feat(aws): change logic for tags

prowler-cloud · Aug 19, 2024 · 1677105 · 1677105
1 parent bf13913
commit 1677105
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 13 deletions.
diff --git a/docs/tutorials/mutelist.md b/docs/tutorials/mutelist.md
@@ -9,7 +9,7 @@ Mutelist option works along with other options and will modify the output in the
 
 ## How the Mutelist Works
 
-The Mutelist uses an "ANDed" and "ORed" logic to determine which resources, checks, regions, and tags should be muted. For each check, the Mutelist checks if the account, region, and resource match the specified criteria, using an "ANDed" logic. If tags are specified, the mutelist uses and "ORed" logic to see if at least one tag is present in the resource.
+The Mutelist uses an "ANDed" and "ORed" logic to determine which resources, checks, regions, and tags should be muted. For each check, the Mutelist checks if the account, region, and resource match the specified criteria, using an "ANDed" logic. If tags are specified, the mutelist uses an "ANDed" logic to see if all of the tags are present in the resource.
 
 If any of the criteria do not match, the check is not muted.
 

diff --git a/prowler/lib/mutelist/mutelist.py b/prowler/lib/mutelist/mutelist.py
@@ -211,7 +211,9 @@ def is_muted_in_check(
                     muted_in_resource = self.is_item_matched(
                         muted_resources, finding_resource
                     )
-                    muted_in_tags = self.is_item_matched(muted_tags, finding_tags)
+                    muted_in_tags = self.is_item_matched(
+                        muted_tags, finding_tags, tag=True
+                    )
 
                     # For a finding to be muted requires the following set to True:
                     # - muted_in_check -> True
@@ -279,7 +281,9 @@ def is_excepted(
                 )
 
                 excepted_tags = exceptions.get("Tags", [])
-                is_tag_excepted = self.is_item_matched(excepted_tags, finding_tags)
+                is_tag_excepted = self.is_item_matched(
+                    excepted_tags, finding_tags, tag=True
+                )
 
                 if (
                     not is_account_excepted
@@ -303,7 +307,7 @@ def is_excepted(
             return False
 
     @staticmethod
-    def is_item_matched(matched_items, finding_items):
+    def is_item_matched(matched_items, finding_items, tag=False) -> bool:
         """
         Check if any of the items in matched_items are present in finding_items.
 
@@ -317,12 +321,19 @@ def is_item_matched(matched_items, finding_items):
         try:
             is_item_matched = False
             if matched_items and (finding_items or finding_items == ""):
+                if tag:
+                    is_item_matched = True
                 for item in matched_items:
                     if item.startswith("*"):
                         item = ".*" + item[1:]
-                    if re.search(item, finding_items):
-                        is_item_matched = True
-                        break
+                    if tag:
+                        if not re.search(item, finding_items):
+                            is_item_matched = False
+                            break
+                    else:
+                        if re.search(item, finding_items):
+                            is_item_matched = True
+                            break
             return is_item_matched
         except Exception as error:
             logger.error(

diff --git a/tests/providers/aws/lib/mutelist/aws_mutelist_test.py b/tests/providers/aws/lib/mutelist/aws_mutelist_test.py
@@ -1132,7 +1132,7 @@ def test_is_muted_tags(self):
         }
         mutelist = AWSMutelist(mutelist_content=mutelist_content)
 
-        assert mutelist.is_muted(
+        assert not mutelist.is_muted(
             AWS_ACCOUNT_NUMBER,
             "check_test",
             AWS_REGION_US_EAST_1,
@@ -1321,23 +1321,23 @@ def test_is_excepted(self):
             AWS_ACCOUNT_NUMBER,
             "eu-central-1",
             "test",
-            "environment=test",
+            "environment=test | project=prowler",
         )
 
         assert mutelist.is_excepted(
             exceptions,
             AWS_ACCOUNT_NUMBER,
             "eu-south-3",
             "test",
-            "environment=test",
+            "environment=test | project=prowler",
         )
 
         assert mutelist.is_excepted(
             exceptions,
             AWS_ACCOUNT_NUMBER,
             "eu-south-3",
             "test123",
-            "environment=test",
+            "environment=test | project=prowler",
         )
 
     def test_is_excepted_only_in_account(self):
@@ -1413,7 +1413,7 @@ def test_is_excepted_in_account_and_tags(self):
             "Accounts": [AWS_ACCOUNT_NUMBER],
             "Regions": [],
             "Resources": [],
-            "Tags": ["environment=test"],
+            "Tags": ["environment=test", "project=example"],
         }
         mutelist = AWSMutelist(mutelist_content={})
 
@@ -1422,7 +1422,7 @@ def test_is_excepted_in_account_and_tags(self):
             AWS_ACCOUNT_NUMBER,
             AWS_REGION_EU_CENTRAL_1,
             "resource_1",
-            "environment=test",
+            "environment=test | project=example",
         )
 
         assert not mutelist.is_excepted(