diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml new file mode 100644 index 00000000..da1fedf6 --- /dev/null +++ b/.github/workflows/pull-request.yml @@ -0,0 +1,41 @@ +name: Lint & Test + +on: + push: + branches: + - 'prowler-3.0-dev' + pull_request: + branches: + - 'prowler-3.0-dev' + +jobs: + build: + + runs-on: ubuntu-latest + strategy: + matrix: + python-version: ["3.9"] + + steps: + - uses: actions/checkout@v3 + - name: Set up Python ${{ matrix.python-version }} + uses: actions/setup-python@v4 + with: + python-version: ${{ matrix.python-version }} + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install pipenv + pipenv install + - name: Bandit + run: | + pipenv run bandit -q -lll -x '*_test.py,./contrib/' -r . + - name: Safety + run: | + pipenv run safety check + - name: Vulture + run: | + pipenv run vulture --exclude "contrib" --min-confidence 100 . + - name: Test with pytest + run: | + pipenv run pytest -n auto diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0b8b3b42..02925c9b 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -45,7 +45,7 @@ repos: hooks: - id: pytest-check name: pytest-check - entry: bash -c 'pytest' + entry: bash -c 'pytest -n auto' language: system - id: bandit diff --git a/Makefile b/Makefile index e63ab372..504f850c 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ .DEFAULT_GOAL:=help test: ## Test with pytest - pytest -v + pytest -n auto -vvv -s coverage: ## Show Test Coverage coverage run --skip-covered -m pytest -v && \ diff --git a/Pipfile b/Pipfile index 8468a4b3..3c711b40 100644 --- a/Pipfile +++ b/Pipfile @@ -16,6 +16,7 @@ safety = "1.10.3" vulture = "2.4" coverage = "6.4.1" pytest = "7.1.2" +pytest-xdist = "2.5.0" [dev-packages] diff --git a/Pipfile.lock b/Pipfile.lock index a1a835e1..c3f5b063 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "e77c8b5d556b7e3c336616485fe5c853f203896df85be049b89a4618bef8fab7" + "sha256": "be3fc654afc3da2914e7e3a61647d0f90cc468b4f2327568178440fca9adb9fe" }, "pipfile-spec": 6, "requires": { @@ -42,19 +42,19 @@ }, "boto3": { "hashes": [ - "sha256:b72496c7eaa45afbdfa48a7c648c3211342582d91c8c1b7330d09c18242132d1", - "sha256:ec1aa3f4c2b68da1a9c01e175086f5f6b1b8b67780fa569ab8875be5bb3fd5ae" + "sha256:0e6ef4b5e47b6073887961028201ecfc2024198125f20fbe5f5c00234f124543", + "sha256:719bfafbe4e076055aa1a51269ffdbe9c61446679b67f31d61c237976661154c" ], "index": "pypi", - "version": "==1.24.61" + "version": "==1.24.63" }, "botocore": { "hashes": [ - "sha256:535c8e97ed28a38fd09dd8f4735195e761bbee54e4c6021f3a709a97b1287dd6", - "sha256:99012965e2409665c7d86706862c5a141e01e1c4d2c81cb9409a44200ee59631" + "sha256:8567dee549430a53210c6b898dea3a8fc8ee9d7934ec1df7545c547cacbb2b8f", + "sha256:b97e17c930a7f45b50f94956a4474c1cd7b828e3dcd8a84dd0e3306ca6189335" ], "index": "pypi", - "version": "==1.27.61" + "version": "==1.27.63" }, "certifi": { "hashes": [ @@ -249,6 +249,14 @@ "markers": "python_version >= '3.5'", "version": "==0.5.2" }, + "execnet": { + "hashes": [ + "sha256:8f694f3ba9cc92cab508b152dcfe322153975c29bda272e2fd7f3f00f36e47c5", + "sha256:a295f7cc774947aac58dde7fdc85f4aa00c42adf5d8f5468fc630c1acf30a142" + ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==1.9.0" + }, "gitdb": { "hashes": [ "sha256:8033ad4e853066ba6ca92050b9df2f89301b8fc8bf7e9324d412a63f8bf1a8fd", @@ -402,44 +410,45 @@ }, "pydantic": { "hashes": [ - "sha256:1061c6ee6204f4f5a27133126854948e3b3d51fcc16ead2e5d04378c199b2f44", - "sha256:19b5686387ea0d1ea52ecc4cffb71abb21702c5e5b2ac626fd4dbaa0834aa49d", - "sha256:2bd446bdb7755c3a94e56d7bdfd3ee92396070efa8ef3a34fab9579fe6aa1d84", - "sha256:328558c9f2eed77bd8fffad3cef39dbbe3edc7044517f4625a769d45d4cf7555", - "sha256:32e0b4fb13ad4db4058a7c3c80e2569adbd810c25e6ca3bbd8b2a9cc2cc871d7", - "sha256:3ee0d69b2a5b341fc7927e92cae7ddcfd95e624dfc4870b32a85568bd65e6131", - "sha256:4aafd4e55e8ad5bd1b19572ea2df546ccace7945853832bb99422a79c70ce9b8", - "sha256:4b3946f87e5cef3ba2e7bd3a4eb5a20385fe36521d6cc1ebf3c08a6697c6cfb3", - "sha256:4de71c718c9756d679420c69f216776c2e977459f77e8f679a4a961dc7304a56", - "sha256:5565a49effe38d51882cb7bac18bda013cdb34d80ac336428e8908f0b72499b0", - "sha256:5803ad846cdd1ed0d97eb00292b870c29c1f03732a010e66908ff48a762f20e4", - "sha256:5da164119602212a3fe7e3bc08911a89db4710ae51444b4224c2382fd09ad453", - "sha256:615661bfc37e82ac677543704437ff737418e4ea04bef9cf11c6d27346606044", - "sha256:78a4d6bdfd116a559aeec9a4cfe77dda62acc6233f8b56a716edad2651023e5e", - "sha256:7d0f183b305629765910eaad707800d2f47c6ac5bcfb8c6397abdc30b69eeb15", - "sha256:7ead3cd020d526f75b4188e0a8d71c0dbbe1b4b6b5dc0ea775a93aca16256aeb", - "sha256:84d76ecc908d917f4684b354a39fd885d69dd0491be175f3465fe4b59811c001", - "sha256:8cb0bc509bfb71305d7a59d00163d5f9fc4530f0881ea32c74ff4f74c85f3d3d", - "sha256:91089b2e281713f3893cd01d8e576771cd5bfdfbff5d0ed95969f47ef6d676c3", - "sha256:9c9e04a6cdb7a363d7cb3ccf0efea51e0abb48e180c0d31dca8d247967d85c6e", - "sha256:a8c5360a0297a713b4123608a7909e6869e1b56d0e96eb0d792c27585d40757f", - "sha256:afacf6d2a41ed91fc631bade88b1d319c51ab5418870802cedb590b709c5ae3c", - "sha256:b34ba24f3e2d0b39b43f0ca62008f7ba962cff51efa56e64ee25c4af6eed987b", - "sha256:bd67cb2c2d9602ad159389c29e4ca964b86fa2f35c2faef54c3eb28b4efd36c8", - "sha256:c0f5e142ef8217019e3eef6ae1b6b55f09a7a15972958d44fbd228214cede567", - "sha256:cdb4272678db803ddf94caa4f94f8672e9a46bae4a44f167095e4d06fec12979", - "sha256:d70916235d478404a3fa8c997b003b5f33aeac4686ac1baa767234a0f8ac2326", - "sha256:d8ce3fb0841763a89322ea0432f1f59a2d3feae07a63ea2c958b2315e1ae8adb", - "sha256:e0b214e57623a535936005797567231a12d0da0c29711eb3514bc2b3cd008d0f", - "sha256:e631c70c9280e3129f071635b81207cad85e6c08e253539467e4ead0e5b219aa", - "sha256:e78578f0c7481c850d1c969aca9a65405887003484d24f6110458fb02cca7747", - "sha256:f0ca86b525264daa5f6b192f216a0d1e860b7383e3da1c65a1908f9c02f42801", - "sha256:f1a68f4f65a9ee64b6ccccb5bf7e17db07caebd2730109cb8a95863cfa9c4e55", - "sha256:fafe841be1103f340a24977f61dee76172e4ae5f647ab9e7fd1e1fca51524f08", - "sha256:ff68fc85355532ea77559ede81f35fff79a6a5543477e168ab3a381887caea76" + "sha256:026427be4e251f876e7519a63af37ae5ebb8b593ca8b02180bdc6becd1ea4ef4", + "sha256:134b4fd805737496ce4efd24ce2f8da0e08c66dcfc054fee1a19673eec780f2c", + "sha256:158f1479367da20914961b5406ac3b29dfe1d858ae2af96c444f73543defcf0c", + "sha256:172aaeeaff8fc3ac326