From 06dc3d3361f9fe14e10af0d2d8701cc7930aa845 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 31 Oct 2023 09:28:50 +0100
Subject: [PATCH] build(deps-dev): bump pytest from 7.4.2 to 7.4.3 (#2981)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Pepe Fagoaga
---
 poetry.lock | 8 +-
 pyproject.toml | 2 +-
 tests/providers/aws/audit_info_utils.py | 1 +
 ...om_internet_to_tcp_port_redis_6379_test.py | 174 ++++++++++--------
 4 files changed, 107 insertions(+), 78 deletions(-)
diff --git a/poetry.lock b/poetry.lock
index 3d7f3a73..e117b9e4 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1933,13 +1933,13 @@ diagrams = ["jinja2", "railroad-diagrams"]
 [[package]]
 name = "pytest"
-version = "7.4.2"
+version = "7.4.3"
 description = "pytest: simple powerful testing with Python"
 optional = false
 python-versions = ">=3.7"
 files = [
- {file = "pytest-7.4.2-py3-none-any.whl", hash = "sha256:1d881c6124e08ff0a1bb75ba3ec0bfd8b5354a01c194ddd5a0a870a48d99b002"},
- {file = "pytest-7.4.2.tar.gz", hash = "sha256:a766259cfab564a2ad52cb1aae1b881a75c3eb7e34ca3779697c23ed47c47069"},
+ {file = "pytest-7.4.3-py3-none-any.whl", hash = "sha256:0d009c083ea859a71b76adf7c1d502e4bc170b80a8ef002da5806527b9591fac"},
+ {file = "pytest-7.4.3.tar.gz", hash = "sha256:d989d136982de4e3b29dabcc838ad581c64e8ed52c11fbe86ddebd9da0818cd5"},
 ]
 [package.dependencies]
@@ -2889,4 +2889,4 @@ docs = ["mkdocs", "mkdocs-material"]
 [metadata]
 lock-version = "2.0"
 python-versions = "^3.9"
-content-hash = "aef6e6b3e68e4fe079d80851d20290cf23290d69391529d4670183c24be14714"
+content-hash = "18a939f0238eb68ec48a95c569985f38683aaa795c1ca1eb280e402d3fa066ad"
diff --git a/pyproject.toml b/pyproject.toml
index 47bf06e4..fd75d66d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -64,7 +64,7 @@ mock = "5.1.0"
 moto = "4.2.6"
 openapi-spec-validator = "0.7.1"
 pylint = "3.0.2"
-pytest = "7.4.2"
+pytest = "7.4.3"
 pytest-cov = "4.1.0"
 pytest-randomly = "3.15.0"
 pytest-xdist = "3.3.1"
diff --git a/tests/providers/aws/audit_info_utils.py b/tests/providers/aws/audit_info_utils.py
index 114dbf57..d2598a8c 100644
--- a/tests/providers/aws/audit_info_utils.py
+++ b/tests/providers/aws/audit_info_utils.py
@@ -4,6 +4,7 @@ from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
 from prowler.providers.common.models import Audit_Metadata
 AWS_REGION_US_EAST_1 = "us-east-1"
+AWS_REGION_EU_WEST_1 = "eu-west-1"
 AWS_PARTITION = "aws"
 AWS_ACCOUNT_NUMBER = "123456789012"
 AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379_test.py
index 561046a4..aa6c63e3 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379_test.py
@@ -1,57 +1,35 @@
 from unittest import mock
-from boto3 import client, resource, session
+from boto3 import client, resource
 from moto import mock_ec2
-from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
 from prowler.providers.aws.services.vpc.vpc_service import VPC
-from prowler.providers.common.models import Audit_Metadata
-
-AWS_REGION = "us-east-1"
-AWS_ACCOUNT_NUMBER = "123456789012"
+from tests.providers.aws.audit_info_utils import (
+ AWS_REGION_EU_WEST_1,
+ AWS_REGION_US_EAST_1,
+ set_mocked_aws_audit_info,
+ )
 class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379:
- def set_mocked_audit_info(self):
- audit_info = AWS_Audit_Info(
- session_config=None,
- original_session=None,
- audit_session=session.Session(
- profile_name=None,
- botocore_session=None,
- ),
- audited_account=AWS_ACCOUNT_NUMBER,
- audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
- audited_user_id=None,
- audited_partition="aws",
- audited_identity_arn=None,
- profile=None,
- profile_region=None,
- credentials=None,
- assumed_role_info=None,
- audited_regions=["us-east-1", "eu-west-1"],
- organizations_metadata=None,
- audit_resources=None,
- mfa_enabled=False,
- audit_metadata=Audit_Metadata(
- services_scanned=0,
- expected_checks=[],
- completed_checks=0,
- audit_progress=0,
- ),
- )
-
- return audit_info
-
 @mock_ec2
 def test_ec2_default_sgs(self):
 # Create EC2 Mocked Resources
- ec2_client = client("ec2", region_name=AWS_REGION)
- ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
+ ec2_client_us_east_1 = client("ec2", region_name=AWS_REGION_US_EAST_1)
+ ec2_client_us_east_1.create_vpc(CidrBlock="10.0.0.0/16")
+ sgs_us_east_1 = ec2_client_us_east_1.describe_security_groups()[
+ "SecurityGroups"
+ ]
+ ec2_client_eu_west_1 = client("ec2", region_name=AWS_REGION_EU_WEST_1)
+ sgs_eu_west_1 = ec2_client_eu_west_1.describe_security_groups()[
+ "SecurityGroups"
+ ]
 from prowler.providers.aws.services.ec2.ec2_service import EC2
- current_audit_info = self.set_mocked_audit_info()
+ current_audit_info = set_mocked_aws_audit_info(
+ audited_regions=[AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1]
+ )
 with mock.patch(
 "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
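Review bot: The two `describe_security_groups()` snapshots taken right after `create_vpc` in test_ec2_default_sgs are what the later `assert len(result) == 3` relies on, but nothing in the hunk says why two regions are described or how the 3 findings split between them. A comment on the `sgs_us_east_1` line along the lines of `# us-east-1: default VPC's SG plus the SG of the VPC created above; eu-west-1: only its default VPC's SG` would make the expected 2 + 1 split explicit for the next reader. That a default VPC (and its default SG) exists per region under moto is inferred here, not shown in the diff, so confirm it before wording the comment. test_ec2_default_sgs continues past the end of this hunk.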
@@ -73,24 +51,55 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379:
 )
 result = check.execute()
- # One default sg per region
+ # One default sg per region + VPC
 assert len(result) == 3
+
 # All are compliant by default
- assert result[0].status == "PASS"
- assert result[1].status == "PASS"
- assert result[2].status == "PASS"
+ # 2 in us-east-1
+ for sg in sgs_us_east_1:
+ for res in result:
+ if res.resource_id == sg["GroupId"]:
+ assert res.status == "PASS"
+ assert res.region == AWS_REGION_US_EAST_1
+ assert (
+ res.status_extended
+ == f"Security group {sg['GroupName']} ({sg['GroupId']}) does not have Redis port 6379 open to the Internet."
+ )
+ assert (
+ res.resource_arn
+ == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION_US_EAST_1}:{current_audit_info.audited_account}:security-group/{sg['GroupId']}"
+ )
+ assert res.resource_details == sg["GroupName"]
+ assert res.resource_tags == []
+
+ # 1 in eu-west-1
+ for sg in sgs_eu_west_1:
+ for res in result:
+ if res.resource_id == sg["GroupId"]:
+ assert res.status == "PASS"
+ assert res.region == AWS_REGION_EU_WEST_1
+ assert (
+ res.status_extended
+ == f"Security group {sg['GroupName']} ({sg['GroupId']}) does not have Redis port 6379 open to the Internet."
+ )
+ assert (
+ res.resource_arn
+ == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION_EU_WEST_1}:{current_audit_info.audited_account}:security-group/{sg['GroupId']}"
+ )
+ assert res.resource_details == sg["GroupName"]
+ assert res.resource_tags == []
 @mock_ec2
 def test_ec2_non_compliant_default_sg(self):
 # Create EC2 Mocked Resources
- ec2_client = client("ec2", region_name=AWS_REGION)
- ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
- "SecurityGroups"
- ][0]
+ ec2_client_us_east_1 = client("ec2", region_name=AWS_REGION_US_EAST_1)
+ ec2_client_us_east_1.create_vpc(CidrBlock="10.0.0.0/16")
+ default_sg = ec2_client_us_east_1.describe_security_groups(
+ GroupNames=["default"]
+ )["SecurityGroups"][0]
 default_sg_id = default_sg["GroupId"]
 default_sg_name = default_sg["GroupName"]
- ec2_client.authorize_security_group_ingress(
+ ec2_client_us_east_1.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
 {
@@ -104,7 +113,9 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379:
 from prowler.providers.aws.services.ec2.ec2_service import EC2
- current_audit_info = self.set_mocked_audit_info()
+ current_audit_info = set_mocked_aws_audit_info(
+ audited_regions=[AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1]
+ )
 with mock.patch(
 "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
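Review bot: The new per-region loops in test_ec2_default_sgs only assert inside `if res.resource_id == sg["GroupId"]`, so a finding whose resource_id matches none of the described groups, or a described group that produced no finding, is never checked and the test still passes on `assert len(result) == 3` alone; the removed `result[i].status == "PASS"` lines at least touched every finding. Asserting the id sets match before the loops closes that gap in two lines: `expected_ids = {sg["GroupId"] for sg in sgs_us_east_1 + sgs_eu_west_1}` and `assert {res.resource_id for res in result} == expected_ids`. The same silent-match pattern appears in the @@ -277,5 +292,18 hunk of test_ec2_default_sgs_ignoring_vpc_in_use, where the single `result[0]` is only checked if it happens to match a group in `sgs_us_east_1`. test_ec2_default_sgs starts in the previous hunk, outside this one.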
@@ -126,20 +137,20 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379:
 )
 result = check.execute()
- # One default sg per region
+ # One default sg per region + VPC
 assert len(result) == 3
- # Search changed sg
+
 for sg in result:
 if sg.resource_id == default_sg_id:
 assert sg.status == "FAIL"
- assert sg.region == AWS_REGION
+ assert sg.region == AWS_REGION_US_EAST_1
 assert (
 sg.status_extended
 == f"Security group {default_sg_name} ({default_sg_id}) has Redis port 6379 open to the Internet."
 )
 assert (
 sg.resource_arn
- == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
+ == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION_US_EAST_1}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
 assert sg.resource_details == default_sg_name
 assert sg.resource_tags == []
@@ -147,7 +158,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379:
 @mock_ec2
 def test_ec2_compliant_default_sg(self):
 # Create EC2 Mocked Resources
- ec2_client = client("ec2", region_name=AWS_REGION)
+ ec2_client = client("ec2", region_name=AWS_REGION_US_EAST_1)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
 default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
@@ -168,8 +179,9 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379:
 from prowler.providers.aws.services.ec2.ec2_service import EC2
- current_audit_info = self.set_mocked_audit_info()
-
+ current_audit_info = set_mocked_aws_audit_info(
+ audited_regions=[AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1]
+ )
 with mock.patch(
 "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
 new=current_audit_info,
@@ -192,18 +204,18 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379:
 # One default sg per region
 assert len(result) == 3
- # Search changed sg
+
 for sg in result:
 if sg.resource_id == default_sg_id:
 assert sg.status == "PASS"
- assert sg.region == AWS_REGION
+ assert sg.region == AWS_REGION_US_EAST_1
 assert (
 sg.status_extended
 == f"Security group {default_sg_name} ({default_sg_id}) does not have Redis port 6379 open to the Internet."
 )
 assert (
 sg.resource_arn
- == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
+ == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION_US_EAST_1}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
 assert sg.resource_details == default_sg_name
 assert sg.resource_tags == []
@@ -211,12 +223,14 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379:
 @mock_ec2
 def test_ec2_default_sgs_ignoring(self):
 # Create EC2 Mocked Resources
- ec2_client = client("ec2", region_name=AWS_REGION)
+ ec2_client = client("ec2", region_name=AWS_REGION_US_EAST_1)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
 from prowler.providers.aws.services.ec2.ec2_service import EC2
- current_audit_info = self.set_mocked_audit_info()
+ current_audit_info = set_mocked_aws_audit_info(
+ audited_regions=[AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1]
+ )
 current_audit_info.ignore_unused_services = True
 with mock.patch(
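Review bot: The context line `# One default sg per region` at the top of the @@ -192,18 +204,18 hunk in test_ec2_compliant_default_sg keeps the old wording, while the same comment in the @@ -73 and @@ -126 hunks of this file was updated to `# One default sg per region + VPC` to explain why three findings are expected from two regions. Since the commit touches the region assertions in this hunk anyway, changing this line to `# One default sg per region + VPC` keeps the four tests consistent and stops the comment contradicting `assert len(result) == 3`. test_ec2_compliant_default_sg starts in an earlier hunk, outside this one.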
@@ -225,6 +239,9 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379:
 ), mock.patch(
 "prowler.providers.aws.services.ec2.ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379.ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379.ec2_client",
 new=EC2(current_audit_info),
+ ), mock.patch(
+ "prowler.providers.aws.services.ec2.ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379.ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379.vpc_client",
+ new=VPC(current_audit_info),
 ):
 # Test Check
 from prowler.providers.aws.services.ec2.ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379.ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379 import (
@@ -241,19 +258,17 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379:
 @mock_ec2
 def test_ec2_default_sgs_ignoring_vpc_in_use(self):
 # Create EC2 Mocked Resources
- ec2 = resource("ec2", region_name=AWS_REGION)
+ ec2 = resource("ec2", region_name=AWS_REGION_US_EAST_1)
 vpc = ec2.create_vpc(CidrBlock="10.0.0.0/16")
 subnet = ec2.create_subnet(VpcId=vpc.id, CidrBlock="10.0.0.0/18")
 ec2.create_network_interface(SubnetId=subnet.id)
- ec2_client = client("ec2", region_name=AWS_REGION)
- default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
- "SecurityGroups"
- ][0]
- default_sg["GroupId"]
- default_sg["GroupName"]
+ ec2_client = client("ec2", region_name=AWS_REGION_US_EAST_1)
+
+ sgs_us_east_1 = ec2_client.describe_security_groups()["SecurityGroups"]
+
 from prowler.providers.aws.services.ec2.ec2_service import EC2
- current_audit_info = self.set_mocked_audit_info()
+ current_audit_info = set_mocked_aws_audit_info()
 current_audit_info.ignore_unused_services = True
 with mock.patch(
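Review bot: In the @@ -241,19 +258,17 hunk, `current_audit_info = set_mocked_aws_audit_info()` in test_ec2_default_sgs_ignoring_vpc_in_use is the only call in this file that omits `audited_regions=[AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1]`, so this test now depends on whatever region list the helper defaults to, which is not visible in the diff. If that default differs from the two-region list the sibling tests pass, the `assert len(result) == 1` that follows in the next hunk is exercising a different region set than the rest of the file, and presumably only passes because the unused default VPCs are filtered by `ignore_unused_services`. Passing the regions explicitly, as the other tests do, or adding `# default region set from set_mocked_aws_audit_info is sufficient: only the us-east-1 VPC is in use` would make the intent clear. The test body continues past the end of this hunk.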
@@ -277,5 +292,18 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379:
 result = check.execute()
 assert len(result) == 1
- assert result[0].status == "PASS"
- assert result[0].region == AWS_REGION
+
+ for sg in sgs_us_east_1:
+ if sg["GroupId"] == result[0].resource_id:
+ assert result[0].status == "PASS"
+ assert result[0].region == AWS_REGION_US_EAST_1
+ assert (
+ result[0].status_extended
+ == f"Security group {sg['GroupName']} ({sg['GroupId']}) does not have Redis port 6379 open to the Internet."
+ )
+ assert (
+ result[0].resource_arn
+ == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION_US_EAST_1}:{current_audit_info.audited_account}:security-group/{sg['GroupId']}"
+ )
+ assert result[0].resource_details == sg["GroupName"]
+ assert result[0].resource_tags == []