ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 06:45:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(role arguments): enhance role arguments validation (#3240)

Browse Source
This commit is contained in:
Sergio Garcia
2024-01-08 14:41:52 +01:00
committed by GitHub
parent 80b88a9365
commit 1df84ef6e4
5 changed files with 24 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
prowler/providers/aws/aws_provider.py
View File

@@ -10,7 +10,10 @@ from prowler.config.config import aws_services_json_file
from prowler.lib.check.check import list_modules, recover_checks_from_service
from prowler.lib.logger import logger
from prowler.lib.utils.utils import open_file, parse_json_file
from prowler.providers.aws.config import AWS_STS_GLOBAL_ENDPOINT_REGION
from prowler.providers.aws.config import (
AWS_STS_GLOBAL_ENDPOINT_REGION,
ROLE_SESSION_NAME,
)
from prowler.providers.aws.lib.audit_info.models import AWS_Assume_Role, AWS_Audit_Info
from prowler.providers.aws.lib.credentials.credentials import create_sts_session
@@ -116,7 +119,7 @@ def assume_role(
role_session_name = (
assumed_role_info.role_session_name
if assumed_role_info.role_session_name
else "ProwlerAssessmentSession"
else ROLE_SESSION_NAME
)
assume_role_arguments = {

1
prowler/providers/aws/config.py
View File

@@ -1,2 +1,3 @@
AWS_STS_GLOBAL_ENDPOINT_REGION = "us-east-1"
BOTO3_USER_AGENT_EXTRA = "APN_1826889"
ROLE_SESSION_NAME = "ProwlerAssessmentSession"

14
prowler/providers/aws/lib/arguments/arguments.py
View File

@@ -2,6 +2,7 @@ from argparse import ArgumentTypeError, Namespace
from re import fullmatch, search
from prowler.providers.aws.aws_provider import get_aws_available_regions
from prowler.providers.aws.config import ROLE_SESSION_NAME
from prowler.providers.aws.lib.arn.arn import arn_type
@@ -30,7 +31,7 @@ def init_parser(self):
aws_auth_subparser.add_argument(
"--role-session-name",
nargs="?",
default="ProwlerAssessmentSession",
default=ROLE_SESSION_NAME,
help="An identifier for the assumed role session. Defaults to ProwlerAssessmentSession",
type=validate_role_session_name,
)
@@ -194,10 +195,15 @@ def validate_arguments(arguments: Namespace) -> tuple[bool, str]:
# Handle if session_duration is not the default value or external_id is set
if (
arguments.session_duration and arguments.session_duration != 3600
) or arguments.external_id:
(arguments.session_duration and arguments.session_duration != 3600)
or arguments.external_id
or arguments.role_session_name != ROLE_SESSION_NAME
):
if not arguments.role:
return (False, "To use -I/-T options -R option is needed")
return (
False,
"To use -I/--external-id, -T/--session-duration or --role-session-name options -R/--role option is needed",
)
return (True, "")

11
tests/lib/cli/parser_test.py
View File

@@ -5,6 +5,7 @@ import pytest
from mock import patch
from prowler.lib.cli.parser import ProwlerArgumentParser
from prowler.providers.aws.config import ROLE_SESSION_NAME
from prowler.providers.aws.lib.arguments.arguments import (
validate_bucket,
validate_role_session_name,
@@ -743,7 +744,7 @@ class Test_Parser:
assert wrapped_exit.value.code == 2
assert (
capsys.readouterr().err
== f"{prowler_default_usage_error}\nprowler: error: aws: To use -I/-T options -R option is needed\n"
== f"{prowler_default_usage_error}\nprowler: error: aws: To use -I/--external-id, -T/--session-duration or --role-session-name options -R/--role option is needed\n"
)
def test_aws_parser_session_duration_long(self, capsys):
@@ -756,7 +757,7 @@ class Test_Parser:
assert wrapped_exit.value.code == 2
assert (
capsys.readouterr().err
== f"{prowler_default_usage_error}\nprowler: error: aws: To use -I/-T options -R option is needed\n"
== f"{prowler_default_usage_error}\nprowler: error: aws: To use -I/--external-id, -T/--session-duration or --role-session-name options -R/--role option is needed\n"
)
# TODO
@@ -777,7 +778,7 @@ class Test_Parser:
assert wrapped_exit.value.code == 2
assert (
capsys.readouterr().err
== f"{prowler_default_usage_error}\nprowler: error: aws: To use -I/-T options -R option is needed\n"
== f"{prowler_default_usage_error}\nprowler: error: aws: To use -I/--external-id, -T/--session-duration or --role-session-name options -R/--role option is needed\n"
)
def test_aws_parser_external_id_long(self, capsys):
@@ -790,7 +791,7 @@ class Test_Parser:
assert wrapped_exit.value.code == 2
assert (
capsys.readouterr().err
== f"{prowler_default_usage_error}\nprowler: error: aws: To use -I/-T options -R option is needed\n"
== f"{prowler_default_usage_error}\nprowler: error: aws: To use -I/--external-id, -T/--session-duration or --role-session-name options -R/--role option is needed\n"
)
def test_aws_parser_region_f(self):
@@ -1017,7 +1018,7 @@ class Test_Parser:
def test_aws_parser_role_session_name(self):
argument = "--role-session-name"
role_session_name = "ProwlerAssessmentSession"
role_session_name = ROLE_SESSION_NAME
command = [prowler_command, argument, role_session_name]
parsed = self.parser.parse(command)
assert parsed.role_session_name == role_session_name

4
tests/providers/common/audit_info_test.py
View File

@@ -393,7 +393,7 @@ class Test_Set_Audit_Info:
with pytest.raises(SystemExit) as exception:
_ = set_provider_audit_info(provider, arguments)
# assert exception == "To use -I/-T options -R option is needed"
# assert exception == "To use -I/--external-id, -T/--session-duration or --role-session-name options -R/--role option is needed"
assert isinstance(exception, pytest.ExceptionInfo)
def test_set_audit_info_external_id_without_role(self):
@@ -413,5 +413,5 @@ class Test_Set_Audit_Info:
with pytest.raises(SystemExit) as exception:
_ = set_provider_audit_info(provider, arguments)
# assert exception == "To use -I/-T options -R option is needed"
# assert exception == "To use -I/--external-id, -T/--session-duration or --role-session-name options -R/--role option is needed"
assert isinstance(exception, pytest.ExceptionInfo)