From 1df84ef6e437d9bdf79f9f90fcc8fa7cddcac5ab Mon Sep 17 00:00:00 2001
From: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Date: Mon, 8 Jan 2024 14:41:52 +0100
Subject: [PATCH] chore(role arguments): enhance role arguments validation (#3240)
---
 prowler/providers/aws/aws_provider.py | 7 +++++--
 prowler/providers/aws/config.py | 1 +
 prowler/providers/aws/lib/arguments/arguments.py | 14 ++++++++++----
 tests/lib/cli/parser_test.py | 11 ++++++-----
 tests/providers/common/audit_info_test.py | 4 ++--
 5 files changed, 24 insertions(+), 13 deletions(-)
diff --git a/prowler/providers/aws/aws_provider.py b/prowler/providers/aws/aws_provider.py
index a0d3c046..406c768d 100644
--- a/prowler/providers/aws/aws_provider.py
+++ b/prowler/providers/aws/aws_provider.py
@@ -10,7 +10,10 @@ from prowler.config.config import aws_services_json_file
 from prowler.lib.check.check import list_modules, recover_checks_from_service
 from prowler.lib.logger import logger
 from prowler.lib.utils.utils import open_file, parse_json_file
-from prowler.providers.aws.config import AWS_STS_GLOBAL_ENDPOINT_REGION
+from prowler.providers.aws.config import (
+ AWS_STS_GLOBAL_ENDPOINT_REGION,
+ ROLE_SESSION_NAME,
+)
 from prowler.providers.aws.lib.audit_info.models import AWS_Assume_Role, AWS_Audit_Info
 from prowler.providers.aws.lib.credentials.credentials import create_sts_session
@@ -116,7 +119,7 @@ def assume_role(
 role_session_name = (
 assumed_role_info.role_session_name
 if assumed_role_info.role_session_name
- else "ProwlerAssessmentSession"
+ else ROLE_SESSION_NAME
 )
 assume_role_arguments = {
diff --git a/prowler/providers/aws/config.py b/prowler/providers/aws/config.py
index 619b433f..aec92925 100644
--- a/prowler/providers/aws/config.py
+++ b/prowler/providers/aws/config.py
@@ -1,2 +1,3 @@
 AWS_STS_GLOBAL_ENDPOINT_REGION = "us-east-1"
 BOTO3_USER_AGENT_EXTRA = "APN_1826889"
+ROLE_SESSION_NAME = "ProwlerAssessmentSession"
diff --git a/prowler/providers/aws/lib/arguments/arguments.py b/prowler/providers/aws/lib/arguments/arguments.py
index 9864e9fa..1676be09 100644
--- a/prowler/providers/aws/lib/arguments/arguments.py
+++ b/prowler/providers/aws/lib/arguments/arguments.py
@@ -2,6 +2,7 @@ from argparse import ArgumentTypeError, Namespace
 from re import fullmatch, search
 from prowler.providers.aws.aws_provider import get_aws_available_regions
+from prowler.providers.aws.config import ROLE_SESSION_NAME
 from prowler.providers.aws.lib.arn.arn import arn_type
@@ -30,7 +31,7 @@ def init_parser(self):
 aws_auth_subparser.add_argument(
 "--role-session-name",
 nargs="?",
- default="ProwlerAssessmentSession",
+ default=ROLE_SESSION_NAME,
 help="An identifier for the assumed role session. Defaults to ProwlerAssessmentSession",
 type=validate_role_session_name,
 )
@@ -194,10 +195,15 @@ def validate_arguments(arguments: Namespace) -> tuple[bool, str]:
 # Handle if session_duration is not the default value or external_id is set
 if (
- arguments.session_duration and arguments.session_duration != 3600
- ) or arguments.external_id:
+ (arguments.session_duration and arguments.session_duration != 3600)
+ or arguments.external_id
+ or arguments.role_session_name != ROLE_SESSION_NAME
+ ):
 if not arguments.role:
- return (False, "To use -I/-T options -R option is needed")
+ return (
+ False,
+ "To use -I/--external-id, -T/--session-duration or --role-session-name options -R/--role option is needed",
+ )
 return (True, "")
diff --git a/tests/lib/cli/parser_test.py b/tests/lib/cli/parser_test.py
index 78d69924..cbd0fac1 100644
--- a/tests/lib/cli/parser_test.py
+++ b/tests/lib/cli/parser_test.py
@@ -5,6 +5,7 @@ import pytest
 from mock import patch
 from prowler.lib.cli.parser import ProwlerArgumentParser
+from prowler.providers.aws.config import ROLE_SESSION_NAME
 from prowler.providers.aws.lib.arguments.arguments import (
 validate_bucket,
 validate_role_session_name,
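Review bot: The help text of the `--role-session-name` option in the `@@ -30,7 +31,7 @@` hunk still hard-codes the literal `ProwlerAssessmentSession` while the default now comes from ROLE_SESSION_NAME, so the two will drift apart if the constant ever changes; `help=f"An identifier for the assumed role session. Defaults to {ROLE_SESSION_NAME}",` keeps them in step. The option also keeps `nargs="?"` with no `const`, so a bare `--role-session-name` makes argparse store None (the `type` callable is not applied to it) rather than the default, and the `!= ROLE_SESSION_NAME` comparison added to validate_arguments in the following hunk then treats it as a custom name; `const=ROLE_SESSION_NAME,` would make the bare flag fall back to the default instead. init_parser starts outside the hunk.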
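Review bot: The new `arguments.role_session_name != ROLE_SESSION_NAME` condition in the `@@ -194,10 +195,15 @@` hunk detects a non-default value rather than an explicitly given option, so `--role-session-name` passed without a value (None under `nargs="?"` with no const) trips the -R requirement even though assume_role would fall back to the default name anyway; `or arguments.role_session_name not in (None, ROLE_SESSION_NAME)` would limit the check to a real custom name. The attribute read also assumes every Namespace that reaches validate_arguments defines role_session_name, which holds for the parser but not necessarily for callers that build a Namespace by hand, where it raises AttributeError instead of returning (False, message); `getattr(arguments, "role_session_name", ROLE_SESSION_NAME)` keeps the validator from raising. The new message literal is over 100 characters and is repeated verbatim in the parser tests, so hoisting it to a module-level constant next to this check (and importing it in the tests) would avoid the copies. validate_arguments begins outside the hunk.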
@@ -743,7 +744,7 @@ class Test_Parser:
 assert wrapped_exit.value.code == 2
 assert (
 capsys.readouterr().err
- == f"{prowler_default_usage_error}\nprowler: error: aws: To use -I/-T options -R option is needed\n"
+ == f"{prowler_default_usage_error}\nprowler: error: aws: To use -I/--external-id, -T/--session-duration or --role-session-name options -R/--role option is needed\n"
 )
 def test_aws_parser_session_duration_long(self, capsys):
@@ -756,7 +757,7 @@ class Test_Parser:
 assert wrapped_exit.value.code == 2
 assert (
 capsys.readouterr().err
- == f"{prowler_default_usage_error}\nprowler: error: aws: To use -I/-T options -R option is needed\n"
+ == f"{prowler_default_usage_error}\nprowler: error: aws: To use -I/--external-id, -T/--session-duration or --role-session-name options -R/--role option is needed\n"
 )
 # TODO
@@ -777,7 +778,7 @@ class Test_Parser:
 assert wrapped_exit.value.code == 2
 assert (
 capsys.readouterr().err
- == f"{prowler_default_usage_error}\nprowler: error: aws: To use -I/-T options -R option is needed\n"
+ == f"{prowler_default_usage_error}\nprowler: error: aws: To use -I/--external-id, -T/--session-duration or --role-session-name options -R/--role option is needed\n"
 )
 def test_aws_parser_external_id_long(self, capsys):
@@ -790,7 +791,7 @@ class Test_Parser:
 assert wrapped_exit.value.code == 2
 assert (
 capsys.readouterr().err
- == f"{prowler_default_usage_error}\nprowler: error: aws: To use -I/-T options -R option is needed\n"
+ == f"{prowler_default_usage_error}\nprowler: error: aws: To use -I/--external-id, -T/--session-duration or --role-session-name options -R/--role option is needed\n"
 )
 def test_aws_parser_region_f(self):
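Review bot: The expected usage error is now a 100+-character literal duplicated across the four hunks of this file (-743, -756, -777 and -790) and has to be edited in lockstep with the message in validate_arguments whenever it changes, which is the same kind of drift the ROLE_SESSION_NAME constant was introduced to avoid. Importing the message from the arguments module the way ROLE_SESSION_NAME is imported at the top of this file and asserting `== f"{prowler_default_usage_error}\nprowler: error: aws: {<message constant>}\n"` (with the constant in place of the literal) would keep these tests in step with the code. Each test method starts outside its hunk.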
@@ -1017,7 +1018,7 @@ class Test_Parser:
 def test_aws_parser_role_session_name(self):
 argument = "--role-session-name"
- role_session_name = "ProwlerAssessmentSession"
+ role_session_name = ROLE_SESSION_NAME
 command = [prowler_command, argument, role_session_name]
 parsed = self.parser.parse(command)
 assert parsed.role_session_name == role_session_name
diff --git a/tests/providers/common/audit_info_test.py b/tests/providers/common/audit_info_test.py
index 25835d04..8502c820 100644
--- a/tests/providers/common/audit_info_test.py
+++ b/tests/providers/common/audit_info_test.py
@@ -393,7 +393,7 @@ class Test_Set_Audit_Info:
 with pytest.raises(SystemExit) as exception:
 _ = set_provider_audit_info(provider, arguments)
- # assert exception == "To use -I/-T options -R option is needed"
+ # assert exception == "To use -I/--external-id, -T/--session-duration or --role-session-name options -R/--role option is needed"
 assert isinstance(exception, pytest.ExceptionInfo)
 def test_set_audit_info_external_id_without_role(self):
@@ -413,5 +413,5 @@ class Test_Set_Audit_Info:
 with pytest.raises(SystemExit) as exception:
 _ = set_provider_audit_info(provider, arguments)
- # assert exception == "To use -I/-T options -R option is needed"
+ # assert exception == "To use -I/--external-id, -T/--session-duration or --role-session-name options -R/--role option is needed"
 assert isinstance(exception, pytest.ExceptionInfo)
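Review bot: test_aws_parser_role_session_name in the `@@ -1017,7 +1018,7 @@` hunk still only passes the default value, so it proves the flag is accepted but does not cover the new rule that a non-default session name requires -R, and no other hunk in this commit adds that case. A companion test that passes a non-default name without -R and expects exit code 2 with the new usage error, following the session-duration and external-id tests earlier in this class, would pin the behaviour this commit introduces. The enclosing class starts outside the hunk.
```python
    def test_aws_parser_role_session_name_without_role(self, capsys):
        argument = "--role-session-name"
        role_session_name = "CustomSessionName"  # constructed non-default value
        command = [prowler_command, argument, role_session_name]
        with pytest.raises(SystemExit) as wrapped_exit:
            self.parser.parse(command)
        assert wrapped_exit.value.code == 2
        assert "--role-session-name options -R/--role option is needed" in capsys.readouterr().err
```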
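Review bot: The updated line in the `@@ -393,7 +393,7 @@` hunk of audit_info_test.py is a commented-out assertion, so it is being maintained without ever executing, and as written it could not pass even if uncommented because `exception` is the pytest.ExceptionInfo bound by `pytest.raises`, not the message string; the `@@ -413,5 +413,5 @@` hunk has the same comment. Either drop the comment or replace it with a live check on `exception.value` (the SystemExit instance), since the remaining `assert isinstance(exception, pytest.ExceptionInfo)` is always true once the `with` block has exited and does not verify which error was raised. Both test methods start outside their hunks.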