fix(security_hub): Handle user facing errors (#3456)

2026-02-10 14:55:00 +00:00 · 2024-02-28 10:03:43 +01:00
parent ab437fb459
commit 64aa0435e8
2 changed files with 144 additions and 4 deletions
--- a/tests/providers/aws/lib/security_hub/security_hub_test.py
+++ b/tests/providers/aws/lib/security_hub/security_hub_test.py
@@ -1,7 +1,9 @@
+from logging import ERROR, WARNING
 from os import path

 import botocore
 from boto3 import session
+from botocore.client import ClientError
 from mock import MagicMock, patch

 from prowler.config.config import prowler_version, timestamp_utc
@@ -130,6 +132,126 @@ class Test_SecurityHub:
            AWS_COMMERCIAL_PARTITION, AWS_REGION_EU_WEST_1, session, AWS_ACCOUNT_NUMBER
        )

+    def test_verify_security_hub_integration_enabled_per_region_security_hub_disabled(
+        self, caplog
+    ):
+        caplog.set_level(WARNING)
+        session = self.set_mocked_session(AWS_REGION_EU_WEST_1)
+
+        with patch(
+            "prowler.providers.aws.lib.security_hub.security_hub.session.Session.client",
+        ) as mock_security_hub:
+            error_message = f"Account {AWS_ACCOUNT_NUMBER} is not subscribed to AWS Security Hub in region {AWS_REGION_EU_WEST_1}"
+            error_code = "InvalidAccessException"
+            error_response = {
+                "Error": {
+                    "Code": error_code,
+                    "Message": error_message,
+                }
+            }
+            operation_name = "DescribeHub"
+            mock_security_hub.side_effect = ClientError(error_response, operation_name)
+
+            assert not verify_security_hub_integration_enabled_per_region(
+                AWS_COMMERCIAL_PARTITION,
+                AWS_REGION_EU_WEST_1,
+                session,
+                AWS_ACCOUNT_NUMBER,
+            )
+            assert caplog.record_tuples == [
+                (
+                    "root",
+                    WARNING,
+                    f"ClientError -- [68]: An error occurred ({error_code}) when calling the {operation_name} operation: {error_message}",
+                )
+            ]
+
+    def test_verify_security_hub_integration_enabled_per_region_prowler_not_subscribed(
+        self, caplog
+    ):
+        caplog.set_level(WARNING)
+        session = self.set_mocked_session(AWS_REGION_EU_WEST_1)
+
+        with patch(
+            "prowler.providers.aws.lib.security_hub.security_hub.session.Session.client",
+        ) as mock_security_hub:
+            mock_security_hub.describe_hub.return_value = None
+            mock_security_hub.list_enabled_products_for_import.return_value = []
+
+            assert not verify_security_hub_integration_enabled_per_region(
+                AWS_COMMERCIAL_PARTITION,
+                AWS_REGION_EU_WEST_1,
+                session,
+                AWS_ACCOUNT_NUMBER,
+            )
+            assert caplog.record_tuples == [
+                (
+                    "root",
+                    WARNING,
+                    f"Security Hub is enabled in {AWS_REGION_EU_WEST_1} but Prowler integration does not accept findings. More info: https://docs.prowler.cloud/en/latest/tutorials/aws/securityhub/",
+                )
+            ]
+
+    def test_verify_security_hub_integration_enabled_per_region_another_ClientError(
+        self, caplog
+    ):
+        caplog.set_level(WARNING)
+        session = self.set_mocked_session(AWS_REGION_EU_WEST_1)
+
+        with patch(
+            "prowler.providers.aws.lib.security_hub.security_hub.session.Session.client",
+        ) as mock_security_hub:
+            error_message = f"Another exception in region {AWS_REGION_EU_WEST_1}"
+            error_code = "AnotherException"
+            error_response = {
+                "Error": {
+                    "Code": error_code,
+                    "Message": error_message,
+                }
+            }
+            operation_name = "DescribeHub"
+            mock_security_hub.side_effect = ClientError(error_response, operation_name)
+
+            assert not verify_security_hub_integration_enabled_per_region(
+                AWS_COMMERCIAL_PARTITION,
+                AWS_REGION_EU_WEST_1,
+                session,
+                AWS_ACCOUNT_NUMBER,
+            )
+            assert caplog.record_tuples == [
+                (
+                    "root",
+                    ERROR,
+                    f"ClientError -- [68]: An error occurred ({error_code}) when calling the {operation_name} operation: {error_message}",
+                )
+            ]
+
+    def test_verify_security_hub_integration_enabled_per_region_another_Exception(
+        self, caplog
+    ):
+        caplog.set_level(WARNING)
+        session = self.set_mocked_session(AWS_REGION_EU_WEST_1)
+
+        with patch(
+            "prowler.providers.aws.lib.security_hub.security_hub.session.Session.client",
+        ) as mock_security_hub:
+            error_message = f"Another exception in region {AWS_REGION_EU_WEST_1}"
+            mock_security_hub.side_effect = Exception(error_message)
+
+            assert not verify_security_hub_integration_enabled_per_region(
+                AWS_COMMERCIAL_PARTITION,
+                AWS_REGION_EU_WEST_1,
+                session,
+                AWS_ACCOUNT_NUMBER,
+            )
+            assert caplog.record_tuples == [
+                (
+                    "root",
+                    ERROR,
+                    f"Exception -- [68]: {error_message}",
+                )
+            ]
+
    def test_prepare_security_hub_findings_enabled_region_not_quiet(self):
        enabled_regions = [AWS_REGION_EU_WEST_1]
        output_options = self.set_mocked_output_options(is_quiet=False)