ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 06:45:08 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
73780682a171d114cf8cc5c070c811b995ac9c69
prowler/tests/providers/aws/lib/allowlist/allowlist_test.py
Pepe Fagoaga 73780682a1 fix(allowlist): Handle empty exceptions (#3266)
2024-01-12 09:54:03 +01:00

1253 lines
34 KiB
Python
Raw Blame History

import yaml
from boto3 import resource
from mock import MagicMock
from moto import mock_dynamodb, mock_s3
from prowler.providers.aws.lib.allowlist.allowlist import (
allowlist_findings,
is_allowlisted,
is_allowlisted_in_check,
is_allowlisted_in_region,
is_allowlisted_in_resource,
is_allowlisted_in_tags,
is_excepted,
parse_allowlist_file,
)
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_EU_CENTRAL_1,
AWS_REGION_EU_SOUTH_3,
AWS_REGION_EU_WEST_1,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_Allowlist:
# Test S3 allowlist
@mock_s3
def test_s3_allowlist(self):
audit_info = set_mocked_aws_audit_info()
# Create bucket and upload allowlist yaml
s3_resource = resource("s3", region_name=AWS_REGION_US_EAST_1)
s3_resource.create_bucket(Bucket="test-allowlist")
s3_resource.Object("test-allowlist", "allowlist.yaml").put(
Body=open(
"tests/providers/aws/lib/allowlist/fixtures/allowlist.yaml",
"rb",
)
)
with open("tests/providers/aws/lib/allowlist/fixtures/allowlist.yaml") as f:
assert yaml.safe_load(f)["Allowlist"] == parse_allowlist_file(
audit_info, "s3://test-allowlist/allowlist.yaml"
)
# Test DynamoDB allowlist
@mock_dynamodb
def test_dynamo_allowlist(self):
audit_info = set_mocked_aws_audit_info()
# Create table and put item
dynamodb_resource = resource("dynamodb", region_name=AWS_REGION_US_EAST_1)
table_name = "test-allowlist"
params = {
"TableName": table_name,
"KeySchema": [
{"AttributeName": "Accounts", "KeyType": "HASH"},
{"AttributeName": "Checks", "KeyType": "RANGE"},
],
"AttributeDefinitions": [
{"AttributeName": "Accounts", "AttributeType": "S"},
{"AttributeName": "Checks", "AttributeType": "S"},
],
"ProvisionedThroughput": {
"ReadCapacityUnits": 10,
"WriteCapacityUnits": 10,
},
}
table = dynamodb_resource.create_table(**params)
table.put_item(
Item={
"Accounts": "*",
"Checks": "iam_user_hardware_mfa_enabled",
"Regions": [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
"Resources": ["keyword"],
}
)
assert (
"keyword"
in parse_allowlist_file(
audit_info,
"arn:aws:dynamodb:"
+ AWS_REGION_US_EAST_1
+ ":"
+ str(AWS_ACCOUNT_NUMBER)
+ ":table/"
+ table_name,
)["Accounts"]["*"]["Checks"]["iam_user_hardware_mfa_enabled"]["Resources"]
)
@mock_dynamodb
def test_dynamo_allowlist_with_tags(self):
audit_info = set_mocked_aws_audit_info()
# Create table and put item
dynamodb_resource = resource("dynamodb", region_name=AWS_REGION_US_EAST_1)
table_name = "test-allowlist"
params = {
"TableName": table_name,
"KeySchema": [
{"AttributeName": "Accounts", "KeyType": "HASH"},
{"AttributeName": "Checks", "KeyType": "RANGE"},
],
"AttributeDefinitions": [
{"AttributeName": "Accounts", "AttributeType": "S"},
{"AttributeName": "Checks", "AttributeType": "S"},
],
"ProvisionedThroughput": {
"ReadCapacityUnits": 10,
"WriteCapacityUnits": 10,
},
}
table = dynamodb_resource.create_table(**params)
table.put_item(
Item={
"Accounts": "*",
"Checks": "*",
"Regions": ["*"],
"Resources": ["*"],
"Tags": ["environment=dev"],
}
)
assert (
"environment=dev"
in parse_allowlist_file(
audit_info,
"arn:aws:dynamodb:"
+ AWS_REGION_US_EAST_1
+ ":"
+ str(AWS_ACCOUNT_NUMBER)
+ ":table/"
+ table_name,
)["Accounts"]["*"]["Checks"]["*"]["Tags"]
