ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-12 15:55:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(iam tests): mock audit_info object (#2226)

Browse Source 
Co-authored-by: n4ch04 <nachor1992@gmail.com>
This commit is contained in:
Sergio Garcia
2023-04-17 11:14:48 +02:00
committed by GitHub
parent c4757684c1
commit 5e567f3e37
29 changed files with 2065 additions and 977 deletions
Download Patch File Download Diff File Expand all files Collapse all files

314
tests/providers/aws/services/iam/iam_avoid_root_usage/iam_avoid_root_usage_test.py
View File

@@ -3,10 +3,40 @@ from csv import DictReader
from re import search
from unittest import mock
from boto3 import session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
class Test_iam_avoid_root_usage:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_root_not_used(self):
raw_credential_report = r"""user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
@@ -15,29 +45,34 @@ class Test_iam_avoid_root_usage:
csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "PASS"
assert search(
"Root user in the account wasn't accessed in the last",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "PASS"
assert search(
"Root user in the account wasn't accessed in the last",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
)
@mock_iam
def test_root_password_recently_used(self):
@@ -50,28 +85,34 @@ class Test_iam_avoid_root_usage:
csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
"Root user in the account was last accessed", result[0].status_extended
)
assert result[0].resource_id == "<root_account>"
assert result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
"Root user in the account was last accessed",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
)
@mock_iam
def test_root_access_key_1_recently_used(self):
@@ -84,28 +125,34 @@ class Test_iam_avoid_root_usage:
csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
"Root user in the account was last accessed", result[0].status_extended
)
assert result[0].resource_id == "<root_account>"
assert result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
"Root user in the account was last accessed",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
)
@mock_iam
def test_root_access_key_2_recently_used(self):
@@ -118,28 +165,34 @@ class Test_iam_avoid_root_usage:
csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
"Root user in the account was last accessed", result[0].status_extended
)
assert result[0].resource_id == "<root_account>"
assert result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
"Root user in the account was last accessed",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
)
@mock_iam
def test_root_password_used(self):
@@ -152,29 +205,34 @@ class Test_iam_avoid_root_usage:
csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "PASS"
assert search(
"Root user in the account wasn't accessed in the last 1 days",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "PASS"
assert search(
"Root user in the account wasn't accessed in the last 1 days",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
)
@mock_iam
def test_root_access_key_1_used(self):
@@ -187,29 +245,34 @@ class Test_iam_avoid_root_usage:
csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "PASS"
assert search(
"Root user in the account wasn't accessed in the last 1 days",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "PASS"
assert search(
"Root user in the account wasn't accessed in the last 1 days",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
)
@mock_iam
def test_root_access_key_2_used(self):
@@ -222,26 +285,31 @@ class Test_iam_avoid_root_usage:
csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "PASS"
assert search(
"Root user in the account wasn't accessed in the last 1 days",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "PASS"
assert search(
"Root user in the account wasn't accessed in the last 1 days",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
)