From c28ee03d6dd69346cb72ea46b1ab4fa1a12ef793 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rub=C3=A9n=20De=20la=20Torre=20Vico?=
 <rubendltv22@gmail.com>
Date: Fri, 24 Jan 2025 16:42:45 +0100
Subject: [PATCH] fix(cloudsql): add trusted client certificates case for
 `cloudsql_instance_ssl_connections` (#6682)

(cherry picked from commit bcc246d950b3e6aaa8cdd831a5912e2731e68321)
---
 .../cloudsql_instance_ssl_connections.py      |  5 +-
 .../cloudsql_instance_ssl_connections_test.py | 48 +++++++++++++++++++
 2 files changed, 52 insertions(+), 1 deletion(-)

diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_ssl_connections/cloudsql_instance_ssl_connections.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_ssl_connections/cloudsql_instance_ssl_connections.py
index 0f7ee53104..f951082559 100644
--- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_ssl_connections/cloudsql_instance_ssl_connections.py
+++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_ssl_connections/cloudsql_instance_ssl_connections.py
@@ -15,7 +15,10 @@ def execute(self) -> Check_Report_GCP:
             report.status_extended = (
                 f"Database Instance {instance.name} requires SSL connections."
             )
-            if not instance.require_ssl or instance.ssl_mode != "ENCRYPTED_ONLY":
+            if (
+                not instance.require_ssl
+                or instance.ssl_mode == "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
+            ):
                 report.status = "FAIL"
                 report.status_extended = f"Database Instance {instance.name} does not require SSL connections."
             findings.append(report)
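Review bot: The rewritten condition at the `if (` block turns the check from an allowlist into a one-value denylist, so any `ssl_mode` other than `ALLOW_UNENCRYPTED_AND_ENCRYPTED` (an empty or unset value, or a mode the API adds later) now yields PASS with "requires SSL connections" even though nothing in the hunk establishes that such a value enforces encryption. A fail-closed form keeps the trusted-client-certificate fix while still rejecting unknown modes: `or instance.ssl_mode not in ("ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED")`. Whether `require_ssl` and `ssl_mode` can legitimately disagree for the same instance is not visible here, so the `not instance.require_ssl` clause is left as is. The enclosing `execute` method starts before this hunk.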
diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_ssl_connections/cloudsql_instance_ssl_connections_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_ssl_connections/cloudsql_instance_ssl_connections_test.py
index 70ed073b3e..237600cce0 100644
--- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_ssl_connections/cloudsql_instance_ssl_connections_test.py
+++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_ssl_connections/cloudsql_instance_ssl_connections_test.py
@@ -167,3 +167,51 @@ def test_cloudsql_instance_ssl_connections_disabled_and_ssl_mode_not_encrypted(
             assert result[0].resource_name == "instance1"
             assert result[0].location == GCP_EU1_LOCATION
             assert result[0].project_id == GCP_PROJECT_ID
+
+    def test_cloudsql_instance_ssl_connections_enabled_with_trusted_client_certificates(
+        self,
+    ):
+        cloudsql_client = mock.MagicMock()
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=set_mocked_gcp_provider(),
+        ), mock.patch(
+            "prowler.providers.gcp.services.cloudsql.cloudsql_instance_ssl_connections.cloudsql_instance_ssl_connections.cloudsql_client",
+            new=cloudsql_client,
+        ):
+            from prowler.providers.gcp.services.cloudsql.cloudsql_instance_ssl_connections.cloudsql_instance_ssl_connections import (
+                cloudsql_instance_ssl_connections,
+            )
+            from prowler.providers.gcp.services.cloudsql.cloudsql_service import (
+                Instance,
+            )
+
+            cloudsql_client.instances = [
+                Instance(
+                    name="instance1",
+                    version="POSTGRES_15",
+                    ip_addresses=[],
+                    region=GCP_EU1_LOCATION,
+                    public_ip=False,
+                    require_ssl=True,
+                    ssl_mode="TRUSTED_CLIENT_CERTIFICATE_REQUIRED",
+                    automated_backups=True,
+                    authorized_networks=[],
+                    flags=[],
+                    project_id=GCP_PROJECT_ID,
+                )
+            ]
+
+            check = cloudsql_instance_ssl_connections()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == "Database Instance instance1 requires SSL connections."
+            )
+            assert result[0].resource_id == "instance1"
+            assert result[0].resource_name == "instance1"
+            assert result[0].location == GCP_EU1_LOCATION
+            assert result[0].project_id == GCP_PROJECT_ID
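Review bot: The new test pins only the PASS branch for `TRUSTED_CLIENT_CERTIFICATE_REQUIRED`; the FAIL branch the check now keys on, `require_ssl=True` with `ssl_mode="ALLOW_UNENCRYPTED_AND_ENCRYPTED"`, does not appear to be exercised in this hunk, and the earlier test name suggests it covers the `require_ssl` disabled case instead. A companion test with those two values asserting `result[0].status == "FAIL"` would catch a regression in the new condition; an `ssl_mode=""` case would document how the check is meant to treat an unset mode. The enclosing test class starts before this hunk.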