fix(sns_topics_not_publicly_accessible): Change PASS behaviour (#2282)

This commit is contained in:
Pepe Fagoaga
2023-04-26 12:51:51 +02:00
committed by GitHub
parent 7adcf5ca46
commit fdbdb3ad86
2 changed files with 33 additions and 14 deletions


@@ -12,7 +12,7 @@ class sns_topics_not_publicly_accessible(Check):
report.resource_arn = topic.arn report.resource_arn = topic.arn
report.resource_tags = topic.tags report.resource_tags = topic.tags
report.status = "PASS" report.status = "PASS"
report.status_extended = f"SNS topic {topic.name} without public access" report.status_extended = f"SNS topic {topic.name} is not publicly accesible"
if topic.policy: if topic.policy:
for statement in topic.policy["Statement"]: for statement in topic.policy["Statement"]:
# Only check allow statements # Only check allow statements
@@ -31,11 +31,11 @@ class sns_topics_not_publicly_accessible(Check):
if "Condition" not in statement: if "Condition" not in statement:
report.status = "FAIL" report.status = "FAIL"
report.status_extended = ( report.status_extended = (
f"SNS topic {topic.name} policy with public access" f"SNS topic {topic.name} is publicly accesible"
) )
else: else:
report.status = "FAIL" report.status = "PASS"
report.status_extended = f"SNS topic {topic.name} policy with public access but has a Condition" report.status_extended = f"SNS topic {topic.name} is publicly accesible but has a Condition that could filter it"
findings.append(report) findings.append(report)
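Review bot: The new `else` branch in the second hunk turns any public Allow statement into a PASS as soon as a `Condition` key is present, without looking at what the condition constrains, so a condition keyed on something that does not narrow the caller (or an empty `Condition` block, if the service accepts one) is now reported as not publicly accessible; the wording "could filter it" in the message concedes this. Consider keeping FAIL unless the condition uses a key the check recognizes as restricting the principal or source (for example `aws:SourceAccount` or `aws:SourceArn`), or at least mark the assumption in a comment such as `# Presence of a Condition is taken as restricting the public principal; its keys are not evaluated here`. The runtime string `is publicly accesible` in both hunks misspells "accessible"; the tests compare it verbatim, so change the check and the tests together. The enclosing `execute` method starts before the first hunk and ends after the second.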


@@ -1,4 +1,3 @@
from re import search
from unittest import mock from unittest import mock
from uuid import uuid4 from uuid import uuid4
@@ -61,7 +60,7 @@ class Test_sns_topics_not_publicly_accessible:
result = check.execute() result = check.execute()
assert len(result) == 0 assert len(result) == 0
def test_topics_not_public(self): def test_topic_not_public(self):
sns_client = mock.MagicMock sns_client = mock.MagicMock
sns_client.topics = [] sns_client.topics = []
sns_client.topics.append( sns_client.topics.append(
@@ -84,11 +83,16 @@ class Test_sns_topics_not_publicly_accessible:
result = check.execute() result = check.execute()
assert len(result) == 1 assert len(result) == 1
assert result[0].status == "PASS" assert result[0].status == "PASS"
assert search("without public access", result[0].status_extended) assert (
result[0].status_extended
== f"SNS topic {topic_name} is not publicly accesible"
)
assert result[0].resource_id == topic_name assert result[0].resource_id == topic_name
assert result[0].resource_arn == topic_arn assert result[0].resource_arn == topic_arn
assert result[0].region == AWS_REGION
assert result[0].resource_tags == []
def test_topics_no_policy(self): def test_topic_no_policy(self):
sns_client = mock.MagicMock sns_client = mock.MagicMock
sns_client.topics = [] sns_client.topics = []
sns_client.topics.append( sns_client.topics.append(
@@ -106,11 +110,16 @@ class Test_sns_topics_not_publicly_accessible:
result = check.execute() result = check.execute()
assert len(result) == 1 assert len(result) == 1
assert result[0].status == "PASS" assert result[0].status == "PASS"
assert search("without public access", result[0].status_extended) assert (
result[0].status_extended
== f"SNS topic {topic_name} is not publicly accesible"
)
assert result[0].resource_id == topic_name assert result[0].resource_id == topic_name
assert result[0].resource_arn == topic_arn assert result[0].resource_arn == topic_arn
assert result[0].region == AWS_REGION
assert result[0].resource_tags == []
def test_topics_public_with_condition(self): def test_topic_public_with_condition(self):
sns_client = mock.MagicMock sns_client = mock.MagicMock
sns_client.topics = [] sns_client.topics = []
sns_client.topics.append( sns_client.topics.append(
@@ -132,12 +141,17 @@ class Test_sns_topics_not_publicly_accessible:
check = sns_topics_not_publicly_accessible() check = sns_topics_not_publicly_accessible()
result = check.execute() result = check.execute()
assert len(result) == 1 assert len(result) == 1
assert result[0].status == "FAIL" assert result[0].status == "PASS"
assert search("but has a Condition", result[0].status_extended) assert (
result[0].status_extended
== f"SNS topic {topic_name} is publicly accesible but has a Condition that could filter it"
)
assert result[0].resource_id == topic_name assert result[0].resource_id == topic_name
assert result[0].resource_arn == topic_arn assert result[0].resource_arn == topic_arn
assert result[0].region == AWS_REGION
assert result[0].resource_tags == []
def test_topics_no_key(self): def test_topic_public(self):
sns_client = mock.MagicMock sns_client = mock.MagicMock
sns_client.topics = [] sns_client.topics = []
sns_client.topics.append( sns_client.topics.append(
@@ -160,6 +174,11 @@ class Test_sns_topics_not_publicly_accessible:
result = check.execute() result = check.execute()
assert len(result) == 1 assert len(result) == 1
assert result[0].status == "FAIL" assert result[0].status == "FAIL"
assert search("with public access", result[0].status_extended) assert (
result[0].status_extended
== f"SNS topic {topic_name} is publicly accesible"
)
assert result[0].resource_id == topic_name assert result[0].resource_id == topic_name
assert result[0].resource_arn == topic_arn assert result[0].resource_arn == topic_arn
assert result[0].region == AWS_REGION
assert result[0].resource_tags == []
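Review bot: Every test in this section binds `sns_client = mock.MagicMock` — the class, not an instance — so `sns_client.topics = []` sets an attribute on the shared MagicMock class and the topic list is visible to every other test that touches MagicMock; each should read `sns_client = mock.MagicMock()`. The renamed `test_topic_public_with_condition` now pins PASS for a statement that carries a Condition, but nothing in the section exercises a Condition that does not actually restrict the principal, which is the input the relaxed check now accepts; the policy fixture itself sits outside the hunk, so a sibling case with such a condition would document the intended scope of the PASS. Dropping `from re import search` in the first hunk is consistent with the move to exact-string assertions.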