
fix(oci): scan identity in known valid region#10529

Merged
HugoPBrito merged 103 commits into
prowler-cloud:masterfrom
rchotacode:fix/instance-principal-id
May 6, 2026

Conversation

@rchotacode
Contributor

@rchotacode rchotacode commented Mar 31, 2026

Context


Fix #10528

Description

Scans found region for identity misconfigurations instead of generally defaulting to us-ashburn-1

Steps to review

Scanning any tenancy with an identity domain outside us-ashburn-1 or not supporting us-ashburn-1

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? Yes / No
    • If so, do we need to update permissions for the provider? Please review this carefully.

UI

  • All issue/task requirements work as expected on the UI
  • Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
  • Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px)
  • Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
  • Ensure new entries are added to CHANGELOG.md, if applicable.

API

  • All issue/task requirements work as expected on the API
  • Endpoint response output (if applicable)
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
  • Performance test results (if applicable)
  • Any other relevant evidence of the implementation (if applicable)
  • Verify if API specs need to be regenerated.
  • Check if version updates are required (e.g., specs, Poetry, etc.).
  • Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@rchotacode rchotacode requested a review from a team March 31, 2026 20:20
@rchotacode rchotacode requested a review from a team as a code owner March 31, 2026 20:20
@github-actions github-actions Bot added provider/oci Issues/PRs related with the OCI provider community Opened by the Community labels Mar 31, 2026
@github-actions
Contributor

github-actions Bot commented Mar 31, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@codecov

codecov Bot commented Mar 31, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 61.36%. Comparing base (8affbf4) to head (5e3450e).
⚠️ Report is 1 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (8affbf4) and HEAD (5e3450e).

HEAD has 1 upload less than BASE
Flag BASE (8affbf4) HEAD (5e3450e)
api 1 0
Additional details and impacted files
@@             Coverage Diff             @@
##           master   #10529       +/-   ##
===========================================
- Coverage   93.65%   61.36%   -32.29%     
===========================================
  Files         230       87      -143     
  Lines       33937     2876    -31061     
===========================================
- Hits        31784     1765    -30019     
+ Misses       2153     1111     -1042     
Flag Coverage Δ
api ?
prowler-py3.10-oraclecloud 61.36% <100.00%> (?)
prowler-py3.11-oraclecloud 61.36% <100.00%> (?)
prowler-py3.12-oraclecloud 61.36% <100.00%> (?)

Flags with carried forward coverage won't be shown.

Components Coverage Δ
prowler 61.36% <100.00%> (∅)
api ∅ <ø> (∅)

@rchotacode rchotacode marked this pull request as draft March 31, 2026 22:52
@rchotacode rchotacode marked this pull request as ready for review April 1, 2026 20:37
@rchotacode rchotacode changed the title fix(oci): scan identity in multiple regions fix(oci): scan identity in known valid region Apr 1, 2026
@HugoPBrito HugoPBrito self-assigned this Apr 6, 2026
Member

@HugoPBrito HugoPBrito left a comment


Thanks for tackling this — the issue is real and the approach (using the provider's known regions instead of hardcoding us-ashburn-1) makes sense. However, there are a few issues that need addressing before this can be merged:

  1. `is not` vs `!=`: all 5 string comparisons use an identity check instead of equality. This is the most critical issue.
  2. Removed guards on search methods: `__search_root_compartment_resources__` and `__search_active_non_root_compartments__` lost their region guard entirely, which will cause redundant calls and potentially duplicate results.
  3. Provider change breaks multi-region: `single_region` now always picks the first region even when multiple are specified.
  4. Missing test updates: Codecov shows 41% patch coverage with 7 uncovered lines.

Comment thread prowler/providers/oraclecloud/services/identity/identity_service.py Outdated
Comment thread prowler/providers/oraclecloud/services/identity/identity_service.py Outdated
Comment thread prowler/providers/oraclecloud/services/identity/identity_service.py
Comment thread prowler/providers/oraclecloud/oraclecloud_provider.py Outdated
Comment thread prowler/CHANGELOG.md Outdated
@rchotacode rchotacode requested a review from HugoPBrito April 7, 2026 14:48
@rchotacode
Contributor Author

Thanks for the feedback, Hugo! I've implemented the changes requested so that domains are filtered at insertion with the provided code; the test now tests both password policies and list_domains with multiple regional clients. Home region's default is fixed along with the other issues listed. Let me know if there's anything else I should look into!

Member

@HugoPBrito HugoPBrito left a comment


Found a regression while testing this branch. With an empty _regions list the new initializer at oraclecloud_provider.py:164-167 crashes the entire scan:

INFO: Found 0 subscribed regions
CRITICAL: IndexError[347]: list index out of range

Root cause: the default value passed to next() is evaluated eagerly, so self._regions[0].key raises IndexError whenever _regions is empty (e.g. when --region/-f filters don't match any subscribed region):

self._home_region = next(
    (region.key for region in self._regions if region.is_home_region),
    self._regions[0].key,   # IndexError when self._regions == []
)

Pre-PR this same scenario completed silently with 0 findings; now it aborts the whole run. Could you guard against the empty-list case and surface a clear error (e.g. "no subscribed regions match the requested filter") instead of letting it crash here?
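An added illustration of the failure mode described in this review; it is not code from the Prowler repository. The `Region` dataclass, the function names, the `NoMatchingRegionError` class and the sample tenancy are stand-ins chosen for the example. It reproduces the eager-default `IndexError` on an empty region list, then shows a guarded resolver that applies a `--region` style filter by string equality (`==`, as the earlier review asked) and surfaces a clear error instead of crashing:

```python
from dataclasses import dataclass
from typing import Callable, Optional, Sequence


@dataclass(frozen=True)
class Region:
    """Stand-in for an OCI region subscription (constructed for this example)."""

    key: str
    is_home_region: bool = False


class NoMatchingRegionError(RuntimeError):
    """Hypothetical error type: the region filter left nothing to scan."""


def home_region_eager(regions: Sequence[Region]) -> str:
    """The pattern quoted in the review. next()'s default is a plain argument,
    so regions[0].key is evaluated *before* next() runs and raises IndexError
    whenever regions is empty."""
    return next(
        (region.key for region in regions if region.is_home_region),
        regions[0].key,
    )


def home_region_guarded(regions: Sequence[Region]) -> str:
    """Guarded version: fail with a clear message on an empty list, otherwise
    prefer the subscription flagged as home and fall back to the first one."""
    if not regions:
        raise NoMatchingRegionError(
            "no subscribed regions match the requested filter"
        )
    home: Optional[str] = next(
        (region.key for region in regions if region.is_home_region), None
    )
    return home if home is not None else regions[0].key


def filter_regions(
    subscribed: Sequence[Region], requested: Sequence[str]
) -> list[Region]:
    """Apply a --region style filter. Keys are strings, so membership is decided
    by equality (==), never by identity (is)."""
    if not requested:
        return list(subscribed)
    wanted = set(requested)
    return [region for region in subscribed if region.key in wanted]


def plan_identity_scan(
    subscribed: Sequence[Region], requested: Sequence[str]
) -> tuple[str, list[str]]:
    """Return (home_region, regions_to_scan) for the identity service, or raise
    NoMatchingRegionError when the filter matches nothing."""
    regions = filter_regions(subscribed, requested)
    return home_region_guarded(regions), [region.key for region in regions]


def failure_mode(
    resolver: Callable[[Sequence[Region]], str], regions: Sequence[Region]
) -> str:
    """Name the exception a resolver raises, or 'ok'. Used to compare the two versions."""
    try:
        resolver(regions)
    except Exception as exc:  # the concrete type name is the point here
        return type(exc).__name__
    return "ok"


# Constructed tenancy: the home region is us-phoenix-1, not us-ashburn-1.
SUBSCRIBED = [
    Region("us-ashburn-1"),
    Region("us-phoenix-1", is_home_region=True),
    Region("eu-frankfurt-1"),
]
```

With the filter `["ap-tokyo-1"]` nothing matches, `home_region_eager` dies with `IndexError` before the generator is even consulted, while `plan_identity_scan` raises `NoMatchingRegionError` with the message the reviewer suggested; with an empty filter both agree on `us-phoenix-1`.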

Member

@HugoPBrito HugoPBrito left a comment


Could you also share evidence that the fix behaves as expected in a tenancy whose home region is not us-ashburn-1? Ideally a full --log-level INFO run of --service identity showing the new Home region is: <non-ashburn-region> log line and identity findings being produced where the previous behavior would have returned none. We aren't able to validate the original scenario end-to-end on our side, so concrete evidence from your test environment would be very helpful.

@rchotacode
Contributor Author

Thanks for the feedback again, Hugo! I have fixed the edge case described, but am unfortunately not comfortable showing test results for any of our tenancies. I set up a free tier personal OCI account with a home region of us-phoenix-1. This image shows that it was detected.

@rchotacode
Contributor Author

Here is evidence of a home region being detected in a multi-region environment.

Member

@HugoPBrito HugoPBrito left a comment


That will do the job, thanks!

Just take into account this last comment and it will be ready to be merged.

Thank you for the effort put into this.

Comment thread prowler/CHANGELOG.md Outdated
@HugoPBrito HugoPBrito added status/awaiting-reponse Waiting response from owner and removed status/waiting-for-revision Waiting for maintainer's revision labels May 5, 2026
@rchotacode
Contributor Author

Changelog moved, thanks Hugo!

@rchotacode rchotacode requested a review from HugoPBrito May 5, 2026 22:24
HugoPBrito
HugoPBrito previously approved these changes May 6, 2026
@HugoPBrito HugoPBrito removed the request for review from a team May 6, 2026 07:58
HugoPBrito added 2 commits May 6, 2026 09:59
`__list_domains__` runs concurrently per region via `__threading_call__`,
so the read-then-modify on `self.domains` could allow duplicates or lose
the home-region preference when two regions returned the same domain at
once. Serialize the dedupe-and-append with a lock and add a concurrent
test that exercises the path under a thread pool.
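The race the commit message describes, shown as an added example rather than the project's own code: `Domain`, `DomainCollector`, `fake_list_domains` and the sample region and OCID values are constructed for the illustration, and the home-region preference mirrors the behaviour the message names. The collector serialises the dedupe-and-append under a lock and is exercised under a thread pool, the way the commit says its test does:

```python
import threading
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass


@dataclass(frozen=True)
class Domain:
    """Stand-in for an identity domain as returned by one regional client (constructed)."""

    id: str      # OCID; the dedupe key
    region: str  # region whose client returned this copy


class DomainCollector:
    """Merge per-region results into one entry per domain id, preferring the
    copy returned by the home region. The lock makes the read-then-modify
    atomic, so concurrent regional calls can neither duplicate a domain nor
    overwrite the home-region copy with a non-home one."""

    def __init__(self, home_region: str) -> None:
        self.home_region = home_region
        self._lock = threading.Lock()
        self._by_id: dict[str, Domain] = {}

    def add(self, domain: Domain) -> None:
        with self._lock:
            current = self._by_id.get(domain.id)
            # String region keys are compared with ==, never with `is`.
            prefer_new = current is None or (
                domain.region == self.home_region
                and current.region != self.home_region
            )
            if prefer_new:
                self._by_id[domain.id] = domain

    @property
    def domains(self) -> list[Domain]:
        with self._lock:
            return list(self._by_id.values())


# Constructed sample: the same two domains are visible from three regional clients.
SAMPLE_REGIONS = ["us-ashburn-1", "us-phoenix-1", "eu-frankfurt-1"]
SAMPLE_DOMAIN_IDS = ["ocid1.domain.oc1..example1", "ocid1.domain.oc1..example2"]


def fake_list_domains(region: str) -> list[Domain]:
    """Stand-in for the per-region list-domains call; every region sees every domain."""
    return [Domain(id=domain_id, region=region) for domain_id in SAMPLE_DOMAIN_IDS]


def collect_concurrently(home_region: str, rounds: int = 50) -> list[Domain]:
    """Run the regional listings under a thread pool, repeating each to give
    interleavings a chance to surface, and return the merged result."""
    collector = DomainCollector(home_region)

    def worker(region: str) -> None:
        for _ in range(rounds):
            for domain in fake_list_domains(region):
                collector.add(domain)

    with ThreadPoolExecutor(max_workers=len(SAMPLE_REGIONS)) as pool:
        list(pool.map(worker, SAMPLE_REGIONS))  # list() re-raises worker exceptions
    return collector.domains
```

The unlocked shape (check `domain.id not in` the list of known ids, then append) has a window between the check and the append in which another region's thread passes the same check, which is how duplicates arise; holding the lock across both steps closes that window, and keying by id in a dict makes the dedupe a lookup rather than a rescan of the list on every call.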
@HugoPBrito HugoPBrito merged commit 19b602c into prowler-cloud:master May 6, 2026
23 of 24 checks passed
@HugoPBrito HugoPBrito added the backport-to-v5.25 Backport PR to the v5.25 branch label May 6, 2026
@prowler-bot prowler-bot added the was-backported The PR was successfully backported to the target branch label May 6, 2026
@prowler-bot
Collaborator

💚 All backports created successfully

Status Branch Result
v5.25

Questions?

Please refer to the Backport tool documentation and see the Github Action logs for details

HugoPBrito added a commit that referenced this pull request May 6, 2026
Co-authored-by: Hugo Pereira Brito <101209179+HugoPBrito@users.noreply.github.com>

Labels

backport-to-v5.25 Backport PR to the v5.25 branch community Opened by the Community provider/oci Issues/PRs related with the OCI provider status/awaiting-reponse Waiting response from owner was-backported The PR was successfully backported to the target branch

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[OCI] Identity should scan known region

4 participants