From 5e567f3e3734c258b06abebf7f643eaec87dfdf7 Mon Sep 17 00:00:00 2001 From: Sergio Garcia <38561120+sergargar@users.noreply.github.com> Date: Mon, 17 Apr 2023 11:14:48 +0200 Subject: [PATCH] fix(iam tests): mock audit_info object (#2226) Co-authored-by: n4ch04 --- .../iam_administrator_access_with_mfa_test.py | 214 +++++++----- .../iam_avoid_root_usage_test.py | 314 +++++++++++------- .../iam_check_saml_providers_sts_test.py | 56 +++- .../iam_disable_30_days_credentials_test.py | 287 +++++++++------- .../iam_disable_45_days_credentials_test.py | 287 +++++++++------- .../iam_disable_90_days_credentials_test.py | 286 +++++++++------- ..._policy_permissive_role_assumption_test.py | 223 ++++++++----- ...expired_server_certificates_stored_test.py | 90 +++-- .../iam_no_root_access_key_test.py | 259 +++++++++------ ...s_passwords_within_90_days_or_less_test.py | 213 +++++++----- .../iam_password_policy_lowercase_test.py | 41 ++- ..._password_policy_minimum_length_14_test.py | 47 ++- .../iam_password_policy_number_test.py | 41 ++- .../iam_password_policy_reuse_24_test.py | 39 ++- .../iam_password_policy_symbol_test.py | 41 ++- .../iam_password_policy_uppercase_test.py | 39 ++- ...policy_allows_privilege_escalation_test.py | 51 ++- ...cy_attached_only_to_group_or_roles_test.py | 49 ++- ...olicy_no_administrative_privileges_test.py | 47 ++- ...service_confused_deputy_prevention_test.py | 39 ++- .../iam_root_hardware_mfa_enabled_test.py | 43 ++- .../iam_root_mfa_enabled_test.py | 41 ++- .../iam_rotate_access_key_90_days_test.py | 47 ++- .../iam_securityaudit_role_created_test.py | 5 +- .../iam_support_role_created_test.py | 40 ++- .../iam_user_hardware_mfa_enabled_test.py | 50 ++- ...am_user_mfa_enabled_console_access_test.py | 54 ++- ...m_user_no_setup_initial_access_key_test.py | 43 ++- .../iam_user_two_active_access_key_test.py | 56 +++- 29 files changed, 2065 insertions(+), 977 deletions(-) 
diff --git a/tests/providers/aws/services/iam/iam_administrator_access_with_mfa/iam_administrator_access_with_mfa_test.py b/tests/providers/aws/services/iam/iam_administrator_access_with_mfa/iam_administrator_access_with_mfa_test.py index 19d9dc7f..e671ee26 100644 --- a/tests/providers/aws/services/iam/iam_administrator_access_with_mfa/iam_administrator_access_with_mfa_test.py +++ b/tests/providers/aws/services/iam/iam_administrator_access_with_mfa/iam_administrator_access_with_mfa_test.py @@ -2,11 +2,40 @@ from json import dumps from re import search from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" +AWS_REGION = "us-east-1" + class Test_iam_administrator_access_with_mfa_test: + # Mocked Audit Info + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + region_name=AWS_REGION, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=AWS_REGION, + credentials=None, + assumed_role_info=None, + audited_regions=None, + organizations_metadata=None, + audit_resources=None, + ) + return audit_info + @mock_iam def test_group_with_no_policies(self): iam = client("iam") 
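Review bot: `set_mocked_audit_info` is added verbatim to this class and, per the diffstat, to the other 28 test files in the commit (the identical body appears again in the hunks for iam_avoid_root_usage, iam_check_saml_providers_sts and iam_disable_30_days_credentials further down), so any change to the `AWS_Audit_Info` constructor will have to be repeated 29 times; one module-level helper shared by the IAM tests would keep the fixture in a single place. The name also suggests it mutates something, while it only builds and returns a new object, so it deserves a docstring such as `"""Build an AWS_Audit_Info backed by a fresh boto3 session for AWS_ACCOUNT_NUMBER/AWS_REGION; no global state is modified."""`. Since `session.Session(profile_name=None, ...)` falls back to the default credential chain, the helper presumably only yields an isolated session while it is invoked inside a `@mock_iam`-decorated test, which is worth stating in that docstring so nobody calls it from a plain test.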
@@ -14,28 +43,31 @@ class Test_iam_administrator_access_with_mfa_test: arn = iam.create_group(GroupName=group_name)["Group"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client", - new=IAM(current_audit_info), + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, ): - from prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa import ( - iam_administrator_access_with_mfa, - ) + with mock.patch( + "prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client", + new=IAM(audit_info), + ): + from prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa import ( + iam_administrator_access_with_mfa, + ) - check = iam_administrator_access_with_mfa() - result = check.execute() - assert len(result) == 1 - assert result[0].status == "PASS" - assert result[0].resource_id == group_name - assert result[0].resource_arn == arn - assert search( - f"Group {group_name} has no policies.", result[0].status_extended - ) + check = iam_administrator_access_with_mfa() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "PASS" + assert result[0].resource_id == group_name + assert result[0].resource_arn == arn + assert search( + f"Group {group_name} has no policies.", result[0].status_extended + ) @mock_iam def test_group_non_administrative_policy(self): 
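Review bot: The two `mock.patch` blocks are nested only to enter the `current_audit_info` patch before the `iam_client` one, which a single `with` statement with two context managers does in the same order and with one less indentation level: `with mock.patch("prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", new=audit_info), mock.patch("prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client", new=IAM(audit_info)):`. The same nesting is repeated in every other hunk shown here (the remaining hunks of this file and those of iam_avoid_root_usage, iam_check_saml_providers_sts and iam_disable_30_days_credentials), and flattening it would also remove most of the re-indentation noise the commit introduces. `test_group_with_no_policies` begins in the previous hunk and `test_group_non_administrative_policy` continues past this one.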
@@ -54,29 +86,32 @@ class Test_iam_administrator_access_with_mfa_test: arn = iam.create_group(GroupName=group_name)["Group"]["Arn"] iam.attach_group_policy(GroupName=group_name, PolicyArn=policy_arn) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client", - new=IAM(current_audit_info), + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, ): - from prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa import ( - iam_administrator_access_with_mfa, - ) + with mock.patch( + "prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client", + new=IAM(audit_info), + ): + from prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa import ( + iam_administrator_access_with_mfa, + ) - check = iam_administrator_access_with_mfa() - result = check.execute() - assert len(result) == 1 - assert result[0].status == "PASS" - assert result[0].resource_id == group_name - assert result[0].resource_arn == arn - assert search( - f"Group {group_name} provides non-administrative access.", - result[0].status_extended, - ) + check = iam_administrator_access_with_mfa() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "PASS" + assert result[0].resource_id == group_name + assert result[0].resource_arn == arn + assert search( + f"Group {group_name} provides non-administrative access.", + result[0].status_extended, + ) @mock_iam def test_admin_policy_no_users(self): 
@@ -89,29 +124,32 @@ class Test_iam_administrator_access_with_mfa_test: PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess", ) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client", - new=IAM(current_audit_info), + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, ): - from prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa import ( - iam_administrator_access_with_mfa, - ) + with mock.patch( + "prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client", + new=IAM(audit_info), + ): + from prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa import ( + iam_administrator_access_with_mfa, + ) - check = iam_administrator_access_with_mfa() - result = check.execute() - assert len(result) == 1 - assert result[0].status == "PASS" - assert result[0].resource_id == group_name - assert result[0].resource_arn == arn - assert search( - f"Group {group_name} provides administrative access but does not have users.", - result[0].status_extended, - ) + check = iam_administrator_access_with_mfa() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "PASS" + assert result[0].resource_id == group_name + assert result[0].resource_arn == arn + assert search( + f"Group {group_name} provides administrative access but does not have users.", + result[0].status_extended, + ) @mock_iam def test_admin_policy_with_user_without_mfa(self): 
@@ -126,29 +164,32 @@ class Test_iam_administrator_access_with_mfa_test: ) iam.add_user_to_group(GroupName=group_name, UserName=user_name) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client", - new=IAM(current_audit_info), + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, ): - from prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa import ( - iam_administrator_access_with_mfa, - ) + with mock.patch( + "prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client", + new=IAM(audit_info), + ): + from prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa import ( + iam_administrator_access_with_mfa, + ) - check = iam_administrator_access_with_mfa() - result = check.execute() - assert len(result) == 1 - assert result[0].status == "FAIL" - assert result[0].resource_id == group_name - assert result[0].resource_arn == arn - assert search( - f"Group {group_name} provides administrator access to User {user_name} with MFA disabled.", - result[0].status_extended, - ) + check = iam_administrator_access_with_mfa() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "FAIL" + assert result[0].resource_id == group_name + assert result[0].resource_arn == arn + assert search( + f"Group {group_name} provides administrator access to User {user_name} with MFA disabled.", + result[0].status_extended, + ) @mock_iam def test_various_policies_with_users_with_and_without_mfa(self): 
@@ -187,26 +228,29 @@ class Test_iam_administrator_access_with_mfa_test: iam.add_user_to_group(GroupName=group_name, UserName=user_name_no_mfa) iam.add_user_to_group(GroupName=group_name, UserName=user_name_mfa) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client", - new=IAM(current_audit_info), + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, ): - from prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa import ( - iam_administrator_access_with_mfa, - ) + with mock.patch( + "prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client", + new=IAM(audit_info), + ): + from prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa import ( + iam_administrator_access_with_mfa, + ) - check = iam_administrator_access_with_mfa() - result = check.execute() - assert len(result) == 1 - assert result[0].status == "FAIL" - assert result[0].resource_id == group_name - assert result[0].resource_arn == arn_group - assert search( - f"Group {group_name} provides administrator access to User {user_name_no_mfa} with MFA disabled.", - result[0].status_extended, - ) + check = iam_administrator_access_with_mfa() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "FAIL" + assert result[0].resource_id == group_name + assert result[0].resource_arn == arn_group + assert search( + f"Group {group_name} provides administrator access to User {user_name_no_mfa} with MFA disabled.", + result[0].status_extended, + ) 
diff --git a/tests/providers/aws/services/iam/iam_avoid_root_usage/iam_avoid_root_usage_test.py b/tests/providers/aws/services/iam/iam_avoid_root_usage/iam_avoid_root_usage_test.py index ad9f788a..2e1c4378 100644 --- a/tests/providers/aws/services/iam/iam_avoid_root_usage/iam_avoid_root_usage_test.py +++ b/tests/providers/aws/services/iam/iam_avoid_root_usage/iam_avoid_root_usage_test.py @@ -3,10 +3,40 @@ from csv import DictReader from re import search from unittest import mock +from boto3 import session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" +AWS_REGION = "us-east-1" + class Test_iam_avoid_root_usage: + # Mocked Audit Info + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + region_name=AWS_REGION, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=AWS_REGION, + credentials=None, + assumed_role_info=None, + audited_regions=None, + organizations_metadata=None, + audit_resources=None, + ) + return audit_info + @mock_iam def test_root_not_used(self): raw_credential_report = r"""user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated 
@@ -15,29 +45,34 @@ class Test_iam_avoid_root_usage: csv_reader = DictReader(credential_lines, delimiter=",") credential_list = list(csv_reader) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import ( - iam_avoid_root_usage, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import ( + iam_avoid_root_usage, + ) - service_client.credential_report = credential_list - check = iam_avoid_root_usage() - result = check.execute() - assert result[0].status == "PASS" - assert search( - "Root user in the account wasn't accessed in the last", - result[0].status_extended, - ) - assert result[0].resource_id == "" - assert result[0].resource_arn == "arn:aws:iam::123456789012:" + service_client.credential_report = credential_list + check = iam_avoid_root_usage() + result = check.execute() + assert result[0].status == "PASS" + assert search( + "Root user in the account wasn't accessed in the last", + result[0].status_extended, + ) + assert result[0].resource_id == "" + assert ( + result[0].resource_arn == "arn:aws:iam::123456789012:" + ) @mock_iam def test_root_password_recently_used(self): 
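Review bot: The assertion `result[0].resource_arn == "arn:aws:iam::123456789012:"` hard-codes the account id even though the previous hunk introduces `AWS_ACCOUNT_NUMBER` and passes it to the mocked audit info as `audited_account`, from which the reported ARN is presumably derived; if that constant is ever changed the assertion fails although the check still behaves correctly. Derive the expectation from the same constant, `assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:"`, which also removes the need for the wrapping parentheses the reformat added. The same literal is asserted in each of the following six hunks of this file. `test_root_not_used` starts in the previous hunk and `test_root_password_recently_used` runs past this one.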
@@ -50,28 +85,34 @@ class Test_iam_avoid_root_usage: csv_reader = DictReader(credential_lines, delimiter=",") credential_list = list(csv_reader) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import ( - iam_avoid_root_usage, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import ( + iam_avoid_root_usage, + ) - service_client.credential_report = credential_list - check = iam_avoid_root_usage() - result = check.execute() - assert result[0].status == "FAIL" - assert search( - "Root user in the account was last accessed", result[0].status_extended - ) - assert result[0].resource_id == "" - assert result[0].resource_arn == "arn:aws:iam::123456789012:" + service_client.credential_report = credential_list + check = iam_avoid_root_usage() + result = check.execute() + assert result[0].status == "FAIL" + assert search( + "Root user in the account was last accessed", + result[0].status_extended, + ) + assert result[0].resource_id == "" + assert ( + result[0].resource_arn == "arn:aws:iam::123456789012:" + ) @mock_iam def test_root_access_key_1_recently_used(self): 
@@ -84,28 +125,34 @@ class Test_iam_avoid_root_usage: csv_reader = DictReader(credential_lines, delimiter=",") credential_list = list(csv_reader) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import ( - iam_avoid_root_usage, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import ( + iam_avoid_root_usage, + ) - service_client.credential_report = credential_list - check = iam_avoid_root_usage() - result = check.execute() - assert result[0].status == "FAIL" - assert search( - "Root user in the account was last accessed", result[0].status_extended - ) - assert result[0].resource_id == "" - assert result[0].resource_arn == "arn:aws:iam::123456789012:" + service_client.credential_report = credential_list + check = iam_avoid_root_usage() + result = check.execute() + assert result[0].status == "FAIL" + assert search( + "Root user in the account was last accessed", + result[0].status_extended, + ) + assert result[0].resource_id == "" + assert ( + result[0].resource_arn == "arn:aws:iam::123456789012:" + ) @mock_iam def test_root_access_key_2_recently_used(self): 
@@ -118,28 +165,34 @@ class Test_iam_avoid_root_usage: csv_reader = DictReader(credential_lines, delimiter=",") credential_list = list(csv_reader) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import ( - iam_avoid_root_usage, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import ( + iam_avoid_root_usage, + ) - service_client.credential_report = credential_list - check = iam_avoid_root_usage() - result = check.execute() - assert result[0].status == "FAIL" - assert search( - "Root user in the account was last accessed", result[0].status_extended - ) - assert result[0].resource_id == "" - assert result[0].resource_arn == "arn:aws:iam::123456789012:" + service_client.credential_report = credential_list + check = iam_avoid_root_usage() + result = check.execute() + assert result[0].status == "FAIL" + assert search( + "Root user in the account was last accessed", + result[0].status_extended, + ) + assert result[0].resource_id == "" + assert ( + result[0].resource_arn == "arn:aws:iam::123456789012:" + ) @mock_iam def test_root_password_used(self): 
@@ -152,29 +205,34 @@ class Test_iam_avoid_root_usage: csv_reader = DictReader(credential_lines, delimiter=",") credential_list = list(csv_reader) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import ( - iam_avoid_root_usage, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import ( + iam_avoid_root_usage, + ) - service_client.credential_report = credential_list - check = iam_avoid_root_usage() - result = check.execute() - assert result[0].status == "PASS" - assert search( - "Root user in the account wasn't accessed in the last 1 days", - result[0].status_extended, - ) - assert result[0].resource_id == "" - assert result[0].resource_arn == "arn:aws:iam::123456789012:" + service_client.credential_report = credential_list + check = iam_avoid_root_usage() + result = check.execute() + assert result[0].status == "PASS" + assert search( + "Root user in the account wasn't accessed in the last 1 days", + result[0].status_extended, + ) + assert result[0].resource_id == "" + assert ( + result[0].resource_arn == "arn:aws:iam::123456789012:" + ) @mock_iam def test_root_access_key_1_used(self): 
@@ -187,29 +245,34 @@ class Test_iam_avoid_root_usage: csv_reader = DictReader(credential_lines, delimiter=",") credential_list = list(csv_reader) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import ( - iam_avoid_root_usage, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import ( + iam_avoid_root_usage, + ) - service_client.credential_report = credential_list - check = iam_avoid_root_usage() - result = check.execute() - assert result[0].status == "PASS" - assert search( - "Root user in the account wasn't accessed in the last 1 days", - result[0].status_extended, - ) - assert result[0].resource_id == "" - assert result[0].resource_arn == "arn:aws:iam::123456789012:" + service_client.credential_report = credential_list + check = iam_avoid_root_usage() + result = check.execute() + assert result[0].status == "PASS" + assert search( + "Root user in the account wasn't accessed in the last 1 days", + result[0].status_extended, + ) + assert result[0].resource_id == "" + assert ( + result[0].resource_arn == "arn:aws:iam::123456789012:" + ) @mock_iam def test_root_access_key_2_used(self): 
@@ -222,26 +285,31 @@ class Test_iam_avoid_root_usage: csv_reader = DictReader(credential_lines, delimiter=",") credential_list = list(csv_reader) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import ( - iam_avoid_root_usage, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import ( + iam_avoid_root_usage, + ) - service_client.credential_report = credential_list - check = iam_avoid_root_usage() - result = check.execute() - assert result[0].status == "PASS" - assert search( - "Root user in the account wasn't accessed in the last 1 days", - result[0].status_extended, - ) - assert result[0].resource_id == "" - assert result[0].resource_arn == "arn:aws:iam::123456789012:" + service_client.credential_report = credential_list + check = iam_avoid_root_usage() + result = check.execute() + assert result[0].status == "PASS" + assert search( + "Root user in the account wasn't accessed in the last 1 days", + result[0].status_extended, + ) + assert result[0].resource_id == "" + assert ( + result[0].resource_arn == "arn:aws:iam::123456789012:" + ) 
diff --git a/tests/providers/aws/services/iam/iam_check_saml_providers_sts/iam_check_saml_providers_sts_test.py b/tests/providers/aws/services/iam/iam_check_saml_providers_sts/iam_check_saml_providers_sts_test.py index d665e433..206310e7 100644 --- a/tests/providers/aws/services/iam/iam_check_saml_providers_sts/iam_check_saml_providers_sts_test.py +++ b/tests/providers/aws/services/iam/iam_check_saml_providers_sts/iam_check_saml_providers_sts_test.py @@ -1,10 +1,39 @@ from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" +AWS_REGION = "us-east-1" + class Test_iam_check_saml_providers_sts: + # Mocked Audit Info + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + region_name=AWS_REGION, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=AWS_REGION, + credentials=None, + assumed_role_info=None, + audited_regions=None, + organizations_metadata=None, + audit_resources=None, + ) + return audit_info + @mock_iam def test_iam_check_saml_providers_sts(self): iam_client = client("iam") 
@@ -41,20 +70,23 @@ nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS SAMLMetadataDocument=xml_template, Name=saml_provider_name ) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_check_saml_providers_sts.iam_check_saml_providers_sts.iam_client", - new=IAM(current_audit_info), + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, ): - # Test Check - from prowler.providers.aws.services.iam.iam_check_saml_providers_sts.iam_check_saml_providers_sts import ( - iam_check_saml_providers_sts, - ) + with mock.patch( + "prowler.providers.aws.services.iam.iam_check_saml_providers_sts.iam_check_saml_providers_sts.iam_client", + new=IAM(audit_info), + ): + # Test Check + from prowler.providers.aws.services.iam.iam_check_saml_providers_sts.iam_check_saml_providers_sts import ( + iam_check_saml_providers_sts, + ) - check = iam_check_saml_providers_sts() - result = check.execute() - assert result[0].status == "PASS" + check = iam_check_saml_providers_sts() + result = check.execute() + assert result[0].status == "PASS" diff --git a/tests/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials_test.py b/tests/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials_test.py index b3789bc6..a9dff562 100644 --- a/tests/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials_test.py +++ b/tests/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials_test.py 
@@ -2,11 +2,40 @@ import datetime from re import search from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" +AWS_REGION = "us-east-1" + class Test_iam_disable_30_days_credentials_test: + # Mocked Audit Info + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + region_name=AWS_REGION, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=AWS_REGION, + credentials=None, + assumed_role_info=None, + audited_regions=None, + organizations_metadata=None, + audit_resources=None, + ) + return audit_info + @mock_iam def test_iam_user_logged_30_days(self): password_last_used = ( 
@@ -15,29 +44,33 @@ class Test_iam_disable_30_days_credentials_test: iam_client = client("iam") user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import ( - iam_disable_30_days_credentials, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import ( + iam_disable_30_days_credentials, + ) - service_client.users[0].password_last_used = password_last_used - check = iam_disable_30_days_credentials() - result = check.execute() - assert result[0].status == "PASS" - assert search( - f"User {user} has logged in to the console in the past 30 days.", - result[0].status_extended, - ) - assert result[0].resource_id == user - assert result[0].resource_arn == arn + service_client.users[0].password_last_used = password_last_used + check = iam_disable_30_days_credentials() + result = check.execute() + assert result[0].status == "PASS" + assert search( + f"User {user} has logged in to the console in the past 30 days.", + result[0].status_extended, + ) + assert result[0].resource_id == user + assert result[0].resource_arn == arn @mock_iam def test_iam_user_not_logged_30_days(self): 
@@ -47,59 +80,67 @@ class Test_iam_disable_30_days_credentials_test: iam_client = client("iam") user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import ( - iam_disable_30_days_credentials, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import ( + iam_disable_30_days_credentials, + ) - service_client.users[0].password_last_used = password_last_used - check = iam_disable_30_days_credentials() - result = check.execute() - assert result[0].status == "FAIL" - assert search( - f"User {user} has not logged in to the console in the past 30 days.", - result[0].status_extended, - ) - assert result[0].resource_id == user - assert result[0].resource_arn == arn + service_client.users[0].password_last_used = password_last_used + check = iam_disable_30_days_credentials() + result = check.execute() + assert result[0].status == "FAIL" + assert search( + f"User {user} has not logged in to the console in the past 30 days.", + result[0].status_extended, + ) + assert result[0].resource_id == user + assert result[0].resource_arn == arn @mock_iam def test_iam_user_not_logged(self): iam_client = client("iam") 
user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import ( - iam_disable_30_days_credentials, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import ( + iam_disable_30_days_credentials, + ) - service_client.users[0].password_last_used = "" - # raise Exception - check = iam_disable_30_days_credentials() - result = check.execute() - assert result[0].status == "PASS" - assert search( - f"User {user} does not have a console password or is unused.", - result[0].status_extended, - ) - assert result[0].resource_id == user - assert result[0].resource_arn == arn + service_client.users[0].password_last_used = "" + # raise Exception + check = iam_disable_30_days_credentials() + result = check.execute() + assert result[0].status == "PASS" + assert search( + f"User {user} does not have a console password or is unused.", + result[0].status_extended, + ) + assert result[0].resource_id == user + assert result[0].resource_arn == arn @mock_iam def test_user_no_access_keys(self): 
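Review bot: The commented-out `# raise Exception` in `test_iam_user_not_logged` is carried into the re-indented block instead of being dropped; it is dead text that reads as a debugging leftover and should be removed while the lines are being touched anyway. The same line survives in the corresponding `test_iam_user_not_logged` hunks of the 45-day and 90-day files. `test_iam_user_not_logged` begins in the previous part of this hunk, and `test_user_no_access_keys` continues past it.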
@@ -107,30 +148,38 @@ class Test_iam_disable_30_days_credentials_test: user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import ( - iam_disable_30_days_credentials, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import ( + iam_disable_30_days_credentials, + ) - service_client.credential_report[0]["access_key_1_last_rotated"] == "N/A" - service_client.credential_report[0]["access_key_2_last_rotated"] == "N/A" + service_client.credential_report[0][ + "access_key_1_last_rotated" + ] == "N/A" + service_client.credential_report[0][ + "access_key_2_last_rotated" + ] == "N/A" - check = iam_disable_30_days_credentials() - result = check.execute() - assert result[-1].status == "PASS" - assert ( - result[-1].status_extended == f"User {user} does not have access keys." - ) - assert result[-1].resource_id == user - assert result[-1].resource_arn == arn + check = iam_disable_30_days_credentials() + result = check.execute() + assert result[-1].status == "PASS" + assert ( + result[-1].status_extended + == f"User {user} does not have access keys." 
+ ) + assert result[-1].resource_id == user + assert result[-1].resource_arn == arn @mock_iam def test_user_access_key_1_not_used(self): 
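Review bot: The two `service_client.credential_report[0][...] == "N/A"` statements in `test_user_no_access_keys` are comparisons, not assignments, so they compute and discard a bool and never change the report; the test then passes on whatever the credential report already holds rather than on a user modelled without access keys, which weakens the assurance this check gives for credential hygiene. If they are meant to set up the no-keys case they should read `service_client.credential_report[0]["access_key_1_last_rotated"] = "N/A"` and `service_client.credential_report[0]["access_key_2_last_rotated"] = "N/A"`; the commit only re-wraps the `==` lines. The same no-op pair is in the `test_user_no_access_keys` hunks of the 45-day and 90-day files (`@@ -107,30 +148,38 @@` and `@@ -107,30 +147,38 @@`). flake8-bugbear / ruff rule B015 (pointless comparison) would flag all three.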
@@ -141,33 +190,36 @@ class Test_iam_disable_30_days_credentials_test: user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import ( - iam_disable_30_days_credentials, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import ( + iam_disable_30_days_credentials, + ) - service_client.credential_report[0]["access_key_1_active"] = "true" - service_client.credential_report[0][ - "access_key_1_last_used_date" - ] = credentials_last_rotated + service_client.credential_report[0]["access_key_1_active"] = "true" + service_client.credential_report[0][ + "access_key_1_last_used_date" + ] = credentials_last_rotated - check = iam_disable_30_days_credentials() - result = check.execute() - assert result[-1].status == "FAIL" - assert ( - result[-1].status_extended - == f"User {user} has not used access key 1 in the last 30 days (100 days)." 
- ) - assert result[-1].resource_id == user - assert result[-1].resource_arn == arn + check = iam_disable_30_days_credentials() + result = check.execute() + assert result[-1].status == "FAIL" + assert ( + result[-1].status_extended + == f"User {user} has not used access key 1 in the last 30 days (100 days)." + ) + assert result[-1].resource_id == user + assert result[-1].resource_arn == arn @mock_iam def test_user_access_key_2_not_used(self): 
@@ -178,30 +230,33 @@ class Test_iam_disable_30_days_credentials_test: user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import ( - iam_disable_30_days_credentials, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import ( + iam_disable_30_days_credentials, + ) - service_client.credential_report[0]["access_key_2_active"] = "true" - service_client.credential_report[0][ - "access_key_2_last_used_date" - ] = credentials_last_rotated + service_client.credential_report[0]["access_key_2_active"] = "true" + service_client.credential_report[0][ + "access_key_2_last_used_date" + ] = credentials_last_rotated - check = iam_disable_30_days_credentials() - result = check.execute() - assert result[-1].status == "FAIL" - assert ( - result[-1].status_extended - == f"User {user} has not used access key 2 in the last 30 days (100 days)." 
- ) - assert result[-1].resource_id == user - assert result[-1].resource_arn == arn + check = iam_disable_30_days_credentials() + result = check.execute() + assert result[-1].status == "FAIL" + assert ( + result[-1].status_extended + == f"User {user} has not used access key 2 in the last 30 days (100 days)." + ) + assert result[-1].resource_id == user + assert result[-1].resource_arn == arn diff --git a/tests/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials_test.py b/tests/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials_test.py index 21cf2ae1..2cb37f8b 100644 --- a/tests/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials_test.py +++ b/tests/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials_test.py @@ -2,11 +2,40 @@ import datetime from re import search from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" +AWS_REGION = "us-east-1" + class Test_iam_disable_45_days_credentials_test: + # Mocked Audit Info + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + region_name=AWS_REGION, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=AWS_REGION, + credentials=None, + assumed_role_info=None, + audited_regions=None, + organizations_metadata=None, + audit_resources=None, + ) + return audit_info + @mock_iam def test_iam_user_logged_45_days(self): password_last_used = ( 
@@ -15,29 +44,33 @@ class Test_iam_disable_45_days_credentials_test: iam_client = client("iam") user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import ( - iam_disable_45_days_credentials, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import ( + iam_disable_45_days_credentials, + ) - service_client.users[0].password_last_used = password_last_used - check = iam_disable_45_days_credentials() - result = check.execute() - assert result[0].status == "PASS" - assert search( - f"User {user} has logged in to the console in the past 45 days.", - result[0].status_extended, - ) - assert result[0].resource_id == user - assert result[0].resource_arn == arn + service_client.users[0].password_last_used = password_last_used + check = iam_disable_45_days_credentials() + result = check.execute() + assert result[0].status == "PASS" + assert search( + f"User {user} has logged in to the console in the past 45 days.", + result[0].status_extended, + ) + assert result[0].resource_id == user + assert result[0].resource_arn == arn @mock_iam def test_iam_user_not_logged_45_days(self): 
@@ -47,59 +80,67 @@ class Test_iam_disable_45_days_credentials_test: iam_client = client("iam") user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import ( - iam_disable_45_days_credentials, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import ( + iam_disable_45_days_credentials, + ) - service_client.users[0].password_last_used = password_last_used - check = iam_disable_45_days_credentials() - result = check.execute() - assert result[0].status == "FAIL" - assert search( - f"User {user} has not logged in to the console in the past 45 days.", - result[0].status_extended, - ) - assert result[0].resource_id == user - assert result[0].resource_arn == arn + service_client.users[0].password_last_used = password_last_used + check = iam_disable_45_days_credentials() + result = check.execute() + assert result[0].status == "FAIL" + assert search( + f"User {user} has not logged in to the console in the past 45 days.", + result[0].status_extended, + ) + assert result[0].resource_id == user + assert result[0].resource_arn == arn @mock_iam def test_iam_user_not_logged(self): iam_client = client("iam") 
user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import ( - iam_disable_45_days_credentials, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import ( + iam_disable_45_days_credentials, + ) - service_client.users[0].password_last_used = "" - # raise Exception - check = iam_disable_45_days_credentials() - result = check.execute() - assert result[0].status == "PASS" - assert search( - f"User {user} does not have a console password or is unused.", - result[0].status_extended, - ) - assert result[0].resource_id == user - assert result[0].resource_arn == arn + service_client.users[0].password_last_used = "" + # raise Exception + check = iam_disable_45_days_credentials() + result = check.execute() + assert result[0].status == "PASS" + assert search( + f"User {user} does not have a console password or is unused.", + result[0].status_extended, + ) + assert result[0].resource_id == user + assert result[0].resource_arn == arn @mock_iam def test_user_no_access_keys(self): 
@@ -107,30 +148,38 @@ class Test_iam_disable_45_days_credentials_test: user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import ( - iam_disable_45_days_credentials, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import ( + iam_disable_45_days_credentials, + ) - service_client.credential_report[0]["access_key_1_last_rotated"] == "N/A" - service_client.credential_report[0]["access_key_2_last_rotated"] == "N/A" + service_client.credential_report[0][ + "access_key_1_last_rotated" + ] == "N/A" + service_client.credential_report[0][ + "access_key_2_last_rotated" + ] == "N/A" - check = iam_disable_45_days_credentials() - result = check.execute() - assert result[-1].status == "PASS" - assert ( - result[-1].status_extended == f"User {user} does not have access keys." - ) - assert result[-1].resource_id == user - assert result[-1].resource_arn == arn + check = iam_disable_45_days_credentials() + result = check.execute() + assert result[-1].status == "PASS" + assert ( + result[-1].status_extended + == f"User {user} does not have access keys." 
+ ) + assert result[-1].resource_id == user + assert result[-1].resource_arn == arn @mock_iam def test_user_access_key_1_not_used(self): 
@@ -141,33 +190,36 @@ class Test_iam_disable_45_days_credentials_test: user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import ( - iam_disable_45_days_credentials, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import ( + iam_disable_45_days_credentials, + ) - service_client.credential_report[0]["access_key_1_active"] = "true" - service_client.credential_report[0][ - "access_key_1_last_used_date" - ] = credentials_last_rotated + service_client.credential_report[0]["access_key_1_active"] = "true" + service_client.credential_report[0][ + "access_key_1_last_used_date" + ] = credentials_last_rotated - check = iam_disable_45_days_credentials() - result = check.execute() - assert result[-1].status == "FAIL" - assert ( - result[-1].status_extended - == f"User {user} has not used access key 1 in the last 45 days (100 days)." 
- ) - assert result[-1].resource_id == user - assert result[-1].resource_arn == arn + check = iam_disable_45_days_credentials() + result = check.execute() + assert result[-1].status == "FAIL" + assert ( + result[-1].status_extended + == f"User {user} has not used access key 1 in the last 45 days (100 days)." + ) + assert result[-1].resource_id == user + assert result[-1].resource_arn == arn @mock_iam def test_user_access_key_2_not_used(self): 
@@ -178,30 +230,33 @@ class Test_iam_disable_45_days_credentials_test: user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import ( - iam_disable_45_days_credentials, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import ( + iam_disable_45_days_credentials, + ) - service_client.credential_report[0]["access_key_2_active"] = "true" - service_client.credential_report[0][ - "access_key_2_last_used_date" - ] = credentials_last_rotated + service_client.credential_report[0]["access_key_2_active"] = "true" + service_client.credential_report[0][ + "access_key_2_last_used_date" + ] = credentials_last_rotated - check = iam_disable_45_days_credentials() - result = check.execute() - assert result[-1].status == "FAIL" - assert ( - result[-1].status_extended - == f"User {user} has not used access key 2 in the last 45 days (100 days)." 
- ) - assert result[-1].resource_id == user - assert result[-1].resource_arn == arn + check = iam_disable_45_days_credentials() + result = check.execute() + assert result[-1].status == "FAIL" + assert ( + result[-1].status_extended + == f"User {user} has not used access key 2 in the last 45 days (100 days)." + ) + assert result[-1].resource_id == user + assert result[-1].resource_arn == arn diff --git a/tests/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials_test.py b/tests/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials_test.py index 39d63c79..72a1c811 100644 --- a/tests/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials_test.py +++ b/tests/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials_test.py @@ -2,11 +2,40 @@ import datetime from re import search from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" +AWS_REGION = "us-east-1" + class Test_iam_disable_90_days_credentials_test: + # Mocked Audit Info + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + region_name=AWS_REGION, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=AWS_REGION, + credentials=None, + assumed_role_info=None, + audited_regions=None, + organizations_metadata=None, + audit_resources=None, + ) + return audit_info + @mock_iam def test_iam_user_logged_90_days(self): password_last_used = ( 
@@ -15,29 +44,32 @@ class Test_iam_disable_90_days_credentials_test: iam_client = client("iam") user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import ( - iam_disable_90_days_credentials, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import ( + iam_disable_90_days_credentials, + ) - service_client.users[0].password_last_used = password_last_used - check = iam_disable_90_days_credentials() - result = check.execute() - assert result[0].status == "PASS" - assert search( - f"User {user} has logged in to the console in the past 90 days.", - result[0].status_extended, - ) - assert result[0].resource_id == user - assert result[0].resource_arn == arn + service_client.users[0].password_last_used = password_last_used + check = iam_disable_90_days_credentials() + result = check.execute() + assert result[0].status == "PASS" + assert search( + f"User {user} has logged in to the console in the past 90 days.", + result[0].status_extended, + ) + assert result[0].resource_id == user + assert result[0].resource_arn == arn @mock_iam def test_iam_user_not_logged_90_days(self): 
@@ -47,59 +79,67 @@ class Test_iam_disable_90_days_credentials_test: iam_client = client("iam") user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import ( - iam_disable_90_days_credentials, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import ( + iam_disable_90_days_credentials, + ) - service_client.users[0].password_last_used = password_last_used - check = iam_disable_90_days_credentials() - result = check.execute() - assert result[0].status == "FAIL" - assert search( - f"User {user} has not logged in to the console in the past 90 days.", - result[0].status_extended, - ) - assert result[0].resource_id == user - assert result[0].resource_arn == arn + service_client.users[0].password_last_used = password_last_used + check = iam_disable_90_days_credentials() + result = check.execute() + assert result[0].status == "FAIL" + assert search( + f"User {user} has not logged in to the console in the past 90 days.", + result[0].status_extended, + ) + assert result[0].resource_id == user + assert result[0].resource_arn == arn @mock_iam def test_iam_user_not_logged(self): iam_client = client("iam") 
user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import ( - iam_disable_90_days_credentials, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import ( + iam_disable_90_days_credentials, + ) - service_client.users[0].password_last_used = "" - # raise Exception - check = iam_disable_90_days_credentials() - result = check.execute() - assert result[0].status == "PASS" - assert search( - f"User {user} does not have a console password or is unused.", - result[0].status_extended, - ) - assert result[0].resource_id == user - assert result[0].resource_arn == arn + service_client.users[0].password_last_used = "" + # raise Exception + check = iam_disable_90_days_credentials() + result = check.execute() + assert result[0].status == "PASS" + assert search( + f"User {user} does not have a console password or is unused.", + result[0].status_extended, + ) + assert result[0].resource_id == user + assert result[0].resource_arn == arn @mock_iam def test_user_no_access_keys(self): 
@@ -107,30 +147,38 @@ class Test_iam_disable_90_days_credentials_test: user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import ( - iam_disable_90_days_credentials, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import ( + iam_disable_90_days_credentials, + ) - service_client.credential_report[0]["access_key_1_last_rotated"] == "N/A" - service_client.credential_report[0]["access_key_2_last_rotated"] == "N/A" + service_client.credential_report[0][ + "access_key_1_last_rotated" + ] == "N/A" + service_client.credential_report[0][ + "access_key_2_last_rotated" + ] == "N/A" - check = iam_disable_90_days_credentials() - result = check.execute() - assert result[-1].status == "PASS" - assert ( - result[-1].status_extended == f"User {user} does not have access keys." - ) - assert result[-1].resource_id == user - assert result[-1].resource_arn == arn + check = iam_disable_90_days_credentials() + result = check.execute() + assert result[-1].status == "PASS" + assert ( + result[-1].status_extended + == f"User {user} does not have access keys." 
+ ) + assert result[-1].resource_id == user + assert result[-1].resource_arn == arn @mock_iam def test_user_access_key_1_not_used(self): 
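Review bot: `service_client.credential_report[0]["access_key_1_last_rotated"] == "N/A"` and the matching `access_key_2_last_rotated` statement in `test_user_no_access_keys` are bare comparisons, not assignments, so they compute a boolean and discard it without touching the mocked report; the commit re-wraps them across three lines but keeps `==`. If the intent is to seed the report, change both to `= "N/A"`; if the report already holds those values, delete the two statements so the test does not appear to set up state it never sets. Either way the expected `PASS` should be re-run after the fix, since turning them into real assignments could change what the check sees.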
@@ -141,33 +189,36 @@ class Test_iam_disable_90_days_credentials_test: user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import ( - iam_disable_90_days_credentials, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import ( + iam_disable_90_days_credentials, + ) - service_client.credential_report[0]["access_key_1_active"] = "true" - service_client.credential_report[0][ - "access_key_1_last_used_date" - ] = credentials_last_rotated + service_client.credential_report[0]["access_key_1_active"] = "true" + service_client.credential_report[0][ + "access_key_1_last_used_date" + ] = credentials_last_rotated - check = iam_disable_90_days_credentials() - result = check.execute() - assert result[-1].status == "FAIL" - assert ( - result[-1].status_extended - == f"User {user} has not used access key 1 in the last 90 days (100 days)." 
- ) - assert result[-1].resource_id == user - assert result[-1].resource_arn == arn + check = iam_disable_90_days_credentials() + result = check.execute() + assert result[-1].status == "FAIL" + assert ( + result[-1].status_extended + == f"User {user} has not used access key 1 in the last 90 days (100 days)." + ) + assert result[-1].resource_id == user + assert result[-1].resource_arn == arn @mock_iam def test_user_access_key_2_not_used(self): 
@@ -178,30 +229,33 @@ class Test_iam_disable_90_days_credentials_test: user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import ( - iam_disable_90_days_credentials, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import ( + iam_disable_90_days_credentials, + ) - service_client.credential_report[0]["access_key_2_active"] = "true" - service_client.credential_report[0][ - "access_key_2_last_used_date" - ] = credentials_last_rotated + service_client.credential_report[0]["access_key_2_active"] = "true" + service_client.credential_report[0][ + "access_key_2_last_used_date" + ] = credentials_last_rotated - check = iam_disable_90_days_credentials() - result = check.execute() - assert result[-1].status == "FAIL" - assert ( - result[-1].status_extended - == f"User {user} has not used access key 2 in the last 90 days (100 days)." 
- ) - assert result[-1].resource_id == user - assert result[-1].resource_arn == arn + check = iam_disable_90_days_credentials() + result = check.execute() + assert result[-1].status == "FAIL" + assert ( + result[-1].status_extended + == f"User {user} has not used access key 2 in the last 90 days (100 days)." + ) + assert result[-1].resource_id == user + assert result[-1].resource_arn == arn diff --git a/tests/providers/aws/services/iam/iam_no_custom_policy_permissive_role_assumption/iam_no_custom_policy_permissive_role_assumption_test.py b/tests/providers/aws/services/iam/iam_no_custom_policy_permissive_role_assumption/iam_no_custom_policy_permissive_role_assumption_test.py index a346677c..1205627f 100644 --- a/tests/providers/aws/services/iam/iam_no_custom_policy_permissive_role_assumption/iam_no_custom_policy_permissive_role_assumption_test.py +++ b/tests/providers/aws/services/iam/iam_no_custom_policy_permissive_role_assumption/iam_no_custom_policy_permissive_role_assumption_test.py 
@@ -2,11 +2,40 @@ from json import dumps from re import search from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" +AWS_REGION = "us-east-1" + class Test_iam_no_custom_policy_permissive_role_assumption: + # Mocked Audit Info + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + region_name=AWS_REGION, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=AWS_REGION, + credentials=None, + assumed_role_info=None, + audited_regions=None, + organizations_metadata=None, + audit_resources=None, + ) + return audit_info + @mock_iam def test_policy_allows_permissive_role_assumption_wildcard(self): iam_client = client("iam") 
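Review bot: `set_mocked_audit_info` in this hunk is a verbatim copy of the helper added to the other test files in this commit (the first hunks of `iam_no_expired_server_certificates_stored_test.py` and `iam_no_root_access_key_test.py` below, and the files listed in the diffstat); an `AWS_Audit_Info` built from `AWS_ACCOUNT_NUMBER`/`AWS_REGION` belongs in one shared test helper so that a later change to the model's fields is made once rather than in every file. The name also misleads: the method returns a new object and sets nothing, and it does not use `self`, so a module-level `mocked_audit_info()` would read better. A short docstring would help readers of the fixture, e.g. `"""Return an AWS_Audit_Info for the mocked account and region, with no credentials, session config or organizations metadata."""`.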
@@ -21,28 +50,31 @@ class Test_iam_no_custom_policy_permissive_role_assumption: PolicyName=policy_name, PolicyDocument=dumps(policy_document) )["Policy"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client", - new=IAM(current_audit_info), + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, ): - from prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import ( - iam_no_custom_policy_permissive_role_assumption, - ) + with mock.patch( + "prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client", + new=IAM(audit_info), + ): + from prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import ( + iam_no_custom_policy_permissive_role_assumption, + ) - check = iam_no_custom_policy_permissive_role_assumption() - result = check.execute() - assert result[0].status == "FAIL" - assert search( - f"Custom Policy {policy_name} allows permissive STS Role assumption", - result[0].status_extended, - ) - assert result[0].resource_arn == arn - assert result[0].resource_id == policy_name + check = iam_no_custom_policy_permissive_role_assumption() + result = check.execute() + assert result[0].status == "FAIL" + assert search( + f"Custom Policy {policy_name} allows permissive STS Role assumption", + result[0].status_extended, + ) + assert result[0].resource_arn == arn + assert result[0].resource_id == policy_name @mock_iam def 
test_policy_allows_permissive_role_assumption_no_wilcard(self): 
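Review bot: The two nested `with mock.patch(...)` blocks in `test_policy_allows_permissive_role_assumption_wildcard` (and in the other four hunks of this file) could be a single `with` statement listing both `mock.patch(...)` calls separated by a comma, which removes the extra indentation level that makes up most of this diff and keeps the import of the check module at the same depth as before. This is a style point only; the patches would be entered in the same order and behavior is unchanged. The test's policy creation starts before the hunk.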
@@ -58,28 +90,31 @@ class Test_iam_no_custom_policy_permissive_role_assumption: PolicyName=policy_name, PolicyDocument=dumps(policy_document) )["Policy"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client", - new=IAM(current_audit_info), + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, ): - from prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import ( - iam_no_custom_policy_permissive_role_assumption, - ) + with mock.patch( + "prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client", + new=IAM(audit_info), + ): + from prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import ( + iam_no_custom_policy_permissive_role_assumption, + ) - check = iam_no_custom_policy_permissive_role_assumption() - result = check.execute() - assert result[0].status == "FAIL" - assert search( - f"Custom Policy {policy_name} allows permissive STS Role assumption", - result[0].status_extended, - ) - assert result[0].resource_arn == arn - assert result[0].resource_id == policy_name + check = iam_no_custom_policy_permissive_role_assumption() + result = check.execute() + assert result[0].status == "FAIL" + assert search( + f"Custom Policy {policy_name} allows permissive STS Role assumption", + result[0].status_extended, + ) + assert result[0].resource_arn == arn + assert result[0].resource_id == policy_name @mock_iam def 
test_policy_assume_role_not_allow_permissive_role_assumption(self): 
@@ -98,28 +133,32 @@ class Test_iam_no_custom_policy_permissive_role_assumption: arn = iam_client.create_policy( PolicyName=policy_name, PolicyDocument=dumps(policy_document) )["Policy"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client", - new=IAM(current_audit_info), + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, ): - from prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import ( - iam_no_custom_policy_permissive_role_assumption, - ) + with mock.patch( + "prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client", + new=IAM(audit_info), + ): + from prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import ( + iam_no_custom_policy_permissive_role_assumption, + ) - check = iam_no_custom_policy_permissive_role_assumption() - result = check.execute() - assert result[0].status == "PASS" - assert search( - f"Custom Policy {policy_name} does not allow permissive STS Role assumption", - result[0].status_extended, - ) - assert result[0].resource_arn == arn - assert result[0].resource_id == policy_name + check = iam_no_custom_policy_permissive_role_assumption() + result = check.execute() + assert result[0].status == "PASS" + assert search( + f"Custom Policy {policy_name} does not allow permissive STS Role assumption", + result[0].status_extended, + ) + assert result[0].resource_arn == arn + assert result[0].resource_id == policy_name 
@mock_iam def test_policy_not_allow_permissive_role_assumption(self): 
@@ -135,28 +174,31 @@ class Test_iam_no_custom_policy_permissive_role_assumption: PolicyName=policy_name, PolicyDocument=dumps(policy_document) )["Policy"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client", - new=IAM(current_audit_info), + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, ): - from prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import ( - iam_no_custom_policy_permissive_role_assumption, - ) + with mock.patch( + "prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client", + new=IAM(audit_info), + ): + from prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import ( + iam_no_custom_policy_permissive_role_assumption, + ) - check = iam_no_custom_policy_permissive_role_assumption() - result = check.execute() - assert result[0].status == "PASS" - assert search( - f"Custom Policy {policy_name} does not allow permissive STS Role assumption", - result[0].status_extended, - ) - assert result[0].resource_arn == arn - assert result[0].resource_id == policy_name + check = iam_no_custom_policy_permissive_role_assumption() + result = check.execute() + assert result[0].status == "PASS" + assert search( + f"Custom Policy {policy_name} does not allow permissive STS Role assumption", + result[0].status_extended, + ) + assert result[0].resource_arn == arn + assert result[0].resource_id == policy_name @mock_iam def 
test_policy_permissive_and_not_permissive(self): 
@@ -184,33 +226,36 @@ class Test_iam_no_custom_policy_permissive_role_assumption: PolicyDocument=dumps(policy_document_permissive), )["Policy"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client", - new=IAM(current_audit_info), + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, ): - from prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import ( - iam_no_custom_policy_permissive_role_assumption, - ) + with mock.patch( + "prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client", + new=IAM(audit_info), + ): + from prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import ( + iam_no_custom_policy_permissive_role_assumption, + ) - check = iam_no_custom_policy_permissive_role_assumption() - result = check.execute() - assert len(result) == 2 - assert result[0].status == "PASS" - assert result[0].resource_arn == arn_non_permissive - assert search( - f"Policy {policy_name_non_permissive} does not allow permissive STS Role assumption", - result[0].status_extended, - ) - assert result[0].resource_id == policy_name_non_permissive - assert result[1].status == "FAIL" - assert result[1].resource_arn == arn_permissive - assert search( - f"Policy {policy_name_permissive} allows permissive STS Role assumption", - result[1].status_extended, - ) - assert result[1].resource_id == policy_name_permissive + check = 
iam_no_custom_policy_permissive_role_assumption() + result = check.execute() + assert len(result) == 2 + assert result[0].status == "PASS" + assert result[0].resource_arn == arn_non_permissive + assert search( + f"Policy {policy_name_non_permissive} does not allow permissive STS Role assumption", + result[0].status_extended, + ) + assert result[0].resource_id == policy_name_non_permissive + assert result[1].status == "FAIL" + assert result[1].resource_arn == arn_permissive + assert search( + f"Policy {policy_name_permissive} allows permissive STS Role assumption", + result[1].status_extended, + ) + assert result[1].resource_id == policy_name_permissive diff --git a/tests/providers/aws/services/iam/iam_no_expired_server_certificates_stored/iam_no_expired_server_certificates_stored_test.py b/tests/providers/aws/services/iam/iam_no_expired_server_certificates_stored/iam_no_expired_server_certificates_stored_test.py index 1ed415ec..5025cdd0 100644 --- a/tests/providers/aws/services/iam/iam_no_expired_server_certificates_stored/iam_no_expired_server_certificates_stored_test.py +++ b/tests/providers/aws/services/iam/iam_no_expired_server_certificates_stored/iam_no_expired_server_certificates_stored_test.py 
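Review bot: `test_policy_permissive_and_not_permissive` asserts that `result[0]` is the non-permissive policy and `result[1]` the permissive one, which depends on the order in which the mocked IAM returns the two policies created earlier in the test (outside this hunk) and on the service preserving that order; the commit keeps this ordering assumption as-is. A lookup keyed on ARN, e.g. `by_arn = {r.resource_arn: r for r in result}`, followed by assertions on `by_arn[arn_non_permissive]` and `by_arn[arn_permissive]`, would make the test independent of result order while keeping `assert len(result) == 2`.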
@@ -1,28 +1,62 @@ from re import search from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" +AWS_REGION = "us-east-1" + class Test_iam_no_expired_server_certificates_stored_test: + # Mocked Audit Info + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + region_name=AWS_REGION, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=AWS_REGION, + credentials=None, + assumed_role_info=None, + audited_regions=None, + organizations_metadata=None, + audit_resources=None, + ) + return audit_info + @mock_iam def test_no_certificates(self): - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM + audit_info = self.set_mocked_audit_info() + with mock.patch( - "prowler.providers.aws.services.iam.iam_no_expired_server_certificates_stored.iam_no_expired_server_certificates_stored.iam_client", - new=IAM(current_audit_info), + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, ): - from prowler.providers.aws.services.iam.iam_no_expired_server_certificates_stored.iam_no_expired_server_certificates_stored import ( - iam_no_expired_server_certificates_stored, - ) + with mock.patch( + "prowler.providers.aws.services.iam.iam_no_expired_server_certificates_stored.iam_no_expired_server_certificates_stored.iam_client", + new=IAM(audit_info), + ): + from prowler.providers.aws.services.iam.iam_no_expired_server_certificates_stored.iam_no_expired_server_certificates_stored import ( + iam_no_expired_server_certificates_stored, + ) - check = 
iam_no_expired_server_certificates_stored() - result = check.execute() + check = iam_no_expired_server_certificates_stored() + result = check.execute() - assert len(result) == 0 + assert len(result) == 0 @mock_iam def test_expired_certificate(self): 
@@ -33,25 +67,31 @@ class Test_iam_no_expired_server_certificates_stored_test: CertificateBody="certbody", PrivateKey="privatekey", )["ServerCertificateMetadata"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + from prowler.providers.aws.services.iam.iam_service import IAM + audit_info = self.set_mocked_audit_info() + with mock.patch( - "prowler.providers.aws.services.iam.iam_no_expired_server_certificates_stored.iam_no_expired_server_certificates_stored.iam_client", - new=IAM(current_audit_info), + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, ): - from prowler.providers.aws.services.iam.iam_no_expired_server_certificates_stored.iam_no_expired_server_certificates_stored import ( - iam_no_expired_server_certificates_stored, - ) + with mock.patch( + "prowler.providers.aws.services.iam.iam_no_expired_server_certificates_stored.iam_no_expired_server_certificates_stored.iam_client", + new=IAM(audit_info), + ): + from prowler.providers.aws.services.iam.iam_no_expired_server_certificates_stored.iam_no_expired_server_certificates_stored import ( + iam_no_expired_server_certificates_stored, + ) - check = iam_no_expired_server_certificates_stored() - result = check.execute() + check = iam_no_expired_server_certificates_stored() + result = check.execute() - assert len(result) == 1 + assert len(result) == 1 - assert result[0].status == "FAIL" - assert search( - "IAM Certificate certname has expired", result[0].status_extended - ) - assert result[0].resource_id == cert["ServerCertificateId"] - assert result[0].resource_arn == cert["Arn"] + assert result[0].status == "FAIL" + assert search( + "IAM Certificate certname has expired", result[0].status_extended + ) + assert result[0].resource_id == cert["ServerCertificateId"] + assert result[0].resource_arn == cert["Arn"] 
diff --git a/tests/providers/aws/services/iam/iam_no_root_access_key/iam_no_root_access_key_test.py b/tests/providers/aws/services/iam/iam_no_root_access_key/iam_no_root_access_key_test.py index 52404ca4..101ee2a0 100644 --- a/tests/providers/aws/services/iam/iam_no_root_access_key/iam_no_root_access_key_test.py +++ b/tests/providers/aws/services/iam/iam_no_root_access_key/iam_no_root_access_key_test.py 
@@ -1,50 +1,82 @@ from re import search from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" +AWS_REGION = "us-east-1" + class Test_iam_no_root_access_key_test: + # Mocked Audit Info + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + region_name=AWS_REGION, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=AWS_REGION, + credentials=None, + assumed_role_info=None, + audited_regions=None, + organizations_metadata=None, + audit_resources=None, + ) + return audit_info + @mock_iam def test_iam_root_no_access_keys(self): iam_client = client("iam") user = "test" iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key import ( - iam_no_root_access_key, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key import ( + iam_no_root_access_key, + ) - service_client.credential_report[0]["user"] = 
"" - service_client.credential_report[0][ - "arn" - ] = "arn:aws:iam::123456789012:user/" - service_client.credential_report[0]["access_key_1_active"] = "false" - service_client.credential_report[0]["access_key_2_active"] = "false" - check = iam_no_root_access_key() - result = check.execute() + service_client.credential_report[0]["user"] = "" + service_client.credential_report[0][ + "arn" + ] = "arn:aws:iam::123456789012:user/" + service_client.credential_report[0]["access_key_1_active"] = "false" + service_client.credential_report[0]["access_key_2_active"] = "false" + check = iam_no_root_access_key() + result = check.execute() - # raise Exception - assert result[0].status == "PASS" - assert search( - "User does not have access keys.", - result[0].status_extended, - ) - assert result[0].resource_id == "" - assert ( - result[0].resource_arn - == "arn:aws:iam::123456789012:user/" - ) + # raise Exception + assert result[0].status == "PASS" + assert search( + "User does not have access keys.", + result[0].status_extended, + ) + assert result[0].resource_id == "" + assert ( + result[0].resource_arn + == "arn:aws:iam::123456789012:user/" + ) @mock_iam def test_iam_root_access_key_1(self): 
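Review bot: The four tests in this file (this hunk and the three that follow) seed the mocked credential report with the literal ARN `"arn:aws:iam::123456789012:user/"` and assert on the same literal, while the same hunk introduces `AWS_ACCOUNT_NUMBER = "123456789012"`; building the ARN from the constant, `f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:user/"`, keeps the fixture and the assertion in sync with the account the audit info claims. The `user` value and the expected `resource_id` appear here as empty strings and the ARN ends in `user/`, which does not look like a root identity; that may be an extraction artifact (an angle-bracketed name would have been stripped from this page), but if the values really are empty, `iam_no_root_access_key` may be exercising a different row than the root one it is named for — worth confirming against how the check selects the root entry. The commented-out `# raise Exception` kept in each of the four tests should be deleted.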
@@ -52,39 +84,42 @@ class Test_iam_no_root_access_key_test: user = "test" iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key import ( - iam_no_root_access_key, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key import ( + iam_no_root_access_key, + ) - service_client.credential_report[0]["user"] = "" - service_client.credential_report[0][ - "arn" - ] = "arn:aws:iam::123456789012:user/" - service_client.credential_report[0]["access_key_1_active"] = "true" - service_client.credential_report[0]["access_key_2_active"] = "false" - check = iam_no_root_access_key() - result = check.execute() + service_client.credential_report[0]["user"] = "" + service_client.credential_report[0][ + "arn" + ] = "arn:aws:iam::123456789012:user/" + service_client.credential_report[0]["access_key_1_active"] = "true" + service_client.credential_report[0]["access_key_2_active"] = "false" + check = iam_no_root_access_key() + result = check.execute() - # raise Exception - assert result[0].status == "FAIL" - assert search( - "User has one active access key.", - result[0].status_extended, - ) - assert result[0].resource_id == "" - assert ( - result[0].resource_arn - == "arn:aws:iam::123456789012:user/" - ) + # raise 
Exception + assert result[0].status == "FAIL" + assert search( + "User has one active access key.", + result[0].status_extended, + ) + assert result[0].resource_id == "" + assert ( + result[0].resource_arn + == "arn:aws:iam::123456789012:user/" + ) @mock_iam def test_iam_root_access_key_2(self): 
@@ -92,39 +127,42 @@ class Test_iam_no_root_access_key_test: user = "test" iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key import ( - iam_no_root_access_key, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key import ( + iam_no_root_access_key, + ) - service_client.credential_report[0]["user"] = "" - service_client.credential_report[0][ - "arn" - ] = "arn:aws:iam::123456789012:user/" - service_client.credential_report[0]["access_key_1_active"] = "false" - service_client.credential_report[0]["access_key_2_active"] = "true" - check = iam_no_root_access_key() - result = check.execute() + service_client.credential_report[0]["user"] = "" + service_client.credential_report[0][ + "arn" + ] = "arn:aws:iam::123456789012:user/" + service_client.credential_report[0]["access_key_1_active"] = "false" + service_client.credential_report[0]["access_key_2_active"] = "true" + check = iam_no_root_access_key() + result = check.execute() - # raise Exception - assert result[0].status == "FAIL" - assert search( - "User has one active access key.", - result[0].status_extended, - ) - assert result[0].resource_id == "" - assert ( - result[0].resource_arn - == "arn:aws:iam::123456789012:user/" - ) + # raise 
Exception + assert result[0].status == "FAIL" + assert search( + "User has one active access key.", + result[0].status_extended, + ) + assert result[0].resource_id == "" + assert ( + result[0].resource_arn + == "arn:aws:iam::123456789012:user/" + ) @mock_iam def test_iam_root_both_access_keys(self): 
@@ -132,36 +170,39 @@ class Test_iam_no_root_access_key_test: user = "test" iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + audit_info = self.set_mocked_audit_info() with mock.patch( - "prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key import ( - iam_no_root_access_key, - ) + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key import ( + iam_no_root_access_key, + ) - service_client.credential_report[0]["user"] = "" - service_client.credential_report[0][ - "arn" - ] = "arn:aws:iam::123456789012:user/" - service_client.credential_report[0]["access_key_1_active"] = "true" - service_client.credential_report[0]["access_key_2_active"] = "true" - check = iam_no_root_access_key() - result = check.execute() + service_client.credential_report[0]["user"] = "" + service_client.credential_report[0][ + "arn" + ] = "arn:aws:iam::123456789012:user/" + service_client.credential_report[0]["access_key_1_active"] = "true" + service_client.credential_report[0]["access_key_2_active"] = "true" + check = iam_no_root_access_key() + result = check.execute() - # raise Exception - assert result[0].status == "FAIL" - assert search( - "User has two active access key.", - result[0].status_extended, - ) - assert result[0].resource_id == "" - assert ( - result[0].resource_arn - == "arn:aws:iam::123456789012:user/" - ) + # raise 
Exception
+ assert result[0].status == "FAIL"
+ assert search(
+ "User has two active access key.",
+ result[0].status_extended,
+ )
+ assert result[0].resource_id == ""
+ assert (
+ result[0].resource_arn
+ == "arn:aws:iam::123456789012:user/"
+ )
diff --git a/tests/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less_test.py b/tests/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less_test.py
index ce3ab9c2..29c53333 100644
--- a/tests/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less_test.py
+++ b/tests/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less_test.py
@@ -1,108 +1,153 @@ from re import search from unittest import mock +from boto3 import session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" +AWS_REGION = "us-east-1" + class Test_iam_password_policy_expires_passwords_within_90_days_or_less: + # Mocked Audit Info + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + region_name=AWS_REGION, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=AWS_REGION, + credentials=None, + assumed_role_info=None, + audited_regions=None, + organizations_metadata=None, + audit_resources=None, + ) + return audit_info + @mock_iam def test_password_expiration_lower_90(self): - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM, PasswordPolicy - with mock.patch( - "prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less import ( - iam_password_policy_expires_passwords_within_90_days_or_less, - ) + audit_info = self.set_mocked_audit_info() - service_client.password_policy = PasswordPolicy( - length=10, - symbols=True, - numbers=True, - uppercase=True, - lowercase=True, - allow_change=True, - expiration=True, - max_age=40, - reuse_prevention=2, - hard_expiry=True, - ) - check = iam_password_policy_expires_passwords_within_90_days_or_less() - result = check.execute() - assert result[0].status == 
"PASS" - assert result[0].resource_id == "password_policy" - assert search( - "Password expiration is set lower than 90 days", - result[0].status_extended, - ) + with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less import ( + iam_password_policy_expires_passwords_within_90_days_or_less, + ) + + service_client.password_policy = PasswordPolicy( + length=10, + symbols=True, + numbers=True, + uppercase=True, + lowercase=True, + allow_change=True, + expiration=True, + max_age=40, + reuse_prevention=2, + hard_expiry=True, + ) + check = iam_password_policy_expires_passwords_within_90_days_or_less() + result = check.execute() + assert result[0].status == "PASS" + assert result[0].resource_id == "password_policy" + assert search( + "Password expiration is set lower than 90 days", + result[0].status_extended, + ) @mock_iam def test_password_expiration_greater_90(self): - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM, PasswordPolicy - with mock.patch( - "prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less import ( - iam_password_policy_expires_passwords_within_90_days_or_less, - ) + audit_info = 
self.set_mocked_audit_info() - service_client.password_policy = PasswordPolicy( - length=10, - symbols=True, - numbers=True, - uppercase=True, - lowercase=True, - allow_change=True, - expiration=True, - max_age=100, - reuse_prevention=2, - hard_expiry=True, - ) - check = iam_password_policy_expires_passwords_within_90_days_or_less() - result = check.execute() - assert result[0].status == "FAIL" - assert result[0].resource_id == "password_policy" - assert search( - "Password expiration is set greater than 90 days", - result[0].status_extended, - ) + with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less import ( + iam_password_policy_expires_passwords_within_90_days_or_less, + ) + + service_client.password_policy = PasswordPolicy( + length=10, + symbols=True, + numbers=True, + uppercase=True, + lowercase=True, + allow_change=True, + expiration=True, + max_age=100, + reuse_prevention=2, + hard_expiry=True, + ) + check = iam_password_policy_expires_passwords_within_90_days_or_less() + result = check.execute() + assert result[0].status == "FAIL" + assert result[0].resource_id == "password_policy" + assert search( + "Password expiration is set greater than 90 days", + result[0].status_extended, + ) @mock_iam def test_password_expiration_just_90(self): - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM, PasswordPolicy - with mock.patch( - 
"prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less.iam_client", - new=IAM(current_audit_info), - ) as service_client: - from prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less import ( - iam_password_policy_expires_passwords_within_90_days_or_less, - ) + audit_info = self.set_mocked_audit_info() - service_client.password_policy = PasswordPolicy( - length=10, - symbols=True, - numbers=True, - uppercase=True, - lowercase=True, - allow_change=True, - expiration=True, - max_age=90, - reuse_prevention=2, - hard_expiry=True, - ) - check = iam_password_policy_expires_passwords_within_90_days_or_less() - result = check.execute() - assert result[0].status == "PASS" - assert result[0].resource_id == "password_policy" - assert search( - "Password expiration is set lower than 90 days", - result[0].status_extended, - ) + with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less.iam_client", + new=IAM(audit_info), + ) as service_client: + from prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less import ( + iam_password_policy_expires_passwords_within_90_days_or_less, + ) + + service_client.password_policy = PasswordPolicy( + length=10, + symbols=True, + numbers=True, + uppercase=True, + lowercase=True, + allow_change=True, + expiration=True, + max_age=90, + reuse_prevention=2, + hard_expiry=True, + ) + check = iam_password_policy_expires_passwords_within_90_days_or_less() + result = check.execute() + assert result[0].status == "PASS" + 
assert result[0].resource_id == "password_policy"
+ assert search(
+ "Password expiration is set lower than 90 days",
+ result[0].status_extended,
+ )
diff --git a/tests/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase_test.py b/tests/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase_test.py
index c2e20347..229fd243 100644
--- a/tests/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase_test.py
+++ b/tests/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase_test.py
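Review bot: `set_mocked_audit_info` is added verbatim as a method of every test class in this commit (also in the lowercase, minimum_length_14, number, reuse_24, symbol, uppercase, allows_privilege_escalation and attached_only_to_group_or_roles test files), in two slightly different shapes: this copy passes `region_name=AWS_REGION`, `profile_region=AWS_REGION` and `audited_regions=None`, the others pass no region, `profile_region=None` and `audited_regions=["us-east-1", "eu-west-1"]`. A single module-level helper or pytest fixture in a shared conftest would remove the duplication and make the two variants an explicit, documented choice rather than drift between files. The method name also misleads: it sets nothing and returns a new object, so `build_mocked_audit_info` or `mocked_audit_info` reads better. Whatever the name, it deserves a docstring such as `"""Return a minimal AWS_Audit_Info for AWS_ACCOUNT_NUMBER in AWS_REGION, with no credentials, assumed role or organizations metadata."""`.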
@@ -1,23 +1,52 @@ from re import search from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" + class Test_iam_password_policy_lowercase: + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=None, + credentials=None, + assumed_role_info=None, + audited_regions=["us-east-1", "eu-west-1"], + organizations_metadata=None, + audit_resources=None, + ) + + return audit_info + @mock_iam def test_iam_password_policy_no_lowercase_flag(self): iam_client = client("iam") # update password policy iam_client.update_account_password_policy(RequireLowercaseCharacters=False) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_password_policy_lowercase.iam_password_policy_lowercase.iam_client", new=IAM(current_audit_info), ): 
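Review bot: The local `current_audit_info = self.set_mocked_audit_info()` reuses the name of the module attribute the removed import used to bring in, so a reader can no longer tell at a glance whether `IAM(current_audit_info)` receives the patched global or a fresh local; the same pattern appears in the remaining hunk of this file and in the minimum_length_14, number, reuse_24, symbol, uppercase, allows_privilege_escalation and attached_only_to_group_or_roles files. The no_root_access_key and expires_passwords hunks earlier in this commit call the local `audit_info`; using `audit_info = self.set_mocked_audit_info()` here with `new=audit_info` and `IAM(audit_info)` would keep the files consistent. Note also that patching `prowler.providers.aws.lib.audit_info.audit_info.current_audit_info` only affects code that reads the attribute through the module at call time; if the check module binds the name at import time via `from ... import current_audit_info`, the patch is a no-op for it, which is worth confirming since the old code relied on mutating the shared object instead.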
@@ -41,12 +70,14 @@ class Test_iam_password_policy_lowercase: # update password policy iam_client.update_account_password_policy(RequireLowercaseCharacters=True) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_password_policy_lowercase.iam_password_policy_lowercase.iam_client", new=IAM(current_audit_info), ): diff --git a/tests/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14_test.py b/tests/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14_test.py index dba8936b..31a85bc3 100644 --- a/tests/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14_test.py +++ b/tests/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14_test.py 
@@ -1,23 +1,52 @@ from re import search from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" + class Test_iam_password_policy_minimum_length_14: + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=None, + credentials=None, + assumed_role_info=None, + audited_regions=["us-east-1", "eu-west-1"], + organizations_metadata=None, + audit_resources=None, + ) + + return audit_info + @mock_iam def test_iam_password_policy_minimum_length_equal_14(self): iam_client = client("iam") # update password policy iam_client.update_account_password_policy(MinimumPasswordLength=14) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_password_policy_minimum_length_14.iam_password_policy_minimum_length_14.iam_client", new=IAM(current_audit_info), ): 
@@ -41,12 +70,14 @@ class Test_iam_password_policy_minimum_length_14: # update password policy iam_client.update_account_password_policy(MinimumPasswordLength=20) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_password_policy_minimum_length_14.iam_password_policy_minimum_length_14.iam_client", new=IAM(current_audit_info), ): @@ -70,12 +101,14 @@ class Test_iam_password_policy_minimum_length_14: # update password policy iam_client.update_account_password_policy(MinimumPasswordLength=10) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_password_policy_minimum_length_14.iam_password_policy_minimum_length_14.iam_client", new=IAM(current_audit_info), ): diff --git a/tests/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number_test.py b/tests/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number_test.py index 63075389..2c20acc0 100644 --- a/tests/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number_test.py +++ b/tests/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number_test.py 
@@ -1,23 +1,52 @@ from re import search from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" + class Test_iam_password_policy_number: + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=None, + credentials=None, + assumed_role_info=None, + audited_regions=["us-east-1", "eu-west-1"], + organizations_metadata=None, + audit_resources=None, + ) + + return audit_info + @mock_iam def test_iam_password_policy_no_number_flag(self): iam_client = client("iam") # update password policy iam_client.update_account_password_policy(RequireNumbers=False) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_password_policy_number.iam_password_policy_number.iam_client", new=IAM(current_audit_info), ): 
@@ -41,12 +70,14 @@ class Test_iam_password_policy_number: # update password policy iam_client.update_account_password_policy(RequireNumbers=True) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_password_policy_number.iam_password_policy_number.iam_client", new=IAM(current_audit_info), ): diff --git a/tests/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24_test.py b/tests/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24_test.py index f6441b63..8a50766b 100644 --- a/tests/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24_test.py +++ b/tests/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24_test.py 
@@ -1,20 +1,50 @@ from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" + class Test_iam_password_policy_reuse_24: + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=None, + credentials=None, + assumed_role_info=None, + audited_regions=["us-east-1", "eu-west-1"], + organizations_metadata=None, + audit_resources=None, + ) + + return audit_info + @mock_iam def test_iam_password_policy_reuse_prevention_equal_24(self): iam_client = client("iam") # update password policy iam_client.update_account_password_policy(PasswordReusePrevention=24) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + current_audit_info = self.set_mocked_audit_info() from prowler.providers.aws.services.iam.iam_service import IAM with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_password_policy_reuse_24.iam_password_policy_reuse_24.iam_client", new=IAM(current_audit_info), ): 
@@ -33,10 +63,13 @@ class Test_iam_password_policy_reuse_24: # update password policy iam_client.update_account_password_policy(PasswordReusePrevention=20) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + current_audit_info = self.set_mocked_audit_info() from prowler.providers.aws.services.iam.iam_service import IAM with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_password_policy_reuse_24.iam_password_policy_reuse_24.iam_client", new=IAM(current_audit_info), ): diff --git a/tests/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol_test.py b/tests/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol_test.py index a369a1e9..6d78118d 100644 --- a/tests/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol_test.py +++ b/tests/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol_test.py 
@@ -1,23 +1,52 @@ from re import search from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" + class Test_iam_password_policy_symbol: + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=None, + credentials=None, + assumed_role_info=None, + audited_regions=["us-east-1", "eu-west-1"], + organizations_metadata=None, + audit_resources=None, + ) + + return audit_info + @mock_iam def test_iam_password_policy_no_symbol_flag(self): iam_client = client("iam") # update password policy iam_client.update_account_password_policy(RequireSymbols=False) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_password_policy_symbol.iam_password_policy_symbol.iam_client", new=IAM(current_audit_info), ): 
@@ -41,12 +70,14 @@ class Test_iam_password_policy_symbol: # update password policy iam_client.update_account_password_policy(RequireSymbols=True) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_password_policy_symbol.iam_password_policy_symbol.iam_client", new=IAM(current_audit_info), ): diff --git a/tests/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase_test.py b/tests/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase_test.py index 79e4d595..6e8bdee8 100644 --- a/tests/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase_test.py +++ b/tests/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase_test.py 
@@ -1,20 +1,50 @@ from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" + class Test_iam_password_policy_uppercase: + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=None, + credentials=None, + assumed_role_info=None, + audited_regions=["us-east-1", "eu-west-1"], + organizations_metadata=None, + audit_resources=None, + ) + + return audit_info + @mock_iam def test_iam_password_policy_no_uppercase_flag(self): iam_client = client("iam") # update password policy iam_client.update_account_password_policy(RequireUppercaseCharacters=False) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + current_audit_info = self.set_mocked_audit_info() from prowler.providers.aws.services.iam.iam_service import IAM with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_password_policy_uppercase.iam_password_policy_uppercase.iam_client", new=IAM(current_audit_info), ): 
@@ -33,10 +63,13 @@ class Test_iam_password_policy_uppercase: # update password policy iam_client.update_account_password_policy(RequireUppercaseCharacters=True) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + current_audit_info = self.set_mocked_audit_info() from prowler.providers.aws.services.iam.iam_service import IAM with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_password_policy_uppercase.iam_password_policy_uppercase.iam_client", new=IAM(current_audit_info), ): diff --git a/tests/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation_test.py b/tests/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation_test.py index 2a3b82b8..9498ab57 100644 --- a/tests/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation_test.py +++ b/tests/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation_test.py 
@@ -1,13 +1,39 @@ from json import dumps from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + AWS_REGION = "us-east-1" +AWS_ACCOUNT_NUMBER = "123456789012" class Test_iam_policy_allows_privilege_escalation: + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=None, + credentials=None, + assumed_role_info=None, + audited_regions=["us-east-1", "eu-west-1"], + organizations_metadata=None, + audit_resources=None, + ) + + return audit_info + @mock_iam def test_iam_policy_allows_privilege_escalation_sts(self): iam_client = client("iam", region_name=AWS_REGION) @@ -22,10 +48,13 @@ class Test_iam_policy_allows_privilege_escalation: PolicyName=policy_name, PolicyDocument=dumps(policy_document) )["Policy"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + current_audit_info = self.set_mocked_audit_info() from prowler.providers.aws.services.iam.iam_service import IAM with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_policy_allows_privilege_escalation.iam_policy_allows_privilege_escalation.iam_client", new=IAM(current_audit_info), ): @@ -47,7 +76,6 @@ class Test_iam_policy_allows_privilege_escalation: @mock_iam def test_iam_policy_not_allows_privilege_escalation(self): - iam_client = client("iam", region_name=AWS_REGION) policy_name = "policy1" policy_document = { 
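Review bot: `audited_regions=["us-east-1", "eu-west-1"]` in the new `set_mocked_audit_info` spells the region out literally even though this file already has `AWS_REGION = "us-east-1"` and uses it for `client("iam", region_name=AWS_REGION)`; `audited_regions=[AWS_REGION, "eu-west-1"]` keeps one source of truth if the constant is ever changed. The same literal list appears in the other files' copies of the helper, so if the helper is centralised the constant should travel with it.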
@@ -62,10 +90,13 @@ class Test_iam_policy_allows_privilege_escalation: PolicyName=policy_name, PolicyDocument=dumps(policy_document) )["Policy"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + current_audit_info = self.set_mocked_audit_info() from prowler.providers.aws.services.iam.iam_service import IAM with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_policy_allows_privilege_escalation.iam_policy_allows_privilege_escalation.iam_client", new=IAM(current_audit_info), ): @@ -87,7 +118,6 @@ class Test_iam_policy_allows_privilege_escalation: @mock_iam def test_iam_policy_not_allows_privilege_escalation_glue_GetDevEndpoints(self): - iam_client = client("iam", region_name=AWS_REGION) policy_name = "policy1" policy_document = { @@ -106,10 +136,13 @@ class Test_iam_policy_allows_privilege_escalation: PolicyName=policy_name, PolicyDocument=dumps(policy_document) )["Policy"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + current_audit_info = self.set_mocked_audit_info() from prowler.providers.aws.services.iam.iam_service import IAM with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_policy_allows_privilege_escalation.iam_policy_allows_privilege_escalation.iam_client", new=IAM(current_audit_info), ): @@ -131,7 +164,6 @@ class Test_iam_policy_allows_privilege_escalation: @mock_iam def test_iam_policy_not_allows_privilege_escalation_dynamodb_PutItem(self): - iam_client = client("iam", region_name=AWS_REGION) policy_name = "policy1" policy_document = { 
@@ -161,10 +193,13 @@ class Test_iam_policy_allows_privilege_escalation: PolicyName=policy_name, PolicyDocument=dumps(policy_document) )["Policy"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + current_audit_info = self.set_mocked_audit_info() from prowler.providers.aws.services.iam.iam_service import IAM with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_policy_allows_privilege_escalation.iam_policy_allows_privilege_escalation.iam_client", new=IAM(current_audit_info), ): diff --git a/tests/providers/aws/services/iam/iam_policy_attached_only_to_group_or_roles/iam_policy_attached_only_to_group_or_roles_test.py b/tests/providers/aws/services/iam/iam_policy_attached_only_to_group_or_roles/iam_policy_attached_only_to_group_or_roles_test.py index 1439763a..64ad4438 100644 --- a/tests/providers/aws/services/iam/iam_policy_attached_only_to_group_or_roles/iam_policy_attached_only_to_group_or_roles_test.py +++ b/tests/providers/aws/services/iam/iam_policy_attached_only_to_group_or_roles/iam_policy_attached_only_to_group_or_roles_test.py 
@@ -2,11 +2,38 @@ from json import dumps from re import search from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" + class Test_iam_policy_attached_only_to_group_or_roles: + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=None, + credentials=None, + assumed_role_info=None, + audited_regions=["us-east-1", "eu-west-1"], + organizations_metadata=None, + audit_resources=None, + ) + + return audit_info + @mock_iam def test_iam_user_attached_policy(self): result = [] @@ -25,10 +52,13 @@ class Test_iam_policy_attached_only_to_group_or_roles: )["Policy"]["Arn"] iam_client.attach_user_policy(UserName=user, PolicyArn=policyArn) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + current_audit_info = self.set_mocked_audit_info() from prowler.providers.aws.services.iam.iam_service import IAM with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_policy_attached_only_to_group_or_roles.iam_policy_attached_only_to_group_or_roles.iam_client", new=IAM(current_audit_info), ): 
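Review bot: `set_mocked_audit_info` is copy-pasted verbatim into each test class in this patch (this file, no_administrative_privileges, confused_deputy_prevention, root_hardware_mfa, root_mfa, rotate_access_key, support_role, user_hardware_mfa, user_mfa_console_access, user_no_setup_initial_access_key), each with its own `AWS_ACCOUNT_NUMBER`/`AWS_ACCOUNT_ID` constant and slightly different field values. A shared pytest fixture or module-level helper returning the `AWS_Audit_Info` would keep the mocked identity consistent across checks and give one place to update when the model grows a field. The helper also has no documentation; a docstring such as `"""Return an AWS_Audit_Info with a fake account id and no credentials for moto-backed tests."""` would state what it is for. `test_iam_user_attached_policy` continues outside this hunk.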
@@ -61,10 +91,13 @@ class Test_iam_policy_attached_only_to_group_or_roles: )["Policy"]["Arn"] iam_client.attach_user_policy(UserName=user, PolicyArn=policyArn) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + current_audit_info = self.set_mocked_audit_info() from prowler.providers.aws.services.iam.iam_service import IAM with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_policy_attached_only_to_group_or_roles.iam_policy_attached_only_to_group_or_roles.iam_client", new=IAM(current_audit_info), ): @@ -103,10 +136,13 @@ class Test_iam_policy_attached_only_to_group_or_roles: UserName=user, PolicyName=policyName, PolicyDocument=dumps(policyDocument) ) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + current_audit_info = self.set_mocked_audit_info() from prowler.providers.aws.services.iam.iam_service import IAM with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_policy_attached_only_to_group_or_roles.iam_policy_attached_only_to_group_or_roles.iam_client", new=IAM(current_audit_info), ): @@ -125,10 +161,13 @@ class Test_iam_policy_attached_only_to_group_or_roles: user = "test_no_policies" iam_client.create_user(UserName=user) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + current_audit_info = self.set_mocked_audit_info() from prowler.providers.aws.services.iam.iam_service import IAM with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_policy_attached_only_to_group_or_roles.iam_policy_attached_only_to_group_or_roles.iam_client", new=IAM(current_audit_info), ): 
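Review bot: The `new=IAM(current_audit_info)` argument is evaluated while the `with` statement is still building its context managers, i.e. before the newly added `mock.patch("prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", ...)` has been entered, so anything the IAM constructor reads from that module global still sees the real object; only lookups made afterwards, while the check runs, are patched. Code that bound the name at import time via `from ... import current_audit_info` is not affected by the patch at all (inferred from how `mock.patch` replaces a module attribute, not from code visible here). If the intent is for the service to be built under the patched global, nest the two `mock.patch` calls so the `IAM(current_audit_info)` construction happens inside the body of the first `with`. Every mock.patch hunk in this patch has the same shape; the enclosing test functions start outside these hunks.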
diff --git a/tests/providers/aws/services/iam/iam_policy_no_administrative_privileges/iam_policy_no_administrative_privileges_test.py b/tests/providers/aws/services/iam/iam_policy_no_administrative_privileges/iam_policy_no_administrative_privileges_test.py index 9bdd896e..292b1f5a 100644 --- a/tests/providers/aws/services/iam/iam_policy_no_administrative_privileges/iam_policy_no_administrative_privileges_test.py +++ b/tests/providers/aws/services/iam/iam_policy_no_administrative_privileges/iam_policy_no_administrative_privileges_test.py @@ -2,14 +2,40 @@ from json import dumps from re import search from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" + class Test_iam_policy_no_administrative_privileges_test: + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=None, + credentials=None, + assumed_role_info=None, + audited_regions=["us-east-1", "eu-west-1"], + organizations_metadata=None, + audit_resources=None, + ) + + return audit_info + @mock_iam def test_policy_administrative(self): - iam_client = client("iam") policy_name = "policy1" policy_document = { 
@@ -22,10 +48,13 @@ class Test_iam_policy_no_administrative_privileges_test: PolicyName=policy_name, PolicyDocument=dumps(policy_document) )["Policy"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + current_audit_info = self.set_mocked_audit_info() from prowler.providers.aws.services.iam.iam_service import IAM with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_policy_no_administrative_privileges.iam_policy_no_administrative_privileges.iam_client", new=IAM(current_audit_info), ): @@ -42,7 +71,6 @@ class Test_iam_policy_no_administrative_privileges_test: @mock_iam def test_policy_non_administrative(self): - iam_client = client("iam") policy_name = "policy1" policy_document = { @@ -55,10 +83,13 @@ class Test_iam_policy_no_administrative_privileges_test: PolicyName=policy_name, PolicyDocument=dumps(policy_document) )["Policy"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + current_audit_info = self.set_mocked_audit_info() from prowler.providers.aws.services.iam.iam_service import IAM with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_policy_no_administrative_privileges.iam_policy_no_administrative_privileges.iam_client", new=IAM(current_audit_info), ): @@ -77,7 +108,6 @@ class Test_iam_policy_no_administrative_privileges_test: @mock_iam def test_policy_administrative_and_non_administrative(self): - iam_client = client("iam") policy_name_non_administrative = "policy1" policy_document_non_administrative = { 
@@ -102,10 +132,13 @@ class Test_iam_policy_no_administrative_privileges_test: PolicyDocument=dumps(policy_document_administrative), )["Policy"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + current_audit_info = self.set_mocked_audit_info() from prowler.providers.aws.services.iam.iam_service import IAM with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_policy_no_administrative_privileges.iam_policy_no_administrative_privileges.iam_client", new=IAM(current_audit_info), ): diff --git a/tests/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention_test.py b/tests/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention_test.py index ada5b25e..3c9ef69d 100644 --- a/tests/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention_test.py +++ b/tests/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention_test.py 
@@ -1,14 +1,39 @@ from json import dumps from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + AWS_REGION = "us-east-1" AWS_ACCOUNT_ID = "123456789012" class Test_iam_role_cross_service_confused_deputy_prevention: + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + ), + audited_account=AWS_ACCOUNT_ID, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=None, + credentials=None, + assumed_role_info=None, + audited_regions=["us-east-1", "eu-west-1"], + organizations_metadata=None, + audit_resources=None, + ) + + return audit_info + @mock_iam def test_iam_service_role_without_cross_service_confused_deputy_prevention(self): iam_client = client("iam", region_name=AWS_REGION) @@ -27,12 +52,14 @@ class Test_iam_role_cross_service_confused_deputy_prevention: AssumeRolePolicyDocument=dumps(policy_document), ) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() current_audit_info.audited_account = AWS_ACCOUNT_ID with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_role_cross_service_confused_deputy_prevention.iam_role_cross_service_confused_deputy_prevention.iam_client", new=IAM(current_audit_info), ): 
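Review bot: `current_audit_info.audited_account = AWS_ACCOUNT_ID` right after `current_audit_info = self.set_mocked_audit_info()` is redundant, because the new helper already sets `audited_account=AWS_ACCOUNT_ID`. Drop the assignment here and in the second test (next hunk) so the helper stays the single source of the mocked identity; a test that needs a different account should construct it explicitly rather than mutate the shared shape. Both enclosing tests continue outside the hunk.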
@@ -73,12 +100,14 @@ class Test_iam_role_cross_service_confused_deputy_prevention: AssumeRolePolicyDocument=dumps(policy_document), ) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() current_audit_info.audited_account = AWS_ACCOUNT_ID with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_role_cross_service_confused_deputy_prevention.iam_role_cross_service_confused_deputy_prevention.iam_client", new=IAM(current_audit_info), ): diff --git a/tests/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled_test.py b/tests/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled_test.py index 6e169814..d710fcd0 100644 --- a/tests/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled_test.py +++ b/tests/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled_test.py 
@@ -1,22 +1,52 @@ from re import search from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" + class Test_iam_root_hardware_mfa_enabled_test: + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=None, + credentials=None, + assumed_role_info=None, + audited_regions=["us-east-1", "eu-west-1"], + organizations_metadata=None, + audit_resources=None, + ) + + return audit_info + @mock_iam def test_root_hardware_virtual_mfa_enabled(self): iam = client("iam") mfa_device_name = "mfa-test" iam.create_virtual_mfa_device(VirtualMFADeviceName=mfa_device_name) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_root_hardware_mfa_enabled.iam_root_hardware_mfa_enabled.iam_client", new=IAM(current_audit_info), ) as service_client: 
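Review bot: The `session.Session(profile_name=None, botocore_session=None)` in the new `set_mocked_audit_info` carries no `region_name`, and `iam = client("iam")` in the tests below omits one too, so both depend on `AWS_DEFAULT_REGION` being set in the test environment; moto's mock supplies fake credentials but, as far as I know, not a region, so a clean machine may hit `NoRegionError` (inferred; confirm against the CI setup). Passing `region_name="us-east-1"` to both the session and the client, matching the first entry of `audited_regions`, removes the environment dependency. The same fixture shape is used in the other files of this patch.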
@@ -41,12 +71,15 @@ class Test_iam_root_hardware_mfa_enabled_test: iam = client("iam") mfa_device_name = "mfa-test" iam.create_virtual_mfa_device(VirtualMFADeviceName=mfa_device_name) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_root_hardware_mfa_enabled.iam_root_hardware_mfa_enabled.iam_client", new=IAM(current_audit_info), ) as service_client: diff --git a/tests/providers/aws/services/iam/iam_root_mfa_enabled/iam_root_mfa_enabled_test.py b/tests/providers/aws/services/iam/iam_root_mfa_enabled/iam_root_mfa_enabled_test.py index 7eeddfcb..4596e02a 100644 --- a/tests/providers/aws/services/iam/iam_root_mfa_enabled/iam_root_mfa_enabled_test.py +++ b/tests/providers/aws/services/iam/iam_root_mfa_enabled/iam_root_mfa_enabled_test.py 
@@ -1,20 +1,51 @@ from re import search from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" + class Test_iam_root_mfa_enabled_test: + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=None, + credentials=None, + assumed_role_info=None, + audited_regions=["us-east-1", "eu-west-1"], + organizations_metadata=None, + audit_resources=None, + ) + + return audit_info + @mock_iam def test_root_mfa_not_enabled(self): iam_client = client("iam") user = "test-user" iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + + current_audit_info = self.set_mocked_audit_info() from prowler.providers.aws.services.iam.iam_service import IAM with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_root_mfa_enabled.iam_root_mfa_enabled.iam_client", new=IAM(current_audit_info), ) as service_client: 
@@ -42,10 +73,14 @@ class Test_iam_root_mfa_enabled_test: iam_client = client("iam") user = "test-user" iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + + current_audit_info = self.set_mocked_audit_info() from prowler.providers.aws.services.iam.iam_service import IAM with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_root_mfa_enabled.iam_root_mfa_enabled.iam_client", new=IAM(current_audit_info), ) as service_client: diff --git a/tests/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days_test.py b/tests/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days_test.py index c0d6ee8a..4606b919 100644 --- a/tests/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days_test.py +++ b/tests/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days_test.py 
@@ -1,23 +1,52 @@ import datetime from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" + class Test_iam_rotate_access_key_90_days_test: + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=None, + credentials=None, + assumed_role_info=None, + audited_regions=["us-east-1", "eu-west-1"], + organizations_metadata=None, + audit_resources=None, + ) + + return audit_info + @mock_iam def test_user_no_access_keys(self): iam_client = client("iam") user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_rotate_access_key_90_days.iam_rotate_access_key_90_days.iam_client", new=IAM(current_audit_info), ) as service_client: 
@@ -46,12 +75,14 @@ class Test_iam_rotate_access_key_90_days_test: user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_rotate_access_key_90_days.iam_rotate_access_key_90_days.iam_client", new=IAM(current_audit_info), ) as service_client: @@ -83,12 +114,14 @@ class Test_iam_rotate_access_key_90_days_test: user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_rotate_access_key_90_days.iam_rotate_access_key_90_days.iam_client", new=IAM(current_audit_info), ) as service_client: diff --git a/tests/providers/aws/services/iam/iam_securityaudit_role_created/iam_securityaudit_role_created_test.py b/tests/providers/aws/services/iam/iam_securityaudit_role_created/iam_securityaudit_role_created_test.py index b88753bd..ba5fd5dc 100644 --- a/tests/providers/aws/services/iam/iam_securityaudit_role_created/iam_securityaudit_role_created_test.py +++ b/tests/providers/aws/services/iam/iam_securityaudit_role_created/iam_securityaudit_role_created_test.py 
@@ -8,9 +8,10 @@ from moto import mock_iam from prowler.providers.aws.lib.audit_info.audit_info import AWS_Audit_Info from prowler.providers.aws.services.iam.iam_service import IAM +AWS_ACCOUNT_NUMBER = "123456789012" + class Test_iam_securityaudit_role_created: - # Mocked Audit Info def set_mocked_audit_info(self): audit_info = AWS_Audit_Info( @@ -20,7 +21,7 @@ class Test_iam_securityaudit_role_created: profile_name=None, botocore_session=None, ), - audited_account=None, + audited_account=AWS_ACCOUNT_NUMBER, audited_user_id=None, audited_partition="aws", audited_identity_arn=None, diff --git a/tests/providers/aws/services/iam/iam_support_role_created/iam_support_role_created_test.py b/tests/providers/aws/services/iam/iam_support_role_created/iam_support_role_created_test.py index 92b1c806..926f1231 100644 --- a/tests/providers/aws/services/iam/iam_support_role_created/iam_support_role_created_test.py +++ b/tests/providers/aws/services/iam/iam_support_role_created/iam_support_role_created_test.py @@ -2,11 +2,38 @@ from json import dumps from re import search from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" + class Test_iam_support_role_created: + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=None, + credentials=None, + assumed_role_info=None, + audited_regions=["us-east-1", "eu-west-1"], + organizations_metadata=None, + audit_resources=None, + ) + + return audit_info + @mock_iam def test_support_role_created(self): iam = client("iam") 
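Review bot: This file imports `AWS_Audit_Info` from `prowler.providers.aws.lib.audit_info.audit_info`, while every other test in this patch imports it from `prowler.providers.aws.lib.audit_info.models`; pulling the class from two different modules makes the tests depend on a re-export that may not stay in place. Switch this one to `from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info` for consistency. The removed `# Mocked Audit Info` line was the only documentation the helper had; a docstring such as `"""Build a mocked AWS_Audit_Info for moto-backed tests."""` would replace it.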
@@ -29,10 +56,13 @@ class Test_iam_support_role_created: PolicyArn="arn:aws:iam::aws:policy/aws-service-role/AWSSupportServiceRolePolicy", ) - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + current_audit_info = self.set_mocked_audit_info() from prowler.providers.aws.services.iam.iam_service import IAM with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_support_role_created.iam_support_role_created.iam_client", new=IAM(current_audit_info), ): @@ -55,11 +85,13 @@ class Test_iam_support_role_created: @mock_iam def test_no_support_role_created(self): - - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + current_audit_info = self.set_mocked_audit_info() from prowler.providers.aws.services.iam.iam_service import IAM with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_support_role_created.iam_support_role_created.iam_client", new=IAM(current_audit_info), ): diff --git a/tests/providers/aws/services/iam/iam_user_hardware_mfa_enabled/iam_user_hardware_mfa_enabled_test.py b/tests/providers/aws/services/iam/iam_user_hardware_mfa_enabled/iam_user_hardware_mfa_enabled_test.py index c76cb913..813650c1 100644 --- a/tests/providers/aws/services/iam/iam_user_hardware_mfa_enabled/iam_user_hardware_mfa_enabled_test.py +++ b/tests/providers/aws/services/iam/iam_user_hardware_mfa_enabled/iam_user_hardware_mfa_enabled_test.py 
@@ -1,22 +1,52 @@ from re import search from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" + class Test_iam_user_hardware_mfa_enabled_test: + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=None, + credentials=None, + assumed_role_info=None, + audited_regions=["us-east-1", "eu-west-1"], + organizations_metadata=None, + audit_resources=None, + ) + + return audit_info + @mock_iam def test_user_no_mfa_devices(self): iam_client = client("iam") user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_user_hardware_mfa_enabled.iam_user_hardware_mfa_enabled.iam_client", new=IAM(current_audit_info), ) as service_client: 
@@ -41,12 +71,15 @@ class Test_iam_user_hardware_mfa_enabled_test: iam_client = client("iam") user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + from prowler.providers.aws.services.iam.iam_service import IAM, MFADevice - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_user_hardware_mfa_enabled.iam_user_hardware_mfa_enabled.iam_client", new=IAM(current_audit_info), ) as service_client: @@ -77,12 +110,15 @@ class Test_iam_user_hardware_mfa_enabled_test: iam_client = client("iam") user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + from prowler.providers.aws.services.iam.iam_service import IAM, MFADevice - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_user_hardware_mfa_enabled.iam_user_hardware_mfa_enabled.iam_client", new=IAM(current_audit_info), ) as service_client: diff --git a/tests/providers/aws/services/iam/iam_user_mfa_enabled_console_access/iam_user_mfa_enabled_console_access_test.py b/tests/providers/aws/services/iam/iam_user_mfa_enabled_console_access/iam_user_mfa_enabled_console_access_test.py index 4380375b..9d8d1fc8 100644 --- a/tests/providers/aws/services/iam/iam_user_mfa_enabled_console_access/iam_user_mfa_enabled_console_access_test.py +++ b/tests/providers/aws/services/iam/iam_user_mfa_enabled_console_access/iam_user_mfa_enabled_console_access_test.py 
@@ -1,21 +1,51 @@ from unittest import mock -from boto3 import client +from boto3 import client, session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" + class Test_iam_user_mfa_enabled_console_access_test: + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=None, + credentials=None, + assumed_role_info=None, + audited_regions=["us-east-1", "eu-west-1"], + organizations_metadata=None, + audit_resources=None, + ) + + return audit_info + @mock_iam def test_root_user_not_password_console_enabled(self): iam_client = client("iam") user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info + current_audit_info = self.set_mocked_audit_info() from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_user_mfa_enabled_console_access.iam_user_mfa_enabled_console_access.iam_client", new=IAM(current_audit_info), ) as service_client: 
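Review bot: `test_root_user_not_password_console_enabled` now calls `current_audit_info = self.set_mocked_audit_info()` twice, once before the `IAM` import and again in place of the removed `audited_partition` assignment, building two `AWS_Audit_Info` objects and two boto3 sessions where one is enough. Delete the first call so the test matches the other tests in this class (following hunks), which call the helper once. The test body continues outside the hunk.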
@@ -42,11 +72,13 @@ class Test_iam_user_mfa_enabled_console_access_test: user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_user_mfa_enabled_console_access.iam_user_mfa_enabled_console_access.iam_client", new=IAM(current_audit_info), ) as service_client: @@ -73,11 +105,13 @@ class Test_iam_user_mfa_enabled_console_access_test: user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_user_mfa_enabled_console_access.iam_user_mfa_enabled_console_access.iam_client", new=IAM(current_audit_info), ) as service_client: 
@@ -105,11 +139,13 @@ class Test_iam_user_mfa_enabled_console_access_test: user = "test-user" arn = iam_client.create_user(UserName=user)["User"]["Arn"] - from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.iam.iam_service import IAM - current_audit_info.audited_partition = "aws" + current_audit_info = self.set_mocked_audit_info() with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( "prowler.providers.aws.services.iam.iam_user_mfa_enabled_console_access.iam_user_mfa_enabled_console_access.iam_client", new=IAM(current_audit_info), ) as service_client: diff --git a/tests/providers/aws/services/iam/iam_user_no_setup_initial_access_key/iam_user_no_setup_initial_access_key_test.py b/tests/providers/aws/services/iam/iam_user_no_setup_initial_access_key/iam_user_no_setup_initial_access_key_test.py index a36343a9..ef72e397 100644 --- a/tests/providers/aws/services/iam/iam_user_no_setup_initial_access_key/iam_user_no_setup_initial_access_key_test.py +++ b/tests/providers/aws/services/iam/iam_user_no_setup_initial_access_key/iam_user_no_setup_initial_access_key_test.py 
@@ -2,10 +2,38 @@ from csv import DictReader from re import search from unittest import mock +from boto3 import session from moto import mock_iam +from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info + +AWS_ACCOUNT_NUMBER = "123456789012" + class Test_iam_user_no_setup_initial_access_key_test: + def set_mocked_audit_info(self): + audit_info = AWS_Audit_Info( + session_config=None, + original_session=None, + audit_session=session.Session( + profile_name=None, + botocore_session=None, + ), + audited_account=AWS_ACCOUNT_NUMBER, + audited_user_id=None, + audited_partition="aws", + audited_identity_arn=None, + profile=None, + profile_region=None, + credentials=None, + assumed_role_info=None, + audited_regions=["us-east-1", "eu-west-1"], + organizations_metadata=None, + audit_resources=None, + ) + + return audit_info + @mock_iam def test_setup_access_key_1_fail(self): raw_credential_report = r"""user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated 
@@ -14,10 +42,13 @@ test_false_access_key_1,arn:aws:iam::123456789012:test_false_access_key_1,2022-0
 csv_reader = DictReader(credential_lines, delimiter=",")
 credential_list = list(csv_reader)
- from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
+ current_audit_info = self.set_mocked_audit_info()
 from prowler.providers.aws.services.iam.iam_service import IAM
 with mock.patch(
+ "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+ new=current_audit_info,
+ ), mock.patch(
 "prowler.providers.aws.services.iam.iam_user_no_setup_initial_access_key.iam_user_no_setup_initial_access_key.iam_client",
 new=IAM(current_audit_info),
 ) as service_client:
@@ -40,10 +71,13 @@ test_false_access_key_2,arn:aws:iam::123456789012:test_false_access_key_2,2022-0
 csv_reader = DictReader(credential_lines, delimiter=",")
 credential_list = list(csv_reader)
- from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
+ current_audit_info = self.set_mocked_audit_info()
 from prowler.providers.aws.services.iam.iam_service import IAM
 with mock.patch(
+ "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+ new=current_audit_info,
+ ), mock.patch(
 "prowler.providers.aws.services.iam.iam_user_no_setup_initial_access_key.iam_user_no_setup_initial_access_key.iam_client",
 new=IAM(current_audit_info),
 ) as service_client:
@@ -66,10 +100,13 @@ test_pass,arn:aws:iam::123456789012:test_pass,2022-02-17T14:59:38+00:00,not_supp
 csv_reader = DictReader(credential_lines, delimiter=",")
 credential_list = list(csv_reader)
- from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
+ current_audit_info = self.set_mocked_audit_info()
 from prowler.providers.aws.services.iam.iam_service import IAM
 with mock.patch(
+ "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+ new=current_audit_info,
+ ), mock.patch(
 "prowler.providers.aws.services.iam.iam_user_no_setup_initial_access_key.iam_user_no_setup_initial_access_key.iam_client",
 new=IAM(current_audit_info),
 ) as service_client:
diff --git a/tests/providers/aws/services/iam/iam_user_two_active_access_key/iam_user_two_active_access_key_test.py b/tests/providers/aws/services/iam/iam_user_two_active_access_key/iam_user_two_active_access_key_test.py
index 389408b4..4f99a8d6 100644
--- a/tests/providers/aws/services/iam/iam_user_two_active_access_key/iam_user_two_active_access_key_test.py
+++ b/tests/providers/aws/services/iam/iam_user_two_active_access_key/iam_user_two_active_access_key_test.py
@@ -1,11 +1,38 @@
 from re import search
 from unittest import mock
-from boto3 import client
+from boto3 import client, session
 from moto import mock_iam
+from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+
+AWS_ACCOUNT_NUMBER = "123456789012"
+
 class Test_iam_user_two_active_access_key:
+ def set_mocked_audit_info(self):
+ audit_info = AWS_Audit_Info(
+ session_config=None,
+ original_session=None,
+ audit_session=session.Session(
+ profile_name=None,
+ botocore_session=None,
+ ),
+ audited_account=AWS_ACCOUNT_NUMBER,
+ audited_user_id=None,
+ audited_partition="aws",
+ audited_identity_arn=None,
+ profile=None,
+ profile_region=None,
+ credentials=None,
+ assumed_role_info=None,
+ audited_regions=["us-east-1", "eu-west-1"],
+ organizations_metadata=None,
+ audit_resources=None,
+ )
+
+ return audit_info
+
 @mock_iam
 def test_iam_user_two_active_access_key(self):
 # Create IAM Mocked Resources
@@ -17,12 +44,17 @@ class Test_iam_user_two_active_access_key:
 # Create Access Key 2
 iam_client.create_access_key(UserName=user)
- from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
 from prowler.providers.aws.services.iam.iam_service import IAM
- current_audit_info.audited_partition = "aws"
+ current_audit_info = self.set_mocked_audit_info()
 with mock.patch(
+ "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+ new=current_audit_info,
+ ), mock.patch(
+ "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+ new=current_audit_info,
+ ), mock.patch(
 "prowler.providers.aws.services.iam.iam_user_two_active_access_key.iam_user_two_active_access_key.iam_client",
 new=IAM(current_audit_info),
 ):
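Review bot: In `test_iam_user_two_active_access_key` (the `@@ -17,12 +44,17 @@` hunk) the target `prowler.providers.aws.lib.audit_info.audit_info.current_audit_info` is patched twice in the same `with` statement — the two added `mock.patch("...audit_info.current_audit_info", new=current_audit_info)` clauses are identical. It is harmless, since the second patch installs the same object and both are unwound in order, but it is clearly a copy-paste slip: this hunk is +17 where every sibling test in the file is +14. Drop the second `"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", new=current_audit_info, ), mock.patch(` triple so the preamble reads identically across the four tests. The assertions of this test sit below the hunk.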
@@ -51,12 +83,14 @@ class Test_iam_user_two_active_access_key:
 # Create Access Key 1
 iam_client.create_access_key(UserName=user)
- from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
 from prowler.providers.aws.services.iam.iam_service import IAM
- current_audit_info.audited_partition = "aws"
+ current_audit_info = self.set_mocked_audit_info()
 with mock.patch(
+ "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+ new=current_audit_info,
+ ), mock.patch(
 "prowler.providers.aws.services.iam.iam_user_two_active_access_key.iam_user_two_active_access_key.iam_client",
 new=IAM(current_audit_info),
 ):
@@ -84,12 +118,14 @@ class Test_iam_user_two_active_access_key:
 user = "test1"
 user_arn = iam_client.create_user(UserName=user)["User"]["Arn"]
- from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
 from prowler.providers.aws.services.iam.iam_service import IAM
- current_audit_info.audited_partition = "aws"
+ current_audit_info = self.set_mocked_audit_info()
 with mock.patch(
+ "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+ new=current_audit_info,
+ ), mock.patch(
 "prowler.providers.aws.services.iam.iam_user_two_active_access_key.iam_user_two_active_access_key.iam_client",
 new=IAM(current_audit_info),
 ):
@@ -112,12 +148,14 @@ class Test_iam_user_two_active_access_key:
 @mock_iam
 def test_iam_no_users(self):
- from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
 from prowler.providers.aws.services.iam.iam_service import IAM
- current_audit_info.audited_partition = "aws"
+ current_audit_info = self.set_mocked_audit_info()
 with mock.patch(
+ "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+ new=current_audit_info,
+ ), mock.patch(
 "prowler.providers.aws.services.iam.iam_user_two_active_access_key.iam_user_two_active_access_key.iam_client",
 new=IAM(current_audit_info),
 ):
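Review bot: In `test_iam_no_users` (and the two hunks above it) `IAM` is imported inside the test body and `IAM(current_audit_info)` is built there rather than at module top, but nothing says why; presumably it has to happen after `@mock_iam` is active so the service's boto3 calls are served by moto and never leave the process — worth confirming and recording, e.g. `# import and instantiate here so the IAM service is created under the active moto mock, not against real AWS`. The same two-`mock.patch` preamble is now repeated in every test of the file; a short comment on the first occurrence explaining that the first patch replaces the process-wide audit info and the second the check's `iam_client` would save each reader re-deriving it. Each of these hunks ends at the `):` of the `with` statement, so the assertions it guards are outside the hunk.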