feat(allowlist): add exceptions to allowlist (#2527)

This commit is contained in:
Sergio Garcia
2023-06-27 12:57:18 +02:00
committed by GitHub
parent 6efe634850
commit fa99ee9d5b
4 changed files with 264 additions and 44 deletions


@@ -7,6 +7,7 @@ from prowler.providers.aws.lib.allowlist.allowlist import (
is_allowlisted_in_check,
is_allowlisted_in_region,
is_allowlisted_in_tags,
is_excepted,
parse_allowlist_file,
)
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
@@ -308,20 +309,44 @@ class Test_Allowlist:
}
assert is_allowlisted_in_check(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler", ""
allowlist,
AWS_ACCOUNT_NUMBER,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION,
"prowler",
"",
)
assert is_allowlisted_in_check(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-test", ""
allowlist,
AWS_ACCOUNT_NUMBER,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION,
"prowler-test",
"",
)
assert is_allowlisted_in_check(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "test-prowler", ""
allowlist,
AWS_ACCOUNT_NUMBER,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION,
"test-prowler",
"",
)
assert not (
is_allowlisted_in_check(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", ""
allowlist,
AWS_ACCOUNT_NUMBER,
AWS_ACCOUNT_NUMBER,
"check_test",
"us-east-2",
"test",
"",
)
)
@@ -343,6 +368,7 @@ class Test_Allowlist:
assert is_allowlisted_in_check(
allowlist,
AWS_ACCOUNT_NUMBER,
AWS_ACCOUNT_NUMBER,
"s3_bucket_public_access",
AWS_REGION,
"prowler",
@@ -352,6 +378,7 @@ class Test_Allowlist:
assert is_allowlisted_in_check(
allowlist,
AWS_ACCOUNT_NUMBER,
AWS_ACCOUNT_NUMBER,
"s3_bucket_public_access",
AWS_REGION,
"prowler-test",
@@ -361,6 +388,7 @@ class Test_Allowlist:
assert is_allowlisted_in_check(
allowlist,
AWS_ACCOUNT_NUMBER,
AWS_ACCOUNT_NUMBER,
"s3_bucket_public_access",
AWS_REGION,
"test-prowler",
@@ -371,6 +399,7 @@ class Test_Allowlist:
is_allowlisted_in_check(
allowlist,
AWS_ACCOUNT_NUMBER,
AWS_ACCOUNT_NUMBER,
"iam_user_hardware_mfa_enabled",
AWS_REGION,
"test",
@@ -482,3 +511,73 @@ class Test_Allowlist:
"prowler-test",
"environment=prod | project=myproj",
)
def test_is_excepted(self):
# Allowlist example
check_allowlist = {
"check_test": {
"Regions": ["us-east-1", "eu-west-1"],
"Resources": ["*"],
"Tags": ["environment=dev"],
"Exceptions": {
"Accounts": [AWS_ACCOUNT_NUMBER],
"Regions": ["eu-central-1", "eu-south-3"],
"Resources": ["test"],
"Tags": ["environment=test", "project=.*"],
},
}
}
assert is_excepted(
check_allowlist,
"check_test",
AWS_ACCOUNT_NUMBER,
"eu-central-1",
"test",
"environment=test",
)
assert is_excepted(
check_allowlist,
"check_test",
AWS_ACCOUNT_NUMBER,
"eu-south-3",
"test",
"environment=test",
)
assert is_excepted(
check_allowlist,
"check_test",
AWS_ACCOUNT_NUMBER,
"eu-south-3",
"test123",
"environment=test",
)
assert not is_excepted(
check_allowlist,
"check_test",
AWS_ACCOUNT_NUMBER,
"eu-south-2",
"test",
"environment=test",
)
assert not is_excepted(
check_allowlist,
"check_test",
AWS_ACCOUNT_NUMBER,
"eu-south-3",
"prowler",
"environment=test",
)
assert not is_excepted(
check_allowlist,
"check_test",
AWS_ACCOUNT_NUMBER,
"eu-south-3",
"test",
"environment=pro",
)
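Review bot: test_is_excepted never exercises the `Accounts` dimension of the exception block — every call passes AWS_ACCOUNT_NUMBER, the single id listed under `Exceptions.Accounts`, so an implementation that ignored the account filter entirely would still pass all six assertions. A negative case with a second id closes that gap, e.g. `assert not is_excepted(check_allowlist, "check_test", OTHER_ACCOUNT_NUMBER, "eu-central-1", "test", "environment=test")` with `OTHER_ACCOUNT_NUMBER` (a constructed placeholder) being any id distinct from AWS_ACCOUNT_NUMBER. The same weakness appears in the updated is_allowlisted_in_check calls in the earlier hunks of this file, where the newly added account argument duplicates AWS_ACCOUNT_NUMBER in every call, so a swap of the two account parameters would go unnoticed. The "test123" assertion also appears to pin that `Resources` entries match as unanchored patterns rather than exact names; a short comment such as `# "test" is matched as a pattern, so "test123" is excepted too` would make that intent explicit instead of reading like a typo.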