From 2891bc0b9618909c05829903c419b8028e5bd650 Mon Sep 17 00:00:00 2001
From: Nacho Rivera
Date: Thu, 31 Aug 2023 11:54:48 +0200
Subject: [PATCH] fix(policy_condition_parser): add StringEquals aws:SourceArn condition (#2793)

---
 .../policy_condition_parser.py | 1 +
 .../policy_condition_parser_test.py | 20 +++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/prowler/providers/aws/lib/policy_condition_parser/policy_condition_parser.py b/prowler/providers/aws/lib/policy_condition_parser/policy_condition_parser.py
index 512c8f89..99a40406 100644
--- a/prowler/providers/aws/lib/policy_condition_parser/policy_condition_parser.py
+++ b/prowler/providers/aws/lib/policy_condition_parser/policy_condition_parser.py
@@ -25,6 +25,7 @@ def is_account_only_allowed_in_condition(
 "s3:resourceaccount",
 "aws:principalaccount",
 "aws:resourceaccount",
+ "aws:sourcearn",
 ],
 "StringLike": [
 "aws:sourceaccount",
diff --git a/tests/providers/aws/lib/policy_condition_parser/policy_condition_parser_test.py b/tests/providers/aws/lib/policy_condition_parser/policy_condition_parser_test.py
index 60df59a0..14d45471 100644
--- a/tests/providers/aws/lib/policy_condition_parser/policy_condition_parser_test.py
+++ b/tests/providers/aws/lib/policy_condition_parser/policy_condition_parser_test.py
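Review bot: Adding `"aws:sourcearn"` to the StringEquals key list changes what the entry means for this function, because every other key in that list (`s3:resourceaccount`, `aws:principalaccount`, `aws:resourceaccount`) carries a bare account id, whereas aws:SourceArn carries a full ARN whose account id is only the fifth colon-separated field. The comparison against the trusted account is in the body of is_account_only_allowed_in_condition, which lies outside this hunk, so I cannot confirm whether it extracts that field or does a whole-string or substring match; if it is a substring match, an ARN that merely contains the trusted account id in its resource segment while naming a different account would be treated as account-scoped, which is the wrong direction for a trust check. I would at least document the distinction at the new entry, `"aws:sourcearn",  # ARN-valued: the account id is the 5th ':'-separated field, not the whole value`, and confirm the matching code splits the ARN rather than comparing the raw string. Note also that the key is only recognized under StringEquals here; a policy written with StringLike (the sibling list that starts at the end of this hunk) or ArnLike/ArnEquals on the same key would still fall through, which is the conservative direction but worth a follow-up.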
@@ -230,6 +230,26 @@ class Test_policy_condition_parser:
 condition_statement, TRUSTED_AWS_ACCOUNT_NUMBER
 )
 
+ def test_condition_parser_string_equals_aws_SourceArn_str(self):
+ condition_statement = {
+ "StringEquals": {
+ "aws:SourceArn": f"arn:aws:cloudtrail:*:{TRUSTED_AWS_ACCOUNT_NUMBER}:trail/*"
+ }
+ }
+ assert is_account_only_allowed_in_condition(
+ condition_statement, TRUSTED_AWS_ACCOUNT_NUMBER
+ )
+
+ def test_condition_parser_string_equals_aws_SourceArn_str_not_valid(self):
+ condition_statement = {
+ "StringEquals": {
+ "aws:SourceArn": f"arn:aws:cloudtrail:*:{NON_TRUSTED_AWS_ACCOUNT_NUMBER}:trail/*"
+ }
+ }
+ assert not is_account_only_allowed_in_condition(
+ condition_statement, TRUSTED_AWS_ACCOUNT_NUMBER
+ )
+
 def test_condition_parser_string_like_aws_PrincipalAccount_list(self):
 condition_statement = {
 "StringLike": {"aws:PrincipalAccount": [TRUSTED_AWS_ACCOUNT_NUMBER]}
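Review bot: Both new fixtures put a wildcard ARN (`arn:aws:cloudtrail:*:...:trail/*`) under `StringEquals`, where IAM treats `*` as a literal character rather than a wildcard, so they exercise a condition shape that would not match anything in a real policy; a `StringLike` or `ArnLike` variant is the realistic form, and the fixture here would read better as a concrete ARN such as `f"arn:aws:cloudtrail:us-east-1:{TRUSTED_AWS_ACCOUNT_NUMBER}:trail/example-trail"`. The two cases also only differ in which account id sits in the account field, so they do not show that the parser keys off that field specifically: a third case with the trusted id in the resource name but a non-trusted id in the account field (expected `not is_account_only_allowed_in_condition(...)`) would pin that down. The surrounding tests follow a `_str` / `_list` pairing, so a list-valued `"aws:SourceArn": [f"arn:..."]` case is missing for consistency. The enclosing Test_policy_condition_parser class starts outside this hunk.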