fb8a2934a063ca0938586c5fe8848285052de83a240f7", + "sha256:1856bc6640aced42886f7ee48f5ed1fa5adf35e34064b5f9532b52d5a3b8a0d3", + "sha256:1b5212604aaf5954e9a7cea8f0c60d6dbef996aa7b41edefd329e6b5011ce8cf", + "sha256:1f99b4de6936a0f9fe255d1c7fdc447700ddd027c9ad38a612d453ed5fc7d6d0", + "sha256:22206c152f9b86c0ee169928f9c24e1c0c566edb2462600b298ccb04860961aa", + "sha256:231b19c010288bfbfdcd3f79df38b5ff893c6547cd8c7d006203435790b22815", + "sha256:39212b3853eea165a3cda11075d5b7d09d4291fcbc3c0ecefd23797ee21b29e9", + "sha256:3a3a60fcb5ce08cab593b7978d02db67b8d153e9d582adab7c0b69d7200d78be", + "sha256:45a6d0a9fdaad2a27ea69aec4659705ed8f60a5664e892c73e2b977d8f5166cc", + "sha256:4af55f33ae5be6cccecd4fa462630daffef1f161f60c3f194b24eca705d50748", + "sha256:4d2b9258f5bd2d129bd4cf2d31f9d40094b9ed6ef64896e2f7a70729b2d599ea", + "sha256:645b83297a9428a675c98c1f69a7237a381900e34f23245c0ea73d74e454bf68", + "sha256:652727f9e1d3ae30bd8a4dfbebcafd50df45277b97f3deabbbfedcf731f94aa5", + "sha256:7e34e46dd08dafd4c75b8378efe3eae7d8e5212950fcd894d86c1df2dcfb80fe", + "sha256:8e796f915762dec4678fafc89b1f0441ab9209517a8a682ddb3f988f7ffe0827", + "sha256:9500586151cd56a20bacb8f1082df1b4489000120d1c7ddc44c8b20870e8adbd", + "sha256:95ab3f31f35dc4f8fc85b04d13569e5fdc9de2d3050ae64c1fdc3430dfe7d92d", + "sha256:a0ba8710bfdaddb7424c05ad2dc1da04796003751eac6ad30c218ac1d68a174e", + "sha256:a1192c17667d21652ab93b5eecd1a776cd0a4e384ea8c331bb830c9d130293af", + "sha256:af669da39ede365069dbc5de56564b011e3353f801acdbdd7145002a78abc3d9", + "sha256:b3e3aed33fbd9518cf508d5415a58af683743d53dc5e58953973d73605774f34", + "sha256:b549eebe8de4e50fc3b4f8c1f9cc2f731d91787fc3f7d031561668377b8679bc", + "sha256:c4c76af6ad47bc46cf16bd0e4a5e536a7a2bec0dec14ea08b712daa6645bf293", + "sha256:d1dffae1f219d06a997ec78d1d2daafdbfecf243ad8eb36bfbcbc73e30e17385", + "sha256:d484fbbe6267b6c936a6d005d5170ab553f3f4367348c7e88d3e17f0a7179981", + "sha256:d73ae7e210929a1b7d288034835dd787e5b0597192d58ab7342bacbeec0f33df", + "sha256:d8e5c5a50821c55b76dcf422610225cb7e44685cdd81832d0d504fa8c9343f35", + "sha256:d8ef840ef803ef17a7bd52480eb85faca0eed728d70233fd560f7d1066330247", + "sha256:e03402b0a6b23a2d0b9ee31e45d80612c95562b5af8b5c900171b9d9015ddc5f", + "sha256:e13788fcad1baf5eb3236856b2a9a74f7dac6b3ea7ca1f60a4ad8bad4239cf4c", + "sha256:e290915a0ed53d3c59d6071fc7d2c843ed04c33affcd752dd1f3daa859b44a76", + "sha256:ed4e5c18cac70fadd4cf339f444c4f1795f0876dfd5b70cf0a841890b52f0001", + "sha256:f0985ba95af937389c9ce8d747138417303569cb736bd12469646ef53cd66e1c" ], "index": "pypi", - "version": "==1.9.2" + "version": "==1.10.0" }, "pyparsing": { "hashes": [ @@ -457,6 +466,22 @@ "index": "pypi", "version": "==7.1.2" }, + "pytest-forked": { + "hashes": [ + "sha256:8b67587c8f98cbbadfdd804539ed5455b6ed03802203485dd2f53c1422d7440e", + "sha256:bbbb6717efc886b9d64537b41fb1497cfaf3c9601276be8da2cccfea5a3c8ad8" + ], + "markers": "python_version >= '3.6'", + "version": "==1.4.0" + }, + "pytest-xdist": { + "hashes": [ + "sha256:4580deca3ff04ddb2ac53eba39d76cb5dd5edeac050cb6fbc768b0dd712b4edf", + "sha256:6fe5c74fec98906deb8f2d2b616b5c782022744978e7bd4695d39c8f42d0ce65" + ], + "index": "pypi", + "version": "==2.5.0" + }, "python-dateutil": { "hashes": [ "sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86", diff --git a/lib/check/check.py b/lib/check/check.py index e9bb4a40..7c8089c2 100644 --- a/lib/check/check.py +++ b/lib/check/check.py @@ -151,7 +151,11 @@ def recover_checks_from_provider(provider: str, service: str = None) -> list: # Format: "providers.