test(audit_info): refactor iam (#3163)

Nacho Rivera
2023-12-05 15:59:53 +01:00
committed by GitHub
parent 3962c9d816
commit a81cbbc325
37 changed files with 551 additions and 1554 deletions


@@ -2,49 +2,16 @@ from json import dumps
from re import search from re import search
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
AWS_ACCOUNT_NUMBER = "123456789012" )
AWS_REGION = "us-east-1"
class Test_iam_administrator_access_with_mfa_test: class Test_iam_administrator_access_with_mfa_test:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam @mock_iam
def test_group_with_no_policies(self): def test_group_with_no_policies(self):
iam = client("iam") iam = client("iam")
@@ -54,7 +21,7 @@ class Test_iam_administrator_access_with_mfa_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -97,7 +64,7 @@ class Test_iam_administrator_access_with_mfa_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -135,7 +102,7 @@ class Test_iam_administrator_access_with_mfa_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -175,7 +142,7 @@ class Test_iam_administrator_access_with_mfa_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -239,7 +206,7 @@ class Test_iam_administrator_access_with_mfa_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
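Review bot: The replacement fixture changes the audited scope of these IAM tests without saying why: the deleted `set_mocked_audit_info` built its `AWS_Audit_Info` with `audited_regions=None` and `region_name=AWS_REGION` on the session, while every call in this file now passes `[AWS_REGION_US_EAST_1]` positionally to `set_mocked_aws_audit_info`. IAM is a global service, so the check results are presumably unaffected, but a bare positional list gives the next reader no hint of what is being narrowed or which helper parameter it feeds. One comment on the first call would carry the intent, e.g. `# IAM is global; a single region is enough for the mocked audit scope`. The same applies to the Test_iam_avoid_root_usage and Test_iam_check_saml_providers_sts files in this commit, whose deleted fixtures also had `audited_regions=None`.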


@@ -3,49 +3,15 @@ from csv import DictReader
from re import search from re import search
from unittest import mock from unittest import mock
from boto3 import session
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
AWS_ACCOUNT_NUMBER = "123456789012" )
AWS_REGION = "us-east-1"
class Test_iam_avoid_root_usage: class Test_iam_avoid_root_usage:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam @mock_iam
def test_root_not_used(self): def test_root_not_used(self):
raw_credential_report = r"""user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated raw_credential_report = r"""user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
@@ -56,7 +22,7 @@ class Test_iam_avoid_root_usage:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -96,7 +62,7 @@ class Test_iam_avoid_root_usage:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -136,7 +102,7 @@ class Test_iam_avoid_root_usage:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -176,7 +142,7 @@ class Test_iam_avoid_root_usage:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -216,7 +182,7 @@ class Test_iam_avoid_root_usage:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -256,7 +222,7 @@ class Test_iam_avoid_root_usage:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -296,7 +262,7 @@ class Test_iam_avoid_root_usage:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",


@@ -1,47 +1,16 @@
from re import search from re import search
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
AWS_ACCOUNT_NUMBER = "123456789012" )
class Test_iam_aws_attached_policy_no_administrative_privileges_test: class Test_iam_aws_attached_policy_no_administrative_privileges_test:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam @mock_iam
def test_policy_with_administrative_privileges(self): def test_policy_with_administrative_privileges(self):
iam_client = client("iam") iam_client = client("iam")
@@ -52,7 +21,7 @@ class Test_iam_aws_attached_policy_no_administrative_privileges_test:
iam_client.attach_role_policy( iam_client.attach_role_policy(
PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess", RoleName="my-role" PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess", RoleName="my-role"
) )
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -91,7 +60,7 @@ class Test_iam_aws_attached_policy_no_administrative_privileges_test:
PolicyArn="arn:aws:iam::aws:policy/IAMUserChangePassword", PolicyArn="arn:aws:iam::aws:policy/IAMUserChangePassword",
RoleName="my-role", RoleName="my-role",
) )
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -133,7 +102,7 @@ class Test_iam_aws_attached_policy_no_administrative_privileges_test:
PolicyArn="arn:aws:iam::aws:policy/IAMUserChangePassword", PolicyArn="arn:aws:iam::aws:policy/IAMUserChangePassword",
RoleName="my-role", RoleName="my-role",
) )
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
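Review bot: In this file the audited regions are narrowed, not merely moved: the deleted fixture set `audited_regions=["us-east-1", "eu-west-1"]`, and all three replacement calls pass only `[AWS_REGION_US_EAST_1]`. If the intent was to keep two-region coverage the calls should pass both regions; if one region is deliberate because attached-policy findings are account-wide, that deserves a comment on the first call such as `# attached policies are account-global; one region is enough`. The deleted fixture also left `profile_region=None`, and the shared helper's defaults are not visible in this diff, so it is worth confirming the helper does not set a profile region the old tests did not. The same narrowing happens in the Test_iam_customer_attached_policy_no_administrative_privileges_test and Test_iam_customer_unattached_policy_no_administrative_privileges_test files of this commit.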


@@ -1,48 +1,15 @@
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
AWS_ACCOUNT_NUMBER = "123456789012" )
AWS_REGION = "us-east-1"
class Test_iam_check_saml_providers_sts: class Test_iam_check_saml_providers_sts:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam @mock_iam
def test_iam_check_saml_providers_sts(self): def test_iam_check_saml_providers_sts(self):
iam_client = client("iam") iam_client = client("iam")
@@ -81,7 +48,7 @@ nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",


@@ -2,47 +2,16 @@ from json import dumps
from re import search from re import search
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
AWS_ACCOUNT_NUMBER = "123456789012" )
class Test_iam_customer_attached_policy_no_administrative_privileges_test: class Test_iam_customer_attached_policy_no_administrative_privileges_test:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam @mock_iam
def test_policy_administrative(self): def test_policy_administrative(self):
iam_client = client("iam") iam_client = client("iam")
@@ -60,7 +29,7 @@ class Test_iam_customer_attached_policy_no_administrative_privileges_test:
PolicyName=policy_name, PolicyDocument=dumps(policy_document) PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"] )["Policy"]["Arn"]
iam_client.attach_role_policy(PolicyArn=arn, RoleName="my-role") iam_client.attach_role_policy(PolicyArn=arn, RoleName="my-role")
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -102,7 +71,7 @@ class Test_iam_customer_attached_policy_no_administrative_privileges_test:
PolicyName=policy_name, PolicyDocument=dumps(policy_document) PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"] )["Policy"]["Arn"]
iam_client.attach_role_policy(PolicyArn=arn, RoleName="my-role") iam_client.attach_role_policy(PolicyArn=arn, RoleName="my-role")
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -159,7 +128,7 @@ class Test_iam_customer_attached_policy_no_administrative_privileges_test:
PolicyArn=arn_non_administrative, RoleName="my-role" PolicyArn=arn_non_administrative, RoleName="my-role"
) )
iam_client.attach_role_policy(PolicyArn=arn_administrative, RoleName="my-role") iam_client.attach_role_policy(PolicyArn=arn_administrative, RoleName="my-role")
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(


@@ -2,47 +2,16 @@ from json import dumps
from re import search from re import search
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
AWS_ACCOUNT_NUMBER = "123456789012" )
class Test_iam_customer_unattached_policy_no_administrative_privileges_test: class Test_iam_customer_unattached_policy_no_administrative_privileges_test:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam @mock_iam
def test_policy_administrative(self): def test_policy_administrative(self):
iam_client = client("iam") iam_client = client("iam")
@@ -57,7 +26,7 @@ class Test_iam_customer_unattached_policy_no_administrative_privileges_test:
PolicyName=policy_name, PolicyDocument=dumps(policy_document) PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"] )["Policy"]["Arn"]
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -96,7 +65,7 @@ class Test_iam_customer_unattached_policy_no_administrative_privileges_test:
PolicyName=policy_name, PolicyDocument=dumps(policy_document) PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"] )["Policy"]["Arn"]
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -147,7 +116,7 @@ class Test_iam_customer_unattached_policy_no_administrative_privileges_test:
PolicyDocument=dumps(policy_document_administrative), PolicyDocument=dumps(policy_document_administrative),
)["Policy"]["Arn"] )["Policy"]["Arn"]
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(


@@ -1,14 +1,14 @@
from json import dumps from json import dumps
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
AWS_ACCOUNT_NUMBER = "123456789012" set_mocked_aws_audit_info,
AWS_REGION = "us-east-1" )
INLINE_POLICY_ADMIN = { INLINE_POLICY_ADMIN = {
"Version": "2012-10-17", "Version": "2012-10-17",
@@ -32,36 +32,6 @@ ASSUME_ROLE_POLICY_DOCUMENT = {
class Test_iam_inline_policy_no_administrative_privileges: class Test_iam_inline_policy_no_administrative_privileges:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=[AWS_REGION],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
# Groups # Groups
@mock_iam @mock_iam
@@ -73,7 +43,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
_ = iam_client.create_group(GroupName=group_name) _ = iam_client.create_group(GroupName=group_name)
# Audit Info # Audit Info
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
@@ -108,7 +78,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
PolicyDocument=dumps(INLINE_POLICY_ADMIN), PolicyDocument=dumps(INLINE_POLICY_ADMIN),
) )
# Audit Info # Audit Info
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
@@ -126,7 +96,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
check = iam_inline_policy_no_administrative_privileges() check = iam_inline_policy_no_administrative_privileges()
results = check.execute() results = check.execute()
assert len(results) == 1 assert len(results) == 1
assert results[0].region == AWS_REGION assert results[0].region == AWS_REGION_US_EAST_1
assert results[0].resource_arn == group_arn assert results[0].resource_arn == group_arn
assert results[0].resource_id == f"{group_name}/{policy_name}" assert results[0].resource_id == f"{group_name}/{policy_name}"
assert results[0].resource_tags == [] assert results[0].resource_tags == []
@@ -152,7 +122,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
PolicyDocument=dumps(INLINE_POLICY_NOT_ADMIN), PolicyDocument=dumps(INLINE_POLICY_NOT_ADMIN),
) )
# Audit Info # Audit Info
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
@@ -170,7 +140,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
check = iam_inline_policy_no_administrative_privileges() check = iam_inline_policy_no_administrative_privileges()
results = check.execute() results = check.execute()
assert len(results) == 1 assert len(results) == 1
assert results[0].region == AWS_REGION assert results[0].region == AWS_REGION_US_EAST_1
assert results[0].resource_arn == group_arn assert results[0].resource_arn == group_arn
assert results[0].resource_id == f"{group_name}/{policy_name}" assert results[0].resource_id == f"{group_name}/{policy_name}"
assert results[0].resource_tags == [] assert results[0].resource_tags == []
@@ -204,7 +174,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
PolicyDocument=dumps(INLINE_POLICY_ADMIN), PolicyDocument=dumps(INLINE_POLICY_ADMIN),
) )
# Audit Info # Audit Info
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
@@ -224,7 +194,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
assert len(results) == 2 assert len(results) == 2
for result in results: for result in results:
if result.resource_id == policy_name_admin: if result.resource_id == policy_name_admin:
assert result.region == AWS_REGION assert result.region == AWS_REGION_US_EAST_1
assert result.resource_arn == group_arn assert result.resource_arn == group_arn
assert result.resource_id == policy_name_admin assert result.resource_id == policy_name_admin
assert result.resource_tags == [] assert result.resource_tags == []
@@ -235,7 +205,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
) )
elif result.resource_id == policy_name_not_admin: elif result.resource_id == policy_name_not_admin:
assert result.region == AWS_REGION assert result.region == AWS_REGION_US_EAST_1
assert result.resource_arn == group_arn assert result.resource_arn == group_arn
assert result.resource_id == policy_name_not_admin assert result.resource_id == policy_name_not_admin
assert result.resource_tags == [] assert result.resource_tags == []
@@ -258,7 +228,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
) )
# Audit Info # Audit Info
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
@@ -296,7 +266,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
PolicyDocument=dumps(INLINE_POLICY_ADMIN), PolicyDocument=dumps(INLINE_POLICY_ADMIN),
) )
# Audit Info # Audit Info
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
@@ -314,7 +284,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
check = iam_inline_policy_no_administrative_privileges() check = iam_inline_policy_no_administrative_privileges()
results = check.execute() results = check.execute()
assert len(results) == 1 assert len(results) == 1
assert results[0].region == AWS_REGION assert results[0].region == AWS_REGION_US_EAST_1
assert results[0].resource_arn == role_arn assert results[0].resource_arn == role_arn
assert results[0].resource_id == f"{role_name}/{policy_name}" assert results[0].resource_id == f"{role_name}/{policy_name}"
assert results[0].resource_tags == [] assert results[0].resource_tags == []
@@ -343,7 +313,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
PolicyDocument=dumps(INLINE_POLICY_NOT_ADMIN), PolicyDocument=dumps(INLINE_POLICY_NOT_ADMIN),
) )
# Audit Info # Audit Info
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
@@ -361,7 +331,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
check = iam_inline_policy_no_administrative_privileges() check = iam_inline_policy_no_administrative_privileges()
results = check.execute() results = check.execute()
assert len(results) == 1 assert len(results) == 1
assert results[0].region == AWS_REGION assert results[0].region == AWS_REGION_US_EAST_1
assert results[0].resource_arn == role_arn assert results[0].resource_arn == role_arn
assert results[0].resource_id == f"{role_name}/{policy_name}" assert results[0].resource_id == f"{role_name}/{policy_name}"
assert results[0].resource_tags == [] assert results[0].resource_tags == []
@@ -397,7 +367,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
PolicyDocument=dumps(INLINE_POLICY_ADMIN), PolicyDocument=dumps(INLINE_POLICY_ADMIN),
) )
# Audit Info # Audit Info
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
@@ -417,7 +387,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
assert len(results) == 2 assert len(results) == 2
for result in results: for result in results:
if result.resource_id == policy_name_admin: if result.resource_id == policy_name_admin:
assert result.region == AWS_REGION assert result.region == AWS_REGION_US_EAST_1
assert result.resource_arn == role_arn assert result.resource_arn == role_arn
assert result.resource_id == policy_name_admin assert result.resource_id == policy_name_admin
assert result.resource_tags == [] assert result.resource_tags == []
@@ -428,7 +398,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
) )
elif result.resource_id == policy_name_not_admin: elif result.resource_id == policy_name_not_admin:
assert result.region == AWS_REGION assert result.region == AWS_REGION_US_EAST_1
assert result.resource_arn == role_arn assert result.resource_arn == role_arn
assert result.resource_id == policy_name_not_admin assert result.resource_id == policy_name_not_admin
assert result.resource_tags == [] assert result.resource_tags == []
@@ -450,7 +420,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
) )
# Audit Info # Audit Info
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
@@ -487,7 +457,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
PolicyDocument=dumps(INLINE_POLICY_ADMIN), PolicyDocument=dumps(INLINE_POLICY_ADMIN),
) )
# Audit Info # Audit Info
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
@@ -505,7 +475,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
check = iam_inline_policy_no_administrative_privileges() check = iam_inline_policy_no_administrative_privileges()
results = check.execute() results = check.execute()
assert len(results) == 1 assert len(results) == 1
assert results[0].region == AWS_REGION assert results[0].region == AWS_REGION_US_EAST_1
assert results[0].resource_arn == user_arn assert results[0].resource_arn == user_arn
assert results[0].resource_id == f"{user_name}/{policy_name}" assert results[0].resource_id == f"{user_name}/{policy_name}"
assert results[0].resource_tags == [] assert results[0].resource_tags == []
@@ -533,7 +503,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
PolicyDocument=dumps(INLINE_POLICY_NOT_ADMIN), PolicyDocument=dumps(INLINE_POLICY_NOT_ADMIN),
) )
# Audit Info # Audit Info
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
@@ -551,7 +521,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
check = iam_inline_policy_no_administrative_privileges() check = iam_inline_policy_no_administrative_privileges()
results = check.execute() results = check.execute()
assert len(results) == 1 assert len(results) == 1
assert results[0].region == AWS_REGION assert results[0].region == AWS_REGION_US_EAST_1
assert results[0].resource_arn == user_arn assert results[0].resource_arn == user_arn
assert results[0].resource_id == f"{user_name}/{policy_name}" assert results[0].resource_id == f"{user_name}/{policy_name}"
assert results[0].resource_tags == [] assert results[0].resource_tags == []
@@ -586,7 +556,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
PolicyDocument=dumps(INLINE_POLICY_ADMIN), PolicyDocument=dumps(INLINE_POLICY_ADMIN),
) )
# Audit Info # Audit Info
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
@@ -606,7 +576,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
assert len(results) == 2 assert len(results) == 2
for result in results: for result in results:
if result.resource_id == policy_name_admin: if result.resource_id == policy_name_admin:
assert result.region == AWS_REGION assert result.region == AWS_REGION_US_EAST_1
assert result.resource_arn == user_arn assert result.resource_arn == user_arn
assert result.resource_id == policy_name_admin assert result.resource_id == policy_name_admin
assert result.resource_tags == [] assert result.resource_tags == []
@@ -617,7 +587,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
) )
elif result.resource_id == policy_name_not_admin: elif result.resource_id == policy_name_not_admin:
assert result.region == AWS_REGION assert result.region == AWS_REGION_US_EAST_1
assert result.resource_arn == user_arn assert result.resource_arn == user_arn
assert result.resource_id == policy_name_not_admin assert result.resource_id == policy_name_not_admin
assert result.resource_tags == [] assert result.resource_tags == []


@@ -2,49 +2,16 @@ from json import dumps
from re import search from re import search
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
AWS_ACCOUNT_NUMBER = "123456789012" )
AWS_REGION = "us-east-1"
class Test_iam_no_custom_policy_permissive_role_assumption: class Test_iam_no_custom_policy_permissive_role_assumption:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam @mock_iam
def test_policy_allows_permissive_role_assumption_wildcard(self): def test_policy_allows_permissive_role_assumption_wildcard(self):
iam_client = client("iam") iam_client = client("iam")
@@ -61,7 +28,7 @@ class Test_iam_no_custom_policy_permissive_role_assumption:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -101,7 +68,7 @@ class Test_iam_no_custom_policy_permissive_role_assumption:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -145,7 +112,7 @@ class Test_iam_no_custom_policy_permissive_role_assumption:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -185,7 +152,7 @@ class Test_iam_no_custom_policy_permissive_role_assumption:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -237,7 +204,7 @@ class Test_iam_no_custom_policy_permissive_role_assumption:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",


@@ -1,54 +1,21 @@
from re import search from re import search
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
AWS_ACCOUNT_NUMBER = "123456789012" )
AWS_REGION = "us-east-1"
class Test_iam_no_expired_server_certificates_stored_test: class Test_iam_no_expired_server_certificates_stored_test:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam @mock_iam
def test_no_certificates(self): def test_no_certificates(self):
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -79,7 +46,7 @@ class Test_iam_no_expired_server_certificates_stored_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",


@@ -1,49 +1,16 @@
from re import search from re import search
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
AWS_ACCOUNT_NUMBER = "123456789012" )
AWS_REGION = "us-east-1"
class Test_iam_no_root_access_key_test: class Test_iam_no_root_access_key_test:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam @mock_iam
def test_iam_root_no_access_keys(self): def test_iam_root_no_access_keys(self):
iam_client = client("iam") iam_client = client("iam")
@@ -52,7 +19,7 @@ class Test_iam_no_root_access_key_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -95,7 +62,7 @@ class Test_iam_no_root_access_key_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -138,7 +105,7 @@ class Test_iam_no_root_access_key_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -181,7 +148,7 @@ class Test_iam_no_root_access_key_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",


@@ -1,55 +1,22 @@
from re import search from re import search
from unittest import mock from unittest import mock
from boto3 import session
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_ACCOUNT_NUMBER = "123456789012" AWS_REGION_US_EAST_1,
AWS_REGION = "us-east-1" set_mocked_aws_audit_info,
AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" )
class Test_iam_password_policy_expires_passwords_within_90_days_or_less: class Test_iam_password_policy_expires_passwords_within_90_days_or_less:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=AWS_ACCOUNT_ARN,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam @mock_iam
def test_password_expiration_lower_90(self): def test_password_expiration_lower_90(self):
from prowler.providers.aws.services.iam.iam_service import IAM, PasswordPolicy from prowler.providers.aws.services.iam.iam_service import IAM, PasswordPolicy
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -81,7 +48,7 @@ class Test_iam_password_policy_expires_passwords_within_90_days_or_less:
assert result[0].status == "PASS" assert result[0].status == "PASS"
assert result[0].resource_id == AWS_ACCOUNT_NUMBER assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
assert search( assert search(
"Password expiration is set lower than 90 days", "Password expiration is set lower than 90 days",
result[0].status_extended, result[0].status_extended,
@@ -91,7 +58,7 @@ class Test_iam_password_policy_expires_passwords_within_90_days_or_less:
def test_password_expiration_greater_90(self): def test_password_expiration_greater_90(self):
from prowler.providers.aws.services.iam.iam_service import IAM, PasswordPolicy from prowler.providers.aws.services.iam.iam_service import IAM, PasswordPolicy
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -123,7 +90,7 @@ class Test_iam_password_policy_expires_passwords_within_90_days_or_less:
assert result[0].status == "FAIL" assert result[0].status == "FAIL"
assert result[0].resource_id == AWS_ACCOUNT_NUMBER assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
assert search( assert search(
"Password expiration is set greater than 90 days", "Password expiration is set greater than 90 days",
result[0].status_extended, result[0].status_extended,
@@ -133,7 +100,7 @@ class Test_iam_password_policy_expires_passwords_within_90_days_or_less:
def test_password_expiration_just_90(self): def test_password_expiration_just_90(self):
from prowler.providers.aws.services.iam.iam_service import IAM, PasswordPolicy from prowler.providers.aws.services.iam.iam_service import IAM, PasswordPolicy
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -165,7 +132,7 @@ class Test_iam_password_policy_expires_passwords_within_90_days_or_less:
assert result[0].status == "PASS" assert result[0].status == "PASS"
assert result[0].resource_id == AWS_ACCOUNT_NUMBER assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
assert search( assert search(
"Password expiration is set lower than 90 days", "Password expiration is set lower than 90 days",
result[0].status_extended, result[0].status_extended,


@@ -1,49 +1,18 @@
from re import search from re import search
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_ACCOUNT_NUMBER = "123456789012" AWS_REGION_US_EAST_1,
AWS_REGION = "us-east-1" set_mocked_aws_audit_info,
AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" )
class Test_iam_password_policy_lowercase: class Test_iam_password_policy_lowercase:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam @mock_iam
def test_iam_password_policy_no_lowercase_flag(self): def test_iam_password_policy_no_lowercase_flag(self):
iam_client = client("iam") iam_client = client("iam")
@@ -52,7 +21,7 @@ class Test_iam_password_policy_lowercase:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -76,7 +45,7 @@ class Test_iam_password_policy_lowercase:
) )
assert result[0].resource_id == AWS_ACCOUNT_NUMBER assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam @mock_iam
def test_iam_password_policy_lowercase_flag(self): def test_iam_password_policy_lowercase_flag(self):
@@ -86,7 +55,7 @@ class Test_iam_password_policy_lowercase:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -110,4 +79,4 @@ class Test_iam_password_policy_lowercase:
) )
assert result[0].resource_id == AWS_ACCOUNT_NUMBER assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
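Review bot: The replacement fixture narrows the audited regions from `["us-east-1", "eu-west-1"]` (set by the removed `set_mocked_audit_info`) to `[AWS_REGION_US_EAST_1]`, so these password-policy tests no longer exercise a multi-region audit_info against a global IAM check. If the two-region setup was deliberate, pass both regions to the helper, e.g. `set_mocked_aws_audit_info([AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1])`, assuming the shared audit_info_utils module defines a constant for eu-west-1. If a single region is the intended simplification, a one-line comment on the first call such as `# IAM is global; a single audited region is enough for the fixture` would record that choice so the dropped region is not read as an accident.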


@@ -1,49 +1,25 @@
from re import search from re import search
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_ACCOUNT_NUMBER = "123456789012" AWS_REGION_US_EAST_1,
AWS_REGION = "us-east-1" set_mocked_aws_audit_info,
AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" )
class Test_iam_password_policy_minimum_length_14: class Test_iam_password_policy_minimum_length_14:
def set_mocked_audit_info(self): from tests.providers.aws.audit_info_utils import (
audit_info = AWS_Audit_Info( AWS_ACCOUNT_ARN,
session_config=None, AWS_ACCOUNT_NUMBER,
original_session=None, AWS_REGION_US_EAST_1,
audit_session=session.Session( set_mocked_aws_audit_info,
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
) )
return audit_info
@mock_iam @mock_iam
def test_iam_password_policy_minimum_length_equal_14(self): def test_iam_password_policy_minimum_length_equal_14(self):
iam_client = client("iam") iam_client = client("iam")
@@ -52,7 +28,7 @@ class Test_iam_password_policy_minimum_length_14:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -76,7 +52,7 @@ class Test_iam_password_policy_minimum_length_14:
) )
assert result[0].resource_id == AWS_ACCOUNT_NUMBER assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam @mock_iam
def test_iam_password_policy_minimum_length_greater_14(self): def test_iam_password_policy_minimum_length_greater_14(self):
@@ -86,7 +62,7 @@ class Test_iam_password_policy_minimum_length_14:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -110,7 +86,7 @@ class Test_iam_password_policy_minimum_length_14:
) )
assert result[0].resource_id == AWS_ACCOUNT_NUMBER assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam @mock_iam
def test_iam_password_policy_minimum_length_less_14(self): def test_iam_password_policy_minimum_length_less_14(self):
@@ -120,7 +96,7 @@ class Test_iam_password_policy_minimum_length_14:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -144,4 +120,4 @@ class Test_iam_password_policy_minimum_length_14:
) )
assert result[0].resource_id == AWS_ACCOUNT_NUMBER assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
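Review bot: The new side leaves a second `from tests.providers.aws.audit_info_utils import (...)` inside the body of `Test_iam_password_policy_minimum_length_14`, directly under the class line, duplicating the module-level import added at the top of the file. A class-scope import only binds those four names as class attributes, which the test methods never read (their bodies resolve `set_mocked_aws_audit_info` and the constants through the module globals), so the block is dead code left over from replacing `set_mocked_audit_info` and is likely to be flagged by linters as a redefinition. Delete the class-body import so the class body starts at the first `@mock_iam` test. The fixture change also drops `eu-west-1` from the regions the old helper audited, which looks intentional given the assertions only check `AWS_REGION_US_EAST_1`.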


@@ -1,49 +1,25 @@
from re import search from re import search
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_ACCOUNT_NUMBER = "123456789012" AWS_REGION_US_EAST_1,
AWS_REGION = "us-east-1" set_mocked_aws_audit_info,
AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" )
class Test_iam_password_policy_number: class Test_iam_password_policy_number:
def set_mocked_audit_info(self): from tests.providers.aws.audit_info_utils import (
audit_info = AWS_Audit_Info( AWS_ACCOUNT_ARN,
session_config=None, AWS_ACCOUNT_NUMBER,
original_session=None, AWS_REGION_US_EAST_1,
audit_session=session.Session( set_mocked_aws_audit_info,
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
) )
return audit_info
@mock_iam @mock_iam
def test_iam_password_policy_no_number_flag(self): def test_iam_password_policy_no_number_flag(self):
iam_client = client("iam") iam_client = client("iam")
@@ -52,7 +28,7 @@ class Test_iam_password_policy_number:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -76,7 +52,7 @@ class Test_iam_password_policy_number:
) )
assert result[0].resource_id == AWS_ACCOUNT_NUMBER assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam @mock_iam
def test_iam_password_policy_number_flag(self): def test_iam_password_policy_number_flag(self):
@@ -86,7 +62,7 @@ class Test_iam_password_policy_number:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -110,4 +86,4 @@ class Test_iam_password_policy_number:
) )
assert result[0].resource_id == AWS_ACCOUNT_NUMBER assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
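Review bot: A stray class-body import `from tests.providers.aws.audit_info_utils import (AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, AWS_REGION_US_EAST_1, set_mocked_aws_audit_info)` remains inside `Test_iam_password_policy_number`, duplicating the module-level import at the top of the file. Names bound in a class body are not visible to method bodies, so the methods here still resolve the helper and constants through the module globals; the inner import therefore does nothing except add four unused class attributes and will likely be reported as a redefinition by linters. Remove the class-scope import block so the class body begins at the first `@mock_iam` test, matching the other refactored test modules in this commit.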


@@ -1,55 +1,31 @@
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_ACCOUNT_NUMBER = "123456789012" AWS_REGION_US_EAST_1,
AWS_REGION = "us-east-1" set_mocked_aws_audit_info,
AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" )
class Test_iam_password_policy_reuse_24: class Test_iam_password_policy_reuse_24:
def set_mocked_audit_info(self): from tests.providers.aws.audit_info_utils import (
audit_info = AWS_Audit_Info( AWS_ACCOUNT_ARN,
session_config=None, AWS_ACCOUNT_NUMBER,
original_session=None, AWS_REGION_US_EAST_1,
audit_session=session.Session( set_mocked_aws_audit_info,
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
) )
return audit_info
@mock_iam @mock_iam
def test_iam_password_policy_reuse_prevention_equal_24(self): def test_iam_password_policy_reuse_prevention_equal_24(self):
iam_client = client("iam") iam_client = client("iam")
# update password policy # update password policy
iam_client.update_account_password_policy(PasswordReusePrevention=24) iam_client.update_account_password_policy(PasswordReusePrevention=24)
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -74,7 +50,7 @@ class Test_iam_password_policy_reuse_24:
) )
assert result[0].resource_id == AWS_ACCOUNT_NUMBER assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam @mock_iam
def test_iam_password_policy_reuse_prevention_less_24(self): def test_iam_password_policy_reuse_prevention_less_24(self):
@@ -82,7 +58,7 @@ class Test_iam_password_policy_reuse_24:
# update password policy # update password policy
iam_client.update_account_password_policy(PasswordReusePrevention=20) iam_client.update_account_password_policy(PasswordReusePrevention=20)
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -107,4 +83,4 @@ class Test_iam_password_policy_reuse_24:
) )
assert result[0].resource_id == AWS_ACCOUNT_NUMBER assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1


@@ -1,49 +1,25 @@
from re import search from re import search
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_ACCOUNT_NUMBER = "123456789012" AWS_REGION_US_EAST_1,
AWS_REGION = "us-east-1" set_mocked_aws_audit_info,
AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" )
class Test_iam_password_policy_symbol: class Test_iam_password_policy_symbol:
def set_mocked_audit_info(self): from tests.providers.aws.audit_info_utils import (
audit_info = AWS_Audit_Info( AWS_ACCOUNT_ARN,
session_config=None, AWS_ACCOUNT_NUMBER,
original_session=None, AWS_REGION_US_EAST_1,
audit_session=session.Session( set_mocked_aws_audit_info,
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
) )
return audit_info
@mock_iam @mock_iam
def test_iam_password_policy_no_symbol_flag(self): def test_iam_password_policy_no_symbol_flag(self):
iam_client = client("iam") iam_client = client("iam")
@@ -52,7 +28,7 @@ class Test_iam_password_policy_symbol:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -76,7 +52,7 @@ class Test_iam_password_policy_symbol:
) )
assert result[0].resource_id == AWS_ACCOUNT_NUMBER assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam @mock_iam
def test_iam_password_policy_symbol_flag(self): def test_iam_password_policy_symbol_flag(self):
@@ -86,7 +62,7 @@ class Test_iam_password_policy_symbol:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -110,4 +86,4 @@ class Test_iam_password_policy_symbol:
) )
assert result[0].resource_id == AWS_ACCOUNT_NUMBER assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
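Review bot: The import block placed directly inside the class body of `Test_iam_password_policy_symbol` repeats the module-level `from tests.providers.aws.audit_info_utils import (...)` added at the top of the same file, and because it executes in the class namespace it also binds `AWS_ACCOUNT_ARN`, `AWS_ACCOUNT_NUMBER`, `AWS_REGION_US_EAST_1` and `set_mocked_aws_audit_info` as class attributes. The test methods resolve those names as module globals, so the class-level copy is dead weight and should be dropped, leaving only the top-of-file import. The same duplicated class-body import appears in `Test_iam_password_policy_uppercase` and `Test_iam_policy_allows_privilege_escalation` in the following sections, and in `Test_iam_password_policy_reuse_24` above, whose module header is outside this view.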


@@ -1,55 +1,31 @@
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_ACCOUNT_NUMBER = "123456789012" AWS_REGION_US_EAST_1,
AWS_REGION = "us-east-1" set_mocked_aws_audit_info,
AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" )
class Test_iam_password_policy_uppercase: class Test_iam_password_policy_uppercase:
def set_mocked_audit_info(self): from tests.providers.aws.audit_info_utils import (
audit_info = AWS_Audit_Info( AWS_ACCOUNT_ARN,
session_config=None, AWS_ACCOUNT_NUMBER,
original_session=None, AWS_REGION_US_EAST_1,
audit_session=session.Session( set_mocked_aws_audit_info,
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
) )
return audit_info
@mock_iam @mock_iam
def test_iam_password_policy_no_uppercase_flag(self): def test_iam_password_policy_no_uppercase_flag(self):
iam_client = client("iam") iam_client = client("iam")
# update password policy # update password policy
iam_client.update_account_password_policy(RequireUppercaseCharacters=False) iam_client.update_account_password_policy(RequireUppercaseCharacters=False)
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -74,7 +50,7 @@ class Test_iam_password_policy_uppercase:
) )
assert result[0].resource_id == AWS_ACCOUNT_NUMBER assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam @mock_iam
def test_iam_password_policy_uppercase_flag(self): def test_iam_password_policy_uppercase_flag(self):
@@ -82,7 +58,7 @@ class Test_iam_password_policy_uppercase:
# update password policy # update password policy
iam_client.update_account_password_policy(RequireUppercaseCharacters=True) iam_client.update_account_password_policy(RequireUppercaseCharacters=True)
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -107,4 +83,4 @@ class Test_iam_password_policy_uppercase:
) )
assert result[0].resource_id == AWS_ACCOUNT_NUMBER assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1


@@ -2,14 +2,14 @@ from json import dumps
from re import search from re import search
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
AWS_REGION = "us-east-1" set_mocked_aws_audit_info,
AWS_ACCOUNT_NUMBER = "123456789012" )
# Keep this up-to-date with the check's actions that allows for privilege escalation # Keep this up-to-date with the check's actions that allows for privilege escalation
privilege_escalation_policies_combination = { privilege_escalation_policies_combination = {
@@ -84,40 +84,16 @@ privilege_escalation_policies_combination = {
class Test_iam_policy_allows_privilege_escalation: class Test_iam_policy_allows_privilege_escalation:
def set_mocked_audit_info(self): from tests.providers.aws.audit_info_utils import (
audit_info = AWS_Audit_Info( AWS_ACCOUNT_ARN,
session_config=None, AWS_ACCOUNT_NUMBER,
original_session=None, AWS_REGION_US_EAST_1,
audit_session=session.Session( set_mocked_aws_audit_info,
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
) )
return audit_info
# @mock_iam # @mock_iam
# def test_iam_policy_allows_privilege_escalation_sts(self): # def test_iam_policy_allows_privilege_escalation_sts(self):
# iam_client = client("iam", region_name=AWS_REGION) # iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
# policy_name = "policy1" # policy_name = "policy1"
# policy_document = { # policy_document = {
# "Version": "2012-10-17", # "Version": "2012-10-17",
@@ -128,10 +104,8 @@ class Test_iam_policy_allows_privilege_escalation:
# policy_arn = iam_client.create_policy( # policy_arn = iam_client.create_policy(
# PolicyName=policy_name, PolicyDocument=dumps(policy_document) # PolicyName=policy_name, PolicyDocument=dumps(policy_document)
# )["Policy"]["Arn"] # )["Policy"]["Arn"]
# set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
# current_audit_info = self.set_mocked_audit_info()
# from prowler.providers.aws.services.iam.iam_service import IAM # from prowler.providers.aws.services.iam.iam_service import IAM
# with mock.patch( # with mock.patch(
# "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", # "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
# new=current_audit_info, # new=current_audit_info,
@@ -143,7 +117,6 @@ class Test_iam_policy_allows_privilege_escalation:
# from prowler.providers.aws.services.iam.iam_policy_allows_privilege_escalation.iam_policy_allows_privilege_escalation import ( # from prowler.providers.aws.services.iam.iam_policy_allows_privilege_escalation.iam_policy_allows_privilege_escalation import (
# iam_policy_allows_privilege_escalation, # iam_policy_allows_privilege_escalation,
# ) # )
# check = iam_policy_allows_privilege_escalation() # check = iam_policy_allows_privilege_escalation()
# result = check.execute() # result = check.execute()
# assert len(result) == 1 # assert len(result) == 1
@@ -157,7 +130,7 @@ class Test_iam_policy_allows_privilege_escalation:
@mock_iam @mock_iam
def test_iam_policy_not_allows_privilege_escalation(self): def test_iam_policy_not_allows_privilege_escalation(self):
iam_client = client("iam", region_name=AWS_REGION) iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name = "policy1" policy_name = "policy1"
policy_document = { policy_document = {
"Version": "2012-10-17", "Version": "2012-10-17",
@@ -171,7 +144,7 @@ class Test_iam_policy_allows_privilege_escalation:
PolicyName=policy_name, PolicyDocument=dumps(policy_document) PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"] )["Policy"]["Arn"]
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -196,12 +169,12 @@ class Test_iam_policy_allows_privilege_escalation:
) )
assert result[0].resource_id == policy_name assert result[0].resource_id == policy_name
assert result[0].resource_arn == policy_arn assert result[0].resource_arn == policy_arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == [] assert result[0].resource_tags == []
@mock_iam @mock_iam
def test_iam_policy_not_allows_privilege_escalation_glue_GetDevEndpoints(self): def test_iam_policy_not_allows_privilege_escalation_glue_GetDevEndpoints(self):
iam_client = client("iam", region_name=AWS_REGION) iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name = "policy1" policy_name = "policy1"
policy_document = { policy_document = {
"Version": "2012-10-17", "Version": "2012-10-17",
@@ -219,7 +192,7 @@ class Test_iam_policy_allows_privilege_escalation:
PolicyName=policy_name, PolicyDocument=dumps(policy_document) PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"] )["Policy"]["Arn"]
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -244,12 +217,12 @@ class Test_iam_policy_allows_privilege_escalation:
) )
assert result[0].resource_id == policy_name assert result[0].resource_id == policy_name
assert result[0].resource_arn == policy_arn assert result[0].resource_arn == policy_arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == [] assert result[0].resource_tags == []
@mock_iam @mock_iam
def test_iam_policy_not_allows_privilege_escalation_dynamodb_PutItem(self): def test_iam_policy_not_allows_privilege_escalation_dynamodb_PutItem(self):
iam_client = client("iam", region_name=AWS_REGION) iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name = "policy1" policy_name = "policy1"
policy_document = { policy_document = {
"Version": "2012-10-17", "Version": "2012-10-17",
@@ -278,7 +251,7 @@ class Test_iam_policy_allows_privilege_escalation:
PolicyName=policy_name, PolicyDocument=dumps(policy_document) PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"] )["Policy"]["Arn"]
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -303,14 +276,14 @@ class Test_iam_policy_allows_privilege_escalation:
) )
assert result[0].resource_id == policy_name assert result[0].resource_id == policy_name
assert result[0].resource_arn == policy_arn assert result[0].resource_arn == policy_arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == [] assert result[0].resource_tags == []
@mock_iam @mock_iam
def test_iam_policy_allows_privilege_escalation_iam_all_and_ec2_RunInstances( def test_iam_policy_allows_privilege_escalation_iam_all_and_ec2_RunInstances(
self, self,
): ):
iam_client = client("iam", region_name=AWS_REGION) iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name = "policy1" policy_name = "policy1"
policy_document = { policy_document = {
"Version": "2012-10-17", "Version": "2012-10-17",
@@ -333,7 +306,7 @@ class Test_iam_policy_allows_privilege_escalation:
PolicyName=policy_name, PolicyDocument=dumps(policy_document) PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"] )["Policy"]["Arn"]
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -354,7 +327,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert result[0].status == "FAIL" assert result[0].status == "FAIL"
assert result[0].resource_id == policy_name assert result[0].resource_id == policy_name
assert result[0].resource_arn == policy_arn assert result[0].resource_arn == policy_arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == [] assert result[0].resource_tags == []
assert search( assert search(
@@ -368,7 +341,7 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_allows_privilege_escalation_iam_PassRole( def test_iam_policy_allows_privilege_escalation_iam_PassRole(
self, self,
): ):
iam_client = client("iam", region_name=AWS_REGION) iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name = "policy1" policy_name = "policy1"
policy_document = { policy_document = {
"Version": "2012-10-17", "Version": "2012-10-17",
@@ -384,7 +357,7 @@ class Test_iam_policy_allows_privilege_escalation:
PolicyName=policy_name, PolicyDocument=dumps(policy_document) PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"] )["Policy"]["Arn"]
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -405,7 +378,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert result[0].status == "FAIL" assert result[0].status == "FAIL"
assert result[0].resource_id == policy_name assert result[0].resource_id == policy_name
assert result[0].resource_arn == policy_arn assert result[0].resource_arn == policy_arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == [] assert result[0].resource_tags == []
assert search( assert search(
@@ -418,7 +391,7 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_allows_privilege_escalation_two_combinations( def test_iam_policy_allows_privilege_escalation_two_combinations(
self, self,
): ):
iam_client = client("iam", region_name=AWS_REGION) iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name = "policy1" policy_name = "policy1"
policy_document = { policy_document = {
"Version": "2012-10-17", "Version": "2012-10-17",
@@ -453,7 +426,7 @@ class Test_iam_policy_allows_privilege_escalation:
PolicyName=policy_name, PolicyDocument=dumps(policy_document) PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"] )["Policy"]["Arn"]
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -474,7 +447,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert result[0].status == "FAIL" assert result[0].status == "FAIL"
assert result[0].resource_id == policy_name assert result[0].resource_id == policy_name
assert result[0].resource_arn == policy_arn assert result[0].resource_arn == policy_arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == [] assert result[0].resource_tags == []
assert search( assert search(
@@ -490,7 +463,7 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_allows_privilege_escalation_iam_PassRole_and_other_actions( def test_iam_policy_allows_privilege_escalation_iam_PassRole_and_other_actions(
self, self,
): ):
iam_client = client("iam", region_name=AWS_REGION) iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name = "policy1" policy_name = "policy1"
policy_document = { policy_document = {
"Version": "2012-10-17", "Version": "2012-10-17",
@@ -511,7 +484,7 @@ class Test_iam_policy_allows_privilege_escalation:
PolicyName=policy_name, PolicyDocument=dumps(policy_document) PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"] )["Policy"]["Arn"]
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -532,7 +505,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert result[0].status == "FAIL" assert result[0].status == "FAIL"
assert result[0].resource_id == policy_name assert result[0].resource_id == policy_name
assert result[0].resource_arn == policy_arn assert result[0].resource_arn == policy_arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == [] assert result[0].resource_tags == []
assert search( assert search(
@@ -545,8 +518,8 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_allows_privilege_escalation_policies_combination( def test_iam_policy_allows_privilege_escalation_policies_combination(
self, self,
): ):
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam", region_name=AWS_REGION) iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name = "privileged_policy" policy_name = "privileged_policy"
for values in privilege_escalation_policies_combination.values(): for values in privilege_escalation_policies_combination.values():
print(list(values)) print(list(values))
@@ -585,7 +558,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert result[0].status == "FAIL" assert result[0].status == "FAIL"
assert result[0].resource_id == policy_name assert result[0].resource_id == policy_name
assert result[0].resource_arn == policy_arn assert result[0].resource_arn == policy_arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == [] assert result[0].resource_tags == []
assert search( assert search(
@@ -604,8 +577,8 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_allows_privilege_escalation_two_policies_one_good_one_bad( def test_iam_policy_allows_privilege_escalation_two_policies_one_good_one_bad(
self, self,
): ):
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam", region_name=AWS_REGION) iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name_1 = "privileged_policy_1" policy_name_1 = "privileged_policy_1"
policy_document_1 = { policy_document_1 = {
"Version": "2012-10-17", "Version": "2012-10-17",
@@ -672,7 +645,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert finding.status == "PASS" assert finding.status == "PASS"
assert finding.resource_id == policy_name_1 assert finding.resource_id == policy_name_1
assert finding.resource_arn == policy_arn_1 assert finding.resource_arn == policy_arn_1
assert finding.region == AWS_REGION assert finding.region == AWS_REGION_US_EAST_1
assert finding.resource_tags == [] assert finding.resource_tags == []
assert ( assert (
finding.status_extended finding.status_extended
@@ -683,7 +656,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert finding.status == "FAIL" assert finding.status == "FAIL"
assert finding.resource_id == policy_name_2 assert finding.resource_id == policy_name_2
assert finding.resource_arn == policy_arn_2 assert finding.resource_arn == policy_arn_2
assert finding.region == AWS_REGION assert finding.region == AWS_REGION_US_EAST_1
assert finding.resource_tags == [] assert finding.resource_tags == []
assert search( assert search(
f"Custom Policy {policy_arn_2} allows privilege escalation using the following actions: ", f"Custom Policy {policy_arn_2} allows privilege escalation using the following actions: ",
@@ -697,8 +670,8 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_allows_privilege_escalation_two_bad_policies( def test_iam_policy_allows_privilege_escalation_two_bad_policies(
self, self,
): ):
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam", region_name=AWS_REGION) iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name_1 = "privileged_policy_1" policy_name_1 = "privileged_policy_1"
policy_document_1 = { policy_document_1 = {
"Version": "2012-10-17", "Version": "2012-10-17",
@@ -772,7 +745,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert finding.status == "FAIL" assert finding.status == "FAIL"
assert finding.resource_id == policy_name_1 assert finding.resource_id == policy_name_1
assert finding.resource_arn == policy_arn_1 assert finding.resource_arn == policy_arn_1
assert finding.region == AWS_REGION assert finding.region == AWS_REGION_US_EAST_1
assert finding.resource_tags == [] assert finding.resource_tags == []
assert search( assert search(
@@ -787,7 +760,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert finding.status == "FAIL" assert finding.status == "FAIL"
assert finding.resource_id == policy_name_2 assert finding.resource_id == policy_name_2
assert finding.resource_arn == policy_arn_2 assert finding.resource_arn == policy_arn_2
assert finding.region == AWS_REGION assert finding.region == AWS_REGION_US_EAST_1
assert finding.resource_tags == [] assert finding.resource_tags == []
assert search( assert search(
@@ -802,8 +775,8 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_allows_privilege_escalation_over_permissive_policy( def test_iam_policy_allows_privilege_escalation_over_permissive_policy(
self, self,
): ):
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam", region_name=AWS_REGION) iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name_1 = "privileged_policy_1" policy_name_1 = "privileged_policy_1"
policy_document_1 = { policy_document_1 = {
"Version": "2012-10-17", "Version": "2012-10-17",
@@ -853,7 +826,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert finding.status == "FAIL" assert finding.status == "FAIL"
assert finding.resource_id == policy_name_1 assert finding.resource_id == policy_name_1
assert finding.resource_arn == policy_arn_1 assert finding.resource_arn == policy_arn_1
assert finding.region == AWS_REGION assert finding.region == AWS_REGION_US_EAST_1
assert finding.resource_tags == [] assert finding.resource_tags == []
assert search( assert search(
@@ -868,8 +841,8 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_allows_privilege_escalation_administrator_policy( def test_iam_policy_allows_privilege_escalation_administrator_policy(
self, self,
): ):
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam", region_name=AWS_REGION) iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name_1 = "privileged_policy_1" policy_name_1 = "privileged_policy_1"
policy_document_1 = { policy_document_1 = {
"Version": "2012-10-17", "Version": "2012-10-17",
@@ -909,7 +882,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert finding.status == "FAIL" assert finding.status == "FAIL"
assert finding.resource_id == policy_name_1 assert finding.resource_id == policy_name_1
assert finding.resource_arn == policy_arn_1 assert finding.resource_arn == policy_arn_1
assert finding.region == AWS_REGION assert finding.region == AWS_REGION_US_EAST_1
assert finding.resource_tags == [] assert finding.resource_tags == []
assert search( assert search(
f"Custom Policy {policy_arn_1} allows privilege escalation using the following actions:", f"Custom Policy {policy_arn_1} allows privilege escalation using the following actions:",
@@ -926,8 +899,8 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_allows_privilege_escalation_iam_put( def test_iam_policy_allows_privilege_escalation_iam_put(
self, self,
): ):
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam", region_name=AWS_REGION) iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name_1 = "privileged_policy_1" policy_name_1 = "privileged_policy_1"
policy_document_1 = { policy_document_1 = {
"Version": "2012-10-17", "Version": "2012-10-17",
@@ -967,7 +940,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert finding.status == "FAIL" assert finding.status == "FAIL"
assert finding.resource_id == policy_name_1 assert finding.resource_id == policy_name_1
assert finding.resource_arn == policy_arn_1 assert finding.resource_arn == policy_arn_1
assert finding.region == AWS_REGION assert finding.region == AWS_REGION_US_EAST_1
assert finding.resource_tags == [] assert finding.resource_tags == []
assert search( assert search(
f"Custom Policy {policy_arn_1} allows privilege escalation using the following actions:", f"Custom Policy {policy_arn_1} allows privilege escalation using the following actions:",
@@ -979,8 +952,8 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_allows_privilege_escalation_iam_wildcard( def test_iam_policy_allows_privilege_escalation_iam_wildcard(
self, self,
): ):
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam", region_name=AWS_REGION) iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name_1 = "privileged_policy_1" policy_name_1 = "privileged_policy_1"
policy_document_1 = { policy_document_1 = {
"Version": "2012-10-17", "Version": "2012-10-17",
@@ -1020,7 +993,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert finding.status == "FAIL" assert finding.status == "FAIL"
assert finding.resource_id == policy_name_1 assert finding.resource_id == policy_name_1
assert finding.resource_arn == policy_arn_1 assert finding.resource_arn == policy_arn_1
assert finding.region == AWS_REGION assert finding.region == AWS_REGION_US_EAST_1
assert finding.resource_tags == [] assert finding.resource_tags == []
assert search( assert search(
f"Custom Policy {policy_arn_1} allows privilege escalation using the following actions:", f"Custom Policy {policy_arn_1} allows privilege escalation using the following actions:",
@@ -1032,8 +1005,8 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_not_allows_privilege_escalation_custom_policy( def test_iam_policy_not_allows_privilege_escalation_custom_policy(
self, self,
): ):
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam", region_name=AWS_REGION) iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name_1 = "privileged_policy_1" policy_name_1 = "privileged_policy_1"
policy_document_1 = { policy_document_1 = {
"Version": "2012-10-17", "Version": "2012-10-17",
@@ -1048,7 +1021,7 @@ class Test_iam_policy_allows_privilege_escalation:
"Sid": "", "Sid": "",
"Effect": "Allow", "Effect": "Allow",
"Action": "es:*", "Action": "es:*",
"Resource": f"arn:aws:es:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:domain/test/*", "Resource": f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/test/*",
}, },
], ],
} }
@@ -1079,7 +1052,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert finding.status == "PASS" assert finding.status == "PASS"
assert finding.resource_id == policy_name_1 assert finding.resource_id == policy_name_1
assert finding.resource_arn == policy_arn_1 assert finding.resource_arn == policy_arn_1
assert finding.region == AWS_REGION assert finding.region == AWS_REGION_US_EAST_1
assert finding.resource_tags == [] assert finding.resource_tags == []
assert ( assert (
finding.status_extended finding.status_extended


@@ -1,48 +1,17 @@
from json import dumps from json import dumps
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
AWS_ACCOUNT_NUMBER = "123456789012" set_mocked_aws_audit_info,
AWS_REGION = "eu-west-1" )
class Test_iam_policy_attached_only_to_group_or_roles: class Test_iam_policy_attached_only_to_group_or_roles:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=[AWS_REGION],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam @mock_iam
def test_iam_user_attached_policy(self): def test_iam_user_attached_policy(self):
result = [] result = []
@@ -61,7 +30,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
)["Policy"]["Arn"] )["Policy"]["Arn"]
iam_client.attach_user_policy(UserName=user, PolicyArn=policyArn) iam_client.attach_user_policy(UserName=user, PolicyArn=policyArn)
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -82,7 +51,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
result[0].status_extended result[0].status_extended
== f"User {user} has the policy {policy_name} attached." == f"User {user} has the policy {policy_name} attached."
) )
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_id == f"{user}/{policy_name}" assert result[0].resource_id == f"{user}/{policy_name}"
assert ( assert (
result[0].resource_arn result[0].resource_arn
@@ -110,7 +79,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
)["Policy"]["Arn"] )["Policy"]["Arn"]
iam_client.attach_user_policy(UserName=user, PolicyArn=policyArn) iam_client.attach_user_policy(UserName=user, PolicyArn=policyArn)
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -132,7 +101,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
result[0].status_extended result[0].status_extended
== f"User {user} has the policy {policyName} attached." == f"User {user} has the policy {policyName} attached."
) )
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_id == f"{user}/{policyName}" assert result[0].resource_id == f"{user}/{policyName}"
assert result[0].status == "FAIL" assert result[0].status == "FAIL"
@@ -140,7 +109,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
result[0].status_extended result[0].status_extended
== f"User {user} has the policy {policyName} attached." == f"User {user} has the policy {policyName} attached."
) )
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_id == f"{user}/{policyName}" assert result[0].resource_id == f"{user}/{policyName}"
assert ( assert (
result[0].resource_arn result[0].resource_arn
@@ -164,7 +133,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
UserName=user, PolicyName=policyName, PolicyDocument=dumps(policyDocument) UserName=user, PolicyName=policyName, PolicyDocument=dumps(policyDocument)
) )
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -185,7 +154,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
result[0].status_extended result[0].status_extended
== f"User {user} has the inline policy {policyName} attached." == f"User {user} has the inline policy {policyName} attached."
) )
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_id == f"{user}/{policyName}" assert result[0].resource_id == f"{user}/{policyName}"
assert ( assert (
result[0].resource_arn result[0].resource_arn
@@ -199,7 +168,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
user = "test_no_policies" user = "test_no_policies"
iam_client.create_user(UserName=user) iam_client.create_user(UserName=user)
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -220,7 +189,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
result[0].status_extended result[0].status_extended
== f"User {user} has no inline or attached policies." == f"User {user} has no inline or attached policies."
) )
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_id == user assert result[0].resource_id == user
assert ( assert (
result[0].resource_arn result[0].resource_arn
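Review bot: The fixture's audited region for `Test_iam_policy_attached_only_to_group_or_roles` silently moves from eu-west-1 (the removed module constant `AWS_REGION = "eu-west-1"`) to us-east-1, and every `result[0].region` assertion is rewritten to `AWS_REGION_US_EAST_1` to follow it. Whether the `iam_client` these tests call agrees with the new fixture cannot be seen here, because its construction lies outside every hunk; if it is still created with an explicit eu-west-1 `region_name`, the client and the mocked audit info now name different regions. Construct it as `iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)` so the two cannot drift. Each test method starts before its hunk.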


@@ -1,49 +1,20 @@
from json import dumps from json import dumps
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.audit_info import AWS_Audit_Info
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
from prowler.providers.common.models import Audit_Metadata from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_policy_no_full_access_to_cloudtrail: class Test_iam_policy_no_full_access_to_cloudtrail:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=None,
audited_account_arn=None,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region="us-east-1",
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam @mock_iam
def test_policy_full_access_to_cloudtrail(self): def test_policy_full_access_to_cloudtrail(self):
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam") iam_client = client("iam")
policy_name = "policy_cloudtrail_full" policy_name = "policy_cloudtrail_full"
policy_document_full_access = { policy_document_full_access = {
@@ -82,7 +53,7 @@ class Test_iam_policy_no_full_access_to_cloudtrail:
@mock_iam @mock_iam
def test_policy_no_full_access_to_cloudtrail(self): def test_policy_no_full_access_to_cloudtrail(self):
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam") iam_client = client("iam")
policy_name = "policy_no_cloudtrail_full" policy_name = "policy_no_cloudtrail_full"
policy_document_full_access = { policy_document_full_access = {
@@ -121,7 +92,7 @@ class Test_iam_policy_no_full_access_to_cloudtrail:
@mock_iam @mock_iam
def test_policy_mixed(self): def test_policy_mixed(self):
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam") iam_client = client("iam")
policy_name = "policy_mixed" policy_name = "policy_mixed"
policy_document_full_access = { policy_document_full_access = {
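Review bot: `iam_client = client("iam")` on the line after each `set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])` call still takes its region from the ambient AWS_DEFAULT_REGION rather than from the region the mocked audit info now names, so the client and the fixture can disagree depending on the environment the suite runs in. Pass it explicitly, `iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)`, as the privilege-escalation tests earlier in this diff already do. The same bare `client("iam")` survives in the kms, root_hardware_mfa_enabled, root_mfa_enabled and rotate_access_key_90_days sections below. Each test method continues past its hunk.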


@@ -1,49 +1,20 @@
from json import dumps from json import dumps
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.audit_info import AWS_Audit_Info
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
from prowler.providers.common.models import Audit_Metadata from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_policy_no_full_access_to_kms: class Test_iam_policy_no_full_access_to_kms:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=None,
audited_account_arn=None,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region="us-east-1",
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam @mock_iam
def test_policy_full_access_to_kms(self): def test_policy_full_access_to_kms(self):
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam") iam_client = client("iam")
policy_name = "policy_kms_full" policy_name = "policy_kms_full"
policy_document_full_access = { policy_document_full_access = {
@@ -82,7 +53,7 @@ class Test_iam_policy_no_full_access_to_kms:
@mock_iam @mock_iam
def test_policy_no_full_access_to_kms(self): def test_policy_no_full_access_to_kms(self):
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam") iam_client = client("iam")
policy_name = "policy_no_kms_full" policy_name = "policy_no_kms_full"
policy_document_full_access = { policy_document_full_access = {
@@ -121,7 +92,7 @@ class Test_iam_policy_no_full_access_to_kms:
@mock_iam @mock_iam
def test_policy_mixed(self): def test_policy_mixed(self):
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam") iam_client = client("iam")
policy_name = "policy_mixed" policy_name = "policy_mixed"
policy_document_full_access = { policy_document_full_access = {


@@ -1,54 +1,25 @@
from json import dumps from json import dumps
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.aws.services.iam.iam_service import Role from prowler.providers.aws.services.iam.iam_service import Role
from prowler.providers.common.models import Audit_Metadata from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_REGION = "us-east-1" AWS_REGION = "us-east-1"
AWS_ACCOUNT_ID = "123456789012" AWS_ACCOUNT_ID = "123456789012"
class Test_iam_role_administratoraccess_policy: class Test_iam_role_administratoraccess_policy:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_ID,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_ID}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam @mock_iam
def test_no_roles(self): def test_no_roles(self):
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info, new=current_audit_info,
@@ -83,7 +54,7 @@ class Test_iam_role_administratoraccess_policy:
AssumeRolePolicyDocument=dumps(assume_role_policy_document), AssumeRolePolicyDocument=dumps(assume_role_policy_document),
) )
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -132,7 +103,7 @@ class Test_iam_role_administratoraccess_policy:
PolicyArn="arn:aws:iam::aws:policy/SecurityAudit", PolicyArn="arn:aws:iam::aws:policy/SecurityAudit",
) )
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -181,7 +152,7 @@ class Test_iam_role_administratoraccess_policy:
PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess", PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess",
) )
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -230,7 +201,7 @@ class Test_iam_role_administratoraccess_policy:
PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess", PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess",
) )
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -279,7 +250,7 @@ class Test_iam_role_administratoraccess_policy:
) )
) )
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
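Review bot: The module-level `AWS_REGION = "us-east-1"` and `AWS_ACCOUNT_ID = "123456789012"` survive next to the new import of `AWS_REGION_US_EAST_1` from `tests.providers.aws.audit_info_utils`, so this file now carries two names for the same region and a private copy of the account number that the shared module presumably exports as `AWS_ACCOUNT_NUMBER` (other sections in this diff import it from there). Import `AWS_ACCOUNT_NUMBER` alongside the other shared constants and replace the remaining `AWS_REGION` / `AWS_ACCOUNT_ID` uses, which lie outside these hunks, so the fixture values cannot drift from the helper's. The cross_account_readonlyaccess_policy and cross_service_confused_deputy_prevention sections below keep the same pair of leftover constants.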


@@ -1,54 +1,25 @@
from json import dumps from json import dumps
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.aws.services.iam.iam_service import Role from prowler.providers.aws.services.iam.iam_service import Role
from prowler.providers.common.models import Audit_Metadata from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_REGION = "us-east-1" AWS_REGION = "us-east-1"
AWS_ACCOUNT_ID = "123456789012" AWS_ACCOUNT_ID = "123456789012"
class Test_iam_role_cross_account_readonlyaccess_policy: class Test_iam_role_cross_account_readonlyaccess_policy:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_ID,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_ID}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam @mock_iam
def test_no_roles(self): def test_no_roles(self):
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info, new=current_audit_info,
@@ -83,7 +54,7 @@ class Test_iam_role_cross_account_readonlyaccess_policy:
AssumeRolePolicyDocument=dumps(assume_role_policy_document), AssumeRolePolicyDocument=dumps(assume_role_policy_document),
) )
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -132,7 +103,7 @@ class Test_iam_role_cross_account_readonlyaccess_policy:
PolicyArn="arn:aws:iam::aws:policy/ReadOnlyAccess", PolicyArn="arn:aws:iam::aws:policy/ReadOnlyAccess",
) )
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -181,7 +152,7 @@ class Test_iam_role_cross_account_readonlyaccess_policy:
PolicyArn="arn:aws:iam::aws:policy/ReadOnlyAccess", PolicyArn="arn:aws:iam::aws:policy/ReadOnlyAccess",
) )
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -230,7 +201,7 @@ class Test_iam_role_cross_account_readonlyaccess_policy:
PolicyArn="arn:aws:iam::aws:policy/ReadOnlyAccess", PolicyArn="arn:aws:iam::aws:policy/ReadOnlyAccess",
) )
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -279,7 +250,7 @@ class Test_iam_role_cross_account_readonlyaccess_policy:
) )
) )
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",


@@ -1,54 +1,25 @@
from json import dumps from json import dumps
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.aws.services.iam.iam_service import Role from prowler.providers.aws.services.iam.iam_service import Role
from prowler.providers.common.models import Audit_Metadata from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_REGION = "us-east-1" AWS_REGION = "us-east-1"
AWS_ACCOUNT_ID = "123456789012" AWS_ACCOUNT_ID = "123456789012"
class Test_iam_role_cross_service_confused_deputy_prevention: class Test_iam_role_cross_service_confused_deputy_prevention:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_ID,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_ID}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam @mock_iam
def test_no_roles(self): def test_no_roles(self):
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
current_audit_info.audited_account = AWS_ACCOUNT_ID current_audit_info.audited_account = AWS_ACCOUNT_ID
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -88,7 +59,7 @@ class Test_iam_role_cross_service_confused_deputy_prevention:
) )
) )
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
current_audit_info.audited_account = AWS_ACCOUNT_ID current_audit_info.audited_account = AWS_ACCOUNT_ID
with mock.patch( with mock.patch(
@@ -127,7 +98,7 @@ class Test_iam_role_cross_service_confused_deputy_prevention:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
current_audit_info.audited_account = AWS_ACCOUNT_ID current_audit_info.audited_account = AWS_ACCOUNT_ID
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -175,7 +146,7 @@ class Test_iam_role_cross_service_confused_deputy_prevention:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
current_audit_info.audited_account = AWS_ACCOUNT_ID current_audit_info.audited_account = AWS_ACCOUNT_ID
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -225,7 +196,7 @@ class Test_iam_role_cross_service_confused_deputy_prevention:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
current_audit_info.audited_account = AWS_ACCOUNT_ID current_audit_info.audited_account = AWS_ACCOUNT_ID
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -275,7 +246,7 @@ class Test_iam_role_cross_service_confused_deputy_prevention:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
current_audit_info.audited_account = AWS_ACCOUNT_ID current_audit_info.audited_account = AWS_ACCOUNT_ID
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -325,7 +296,7 @@ class Test_iam_role_cross_service_confused_deputy_prevention:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
current_audit_info.audited_account = AWS_ACCOUNT_ID current_audit_info.audited_account = AWS_ACCOUNT_ID
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
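Review bot: Each `current_audit_info.audited_account = AWS_ACCOUNT_ID` right after `set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])` overrides a field the shared helper presumably already populates, with a value ("123456789012") that, as far as this file shows, equals the shared `AWS_ACCOUNT_NUMBER`. If the helper sets audited_account, the seven assignments visible here are dead and can go; if it does not, that dependency deserves one comment, e.g. `# the confused-deputy check compares the trust policy's account against audited_account`, rather than a silently repeated assignment. The test bodies continue beyond each hunk.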


@@ -1,47 +1,23 @@
from re import search from re import search
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
AWS_ACCOUNT_NUMBER = "123456789012" )
class Test_iam_root_hardware_mfa_enabled_test: class Test_iam_root_hardware_mfa_enabled_test:
def set_mocked_audit_info(self): from tests.providers.aws.audit_info_utils import (
audit_info = AWS_Audit_Info( AWS_ACCOUNT_ARN,
session_config=None, AWS_ACCOUNT_NUMBER,
original_session=None, AWS_REGION_US_EAST_1,
audit_session=session.Session( set_mocked_aws_audit_info,
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
) )
return audit_info
@mock_iam @mock_iam
def test_root_hardware_virtual_mfa_enabled(self): def test_root_hardware_virtual_mfa_enabled(self):
iam = client("iam") iam = client("iam")
@@ -50,7 +26,7 @@ class Test_iam_root_hardware_mfa_enabled_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -83,7 +59,7 @@ class Test_iam_root_hardware_mfa_enabled_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
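Review bot: The new class body of `Test_iam_root_hardware_mfa_enabled_test` opens with a second `from tests.providers.aws.audit_info_utils import (...)` block, sitting exactly where the removed `set_mocked_audit_info` method was, even though the module already imports `AWS_REGION_US_EAST_1` and `set_mocked_aws_audit_info` at the top. Names imported in a class body become class attributes and are not visible as bare names inside the methods, so any method that refers to `AWS_ACCOUNT_ARN` or `AWS_ACCOUNT_NUMBER` (not visible in these hunks) would raise NameError; this looks like a leftover from replacing the method. Merge `AWS_ACCOUNT_ARN` and `AWS_ACCOUNT_NUMBER` into the module-level import and delete the class-level block. The root_mfa_enabled section below has the same class-level import and additionally keeps a module-level `AWS_ACCOUNT_NUMBER = "123456789012"` that duplicates the shared constant.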


@@ -1,54 +1,32 @@
from re import search from re import search
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_ACCOUNT_NUMBER = "123456789012" AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_root_mfa_enabled_test: class Test_iam_root_mfa_enabled_test:
def set_mocked_audit_info(self): from tests.providers.aws.audit_info_utils import (
audit_info = AWS_Audit_Info( AWS_ACCOUNT_ARN,
session_config=None, AWS_ACCOUNT_NUMBER,
original_session=None, AWS_REGION_US_EAST_1,
audit_session=session.Session( set_mocked_aws_audit_info,
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
) )
return audit_info
@mock_iam @mock_iam
def test_root_mfa_not_enabled(self): def test_root_mfa_not_enabled(self):
iam_client = client("iam") iam_client = client("iam")
user = "test-user" user = "test-user"
iam_client.create_user(UserName=user)["User"]["Arn"] iam_client.create_user(UserName=user)["User"]["Arn"]
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -83,7 +61,7 @@ class Test_iam_root_mfa_enabled_test:
user = "test-user" user = "test-user"
iam_client.create_user(UserName=user)["User"]["Arn"] iam_client.create_user(UserName=user)["User"]["Arn"]
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(


@@ -1,48 +1,16 @@
import datetime import datetime
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
AWS_ACCOUNT_NUMBER = "123456789012" )
AWS_REGION = "us-east-1"
class Test_iam_rotate_access_key_90_days_test: class Test_iam_rotate_access_key_90_days_test:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam @mock_iam
def test_user_no_access_keys(self): def test_user_no_access_keys(self):
iam_client = client("iam") iam_client = client("iam")
@@ -51,7 +19,7 @@ class Test_iam_rotate_access_key_90_days_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -76,7 +44,7 @@ class Test_iam_rotate_access_key_90_days_test:
) )
assert result[0].resource_id == user assert result[0].resource_id == user
assert result[0].resource_arn == arn assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam @mock_iam
def test_user_access_key_1_not_rotated(self): def test_user_access_key_1_not_rotated(self):
@@ -89,7 +57,7 @@ class Test_iam_rotate_access_key_90_days_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -117,7 +85,7 @@ class Test_iam_rotate_access_key_90_days_test:
) )
assert result[0].resource_id == user assert result[0].resource_id == user
assert result[0].resource_arn == arn assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam @mock_iam
def test_user_access_key_2_not_rotated(self): def test_user_access_key_2_not_rotated(self):
@@ -130,7 +98,7 @@ class Test_iam_rotate_access_key_90_days_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -158,7 +126,7 @@ class Test_iam_rotate_access_key_90_days_test:
) )
assert result[0].resource_id == user assert result[0].resource_id == user
assert result[0].resource_arn == arn assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam @mock_iam
def test_user_both_access_keys_not_rotated(self): def test_user_both_access_keys_not_rotated(self):
@@ -171,7 +139,7 @@ class Test_iam_rotate_access_key_90_days_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -204,7 +172,7 @@ class Test_iam_rotate_access_key_90_days_test:
) )
assert result[0].resource_id == user assert result[0].resource_id == user
assert result[0].resource_arn == arn assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
assert result[1].status == "FAIL" assert result[1].status == "FAIL"
assert ( assert (
result[1].status_extended result[1].status_extended
@@ -212,7 +180,7 @@ class Test_iam_rotate_access_key_90_days_test:
) )
assert result[1].resource_id == user assert result[1].resource_id == user
assert result[1].resource_arn == arn assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION assert result[1].region == AWS_REGION_US_EAST_1
@mock_iam @mock_iam
def test_user_both_access_keys_rotated(self): def test_user_both_access_keys_rotated(self):
@@ -225,7 +193,7 @@ class Test_iam_rotate_access_key_90_days_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -259,4 +227,4 @@ class Test_iam_rotate_access_key_90_days_test:
) )
assert result[0].resource_id == user assert result[0].resource_id == user
assert result[0].resource_arn == arn assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1


@@ -2,51 +2,20 @@ from json import dumps
from re import search from re import search
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.audit_info import AWS_Audit_Info
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
from prowler.providers.common.models import Audit_Metadata from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
AWS_ACCOUNT_NUMBER = "123456789012" set_mocked_aws_audit_info,
)
class Test_iam_securityaudit_role_created: class Test_iam_securityaudit_role_created:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region="us-east-1",
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam @mock_iam
def test_securityaudit_role_created(self): def test_securityaudit_role_created(self):
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = client("iam") iam = client("iam")
role_name = "test_securityaudit_role_created" role_name = "test_securityaudit_role_created"
assume_role_policy_document = { assume_role_policy_document = {
@@ -93,7 +62,7 @@ class Test_iam_securityaudit_role_created:
@mock_iam @mock_iam
def test_no_securityaudit_role_created(self): def test_no_securityaudit_role_created(self):
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",


@@ -2,16 +2,18 @@ from json import dumps
from uuid import uuid4 from uuid import uuid4
import botocore import botocore
from boto3 import client, session from boto3 import client
from freezegun import freeze_time from freezegun import freeze_time
from mock import patch from mock import patch
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.aws.services.iam.iam_service import IAM, Policy, is_service_role from prowler.providers.aws.services.iam.iam_service import IAM, Policy, is_service_role
from prowler.providers.common.models import Audit_Metadata from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_ACCOUNT_NUMBER = "123456789012"
TEST_DATETIME = "2023-01-01T12:01:01+00:00" TEST_DATETIME = "2023-01-01T12:01:01+00:00"
INLINE_POLICY_NOT_ADMIN = { INLINE_POLICY_NOT_ADMIN = {
@@ -77,42 +79,12 @@ def mock_make_api_call(self, operation_name, kwargs):
# Patch every AWS call using Boto3 # Patch every AWS call using Boto3
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call) @patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
class Test_IAM_Service: class Test_IAM_Service:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=None,
audited_account_arn=None,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region="us-east-1",
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
# Test IAM Client # Test IAM Client
@mock_iam @mock_iam
def test__get_client__(self): def test__get_client__(self):
# IAM client for this test class # IAM client for this test class
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert iam.client.__class__.__name__ == "IAM" assert iam.client.__class__.__name__ == "IAM"
@@ -120,7 +92,7 @@ class Test_IAM_Service:
@mock_iam @mock_iam
def test__get_session__(self): def test__get_session__(self):
# IAM client for this test class # IAM client for this test class
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert iam.session.__class__.__name__ == "Session" assert iam.session.__class__.__name__ == "Session"
@@ -162,7 +134,7 @@ class Test_IAM_Service:
} }
# IAM client for this test class # IAM client for this test class
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert len(iam.credential_report) == 1 assert len(iam.credential_report) == 1
assert iam.credential_report[0].get("user") assert iam.credential_report[0].get("user")
@@ -333,7 +305,7 @@ class Test_IAM_Service:
)["Role"] )["Role"]
# IAM client for this test class # IAM client for this test class
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert len(iam.roles) == len(iam_client.list_roles()["Roles"]) assert len(iam.roles) == len(iam_client.list_roles()["Roles"])
@@ -360,7 +332,7 @@ class Test_IAM_Service:
) )
# IAM client for this test class # IAM client for this test class
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert len(iam.groups) == len(iam_client.list_groups()["Groups"]) assert len(iam.groups) == len(iam_client.list_groups()["Groups"])
@@ -384,7 +356,7 @@ class Test_IAM_Service:
) )
# IAM client for this test class # IAM client for this test class
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert len(iam.users) == len(iam_client.list_users()["Users"]) assert len(iam.users) == len(iam_client.list_users()["Users"])
assert iam.users[0].tags == [ assert iam.users[0].tags == [
@@ -402,7 +374,7 @@ class Test_IAM_Service:
account_summary = iam_client.get_account_summary()["SummaryMap"] account_summary = iam_client.get_account_summary()["SummaryMap"]
# IAM client for this test class # IAM client for this test class
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert iam.account_summary["SummaryMap"] == account_summary assert iam.account_summary["SummaryMap"] == account_summary
@@ -436,7 +408,7 @@ class Test_IAM_Service:
) )
# IAM client for this test class # IAM client for this test class
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert iam.password_policy.length == min_password_length assert iam.password_policy.length == min_password_length
@@ -472,7 +444,7 @@ class Test_IAM_Service:
) )
# IAM client for this test class # IAM client for this test class
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert len(iam.users) == 1 assert len(iam.users) == 1
@@ -506,7 +478,7 @@ class Test_IAM_Service:
) )
# IAM client for this test class # IAM client for this test class
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert len(iam.virtual_mfa_devices) == 1 assert len(iam.virtual_mfa_devices) == 1
@@ -533,7 +505,7 @@ class Test_IAM_Service:
iam_client.add_user_to_group(GroupName=group, UserName=username) iam_client.add_user_to_group(GroupName=group, UserName=username)
# IAM client for this test class # IAM client for this test class
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert len(iam.groups) == 1 assert len(iam.groups) == 1
@@ -580,7 +552,7 @@ class Test_IAM_Service:
) )
# IAM client for this test class # IAM client for this test class
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert len(iam.groups) == 1 assert len(iam.groups) == 1
@@ -615,7 +587,7 @@ class Test_IAM_Service:
) )
# IAM client for this test class # IAM client for this test class
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert len(iam.roles) == 1 assert len(iam.roles) == 1
@@ -636,7 +608,7 @@ class Test_IAM_Service:
EntityFilter="Role", EntityFilter="Role",
)["PolicyRoles"] )["PolicyRoles"]
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert len(iam.entities_role_attached_to_support_policy) == 0 assert len(iam.entities_role_attached_to_support_policy) == 0
@@ -667,7 +639,7 @@ class Test_IAM_Service:
EntityFilter="Role", EntityFilter="Role",
)["PolicyRoles"] )["PolicyRoles"]
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert len(iam.entities_role_attached_to_support_policy) == 1 assert len(iam.entities_role_attached_to_support_policy) == 1
assert iam.entities_role_attached_to_support_policy[0]["RoleName"] == role_name assert iam.entities_role_attached_to_support_policy[0]["RoleName"] == role_name
@@ -680,7 +652,7 @@ class Test_IAM_Service:
EntityFilter="Role", EntityFilter="Role",
)["PolicyRoles"] )["PolicyRoles"]
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert len(iam.entities_role_attached_to_securityaudit_policy) == 0 assert len(iam.entities_role_attached_to_securityaudit_policy) == 0
@@ -711,7 +683,7 @@ class Test_IAM_Service:
EntityFilter="Role", EntityFilter="Role",
)["PolicyRoles"] )["PolicyRoles"]
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert len(iam.entities_role_attached_to_securityaudit_policy) == 1 assert len(iam.entities_role_attached_to_securityaudit_policy) == 1
assert ( assert (
@@ -736,7 +708,7 @@ class Test_IAM_Service:
{"Key": "string", "Value": "string"}, {"Key": "string", "Value": "string"},
], ],
) )
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
custom_policies = 0 custom_policies = 0
for policy in iam.policies: for policy in iam.policies:
@@ -761,7 +733,7 @@ class Test_IAM_Service:
iam_client.create_policy( iam_client.create_policy(
PolicyName=policy_name, PolicyDocument=dumps(policy_document) PolicyName=policy_name, PolicyDocument=dumps(policy_document)
) )
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
custom_policies = 0 custom_policies = 0
@@ -812,7 +784,7 @@ nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
) )
# IAM client for this test class # IAM client for this test class
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert len(iam.saml_providers) == 1 assert len(iam.saml_providers) == 1
@@ -836,7 +808,7 @@ nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
) )
# IAM client for this test class # IAM client for this test class
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert len(iam.users) == 1 assert len(iam.users) == 1
@@ -880,7 +852,7 @@ nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
iam_client.delete_policy iam_client.delete_policy
# IAM client for this test class # IAM client for this test class
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert len(iam.groups) == 1 assert len(iam.groups) == 1
@@ -924,7 +896,7 @@ nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
) )
# IAM client for this test class # IAM client for this test class
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert len(iam.roles) == 1 assert len(iam.roles) == 1
@@ -964,7 +936,7 @@ nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
access_key = iam_client.create_access_key(UserName="test-user") access_key = iam_client.create_access_key(UserName="test-user")
access_key_id = access_key["AccessKey"]["AccessKeyId"] access_key_id = access_key["AccessKey"]["AccessKeyId"]
# IAM client for this test class # IAM client for this test class
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info) iam = IAM(audit_info)
assert len(iam.users) == 1 assert len(iam.users) == 1


@@ -2,47 +2,25 @@ from json import dumps
from re import search from re import search
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_ACCOUNT_NUMBER = "123456789012" AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_support_role_created: class Test_iam_support_role_created:
def set_mocked_audit_info(self): from tests.providers.aws.audit_info_utils import (
audit_info = AWS_Audit_Info( AWS_ACCOUNT_ARN,
session_config=None, AWS_ACCOUNT_NUMBER,
original_session=None, AWS_REGION_US_EAST_1,
audit_session=session.Session( set_mocked_aws_audit_info,
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
) )
return audit_info
@mock_iam @mock_iam
def test_support_role_created(self): def test_support_role_created(self):
iam = client("iam") iam = client("iam")
@@ -65,7 +43,7 @@ class Test_iam_support_role_created:
PolicyArn="arn:aws:iam::aws:policy/aws-service-role/AWSSupportServiceRolePolicy", PolicyArn="arn:aws:iam::aws:policy/aws-service-role/AWSSupportServiceRolePolicy",
) )
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -94,7 +72,7 @@ class Test_iam_support_role_created:
@mock_iam @mock_iam
def test_no_support_role_created(self): def test_no_support_role_created(self):
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
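Review bot: The new side of this section imports `tests.providers.aws.audit_info_utils` twice — once at module level (`AWS_REGION_US_EAST_1`, `set_mocked_aws_audit_info`) and again as the first statement inside the body of `Test_iam_support_role_created`, which binds `AWS_ACCOUNT_ARN`, `AWS_ACCOUNT_NUMBER`, `AWS_REGION_US_EAST_1` and `set_mocked_aws_audit_info` as class attributes instead of module names and looks like a misplaced paste. The module-level literal `AWS_ACCOUNT_NUMBER = "123456789012"` kept just above the class now duplicates (and is shadowed inside the class by) the imported constant, so the two should be collapsed into one module-level import carrying only the names the test bodies actually use (the bodies are outside the visible hunks, so which of the four are needed should be checked). The same class-body import appears in the iam_user_hardware_mfa_enabled section, and the iam_user_accesskey_unused and iam_user_console_access_unused sections likewise keep module-level `AWS_ACCOUNT_NUMBER`/`AWS_REGION` literals that no visible new-side line references once the assertions compare against `AWS_REGION_US_EAST_1`.
```python
from tests.providers.aws.audit_info_utils import (
    AWS_ACCOUNT_ARN,
    AWS_ACCOUNT_NUMBER,
    AWS_REGION_US_EAST_1,
    set_mocked_aws_audit_info,
)


class Test_iam_support_role_created:
    # … unchanged: test_support_role_created / test_no_support_role_created …
```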


@@ -1,50 +1,19 @@
import datetime import datetime
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_ACCOUNT_NUMBER = "123456789012" AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1" AWS_REGION = "us-east-1"
class Test_iam_user_accesskey_unused_test: class Test_iam_user_accesskey_unused_test:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
audit_config={"max_unused_access_keys_days": 45},
)
return audit_info
@mock_iam @mock_iam
def test_user_no_access_keys(self): def test_user_no_access_keys(self):
iam_client = client("iam") iam_client = client("iam")
@@ -53,7 +22,9 @@ class Test_iam_user_accesskey_unused_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info(
[AWS_REGION_US_EAST_1], audit_config={"max_unused_access_keys_days": 45}
)
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -84,7 +55,7 @@ class Test_iam_user_accesskey_unused_test:
) )
assert result[0].resource_id == user assert result[0].resource_id == user
assert result[0].resource_arn == arn assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam @mock_iam
def test_user_access_key_1_not_used(self): def test_user_access_key_1_not_used(self):
@@ -97,7 +68,9 @@ class Test_iam_user_accesskey_unused_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info(
[AWS_REGION_US_EAST_1], audit_config={"max_unused_access_keys_days": 45}
)
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -126,7 +99,7 @@ class Test_iam_user_accesskey_unused_test:
) )
assert result[0].resource_id == user + "/AccessKey1" assert result[0].resource_id == user + "/AccessKey1"
assert result[0].resource_arn == arn assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam @mock_iam
def test_user_access_key_2_not_used(self): def test_user_access_key_2_not_used(self):
@@ -139,7 +112,9 @@ class Test_iam_user_accesskey_unused_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info(
[AWS_REGION_US_EAST_1], audit_config={"max_unused_access_keys_days": 45}
)
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -168,7 +143,7 @@ class Test_iam_user_accesskey_unused_test:
) )
assert result[0].resource_id == user + "/AccessKey2" assert result[0].resource_id == user + "/AccessKey2"
assert result[0].resource_arn == arn assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam @mock_iam
def test_user_both_access_keys_not_used(self): def test_user_both_access_keys_not_used(self):
@@ -181,7 +156,9 @@ class Test_iam_user_accesskey_unused_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info(
[AWS_REGION_US_EAST_1], audit_config={"max_unused_access_keys_days": 45}
)
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -215,7 +192,7 @@ class Test_iam_user_accesskey_unused_test:
) )
assert result[0].resource_id == user + "/AccessKey1" assert result[0].resource_id == user + "/AccessKey1"
assert result[0].resource_arn == arn assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
assert result[1].status == "FAIL" assert result[1].status == "FAIL"
assert ( assert (
@@ -237,7 +214,9 @@ class Test_iam_user_accesskey_unused_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info(
[AWS_REGION_US_EAST_1], audit_config={"max_unused_access_keys_days": 45}
)
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -271,4 +250,4 @@ class Test_iam_user_accesskey_unused_test:
) )
assert result[0].resource_id == user assert result[0].resource_id == user
assert result[0].resource_arn == arn assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1


@@ -1,50 +1,19 @@
import datetime import datetime
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_ACCOUNT_NUMBER = "123456789012" AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1" AWS_REGION = "us-east-1"
class Test_iam_user_console_access_unused_test: class Test_iam_user_console_access_unused_test:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
audit_config={"max_console_access_days": 45},
)
return audit_info
@mock_iam @mock_iam
def test_iam_user_logged_45_days(self): def test_iam_user_logged_45_days(self):
password_last_used = ( password_last_used = (
@@ -56,7 +25,9 @@ class Test_iam_user_console_access_unused_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info(
[AWS_REGION_US_EAST_1], audit_config={"max_unused_access_keys_days": 45}
)
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -81,7 +52,7 @@ class Test_iam_user_console_access_unused_test:
) )
assert result[0].resource_id == user assert result[0].resource_id == user
assert result[0].resource_arn == arn assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam @mock_iam
def test_iam_user_not_logged_45_days(self): def test_iam_user_not_logged_45_days(self):
@@ -94,7 +65,9 @@ class Test_iam_user_console_access_unused_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info(
[AWS_REGION_US_EAST_1], audit_config={"max_unused_access_keys_days": 45}
)
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -119,7 +92,7 @@ class Test_iam_user_console_access_unused_test:
) )
assert result[0].resource_id == user assert result[0].resource_id == user
assert result[0].resource_arn == arn assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam @mock_iam
def test_iam_user_not_logged(self): def test_iam_user_not_logged(self):
@@ -129,7 +102,9 @@ class Test_iam_user_console_access_unused_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info() audit_info = set_mocked_aws_audit_info(
[AWS_REGION_US_EAST_1], audit_config={"max_unused_access_keys_days": 45}
)
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -155,4 +130,4 @@ class Test_iam_user_console_access_unused_test:
) )
assert result[0].resource_id == user assert result[0].resource_id == user
assert result[0].resource_arn == arn assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1


@@ -1,47 +1,25 @@
from re import search from re import search
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_ACCOUNT_NUMBER = "123456789012" AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_user_hardware_mfa_enabled_test: class Test_iam_user_hardware_mfa_enabled_test:
def set_mocked_audit_info(self): from tests.providers.aws.audit_info_utils import (
audit_info = AWS_Audit_Info( AWS_ACCOUNT_ARN,
session_config=None, AWS_ACCOUNT_NUMBER,
original_session=None, AWS_REGION_US_EAST_1,
audit_session=session.Session( set_mocked_aws_audit_info,
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
) )
return audit_info
@mock_iam @mock_iam
def test_user_no_mfa_devices(self): def test_user_no_mfa_devices(self):
iam_client = client("iam") iam_client = client("iam")
@@ -50,7 +28,7 @@ class Test_iam_user_hardware_mfa_enabled_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -83,7 +61,7 @@ class Test_iam_user_hardware_mfa_enabled_test:
from prowler.providers.aws.services.iam.iam_service import IAM, MFADevice from prowler.providers.aws.services.iam.iam_service import IAM, MFADevice
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -122,7 +100,7 @@ class Test_iam_user_hardware_mfa_enabled_test:
from prowler.providers.aws.services.iam.iam_service import IAM, MFADevice from prowler.providers.aws.services.iam.iam_service import IAM, MFADevice
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
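Review bot: The new side of the first hunk appears to keep two imports from `tests.providers.aws.audit_info_utils` — the module-level one bringing in `AWS_REGION_US_EAST_1` and `set_mocked_aws_audit_info`, and a second one that also pulls `AWS_ACCOUNT_ARN` and `AWS_ACCOUNT_NUMBER` — while the local `AWS_ACCOUNT_NUMBER = "123456789012"` constant survives beside the imported name of the same value; from the rendering it is not certain whether that second import sits at module level or in the class body where `set_mocked_audit_info` used to be. Either way the file reads cleaner with a single module-level `from tests.providers.aws.audit_info_utils import (AWS_ACCOUNT_NUMBER, AWS_REGION_US_EAST_1, set_mocked_aws_audit_info,)` keeping only the names the tests use, and the local constant dropped so the account id asserted on is guaranteed to be the one the shared fixture puts into the audit info. Note also that the removed helper audited `["us-east-1", "eu-west-1"]` whereas the replacement passes only `[AWS_REGION_US_EAST_1]`; for IAM as a global service that is presumably harmless, but it is a fixture change rather than a pure refactor and may be worth a one-line comment. The same duplicated import and surviving constant appear in the three files that follow, in their `@@ -1,56 +1,33 @@`, `@@ -2,47 +2,24 @@` and `@@ -1,47 +1,25 @@` hunks.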


@@ -1,56 +1,33 @@
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_ACCOUNT_NUMBER = "123456789012" AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_user_mfa_enabled_console_access_test: class Test_iam_user_mfa_enabled_console_access_test:
def set_mocked_audit_info(self): from tests.providers.aws.audit_info_utils import (
audit_info = AWS_Audit_Info( AWS_ACCOUNT_ARN,
session_config=None, AWS_ACCOUNT_NUMBER,
original_session=None, AWS_REGION_US_EAST_1,
audit_session=session.Session( set_mocked_aws_audit_info,
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
) )
return audit_info
@mock_iam @mock_iam
def test_root_user_not_password_console_enabled(self): def test_root_user_not_password_console_enabled(self):
iam_client = client("iam") iam_client = client("iam")
user = "test-user" user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"] arn = iam_client.create_user(UserName=user)["User"]["Arn"]
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info, new=current_audit_info,
@@ -83,7 +60,7 @@ class Test_iam_user_mfa_enabled_console_access_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info, new=current_audit_info,
@@ -116,7 +93,7 @@ class Test_iam_user_mfa_enabled_console_access_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info, new=current_audit_info,
@@ -150,7 +127,7 @@ class Test_iam_user_mfa_enabled_console_access_test:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info, new=current_audit_info,


@@ -2,47 +2,24 @@ from csv import DictReader
from re import search from re import search
from unittest import mock from unittest import mock
from boto3 import session
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_ACCOUNT_NUMBER = "123456789012" AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_user_no_setup_initial_access_key_test: class Test_iam_user_no_setup_initial_access_key_test:
def set_mocked_audit_info(self): from tests.providers.aws.audit_info_utils import (
audit_info = AWS_Audit_Info( AWS_ACCOUNT_ARN,
session_config=None, AWS_ACCOUNT_NUMBER,
original_session=None, AWS_REGION_US_EAST_1,
audit_session=session.Session( set_mocked_aws_audit_info,
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
) )
return audit_info
@mock_iam @mock_iam
def test_setup_access_key_1_fail(self): def test_setup_access_key_1_fail(self):
raw_credential_report = r"""user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated raw_credential_report = r"""user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
@@ -51,7 +28,7 @@ test_false_access_key_1,arn:aws:iam::123456789012:test_false_access_key_1,2022-0
csv_reader = DictReader(credential_lines, delimiter=",") csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader) credential_list = list(csv_reader)
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -80,7 +57,7 @@ test_false_access_key_2,arn:aws:iam::123456789012:test_false_access_key_2,2022-0
csv_reader = DictReader(credential_lines, delimiter=",") csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader) credential_list = list(csv_reader)
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -109,7 +86,7 @@ test_false_both_access_keys,arn:aws:iam::123456789012:test_false_both_access_key
csv_reader = DictReader(credential_lines, delimiter=",") csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader) credential_list = list(csv_reader)
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(
@@ -140,7 +117,7 @@ test_pass,arn:aws:iam::123456789012:test_pass,2022-02-17T14:59:38+00:00,not_supp
csv_reader = DictReader(credential_lines, delimiter=",") csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader) credential_list = list(csv_reader)
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch( with mock.patch(


@@ -1,47 +1,25 @@
from re import search from re import search
from unittest import mock from unittest import mock
from boto3 import client, session from boto3 import client
from moto import mock_iam from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from tests.providers.aws.audit_info_utils import (
from prowler.providers.common.models import Audit_Metadata AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_ACCOUNT_NUMBER = "123456789012" AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_user_two_active_access_key: class Test_iam_user_two_active_access_key:
def set_mocked_audit_info(self): from tests.providers.aws.audit_info_utils import (
audit_info = AWS_Audit_Info( AWS_ACCOUNT_ARN,
session_config=None, AWS_ACCOUNT_NUMBER,
original_session=None, AWS_REGION_US_EAST_1,
audit_session=session.Session( set_mocked_aws_audit_info,
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
) )
return audit_info
@mock_iam @mock_iam
def test_iam_user_two_active_access_key(self): def test_iam_user_two_active_access_key(self):
# Create IAM Mocked Resources # Create IAM Mocked Resources
@@ -55,7 +33,7 @@ class Test_iam_user_two_active_access_key:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -94,7 +72,7 @@ class Test_iam_user_two_active_access_key:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -129,7 +107,7 @@ class Test_iam_user_two_active_access_key:
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -159,7 +137,7 @@ class Test_iam_user_two_active_access_key:
def test_iam_no_users(self): def test_iam_no_users(self):
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info() current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",


@@ -1,9 +1,10 @@
from unittest import mock from unittest import mock
from prowler.providers.aws.services.iam.iam_service import IAM from prowler.providers.aws.services.iam.iam_service import IAM
from tests.providers.aws.audit_info_utils import (
AWS_REGION = "us-east-1" AWS_ACCOUNT_NUMBER,
AWS_ACCOUNT_NUMBER = "123456789012" AWS_REGION_US_EAST_1,
)
IAM_USER_NAME = "test-user" IAM_USER_NAME = "test-user"
IAM_USER_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:user/{IAM_USER_NAME}" IAM_USER_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:user/{IAM_USER_NAME}"
@@ -13,7 +14,7 @@ USER_DATA = (IAM_USER_NAME, IAM_USER_ARN)
class Test_iam_user_with_temporary_credentials: class Test_iam_user_with_temporary_credentials:
def test_no_users(self): def test_no_users(self):
iam_client = mock.MagicMock iam_client = mock.MagicMock
iam_client.region = AWS_REGION iam_client.region = AWS_REGION_US_EAST_1
iam_client.access_keys_metadata = {} iam_client.access_keys_metadata = {}
iam_client.last_accessed_services = {} iam_client.last_accessed_services = {}
@@ -42,7 +43,7 @@ class Test_iam_user_with_temporary_credentials:
def test_user_no_access_keys_no_accesed_services(self): def test_user_no_access_keys_no_accesed_services(self):
iam_client = mock.MagicMock iam_client = mock.MagicMock
iam_client.region = AWS_REGION iam_client.region = AWS_REGION_US_EAST_1
iam_client.access_keys_metadata = {USER_DATA: []} iam_client.access_keys_metadata = {USER_DATA: []}
iam_client.last_accessed_services = {USER_DATA: []} iam_client.last_accessed_services = {USER_DATA: []}
@@ -75,11 +76,11 @@ class Test_iam_user_with_temporary_credentials:
) )
assert result[0].resource_id == IAM_USER_NAME assert result[0].resource_id == IAM_USER_NAME
assert result[0].resource_arn == IAM_USER_ARN assert result[0].resource_arn == IAM_USER_ARN
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
def test_user_access_keys_no_accesed_services(self): def test_user_access_keys_no_accesed_services(self):
iam_client = mock.MagicMock iam_client = mock.MagicMock
iam_client.region = AWS_REGION iam_client.region = AWS_REGION_US_EAST_1
iam_client.access_keys_metadata = {USER_DATA: [{"AccessKeyId": 1}]} iam_client.access_keys_metadata = {USER_DATA: [{"AccessKeyId": 1}]}
iam_client.last_accessed_services = {USER_DATA: []} iam_client.last_accessed_services = {USER_DATA: []}
@@ -112,11 +113,11 @@ class Test_iam_user_with_temporary_credentials:
) )
assert result[0].resource_id == IAM_USER_NAME assert result[0].resource_id == IAM_USER_NAME
assert result[0].resource_arn == IAM_USER_ARN assert result[0].resource_arn == IAM_USER_ARN
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
def test_user_access_keys_accesed_services_sts(self): def test_user_access_keys_accesed_services_sts(self):
iam_client = mock.MagicMock iam_client = mock.MagicMock
iam_client.region = AWS_REGION iam_client.region = AWS_REGION_US_EAST_1
iam_client.access_keys_metadata = {USER_DATA: [{"AccessKeyId": 1}]} iam_client.access_keys_metadata = {USER_DATA: [{"AccessKeyId": 1}]}
iam_client.last_accessed_services = {USER_DATA: [{"ServiceNamespace": "sts"}]} iam_client.last_accessed_services = {USER_DATA: [{"ServiceNamespace": "sts"}]}
@@ -149,11 +150,11 @@ class Test_iam_user_with_temporary_credentials:
) )
assert result[0].resource_id == IAM_USER_NAME assert result[0].resource_id == IAM_USER_NAME
assert result[0].resource_arn == IAM_USER_ARN assert result[0].resource_arn == IAM_USER_ARN
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
def test_access_keys_with_iam_and_sts(self): def test_access_keys_with_iam_and_sts(self):
iam_client = mock.MagicMock iam_client = mock.MagicMock
iam_client.region = AWS_REGION iam_client.region = AWS_REGION_US_EAST_1
iam_client.access_keys_metadata = {USER_DATA: [{"AccessKeyId": 1}]} iam_client.access_keys_metadata = {USER_DATA: [{"AccessKeyId": 1}]}
iam_client.last_accessed_services = { iam_client.last_accessed_services = {
@@ -188,11 +189,11 @@ class Test_iam_user_with_temporary_credentials:
) )
assert result[0].resource_id == IAM_USER_NAME assert result[0].resource_id == IAM_USER_NAME
assert result[0].resource_arn == IAM_USER_ARN assert result[0].resource_arn == IAM_USER_ARN
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1
def test_access_keys_with_iam_and_ec2(self): def test_access_keys_with_iam_and_ec2(self):
iam_client = mock.MagicMock iam_client = mock.MagicMock
iam_client.region = AWS_REGION iam_client.region = AWS_REGION_US_EAST_1
iam_client.access_keys_metadata = {USER_DATA: [{"AccessKeyId": 1}]} iam_client.access_keys_metadata = {USER_DATA: [{"AccessKeyId": 1}]}
iam_client.last_accessed_services = { iam_client.last_accessed_services = {
@@ -227,4 +228,4 @@ class Test_iam_user_with_temporary_credentials:
) )
assert result[0].resource_id == IAM_USER_NAME assert result[0].resource_id == IAM_USER_NAME
assert result[0].resource_arn == IAM_USER_ARN assert result[0].resource_arn == IAM_USER_ARN
assert result[0].region == AWS_REGION assert result[0].region == AWS_REGION_US_EAST_1