fix(vpc_endpoint_connections_trust_boundaries): Handle AWS Account ID as Principal (#2611)

This commit is contained in:
Pepe Fagoaga
2023-08-03 09:16:58 +02:00
committed by GitHub
parent 92c8a440ea
commit 5bf3f70717
4 changed files with 782 additions and 59 deletions


@@ -6,19 +6,19 @@ AWS_ACCOUNT_NUMBER = "123456789012"
class Test_policy_condition_parser:
def test_condition_parser_string_equals_list(self):
def test_condition_parser_string_equals_aws_SourceAccount_list(self):
condition_statement = {"StringEquals": {"aws:SourceAccount": ["123456789012"]}}
assert is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_string_equals_str(self):
def test_condition_parser_string_equals_aws_SourceAccount_str(self):
condition_statement = {"StringEquals": {"aws:SourceAccount": "123456789012"}}
assert is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_string_equals_list_not_valid(self):
def test_condition_parser_string_equals_aws_SourceAccount_list_not_valid(self):
condition_statement = {
"StringEquals": {"aws:SourceAccount": ["123456789012", "111222333444"]}
}
@@ -26,13 +26,67 @@ class Test_policy_condition_parser:
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_string_equals_str_not_valid(self):
def test_condition_parser_string_equals_aws_SourceAccount_str_not_valid(self):
condition_statement = {"StringEquals": {"aws:SourceAccount": "111222333444"}}
assert not is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_arnlike_list(self):
def test_condition_parser_string_equals_s3_ResourceAccount_list(self):
condition_statement = {"StringEquals": {"s3:ResourceAccount": ["123456789012"]}}
assert is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_string_equals_s3_ResourceAccount_str(self):
condition_statement = {"StringEquals": {"s3:ResourceAccount": "123456789012"}}
assert is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_string_equals_s3_ResourceAccount_list_not_valid(self):
condition_statement = {
"StringEquals": {"s3:ResourceAccount": ["123456789012", "111222333444"]}
}
assert not is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_string_equals_s3_ResourceAccount_str_not_valid(self):
condition_statement = {"StringEquals": {"s3:ResourceAccount": "111222333444"}}
assert not is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_string_equals_aws_PrincipalAccount_list(self):
condition_statement = {
"StringEquals": {"aws:PrincipalAccount": ["123456789012"]}
}
assert is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_string_equals_aws_PrincipalAccount_str(self):
condition_statement = {"StringEquals": {"aws:PrincipalAccount": "123456789012"}}
assert is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_string_equals_aws_PrincipalAccount_list_not_valid(self):
condition_statement = {
"StringEquals": {"aws:PrincipalAccount": ["123456789012", "111222333444"]}
}
assert not is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_string_equals_aws_PrincipalAccount_str_not_valid(self):
condition_statement = {"StringEquals": {"aws:PrincipalAccount": "111222333444"}}
assert not is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_arn_like_aws_SourceArn_list(self):
condition_statement = {
"ArnLike": {"aws:SourceArn": ["arn:aws:cloudtrail:*:123456789012:trail/*"]}
}
@@ -41,7 +95,7 @@ class Test_policy_condition_parser:
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_arnlike_list_not_valid(self):
def test_condition_parser_arn_like_aws_SourceArn_list_not_valid(self):
condition_statement = {
"ArnLike": {
"aws:SourceArn": [
@@ -55,7 +109,7 @@ class Test_policy_condition_parser:
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_arnlike_str(self):
def test_condition_parser_arn_like_aws_SourceArn_str(self):
condition_statement = {
"ArnLike": {"aws:SourceArn": "arn:aws:cloudtrail:*:123456789012:trail/*"}
}
@@ -64,7 +118,7 @@ class Test_policy_condition_parser:
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_arnlike_str_not_valid(self):
def test_condition_parser_arn_like_aws_SourceArn_str_not_valid(self):
condition_statement = {
"ArnLike": {"aws:SourceArn": "arn:aws:cloudtrail:*:111222333444:trail/*"}
}
@@ -73,7 +127,50 @@ class Test_policy_condition_parser:
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_arnequals_list(self):
def test_condition_parser_arn_like_aws_PrincipalArn_list(self):
condition_statement = {
"ArnLike": {
"aws:PrincipalArn": ["arn:aws:cloudtrail:*:123456789012:trail/*"]
}
}
assert is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_arn_like_aws_PrincipalArn_list_not_valid(self):
condition_statement = {
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:cloudtrail:*:123456789012:trail/*",
