From 2d1c3d8121a7b58ac510ac6896967633cde95ce8 Mon Sep 17 00:00:00 2001
From: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Date: Tue, 14 Mar 2023 13:10:21 +0100
Subject: [PATCH] fix(emr): solve emr_cluster_publicly_accesible error (#2086)
---
 .../emr_cluster_publicly_accesible.py | 10 ++-
 .../emr_cluster_publicly_accesible_test.py | 83 +++++++++++++++++++
 2 files changed, 91 insertions(+), 2 deletions(-)
diff --git a/prowler/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible.py b/prowler/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible.py
index 868a6e60..dfc28895
--- a/prowler/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible.py
+++ b/prowler/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible.py
@@ -32,7 +32,10 @@ class emr_cluster_publicly_accesible(Check):
 master_node_sg_groups = deepcopy(
 cluster.master.additional_security_groups_id
 )
- master_node_sg_groups.append(cluster.master.security_group_id)
+ if master_node_sg_groups:
+ master_node_sg_groups.append(cluster.master.security_group_id)
+ else:
+ master_node_sg_groups = [cluster.master.security_group_id]
 master_public_security_groups = []
 for master_sg in master_node_sg_groups:
@@ -51,7 +54,10 @@ class emr_cluster_publicly_accesible(Check):
 slave_node_sg_groups = deepcopy(
 cluster.slave.additional_security_groups_id
 )
- slave_node_sg_groups.append(cluster.slave.security_group_id)
+ if slave_node_sg_groups:
+ slave_node_sg_groups.append(cluster.slave.security_group_id)
+ else:
+ slave_node_sg_groups = [cluster.slave.security_group_id]
 slave_public_security_groups = []
 for slave_sg in slave_node_sg_groups:
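Review bot: The new `if master_node_sg_groups:` branch deep-copies a value that may be `None` and then tests its truthiness, which is a roundabout way of saying "start from the additional groups, if any"; `master_node_sg_groups = list(cluster.master.additional_security_groups_id or [])` followed by the unconditional `master_node_sg_groups.append(cluster.master.security_group_id)` does the same in two lines, drops the `deepcopy` of what the test suggests is a list of plain string ids, and also tolerates a tuple. The identical four-line branch is repeated for the slave node in the next hunk, so a small helper such as `_node_security_groups(node)` would keep the two paths from drifting apart. The fix does not cover `security_group_id` itself being `None`; if the EMR API can omit the managed group, `[None]` would be handed to the per-group EC2 lookup loop, which deserves a guard or at least a comment, though I cannot confirm that case from the hunk. The enclosing method (presumably `execute`, judging from the test) starts before and continues after this hunk.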
diff --git a/tests/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible_test.py b/tests/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible_test.py
index cbee0814..58a781f8
--- a/tests/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible_test.py
+++ b/tests/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible_test.py
@@ -361,3 +361,86 @@ class Test_emr_cluster_publicly_accesible:
 result[0].status_extended
 == f"EMR Cluster {cluster_id} is publicly accessible through the following Security Groups: Master Node {master_expected_public_sgs}"
 )
+
+ @mock_ec2
+ def test_clusters_master_private_slave_public_sg_none_additional_sgs(self):
+ # EC2 Client
+ ec2 = resource("ec2", AWS_REGION)
+ # Create Master Security Group
+ master_security_group = ec2.create_security_group(
+ GroupName=str(uuid4()), Description="test-decurity-group"
+ )
+ master_security_group.authorize_ingress(
+ IpProtocol="tcp",
+ FromPort=0,
+ ToPort=65535,
+ CidrIp="10.0.0.0/8",
+ )
+
+ # Create Slave Security Group
+ slave_security_group = ec2.create_security_group(
+ GroupName=str(uuid4()), Description="test-decurity-group"
+ )
+ slave_security_group.authorize_ingress(
+ IpProtocol="tcp",
+ FromPort=0,
+ ToPort=65535,
+ CidrIp="0.0.0.0/0",
+ )
+
+ # EMR Client
+ emr_client = mock.MagicMock
+ cluster_name = "test-cluster"
+ cluster_id = "j-XWO1UKVCC6FCV"
+ cluster_arn = f"arn:aws:elasticmapreduce:{AWS_REGION}:{DEFAULT_ACCOUNT_ID}:cluster/{cluster_name}"
+ emr_client.clusters = {
+ "test-cluster": Cluster(
+ id=cluster_id,
+ arn=cluster_arn,
+ name=cluster_name,
+ status=ClusterStatus.RUNNING,
+ region=AWS_REGION,
+ master_public_dns_name="test.amazonaws.com",
+ public=True,
+ master=Node(
+ security_group_id=master_security_group.id,
+ additional_security_groups_id=None,
+ ),
+ slave=Node(
+ security_group_id=slave_security_group.id,
+ additional_security_groups_id=None,
+ ),
+ )
+ }
+
+ slave_expected_public_sgs = [slave_security_group.id]
+
+ from prowler.providers.aws.services.ec2.ec2_service import EC2
+
+ with mock.patch(
+ "prowler.providers.aws.services.emr.emr_service.EMR",
+ new=emr_client,
+ ), mock.patch(
+ "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+ self.set_mocked_audit_info(),
+ ), mock.patch(
+ "prowler.providers.aws.services.emr.emr_cluster_publicly_accesible.emr_cluster_publicly_accesible.ec2_client",
+ new=EC2(self.set_mocked_audit_info()),
+ ):
+ # Test Check
+ from prowler.providers.aws.services.emr.emr_cluster_publicly_accesible.emr_cluster_publicly_accesible import (
+ emr_cluster_publicly_accesible,
+ )
+
+ check = emr_cluster_publicly_accesible()
+ result = check.execute()
+
+ assert len(result) == 1
+ assert result[0].region == AWS_REGION
+ assert result[0].resource_id == cluster_id
+ assert result[0].resource_arn == cluster_arn
+ assert result[0].status == "FAIL"
+ assert (
+ result[0].status_extended
+ == f"EMR Cluster {cluster_id} is publicly accessible through the following Security Groups: Slaves Nodes {slave_expected_public_sgs}"
+ )
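Review bot: `emr_client = mock.MagicMock` binds the MagicMock class itself, not an instance, so `emr_client.clusters = {...}` installs the cluster dict as a class attribute on `unittest.mock.MagicMock` that outlives this test and is inherited by every MagicMock created later in the same process; a subsequent test whose own setup is broken can silently pick up this `test-cluster` and pass by accident. The earlier tests in this file may already rely on the same trick, so the leak is not new, but a new test should not extend it: create an instance with `emr_client = mock.MagicMock()`, set `emr_client.clusters` on that, and patch `emr_service.EMR` with `new=mock.MagicMock(return_value=emr_client)` so the check's constructor call still receives the prepared object (this assumes the check instantiates `EMR(...)` at import time, which I cannot see from here). Separately, `Description="test-decurity-group"` is a typo carried over from the neighbouring tests; `"test-security-group"` is harmless to fix while touching it. The test method is complete within the hunk; its enclosing class `Test_emr_cluster_publicly_accesible` begins above it.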