{provider}.services.{service}.{check_name}.{check_name}" check_name = module_name.name # We need to exclude common shared libraries in services - if check_name.count(".") == 5 and "lib" not in check_name: + if ( + check_name.count(".") == 5 + and "lib" not in check_name + and "test" not in check_name + ): checks.append(check_name) return checks diff --git a/providers/aws/services/iam/iam_user_two_active_access_key/iam_user_two_active_access_key.py b/providers/aws/services/iam/iam_user_two_active_access_key/iam_user_two_active_access_key.py index ef8d97cf..99b95236 100644 --- a/providers/aws/services/iam/iam_user_two_active_access_key/iam_user_two_active_access_key.py +++ b/providers/aws/services/iam/iam_user_two_active_access_key/iam_user_two_active_access_key.py @@ -1,29 +1,33 @@ from lib.check.models import Check, Check_Report +from lib.logger import logger from providers.aws.services.iam.iam_client import iam_client class iam_user_two_active_access_key(Check): def execute(self) -> Check_Report: - findings = [] - response = iam_client.credential_report - for user in response: - report = Check_Report(self.metadata) - report.resource_id = user["user"] - report.resource_arn = user["arn"] - report.region = iam_client.region - if ( - user["access_key_1_active"] == "true" - and user["access_key_2_active"] == "true" - ): - report.status = "FAIL" - report.status_extended = ( - f"User {user['user']} has 2 active access keys." - ) - else: - report.status = "PASS" - report.status_extended = ( - f"User {user['user']} has not 2 active access keys." - ) - findings.append(report) - - return findings + try: + findings = [] + response = iam_client.credential_report + for user in response: + report = Check_Report(self.metadata) + report.resource_id = user["user"] + report.resource_arn = user["arn"] + report.region = iam_client.region + if ( + user["access_key_1_active"] == "true" + and user["access_key_2_active"] == "true" + ): + report.status = "FAIL" + report.status_extended = ( + f"User {user['user']} has 2 active access keys." + ) + else: + report.status = "PASS" + report.status_extended = ( + f"User {user['user']} has not 2 active access keys." + ) + findings.append(report) + except Exception as error: + logger.error(f"{error.__class__.__name__} -- {error}") + finally: + return findings diff --git a/providers/aws/services/iam/iam_user_two_active_access_key/iam_user_two_active_access_key_test.py b/providers/aws/services/iam/iam_user_two_active_access_key/iam_user_two_active_access_key_test.py new file mode 100644 index 00000000..f86f2629 --- /dev/null +++ b/providers/aws/services/iam/iam_user_two_active_access_key/iam_user_two_active_access_key_test.py @@ -0,0 +1,113 @@ +from unittest import mock + +from boto3 import client +from moto import mock_iam + +from