feat(securityhub): add tags securityhub_enabled #5231

Merged
Expand Up @@ -12,6 +12,7 @@ def execute(self):
report.region = securityhub.region
report.resource_id = securityhub.id
report.resource_arn = securityhub.arn
report.resource_tags = securityhub.tags
if securityhub.status == "ACTIVE":
report.status = "PASS"
if securityhub.standards:
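Review bot: `report.resource_tags = securityhub.tags` copies the hub's tags unconditionally, but the service hunk in securityhub_service.py only lists tags when `resource.status != "NOT_AVAILABLE"`, so for a hub in that state the report carries whatever the model leaves in `tags` (presumably None, since the field has no explicit default) rather than a list. If the report writers expect a list in `resource_tags`, `report.resource_tags = securityhub.tags or []` normalises it at this single call site; giving the model field an explicit empty-list default would close the same gap from the other side. `execute` begins above this hunk.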
@@ -1,3 +1,5 @@
from typing import Optional

from botocore.client import ClientError
from pydantic import BaseModel

Expand All @@ -6,13 +8,13 @@
from prowler.providers.aws.lib.service.service import AWSService


################## SecurityHub
class SecurityHub(AWSService):
def __init__(self, provider):
# Call AWSService's __init__
super().__init__(__class__.__name__, provider)
self.securityhubs = []
self.__threading_call__(self._describe_hub)
self.__threading_call__(self._list_tags, self.securityhubs)

def _describe_hub(self, regional_client):
logger.info("SecurityHub - Describing Hub...")
Expand Down Expand Up @@ -85,6 +87,19 @@
f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)

def _list_tags(self, resource: any):
Please check here that this is not done for a Hub with NOT_AVAILABLE status.

Since the ARN would be an account ARN and therefore not valid.

Solved!

try:
if resource.status != "NOT_AVAILABLE":
resource.tags = [
self.regional_clients[resource.region].list_tags_for_resource(
ResourceArn=resource.arn
)["Tags"]
]
except Exception as error:
logger.error(

f"{resource.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)


class SecurityHubHub(BaseModel):
arn: str
Expand All @@ -93,3 +108,4 @@
standards: str
integrations: str
region: str
tags: Optional[list]
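Review bot: The annotation in `def _list_tags(self, resource: any):` names the builtin function `any`, not a type, so it documents nothing and misleads type checkers; the objects fed in appear to be the entries of `self.securityhubs`, so `def _list_tags(self, resource: "SecurityHubHub"):` is the accurate hint (quoted, as the class is defined further down the file). Relatedly, `tags: Optional[list]` in `SecurityHubHub` declares no default while `_list_tags` deliberately leaves NOT_AVAILABLE hubs untouched, so whether the model can be constructed without `tags` depends on the pydantic version in use — `tags: Optional[list] = []` makes the intent explicit either way. The stored value is the response's `Tags` map wrapped in a one-element list (`[ ...["Tags"] ]`); if that shape is intended, a one-line comment saying so would spare the next reader a double-take.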
Expand Up @@ -18,6 +18,7 @@ def test_securityhub_hub_inactive(self):
standards="",
integrations="",
region=AWS_REGION_EU_WEST_1,
tags=[{"test_key": "test_value"}],
)
]
with mock.patch(
Expand All @@ -37,6 +38,7 @@ def test_securityhub_hub_inactive(self):
assert result[0].resource_id == "Security Hub"
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_tags == [{"test_key": "test_value"}]

def test_securityhub_hub_active_with_standards(self):
securityhub_client = mock.MagicMock
Expand All @@ -47,7 +49,8 @@ def test_securityhub_hub_active_with_standards(self):
status="ACTIVE",
standards="cis-aws-foundations-benchmark/v/1.2.0",
integrations="",
region="eu-west-1",
region=AWS_REGION_EU_WEST_1,
tags=[{"test_key": "test_value"}],
)
]
with mock.patch(
Expand All @@ -73,6 +76,7 @@ def test_securityhub_hub_active_with_standards(self):
== "arn:aws:securityhub:us-east-1:0123456789012:hub/default"
)
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_tags == [{"test_key": "test_value"}]

def test_securityhub_hub_active_with_integrations(self):
securityhub_client = mock.MagicMock
Expand All @@ -83,7 +87,8 @@ def test_securityhub_hub_active_with_integrations(self):
status="ACTIVE",
standards="",
integrations="prowler",
region="eu-west-1",
region=AWS_REGION_EU_WEST_1,
tags=[{"test_key": "test_value"}],
)
]
with mock.patch(
Expand All @@ -109,6 +114,7 @@ def test_securityhub_hub_active_with_integrations(self):
== "arn:aws:securityhub:us-east-1:0123456789012:hub/default"
)
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_tags == [{"test_key": "test_value"}]

def test_securityhub_hub_active_without_integrations_or_standards(self):
securityhub_client = mock.MagicMock
Expand All @@ -120,7 +126,8 @@ def test_securityhub_hub_active_without_integrations_or_standards(self):
status="ACTIVE",
standards="",
integrations="",
region="eu-west-1",
region=AWS_REGION_EU_WEST_1,
tags=[{"test_key": "test_value"}],
)
]
with mock.patch(
Expand All @@ -146,6 +153,7 @@ def test_securityhub_hub_active_without_integrations_or_standards(self):
== "arn:aws:securityhub:us-east-1:0123456789012:hub/default"
)
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_tags == [{"test_key": "test_value"}]

def test_securityhub_hub_active_without_integrations_or_standards_muted(self):
securityhub_client = mock.MagicMock
Expand All @@ -159,6 +167,7 @@ def test_securityhub_hub_active_without_integrations_or_standards_muted(self):
standards="",
integrations="",
region="eu-south-2",
tags=[],
)
]
with mock.patch(
Expand All @@ -185,3 +194,4 @@ def test_securityhub_hub_active_without_integrations_or_standards_muted(self):
== "arn:aws:securityhub:us-east-1:0123456789012:hub/default"
)
assert result[0].region == "eu-south-2"
assert result[0].resource_tags == []
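Review bot: `test_securityhub_hub_inactive` now builds its hub with `tags=[{"test_key": "test_value"}]`, yet the service never lists tags for a hub whose status is NOT_AVAILABLE, so if this fixture models that state (its `status=` line is above the hunk) the check is never exercised with the untagged hub it would actually receive. Constructing that fixture with `tags=None` and asserting what `resource_tags` then holds would cover the path the service really produces. The remaining fixtures only confirm a pre-populated list is copied through, which is the easy case.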
Expand Up @@ -37,6 +37,11 @@ def mock_make_api_call(self, operation_name, kwarg):
return {
"HubArn": "arn:aws:securityhub:us-east-1:0123456789012:hub/default",
}
if operation_name == "ListTagsForResource":
return {
"Tags": {"test_key": "test_value"},
}

return make_api_call(self, operation_name, kwarg)


Expand Down Expand Up @@ -80,3 +85,9 @@ def test_describe_hub(self):
assert securityhub.securityhubs[0].id == "default"
assert securityhub.securityhubs[0].standards == "cis-aws-foundations-benchmark "
assert securityhub.securityhubs[0].integrations == "prowler "

def test_list_tags(self):
# Set partition for the service
securityhub = SecurityHub(set_mocked_aws_provider([AWS_REGION_EU_WEST_1]))
assert len(securityhub.securityhubs) == 1
assert securityhub.securityhubs[0].tags == [{"test_key": "test_value"}]
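Review bot: The comment `# Set partition for the service` above `test_list_tags` describes nothing the test does — it builds the service against the mocked provider and asserts the collected tags — so it reads like a copy-paste; `# ListTagsForResource is mocked above to return a single tag map` would be accurate. The mock returns `Tags` as a map and the assertion pins `[{"test_key": "test_value"}]`, which locks in the service's wrapping of that map in a one-element list; if that shape is deliberate the test is right, but it is worth confirming against how other services in the provider store tags, because this assertion would bless either representation as long as the two files agree.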