)
# Allowlist tests
def test_allowlist_findings_only_wildcard(self):
# Allowlist example
allowlist = {
"Accounts": {
"*": {
"Checks": {
"check_test": {
"Regions": [AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1],
"Resources": ["prowler", "^test", "prowler-pro"],
}
}
}
}
}
# Check Findings
check_findings = []
finding_1 = MagicMock
finding_1.check_metadata = MagicMock
finding_1.check_metadata.CheckID = "check_test"
finding_1.status = "FAIL"
finding_1.region = AWS_REGION_US_EAST_1
finding_1.resource_id = "prowler"
finding_1.resource_tags = []
check_findings.append(finding_1)
allowlisted_findings = allowlist_findings(
allowlist, AWS_ACCOUNT_NUMBER, check_findings
)
assert len(allowlisted_findings) == 1
assert allowlisted_findings[0].status == "WARNING"
def test_allowlist_all_exceptions_empty(self):
# Allowlist example
allowlist = {
"Accounts": {
"*": {
"Checks": {
"*": {
"Tags": ["*"],
"Regions": [AWS_REGION_US_EAST_1],
"Resources": ["*"],
"Exceptions": {
"Tags": [],
"Regions": [],
"Accounts": [],
"Resources": [],
},
}
}
}
}
}
# Check Findings
check_findings = []
finding_1 = MagicMock
finding_1.check_metadata = MagicMock
finding_1.check_metadata.CheckID = "check_test"
finding_1.status = "FAIL"
finding_1.region = AWS_REGION_US_EAST_1
finding_1.resource_id = "prowler"
finding_1.resource_tags = []
check_findings.append(finding_1)
allowlisted_findings = allowlist_findings(
allowlist, AWS_ACCOUNT_NUMBER, check_findings
)
assert len(allowlisted_findings) == 1
assert allowlisted_findings[0].status == "WARNING"
def test_is_allowlisted_with_everything_excepted(self):
allowlist = {
"Accounts": {
"*": {
"Checks": {
"athena_*": {
"Regions": "*",
"Resources": "*",
"Tags": "*",
"Exceptions": {
"Accounts": ["*"],
"Regions": ["*"],
"Resources": ["*"],
"Tags": ["*"],
},
}
}
}
}
}
assert not is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"athena_1",
AWS_REGION_US_EAST_1,
"prowler",
"",
)
def test_is_allowlisted_with_default_allowlist(self):
allowlist = {
"Accounts": {
"*": {
"Checks": {
"*": {
"Tags": ["*"],
"Regions": ["*"],
"Resources": ["*"],
}
}
}
}
}
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"athena_1",
AWS_REGION_US_EAST_1,
"prowler",
"",
)
def test_is_allowlisted(self):
# Allowlist example
allowlist = {
"Accounts": {
"*": {
"Checks": {
"check_test": {
"Regions": [AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1],
"Resources": ["prowler", "^test", "prowler-pro"],
}
}
}
}
}
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION_US_EAST_1,
"prowler",
"",
)
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION_US_EAST_1,
"prowler-test",
"",
)
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION_US_EAST_1,
"test-prowler",
"",
)
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION_US_EAST_1,
"prowler-pro-test",
"",
)
assert not (
is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", ""
)
)
def test_is_allowlisted_wildcard(self):
# Allowlist example
allowlist = {
"Accounts": {
"*": {
"Checks": {
"check_test": {
"Regions": [AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1],
"Resources": [".*"],
}
}
}
}
}
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION_US_EAST_1,
"prowler",
"",
)
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION_US_EAST_1,
"prowler-test",
"",
)
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION_US_EAST_1,
"test-prowler",
"",
)
assert not (
is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", ""
)
)
def test_is_allowlisted_asterisk(self):
# Allowlist example
allowlist = {
"Accounts": {
