feat(scanner): Tag-based scan (#1751)

Co-authored-by: Toni de la Fuente <toni@blyx.com>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
This commit is contained in:
Sergio Garcia
2023-01-31 12:19:29 +01:00
committed by GitHub
parent 0d1a5318ec
commit 3ac4dc8392
110 changed files with 1224 additions and 635 deletions


@@ -54,6 +54,7 @@ class Test_Parser:
assert not parsed.output_bucket_no_assume
assert not parsed.shodan
assert not parsed.allowlist_file
assert not parsed.scan_tags
def test_default_parser_no_arguments_azure(self):
provider = "azure"
@@ -795,6 +796,24 @@ class Test_Parser:
parsed = self.parser.parse(command)
assert parsed.allowlist_file == allowlist_file
def test_aws_parser_scan_tags_short(self):
argument = "-t"
scan_tag = "Key=Value"
command = [prowler_command, argument, scan_tag]
parsed = self.parser.parse(command)
assert len(parsed.scan_tags) == 1
assert scan_tag in parsed.scan_tags
def test_aws_parser_scan_tags_long(self):
argument = "--scan-tags"
scan_tag1 = "Key=Value"
scan_tag2 = "Key2=Value2"
command = [prowler_command, argument, scan_tag1, scan_tag2]
parsed = self.parser.parse(command)
assert len(parsed.scan_tags) == 2
assert scan_tag1 in parsed.scan_tags
assert scan_tag2 in parsed.scan_tags
def test_parser_azure_auth_sp(self):
argument = "--sp-env-auth"
command = [prowler_command, "azure", argument]
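Review bot: The two new scan-tag tests (test_aws_parser_scan_tags_short and test_aws_parser_scan_tags_long) only feed well-formed `Key=Value` strings, so the parser's behavior on a tag with no `=` or with an empty value is left unpinned, even though those strings are later used as tagging-API filters to decide what gets scanned. A third case such as `command = [prowler_command, "-t", "KeyOnly"]` asserting whichever outcome is intended (an argparse error or pass-through to the caller) would document that contract. The Test_Parser class continues outside the hunk.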


@@ -81,6 +81,7 @@ class Test_Outputs:
assumed_role_info=None,
audited_regions=["eu-west-2", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
test_output_modes = [
["csv"],
@@ -258,6 +259,7 @@ class Test_Outputs:
assumed_role_info=None,
audited_regions=["eu-west-2", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
finding = Check_Report(
load_check_metadata(
@@ -327,6 +329,7 @@ class Test_Outputs:
assumed_role_info=None,
audited_regions=["eu-west-2", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
# Creat mock bucket
bucket_name = "test_bucket"
@@ -429,6 +432,7 @@ class Test_Outputs:
assumed_role_info=None,
audited_regions=["eu-west-2", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
finding = Check_Report(
load_check_metadata(


@@ -0,0 +1,17 @@
from prowler.lib.scan_filters.scan_filters import is_resource_filtered
class Test_Scan_Filters:
def test_is_resource_filtered(self):
audit_resources = [
"arn:aws:iam::123456789012:user/test_user",
"arn:aws:s3:::test_bucket",
]
assert is_resource_filtered(
"arn:aws:iam::123456789012:user/test_user", audit_resources
)
assert not is_resource_filtered(
"arn:aws:iam::123456789012:user/test1", audit_resources
)
assert is_resource_filtered("test_bucket", audit_resources)
assert is_resource_filtered("arn:aws:s3:::test_bucket", audit_resources)
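Review bot: The assertion `assert is_resource_filtered("test_bucket", audit_resources)` pins that a bare resource name matches the ARN `arn:aws:s3:::test_bucket`, but there is no near-miss case, so the test does not distinguish exact-name matching from substring matching; a filter that over- or under-matches would silently widen or narrow the set of audited resources. Adding e.g. `assert not is_resource_filtered("my_test_bucket", audit_resources)` (or the positive form, if substring matching is the intent) plus a case with an empty `audit_resources` list would make the contract explicit. Whether `is_resource_filtered` can also be reached with `audit_resources=None`, the value the fixtures elsewhere in this commit set, is not visible here and is presumably worth a case as well.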


@@ -56,6 +56,7 @@ class Test_AWS_Provider:
),
audited_regions=audited_regions,
organizations_metadata=None,
audit_resources=None,
)
# Call assume_role
@@ -109,6 +110,7 @@ class Test_AWS_Provider:
assumed_role_info=None,
audited_regions=audited_regions,
organizations_metadata=None,
audit_resources=None,
)
generate_regional_clients_response = generate_regional_clients(
"ec2", audit_info
@@ -137,6 +139,7 @@ class Test_AWS_Provider:
assumed_role_info=None,
audited_regions=audited_regions,
organizations_metadata=None,
audit_resources=None,
)
generate_regional_clients_response = generate_regional_clients(
"route53", audit_info, global_service=True
@@ -164,6 +167,7 @@ class Test_AWS_Provider:
assumed_role_info=None,
audited_regions=audited_regions,
organizations_metadata=None,
audit_resources=None,
)
generate_regional_clients_response = generate_regional_clients(
"shield", audit_info, global_service=True


@@ -32,6 +32,7 @@ class Test_Allowlist:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -27,6 +27,7 @@ class Test_ACM_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -27,6 +27,7 @@ class Test_APIGateway_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -58,6 +58,7 @@ class Test_ApiGatewayV2_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -29,6 +29,7 @@ class Test_AutoScaling_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -42,6 +42,7 @@ class Test_awslambda_function_invoke_api_operations_cloudtrail_logging_enabled:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -74,6 +74,7 @@ class Test_Lambda_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -151,6 +151,7 @@ class Test_CloudFormation_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -161,6 +161,7 @@ class Test_CloudFront_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -26,6 +26,7 @@ class Test_Cloudtrail_Service:
assumed_role_info=None,
audited_regions=["eu-west-1", "us-east-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -27,6 +27,7 @@ class Test_CloudWatch_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -70,6 +70,7 @@ class Test_Codebuild_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -27,6 +27,7 @@ class Test_Config_Service:
assumed_role_info=None,
audited_regions=["eu-west-1", "us-east-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -27,6 +27,7 @@ class Test_DynamoDB_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -36,6 +36,7 @@ class Test_EC2_Service:
assumed_role_info=None,
audited_regions=["eu-west-1", "us-east-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -87,6 +87,7 @@ class Test_ECR_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -39,6 +39,7 @@ class Test_ECS_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -70,6 +70,7 @@ class Test_EFS:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -44,6 +44,7 @@ class Test_EKS_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -27,6 +27,7 @@ class Test_ELB_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -27,6 +27,7 @@ class Test_ELBv2_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -30,6 +30,7 @@ class Test_emr_cluster_publicly_accesible:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -66,6 +66,7 @@ class Test_EMR_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -65,6 +65,7 @@ class Test_GlobalAccelerator_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -135,6 +135,7 @@ class Test_Glue_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -49,6 +49,7 @@ class Test_GuardDuty_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -30,6 +30,7 @@ class Test_IAM_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -29,6 +29,7 @@ class Test_ACM_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -115,6 +115,7 @@ class Test_OpenSearchService_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -27,6 +27,7 @@ class Test_RDS_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -75,6 +75,7 @@ class Test_Redshift_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -43,6 +43,7 @@ class Test_Route53_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -82,6 +82,7 @@ class Test_Route53_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -29,6 +29,7 @@ class Test_s3_account_level_public_access_blocks:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -30,6 +30,7 @@ class Test_s3_bucket_public_access:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -30,6 +30,7 @@ class Test_S3_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -116,6 +116,7 @@ class Test_SageMaker_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -45,6 +45,7 @@ class Test_SecretsManager_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -42,6 +42,7 @@ class Test_shield_advanced_protection_in_associated_elastic_ips:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -29,6 +29,7 @@ class Test_shield_advanced_protection_in_classic_load_balancers:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -42,6 +42,7 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -52,6 +52,7 @@ class Test_Shield_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -66,6 +66,7 @@ class Test_SNS_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -68,6 +68,7 @@ class Test_SQS_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -141,6 +141,7 @@ class Test_SSM_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -41,6 +41,7 @@ class Test_TrustedAdvisor_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -29,6 +29,7 @@ class Test_VPC_Service:
assumed_role_info=None,
audited_regions=["eu-west-1", "us-east-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -63,6 +63,7 @@ class Test_WAF_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -27,6 +27,7 @@ class Test_WAFv2_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -60,6 +60,7 @@ class Test_WorkSpaces_Service:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info


@@ -3,7 +3,13 @@ import json
import boto3
import sure # noqa
from mock import patch
from moto import mock_iam, mock_organizations, mock_sts
from moto import (
mock_ec2,
mock_iam,
mock_organizations,
mock_resourcegroupstaggingapi,
mock_sts,
)
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.azure.azure_provider import Azure_Provider
@@ -11,8 +17,13 @@ from prowler.providers.azure.lib.audit_info.models import (
Azure_Audit_Info,
Azure_Identity_Info,
)
from prowler.providers.common.audit_info import Audit_Info, set_provider_audit_info
from prowler.providers.common.audit_info import (
Audit_Info,
get_tagged_resources,
set_provider_audit_info,
)
EXAMPLE_AMI_ID = "ami-12c6146b"
ACCOUNT_ID = 123456789012
mock_current_audit_info = AWS_Audit_Info(
original_session=None,
@@ -27,6 +38,7 @@ mock_current_audit_info = AWS_Audit_Info(
assumed_role_info=None,
audited_regions=["eu-west-2", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
audit_metadata=None,
)
@@ -199,3 +211,49 @@ class Test_Set_Audit_Info:
audit_info = set_provider_audit_info(provider, arguments)
assert isinstance(audit_info, Azure_Audit_Info)
@mock_resourcegroupstaggingapi
@mock_ec2
def test_get_tagged_resources(self):
client = boto3.client("ec2", region_name="eu-central-1")
instances = client.run_instances(
ImageId=EXAMPLE_AMI_ID,
MinCount=1,
MaxCount=1,
InstanceType="t2.micro",
TagSpecifications=[
{
"ResourceType": "instance",
"Tags": [
{"Key": "MY_TAG1", "Value": "MY_VALUE1"},
{"Key": "MY_TAG2", "Value": "MY_VALUE2"},
],
},
{
"ResourceType": "instance",
"Tags": [{"Key": "ami", "Value": "test"}],
},
],
)
instance_id = instances["Instances"][0]["InstanceId"]
image_id = client.create_image(Name="testami", InstanceId=instance_id)[
"ImageId"
]
client.create_tags(Resources=[image_id], Tags=[{"Key": "ami", "Value": "test"}])
mock_current_audit_info.audited_regions = ["eu-central-1"]
mock_current_audit_info.audit_session = boto3.session.Session()
assert len(get_tagged_resources(["ami=test"], mock_current_audit_info)) == 2
assert image_id in str(
get_tagged_resources(["ami=test"], mock_current_audit_info)
)
assert instance_id in str(
get_tagged_resources(["ami=test"], mock_current_audit_info)
)
assert (
len(get_tagged_resources(["MY_TAG1=MY_VALUE1"], mock_current_audit_info))
== 1
)
assert instance_id in str(
get_tagged_resources(["MY_TAG1=MY_VALUE1"], mock_current_audit_info)
)


@@ -53,6 +53,7 @@ class Test_Common_Output_Options:
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info