From dbc2c481dcbf52fd15e1d535b117531f1fd60fc3 Mon Sep 17 00:00:00 2001 From: Nacho Rivera Date: Tue, 5 Dec 2023 13:20:52 +0100 Subject: [PATCH] test(audit_info): refactor networkfirewall (#3152) --- .../networkfirewall_in_all_vpc_test.py | 170 ++++++++---------- .../networkfirewall_service_test.py | 62 ++----- 2 files changed, 91 insertions(+), 141 deletions(-) diff --git a/tests/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc_test.py b/tests/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc_test.py index c0e28c82..772854fd 100644 --- a/tests/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc_test.py +++ b/tests/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc_test.py @@ -1,16 +1,14 @@ from unittest import mock -from boto3 import session - -from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from prowler.providers.aws.services.networkfirewall.networkfirewall_service import ( Firewall, ) from prowler.providers.aws.services.vpc.vpc_service import VPCs, VpcSubnet -from prowler.providers.common.models import Audit_Metadata +from tests.providers.aws.audit_info_utils import ( + AWS_REGION_US_EAST_1, + set_mocked_aws_audit_info, +) -AWS_REGION = "us-east-1" -AWS_ACCOUNT_NUMBER = "123456789012" FIREWALL_ARN = "arn:aws:network-firewall:us-east-1:123456789012:firewall/my-firewall" FIREWALL_NAME = "my-firewall" VPC_ID_PROTECTED = "vpc-12345678901234567" 
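Review bot: `FIREWALL_ARN` (and `POLICY_ARN`, just past this hunk) still embed the literal region `us-east-1` and account `123456789012` even though the hunk drops the local `AWS_REGION`/`AWS_ACCOUNT_NUMBER` in favour of the shared helper, so the mocked audit_info and the fixture ARNs can now drift apart silently. If `tests.providers.aws.audit_info_utils` also exports an account constant (not visible here), import it and derive the ARNs from it and `AWS_REGION_US_EAST_1`, moving `FIREWALL_NAME` above the ARN: `FIREWALL_ARN = f"arn:aws:network-firewall:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:firewall/{FIREWALL_NAME}"`. If the helper has no such constant, a one-line comment stating that the ARNs must match the account used by `set_mocked_aws_audit_info` would at least document the coupling.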
@@ -19,49 +17,19 @@ POLICY_ARN = "arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/my class Test_networkfirewall_in_all_vpc: - # Mocked Audit Info - def set_mocked_audit_info(self): - audit_info = AWS_Audit_Info( - session_config=None, - original_session=None, - audit_session=session.Session( - profile_name=None, - botocore_session=None, - region_name=AWS_REGION, - ), - audited_account=AWS_ACCOUNT_NUMBER, - audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root", - audited_user_id=None, - audited_partition="aws", - audited_identity_arn=None, - profile=None, - profile_region=AWS_REGION, - credentials=None, - assumed_role_info=None, - audited_regions=None, - organizations_metadata=None, - audit_resources=None, - mfa_enabled=False, - audit_metadata=Audit_Metadata( - services_scanned=0, - expected_checks=[], - completed_checks=0, - audit_progress=0, - ), - ) - return audit_info - def test_no_vpcs(self): networkfirewall_client = mock.MagicMock - networkfirewall_client.audit_info = self.set_mocked_audit_info() - networkfirewall_client.region = AWS_REGION + networkfirewall_client.audit_info = set_mocked_aws_audit_info( + [AWS_REGION_US_EAST_1] + ) + networkfirewall_client.region = AWS_REGION_US_EAST_1 networkfirewall_client.network_firewalls = [] vpc_client = mock.MagicMock - vpc_client.audit_info = self.set_mocked_audit_info() - vpc_client.region = AWS_REGION + vpc_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1]) + vpc_client.region = AWS_REGION_US_EAST_1 vpc_client.vpcs = {} - audit_info = self.set_mocked_audit_info() + audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1]) with mock.patch( "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", 
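Review bot: `networkfirewall_client = mock.MagicMock` and `vpc_client = mock.MagicMock` (context lines in test_no_vpcs) bind the MagicMock class, not an instance, so the `.audit_info`, `.region`, `.network_firewalls` and `.vpcs` assignments that follow are class attributes on `unittest.mock.MagicMock` itself and persist across every test in the process; the refactor keeps this pattern. This appears to be the convention across the suite, so it may be deliberate, but each test should at least own its fixture: `networkfirewall_client = mock.MagicMock()` and `vpc_client = mock.MagicMock()`. Relatedly, `set_mocked_aws_audit_info` is called three times here, producing three unrelated audit_info objects for the two clients and for the patched `current_audit_info`; one shared instance would make it unambiguous which object the check under test reads. The test body continues past the hunk.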
@@ -87,13 +55,15 @@ class Test_networkfirewall_in_all_vpc: def test_vpcs_with_firewall_all(self): networkfirewall_client = mock.MagicMock - networkfirewall_client.audit_info = self.set_mocked_audit_info() - networkfirewall_client.region = AWS_REGION + networkfirewall_client.audit_info = set_mocked_aws_audit_info( + [AWS_REGION_US_EAST_1] + ) + networkfirewall_client.region = AWS_REGION_US_EAST_1 networkfirewall_client.network_firewalls = [ Firewall( arn=FIREWALL_ARN, name=FIREWALL_NAME, - region=AWS_REGION, + region=AWS_REGION_US_EAST_1, policy_arn=POLICY_ARN, vpc_id=VPC_ID_PROTECTED, tags=[], @@ -101,8 +71,8 @@ class Test_networkfirewall_in_all_vpc: ) ] vpc_client = mock.MagicMock - vpc_client.audit_info = self.set_mocked_audit_info() - vpc_client.region = AWS_REGION + vpc_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1]) + vpc_client.region = AWS_REGION_US_EAST_1 vpc_client.vpcs = { VPC_ID_PROTECTED: VPCs( id=VPC_ID_PROTECTED, @@ -110,7 +80,7 @@ class Test_networkfirewall_in_all_vpc: default=False, cidr_block="192.168.0.0/16", flow_log=False, - region=AWS_REGION, + region=AWS_REGION_US_EAST_1, arn="arn_test", subnets=[ VpcSubnet( @@ -123,7 +93,7 @@ class Test_networkfirewall_in_all_vpc: availability_zone="us-east-1a", public=False, nat_gateway=False, - region=AWS_REGION, + region=AWS_REGION_US_EAST_1, tags=[], mapPublicIpOnLaunch=False, ) @@ -132,7 +102,7 @@ class Test_networkfirewall_in_all_vpc: ) } - audit_info = self.set_mocked_audit_info() + audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1]) with mock.patch( "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", 
@@ -160,19 +130,21 @@ class Test_networkfirewall_in_all_vpc: result[0].status_extended == f"VPC {VPC_ID_PROTECTED} has Network Firewall enabled." ) - assert result[0].region == AWS_REGION + assert result[0].region == AWS_REGION_US_EAST_1 assert result[0].resource_id == VPC_ID_PROTECTED assert result[0].resource_tags == [] assert result[0].resource_arn == "arn_test" def test_vpcs_without_firewall(self): networkfirewall_client = mock.MagicMock - networkfirewall_client.audit_info = self.set_mocked_audit_info() - networkfirewall_client.region = AWS_REGION + networkfirewall_client.audit_info = set_mocked_aws_audit_info( + [AWS_REGION_US_EAST_1] + ) + networkfirewall_client.region = AWS_REGION_US_EAST_1 networkfirewall_client.network_firewalls = [] vpc_client = mock.MagicMock - vpc_client.audit_info = self.set_mocked_audit_info() - vpc_client.region = AWS_REGION + vpc_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1]) + vpc_client.region = AWS_REGION_US_EAST_1 vpc_client.vpcs = { VPC_ID_UNPROTECTED: VPCs( id=VPC_ID_UNPROTECTED, @@ -180,7 +152,7 @@ class Test_networkfirewall_in_all_vpc: default=False, cidr_block="192.168.0.0/16", flow_log=False, - region=AWS_REGION, + region=AWS_REGION_US_EAST_1, arn="arn_test", subnets=[ VpcSubnet( @@ -193,7 +165,7 @@ class Test_networkfirewall_in_all_vpc: availability_zone="us-east-1a", public=False, nat_gateway=False, - region=AWS_REGION, + region=AWS_REGION_US_EAST_1, tags=[], mapPublicIpOnLaunch=False, ) @@ -202,7 +174,7 @@ class Test_networkfirewall_in_all_vpc: ) } - audit_info = self.set_mocked_audit_info() + audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1]) with mock.patch( "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", 
@@ -230,20 +202,22 @@ class Test_networkfirewall_in_all_vpc: result[0].status_extended == f"VPC {VPC_ID_UNPROTECTED} does not have Network Firewall enabled." ) - assert result[0].region == AWS_REGION + assert result[0].region == AWS_REGION_US_EAST_1 assert result[0].resource_id == VPC_ID_UNPROTECTED assert result[0].resource_tags == [] assert result[0].resource_arn == "arn_test" def test_vpcs_with_name_without_firewall(self): networkfirewall_client = mock.MagicMock - networkfirewall_client.audit_info = self.set_mocked_audit_info() - networkfirewall_client.region = AWS_REGION + networkfirewall_client.audit_info = set_mocked_aws_audit_info( + [AWS_REGION_US_EAST_1] + ) + networkfirewall_client.region = AWS_REGION_US_EAST_1 networkfirewall_client.network_firewalls = [] vpc_client = mock.MagicMock - vpc_client.audit_info = self.set_mocked_audit_info() - vpc_client.region = AWS_REGION + vpc_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1]) + vpc_client.region = AWS_REGION_US_EAST_1 vpc_client.vpcs = { VPC_ID_UNPROTECTED: VPCs( id=VPC_ID_UNPROTECTED, @@ -251,7 +225,7 @@ class Test_networkfirewall_in_all_vpc: default=False, cidr_block="192.168.0.0/16", flow_log=False, - region=AWS_REGION, + region=AWS_REGION_US_EAST_1, arn="arn_test", subnets=[ VpcSubnet( @@ -264,7 +238,7 @@ class Test_networkfirewall_in_all_vpc: availability_zone="us-east-1a", public=False, nat_gateway=False, - region=AWS_REGION, + region=AWS_REGION_US_EAST_1, tags=[], mapPublicIpOnLaunch=False, ) @@ -273,7 +247,7 @@ class Test_networkfirewall_in_all_vpc: ) } - audit_info = self.set_mocked_audit_info() + audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1]) with mock.patch( "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", 
@@ -301,20 +275,22 @@ class Test_networkfirewall_in_all_vpc: result[0].status_extended == "VPC vpc_name does not have Network Firewall enabled." ) - assert result[0].region == AWS_REGION + assert result[0].region == AWS_REGION_US_EAST_1 assert result[0].resource_id == VPC_ID_UNPROTECTED assert result[0].resource_tags == [] assert result[0].resource_arn == "arn_test" def test_vpcs_with_and_without_firewall(self): networkfirewall_client = mock.MagicMock - networkfirewall_client.audit_info = self.set_mocked_audit_info() - networkfirewall_client.region = AWS_REGION + networkfirewall_client.audit_info = set_mocked_aws_audit_info( + [AWS_REGION_US_EAST_1] + ) + networkfirewall_client.region = AWS_REGION_US_EAST_1 networkfirewall_client.network_firewalls = [ Firewall( arn=FIREWALL_ARN, name=FIREWALL_NAME, - region=AWS_REGION, + region=AWS_REGION_US_EAST_1, policy_arn=POLICY_ARN, vpc_id=VPC_ID_PROTECTED, tags=[], @@ -322,8 +298,8 @@ class Test_networkfirewall_in_all_vpc: ) ] vpc_client = mock.MagicMock - vpc_client.audit_info = self.set_mocked_audit_info() - vpc_client.region = AWS_REGION + vpc_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1]) + vpc_client.region = AWS_REGION_US_EAST_1 vpc_client.vpcs = { VPC_ID_UNPROTECTED: VPCs( id=VPC_ID_UNPROTECTED, @@ -331,7 +307,7 @@ class Test_networkfirewall_in_all_vpc: default=False, cidr_block="192.168.0.0/16", flow_log=False, - region=AWS_REGION, + region=AWS_REGION_US_EAST_1, arn="arn_test", subnets=[ VpcSubnet( @@ -344,7 +320,7 @@ class Test_networkfirewall_in_all_vpc: availability_zone="us-east-1a", public=False, nat_gateway=False, - region=AWS_REGION, + region=AWS_REGION_US_EAST_1, tags=[], mapPublicIpOnLaunch=False, ) @@ -357,7 +333,7 @@ class Test_networkfirewall_in_all_vpc: default=False, cidr_block="192.168.0.0/16", flow_log=False, - region=AWS_REGION, + region=AWS_REGION_US_EAST_1, arn="arn_test", subnets=[ VpcSubnet( 
@@ -370,7 +346,7 @@ class Test_networkfirewall_in_all_vpc: availability_zone="us-east-1a", public=False, nat_gateway=False, - region=AWS_REGION, + region=AWS_REGION_US_EAST_1, tags=[], mapPublicIpOnLaunch=False, ) @@ -379,7 +355,7 @@ class Test_networkfirewall_in_all_vpc: ), } - audit_info = self.set_mocked_audit_info() + audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1]) with mock.patch( "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", @@ -409,7 +385,7 @@ class Test_networkfirewall_in_all_vpc: r.status_extended == f"VPC {VPC_ID_PROTECTED} has Network Firewall enabled." ) - assert r.region == AWS_REGION + assert r.region == AWS_REGION_US_EAST_1 assert r.resource_id == VPC_ID_PROTECTED assert r.resource_tags == [] assert r.resource_arn == "arn_test" @@ -419,26 +395,28 @@ class Test_networkfirewall_in_all_vpc: r.status_extended == f"VPC {VPC_ID_UNPROTECTED} does not have Network Firewall enabled." ) - assert r.region == AWS_REGION + assert r.region == AWS_REGION_US_EAST_1 assert r.resource_id == VPC_ID_UNPROTECTED assert r.resource_tags == [] assert r.resource_arn == "arn_test" def test_vpcs_without_firewall_ignoring(self): networkfirewall_client = mock.MagicMock - networkfirewall_client.audit_info = self.set_mocked_audit_info() - networkfirewall_client.region = AWS_REGION + networkfirewall_client.audit_info = set_mocked_aws_audit_info( + [AWS_REGION_US_EAST_1] + ) + networkfirewall_client.region = AWS_REGION_US_EAST_1 networkfirewall_client.network_firewalls = [] vpc_client = mock.MagicMock - vpc_client.audit_info = self.set_mocked_audit_info() - vpc_client.region = AWS_REGION + vpc_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1]) + vpc_client.region = AWS_REGION_US_EAST_1 vpc_client.vpcs = { VPC_ID_UNPROTECTED: VPCs( id=VPC_ID_UNPROTECTED, default=False, cidr_block="192.168.0.0/16", flow_log=False, - region=AWS_REGION, + region=AWS_REGION_US_EAST_1, arn="arn_test", name="vpc_name", subnets=[ 
@@ -452,7 +430,7 @@ class Test_networkfirewall_in_all_vpc: availability_zone="us-east-1a", public=False, nat_gateway=False, - region=AWS_REGION, + region=AWS_REGION_US_EAST_1, tags=[], mapPublicIpOnLaunch=False, ) @@ -461,7 +439,7 @@ class Test_networkfirewall_in_all_vpc: ) } - audit_info = self.set_mocked_audit_info() + audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1]) vpc_client.audit_info.ignore_unused_services = True with mock.patch( @@ -488,12 +466,14 @@ class Test_networkfirewall_in_all_vpc: def test_vpcs_without_firewall_ignoring_vpc_in_use(self): networkfirewall_client = mock.MagicMock - networkfirewall_client.audit_info = self.set_mocked_audit_info() - networkfirewall_client.region = AWS_REGION + networkfirewall_client.audit_info = set_mocked_aws_audit_info( + [AWS_REGION_US_EAST_1] + ) + networkfirewall_client.region = AWS_REGION_US_EAST_1 networkfirewall_client.network_firewalls = [] vpc_client = mock.MagicMock - vpc_client.audit_info = self.set_mocked_audit_info() - vpc_client.region = AWS_REGION + vpc_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1]) + vpc_client.region = AWS_REGION_US_EAST_1 vpc_client.vpcs = { VPC_ID_UNPROTECTED: VPCs( id=VPC_ID_UNPROTECTED, @@ -501,7 +481,7 @@ class Test_networkfirewall_in_all_vpc: default=False, cidr_block="192.168.0.0/16", flow_log=False, - region=AWS_REGION, + region=AWS_REGION_US_EAST_1, arn="arn_test", in_use=True, subnets=[ @@ -515,7 +495,7 @@ class Test_networkfirewall_in_all_vpc: availability_zone="us-east-1a", public=False, nat_gateway=False, - region=AWS_REGION, + region=AWS_REGION_US_EAST_1, tags=[], mapPublicIpOnLaunch=False, ) @@ -524,7 +504,7 @@ class Test_networkfirewall_in_all_vpc: ) } - audit_info = self.set_mocked_audit_info() + audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1]) vpc_client.audit_info.ignore_unused_services = True with mock.patch( 
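Review bot: In the `@@ -461,7 +439,7 @@` hunk (test_vpcs_without_firewall_ignoring), `vpc_client.audit_info.ignore_unused_services = True` is set on the audit_info built for `vpc_client` only, while `networkfirewall_client.audit_info` and the `audit_info` that is patched into `current_audit_info` come from separate `set_mocked_aws_audit_info` calls and keep the helper's default; the same holds for the `@@ -524,7 +504,7 @@` hunk. Whether the check consults the flag through `vpc_client` or through the audited context is not visible here, so the test may pass or fail for the wrong reason after a refactor of that lookup. Sharing one instance removes the ambiguity: `audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])`, `audit_info.ignore_unused_services = True`, `networkfirewall_client.audit_info = vpc_client.audit_info = audit_info`. Both test bodies continue past their hunks into the `with mock.patch(` block.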
@@ -553,7 +533,7 @@ class Test_networkfirewall_in_all_vpc: result[0].status_extended == "VPC vpc_name does not have Network Firewall enabled." ) - assert result[0].region == AWS_REGION + assert result[0].region == AWS_REGION_US_EAST_1 assert result[0].resource_id == VPC_ID_UNPROTECTED assert result[0].resource_tags == [] assert result[0].resource_arn == "arn_test" diff --git a/tests/providers/aws/services/networkfirewall/networkfirewall_service_test.py b/tests/providers/aws/services/networkfirewall/networkfirewall_service_test.py index a7fe5a4a..20aaa3b2 100644 --- a/tests/providers/aws/services/networkfirewall/networkfirewall_service_test.py +++ b/tests/providers/aws/services/networkfirewall/networkfirewall_service_test.py @@ -1,16 +1,15 @@ from unittest.mock import patch import botocore -from boto3 import session -from prowler.providers.aws.lib.audit_info.audit_info import AWS_Audit_Info from prowler.providers.aws.services.networkfirewall.networkfirewall_service import ( NetworkFirewall, ) -from prowler.providers.common.models import Audit_Metadata +from tests.providers.aws.audit_info_utils import ( + AWS_REGION_US_EAST_1, + set_mocked_aws_audit_info, +) -# Mock Test Region -AWS_REGION = "us-east-1" FIREWALL_ARN = "arn:aws:network-firewall:us-east-1:123456789012:firewall/my-firewall" FIREWALL_NAME = "my-firewall" VPC_ID = "vpc-12345678901234567" @@ -53,9 +52,11 @@ def mock_make_api_call(self, operation_name, kwargs): def mock_generate_regional_clients(service, audit_info, _): - regional_client = audit_info.audit_session.client(service, region_name=AWS_REGION) - regional_client.region = AWS_REGION - return {AWS_REGION: regional_client} + regional_client = audit_info.audit_session.client( + service, region_name=AWS_REGION_US_EAST_1 + ) + regional_client.region = AWS_REGION_US_EAST_1 + return {AWS_REGION_US_EAST_1: regional_client} # Patch every AWS call using Boto3 and generate_regional_clients to have 1 client 
@@ -65,64 +66,33 @@ def mock_generate_regional_clients(service, audit_info, _): new=mock_generate_regional_clients, ) class Test_NetworkFirewall_Service: - # Mocked Audit Info - def set_mocked_audit_info(self): - audit_info = AWS_Audit_Info( - session_config=None, - original_session=None, - audit_session=session.Session( - profile_name=None, - botocore_session=None, - ), - audited_account=None, - audited_account_arn=None, - audited_user_id=None, - audited_partition="aws", - audited_identity_arn=None, - profile=None, - profile_region=None, - credentials=None, - assumed_role_info=None, - audited_regions=None, - organizations_metadata=None, - audit_resources=None, - mfa_enabled=False, - audit_metadata=Audit_Metadata( - services_scanned=0, - expected_checks=[], - completed_checks=0, - audit_progress=0, - ), - ) - return audit_info - def test__get_client__(self): - audit_info = self.set_mocked_audit_info() + audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1]) networkfirewall = NetworkFirewall(audit_info) assert ( - networkfirewall.regional_clients[AWS_REGION].__class__.__name__ + networkfirewall.regional_clients[AWS_REGION_US_EAST_1].__class__.__name__ == "NetworkFirewall" ) def test__get_service__(self): - audit_info = self.set_mocked_audit_info() + audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1]) networkfirewall = NetworkFirewall(audit_info) assert networkfirewall.service == "network-firewall" def test__list_firewalls__(self): - audit_info = self.set_mocked_audit_info() + audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1]) networkfirewall = NetworkFirewall(audit_info) assert len(networkfirewall.network_firewalls) == 1 assert networkfirewall.network_firewalls[0].arn == FIREWALL_ARN - assert networkfirewall.network_firewalls[0].region == AWS_REGION + assert networkfirewall.network_firewalls[0].region == AWS_REGION_US_EAST_1 assert networkfirewall.network_firewalls[0].name == FIREWALL_NAME def test__describe_firewall__(self): - 
audit_info = self.set_mocked_audit_info() + audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1]) networkfirewall = NetworkFirewall(audit_info) assert len(networkfirewall.network_firewalls) == 1 assert networkfirewall.network_firewalls[0].arn == FIREWALL_ARN - assert networkfirewall.network_firewalls[0].region == AWS_REGION + assert networkfirewall.network_firewalls[0].region == AWS_REGION_US_EAST_1 assert networkfirewall.network_firewalls[0].name == FIREWALL_NAME assert networkfirewall.network_firewalls[0].policy_arn == POLICY_ARN assert networkfirewall.network_firewalls[0].vpc_id == VPC_ID
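Review bot: `test__describe_firewall__` repeats all four assertions of `test__list_firewalls__` verbatim before adding `policy_arn` and `vpc_id`, so a regression in `__list_firewalls__` fails both tests and the second one no longer isolates what `__describe_firewall__` contributes. Keep the length/ARN/region/name assertions in the list test and leave the describe test with the fields that call populates: `assert networkfirewall.network_firewalls[0].policy_arn == POLICY_ARN` and `assert networkfirewall.network_firewalls[0].vpc_id == VPC_ID`. The shared helper also pins `audited_regions` to `us-east-1` where the removed fixture left regions and account unset; that is harmless only because `generate_regional_clients` is patched at class level, which is worth a one-line comment on the class so the dependency is not lost. The class's patch decorators begin before this hunk.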