"*": {
"Checks": {
"check_test": {
"Regions": [AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1],
"Resources": ["*"],
}
}
}
}
}
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION_US_EAST_1,
"prowler",
"",
)
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION_US_EAST_1,
"prowler-test",
"",
)
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION_US_EAST_1,
"test-prowler",
"",
)
assert not (
is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", ""
)
)
def test_is_allowlisted_all_and_single_account(self):
# Allowlist example
allowlist = {
"Accounts": {
"*": {
"Checks": {
"check_test_2": {
"Regions": [AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1],
"Resources": ["*"],
}
}
},
AWS_ACCOUNT_NUMBER: {
"Checks": {
"check_test": {
"Regions": [AWS_REGION_US_EAST_1],
"Resources": ["*"],
}
}
},
}
}
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test_2",
AWS_REGION_US_EAST_1,
"prowler",
"",
)
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION_US_EAST_1,
"prowler",
"",
)
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION_US_EAST_1,
"prowler-test",
"",
)
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION_US_EAST_1,
"test-prowler",
"",
)
assert not (
is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", ""
)
)
def test_is_allowlisted_all_and_single_account_with_different_resources(self):
# Allowlist example
allowlist = {
"Accounts": {
"*": {
"Checks": {
"check_test_1": {
"Regions": ["*"],
"Resources": ["resource_1", "resource_2"],
},
}
},
AWS_ACCOUNT_NUMBER: {
"Checks": {
"check_test_1": {
"Regions": ["*"],
"Resources": ["resource_3"],
}
}
},
}
}
assert is_allowlisted(
allowlist,
"111122223333",
"check_test_1",
AWS_REGION_US_EAST_1,
"resource_1",
"",
)
assert is_allowlisted(
allowlist,
"111122223333",
"check_test_1",
AWS_REGION_US_EAST_1,
"resource_2",
"",
)
assert not is_allowlisted(
allowlist,
"111122223333",
"check_test_1",
AWS_REGION_US_EAST_1,
"resource_3",
"",
)
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test_1",
AWS_REGION_US_EAST_1,
"resource_3",
"",
)
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test_1",
AWS_REGION_US_EAST_1,
"resource_2",
"",
)
def test_is_allowlisted_all_and_single_account_with_different_resources_and_exceptions(
self,
):
# Allowlist example
allowlist = {
"Accounts": {
"*": {
"Checks": {
"check_test_1": {
"Regions": ["*"],
"Resources": ["resource_1", "resource_2"],
"Exceptions": {"Regions": [AWS_REGION_US_EAST_1]},
},
}
},
AWS_ACCOUNT_NUMBER: {
"Checks": {
"check_test_1": {
"Regions": ["*"],
"Resources": ["resource_3"],
"Exceptions": {"Regions": [AWS_REGION_EU_WEST_1]},
}
}
},
}
}
assert not is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test_1",
AWS_REGION_US_EAST_1,
"resource_2",
"",
)
assert not is_allowlisted(
allowlist,
"111122223333",
"check_test_1",
AWS_REGION_US_EAST_1,
"resource_1",
"",
)
assert is_allowlisted(
allowlist,
"111122223333",
"check_test_1",
AWS_REGION_EU_WEST_1,
"resource_2",
"",
)
assert not is_allowlisted(
allowlist,
"111122223333",
"check_test_1",
AWS_REGION_US_EAST_1,
"resource_3",
"",
)
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test_1",
AWS_REGION_US_EAST_1,
"resource_3",
"",
)
assert not is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test_1",
AWS_REGION_EU_WEST_1,
"resource_3",
"",
)
def test_is_allowlisted_single_account(self):
allowlist = {
"Accounts": {
AWS_ACCOUNT_NUMBER: {
"Checks": {
"check_test": {
"Regions": [AWS_REGION_US_EAST_1],
"Resources": ["prowler"],
}
}
}
}
}
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION_US_EAST_1,
