fix(allowlist) - tags parameter is a string, not a list (#2375)

This commit is contained in:
Kevin Pullin
2023-05-23 00:51:50 -07:00
committed by GitHub
parent a4a400facf
commit 1234c1e7e2
2 changed files with 36 additions and 37 deletions


@@ -212,13 +212,12 @@ def is_allowlisted_in_tags(check_allowlist, elem, resource, tags):
all_allowed_tags_in_resource_tags = True all_allowed_tags_in_resource_tags = True
for allowed_tag in check_allowlist["Tags"]: for allowed_tag in check_allowlist["Tags"]:
found_allowed_tag = False found_allowed_tag = False
for resource_tag in tags: if re.search(allowed_tag, tags):
if re.search(allowed_tag, resource_tag): found_allowed_tag = True
found_allowed_tag = True
break
if not found_allowed_tag: if not found_allowed_tag:
all_allowed_tags_in_resource_tags = False all_allowed_tags_in_resource_tags = False
break
return all_allowed_tags_in_resource_tags return all_allowed_tags_in_resource_tags
else: else:
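Review bot: The new `re.search(allowed_tag, tags)` at the top of the hunk runs each allowlist pattern unanchored against the whole tag string, so a pattern can match inside another tag's key or value or, with `.*`, span across the tag separator — and because a match suppresses the finding, an overly broad pattern silently widens the allowlist. The removed code matched one resource tag at a time; the tests in this commit pass tags joined as `"environment=dev | project=prowler"`, so per-tag matching could be kept with `found_allowed_tag = any(re.search(allowed_tag, tag) for tag in tags.split(" | "))` (the separator is inferred from the tests, so confirm it against the caller that builds the string). If `tags` can arrive as `None` rather than `""`, `re.search` raises `TypeError`, so guard with `tags or ""` or document that callers must pass a string. The outer `break` after `all_allowed_tags_in_resource_tags = False` was dropped along with the inner loop, which is harmless but makes the remaining loop keep searching after the result is already decided. `is_allowlisted_in_tags` begins before the hunk and its `else:` branch continues past it.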


@@ -165,15 +165,15 @@ class Test_Allowlist:
} }
assert is_allowlisted( assert is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler", [] allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler", ""
) )
assert is_allowlisted( assert is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-test", [] allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-test", ""
) )
assert is_allowlisted( assert is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "test-prowler", [] allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "test-prowler", ""
) )
assert is_allowlisted( assert is_allowlisted(
@@ -187,7 +187,7 @@ class Test_Allowlist:
assert not ( assert not (
is_allowlisted( is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", [] allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", ""
) )
) )
@@ -207,20 +207,20 @@ class Test_Allowlist:
} }
assert is_allowlisted( assert is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler", [] allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler", ""
) )
assert is_allowlisted( assert is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-test", [] allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-test", ""
) )
assert is_allowlisted( assert is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "test-prowler", [] allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "test-prowler", ""
) )
assert not ( assert not (
is_allowlisted( is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", [] allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", ""
) )
) )
@@ -240,20 +240,20 @@ class Test_Allowlist:
} }
assert is_allowlisted( assert is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler", [] allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler", ""
) )
assert is_allowlisted( assert is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-test", [] allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-test", ""
) )
assert is_allowlisted( assert is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "test-prowler", [] allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "test-prowler", ""
) )
assert not ( assert not (
is_allowlisted( is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", [] allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", ""
) )
) )
@@ -273,20 +273,20 @@ class Test_Allowlist:
} }
assert is_allowlisted_in_region( assert is_allowlisted_in_region(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler", [] allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler", ""
) )
assert is_allowlisted_in_region( assert is_allowlisted_in_region(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-test", [] allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-test", ""
) )
assert is_allowlisted_in_region( assert is_allowlisted_in_region(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "test-prowler", [] allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "test-prowler", ""
) )
assert not ( assert not (
is_allowlisted_in_region( is_allowlisted_in_region(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", [] allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", ""
) )
) )
@@ -306,20 +306,20 @@ class Test_Allowlist:
} }
assert is_allowlisted_in_check( assert is_allowlisted_in_check(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler", [] allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler", ""
) )
assert is_allowlisted_in_check( assert is_allowlisted_in_check(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-test", [] allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-test", ""
) )
assert is_allowlisted_in_check( assert is_allowlisted_in_check(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "test-prowler", [] allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "test-prowler", ""
) )
assert not ( assert not (
is_allowlisted_in_check( is_allowlisted_in_check(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", [] allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", ""
) )
) )
@@ -344,7 +344,7 @@ class Test_Allowlist:
"s3_bucket_public_access", "s3_bucket_public_access",
AWS_REGION, AWS_REGION,
"prowler", "prowler",
[], "",
) )
assert is_allowlisted_in_check( assert is_allowlisted_in_check(
@@ -353,7 +353,7 @@ class Test_Allowlist:
"s3_bucket_public_access", "s3_bucket_public_access",
AWS_REGION, AWS_REGION,
"prowler-test", "prowler-test",
[], "",
) )
assert is_allowlisted_in_check( assert is_allowlisted_in_check(
@@ -362,7 +362,7 @@ class Test_Allowlist:
"s3_bucket_public_access", "s3_bucket_public_access",
AWS_REGION, AWS_REGION,
"test-prowler", "test-prowler",
[], "",
) )
assert not ( assert not (
@@ -372,7 +372,7 @@ class Test_Allowlist:
"iam_user_hardware_mfa_enabled", "iam_user_hardware_mfa_enabled",
AWS_REGION, AWS_REGION,
"test", "test",
[], "",
) )
) )
@@ -398,7 +398,7 @@ class Test_Allowlist:
"check_test", "check_test",
AWS_REGION, AWS_REGION,
"prowler", "prowler",
["environment=dev"], "environment=dev",
) )
assert is_allowlisted( assert is_allowlisted(
@@ -407,7 +407,7 @@ class Test_Allowlist:
"check_test", "check_test",
AWS_REGION, AWS_REGION,
"prowler-test", "prowler-test",
["environment=dev", "project=prowler"], "environment=dev | project=prowler",
) )
assert not ( assert not (
@@ -417,7 +417,7 @@ class Test_Allowlist:
"check_test", "check_test",
"us-east-2", "us-east-2",
"test", "test",
["environment=pro"], "environment=pro",
) )
) )
@@ -433,14 +433,14 @@ class Test_Allowlist:
check_allowlist, check_allowlist,
check_allowlist["Resources"][0], check_allowlist["Resources"][0],
"prowler", "prowler",
["environment=dev"], "environment=dev",
) )
assert is_allowlisted_in_tags( assert is_allowlisted_in_tags(
check_allowlist, check_allowlist,
check_allowlist["Resources"][0], check_allowlist["Resources"][0],
"prowler-test", "prowler-test",
["environment=dev", "project=prowler"], "environment=dev | project=prowler",
) )
assert not ( assert not (
@@ -448,7 +448,7 @@ class Test_Allowlist:
check_allowlist, check_allowlist,
check_allowlist["Resources"][0], check_allowlist["Resources"][0],
"test", "test",
["environment=pro"], "environment=pro",
) )
) )
@@ -464,19 +464,19 @@ class Test_Allowlist:
check_allowlist, check_allowlist,
check_allowlist["Resources"][0], check_allowlist["Resources"][0],
"prowler-test", "prowler-test",
["environment=test", "proj=prowler"], "environment=test | proj=prowler",
) )
assert not is_allowlisted_in_tags( assert not is_allowlisted_in_tags(
check_allowlist, check_allowlist,
check_allowlist["Resources"][0], check_allowlist["Resources"][0],
"prowler-test", "prowler-test",
["env=prod", "project=prowler"], "env=prod | project=prowler",
) )
assert not is_allowlisted_in_tags( assert not is_allowlisted_in_tags(
check_allowlist, check_allowlist,
check_allowlist["Resources"][0], check_allowlist["Resources"][0],
"prowler-test", "prowler-test",
["environment=prod", "project=myproj"], "environment=prod | project=myproj",
) )