providers.aws.lib.audit_info.audit_info import current_audit_info +from providers.aws.services.iam.iam_service import IAM + + +class Test_iam_user_two_active_access_key: + @mock_iam + def test_iam_user_two_active_access_key(self): + # Create IAM Mocked Resources + iam_client = client("iam") + user = "test1" + iam_client.create_user(UserName=user) + # Create Access Key 1 + iam_client.create_access_key(UserName=user) + # Create Access Key 2 + iam_client.create_access_key(UserName=user) + + with mock.patch( + "providers.aws.services.iam.iam_user_two_active_access_key.iam_user_two_active_access_key.iam_client", + new=IAM(current_audit_info), + ): + # Test Check + from providers.aws.services.iam.iam_user_two_active_access_key.iam_user_two_active_access_key import ( + iam_user_two_active_access_key, + ) + + check = iam_user_two_active_access_key() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "FAIL" + + @mock_iam + def test_iam_user_one_active_access_key(self): + # Create IAM User + iam_client = client("iam") + user = "test1" + iam_client.create_user(UserName=user) + # Create Access Key 1 + iam_client.create_access_key(UserName=user) + with mock.patch( + "providers.aws.services.iam.iam_user_two_active_access_key.iam_user_two_active_access_key.iam_client", + new=IAM(current_audit_info), + ): + # Test Check + from providers.aws.services.iam.iam_user_two_active_access_key.iam_user_two_active_access_key import ( + iam_user_two_active_access_key, + ) + + check = iam_user_two_active_access_key() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "PASS" + + @mock_iam + def test_iam_user_without_active_access_key(self): + # Create IAM User + iam_client = client("iam") + user = "test1" + iam_client.create_user(UserName=user) + with mock.patch( + "providers.aws.services.iam.iam_user_two_active_access_key.iam_user_two_active_access_key.iam_client", + new=IAM(current_audit_info), + ): + # Test Check + from providers.aws.services.iam.iam_user_two_active_access_key.iam_user_two_active_access_key import ( + iam_user_two_active_access_key, + ) + + check = iam_user_two_active_access_key() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "PASS" + + @mock_iam + def test_iam_no_users(self): + with mock.patch( + "providers.aws.services.iam.iam_user_two_active_access_key.iam_user_two_active_access_key.iam_client", + new=IAM(current_audit_info), + ): + # Test Check + from providers.aws.services.iam.iam_user_two_active_access_key.iam_user_two_active_access_key import ( + iam_user_two_active_access_key, + ) + + check = iam_user_two_active_access_key() + result = check.execute() + + assert len(result) == 0 + + @mock_iam + def test_bad_response(self): + mock_client = mock.MagicMock() + mock_client.credential_report = None + with mock.patch( + "providers.aws.services.iam.iam_user_two_active_access_key.iam_user_two_active_access_key.iam_client", + new=mock_client, + ): + # Test Check + from providers.aws.services.iam.iam_user_two_active_access_key.iam_user_two_active_access_key import ( + iam_user_two_active_access_key, + ) + + check = iam_user_two_active_access_key() + result = check.execute() + + assert len(result) == 0