"prowler",
"",
)
assert not (
is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", ""
)
)
def test_is_allowlisted_in_region(self):
allowlisted_regions = [AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1]
finding_region = AWS_REGION_US_EAST_1
assert is_allowlisted_in_region(allowlisted_regions, finding_region)
def test_is_allowlisted_in_region_wildcard(self):
allowlisted_regions = ["*"]
finding_region = AWS_REGION_US_EAST_1
assert is_allowlisted_in_region(allowlisted_regions, finding_region)
def test_is_not_allowlisted_in_region(self):
allowlisted_regions = [AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1]
finding_region = "eu-west-2"
assert not is_allowlisted_in_region(allowlisted_regions, finding_region)
def test_is_allowlisted_in_check(self):
allowlisted_checks = {
"check_test": {
"Regions": [AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1],
"Resources": ["*"],
}
}
assert is_allowlisted_in_check(
allowlisted_checks,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION_US_EAST_1,
"prowler",
"",
)
assert is_allowlisted_in_check(
allowlisted_checks,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION_US_EAST_1,
"prowler-test",
"",
)
assert is_allowlisted_in_check(
allowlisted_checks,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION_US_EAST_1,
"test-prowler",
"",
)
assert not (
is_allowlisted_in_check(
allowlisted_checks,
AWS_ACCOUNT_NUMBER,
"check_test",
"us-east-2",
"test",
"",
)
)
def test_is_allowlisted_in_check_regex(self):
# Allowlist example
allowlisted_checks = {
"s3_*": {
"Regions": [AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1],
"Resources": ["*"],
}
}
assert is_allowlisted_in_check(
allowlisted_checks,
AWS_ACCOUNT_NUMBER,
"s3_bucket_public_access",
AWS_REGION_US_EAST_1,
"prowler",
"",
)
assert is_allowlisted_in_check(
allowlisted_checks,
AWS_ACCOUNT_NUMBER,
"s3_bucket_no_mfa_delete",
AWS_REGION_US_EAST_1,
"prowler-test",
"",
)
assert is_allowlisted_in_check(
allowlisted_checks,
AWS_ACCOUNT_NUMBER,
"s3_bucket_policy_public_write_access",
AWS_REGION_US_EAST_1,
"test-prowler",
"",
)
assert not (
is_allowlisted_in_check(
allowlisted_checks,
AWS_ACCOUNT_NUMBER,
"iam_user_hardware_mfa_enabled",
AWS_REGION_US_EAST_1,
"test",
"",
)
)
def test_is_allowlisted_lambda_generic_check(self):
allowlisted_checks = {
"lambda_*": {
"Regions": [AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1],
"Resources": ["*"],
}
}
assert is_allowlisted_in_check(
allowlisted_checks,
AWS_ACCOUNT_NUMBER,
"awslambda_function_invoke_api_operations_cloudtrail_logging_enabled",
AWS_REGION_US_EAST_1,
"prowler",
"",
)
assert is_allowlisted_in_check(
allowlisted_checks,
AWS_ACCOUNT_NUMBER,
"awslambda_function_no_secrets_in_code",
AWS_REGION_US_EAST_1,
"prowler",
"",
)
assert is_allowlisted_in_check(
allowlisted_checks,
AWS_ACCOUNT_NUMBER,
"awslambda_function_no_secrets_in_variables",
AWS_REGION_US_EAST_1,
"prowler",
"",
)
assert is_allowlisted_in_check(
allowlisted_checks,
AWS_ACCOUNT_NUMBER,
"awslambda_function_not_publicly_accessible",
AWS_REGION_US_EAST_1,
"prowler",
"",
)
assert is_allowlisted_in_check(
allowlisted_checks,
AWS_ACCOUNT_NUMBER,
"awslambda_function_url_cors_policy",
AWS_REGION_US_EAST_1,
"prowler",
"",
)
assert is_allowlisted_in_check(
allowlisted_checks,
AWS_ACCOUNT_NUMBER,
"awslambda_function_url_public",
AWS_REGION_US_EAST_1,
"prowler",
"",
)
assert is_allowlisted_in_check(
allowlisted_checks,
AWS_ACCOUNT_NUMBER,
"awslambda_function_using_supported_runtimes",
AWS_REGION_US_EAST_1,
"prowler",
"",
)
