fix(ecr): Refactor service (#2302)

Co-authored-by: Gabriel Soltz <thegaby@gmail.com>
Co-authored-by: Kay Agahd <kagahd@users.noreply.github.com>
Co-authored-by: Nacho Rivera <nachor1992@gmail.com>
Co-authored-by: Kevin Pullin <kevin.pullin@gmail.com>
Co-authored-by: Sergio Garcia <sergargar1@gmail.com>
This commit is contained in:
Pepe Fagoaga
2023-05-09 17:04:21 +02:00
committed by GitHub
parent d344318dd4
commit 6f48012234
13 changed files with 894 additions and 454 deletions


@@ -1,17 +1,25 @@
from re import search
from unittest import mock
from prowler.providers.aws.services.ecr.ecr_service import Registry, ScanningRule
from prowler.providers.aws.services.ecr.ecr_service import (
Registry,
Repository,
ScanningRule,
)
# Mock Test Region
AWS_REGION = "eu-west-1"
AWS_ACCOUNT_NUMBER = "123456789012"
repository_name = "test_repo"
repository_arn = (
f"arn:aws:ecr:eu-west-1:{AWS_ACCOUNT_NUMBER}:repository/{repository_name}"
)
class Test_ecr_registry_scan_images_on_push_enabled:
def test_no_registries(self):
ecr_client = mock.MagicMock
ecr_client.registries = []
ecr_client.registries = {}
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
@@ -25,21 +33,53 @@ class Test_ecr_registry_scan_images_on_push_enabled:
result = check.execute()
assert len(result) == 0
def test_scan_on_push_enabled(self):
def test_registry_no_repositories(self):
ecr_client = mock.MagicMock
ecr_client.registries = []
ecr_client.registries.append(
Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
rules=[
ScanningRule(
scan_frequency="SCAN_ON_PUSH",
scan_filters=[{"filter": "*", "filterType": "WILDCARD"}],
)
],
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
repositories=[],
rules=[],
)
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
):
from prowler.providers.aws.services.ecr.ecr_registry_scan_images_on_push_enabled.ecr_registry_scan_images_on_push_enabled import (
ecr_registry_scan_images_on_push_enabled,
)
check = ecr_registry_scan_images_on_push_enabled()
result = check.execute()
assert len(result) == 0
def test_registry_scan_on_push_enabled(self):
ecr_client = mock.MagicMock
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
repositories=[
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy="",
images_details=None,
lifecycle_policy="",
)
],
rules=[
ScanningRule(
scan_frequency="SCAN_ON_PUSH",
scan_filters=[{"filter": "*", "filterType": "WILDCARD"}],
)
],
)
with mock.patch(
@@ -60,19 +100,28 @@ class Test_ecr_registry_scan_images_on_push_enabled:
def test_scan_on_push_enabled_with_filters(self):
ecr_client = mock.MagicMock
ecr_client.registries = []
ecr_client.registries.append(
Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
rules=[
ScanningRule(
scan_frequency="SCAN_ON_PUSH",
scan_filters=[{"filter": "test", "filterType": "WILDCARD"}],
)
],
)
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
repositories=[
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy="",
images_details=None,
lifecycle_policy="",
)
],
rules=[
ScanningRule(
scan_frequency="SCAN_ON_PUSH",
scan_filters=[{"filter": "test", "filterType": "WILDCARD"}],
)
],
)
with mock.patch(
@@ -96,14 +145,23 @@ class Test_ecr_registry_scan_images_on_push_enabled:
def test_scan_on_push_disabled(self):
ecr_client = mock.MagicMock
ecr_client.registries = []
ecr_client.registries.append(
Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
rules=[],
)
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
repositories=[
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy="",
images_details=None,
lifecycle_policy="",
)
],
rules=[],
)
with mock.patch(
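Review bot: Every test here still starts from `ecr_client = mock.MagicMock` (the class, not an instance), so the new `ecr_client.registries = {}` and `ecr_client.registries[AWS_REGION] = Registry(...)` lines write a class attribute onto `unittest.mock.MagicMock` itself, which is shared by every test in the process and survives the `with mock.patch(...)` block. The tests only pass because each one reassigns a fresh dict before running, and any test that relies on a MagicMock instance elsewhere will see a stray `registries` attribute. The iam test file in this same commit shows the cleaner pattern: build an instance, `ecr_client = mock.MagicMock()`, populate it, and patch the check module's client name with `new=ecr_client` (by analogy with `...iam_role_cross_account_readonlyaccess_policy.iam_client` there, presumably `...ecr_registry_scan_images_on_push_enabled.ecr_client`; confirm the name in the check module). The same class-attribute pattern is repeated in the lifecycle_policy, not_publicly_accessible, repositories_scan_images_on_push_enabled and scan_vulnerabilities test files of this commit.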


@@ -1,7 +1,6 @@
from re import search
from unittest import mock
from prowler.providers.aws.services.ecr.ecr_service import Repository
from prowler.providers.aws.services.ecr.ecr_service import Registry, Repository
# Mock Test Region
AWS_REGION = "eu-west-1"
@@ -24,19 +23,64 @@ repo_policy_public = {
class Test_ecr_repositories_lifecycle_policy_enabled:
def test_no_lyfecicle_policy(self):
def test_no_registries(self):
ecr_client = mock.MagicMock
ecr_client.repositories = []
ecr_client.repositories.append(
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_public,
images_details=None,
lyfecicle_policy="test-policy",
ecr_client.registries = {}
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
):
from prowler.providers.aws.services.ecr.ecr_repositories_lifecycle_policy_enabled.ecr_repositories_lifecycle_policy_enabled import (
ecr_repositories_lifecycle_policy_enabled,
)
check = ecr_repositories_lifecycle_policy_enabled()
result = check.execute()
assert len(result) == 0
def test_registry_no_repositories(self):
ecr_client = mock.MagicMock
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
repositories=[],
rules=[],
)
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
):
from prowler.providers.aws.services.ecr.ecr_repositories_lifecycle_policy_enabled.ecr_repositories_lifecycle_policy_enabled import (
ecr_repositories_lifecycle_policy_enabled,
)
check = ecr_repositories_lifecycle_policy_enabled()
result = check.execute()
assert len(result) == 0
def test_lifecycle_policy(self):
ecr_client = mock.MagicMock
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
rules=[],
repositories=[
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_public,
images_details=None,
lifecycle_policy="test-policy",
)
],
)
with mock.patch(
@@ -51,23 +95,33 @@ class Test_ecr_repositories_lifecycle_policy_enabled:
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search("has lifecycle policy", result[0].status_extended)
assert (
result[0].status_extended
== f"Repository {repository_name} has a lifecycle policy configured"
)
assert result[0].resource_id == repository_name
assert result[0].resource_arn == repository_arn
assert result[0].resource_tags == []
def test_lifecycle_policy(self):
def test_no_lifecycle_policy(self):
ecr_client = mock.MagicMock
ecr_client.repositories = []
ecr_client.repositories.append(
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=False,
policy=repo_policy_public,
images_details=None,
lyfecicle_policy=None,
)
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
rules=[],
repositories=[
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=False,
policy=repo_policy_public,
images_details=None,
lifecycle_policy=None,
)
],
)
with mock.patch(
@@ -82,6 +136,10 @@ class Test_ecr_repositories_lifecycle_policy_enabled:
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search("has no lifecycle policy", result[0].status_extended)
assert (
result[0].status_extended
== f"Repository {repository_name} has not a lifecycle policy configured"
)
assert result[0].resource_id == repository_name
assert result[0].resource_arn == repository_arn
assert result[0].resource_tags == []
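Review bot: `from re import search` is kept at the top of this file while both `search(...)` assertions in it (`test_lifecycle_policy` and `test_no_lifecycle_policy`) are replaced by exact `==` comparisons; unless a `search` call survives outside the shown hunks, the import is now dead and will be flagged as F401. The not_publicly_accessible and repositories_scan_images_on_push_enabled test files in this commit make the same switch and keep the same import. Separately, the FAIL message now pinned verbatim, `Repository {repository_name} has not a lifecycle policy configured`, is ungrammatical; because the assertion is exact, correcting it means changing the check's message and the test together, e.g. `== f"Repository {repository_name} does not have a lifecycle policy configured"`.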


@@ -1,7 +1,6 @@
from re import search
from unittest import mock
from prowler.providers.aws.services.ecr.ecr_service import Repository
from prowler.providers.aws.services.ecr.ecr_service import Registry, Repository
# Mock Test Region
AWS_REGION = "eu-west-1"
@@ -36,19 +35,64 @@ repo_policy_public = {
class Test_ecr_repositories_not_publicly_accessible:
def test_no_registries(self):
ecr_client = mock.MagicMock
ecr_client.registries = {}
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
):
from prowler.providers.aws.services.ecr.ecr_repositories_not_publicly_accessible.ecr_repositories_not_publicly_accessible import (
ecr_repositories_not_publicly_accessible,
)
check = ecr_repositories_not_publicly_accessible()
result = check.execute()
assert len(result) == 0
def test_registry_no_repositories(self):
ecr_client = mock.MagicMock
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
repositories=[],
rules=[],
)
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
):
from prowler.providers.aws.services.ecr.ecr_repositories_not_publicly_accessible.ecr_repositories_not_publicly_accessible import (
ecr_repositories_not_publicly_accessible,
)
check = ecr_repositories_not_publicly_accessible()
result = check.execute()
assert len(result) == 0
def test_repository_not_public(self):
ecr_client = mock.MagicMock
ecr_client.repositories = []
ecr_client.repositories.append(
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_not_public,
images_details=None,
lyfecicle_policy=None,
)
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
repositories=[
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_not_public,
images_details=None,
lifecycle_policy=None,
)
],
rules=[],
)
with mock.patch(
@@ -63,23 +107,32 @@ class Test_ecr_repositories_not_publicly_accessible:
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search("is not open", result[0].status_extended)
assert (
result[0].status_extended
== f"Repository {repository_name} is not publicly accesible"
)
assert result[0].resource_id == repository_name
assert result[0].resource_arn == repository_arn
def test_repository_public(self):
ecr_client = mock.MagicMock
ecr_client.repositories = []
ecr_client.repositories.append(
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_public,
images_details=None,
lyfecicle_policy=None,
)
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
repositories=[
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_public,
images_details=None,
lifecycle_policy=None,
)
],
rules=[],
)
with mock.patch(
@@ -94,8 +147,9 @@ class Test_ecr_repositories_not_publicly_accessible:
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search(
"policy may allow anonymous users to", result[0].status_extended
assert (
result[0].status_extended
== f"Repository {repository_name} policy may allow anonymous users to perform actions (Principal: '*')"
)
assert result[0].resource_id == repository_name
assert result[0].resource_arn == repository_arn
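Review bot: The PASS message pinned by the new exact assertion in `test_repository_not_public`, `f"Repository {repository_name} is not publicly accesible"`, misspells "accessible". Since the test now compares with `==` rather than `search`, the typo is locked in, and fixing the check's wording later will break this test, so both should be corrected in the same change: `== f"Repository {repository_name} is not publicly accessible"`. The check module that emits the string is not part of this diff.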


@@ -1,7 +1,6 @@
from re import search
from unittest import mock
from prowler.providers.aws.services.ecr.ecr_service import Repository
from prowler.providers.aws.services.ecr.ecr_service import Registry, Repository
# Mock Test Region
AWS_REGION = "eu-west-1"
@@ -24,19 +23,64 @@ repo_policy_public = {
class Test_ecr_repositories_scan_images_on_push_enabled:
def test_no_registries(self):
ecr_client = mock.MagicMock
ecr_client.registries = {}
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
):
from prowler.providers.aws.services.ecr.ecr_repositories_scan_images_on_push_enabled.ecr_repositories_scan_images_on_push_enabled import (
ecr_repositories_scan_images_on_push_enabled,
)
check = ecr_repositories_scan_images_on_push_enabled()
result = check.execute()
assert len(result) == 0
def test_registry_no_repositories(self):
ecr_client = mock.MagicMock
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
repositories=[],
rules=[],
)
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
):
from prowler.providers.aws.services.ecr.ecr_repositories_scan_images_on_push_enabled.ecr_repositories_scan_images_on_push_enabled import (
ecr_repositories_scan_images_on_push_enabled,
)
check = ecr_repositories_scan_images_on_push_enabled()
result = check.execute()
assert len(result) == 0
def test_scan_on_push_disabled(self):
ecr_client = mock.MagicMock
ecr_client.repositories = []
ecr_client.repositories.append(
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_public,
images_details=None,
lyfecicle_policy=None,
)
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
repositories=[
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_public,
images_details=None,
lifecycle_policy=None,
)
],
rules=[],
)
with mock.patch(
@@ -51,23 +95,32 @@ class Test_ecr_repositories_scan_images_on_push_enabled:
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search("has scan on push enabled", result[0].status_extended)
assert (
result[0].status_extended
== f"ECR repository {repository_name} has scan on push enabled"
)
assert result[0].resource_id == repository_name
assert result[0].resource_arn == repository_arn
def test_scan_on_push_enabled(self):
ecr_client = mock.MagicMock
ecr_client.repositories = []
ecr_client.repositories.append(
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=False,
policy=repo_policy_public,
images_details=None,
lyfecicle_policy=None,
)
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
repositories=[
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=False,
policy=repo_policy_public,
images_details=None,
lifecycle_policy=None,
)
],
rules=[],
)
with mock.patch(
@@ -82,6 +135,9 @@ class Test_ecr_repositories_scan_images_on_push_enabled:
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search("has scan on push disabled", result[0].status_extended)
assert (
result[0].status_extended
== f"ECR repository {repository_name} has scan on push disabled"
)
assert result[0].resource_id == repository_name
assert result[0].resource_arn == repository_arn
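Review bot: The two remaining test names in this file are inverted relative to their fixtures: `test_scan_on_push_disabled` builds a Repository with `scan_on_push=True` and asserts `status == "PASS"` with "has scan on push enabled", while `test_scan_on_push_enabled` builds `scan_on_push=False` and asserts FAIL with "has scan on push disabled". The commit renamed the sibling tests (`test_no_registries`, `test_registry_no_repositories`) but carried these two names over unchanged. Swap them so the name matches the scenario: `def test_scan_on_push_enabled(self):` over the `scan_on_push=True` fixture and `def test_scan_on_push_disabled(self):` over the `scan_on_push=False` one.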


@@ -1,9 +1,11 @@
from datetime import datetime
from re import search
from unittest import mock
from prowler.providers.aws.services.ecr.ecr_service import (
FindingSeverityCounts,
ImageDetails,
Registry,
Repository,
)
@@ -28,20 +30,66 @@ repo_policy_public = {
class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
def test_no_registries(self):
ecr_client = mock.MagicMock
ecr_client.registries = {}
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
):
from prowler.providers.aws.services.ecr.ecr_repositories_scan_vulnerabilities_in_latest_image.ecr_repositories_scan_vulnerabilities_in_latest_image import (
ecr_repositories_scan_vulnerabilities_in_latest_image,
)
check = ecr_repositories_scan_vulnerabilities_in_latest_image()
result = check.execute()
assert len(result) == 0
def test_registry_no_repositories(self):
ecr_client = mock.MagicMock
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
repositories=[],
rules=[],
)
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
):
from prowler.providers.aws.services.ecr.ecr_repositories_scan_vulnerabilities_in_latest_image.ecr_repositories_scan_vulnerabilities_in_latest_image import (
ecr_repositories_scan_vulnerabilities_in_latest_image,
)
check = ecr_repositories_scan_vulnerabilities_in_latest_image()
result = check.execute()
assert len(result) == 0
def test_empty_repository(self):
ecr_client = mock.MagicMock
ecr_client.repositories = []
ecr_client.repositories.append(
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_public,
images_details=[],
lyfecicle_policy=None,
)
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
repositories=[
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_public,
images_details=[],
lifecycle_policy=None,
)
],
rules=[],
)
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
@@ -56,28 +104,35 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
def test_image_scaned_without_findings(self):
ecr_client = mock.MagicMock
ecr_client.repositories = []
ecr_client.repositories.append(
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_public,
images_details=[],
lyfecicle_policy=None,
)
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
repositories=[
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_public,
images_details=[
ImageDetails(
latest_tag="test-tag",
latest_digest="test-digest",
image_pushed_at=datetime(2023, 1, 1),
scan_findings_status="COMPLETE",
scan_findings_severity_count=FindingSeverityCounts(
critical=0, high=0, medium=0
),
),
],
lifecycle_policy=None,
)
],
rules=[],
)
ecr_client.repositories[0].images_details.append(
ImageDetails(
latest_tag="test-tag",
latest_digest="test-digest",
scan_findings_status="COMPLETE",
scan_findings_severity_count=FindingSeverityCounts(
critical=0, high=0, medium=0
),
),
),
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
@@ -96,28 +151,35 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
def test_image_scanned_with_findings(self):
ecr_client = mock.MagicMock
ecr_client.repositories = []
ecr_client.repositories.append(
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_public,
images_details=[],
lyfecicle_policy=None,
)
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
repositories=[
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_public,
images_details=[
ImageDetails(
latest_tag="test-tag",
latest_digest="test-digest",
image_pushed_at=datetime(2023, 1, 1),
scan_findings_status="COMPLETE",
scan_findings_severity_count=FindingSeverityCounts(
critical=12, high=34, medium=7
),
)
],
lifecycle_policy=None,
)
],
rules=[],
)
ecr_client.repositories[0].images_details.append(
ImageDetails(
latest_tag="test-tag",
latest_digest="test-digest",
scan_findings_status="COMPLETE",
scan_findings_severity_count=FindingSeverityCounts(
critical=12, high=34, medium=7
),
),
),
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
@@ -136,28 +198,35 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
def test_image_scanned_fail_scan(self):
ecr_client = mock.MagicMock
ecr_client.repositories = []
ecr_client.repositories.append(
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_public,
images_details=[],
lyfecicle_policy=None,
)
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
repositories=[
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_public,
images_details=[
ImageDetails(
latest_tag="test-tag",
latest_digest="test-digest",
image_pushed_at=datetime(2023, 1, 1),
scan_findings_status="FAILED",
scan_findings_severity_count=FindingSeverityCounts(
critical=0, high=0, medium=0
),
)
],
lifecycle_policy=None,
)
],
rules=[],
)
ecr_client.repositories[0].images_details.append(
ImageDetails(
latest_tag="test-tag",
latest_digest="test-digest",
scan_findings_status="FAILED",
scan_findings_severity_count=FindingSeverityCounts(
critical=0, high=0, medium=0
),
),
),
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
@@ -176,28 +245,35 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
def test_image_not_scanned(self):
ecr_client = mock.MagicMock
ecr_client.repositories = []
ecr_client.repositories.append(
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_public,
images_details=[],
lyfecicle_policy=None,
)
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
repositories=[
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_public,
images_details=[
ImageDetails(
latest_tag="test-tag",
latest_digest="test-digest",
image_pushed_at=datetime(2023, 1, 1),
scan_findings_status="",
scan_findings_severity_count=FindingSeverityCounts(
critical=0, high=0, medium=0
),
)
],
lifecycle_policy=None,
)
],
rules=[],
)
ecr_client.repositories[0].images_details.append(
ImageDetails(
latest_tag="test-tag",
latest_digest="test-digest",
scan_findings_status="",
scan_findings_severity_count=FindingSeverityCounts(
critical=0, high=0, medium=0
),
),
),
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
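Review bot: The five tests in this file now each inline the same Registry/Repository fixture (about twenty lines) and differ only in the `images_details` list passed to `Repository`. A module-level helper that takes `images_details` and returns the populated `Registry` (id, region, `scan_type="BASIC"`, `rules=[]`, one `Repository` with the shared name/arn/policy) would reduce each test to the lines that actually vary, and make a future change to the `Repository` model a one-place edit instead of five. While touching this file, `test_image_scaned_without_findings` (the context line opening its hunk) misspells "scanned"; its `test_image_scanned_*` siblings spell it correctly.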


@@ -1,3 +1,4 @@
from datetime import datetime
from unittest.mock import patch
import botocore
@@ -24,8 +25,9 @@ def mock_make_api_call(self, operation_name, kwarg):
{
"imageDigest": "sha256:d8868e50ac4c7104d2200d42f432b661b2da8c1e417ccfae217e6a1e04bb9295",
"imageTags": [
"test-tag",
"test-tag1",
],
"imagePushedAt": datetime(2023, 1, 1),
"imageScanStatus": {
"status": "COMPLETE",
},
@@ -38,6 +40,13 @@ def mock_make_api_call(self, operation_name, kwarg):
"imageTags": [
"test-tag2",
],
"imagePushedAt": datetime(2023, 1, 2),
"imageScanStatus": {
"status": "COMPLETE",
},
"imageScanFindingsSummary": {
"findingSeverityCounts": {"CRITICAL": 1, "HIGH": 2, "MEDIUM": 3}
},
},
],
}
@@ -68,6 +77,7 @@ def mock_make_api_call(self, operation_name, kwarg):
],
},
}
return make_api_call(self, operation_name, kwarg)
@@ -128,7 +138,7 @@ class Test_ECR_Service:
# Test describe ECR repositories
@mock_ecr
def test__describe_repositories__(self):
def test__describe_registries_and_repositories__(self):
ecr_client = client("ecr", region_name=AWS_REGION)
ecr_client.create_repository(
repositoryName=repo_name,
@@ -139,11 +149,16 @@ class Test_ECR_Service:
)
audit_info = self.set_mocked_audit_info()
ecr = ECR(audit_info)
assert len(ecr.repositories) == 1
assert ecr.repositories[0].name == repo_name
assert ecr.repositories[0].arn == repo_arn
assert ecr.repositories[0].scan_on_push
assert ecr.repositories[0].tags == [
assert len(ecr.registries) == 1
assert ecr.registries[AWS_REGION].id == AWS_ACCOUNT_NUMBER
assert ecr.registries[AWS_REGION].region == AWS_REGION
assert len(ecr.registries[AWS_REGION].repositories) == 1
assert ecr.registries[AWS_REGION].repositories[0].name == repo_name
assert ecr.registries[AWS_REGION].repositories[0].arn == repo_arn
assert ecr.registries[AWS_REGION].repositories[0].scan_on_push
assert ecr.registries[AWS_REGION].repositories[0].tags == [
{"Key": "test", "Value": "test"},
]
@@ -157,28 +172,39 @@ class Test_ECR_Service:
)
audit_info = self.set_mocked_audit_info()
ecr = ECR(audit_info)
assert len(ecr.repositories) == 1
assert ecr.repositories[0].name == repo_name
assert ecr.repositories[0].arn == repo_arn
assert ecr.repositories[0].scan_on_push
assert len(ecr.registries) == 1
assert len(ecr.registries[AWS_REGION].repositories) == 1
assert ecr.registries[AWS_REGION].repositories[0].name == repo_name
assert ecr.registries[AWS_REGION].repositories[0].arn == repo_arn
assert ecr.registries[AWS_REGION].repositories[0].scan_on_push
assert (
ecr.repositories[0].policy["Statement"][0]["Sid"] == "Allow Describe Images"
ecr.registries[AWS_REGION].repositories[0].policy["Statement"][0]["Sid"]
== "Allow Describe Images"
)
assert ecr.repositories[0].policy["Statement"][0]["Effect"] == "Allow"
assert (
ecr.repositories[0].policy["Statement"][0]["Principal"]["AWS"][0]
ecr.registries[AWS_REGION].repositories[0].policy["Statement"][0]["Effect"]
== "Allow"
)
assert (
ecr.registries[AWS_REGION]
.repositories[0]
.policy["Statement"][0]["Principal"]["AWS"][0]
== f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
assert (
ecr.repositories[0].policy["Statement"][0]["Action"][0]
ecr.registries[AWS_REGION]
.repositories[0]
.policy["Statement"][0]["Action"][0]
== "ecr:DescribeImages"
)
assert (
ecr.repositories[0].policy["Statement"][0]["Action"][1]
ecr.registries[AWS_REGION]
.repositories[0]
.policy["Statement"][0]["Action"][1]
== "ecr:DescribeRepositories"
)
# Test describe ECR repository policies
# Test describe ECR repository lifecycle policies
@mock_ecr
def test__get_lifecycle_policies__(self):
ecr_client = client("ecr", region_name=AWS_REGION)
@@ -188,11 +214,12 @@ class Test_ECR_Service:
)
audit_info = self.set_mocked_audit_info()
ecr = ECR(audit_info)
assert len(ecr.repositories) == 1
assert ecr.repositories[0].name == repo_name
assert ecr.repositories[0].arn == repo_arn
assert ecr.repositories[0].scan_on_push
assert ecr.repositories[0].lyfecicle_policy
assert len(ecr.registries) == 1
assert len(ecr.registries[AWS_REGION].repositories) == 1
assert ecr.registries[AWS_REGION].repositories[0].name == repo_name
assert ecr.registries[AWS_REGION].repositories[0].arn == repo_arn
assert ecr.registries[AWS_REGION].repositories[0].scan_on_push
assert ecr.registries[AWS_REGION].repositories[0].lifecycle_policy
# Test get image details
@mock_ecr
@@ -204,45 +231,103 @@ class Test_ECR_Service:
)
audit_info = self.set_mocked_audit_info()
ecr = ECR(audit_info)
assert len(ecr.repositories) == 1
assert ecr.repositories[0].name == repo_name
assert ecr.repositories[0].arn == repo_arn
assert ecr.repositories[0].scan_on_push
assert len(ecr.repositories[0].images_details) == 2
assert ecr.repositories[0].images_details[0].latest_tag == "test-tag"
assert len(ecr.registries) == 1
assert len(ecr.registries[AWS_REGION].repositories) == 1
assert ecr.registries[AWS_REGION].repositories[0].name == repo_name
assert ecr.registries[AWS_REGION].repositories[0].arn == repo_arn
assert ecr.registries[AWS_REGION].repositories[0].scan_on_push
assert len(ecr.registries[AWS_REGION].repositories[0].images_details) == 2
# First image pushed
assert ecr.registries[AWS_REGION].repositories[0].images_details[
0
].image_pushed_at == datetime(2023, 1, 1)
assert (
ecr.repositories[0].images_details[0].latest_digest
ecr.registries[AWS_REGION].repositories[0].images_details[0].latest_tag
== "test-tag1"
)
assert (
ecr.registries[AWS_REGION].repositories[0].images_details[0].latest_digest
== "sha256:d8868e50ac4c7104d2200d42f432b661b2da8c1e417ccfae217e6a1e04bb9295"
)
assert ecr.repositories[0].images_details[0].scan_findings_status == "COMPLETE"
assert (
ecr.repositories[0].images_details[0].scan_findings_severity_count.critical
ecr.registries[AWS_REGION]
.repositories[0]
.images_details[0]
.scan_findings_status
== "COMPLETE"
)
assert (
ecr.registries[AWS_REGION]
.repositories[0]
.images_details[0]
.scan_findings_severity_count.critical
== 1
)
assert (
ecr.repositories[0].images_details[0].scan_findings_severity_count.high == 2
ecr.registries[AWS_REGION]
.repositories[0]
.images_details[0]
.scan_findings_severity_count.high
== 2
)
assert (
ecr.repositories[0].images_details[0].scan_findings_severity_count.medium
ecr.registries[AWS_REGION]
.repositories[0]
.images_details[0]
.scan_findings_severity_count.medium
== 3
)
assert ecr.repositories[0].images_details[1].latest_tag == "test-tag2"
# Second image pushed
assert ecr.registries[AWS_REGION].repositories[0].images_details[
1
].image_pushed_at == datetime(2023, 1, 2)
assert (
ecr.repositories[0].images_details[1].latest_digest
ecr.registries[AWS_REGION].repositories[0].images_details[1].latest_tag
== "test-tag2"
)
assert (
ecr.registries[AWS_REGION].repositories[0].images_details[1].latest_digest
== "sha256:83251ac64627fc331584f6c498b3aba5badc01574e2c70b2499af3af16630eed"
)
assert not ecr.repositories[0].images_details[1].scan_findings_status
assert not ecr.repositories[0].images_details[1].scan_findings_severity_count
assert (
ecr.registries[AWS_REGION]
.repositories[0]
.images_details[1]
.scan_findings_status
== "COMPLETE"
)
assert (
ecr.registries[AWS_REGION]
.repositories[0]
.images_details[1]
.scan_findings_severity_count.critical
== 1
)
assert (
ecr.registries[AWS_REGION]
.repositories[0]
.images_details[1]
.scan_findings_severity_count.high
== 2
)
assert (
ecr.registries[AWS_REGION]
.repositories[0]
.images_details[1]
.scan_findings_severity_count.medium
== 3
)
# Test get ECR Registries
# Test get ECR Registries Scanning Configuration
@mock_ecr
def test__get_registry_scanning_configuration__(self):
audit_info = self.set_mocked_audit_info()
ecr = ECR(audit_info)
assert len(ecr.registries) == 1
assert ecr.registries[0].id == AWS_ACCOUNT_NUMBER
assert ecr.registries[0].scan_type == "BASIC"
assert ecr.registries[0].rules == [
assert ecr.registries[AWS_REGION].id == AWS_ACCOUNT_NUMBER
assert ecr.registries[AWS_REGION].scan_type == "BASIC"
assert ecr.registries[AWS_REGION].rules == [
ScanningRule(
scan_frequency="SCAN_ON_PUSH",
scan_filters=[{"filter": "*", "filterType": "WILDCARD"}],
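Review bot: The `imagePushedAt` values added to the `describe_images` mock are naive `datetime(2023, 1, 1)` / `datetime(2023, 1, 2)`, whereas botocore returns timezone-aware datetimes for this field; if the refactored service (not in this diff) ever orders images or compares `image_pushed_at` against `datetime.now(...)`, a naive fixture would not surface the naive/aware `TypeError` that production data could, so `datetime(2023, 1, 1, tzinfo=timezone.utc)` with `from datetime import datetime, timezone` is the safer mock. The new "First image pushed"/"Second image pushed" assertions in the images hunk also pin the order of `images_details` to the order the mock returns them; whether that order is a contract (the service sorts by `image_pushed_at`) or an accident of the mock is not stated, and a one-line comment above those asserts saying which it is would help (that test's `def` line is outside the hunk). Finally, the repeated `ecr.registries[AWS_REGION].repositories[0]` chain could be bound once per test, `repository = ecr.registries[AWS_REGION].repositories[0]`, which would collapse most of the multi-line asserts back to one line each.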


@@ -271,8 +271,8 @@ class Test_iam_role_cross_account_readonlyaccess_policy:
)
with mock.patch(
"prowler.providers.aws.services.iam.iam_service.IAM",
iam_client,
"prowler.providers.aws.services.iam.iam_role_cross_account_readonlyaccess_policy.iam_role_cross_account_readonlyaccess_policy.iam_client",
new=iam_client,
):
# Test Check
from prowler.providers.aws.services.iam.iam_role_cross_account_readonlyaccess_policy.iam_role_cross_account_readonlyaccess_policy import (