_WEST_1)
|
||||
response = guardduty_client.create_detector(Enable=True)
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
guardduty = GuardDuty(aws_provider)
|
||||
|
||||
assert len(guardduty.detectors) == 1
|
||||
@@ -170,7 +170,7 @@ class Test_GuardDuty_Service:
|
||||
guardduty_client = client("guardduty", region_name=AWS_REGION_EU_WEST_1)
|
||||
response = guardduty_client.create_detector(Enable=True)
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
guardduty = GuardDuty(aws_provider)
|
||||
|
||||
assert len(guardduty.detectors) == 1
|
||||
@@ -192,7 +192,7 @@ class Test_GuardDuty_Service:
|
||||
guardduty_client = client("guardduty", region_name=AWS_REGION_EU_WEST_1)
|
||||
response = guardduty_client.create_detector(Enable=True)
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
guardduty = GuardDuty(aws_provider)
|
||||
|
||||
assert len(guardduty.detectors) == 1
|
||||
|
||||
@@ -1413,6 +1413,115 @@ class Test_Policy:
|
||||
condition_statement, TRUSTED_AWS_ACCOUNT_NUMBER
|
||||
)
|
||||
|
||||
def test_condition_parser_string_equals_aws_CalledVia_str(self):
|
||||
condition_statement = {
|
||||
"StringEquals": {"aws:CalledVia": "cloudformation.amazonaws.com"}
|
||||
}
|
||||
assert is_condition_block_restrictive(
|
||||
condition_statement,
|
||||
TRUSTED_AWS_ACCOUNT_NUMBER,
|
||||
is_cross_account_allowed=True,
|
||||
)
|
||||
|
||||
def test_condition_parser_string_equals_aws_CalledViaFirst_str(self):
|
||||
condition_statement = {
|
||||
"StringEquals": {"aws:CalledViaFirst": "cloudformation.amazonaws.com"}
|
||||
}
|
||||
assert is_condition_block_restrictive(
|
||||
condition_statement,
|
||||
TRUSTED_AWS_ACCOUNT_NUMBER,
|
||||
is_cross_account_allowed=True,
|
||||
)
|
||||
|
||||
def test_condition_parser_string_equals_aws_CalledViaLast_str(self):
|
||||
condition_statement = {
|
||||
"StringEquals": {"aws:CalledViaLast": "glue.amazonaws.com"}
|
||||
}
|
||||
assert is_condition_block_restrictive(
|
||||
condition_statement,
|
||||
TRUSTED_AWS_ACCOUNT_NUMBER,
|
||||
is_cross_account_allowed=True,
|
||||
)
|
||||
|
||||
def test_condition_parser_string_like_aws_CalledVia_str(self):
|
||||
condition_statement = {"StringLike": {"aws:CalledVia": "*.amazonaws.com"}}
|
||||
assert is_condition_block_restrictive(
|
||||
condition_statement,
|
||||
TRUSTED_AWS_ACCOUNT_NUMBER,
|
||||
is_cross_account_allowed=True,
|
||||
)
|
||||
|
||||
def test_condition_parser_string_equals_kms_CallerAccount_str(self):
|
||||
condition_statement = {
|
||||
"StringEquals": {"kms:CallerAccount": TRUSTED_AWS_ACCOUNT_NUMBER}
|
||||
}
|
||||
assert is_condition_block_restrictive(
|
||||
condition_statement, TRUSTED_AWS_ACCOUNT_NUMBER
|
||||
)
|
||||
|
||||
def test_condition_parser_string_equals_kms_CallerAccount_str_not_valid(self):
|
||||
condition_statement = {
|
||||
"StringEquals": {"kms:CallerAccount": NON_TRUSTED_AWS_ACCOUNT_NUMBER}
|
||||
}
|
||||
assert not is_condition_block_restrictive(
|
||||
condition_statement, TRUSTED_AWS_ACCOUNT_NUMBER
|
||||
)
|
||||
|
||||
def test_condition_parser_string_equals_kms_CallerAccount_list(self):
|
||||
condition_statement = {
|
||||
"StringEquals": {"kms:CallerAccount": [TRUSTED_AWS_ACCOUNT_NUMBER]}
|
||||
}
|
||||
assert is_condition_block_restrictive(
|
||||
condition_statement, TRUSTED_AWS_ACCOUNT_NUMBER
|
||||
)
|
||||
|
||||
def test_condition_parser_string_equals_kms_CallerAccount_list_not_valid(self):
|
||||
condition_statement = {
|
||||
"StringEquals": {
|
||||
"kms:CallerAccount": [
|
||||
TRUSTED_AWS_ACCOUNT_NUMBER,
|
||||
NON_TRUSTED_AWS_ACCOUNT_NUMBER,
|
||||
]
|
||||
}
|
||||
}
|
||||
assert not is_condition_block_restrictive(
|
||||
condition_statement, TRUSTED_AWS_ACCOUNT_NUMBER
|
||||
)
|
||||
|
||||
def test_condition_parser_string_equals_kms_ViaService_str(self):
|
||||
condition_statement = {
|
||||
"StringEquals": {"kms:ViaService": "glue.eu-central-1.amazonaws.com"}
|
||||
}
|
||||
assert is_condition_block_restrictive(
|
||||
condition_statement,
|
||||
TRUSTED_AWS_ACCOUNT_NUMBER,
|
||||
is_cross_account_allowed=True,
|
||||
)
|
||||
|
||||
def test_condition_parser_string_like_kms_CallerAccount_str(self):
|
||||
condition_statement = {
|
||||
"StringLike": {"kms:CallerAccount": TRUSTED_AWS_ACCOUNT_NUMBER}
|
||||
}
|
||||
assert is_condition_block_restrictive(
|
||||
condition_statement, TRUSTED_AWS_ACCOUNT_NUMBER
|
||||
)
|
||||
|
||||
def test_condition_parser_string_like_kms_CallerAccount_str_not_valid(self):
|
||||
condition_statement = {
|
||||
"StringLike": {"kms:CallerAccount": NON_TRUSTED_AWS_ACCOUNT_NUMBER}
|
||||
}
|
||||
assert not is_condition_block_restrictive(
|
||||
condition_statement, TRUSTED_AWS_ACCOUNT_NUMBER
|
||||
)
|
||||
|
||||
def test_condition_parser_string_like_kms_ViaService_str(self):
|
||||
condition_statement = {"StringLike": {"kms:ViaService": "glue.*.amazonaws.com"}}
|
||||
assert is_condition_block_restrictive(
|
||||
condition_statement,
|
||||
TRUSTED_AWS_ACCOUNT_NUMBER,
|
||||
is_cross_account_allowed=True,
|
||||
)
|
||||
|
||||
def test_condition_parser_two_lists_unrestrictive(self):
|
||||
condition_statement = {
|
||||
"StringLike": {
|
||||
@@ -2357,6 +2466,71 @@ class Test_Policy:
|
||||
trusted_ips=["1.2.3.4", "5.6.7.8"],
|
||||
)
|
||||
|
||||
def test_is_policy_public_kms_caller_account_and_via_service(self):
|
||||
policy = {
|
||||
"Version": "2008-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Principal": {"AWS": "*"},
|
||||
"Action": [
|
||||
"kms:Encrypt",
|
||||
"kms:Decrypt",
|
||||
"kms:ReEncrypt*",
|
||||
"kms:GenerateDataKey*",
|
||||
"kms:CreateGrant",
|
||||
"kms:DescribeKey",
|
||||
],
|
||||
"Resource": "*",
|
||||
"Condition": {
|
||||
"StringEquals": {
|
||||
"kms:ViaService": "glue.eu-central-1.amazonaws.com",
|
||||
"kms:CallerAccount": TRUSTED_AWS_ACCOUNT_NUMBER,
|
||||
}
|
||||
},
|
||||
},
|
||||
],
|
||||
}
|
||||
assert not is_policy_public(policy, TRUSTED_AWS_ACCOUNT_NUMBER)
|
||||
|
||||
def test_is_policy_public_kms_caller_account_only(self):
|
||||
policy = {
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Principal": {"AWS": "*"},
|
||||
"Action": ["kms:Decrypt"],
|
||||
"Resource": "*",
|
||||
"Condition": {
|
||||
"StringEquals": {
|
||||
"kms:CallerAccount": TRUSTED_AWS_ACCOUNT_NUMBER,
|
||||
}
|
||||
},
|
||||
},
|
||||
],
|
||||
}
|
||||
assert not is_policy_public(policy, TRUSTED_AWS_ACCOUNT_NUMBER)
|
||||
|
||||
def test_is_policy_public_kms_via_service_without_account_restriction(self):
|
||||
policy = {
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Principal": {"AWS": "*"},
|
||||
"Action": ["kms:Decrypt"],
|
||||
"Resource": "*",
|
||||
"Condition": {
|
||||
"StringEquals": {
|
||||
"kms:ViaService": "glue.eu-central-1.amazonaws.com",
|
||||
}
|
||||
},
|
||||
},
|
||||
],
|
||||
}
|
||||
assert not is_policy_public(policy, TRUSTED_AWS_ACCOUNT_NUMBER)
|
||||
|
||||
def test_check_admin_access(self):
|
||||
policy = {
|
||||
"Version": "2012-10-17",
|
||||
|
||||
@@ -104,26 +104,26 @@ def mock_generate_regional_clients(provider, service):
|
||||
class TestOpenSearchServiceService:
|
||||
# Test OpenSearchService Service
|
||||
def test_service(self):
|
||||
aws_provider = set_mocked_aws_provider([])
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
opensearch = OpenSearchService(aws_provider)
|
||||
assert opensearch.service == "opensearch"
|
||||
|
||||
# Test OpenSearchService_ client
|
||||
def test_client(self):
|
||||
aws_provider = set_mocked_aws_provider([])
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
opensearch = OpenSearchService(aws_provider)
|
||||
for reg_client in opensearch.regional_clients.values():
|
||||
assert reg_client.__class__.__name__ == "OpenSearchService"
|
||||
|
||||
# Test OpenSearchService session
|
||||
def test__get_session__(self):
|
||||
aws_provider = set_mocked_aws_provider([])
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
opensearch = OpenSearchService(aws_provider)
|
||||
assert opensearch.session.__class__.__name__ == "Session"
|
||||
|
||||
# Test OpenSearchService list domains names
|
||||
def test_list_domain_names(self):
|
||||
aws_provider = set_mocked_aws_provider([])
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
opensearch = OpenSearchService(aws_provider)
|
||||
assert len(opensearch.opensearch_domains) == 1
|
||||
assert opensearch.opensearch_domains[domain_arn].name == test_domain_name
|
||||
@@ -132,7 +132,7 @@ class TestOpenSearchServiceService:
|
||||
# Test OpenSearchService describe domain
|
||||
@mock_aws
|
||||
def test_describe_domain(self):
|
||||
aws_provider = set_mocked_aws_provider([])
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
opensearch = OpenSearchService(aws_provider)
|
||||
assert len(opensearch.opensearch_domains) == 1
|
||||
assert opensearch.opensearch_domains[domain_arn].name == test_domain_name
|
||||
@@ -237,7 +237,7 @@ class TestOpenSearchServiceService:
|
||||
"botocore.client.BaseClient._make_api_call",
|
||||
new=mock_make_api_call_missing_fields,
|
||||
):
|
||||
aws_provider = set_mocked_aws_provider([])
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
opensearch = OpenSearchService(aws_provider)
|
||||
|
||||
# Should not crash even with missing optional fields
|
||||
|
||||
@@ -248,6 +248,7 @@ class Test_rds_instance_no_public_access:
|
||||
PubliclyAccessible=True,
|
||||
VpcSecurityGroupIds=[default_sg_id],
|
||||
)
|
||||
from prowler.providers.aws.services.ec2.ec2_service import EC2
|
||||
from prowler.providers.aws.services.rds.rds_service import RDS
|
||||
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
|
||||
@@ -256,9 +257,15 @@ class Test_rds_instance_no_public_access:
|
||||
"prowler.providers.common.provider.Provider.get_global_provider",
|
||||
return_value=aws_provider,
|
||||
):
|
||||
with mock.patch(
|
||||
"prowler.providers.aws.services.rds.rds_instance_no_public_access.rds_instance_no_public_access.rds_client",
|
||||
new=RDS(aws_provider),
|
||||
with (
|
||||
mock.patch(
|
||||
"prowler.providers.aws.services.rds.rds_instance_no_public_access.rds_instance_no_public_access.rds_client",
|
||||
new=RDS(aws_provider),
|
||||
),
|
||||
mock.patch(
|
||||
"prowler.providers.aws.services.rds.rds_instance_no_public_access.rds_instance_no_public_access.ec2_client",
|
||||
new=EC2(aws_provider),
|
||||
),
|
||||
):
|
||||
# Test Check
|
||||
from prowler.providers.aws.services.rds.rds_instance_no_public_access.rds_instance_no_public_access import (
|
||||
|
||||
@@ -96,7 +96,7 @@ ADMINISTRATOR_ROLE_ASSUME_ROLE_POLICY = {
|
||||
# This here causes to call this function mocking the AWS calls
|
||||
@mock_aws
|
||||
def set_mocked_aws_provider(
|
||||
audited_regions: list[str] = [],
|
||||
audited_regions: list[str] = [AWS_REGION_US_EAST_1],
|
||||
audited_account: str = AWS_ACCOUNT_NUMBER,
|
||||
audited_account_arn: str = AWS_ACCOUNT_ARN,
|
||||
audited_partition: str = AWS_COMMERCIAL_PARTITION,
|
||||
@@ -143,7 +143,9 @@ def set_mocked_aws_provider(
|
||||
# Mock Configiration
|
||||
provider._scan_unused_services = scan_unused_services
|
||||
provider._enabled_regions = (
|
||||
enabled_regions if enabled_regions else set(audited_regions)
|
||||
enabled_regions
|
||||
if enabled_regions is not None
|
||||
else (set(audited_regions) if audited_regions else None)
|
||||
)
|
||||
# TODO: we can create the organizations metadata here with moto
|
||||
provider._organizations_metadata = None
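Review bot: The new default `audited_regions: list[str] = [AWS_REGION_US_EAST_1]` in the earlier hunk of this file is a shared mutable default that now carries a value every provider test on this page relies on, so any caller that mutates the list it receives would leak that change into later tests. A `None` default keeps all call sites unchanged: `audited_regions: list[str] | None = None` followed by `if audited_regions is None: audited_regions = [AWS_REGION_US_EAST_1]` at the top of the body, after which the `set(audited_regions) if audited_regions else None` fallback in this hunk works as written. The `is not None` test on `enabled_regions` presumes that parameter defaults to `None`; its default is not visible in this hunk. set_mocked_aws_provider's body continues outside the hunk.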
|
||||
|
||||