chore(sqs_...not_publicly_accessible): less restrictive condition test (#3211)

Co-authored-by: Pepe Fagoaga <pepe@verica.io>
2026-02-10 14:55:00 +00:00 · 2023-12-19 16:53:19 +01:00
parent f8d77d9a30
commit 78505cb0a8
7 changed files with 224 additions and 152 deletions
--- a/tests/providers/aws/lib/policy_condition_parser/policy_condition_parser_test.py
+++ b/tests/providers/aws/lib/policy_condition_parser/policy_condition_parser_test.py
--- a/tests/providers/aws/services/sqs/sqs_queues_not_publicly_accessible/sqs_queues_not_publicly_accessible_test.py
+++ b/tests/providers/aws/services/sqs/sqs_queues_not_publicly_accessible/sqs_queues_not_publicly_accessible_test.py
@@ -92,6 +92,21 @@ test_public_policy_with_condition_diff_account = {
    ],
 }

+test_public_policy_with_invalid_condition_block = {
+    "Version": "2012-10-17",
+    "Id": "Queue1_Policy_UUID",
+    "Statement": [
+        {
+            "Sid": "Queue1_AnonymousAccess_ReceiveMessage",
+            "Effect": "Allow",
+            "Principal": "*",
+            "Action": "sqs:ReceiveMessage",
+            "Resource": test_queue_arn,
+            "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2009-01-31T12:00Z"}},
+        }
+    ],
+}
+

 class Test_sqs_queues_not_publicly_accessible:
    def test_no_queues(self):
@@ -240,7 +255,7 @@ class Test_sqs_queues_not_publicly_accessible:
            assert result[0].resource_tags == []
            assert result[0].region == AWS_REGION_EU_WEST_1

-    def test_queues_public_with_condition_invalid_other_account(self):
+    def test_queues_public_with_condition_valid_with_other_account(self):
        sqs_client = mock.MagicMock
        sqs_client.queues = []
        sqs_client.audited_account = AWS_ACCOUNT_NUMBER
@@ -261,6 +276,40 @@ class Test_sqs_queues_not_publicly_accessible:
                sqs_queues_not_publicly_accessible,
            )

+            check = sqs_queues_not_publicly_accessible()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"SQS queue {test_queue_url} is not public because its policy only allows access from the same account."
+            )
+            assert result[0].resource_id == test_queue_url
+            assert result[0].resource_arn == test_queue_arn
+            assert result[0].resource_tags == []
+            assert result[0].region == AWS_REGION_EU_WEST_1
+
+    def test_queues_public_with_condition_with_invalid_block(self):
+        sqs_client = mock.MagicMock
+        sqs_client.queues = []
+        sqs_client.audited_account = AWS_ACCOUNT_NUMBER
+        sqs_client.queues.append(
+            Queue(
+                id=test_queue_url,
+                name=test_queue_name,
+                region=AWS_REGION_EU_WEST_1,
+                policy=test_public_policy_with_invalid_condition_block,
+                arn=test_queue_arn,
+            )
+        )
+        with mock.patch(
+            "prowler.providers.aws.services.sqs.sqs_service.SQS",
+            sqs_client,
+        ):
+            from prowler.providers.aws.services.sqs.sqs_queues_not_publicly_accessible.sqs_queues_not_publicly_accessible import (
+                sqs_queues_not_publicly_accessible,
+            )
+
            check = sqs_queues_not_publicly_accessible()
            result = check.execute()
            assert len(result) == 1