fix(acm): add certificate id (#2903)

This commit is contained in:
Sergio Garcia
2023-10-03 13:03:46 +02:00
committed by GitHub
parent 436166c255
commit a4d3e78eb1
5 changed files with 37 additions and 24 deletions


@@ -12,14 +12,16 @@ class acm_certificates_expiration_check(Check):
report.region = certificate.region report.region = certificate.region
if certificate.expiration_days > DAYS_TO_EXPIRE_THRESHOLD: if certificate.expiration_days > DAYS_TO_EXPIRE_THRESHOLD:
report.status = "PASS" report.status = "PASS"
report.status_extended = f"ACM Certificate for {certificate.name} expires in {certificate.expiration_days} days." report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} expires in {certificate.expiration_days} days."
report.resource_id = certificate.name report.resource_id = certificate.id
report.resource_details = certificate.name
report.resource_arn = certificate.arn report.resource_arn = certificate.arn
report.resource_tags = certificate.tags report.resource_tags = certificate.tags
else: else:
report.status = "FAIL" report.status = "FAIL"
report.status_extended = f"ACM Certificate for {certificate.name} is about to expire in {DAYS_TO_EXPIRE_THRESHOLD} days." report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is about to expire in {DAYS_TO_EXPIRE_THRESHOLD} days."
report.resource_id = certificate.name report.resource_id = certificate.id
report.resource_details = certificate.name
report.resource_arn = certificate.arn report.resource_arn = certificate.arn
report.resource_tags = certificate.tags report.resource_tags = certificate.tags
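Review bot: The four `report.resource_*` assignments (`resource_id`, `resource_details`, `resource_arn`, `resource_tags`) are now repeated verbatim in both the PASS and FAIL branches, yet none of them depends on the threshold comparison, only on `certificate`. They belong next to `report.region = certificate.region` above the `if`, leaving each branch to set only `status` and `status_extended`; the same duplication appears three times in the transparency-logs check in the next file. The enclosing method starts and ends outside the hunk.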


@@ -10,23 +10,24 @@ class acm_certificates_transparency_logs_enabled(Check):
report.region = certificate.region report.region = certificate.region
if certificate.type == "IMPORTED": if certificate.type == "IMPORTED":
report.status = "PASS" report.status = "PASS"
report.status_extended = ( report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is imported."
f"ACM Certificate for {certificate.name} is imported." report.resource_id = certificate.id
) report.resource_details = certificate.name
report.resource_id = certificate.name
report.resource_arn = certificate.arn report.resource_arn = certificate.arn
report.resource_tags = certificate.tags report.resource_tags = certificate.tags
else: else:
if not certificate.transparency_logging: if not certificate.transparency_logging:
report.status = "FAIL" report.status = "FAIL"
report.status_extended = f"ACM Certificate for {certificate.name} has Certificate Transparency logging disabled." report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has Certificate Transparency logging disabled."
report.resource_id = certificate.name report.resource_id = certificate.id
report.resource_details = certificate.name
report.resource_arn = certificate.arn report.resource_arn = certificate.arn
report.resource_tags = certificate.tags report.resource_tags = certificate.tags
else: else:
report.status = "PASS" report.status = "PASS"
report.status_extended = f"ACM Certificate for {certificate.name} has Certificate Transparency logging enabled." report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has Certificate Transparency logging enabled."
report.resource_id = certificate.name report.resource_id = certificate.id
report.resource_details = certificate.name
report.resource_arn = certificate.arn report.resource_arn = certificate.arn
report.resource_tags = certificate.tags report.resource_tags = certificate.tags
findings.append(report) findings.append(report)


@@ -47,6 +47,7 @@ class ACM(AWSService):
Certificate( Certificate(
arn=certificate["CertificateArn"], arn=certificate["CertificateArn"],
name=certificate["DomainName"], name=certificate["DomainName"],
id=certificate["CertificateArn"].split("/")[-1],
type=certificate["Type"], type=certificate["Type"],
expiration_days=certificate_expiration_time, expiration_days=certificate_expiration_time,
transparency_logging=False, transparency_logging=False,
@@ -94,6 +95,7 @@ class ACM(AWSService):
class Certificate(BaseModel): class Certificate(BaseModel):
arn: str arn: str
name: str name: str
id: str
type: str type: str
tags: Optional[list] = [] tags: Optional[list] = []
expiration_days: int expiration_days: int
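Review bot: `id=certificate["CertificateArn"].split("/")[-1]` carries no comment saying that the trailing ARN segment is being used as the certificate identifier, nor why it replaces `DomainName` as the finding's `resource_id` (presumably because several certificates can share a domain name). A one-line comment such as `# resource id = last ARN segment; DomainName is not unique per certificate` would make the intent clear, and `rpartition("/")[2]` states "take what follows the last slash" more directly than `split("/")[-1]`. Worth noting too that if `CertificateArn` ever lacks a `/` the expression silently yields the whole ARN rather than raising; that may be acceptable, but the new `id: str` field on `Certificate` should say what callers may assume about its shape.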


@@ -28,7 +28,8 @@ class Test_acm_certificates_expiration_check:
assert len(result) == 0 assert len(result) == 0
def test_acm_certificate_expirated(self): def test_acm_certificate_expirated(self):
certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{str(uuid.uuid4())}" certificate_id = str(uuid.uuid4())
certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{certificate_id}"
certificate_name = "test-certificate.com" certificate_name = "test-certificate.com"
certificate_type = "AMAZON_ISSUED" certificate_type = "AMAZON_ISSUED"
@@ -36,6 +37,7 @@ class Test_acm_certificates_expiration_check:
acm_client.certificates = [ acm_client.certificates = [
Certificate( Certificate(
arn=certificate_arn, arn=certificate_arn,
id=certificate_id,
name=certificate_name, name=certificate_name,
type=certificate_type, type=certificate_type,
expiration_days=5, expiration_days=5,
@@ -60,15 +62,16 @@ class Test_acm_certificates_expiration_check:
assert result[0].status == "FAIL" assert result[0].status == "FAIL"
assert ( assert (
result[0].status_extended result[0].status_extended
== f"ACM Certificate for {certificate_name} is about to expire in {DAYS_TO_EXPIRE_THRESHOLD} days." == f"ACM Certificate {certificate_id} for {certificate_name} is about to expire in {DAYS_TO_EXPIRE_THRESHOLD} days."
) )
assert result[0].resource_id == certificate_name assert result[0].resource_id == certificate_id
assert result[0].resource_arn == certificate_arn assert result[0].resource_arn == certificate_arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION
assert result[0].resource_tags == [] assert result[0].resource_tags == []
def test_acm_certificate_not_expirated(self): def test_acm_certificate_not_expirated(self):
certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{str(uuid.uuid4())}" certificate_id = str(uuid.uuid4())
certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{certificate_id}"
certificate_name = "test-certificate.com" certificate_name = "test-certificate.com"
certificate_type = "AMAZON_ISSUED" certificate_type = "AMAZON_ISSUED"
expiration_days = 365 expiration_days = 365
@@ -77,6 +80,7 @@ class Test_acm_certificates_expiration_check:
acm_client.certificates = [ acm_client.certificates = [
Certificate( Certificate(
arn=certificate_arn, arn=certificate_arn,
id=certificate_id,
name=certificate_name, name=certificate_name,
type=certificate_type, type=certificate_type,
expiration_days=expiration_days, expiration_days=expiration_days,
@@ -101,9 +105,9 @@ class Test_acm_certificates_expiration_check:
assert result[0].status == "PASS" assert result[0].status == "PASS"
assert ( assert (
result[0].status_extended result[0].status_extended
== f"ACM Certificate for {certificate_name} expires in {expiration_days} days." == f"ACM Certificate {certificate_id} for {certificate_name} expires in {expiration_days} days."
) )
assert result[0].resource_id == certificate_name assert result[0].resource_id == certificate_id
assert result[0].resource_arn == certificate_arn assert result[0].resource_arn == certificate_arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION
assert result[0].resource_tags == [] assert result[0].resource_tags == []
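Review bot: Both updated tests construct `Certificate(... id=certificate_id ...)` directly, so `assert result[0].resource_id == certificate_id` only confirms that the check copies `certificate.id` through; the new derivation `certificate["CertificateArn"].split("/")[-1]` in the ACM service is not exercised by any of the five files in this commit. A service-level test that feeds a `CertificateArn` and asserts the parsed `id` would cover the one line where the commit can actually go wrong. The same observation applies to the transparency-logs test file that follows.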


@@ -27,7 +27,8 @@ class Test_acm_certificates_transparency_logs_enabled:
assert len(result) == 0 assert len(result) == 0
def test_acm_certificate_with_logging(self): def test_acm_certificate_with_logging(self):
certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{str(uuid.uuid4())}" certificate_id = str(uuid.uuid4())
certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{certificate_id}"
certificate_name = "test-certificate.com" certificate_name = "test-certificate.com"
certificate_type = "AMAZON_ISSUED" certificate_type = "AMAZON_ISSUED"
@@ -35,6 +36,7 @@ class Test_acm_certificates_transparency_logs_enabled:
acm_client.certificates = [ acm_client.certificates = [
Certificate( Certificate(
arn=certificate_arn, arn=certificate_arn,
id=certificate_id,
name=certificate_name, name=certificate_name,
type=certificate_type, type=certificate_type,
expiration_days=365, expiration_days=365,
@@ -59,15 +61,16 @@ class Test_acm_certificates_transparency_logs_enabled:
assert result[0].status == "PASS" assert result[0].status == "PASS"
assert ( assert (
result[0].status_extended result[0].status_extended
== f"ACM Certificate for {certificate_name} has Certificate Transparency logging enabled." == f"ACM Certificate {certificate_id} for {certificate_name} has Certificate Transparency logging enabled."
) )
assert result[0].resource_id == certificate_name assert result[0].resource_id == certificate_id
assert result[0].resource_arn == certificate_arn assert result[0].resource_arn == certificate_arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION
assert result[0].resource_tags == [] assert result[0].resource_tags == []
def test_acm_certificate_without_logging(self): def test_acm_certificate_without_logging(self):
certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{str(uuid.uuid4())}" certificate_id = str(uuid.uuid4())
certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{certificate_id}"
certificate_name = "test-certificate.com" certificate_name = "test-certificate.com"
certificate_type = "AMAZON_ISSUED" certificate_type = "AMAZON_ISSUED"
@@ -75,6 +78,7 @@ class Test_acm_certificates_transparency_logs_enabled:
acm_client.certificates = [ acm_client.certificates = [
Certificate( Certificate(
arn=certificate_arn, arn=certificate_arn,
id=certificate_id,
name=certificate_name, name=certificate_name,
type=certificate_type, type=certificate_type,
expiration_days=365, expiration_days=365,
@@ -99,9 +103,9 @@ class Test_acm_certificates_transparency_logs_enabled:
assert result[0].status == "FAIL" assert result[0].status == "FAIL"
assert ( assert (
result[0].status_extended result[0].status_extended
== f"ACM Certificate for {certificate_name} has Certificate Transparency logging disabled." == f"ACM Certificate {certificate_id} for {certificate_name} has Certificate Transparency logging disabled."
) )
assert result[0].resource_id == certificate_name assert result[0].resource_id == certificate_id
assert result[0].resource_arn == certificate_arn assert result[0].resource_arn == certificate_arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION
assert result[0].resource_tags == [] assert result[0].resource_tags == []