From 6ffae9f18e23cd547dd248ee2d7c9222c644f5ed Mon Sep 17 00:00:00 2001
From: Sergio
Date: Thu, 12 Sep 2024 08:45:01 -0400
Subject: [PATCH] enhance check
---
 .../__init__.py | 0
 ...ributions_https_sni_enabled.metadata.json} | 2 +-
 ...dfront_distributions_https_sni_enabled.py} | 22 +++++-----
 ...t_distributions_https_sni_enabled_test.py} | 40 ++++++++-----------
 4 files changed, 27 insertions(+), 37 deletions(-)
 rename prowler/providers/aws/services/cloudfront/{cloudfront_distributions_using_sni_https_requests => cloudfront_distributions_https_sni_enabled}/__init__.py (100%)
 rename prowler/providers/aws/services/cloudfront/{cloudfront_distributions_using_sni_https_requests/cloudfront_distributions_using_sni_https_requests.metadata.json => cloudfront_distributions_https_sni_enabled/cloudfront_distributions_https_sni_enabled.metadata.json} (96%)
 rename prowler/providers/aws/services/cloudfront/{cloudfront_distributions_using_sni_https_requests/cloudfront_distributions_using_sni_https_requests.py => cloudfront_distributions_https_sni_enabled/cloudfront_distributions_https_sni_enabled.py} (53%)
 rename tests/providers/aws/services/cloudfront/{cloudfront_distributions_using_sni_https_requests/cloudfront_distributions_using_sni_https_requests_test.py => cloudfront_distributions_https_sni_enabled/cloudfront_distributions_https_sni_enabled_test.py} (69%)
diff --git a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_sni_https_requests/__init__.py b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_sni_enabled/__init__.py
similarity index 100%
rename from prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_sni_https_requests/__init__.py
rename to prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_sni_enabled/__init__.py
diff --git a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_sni_https_requests/cloudfront_distributions_using_sni_https_requests.metadata.json b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_sni_enabled/cloudfront_distributions_https_sni_enabled.metadata.json
similarity index 96%
rename from prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_sni_https_requests/cloudfront_distributions_using_sni_https_requests.metadata.json
rename to prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_sni_enabled/cloudfront_distributions_https_sni_enabled.metadata.json
index 666c0c35028..2abfaad1dc0 100644
--- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_sni_https_requests/cloudfront_distributions_using_sni_https_requests.metadata.json
+++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_sni_enabled/cloudfront_distributions_https_sni_enabled.metadata.json
@@ -1,6 +1,6 @@
 {
 "Provider": "aws",
- "CheckID": "cloudfront_distributions_using_sni_https_requests",
+ "CheckID": "cloudfront_distributions_https_sni_enabled",
 "CheckTitle": "Check if CloudFront distributions are using SNI to serve HTTPS requests.",
 "CheckType": [
 "NIST 800-53 Controls"
diff --git a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_sni_https_requests/cloudfront_distributions_using_sni_https_requests.py b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_sni_enabled/cloudfront_distributions_https_sni_enabled.py
similarity index 53%
rename from prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_sni_https_requests/cloudfront_distributions_using_sni_https_requests.py
rename to prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_sni_enabled/cloudfront_distributions_https_sni_enabled.py
index 6520320a5fb..0c323812de3 100644
--- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_sni_https_requests/cloudfront_distributions_using_sni_https_requests.py +++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_sni_enabled/cloudfront_distributions_https_sni_enabled.py @@ -7,26 +7,24 @@ ) -class cloudfront_distributions_using_sni_https_requests(Check): +class cloudfront_distributions_https_sni_enabled(Check): def execute(self): findings = [] for distribution in cloudfront_client.distributions.values(): - report = Check_Report_AWS(self.metadata()) - report.region = distribution.region - report.resource_arn = distribution.arn - report.resource_id = distribution.id - report.resource_tags = distribution.tags - report.status = "FAIL" - report.status_extended = f"CloudFront Distribution {distribution.id} does not have a certificate." - if distribution.certificate: + report = Check_Report_AWS(self.metadata()) + report.region = distribution.region + report.resource_arn = distribution.arn + report.resource_id = distribution.id + report.resource_tags = distribution.tags + if distribution.ssl_support_method == SSLSupportMethod.sni_only: report.status = "PASS" - report.status_extended = f"CloudFront Distribution {distribution.id} has a configured certificate to serve HTTPS requests with SNI." + report.status_extended = f"CloudFront Distribution {distribution.id} is serving HTTPS requests using SNI." else: report.status = "FAIL" - report.status_extended = f"CloudFront Distribution {distribution.id} does have a certificate but is not set up to use SNI." + report.status_extended = f"CloudFront Distribution {distribution.id} is not serving HTTPS requests using SNI." - findings.append(report) + findings.append(report) return findings 
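Review bot: Distributions with a falsy `distribution.certificate` now leave `execute()` without any finding, where the old code reported FAIL for them; the nesting is inferred from the flattened hunk and from `test_distribution_no_certificate`, which now asserts `len(result) == 0`. In an audit report that silence cannot be told apart from "no distributions were scanned", so the reason belongs next to the guard, for example `# No custom certificate configured: the SNI / dedicated-IP choice presumably does not apply, so no finding is emitted.` above `if distribution.certificate:`, with the same reason as a comment in that test. The FAIL message would also be easier to triage if it named the configured method, e.g. `... is not serving HTTPS requests using SNI (ssl_support_method: {distribution.ssl_support_method}).`, though how that value renders depends on the enum definition, which is not in this hunk. The file's import block starts above the hunk, so where `SSLSupportMethod` is imported is not visible here.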
diff --git a/tests/providers/aws/services/cloudfront/cloudfront_distributions_using_sni_https_requests/cloudfront_distributions_using_sni_https_requests_test.py b/tests/providers/aws/services/cloudfront/cloudfront_distributions_https_sni_enabled/cloudfront_distributions_https_sni_enabled_test.py similarity index 69% rename from tests/providers/aws/services/cloudfront/cloudfront_distributions_using_sni_https_requests/cloudfront_distributions_using_sni_https_requests_test.py rename to tests/providers/aws/services/cloudfront/cloudfront_distributions_https_sni_enabled/cloudfront_distributions_https_sni_enabled_test.py index 6294c19b210..7c2bfaeae19 100644 --- a/tests/providers/aws/services/cloudfront/cloudfront_distributions_using_sni_https_requests/cloudfront_distributions_using_sni_https_requests_test.py +++ b/tests/providers/aws/services/cloudfront/cloudfront_distributions_https_sni_enabled/cloudfront_distributions_https_sni_enabled_test.py @@ -13,7 +13,7 @@ REGION = "us-east-1" -class Test_cloudfront_distributions_using_sni_https_requests: +class Test_cloudfront_distributions_https_sni_enabled: def test_no_distributions(self): cloudfront_client = mock.MagicMock cloudfront_client.distributions = {} @@ -22,11 +22,11 @@ def test_no_distributions(self): new=cloudfront_client, ): # Test Check - from prowler.providers.aws.services.cloudfront.cloudfront_distributions_using_sni_https_requests.cloudfront_distributions_using_sni_https_requests import ( - cloudfront_distributions_using_sni_https_requests, + from prowler.providers.aws.services.cloudfront.cloudfront_distributions_https_sni_enabled.cloudfront_distributions_https_sni_enabled import ( + cloudfront_distributions_https_sni_enabled, ) - check = cloudfront_distributions_using_sni_https_requests() + check = cloudfront_distributions_https_sni_enabled() result = check.execute() assert len(result) == 0 
@@ -48,22 +48,14 @@ def test_distribution_no_certificate(self): new=cloudfront_client, ): # Test Check - from prowler.providers.aws.services.cloudfront.cloudfront_distributions_using_sni_https_requests.cloudfront_distributions_using_sni_https_requests import ( - cloudfront_distributions_using_sni_https_requests, + from prowler.providers.aws.services.cloudfront.cloudfront_distributions_https_sni_enabled.cloudfront_distributions_https_sni_enabled import ( + cloudfront_distributions_https_sni_enabled, ) - check = cloudfront_distributions_using_sni_https_requests() + check = cloudfront_distributions_https_sni_enabled() result = check.execute() - assert len(result) == 1 - assert result[0].region == REGION - assert result[0].resource_arn == DISTRIBUTION_ARN - assert result[0].resource_id == DISTRIBUTION_ID - assert result[0].status == "FAIL" - assert ( - result[0].status_extended - == f"CloudFront Distribution {DISTRIBUTION_ID} does not have a certificate." - ) + assert len(result) == 0 def test_distribution_certificate_not_set_up(self): cloudfront_client = mock.MagicMock @@ -84,11 +76,11 @@ def test_distribution_certificate_not_set_up(self): new=cloudfront_client, ): # Test Check - from prowler.providers.aws.services.cloudfront.cloudfront_distributions_using_sni_https_requests.cloudfront_distributions_using_sni_https_requests import ( - cloudfront_distributions_using_sni_https_requests, + from prowler.providers.aws.services.cloudfront.cloudfront_distributions_https_sni_enabled.cloudfront_distributions_https_sni_enabled import ( + cloudfront_distributions_https_sni_enabled, ) - check = cloudfront_distributions_using_sni_https_requests() + check = cloudfront_distributions_https_sni_enabled() result = check.execute() assert len(result) == 1 
@@ -98,7 +90,7 @@ def test_distribution_certificate_not_set_up(self): assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"CloudFront Distribution {DISTRIBUTION_ID} does have a certificate but is not set up to use SNI." + == f"CloudFront Distribution {DISTRIBUTION_ID} is not serving HTTPS requests using SNI." ) def test_distribution_valid_configuration(self): @@ -120,11 +112,11 @@ def test_distribution_valid_configuration(self): new=cloudfront_client, ): # Test Check - from prowler.providers.aws.services.cloudfront.cloudfront_distributions_using_sni_https_requests.cloudfront_distributions_using_sni_https_requests import ( - cloudfront_distributions_using_sni_https_requests, + from prowler.providers.aws.services.cloudfront.cloudfront_distributions_https_sni_enabled.cloudfront_distributions_https_sni_enabled import ( + cloudfront_distributions_https_sni_enabled, ) - check = cloudfront_distributions_using_sni_https_requests() + check = cloudfront_distributions_https_sni_enabled() result = check.execute() assert len(result) == 1 @@ -134,5 +126,5 @@ def test_distribution_valid_configuration(self): assert result[0].status == "PASS" assert ( result[0].status_extended - == f"CloudFront Distribution {DISTRIBUTION_ID} has a configured certificate to serve HTTPS requests with SNI." + == f"CloudFront Distribution {DISTRIBUTION_ID} is serving HTTPS requests using SNI." )