From dbf376ec100b7950217ca9ec9e86f3b870dbced2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rub=C3=A9n=20De=20la=20Torre=20Vico?= Date: Wed, 16 Oct 2024 13:03:45 +0200 Subject: [PATCH] test(secretsmanager): test new check --- .../secretsmanager_secret_unused_test.py | 200 ++++++++++++++++++ 1 file changed, 200 insertions(+) create mode 100644 tests/providers/aws/services/secretsmanager/secretsmanager_secret_unused/secretsmanager_secret_unused_test.py diff --git a/tests/providers/aws/services/secretsmanager/secretsmanager_secret_unused/secretsmanager_secret_unused_test.py b/tests/providers/aws/services/secretsmanager/secretsmanager_secret_unused/secretsmanager_secret_unused_test.py new file mode 100644 index 0000000000..08af76f9b6 --- /dev/null +++ b/tests/providers/aws/services/secretsmanager/secretsmanager_secret_unused/secretsmanager_secret_unused_test.py @@ -0,0 +1,200 @@ +from datetime import datetime, timezone +from unittest.mock import patch + +import botocore +from boto3 import client +from freezegun import freeze_time +from moto import mock_aws + +from tests.providers.aws.utils import AWS_REGION_EU_WEST_1, set_mocked_aws_provider + +orig = botocore.client.BaseClient._make_api_call + + +def mock_make_api_call_secret_accessed_100_days_ago(self, operation_name, kwarg): + if operation_name == "ListSecrets": + return { + "SecretList": [ + { + "ARN": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:test-100-days-secret", + "Name": "test-100-days-secret", + "LastAccessedDate": datetime( + 2023, 1, 1, 0, 0, 0, tzinfo=timezone.utc + ), + "Tags": [{"Key": "Name", "Value": "test-100-days-secret"}], + } + ] + } + # If we don't want to patch the API call + return orig(self, operation_name, kwarg) + + +def mock_make_api_call_secret_accessed_yesterday(self, operation_name, kwarg): + if operation_name == "ListSecrets": + return { + "SecretList": [ + { + "ARN": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:test-secret", + "Name": "test-secret", + "LastAccessedDate": datetime( + 2023, 4, 9, 0, 0, 0, tzinfo=timezone.utc + ), + "Tags": [{"Key": "Name", "Value": "test-secret"}], + } + ] + } + # If we don't want to patch the API call + return orig(self, operation_name, kwarg) + + +class Test_secretsmanager_secret_unused: + def test_no_secrets(self): + aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) + + from prowler.providers.aws.services.secretsmanager.secretsmanager_service import ( + SecretsManager, + ) + + with patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ), patch( + "prowler.providers.aws.services.secretsmanager.secretsmanager_secret_unused.secretsmanager_secret_unused.secretsmanager_client", + new=SecretsManager(aws_provider), + ): + # Test Check + from prowler.providers.aws.services.secretsmanager.secretsmanager_secret_unused.secretsmanager_secret_unused import ( + secretsmanager_secret_unused, + ) + + check = secretsmanager_secret_unused() + result = check.execute() + + assert len(result) == 0 + + @mock_aws + def test_secret_never_used(self): + secretsmanager_client = client( + "secretsmanager", region_name=AWS_REGION_EU_WEST_1 + ) + + secret_arn = secretsmanager_client.create_secret( + Name="test-secret", + Tags=[ + {"Key": "Name", "Value": "test-secret"}, + ], + )["ARN"] + + aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) + + from prowler.providers.aws.services.secretsmanager.secretsmanager_service import ( + SecretsManager, + ) + + with patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ), patch( + "prowler.providers.aws.services.secretsmanager.secretsmanager_secret_unused.secretsmanager_secret_unused.secretsmanager_client", + new=SecretsManager(aws_provider), + ): + from prowler.providers.aws.services.secretsmanager.secretsmanager_secret_unused.secretsmanager_secret_unused import ( + secretsmanager_secret_unused, + ) + + check = secretsmanager_secret_unused() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == "Secret test-secret has never been accessed." + ) + assert result[0].resource_id == "test-secret" + assert result[0].resource_arn == secret_arn + assert result[0].region == AWS_REGION_EU_WEST_1 + assert result[0].resource_tags == [{"Key": "Name", "Value": "test-secret"}] + + @freeze_time("2023-04-10") + @patch( + "botocore.client.BaseClient._make_api_call", + new=mock_make_api_call_secret_accessed_100_days_ago, + ) + @mock_aws + def test_secret_unused_for_last_100_days(self): + aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) + + from prowler.providers.aws.services.secretsmanager.secretsmanager_service import ( + SecretsManager, + ) + + with patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ), patch( + "prowler.providers.aws.services.secretsmanager.secretsmanager_secret_unused.secretsmanager_secret_unused.secretsmanager_client", + new=SecretsManager(aws_provider), + ): + from prowler.providers.aws.services.secretsmanager.secretsmanager_secret_unused.secretsmanager_secret_unused import ( + secretsmanager_secret_unused, + ) + + check = secretsmanager_secret_unused() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == "Secret test-100-days-secret has not been accessed since 2023-01-01 00:00:00+00:00, you should review if it is still needed." + ) + assert result[0].resource_id == "test-100-days-secret" + assert ( + result[0].resource_arn + == "arn:aws:secretsmanager:eu-west-1:123456789012:secret:test-100-days-secret" + ) + assert result[0].region == AWS_REGION_EU_WEST_1 + assert result[0].resource_tags == [ + {"Key": "Name", "Value": "test-100-days-secret"} + ] + + @freeze_time("2023-04-10") + @patch( + "botocore.client.BaseClient._make_api_call", + new=mock_make_api_call_secret_accessed_yesterday, + ) + @mock_aws + def test_secret_used_yesterday(self): + aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) + + from prowler.providers.aws.services.secretsmanager.secretsmanager_service import ( + SecretsManager, + ) + + with patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ), patch( + "prowler.providers.aws.services.secretsmanager.secretsmanager_secret_unused.secretsmanager_secret_unused.secretsmanager_client", + new=SecretsManager(aws_provider), + ): + from prowler.providers.aws.services.secretsmanager.secretsmanager_secret_unused.secretsmanager_secret_unused import ( + secretsmanager_secret_unused, + ) + + check = secretsmanager_secret_unused() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "PASS" + assert ( + result[0].status_extended + == "Secret test-secret has been accessed recently, last accessed on 2023-04-09 00:00:00+00:00." + ) + assert result[0].resource_id == "test-secret" + assert result[0].resource_arn == ( + "arn:aws:secretsmanager:eu-west-1:123456789012:secret:test-secret" + ) + assert result[0].region == AWS_REGION_EU_WEST_1 + assert result[0].resource_tags == [{"Key": "Name", "Value": "test-secret"}]