def test_is_allowlisted_lambda_concrete_check(self):
allowlisted_checks = {
"lambda_function_no_secrets_in_variables": {
"Regions": [AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1],
"Resources": ["*"],
}
}
assert is_allowlisted_in_check(
allowlisted_checks,
AWS_ACCOUNT_NUMBER,
"awslambda_function_no_secrets_in_variables",
AWS_REGION_US_EAST_1,
"prowler",
"",
)
def test_is_allowlisted_tags(self):
# Allowlist example
allowlist = {
"Accounts": {
"*": {
"Checks": {
"check_test": {
"Regions": [AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1],
"Resources": ["*"],
"Tags": ["environment=dev", "project=.*"],
}
}
}
}
}
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION_US_EAST_1,
"prowler",
"environment=dev",
)
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION_US_EAST_1,
"prowler-test",
"environment=dev | project=prowler",
)
assert not (
is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
"us-east-2",
"test",
"environment=pro",
)
)
def test_is_allowlisted_specific_account_with_other_account_excepted(self):
# Allowlist example
allowlist = {
"Accounts": {
AWS_ACCOUNT_NUMBER: {
"Checks": {
"check_test": {
"Regions": [AWS_REGION_EU_WEST_1],
"Resources": ["*"],
"Tags": [],
"Exceptions": {"Accounts": ["111122223333"]},
}
}
}
}
}
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION_EU_WEST_1,
"prowler",
"environment=dev",
)
assert not is_allowlisted(
allowlist,
"111122223333",
"check_test",
AWS_REGION_EU_WEST_1,
"prowler",
"environment=dev",
)
def test_is_allowlisted_complex_allowlist(self):
# Allowlist example
allowlist = {
"Accounts": {
"*": {
"Checks": {
"s3_bucket_object_versioning": {
"Regions": [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
"Resources": ["ci-logs", "logs", ".+-logs"],
},
"ecs_task_definitions_no_environment_secrets": {
"Regions": ["*"],
"Resources": ["*"],
"Exceptions": {
"Accounts": [AWS_ACCOUNT_NUMBER],
"Regions": [
AWS_REGION_EU_WEST_1,
AWS_REGION_EU_SOUTH_3,
],
},
},
"*": {
"Regions": ["*"],
"Resources": ["*"],
"Tags": ["environment=dev"],
},
}
},
AWS_ACCOUNT_NUMBER: {
"Checks": {
"*": {
"Regions": ["*"],
"Resources": ["*"],
"Exceptions": {
"Resources": ["test"],
"Tags": ["environment=prod"],
},
}
}
},
}
}
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"test_check",
AWS_REGION_EU_WEST_1,
"prowler-logs",
"environment=dev",
)
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"ecs_task_definitions_no_environment_secrets",
AWS_REGION_EU_WEST_1,
"prowler",
"environment=dev",
)
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"s3_bucket_object_versioning",
AWS_REGION_EU_WEST_1,
"prowler-logs",
"environment=dev",
)
def test_is_allowlisted_in_tags(self):
allowlist_tags = ["environment=dev", "project=prowler"]
assert is_allowlisted_in_tags(allowlist_tags, "environment=dev")
assert is_allowlisted_in_tags(
allowlist_tags,
"environment=dev | project=prowler",
)
assert not (
is_allowlisted_in_tags(
allowlist_tags,
"environment=pro",
)
)
def test_is_allowlisted_in_tags_regex(self):
allowlist_tags = ["environment=(dev|test)", ".*=prowler"]
assert is_allowlisted_in_tags(
allowlist_tags,
"environment=test | proj=prowler",
)
assert is_allowlisted_in_tags(
allowlist_tags,
"env=prod | project=prowler",
)
assert not is_allowlisted_in_tags(
allowlist_tags,
"environment=prod | project=myproj",
)
def test_is_allowlisted_in_tags_with_no_tags_in_finding(self):
allowlist_tags = ["environment=(dev|test)", ".*=prowler"]
finding_tags = ""
assert not is_allowlisted_in_tags(allowlist_tags, finding_tags)
def test_is_excepted(self):
