test(audit_info): refactor shield (#3131)

Nacho Rivera
2023-12-05 11:40:42 +01:00
committed by GitHub
parent 50ef2729e6
commit b49e0b95f7
7 changed files with 161 additions and 270 deletions


@@ -1,22 +1,24 @@
from unittest import mock
from boto3 import client, session
from boto3 import client
from mock import patch
from moto import mock_ec2
from moto.core import DEFAULT_ACCOUNT_ID
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.aws.services.shield.shield_service import Protection
from prowler.providers.common.models import Audit_Metadata
AWS_REGION = "eu-west-1"
from tests.providers.aws.audit_info_utils import (
AWS_REGION_EU_WEST_1,
set_mocked_aws_audit_info,
)
# Mock generate_regional_clients()
def mock_generate_regional_clients(service, audit_info, _):
regional_client = audit_info.audit_session.client(service, region_name=AWS_REGION)
regional_client.region = AWS_REGION
return {AWS_REGION: regional_client}
regional_client = audit_info.audit_session.client(
service, region_name=AWS_REGION_EU_WEST_1
)
regional_client.region = AWS_REGION_EU_WEST_1
return {AWS_REGION_EU_WEST_1: regional_client}
# Patch every AWS call using Boto3 and generate_regional_clients to have 1 client
@@ -25,37 +27,6 @@ def mock_generate_regional_clients(service, audit_info, _):
new=mock_generate_regional_clients,
)
class Test_shield_advanced_protection_in_associated_elastic_ips:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=DEFAULT_ACCOUNT_ID,
audited_account_arn=f"arn:aws:iam::{DEFAULT_ACCOUNT_ID}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_ec2
def test_no_shield_not_active(self):
# Shield Client
@@ -69,10 +40,10 @@ class Test_shield_advanced_protection_in_associated_elastic_ips:
new=shield_client,
), mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=self.set_mocked_audit_info(),
new=set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]),
), mock.patch(
"prowler.providers.aws.services.shield.shield_advanced_protection_in_associated_elastic_ips.shield_advanced_protection_in_associated_elastic_ips.ec2_client",
new=EC2(self.set_mocked_audit_info()),
new=EC2(set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])),
):
# Test Check
from prowler.providers.aws.services.shield.shield_advanced_protection_in_associated_elastic_ips.shield_advanced_protection_in_associated_elastic_ips import (
@@ -87,15 +58,15 @@ class Test_shield_advanced_protection_in_associated_elastic_ips:
@mock_ec2
def test_shield_enabled_ip_protected(self):
# EC2 Client
ec2_client = client("ec2", region_name=AWS_REGION)
ec2_client = client("ec2", region_name=AWS_REGION_EU_WEST_1)
resp = ec2_client.allocate_address(Domain="vpc", Address="127.38.43.222")
allocation_id = resp["AllocationId"]
elastic_ip_arn = f"arn:aws:ec2:{AWS_REGION}:{DEFAULT_ACCOUNT_ID}:eip-allocation/{allocation_id}"
elastic_ip_arn = f"arn:aws:ec2:{AWS_REGION_EU_WEST_1}:{DEFAULT_ACCOUNT_ID}:eip-allocation/{allocation_id}"
# Shield Client
shield_client = mock.MagicMock
shield_client.enabled = True
shield_client.region = AWS_REGION
shield_client.region = AWS_REGION_EU_WEST_1
protection_id = "test-protection"
shield_client.protections = {
protection_id: Protection(
@@ -103,7 +74,7 @@ class Test_shield_advanced_protection_in_associated_elastic_ips:
name="",
resource_arn=elastic_ip_arn,
protection_arn="",
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
)
}
@@ -114,10 +85,10 @@ class Test_shield_advanced_protection_in_associated_elastic_ips:
new=shield_client,
), mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=self.set_mocked_audit_info(),
new=set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]),
), mock.patch(
"prowler.providers.aws.services.shield.shield_advanced_protection_in_associated_elastic_ips.shield_advanced_protection_in_associated_elastic_ips.ec2_client",
new=EC2(self.set_mocked_audit_info()),
new=EC2(set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])),
):
# Test Check
from prowler.providers.aws.services.shield.shield_advanced_protection_in_associated_elastic_ips.shield_advanced_protection_in_associated_elastic_ips import (
@@ -128,7 +99,7 @@ class Test_shield_advanced_protection_in_associated_elastic_ips:
result = check.execute()
assert len(result) == 1
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_id == allocation_id
assert result[0].resource_arn == elastic_ip_arn
assert result[0].status == "PASS"
@@ -140,15 +111,15 @@ class Test_shield_advanced_protection_in_associated_elastic_ips:
@mock_ec2
def test_shield_enabled_ip_not_protected(self):
# EC2 Client
ec2_client = client("ec2", region_name=AWS_REGION)
ec2_client = client("ec2", region_name=AWS_REGION_EU_WEST_1)
resp = ec2_client.allocate_address(Domain="vpc", Address="127.38.43.222")
allocation_id = resp["AllocationId"]
elastic_ip_arn = f"arn:aws:ec2:{AWS_REGION}:{DEFAULT_ACCOUNT_ID}:eip-allocation/{allocation_id}"
elastic_ip_arn = f"arn:aws:ec2:{AWS_REGION_EU_WEST_1}:{DEFAULT_ACCOUNT_ID}:eip-allocation/{allocation_id}"
# Shield Client
shield_client = mock.MagicMock
shield_client.enabled = True
shield_client.region = AWS_REGION
shield_client.region = AWS_REGION_EU_WEST_1
shield_client.protections = {}
from prowler.providers.aws.services.ec2.ec2_service import EC2
@@ -158,10 +129,10 @@ class Test_shield_advanced_protection_in_associated_elastic_ips:
new=shield_client,
), mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=self.set_mocked_audit_info(),
new=set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]),
), mock.patch(
"prowler.providers.aws.services.shield.shield_advanced_protection_in_associated_elastic_ips.shield_advanced_protection_in_associated_elastic_ips.ec2_client",
new=EC2(self.set_mocked_audit_info()),
new=EC2(set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])),
):
# Test Check
from prowler.providers.aws.services.shield.shield_advanced_protection_in_associated_elastic_ips.shield_advanced_protection_in_associated_elastic_ips import (
@@ -172,7 +143,7 @@ class Test_shield_advanced_protection_in_associated_elastic_ips:
result = check.execute()
assert len(result) == 1
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_id == allocation_id
assert result[0].resource_arn == elastic_ip_arn
assert result[0].status == "FAIL"
@@ -184,15 +155,15 @@ class Test_shield_advanced_protection_in_associated_elastic_ips:
@mock_ec2
def test_shield_disabled_ip_not_protected(self):
# EC2 Client
ec2_client = client("ec2", region_name=AWS_REGION)
ec2_client = client("ec2", region_name=AWS_REGION_EU_WEST_1)
resp = ec2_client.allocate_address(Domain="vpc", Address="127.38.43.222")
allocation_id = resp["AllocationId"]
_ = f"arn:aws:ec2:{AWS_REGION}:{DEFAULT_ACCOUNT_ID}:eip-allocation/{allocation_id}"
_ = f"arn:aws:ec2:{AWS_REGION_EU_WEST_1}:{DEFAULT_ACCOUNT_ID}:eip-allocation/{allocation_id}"
# Shield Client
shield_client = mock.MagicMock
shield_client.enabled = False
shield_client.region = AWS_REGION
shield_client.region = AWS_REGION_EU_WEST_1
shield_client.protections = {}
from prowler.providers.aws.services.ec2.ec2_service import EC2
@@ -202,10 +173,10 @@ class Test_shield_advanced_protection_in_associated_elastic_ips:
new=shield_client,
), mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=self.set_mocked_audit_info(),
new=set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]),
), mock.patch(
"prowler.providers.aws.services.shield.shield_advanced_protection_in_associated_elastic_ips.shield_advanced_protection_in_associated_elastic_ips.ec2_client",
new=EC2(self.set_mocked_audit_info()),
new=EC2(set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])),
):
# Test Check
from prowler.providers.aws.services.shield.shield_advanced_protection_in_associated_elastic_ips.shield_advanced_protection_in_associated_elastic_ips import (
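Review bot: Each patched test in the last hunk calls `set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])` twice, once for `current_audit_info` and once inside `EC2(...)`, so the check and the service client run against two different audit-info objects; bind it once with `audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])` and then use `new=audit_info,` and `new=EC2(audit_info),`. The same doubled call appears in the classic and internet-facing load balancer test files. Separately, `shield_client = mock.MagicMock` assigns the class rather than an instance, so `shield_client.enabled`, `region` and `protections` become attributes on the shared MagicMock class rather than a per-test fixture; `shield_client = mock.MagicMock()` keeps them local to the test (this recurs in all five files). The removed fixture passed `audited_regions=None` while the helper is now given a one-region list; if the helper stores that list into the audit info, region filtering inside the check may differ from before, which is worth confirming. The `with mock.patch(...)` block in the final hunk continues past the hunk.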


@@ -1,48 +1,17 @@
from unittest import mock
from boto3 import client, resource, session
from boto3 import client, resource
from moto import mock_ec2, mock_elb
from moto.core import DEFAULT_ACCOUNT_ID
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.aws.services.shield.shield_service import Protection
from prowler.providers.common.models import Audit_Metadata
AWS_REGION = "eu-west-1"
from tests.providers.aws.audit_info_utils import (
AWS_REGION_EU_WEST_1,
set_mocked_aws_audit_info,
)
class Test_shield_advanced_protection_in_classic_load_balancers:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=DEFAULT_ACCOUNT_ID,
audited_account_arn=f"arn:aws:iam::{DEFAULT_ACCOUNT_ID}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_elb
@mock_ec2
def test_no_shield_not_active(self):
@@ -57,10 +26,10 @@ class Test_shield_advanced_protection_in_classic_load_balancers:
new=shield_client,
), mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=self.set_mocked_audit_info(),
new=set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]),
), mock.patch(
"prowler.providers.aws.services.shield.shield_advanced_protection_in_classic_load_balancers.shield_advanced_protection_in_classic_load_balancers.elb_client",
new=ELB(self.set_mocked_audit_info()),
new=ELB(set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])),
):
# Test Check
from prowler.providers.aws.services.shield.shield_advanced_protection_in_classic_load_balancers.shield_advanced_protection_in_classic_load_balancers import (
@@ -76,8 +45,8 @@ class Test_shield_advanced_protection_in_classic_load_balancers:
@mock_elb
def test_shield_enabled_elb_protected(self):
# ELB Client
elb = client("elb", region_name=AWS_REGION)
ec2 = resource("ec2", region_name=AWS_REGION)
elb = client("elb", region_name=AWS_REGION_EU_WEST_1)
ec2 = resource("ec2", region_name=AWS_REGION_EU_WEST_1)
security_group = ec2.create_security_group(
GroupName="sg01", Description="Test security group sg01"
@@ -89,16 +58,16 @@ class Test_shield_advanced_protection_in_classic_load_balancers:
{"Protocol": "tcp", "LoadBalancerPort": 80, "InstancePort": 8080},
{"Protocol": "http", "LoadBalancerPort": 81, "InstancePort": 9000},
],
AvailabilityZones=[f"{AWS_REGION}a"],
AvailabilityZones=[f"{AWS_REGION_EU_WEST_1}a"],
Scheme="internet-facing",
SecurityGroups=[security_group.id],
)
elb_arn = f"arn:aws:elasticloadbalancing:{AWS_REGION}:{DEFAULT_ACCOUNT_ID}:loadbalancer/{elb_name}"
elb_arn = f"arn:aws:elasticloadbalancing:{AWS_REGION_EU_WEST_1}:{DEFAULT_ACCOUNT_ID}:loadbalancer/{elb_name}"
# Shield Client
shield_client = mock.MagicMock
shield_client.enabled = True
shield_client.region = AWS_REGION
shield_client.region = AWS_REGION_EU_WEST_1
protection_id = "test-protection"
shield_client.protections = {
protection_id: Protection(
@@ -106,7 +75,7 @@ class Test_shield_advanced_protection_in_classic_load_balancers:
name="",
resource_arn=elb_arn,
protection_arn="",
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
)
}
@@ -117,10 +86,10 @@ class Test_shield_advanced_protection_in_classic_load_balancers:
new=shield_client,
), mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=self.set_mocked_audit_info(),
new=set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]),
), mock.patch(
"prowler.providers.aws.services.shield.shield_advanced_protection_in_classic_load_balancers.shield_advanced_protection_in_classic_load_balancers.elb_client",
new=ELB(self.set_mocked_audit_info()),
new=ELB(set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])),
):
# Test Check
from prowler.providers.aws.services.shield.shield_advanced_protection_in_classic_load_balancers.shield_advanced_protection_in_classic_load_balancers import (
@@ -131,7 +100,7 @@ class Test_shield_advanced_protection_in_classic_load_balancers:
result = check.execute()
assert len(result) == 1
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_id == elb_name
assert result[0].resource_arn == elb_arn
assert result[0].status == "PASS"
@@ -144,8 +113,8 @@ class Test_shield_advanced_protection_in_classic_load_balancers:
@mock_ec2
def test_shield_enabled_elb_not_protected(self):
# ELB Client
elb = client("elb", region_name=AWS_REGION)
ec2 = resource("ec2", region_name=AWS_REGION)
elb = client("elb", region_name=AWS_REGION_EU_WEST_1)
ec2 = resource("ec2", region_name=AWS_REGION_EU_WEST_1)
security_group = ec2.create_security_group(
GroupName="sg01", Description="Test security group sg01"
@@ -157,16 +126,16 @@ class Test_shield_advanced_protection_in_classic_load_balancers:
{"Protocol": "tcp", "LoadBalancerPort": 80, "InstancePort": 8080},
{"Protocol": "http", "LoadBalancerPort": 81, "InstancePort": 9000},
],
AvailabilityZones=[f"{AWS_REGION}a"],
AvailabilityZones=[f"{AWS_REGION_EU_WEST_1}a"],
Scheme="internet-facing",
SecurityGroups=[security_group.id],
)
elb_arn = f"arn:aws:elasticloadbalancing:{AWS_REGION}:{DEFAULT_ACCOUNT_ID}:loadbalancer/{elb_name}"
elb_arn = f"arn:aws:elasticloadbalancing:{AWS_REGION_EU_WEST_1}:{DEFAULT_ACCOUNT_ID}:loadbalancer/{elb_name}"
# Shield Client
shield_client = mock.MagicMock
shield_client.enabled = True
shield_client.region = AWS_REGION
shield_client.region = AWS_REGION_EU_WEST_1
shield_client.protections = {}
from prowler.providers.aws.services.elb.elb_service import ELB
@@ -176,10 +145,10 @@ class Test_shield_advanced_protection_in_classic_load_balancers:
new=shield_client,
), mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=self.set_mocked_audit_info(),
new=set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]),
), mock.patch(
"prowler.providers.aws.services.shield.shield_advanced_protection_in_classic_load_balancers.shield_advanced_protection_in_classic_load_balancers.elb_client",
new=ELB(self.set_mocked_audit_info()),
new=ELB(set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])),
):
# Test Check
from prowler.providers.aws.services.shield.shield_advanced_protection_in_classic_load_balancers.shield_advanced_protection_in_classic_load_balancers import (
@@ -190,7 +159,7 @@ class Test_shield_advanced_protection_in_classic_load_balancers:
result = check.execute()
assert len(result) == 1
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_id == elb_name
assert result[0].resource_arn == elb_arn
assert result[0].status == "FAIL"
@@ -203,8 +172,8 @@ class Test_shield_advanced_protection_in_classic_load_balancers:
@mock_ec2
def test_shield_disabled_elb_not_protected(self):
# ELB Client
elb = client("elb", region_name=AWS_REGION)
ec2 = resource("ec2", region_name=AWS_REGION)
elb = client("elb", region_name=AWS_REGION_EU_WEST_1)
ec2 = resource("ec2", region_name=AWS_REGION_EU_WEST_1)
security_group = ec2.create_security_group(
GroupName="sg01", Description="Test security group sg01"
@@ -216,16 +185,16 @@ class Test_shield_advanced_protection_in_classic_load_balancers:
{"Protocol": "tcp", "LoadBalancerPort": 80, "InstancePort": 8080},
{"Protocol": "http", "LoadBalancerPort": 81, "InstancePort": 9000},
],
AvailabilityZones=[f"{AWS_REGION}a"],
AvailabilityZones=[f"{AWS_REGION_EU_WEST_1}a"],
Scheme="internet-facing",
SecurityGroups=[security_group.id],
)
_ = f"arn:aws:elasticloadbalancing:{AWS_REGION}:{DEFAULT_ACCOUNT_ID}:loadbalancer/{elb_name}"
_ = f"arn:aws:elasticloadbalancing:{AWS_REGION_EU_WEST_1}:{DEFAULT_ACCOUNT_ID}:loadbalancer/{elb_name}"
# Shield Client
shield_client = mock.MagicMock
shield_client.enabled = False
shield_client.region = AWS_REGION
shield_client.region = AWS_REGION_EU_WEST_1
shield_client.protections = {}
from prowler.providers.aws.services.elb.elb_service import ELB
@@ -235,10 +204,10 @@ class Test_shield_advanced_protection_in_classic_load_balancers:
new=shield_client,
), mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=self.set_mocked_audit_info(),
new=set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]),
), mock.patch(
"prowler.providers.aws.services.shield.shield_advanced_protection_in_classic_load_balancers.shield_advanced_protection_in_classic_load_balancers.elb_client",
new=ELB(self.set_mocked_audit_info()),
new=ELB(set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])),
):
# Test Check
from prowler.providers.aws.services.shield.shield_advanced_protection_in_classic_load_balancers.shield_advanced_protection_in_classic_load_balancers import (
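Review bot: `_ = f"arn:aws:elasticloadbalancing:{AWS_REGION_EU_WEST_1}:{DEFAULT_ACCOUNT_ID}:loadbalancer/{elb_name}"` in test_shield_disabled_elb_not_protected builds an ARN only to discard it; the line can be dropped instead of being re-pointed at the new constant. The same discarded `_ =` ARN line sits in the associated-elastic-IPs test file (test_shield_disabled_ip_not_protected). The test method and its `with mock.patch(...)` block continue past the hunks shown here.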


@@ -4,8 +4,7 @@ from moto.core import DEFAULT_ACCOUNT_ID
from prowler.providers.aws.services.cloudfront.cloudfront_service import Distribution
from prowler.providers.aws.services.shield.shield_service import Protection
AWS_REGION = "eu-west-1"
from tests.providers.aws.audit_info_utils import AWS_REGION_EU_WEST_1
class Test_shield_advanced_protection_in_cloudfront_distributions:
@@ -41,14 +40,17 @@ class Test_shield_advanced_protection_in_cloudfront_distributions:
)
cloudfront_client.distributions = {
distribution_id: Distribution(
arn=distribution_arn, id=distribution_id, region=AWS_REGION, origins=[]
arn=distribution_arn,
id=distribution_id,
region=AWS_REGION_EU_WEST_1,
origins=[],
)
}
# Shield Client
shield_client = mock.MagicMock
shield_client.enabled = True
shield_client.region = AWS_REGION
shield_client.region = AWS_REGION_EU_WEST_1
protection_id = "test-protection"
shield_client.protections = {
protection_id: Protection(
@@ -56,7 +58,7 @@ class Test_shield_advanced_protection_in_cloudfront_distributions:
name="",
resource_arn=distribution_arn,
protection_arn="",
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
)
}
@@ -76,7 +78,7 @@ class Test_shield_advanced_protection_in_cloudfront_distributions:
result = check.execute()
assert len(result) == 1
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_id == distribution_id
assert result[0].resource_arn == distribution_arn
assert result[0].status == "PASS"
@@ -94,14 +96,17 @@ class Test_shield_advanced_protection_in_cloudfront_distributions:
)
cloudfront_client.distributions = {
distribution_id: Distribution(
arn=distribution_arn, id=distribution_id, region=AWS_REGION, origins=[]
arn=distribution_arn,
id=distribution_id,
region=AWS_REGION_EU_WEST_1,
origins=[],
)
}
# Shield Client
shield_client = mock.MagicMock
shield_client.enabled = True
shield_client.region = AWS_REGION
shield_client.region = AWS_REGION_EU_WEST_1
shield_client.protections = {}
with mock.patch(
@@ -120,7 +125,7 @@ class Test_shield_advanced_protection_in_cloudfront_distributions:
result = check.execute()
assert len(result) == 1
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_id == distribution_id
assert result[0].resource_arn == distribution_arn
assert result[0].status == "FAIL"
@@ -138,14 +143,17 @@ class Test_shield_advanced_protection_in_cloudfront_distributions:
)
cloudfront_client.distributions = {
distribution_id: Distribution(
arn=distribution_arn, id=distribution_id, region=AWS_REGION, origins=[]
arn=distribution_arn,
id=distribution_id,
region=AWS_REGION_EU_WEST_1,
origins=[],
)
}
# Shield Client
shield_client = mock.MagicMock
shield_client.enabled = False
shield_client.region = AWS_REGION
shield_client.region = AWS_REGION_EU_WEST_1
shield_client.protections = {}
with mock.patch(
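Review bot: The now four-line `Distribution(arn=distribution_arn, id=distribution_id, region=AWS_REGION_EU_WEST_1, origins=[])` literal and the following `shield_client` setup are repeated verbatim in all three test methods of this file; a small module-level helper such as `def _mocked_distribution(distribution_id, distribution_arn): ...` returning the `Distribution` would keep the three hunks in step when the model gains a field. The global-accelerator test file repeats the same `Accelerator(...)` block three times in the same way. Each `with mock.patch(` block ends outside the hunks shown.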


@@ -6,8 +6,7 @@ from prowler.providers.aws.services.globalaccelerator.globalaccelerator_service
Accelerator,
)
from prowler.providers.aws.services.shield.shield_service import Protection
AWS_REGION = "eu-west-1"
from tests.providers.aws.audit_info_utils import AWS_REGION_EU_WEST_1
class Test_shield_advanced_protection_in_global_accelerators:
@@ -44,7 +43,7 @@ class Test_shield_advanced_protection_in_global_accelerators:
accelerator_name: Accelerator(
arn=accelerator_arn,
name=accelerator_name,
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
enabled=True,
)
}
@@ -52,7 +51,7 @@ class Test_shield_advanced_protection_in_global_accelerators:
# Shield Client
shield_client = mock.MagicMock
shield_client.enabled = True
shield_client.region = AWS_REGION
shield_client.region = AWS_REGION_EU_WEST_1
protection_id = "test-protection"
shield_client.protections = {
protection_id: Protection(
@@ -60,7 +59,7 @@ class Test_shield_advanced_protection_in_global_accelerators:
name="",
resource_arn=accelerator_arn,
protection_arn="",
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
)
}
@@ -80,7 +79,7 @@ class Test_shield_advanced_protection_in_global_accelerators:
result = check.execute()
assert len(result) == 1
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_id == accelerator_id
assert result[0].resource_arn == accelerator_arn
assert result[0].status == "PASS"
@@ -99,7 +98,7 @@ class Test_shield_advanced_protection_in_global_accelerators:
accelerator_name: Accelerator(
arn=accelerator_arn,
name=accelerator_name,
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
enabled=True,
)
}
@@ -107,7 +106,7 @@ class Test_shield_advanced_protection_in_global_accelerators:
# Shield Client
shield_client = mock.MagicMock
shield_client.enabled = True
shield_client.region = AWS_REGION
shield_client.region = AWS_REGION_EU_WEST_1
shield_client.protections = {}
with mock.patch(
@@ -126,7 +125,7 @@ class Test_shield_advanced_protection_in_global_accelerators:
result = check.execute()
assert len(result) == 1
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_id == accelerator_id
assert result[0].resource_arn == accelerator_arn
assert result[0].status == "FAIL"
@@ -145,7 +144,7 @@ class Test_shield_advanced_protection_in_global_accelerators:
accelerator_name: Accelerator(
arn=accelerator_arn,
name=accelerator_name,
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
enabled=True,
)
}
@@ -153,7 +152,7 @@ class Test_shield_advanced_protection_in_global_accelerators:
# Shield Client
shield_client = mock.MagicMock
shield_client.enabled = False
shield_client.region = AWS_REGION
shield_client.region = AWS_REGION_EU_WEST_1
shield_client.protections = {}
with mock.patch(


@@ -1,22 +1,23 @@
from unittest import mock
from boto3 import client, resource, session
from boto3 import client, resource
from mock import patch
from moto import mock_ec2, mock_elbv2
from moto.core import DEFAULT_ACCOUNT_ID as AWS_ACCOUNT_NUMBER
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.aws.services.shield.shield_service import Protection
from prowler.providers.common.models import Audit_Metadata
AWS_REGION = "eu-west-1"
from tests.providers.aws.audit_info_utils import (
AWS_REGION_EU_WEST_1,
set_mocked_aws_audit_info,
)
# Mock generate_regional_clients()
def mock_generate_regional_clients(service, audit_info, _):
regional_client = audit_info.audit_session.client(service, region_name=AWS_REGION)
regional_client.region = AWS_REGION
return {AWS_REGION: regional_client}
regional_client = audit_info.audit_session.client(
service, region_name=AWS_REGION_EU_WEST_1
)
regional_client.region = AWS_REGION_EU_WEST_1
return {AWS_REGION_EU_WEST_1: regional_client}
# Patch every AWS call using Boto3 and generate_regional_clients to have 1 client
@@ -25,37 +26,6 @@ def mock_generate_regional_clients(service, audit_info, _):
new=mock_generate_regional_clients,
)
class Test_shield_advanced_protection_in_internet_facing_load_balancers:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_ec2
@mock_elbv2
def test_no_shield_not_active(self):
@@ -70,10 +40,10 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers:
new=shield_client,
), mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=self.set_mocked_audit_info(),
new=set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]),
), mock.patch(
"prowler.providers.aws.services.shield.shield_advanced_protection_in_internet_facing_load_balancers.shield_advanced_protection_in_internet_facing_load_balancers.elbv2_client",
new=ELBv2(self.set_mocked_audit_info()),
new=ELBv2(set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])),
):
# Test Check
from prowler.providers.aws.services.shield.shield_advanced_protection_in_internet_facing_load_balancers.shield_advanced_protection_in_internet_facing_load_balancers import (
@@ -89,8 +59,8 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers:
@mock_elbv2
def test_shield_enabled_elbv2_internet_facing_protected(self):
# ELBv2 Client
conn = client("elbv2", region_name=AWS_REGION)
ec2 = resource("ec2", region_name=AWS_REGION)
conn = client("elbv2", region_name=AWS_REGION_EU_WEST_1)
ec2 = resource("ec2", region_name=AWS_REGION_EU_WEST_1)
security_group = ec2.create_security_group(
GroupName="a-security-group", Description="First One"
@@ -99,12 +69,12 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers:
subnet1 = ec2.create_subnet(
VpcId=vpc.id,
CidrBlock="172.28.7.192/26",
AvailabilityZone=f"{AWS_REGION}a",
AvailabilityZone=f"{AWS_REGION_EU_WEST_1}a",
)
subnet2 = ec2.create_subnet(
VpcId=vpc.id,
CidrBlock="172.28.7.0/26",
AvailabilityZone=f"{AWS_REGION}b",
AvailabilityZone=f"{AWS_REGION_EU_WEST_1}b",
)
lb_name = "my-lb"
lb = conn.create_load_balancer(
@@ -119,7 +89,7 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers:
# Shield Client
shield_client = mock.MagicMock
shield_client.enabled = True
shield_client.region = AWS_REGION
shield_client.region = AWS_REGION_EU_WEST_1
protection_id = "test-protection"
shield_client.protections = {
protection_id: Protection(
@@ -127,7 +97,7 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers:
name="",
resource_arn=lb_arn,
protection_arn="",
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
)
}
@@ -138,10 +108,10 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers:
new=shield_client,
), mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=self.set_mocked_audit_info(),
new=set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]),
), mock.patch(
"prowler.providers.aws.services.shield.shield_advanced_protection_in_internet_facing_load_balancers.shield_advanced_protection_in_internet_facing_load_balancers.elbv2_client",
new=ELBv2(self.set_mocked_audit_info()),
new=ELBv2(set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])),
):
# Test Check
from prowler.providers.aws.services.shield.shield_advanced_protection_in_internet_facing_load_balancers.shield_advanced_protection_in_internet_facing_load_balancers import (
@@ -152,7 +122,7 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers:
result = check.execute()
assert len(result) == 1
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_id == lb_name
assert result[0].resource_arn == lb["LoadBalancerArn"]
assert result[0].status == "PASS"
@@ -165,8 +135,8 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers:
@mock_elbv2
def test_shield_enabled_elbv2_internal_protected(self):
# ELBv2 Client
conn = client("elbv2", region_name=AWS_REGION)
ec2 = resource("ec2", region_name=AWS_REGION)
conn = client("elbv2", region_name=AWS_REGION_EU_WEST_1)
ec2 = resource("ec2", region_name=AWS_REGION_EU_WEST_1)
security_group = ec2.create_security_group(
GroupName="a-security-group", Description="First One"
@@ -175,12 +145,12 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers:
subnet1 = ec2.create_subnet(
VpcId=vpc.id,
CidrBlock="172.28.7.192/26",
AvailabilityZone=f"{AWS_REGION}a",
AvailabilityZone=f"{AWS_REGION_EU_WEST_1}a",
)
subnet2 = ec2.create_subnet(
VpcId=vpc.id,
CidrBlock="172.28.7.0/26",
AvailabilityZone=f"{AWS_REGION}b",
AvailabilityZone=f"{AWS_REGION_EU_WEST_1}b",
)
lb_name = "my-lb"
lb = conn.create_load_balancer(
@@ -195,7 +165,7 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers:
# Shield Client
shield_client = mock.MagicMock
shield_client.enabled = True
shield_client.region = AWS_REGION
shield_client.region = AWS_REGION_EU_WEST_1
protection_id = "test-protection"
shield_client.protections = {
protection_id: Protection(
@@ -203,7 +173,7 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers:
name="",
resource_arn=lb_arn,
protection_arn="",
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
)
}
@@ -214,10 +184,10 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers:
new=shield_client,
), mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=self.set_mocked_audit_info(),
new=set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]),
), mock.patch(
"prowler.providers.aws.services.shield.shield_advanced_protection_in_internet_facing_load_balancers.shield_advanced_protection_in_internet_facing_load_balancers.elbv2_client",
new=ELBv2(self.set_mocked_audit_info()),
new=ELBv2(set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])),
):
# Test Check
from prowler.providers.aws.services.shield.shield_advanced_protection_in_internet_facing_load_balancers.shield_advanced_protection_in_internet_facing_load_balancers import (
@@ -233,18 +203,22 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers:
@mock_elbv2
def test_shield_enabled_elbv2_internet_facing_not_protected(self):
# ELBv2 Client
conn = client("elbv2", region_name=AWS_REGION)
ec2 = resource("ec2", region_name=AWS_REGION)
conn = client("elbv2", region_name=AWS_REGION_EU_WEST_1)
ec2 = resource("ec2", region_name=AWS_REGION_EU_WEST_1)
security_group = ec2.create_security_group(
GroupName="a-security-group", Description="First One"
)
vpc = ec2.create_vpc(CidrBlock="172.28.7.0/24", InstanceTenancy="default")
subnet1 = ec2.create_subnet(
VpcId=vpc.id, CidrBlock="172.28.7.192/26", AvailabilityZone=f"{AWS_REGION}a"
VpcId=vpc.id,
CidrBlock="172.28.7.192/26",
AvailabilityZone=f"{AWS_REGION_EU_WEST_1}a",
)
subnet2 = ec2.create_subnet(
VpcId=vpc.id, CidrBlock="172.28.7.0/26", AvailabilityZone=f"{AWS_REGION}b"
VpcId=vpc.id,
CidrBlock="172.28.7.0/26",
AvailabilityZone=f"{AWS_REGION_EU_WEST_1}b",
)
lb_name = "my-lb"
lb = conn.create_load_balancer(
@@ -259,7 +233,7 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers:
# Shield Client
shield_client = mock.MagicMock
shield_client.enabled = True
shield_client.region = AWS_REGION
shield_client.region = AWS_REGION_EU_WEST_1
shield_client.protections = {}
from prowler.providers.aws.services.elbv2.elbv2_service import ELBv2
@@ -269,10 +243,10 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers:
new=shield_client,
), mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=self.set_mocked_audit_info(),
new=set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]),
), mock.patch(
"prowler.providers.aws.services.shield.shield_advanced_protection_in_internet_facing_load_balancers.shield_advanced_protection_in_internet_facing_load_balancers.elbv2_client",
new=ELBv2(self.set_mocked_audit_info()),
new=ELBv2(set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])),
):
# Test Check
from prowler.providers.aws.services.shield.shield_advanced_protection_in_internet_facing_load_balancers.shield_advanced_protection_in_internet_facing_load_balancers import (
@@ -283,7 +257,7 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers:
result = check.execute()
assert len(result) == 1
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_id == lb_name
assert result[0].resource_arn == lb_arn
assert result[0].status == "FAIL"
@@ -296,18 +270,22 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers:
@mock_elbv2
def test_shield_disabled_elbv2_internet_facing_not_protected(self):
# ELBv2 Client
conn = client("elbv2", region_name=AWS_REGION)
ec2 = resource("ec2", region_name=AWS_REGION)
conn = client("elbv2", region_name=AWS_REGION_EU_WEST_1)
ec2 = resource("ec2", region_name=AWS_REGION_EU_WEST_1)
security_group = ec2.create_security_group(
GroupName="a-security-group", Description="First One"
)
vpc = ec2.create_vpc(CidrBlock="172.28.7.0/24", InstanceTenancy="default")
subnet1 = ec2.create_subnet(
VpcId=vpc.id, CidrBlock="172.28.7.192/26", AvailabilityZone=f"{AWS_REGION}a"
VpcId=vpc.id,
CidrBlock="172.28.7.192/26",
AvailabilityZone=f"{AWS_REGION_EU_WEST_1}a",
)
subnet2 = ec2.create_subnet(
VpcId=vpc.id, CidrBlock="172.28.7.0/26", AvailabilityZone=f"{AWS_REGION}b"
VpcId=vpc.id,
CidrBlock="172.28.7.0/26",
AvailabilityZone=f"{AWS_REGION_EU_WEST_1}b",
)
lb_name = "my-lb"
lb = conn.create_load_balancer(
@@ -322,7 +300,7 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers:
# Shield Client
shield_client = mock.MagicMock
shield_client.enabled = False
shield_client.region = AWS_REGION
shield_client.region = AWS_REGION_EU_WEST_1
shield_client.protections = {}
from prowler.providers.aws.services.elbv2.elbv2_service import ELBv2
@@ -332,10 +310,10 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers:
new=shield_client,
), mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=self.set_mocked_audit_info(),
new=set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]),
), mock.patch(
"prowler.providers.aws.services.shield.shield_advanced_protection_in_internet_facing_load_balancers.shield_advanced_protection_in_internet_facing_load_balancers.elbv2_client",
new=ELBv2(self.set_mocked_audit_info()),
new=ELBv2(set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])),
):
# Test Check
from prowler.providers.aws.services.shield.shield_advanced_protection_in_internet_facing_load_balancers.shield_advanced_protection_in_internet_facing_load_balancers import (


@@ -2,8 +2,7 @@ from unittest import mock
from prowler.providers.aws.services.route53.route53_service import HostedZone
from prowler.providers.aws.services.shield.shield_service import Protection
AWS_REGION = "eu-west-1"
from tests.providers.aws.audit_info_utils import AWS_REGION_EU_WEST_1
class Test_shield_advanced_protection_in_route53_hosted_zones:
@@ -47,14 +46,14 @@ class Test_shield_advanced_protection_in_route53_hosted_zones:
name=hosted_zone_name,
hosted_zone_name=hosted_zone_name,
private_zone=False,
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
)
}
# Shield Client
shield_client = mock.MagicMock
shield_client.enabled = True
shield_client.region = AWS_REGION
shield_client.region = AWS_REGION_EU_WEST_1
protection_id = "test-protection"
shield_client.protections = {
protection_id: Protection(
@@ -62,7 +61,7 @@ class Test_shield_advanced_protection_in_route53_hosted_zones:
name="",
resource_arn=hosted_zone_arn,
protection_arn="",
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
)
}
@@ -85,7 +84,7 @@ class Test_shield_advanced_protection_in_route53_hosted_zones:
result = check.execute()
assert len(result) == 1
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_id == hosted_zone_id
assert result[0].resource_arn == hosted_zone_arn
assert result[0].status == "PASS"
@@ -108,14 +107,14 @@ class Test_shield_advanced_protection_in_route53_hosted_zones:
name=hosted_zone_name,
hosted_zone_name=hosted_zone_name,
private_zone=False,
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
)
}
# Shield Client
shield_client = mock.MagicMock
shield_client.enabled = True
shield_client.region = AWS_REGION
shield_client.region = AWS_REGION_EU_WEST_1
shield_client.protections = {}
with mock.patch(
@@ -137,7 +136,7 @@ class Test_shield_advanced_protection_in_route53_hosted_zones:
result = check.execute()
assert len(result) == 1
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_id == hosted_zone_id
assert result[0].resource_arn == hosted_zone_arn
assert result[0].status == "FAIL"
@@ -160,14 +159,14 @@ class Test_shield_advanced_protection_in_route53_hosted_zones:
name=hosted_zone_name,
hosted_zone_name=hosted_zone_name,
private_zone=False,
region=AWS_REGION,
region=AWS_REGION_EU_WEST_1,
)
}
# Shield Client
shield_client = mock.MagicMock
shield_client.enabled = False
shield_client.region = AWS_REGION
shield_client.region = AWS_REGION_EU_WEST_1
shield_client.protections = {}
with mock.patch(


@@ -1,14 +1,12 @@
import botocore
from boto3 import session
from mock import patch
from moto.core import DEFAULT_ACCOUNT_ID
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.aws.services.shield.shield_service import Shield
from prowler.providers.common.models import Audit_Metadata
# Mock Test Region
AWS_REGION = "eu-west-1"
from tests.providers.aws.audit_info_utils import (
AWS_REGION_EU_WEST_1,
set_mocked_aws_audit_info,
)
# Mocking Access Analyzer Calls
make_api_call = botocore.client.BaseClient._make_api_call
@@ -35,67 +33,36 @@ def mock_make_api_call(self, operation_name, kwarg):
# Patch every AWS call using Boto3 and generate_regional_clients to have 1 client
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
class Test_Shield_Service:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=DEFAULT_ACCOUNT_ID,
audited_account_arn=f"arn:aws:iam::{DEFAULT_ACCOUNT_ID}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
# Test Shield Service
def test_service(self):
# Shield client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
shield = Shield(audit_info)
assert shield.service == "shield"
# Test Shield Client
def test_client(self):
# Shield client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
shield = Shield(audit_info)
assert shield.client.__class__.__name__ == "Shield"
# Test Shield Session
def test__get_session__(self):
# Shield client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
shield = Shield(audit_info)
assert shield.session.__class__.__name__ == "Session"
def test__get_subscription_state__(self):
# Shield client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
shield = Shield(audit_info)
assert shield.enabled
def test__list_protections__(self):
# Shield client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
shield = Shield(audit_info)
protection_id = "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
protection_name = "Protection for CloudFront distribution"
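Review bot: The comment `# Shield client for this test class` kept above each new `audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])` line no longer describes what it annotates: the value is a per-test audit info, and the Shield client is only built on the following line, so the same stale comment is now repeated in all five tests of this hunk. Dropping those five comments and putting one `# Each test builds its own audit info so every Shield() starts from a fresh session` on the class (or moving the two repeated lines into a small helper) would make the intent readable. The replacement also changes the inputs quietly: the removed helper set `audited_regions=None`, while the new call passes a one-region list, which presumably becomes the audited regions; if that scoping is intended, a class-level `# Tests run against a single mocked region (eu-west-1)` would record it for the next maintainer. The body of `test__list_protections__` continues past the end of the hunk.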