fix(global_services): handle global regions correctly (#1594)

Co-authored-by: sergargar <sergio@verica.io>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
This commit is contained in:
Sergio Garcia
2022-12-23 12:32:31 +01:00
committed by GitHub
parent 3cfe1b8376
commit d9dc6c0a49
25 changed files with 789 additions and 223 deletions


@@ -2,7 +2,7 @@ import boto3
import sure # noqa
from moto import mock_iam, mock_sts
from prowler.providers.aws.aws_provider import assume_role, get_region_global_service
from prowler.providers.aws.aws_provider import assume_role, generate_regional_clients
from prowler.providers.aws.lib.audit_info.models import AWS_Assume_Role, AWS_Audit_Info
ACCOUNT_ID = 123456789012
@@ -82,24 +82,85 @@ class Test_AWS_Provider:
21 + 1 + len(sessionName)
)
def test_get_region_global_service(self):
# Create mock audit_info
input_audit_info = AWS_Audit_Info(
def test_generate_regional_clients(self):
# New Boto3 session with the previously create user
session = boto3.session.Session(
region_name="us-east-1",
)
audited_regions = ["eu-west-1", "us-east-1"]
# Fulfil the input session object for Prowler
audit_info = AWS_Audit_Info(
original_session=None,
audit_session=None,
audited_account="123456789012",
audited_identity_arn="test-arn",
audited_user_id="test",
audit_session=session,
audited_account=None,
audited_partition="aws",
profile="default",
profile_region="eu-west-1",
audited_identity_arn=None,
audited_user_id=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["eu-west-2", "eu-west-1"],
audited_regions=audited_regions,
organizations_metadata=None,
)
assert (
get_region_global_service(input_audit_info)
== input_audit_info.audited_regions[0]
generate_regional_clients_response = generate_regional_clients(
"ec2", audit_info
)
assert set(generate_regional_clients_response.keys()) == set(audited_regions)
def test_generate_regional_clients_global_service(self):
# New Boto3 session with the previously create user
session = boto3.session.Session(
region_name="us-east-1",
)
audited_regions = ["eu-west-1", "us-east-1"]
profile_region = "us-east-1"
# Fulfil the input session object for Prowler
audit_info = AWS_Audit_Info(
original_session=None,
audit_session=session,
audited_account=None,
audited_partition="aws",
audited_identity_arn=None,
audited_user_id=None,
profile=None,
profile_region=profile_region,
credentials=None,
assumed_role_info=None,
audited_regions=audited_regions,
organizations_metadata=None,
)
generate_regional_clients_response = generate_regional_clients(
"route53", audit_info, global_service=True
)
assert list(generate_regional_clients_response.keys()) == [profile_region]
def test_generate_regional_clients_cn_partition(self):
# New Boto3 session with the previously create user
session = boto3.session.Session(
region_name="us-east-1",
)
audited_regions = ["cn-northwest-1", "cn-north-1"]
# Fulfil the input session object for Prowler
audit_info = AWS_Audit_Info(
original_session=None,
audit_session=session,
audited_account=None,
audited_partition="aws-cn",
audited_identity_arn=None,
audited_user_id=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=audited_regions,
organizations_metadata=None,
)
generate_regional_clients_response = generate_regional_clients(
"shield", audit_info, global_service=True
)
# Shield does not exist in China
assert generate_regional_clients_response == {}
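Review bot: test_generate_regional_clients_global_service sets profile_region to "us-east-1", which is also an element of audited_regions, so `assert list(generate_regional_clients_response.keys()) == [profile_region]` passes whether the implementation honours profile_region or merely filters audited_regions; the two inputs need to disagree to prove the global-region handling. A second case with profile_region outside audited_regions, and one with profile_region=None (the path the removed test_get_region_global_service covered via audited_regions[0]), would pin the behaviour down. It would also help to assert the region the client was actually built for, e.g. `assert generate_regional_clients_response[profile_region].meta.region_name == profile_region`. generate_regional_clients itself is not in this diff, so which value it prefers is inferred from the test.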


@@ -17,6 +17,8 @@ class Test_iam_administrator_access_with_mfa_test:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client",
new=IAM(current_audit_info),
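Review bot: `current_audit_info.audited_partition = "aws"` mutates the module-level current_audit_info in place with no teardown, so the partition set here leaks into every later test that imports the same object, and a test that omits the line passes or fails depending on execution order. The same assignment is added in every hunk of this file and in the iam_avoid_root_usage, iam_check_saml_providers_sts, iam_disable_30/45/90_days_credentials and iam_no_custom_policy_permissive_role_assumption tests. Prefer a per-test AWS_Audit_Info built by a helper, as the aws_provider and iam_service tests in this commit already do, or restore the previous value after the `with mock.patch(...)` block. The enclosing test method continues outside the hunk.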
@@ -55,6 +57,8 @@ class Test_iam_administrator_access_with_mfa_test:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client",
new=IAM(current_audit_info),
@@ -88,6 +92,8 @@ class Test_iam_administrator_access_with_mfa_test:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client",
new=IAM(current_audit_info),
@@ -123,6 +129,8 @@ class Test_iam_administrator_access_with_mfa_test:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client",
new=IAM(current_audit_info),
@@ -182,6 +190,8 @@ class Test_iam_administrator_access_with_mfa_test:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client",
new=IAM(current_audit_info),


@@ -18,6 +18,8 @@ class Test_iam_avoid_root_usage:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(current_audit_info),
@@ -51,6 +53,8 @@ class Test_iam_avoid_root_usage:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(current_audit_info),
@@ -83,6 +87,8 @@ class Test_iam_avoid_root_usage:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(current_audit_info),
@@ -115,6 +121,8 @@ class Test_iam_avoid_root_usage:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(current_audit_info),


@@ -44,6 +44,8 @@ nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_check_saml_providers_sts.iam_check_saml_providers_sts.iam_client",
new=IAM(current_audit_info),


@@ -18,6 +18,8 @@ class Test_iam_disable_30_days_credentials_test:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(current_audit_info),
@@ -48,6 +50,8 @@ class Test_iam_disable_30_days_credentials_test:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(current_audit_info),
@@ -75,6 +79,8 @@ class Test_iam_disable_30_days_credentials_test:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(current_audit_info),


@@ -18,6 +18,8 @@ class Test_iam_disable_45_days_credentials_test:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(current_audit_info),
@@ -48,6 +50,8 @@ class Test_iam_disable_45_days_credentials_test:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(current_audit_info),
@@ -75,6 +79,8 @@ class Test_iam_disable_45_days_credentials_test:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(current_audit_info),


@@ -18,6 +18,8 @@ class Test_iam_disable_90_days_credentials_test:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(current_audit_info),
@@ -48,6 +50,8 @@ class Test_iam_disable_90_days_credentials_test:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(current_audit_info),
@@ -75,6 +79,8 @@ class Test_iam_disable_90_days_credentials_test:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(current_audit_info),


@@ -24,6 +24,8 @@ class Test_iam_no_custom_policy_permissive_role_assumption:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client",
new=IAM(current_audit_info),
@@ -59,6 +61,8 @@ class Test_iam_no_custom_policy_permissive_role_assumption:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client",
new=IAM(current_audit_info),
@@ -97,6 +101,8 @@ class Test_iam_no_custom_policy_permissive_role_assumption:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client",
new=IAM(current_audit_info),
@@ -132,6 +138,8 @@ class Test_iam_no_custom_policy_permissive_role_assumption:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client",
new=IAM(current_audit_info),
@@ -179,6 +187,8 @@ class Test_iam_no_custom_policy_permissive_role_assumption:
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client",
new=IAM(current_audit_info),


@@ -2,11 +2,11 @@ import json
from json import dumps
from boto3 import client, session
from freezegun import freeze_time
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.aws.services.iam.iam_service import IAM
from freezegun import freeze_time
AWS_ACCOUNT_NUMBER = 123456789012
TEST_DATETIME = "2023-01-01T12:01:01+00:00"
@@ -23,10 +23,10 @@ class Test_IAM_Service:
),
audited_account=None,
audited_user_id=None,
audited_partition=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
profile_region="us-east-1",
credentials=None,
assumed_role_info=None,
audited_regions=None,


@@ -14,6 +14,8 @@ class Test_trustedadvisor_errors_and_warnings:
def test_no_detectors(self):
trustedadvisor_client = mock.MagicMock
trustedadvisor_client.checks = []
trustedadvisor_client.enabled = False
trustedadvisor_client.account = AWS_ACCOUNT_NUMBER
with mock.patch(
"prowler.providers.aws.services.trustedadvisor.trustedadvisor_service.TrustedAdvisor",
trustedadvisor_client,
@@ -24,11 +26,16 @@ class Test_trustedadvisor_errors_and_warnings:
check = trustedadvisor_errors_and_warnings()
result = check.execute()
assert len(result) == 0
assert len(result) == 1
assert (
result[0].status_extended
== "Amazon Web Services Premium Support Subscription is required to use this service."
)
def test_trustedadvisor_all_passed_checks(self):
trustedadvisor_client = mock.MagicMock
trustedadvisor_client.checks = []
trustedadvisor_client.enabled = True
trustedadvisor_client.checks.append(
Check(
id="check1",
@@ -55,6 +62,7 @@ class Test_trustedadvisor_errors_and_warnings:
def test_trustedadvisor_error_check(self):
trustedadvisor_client = mock.MagicMock
trustedadvisor_client.checks = []
trustedadvisor_client.enabled = True
trustedadvisor_client.checks.append(
Check(
id="check1",
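Review bot: `trustedadvisor_client = mock.MagicMock` binds the MagicMock class rather than an instance, so the new lines `trustedadvisor_client.enabled = False` and `trustedadvisor_client.account = AWS_ACCOUNT_NUMBER` set attributes on the shared class object and persist for the rest of the process; in the visible lines test_trustedadvisor_all_passed_checks and test_trustedadvisor_error_check set enabled but not account, so they appear to rely on the value left behind by test_no_detectors. Change the assignment in each test to `trustedadvisor_client = mock.MagicMock()` and set `account` explicitly wherever the check reads it. The body of each test continues outside the hunk, so a later account assignment there would change this assessment.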


@@ -21,17 +21,7 @@ def mock_make_api_call(self, operation_name, kwarg):
return make_api_call(self, operation_name, kwarg)
def mock_generate_regional_clients(service, audit_info):
regional_client = audit_info.audit_session.client(service, region_name=AWS_REGION)
regional_client.region = AWS_REGION
return {AWS_REGION: regional_client}
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
@patch(
"prowler.providers.aws.services.trustedadvisor.trustedadvisor_service.generate_regional_clients",
new=mock_generate_regional_clients,
)
class Test_TrustedAdvisor_Service:
# Mocked Audit Info
def set_mocked_audit_info(self):
@@ -46,7 +36,7 @@ class Test_TrustedAdvisor_Service:
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
@@ -64,8 +54,7 @@ class Test_TrustedAdvisor_Service:
def test_client(self):
audit_info = self.set_mocked_audit_info()
trustedadvisor = TrustedAdvisor(audit_info)
for reg_client in trustedadvisor.regional_clients.values():
assert reg_client.__class__.__name__ == "Support"
assert trustedadvisor.client.__class__.__name__ == "Support"
# Test TrustedAdvisor session
def test__get_session__(self):
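Review bot: test_client now checks only the class name of trustedadvisor.client, which would also pass for a Support client created in the wrong region; since the commit's point is that global services resolve to the profile region, assert that too, e.g. `assert trustedadvisor.client.meta.region_name == AWS_REGION`. With the mock_generate_regional_clients patch removed, set_mocked_audit_info sets profile_region=AWS_REGION while audited_regions stays None, so the profile_region=None path for a global service is not exercised by this file. test__get_session__ starts on the last line of the hunk and continues outside it.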