# Allowlist example
exceptions = {
"Accounts": [AWS_ACCOUNT_NUMBER],
"Regions": ["eu-central-1", "eu-south-3"],
"Resources": ["test"],
"Tags": ["environment=test", "project=.*"],
}
assert is_excepted(
exceptions,
AWS_ACCOUNT_NUMBER,
"eu-central-1",
"test",
"environment=test",
)
assert is_excepted(
exceptions,
AWS_ACCOUNT_NUMBER,
"eu-south-3",
"test",
"environment=test",
)
assert is_excepted(
exceptions,
AWS_ACCOUNT_NUMBER,
"eu-south-3",
"test123",
"environment=test",
)
def test_is_excepted_only_in_account(self):
# Allowlist example
exceptions = {
"Accounts": [AWS_ACCOUNT_NUMBER],
"Regions": [],
"Resources": [],
"Tags": [],
}
assert is_excepted(
exceptions,
AWS_ACCOUNT_NUMBER,
"eu-central-1",
"test",
"environment=test",
)
def test_is_excepted_only_in_region(self):
# Allowlist example
exceptions = {
"Accounts": [],
"Regions": [AWS_REGION_EU_CENTRAL_1, AWS_REGION_EU_SOUTH_3],
"Resources": [],
"Tags": [],
}
assert is_excepted(
exceptions,
AWS_ACCOUNT_NUMBER,
AWS_REGION_EU_CENTRAL_1,
"test",
"environment=test",
)
def test_is_excepted_only_in_resources(self):
# Allowlist example
exceptions = {
"Accounts": [],
"Regions": [],
"Resources": ["resource_1"],
"Tags": [],
}
assert is_excepted(
exceptions,
AWS_ACCOUNT_NUMBER,
AWS_REGION_EU_CENTRAL_1,
"resource_1",
"environment=test",
)
def test_is_excepted_only_in_tags(self):
# Allowlist example
exceptions = {
"Accounts": [],
"Regions": [],
"Resources": [],
"Tags": ["environment=test"],
}
assert is_excepted(
exceptions,
AWS_ACCOUNT_NUMBER,
AWS_REGION_EU_CENTRAL_1,
"resource_1",
"environment=test",
)
def test_is_excepted_in_account_and_tags(self):
# Allowlist example
exceptions = {
"Accounts": [AWS_ACCOUNT_NUMBER],
"Regions": [],
"Resources": [],
"Tags": ["environment=test"],
}
assert is_excepted(
exceptions,
AWS_ACCOUNT_NUMBER,
AWS_REGION_EU_CENTRAL_1,
"resource_1",
"environment=test",
)
assert not is_excepted(
exceptions,
"111122223333",
AWS_REGION_EU_CENTRAL_1,
"resource_1",
"environment=test",
)
assert not is_excepted(
exceptions,
"111122223333",
AWS_REGION_EU_CENTRAL_1,
"resource_1",
"environment=dev",
)
def test_is_excepted_all_wildcard(self):
exceptions = {
"Accounts": ["*"],
"Regions": ["*"],
"Resources": ["*"],
"Tags": ["*"],
}
assert is_excepted(
exceptions, AWS_ACCOUNT_NUMBER, "eu-south-2", "test", "environment=test"
)
assert not is_excepted(
exceptions, AWS_ACCOUNT_NUMBER, "eu-south-2", "test", None
)
def test_is_not_excepted(self):
exceptions = {
"Accounts": [AWS_ACCOUNT_NUMBER],
"Regions": ["eu-central-1", "eu-south-3"],
"Resources": ["test"],
"Tags": ["environment=test", "project=.*"],
}
assert not is_excepted(
exceptions,
AWS_ACCOUNT_NUMBER,
"eu-south-2",
"test",
"environment=test",
)
assert not is_excepted(
exceptions,
AWS_ACCOUNT_NUMBER,
"eu-south-3",
"prowler",
"environment=test",
)
assert not is_excepted(
exceptions,
AWS_ACCOUNT_NUMBER,
"eu-south-3",
"test",
"environment=pro",
)
def test_is_excepted_all_empty(self):
exceptions = {
"Accounts": [],
"Regions": [],
"Resources": [],
"Tags": [],
}
assert not is_excepted(
exceptions,
AWS_ACCOUNT_NUMBER,
"eu-south-2",
"test",
"environment=test",
)
def test_is_allowlisted_in_resource(self):
allowlist_resources = ["prowler", "^test", "prowler-pro"]
assert is_allowlisted_in_resource(allowlist_resources, "prowler")
assert is_allowlisted_in_resource(allowlist_resources, "prowler-test")
assert is_allowlisted_in_resource(allowlist_resources, "test-prowler")
assert not is_allowlisted_in_resource(allowlist_resources, "random")
Reference in New Issue View Git Blame Copy Permalink