"arn:aws:cloudtrail:*:111222333444:trail/*",
]
}
}
assert not is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_arn_like_aws_PrincipalArn_str(self):
condition_statement = {
"ArnLike": {"aws:PrincipalArn": "arn:aws:cloudtrail:*:123456789012:trail/*"}
}
assert is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_arn_like_aws_PrincipalArn_str_not_valid(self):
condition_statement = {
"ArnLike": {"aws:PrincipalArn": "arn:aws:cloudtrail:*:111222333444:trail/*"}
}
assert not is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_arn_equals_aws_SourceArn_list(self):
condition_statement = {
"ArnEquals": {
"aws:SourceArn": [
@@ -86,7 +183,7 @@ class Test_policy_condition_parser:
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_arnequals_list_not_valid(self):
def test_condition_parser_arn_equals_aws_SourceArn_list_not_valid(self):
condition_statement = {
"ArnEquals": {
"aws:SourceArn": [
@@ -100,7 +197,7 @@ class Test_policy_condition_parser:
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_arnequals_str(self):
def test_condition_parser_arn_equals_aws_SourceArn_str(self):
condition_statement = {
"ArnEquals": {
"aws:SourceArn": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/test"
@@ -111,7 +208,7 @@ class Test_policy_condition_parser:
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_arnequals_str_not_valid(self):
def test_condition_parser_arn_equals_aws_SourceArn_str_not_valid(self):
condition_statement = {
"ArnEquals": {
"aws:SourceArn": "arn:aws:cloudtrail:eu-west-1:111222333444:trail/test"
@@ -121,3 +218,150 @@ class Test_policy_condition_parser:
assert not is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_arn_equals_aws_PrincipalArn_list(self):
condition_statement = {
"ArnEquals": {
"aws:PrincipalArn": [
"arn:aws:cloudtrail:eu-west-1:123456789012:trail/test"
]
}
}
assert is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_arn_equals_aws_PrincipalArn_list_not_valid(self):
condition_statement = {
"ArnEquals": {
"aws:PrincipalArn": [
"arn:aws:cloudtrail:eu-west-1:123456789012:trail/test",
"arn:aws:cloudtrail:eu-west-1:111222333444:trail/test",
]
}
}
assert not is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_arn_equals_aws_PrincipalArn_str(self):
condition_statement = {
"ArnEquals": {
"aws:PrincipalArn": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/test"
}
}
assert is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_arn_equals_aws_PrincipalArn_str_not_valid(self):
condition_statement = {
"ArnEquals": {
"aws:PrincipalArn": "arn:aws:cloudtrail:eu-west-1:111222333444:trail/test"
}
}
assert not is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_string_like_aws_SourceArn_list(self):
condition_statement = {
"StringLike": {
"aws:SourceArn": [
"arn:aws:cloudtrail:eu-west-1:123456789012:trail/test"
]
}
}
assert is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_string_like_aws_SourceArn_list_not_valid(self):
condition_statement = {
"StringLike": {
"aws:SourceArn": [
"arn:aws:cloudtrail:eu-west-1:123456789012:trail/test",
"arn:aws:cloudtrail:eu-west-1:111222333444:trail/test",
]
}
}
assert not is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_string_like_aws_SourceArn_str(self):
condition_statement = {
"StringLike": {
"aws:SourceArn": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/test"
}
}
assert is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_string_like_aws_SourceArn_str_not_valid(self):
condition_statement = {
"StringLike": {
"aws:SourceArn": "arn:aws:cloudtrail:eu-west-1:111222333444:trail/test"
}
}
assert not is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_string_like_aws_PrincipalArn_list(self):
condition_statement = {
"StringLike": {
"aws:PrincipalArn": [
"arn:aws:cloudtrail:eu-west-1:123456789012:trail/test"
]
}
}
assert is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_string_like_aws_PrincipalArn_list_not_valid(self):
condition_statement = {
"StringLike": {
"aws:PrincipalArn": [
"arn:aws:cloudtrail:eu-west-1:123456789012:trail/test",
"arn:aws:cloudtrail:eu-west-1:111222333444:trail/test",
]
}
}
assert not is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_string_like_aws_PrincipalArn_str(self):
condition_statement = {
"StringLike": {
"aws:PrincipalArn": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/test"
}
}
assert is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)
def test_condition_parser_string_like_aws_PrincipalArn_str_not_valid(self):
condition_statement = {
"StringLike": {
"aws:PrincipalArn": "arn:aws:cloudtrail:eu-west-1:111222333444:trail/test"
}
}
assert not is_account_only_allowed_in_condition(
condition_statement, AWS_ACCOUNT_NUMBER
)