feat(azure): SQLServer checks related to TDE encryption (#3343)
@@ -73,6 +73,34 @@ expected_packages = [
|
||||
name="prowler.providers.azure.services.storage.storage_ensure_encryption_with_customer_managed_keys.storage_ensure_encryption_with_customer_managed_keys",
|
||||
ispkg=False,
|
||||
),
|
||||
ModuleInfo(
|
||||
module_finder=FileFinder(
|
||||
"/root_dir/prowler/providers/azure/services/sqlserver"
|
||||
),
|
||||
name="prowler.providers.azure.services.sqlserver.sqlserver_tde_encrypted_with_cmk",
|
||||
ispkg=True,
|
||||
),
|
||||
ModuleInfo(
|
||||
module_finder=FileFinder(
|
||||
"/root_dir/prowler/providers/azure/services/sqlserver/sqlserver_tde_encrypted_with_cmk"
|
||||
),
|
||||
name="prowler.providers.azure.services.sqlserver.sqlserver_tde_encrypted_with_cmk.sqlserver_tde_encrypted_with_cmk",
|
||||
ispkg=False,
|
||||
),
|
||||
ModuleInfo(
|
||||
module_finder=FileFinder(
|
||||
"/root_dir/prowler/providers/azure/services/sqlserver"
|
||||
),
|
||||
name="prowler.providers.azure.services.sqlserver.sqlserver_tde_encryption_enabled",
|
||||
ispkg=True,
|
||||
),
|
||||
ModuleInfo(
|
||||
module_finder=FileFinder(
|
||||
"/root_dir/prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled"
|
||||
),
|
||||
name="prowler.providers.azure.services.sqlserver.sqlserver_tde_encryption_enabled.sqlserver_tde_encryption_enabled",
|
||||
ispkg=False,
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
@@ -124,6 +152,34 @@ def mock_list_modules(*_):
|
||||
name="prowler.providers.azure.services.storage.storage_ensure_encryption_with_customer_managed_keys.storage_ensure_encryption_with_customer_managed_keys",
|
||||
ispkg=False,
|
||||
),
|
||||
ModuleInfo(
|
||||
module_finder=FileFinder(
|
||||
"/root_dir/prowler/providers/azure/services/sqlserver"
|
||||
),
|
||||
name="prowler.providers.azure.services.sqlserver.sqlserver_tde_encrypted_with_cmk",
|
||||
ispkg=True,
|
||||
),
|
||||
ModuleInfo(
|
||||
module_finder=FileFinder(
|
||||
"/root_dir/prowler/providers/azure/services/sqlserver/sqlserver_tde_encrypted_with_cmk"
|
||||
),
|
||||
name="prowler.providers.azure.services.sqlserver.sqlserver_tde_encrypted_with_cmk.sqlserver_tde_encrypted_with_cmk",
|
||||
ispkg=False,
|
||||
),
|
||||
ModuleInfo(
|
||||
module_finder=FileFinder(
|
||||
"/root_dir/prowler/providers/azure/services/sqlserver"
|
||||
),
|
||||
name="prowler.providers.azure.services.sqlserver.sqlserver_tde_encryption_enabled",
|
||||
ispkg=True,
|
||||
),
|
||||
ModuleInfo(
|
||||
module_finder=FileFinder(
|
||||
"/root_dir/prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled"
|
||||
),
|
||||
name="prowler.providers.azure.services.sqlserver.sqlserver_tde_encryption_enabled.sqlserver_tde_encryption_enabled",
|
||||
ispkg=False,
|
||||
),
|
||||
]
|
||||
return modules
|
||||
|
||||
@@ -505,6 +561,14 @@ class Test_Check:
|
||||
"storage_ensure_encryption_with_customer_managed_keys",
|
||||
"/root_dir/prowler/providers/azure/services/storage/storage_ensure_encryption_with_customer_managed_keys",
|
||||
),
|
||||
(
|
||||
"sqlserver_tde_encrypted_with_cmk",
|
||||
"/root_dir/prowler/providers/azure/services/sqlserver/sqlserver_tde_encrypted_with_cmk",
|
||||
),
|
||||
(
|
||||
"sqlserver_tde_encryption_enabled",
|
||||
"/root_dir/prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled",
|
||||
),
|
||||
]
|
||||
returned_checks = recover_checks_from_provider(provider, service)
|
||||
assert returned_checks == expected_checks
|
||||
|
||||
@@ -12,7 +12,7 @@ from prowler.providers.azure.services.sqlserver.sqlserver_service import SQL_Ser
|
||||
AZURE_SUSCRIPTION = str(uuid4())
|
||||
|
||||
|
||||
class Test_defender_ensure_defender_for_storage_is_on:
|
||||
class Test_sqlserver_auditing_enabled:
|
||||
def test_no_sql_servers(self):
|
||||
sqlserver_client = mock.MagicMock
|
||||
sqlserver_client.sql_servers = {}
|
||||
|
||||
@@ -8,7 +8,7 @@ from prowler.providers.azure.services.sqlserver.sqlserver_service import SQL_Ser
|
||||
AZURE_SUSCRIPTION = str(uuid4())
|
||||
|
||||
|
||||
class Test_defender_ensure_defender_for_storage_is_on:
|
||||
class Test_sqlserver_azuread_administrator_enabled:
|
||||
def test_no_sql_servers(self):
|
||||
sqlserver_client = mock.MagicMock
|
||||
sqlserver_client.sql_servers = {}
|
||||
|
||||
@@ -0,0 +1,148 @@
|
||||
from unittest.mock import patch
|
||||
|
||||
from azure.mgmt.sql.models import EncryptionProtector, TransparentDataEncryption
|
||||
|
||||
from prowler.providers.azure.services.sqlserver.sqlserver_service import (
|
||||
DatabaseServer,
|
||||
SQL_Server,
|
||||
SQLServer,
|
||||
)
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUSCRIPTION,
|
||||
set_mocked_azure_audit_info,
|
||||
)
|
||||
|
||||
|
||||
def mock_sqlserver_get_sql_servers(_):
|
||||
database = DatabaseServer(
|
||||
id="id",
|
||||
name="name",
|
||||
type="type",
|
||||
location="location",
|
||||
managed_by="managed_by",
|
||||
tde_encryption=TransparentDataEncryption(status="Disabled"),
|
||||
)
|
||||
return {
|
||||
AZURE_SUSCRIPTION: [
|
||||
SQL_Server(
|
||||
id="id",
|
||||
name="name",
|
||||
public_network_access="public_network_access",
|
||||
minimal_tls_version="minimal_tls_version",
|
||||
administrators=None,
|
||||
auditing_policies=None,
|
||||
firewall_rules=None,
|
||||
encryption_protector=EncryptionProtector(
|
||||
server_key_type="AzureKeyVault"
|
||||
),
|
||||
databases=[database],
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
|
||||
@patch(
|
||||
"prowler.providers.azure.services.sqlserver.sqlserver_service.SQLServer.__get_sql_servers__",
|
||||
new=mock_sqlserver_get_sql_servers,
|
||||
)
|
||||
class Test_SqlServer_Service:
|
||||
def test__get_client__(self):
|
||||
sql_server = SQLServer(set_mocked_azure_audit_info())
|
||||
assert (
|
||||
sql_server.clients[AZURE_SUSCRIPTION].__class__.__name__
|
||||
== "SqlManagementClient"
|
||||
)
|
||||
|
||||
def test__get_sql_servers__(self):
|
||||
database = DatabaseServer(
|
||||
id="id",
|
||||
name="name",
|
||||
type="type",
|
||||
location="location",
|
||||
managed_by="managed_by",
|
||||
tde_encryption=TransparentDataEncryption(status="Disabled"),
|
||||
)
|
||||
sql_server = SQLServer(set_mocked_azure_audit_info())
|
||||
assert (
|
||||
sql_server.sql_servers[AZURE_SUSCRIPTION][0].__class__.__name__
|
||||
== "SQL_Server"
|
||||
)
|
||||
assert sql_server.sql_servers[AZURE_SUSCRIPTION][0].id == "id"
|
||||
assert sql_server.sql_servers[AZURE_SUSCRIPTION][0].name == "name"
|
||||
assert (
|
||||
sql_server.sql_servers[AZURE_SUSCRIPTION][0].public_network_access
|
||||
== "public_network_access"
|
||||
)
|
||||
assert (
|
||||
sql_server.sql_servers[AZURE_SUSCRIPTION][0].minimal_tls_version
|
||||
== "minimal_tls_version"
|
||||
)
|
||||
assert sql_server.sql_servers[AZURE_SUSCRIPTION][0].administrators is None
|
||||
assert sql_server.sql_servers[AZURE_SUSCRIPTION][0].auditing_policies is None
|
||||
assert sql_server.sql_servers[AZURE_SUSCRIPTION][0].firewall_rules is None
|
||||
assert (
|
||||
sql_server.sql_servers[AZURE_SUSCRIPTION][
|
||||
0
|
||||
].encryption_protector.__class__.__name__
|
||||
== "EncryptionProtector"
|
||||
)
|
||||
assert sql_server.sql_servers[AZURE_SUSCRIPTION][0].databases == [database]
|
||||
|
||||
def test__get_databases__(self):
|
||||
sql_server = SQLServer(set_mocked_azure_audit_info())
|
||||
assert (
|
||||
sql_server.sql_servers[AZURE_SUSCRIPTION][0].databases[0].__class__.__name__
|
||||
== "DatabaseServer"
|
||||
)
|
||||
assert sql_server.sql_servers[AZURE_SUSCRIPTION][0].databases[0].id == "id"
|
||||
assert sql_server.sql_servers[AZURE_SUSCRIPTION][0].databases[0].name == "name"
|
||||
assert sql_server.sql_servers[AZURE_SUSCRIPTION][0].databases[0].type == "type"
|
||||
assert (
|
||||
sql_server.sql_servers[AZURE_SUSCRIPTION][0].databases[0].location
|
||||
== "location"
|
||||
)
|
||||
assert (
|
||||
sql_server.sql_servers[AZURE_SUSCRIPTION][0].databases[0].managed_by
|
||||
== "managed_by"
|
||||
)
|
||||
assert (
|
||||
sql_server.sql_servers[AZURE_SUSCRIPTION][0]
|
||||
.databases[0]
|
||||
.tde_encryption.__class__.__name__
|
||||
== "TransparentDataEncryption"
|
||||
)
|
||||
|
||||
def test__get_transparent_data_encryption__(self):
|
||||
sql_server = SQLServer(set_mocked_azure_audit_info())
|
||||
assert (
|
||||
sql_server.sql_servers[AZURE_SUSCRIPTION][0]
|
||||
.databases[0]
|
||||
.tde_encryption.__class__.__name__
|
||||
== "TransparentDataEncryption"
|
||||
)
|
||||
assert (
|
||||
sql_server.sql_servers[AZURE_SUSCRIPTION][0]
|
||||
.databases[0]
|
||||
.tde_encryption.status
|
||||
== "Disabled"
|
||||
)
|
||||
|
||||
def test__get_encryption_protectors__(self):
|
||||
sql_server = SQLServer(set_mocked_azure_audit_info())
|
||||
assert (
|
||||
sql_server.sql_servers[AZURE_SUSCRIPTION][
|
||||
0
|
||||
].encryption_protector.__class__.__name__
|
||||
== "EncryptionProtector"
|
||||
)
|
||||
assert (
|
||||
sql_server.sql_servers[AZURE_SUSCRIPTION][
|
||||
0
|
||||
].encryption_protector.server_key_type
|
||||
== "AzureKeyVault"
|
||||
)
|
||||
|
||||
def test__get_resource_group__(self):
|
||||
id = "/subscriptions/subscription_id/resourceGroups/resource_group/providers/Microsoft.Sql/servers/sql_server"
|
||||
sql_server = SQLServer(set_mocked_azure_audit_info())
|
||||
assert sql_server.__get_resource_group__(id) == "resource_group"
|
||||
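Review bot: `test__get_databases__`, `test__get_transparent_data_encryption__` and `test__get_encryption_protectors__` only read back the values returned by `mock_sqlserver_get_sql_servers`, because the class-level `@patch` replaces `SQLServer.__get_sql_servers__` and nothing in this file calls the real helpers. As far as this page shows, the code that maps the Azure response to the TDE status and to the protector's `server_key_type` is therefore not exercised, so a regression there could surface as a false PASS in the two new checks without failing this suite. Consider mocking the SDK client underneath and letting the real `__get_sql_servers__` run, or at least state the limit in the file with `# NOTE: fixture read-back only; the Azure SDK mapping is not covered here`. Minor: `id` in `test__get_resource_group__` shadows the builtin; `resource_id` would read better.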
@@ -0,0 +1,210 @@
|
||||
from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from azure.mgmt.sql.models import EncryptionProtector, TransparentDataEncryption
|
||||
|
||||
from prowler.providers.azure.services.sqlserver.sqlserver_service import (
|
||||
DatabaseServer,
|
||||
SQL_Server,
|
||||
)
|
||||
|
||||
AZURE_SUSCRIPTION = str(uuid4())
|
||||
|
||||
|
||||
class Test_sqlserver_tde_encrypted_with_cmk:
|
||||
def test_no_sql_servers(self):
|
||||
sqlserver_client = mock.MagicMock
|
||||
sqlserver_client.sql_servers = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.sqlserver.sqlserver_tde_encrypted_with_cmk.sqlserver_tde_encrypted_with_cmk.sqlserver_client",
|
||||
new=sqlserver_client,
|
||||
):
|
||||
from prowler.providers.azure.services.sqlserver.sqlserver_tde_encrypted_with_cmk.sqlserver_tde_encrypted_with_cmk import (
|
||||
sqlserver_tde_encrypted_with_cmk,
|
||||
)
|
||||
|
||||
check = sqlserver_tde_encrypted_with_cmk()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
|
||||
|
||||
def test_no_sql_servers_databases(self):
|
||||
sqlserver_client = mock.MagicMock
|
||||
sql_server_name = "SQL Server Name"
|
||||
sql_server_id = str(uuid4())
|
||||
sqlserver_client.sql_servers = {
|
||||
AZURE_SUSCRIPTION: [
|
||||
SQL_Server(
|
||||
id=sql_server_id,
|
||||
name=sql_server_name,
|
||||
public_network_access="",
|
||||
minimal_tls_version="",
|
||||
administrators=None,
|
||||
auditing_policies=None,
|
||||
firewall_rules=None,
|
||||
databases=None,
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.sqlserver.sqlserver_tde_encrypted_with_cmk.sqlserver_tde_encrypted_with_cmk.sqlserver_client",
|
||||
new=sqlserver_client,
|
||||
):
|
||||
from prowler.providers.azure.services.sqlserver.sqlserver_tde_encrypted_with_cmk.sqlserver_tde_encrypted_with_cmk import (
|
||||
sqlserver_tde_encrypted_with_cmk,
|
||||
)
|
||||
|
||||
check = sqlserver_tde_encrypted_with_cmk()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
|
||||
|
||||
def test_sql_servers_encryption_protector_service_managed(self):
|
||||
sqlserver_client = mock.MagicMock
|
||||
sql_server_name = "SQL Server Name"
|
||||
sql_server_id = str(uuid4())
|
||||
database = DatabaseServer(
|
||||
id="id",
|
||||
name="name",
|
||||
type="type",
|
||||
location="location",
|
||||
managed_by="managed_by",
|
||||
tde_encryption=None,
|
||||
)
|
||||
sqlserver_client.sql_servers = {
|
||||
AZURE_SUSCRIPTION: [
|
||||
SQL_Server(
|
||||
id=sql_server_id,
|
||||
name=sql_server_name,
|
||||
public_network_access="",
|
||||
minimal_tls_version="",
|
||||
administrators=None,
|
||||
auditing_policies=None,
|
||||
firewall_rules=None,
|
||||
databases=[database],
|
||||
encryption_protector=EncryptionProtector(
|
||||
server_key_type="ServiceManaged"
|
||||
),
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.sqlserver.sqlserver_tde_encrypted_with_cmk.sqlserver_tde_encrypted_with_cmk.sqlserver_client",
|
||||
new=sqlserver_client,
|
||||
):
|
||||
from prowler.providers.azure.services.sqlserver.sqlserver_tde_encrypted_with_cmk.sqlserver_tde_encrypted_with_cmk import (
|
||||
sqlserver_tde_encrypted_with_cmk,
|
||||
)
|
||||
|
||||
check = sqlserver_tde_encrypted_with_cmk()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has TDE disabled without CMK."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUSCRIPTION
|
||||
assert result[0].resource_name == sql_server_name
|
||||
assert result[0].resource_id == sql_server_id
|
||||
|
||||
def test_sql_servers_database_encryption_disabled(self):
|
||||
sqlserver_client = mock.MagicMock
|
||||
sql_server_name = "SQL Server Name"
|
||||
sql_server_id = str(uuid4())
|
||||
database = DatabaseServer(
|
||||
id="id",
|
||||
name="name",
|
||||
type="type",
|
||||
location="location",
|
||||
managed_by="managed_by",
|
||||
tde_encryption=TransparentDataEncryption(status="Disabled"),
|
||||
)
|
||||
sqlserver_client.sql_servers = {
|
||||
AZURE_SUSCRIPTION: [
|
||||
SQL_Server(
|
||||
id=sql_server_id,
|
||||
name=sql_server_name,
|
||||
public_network_access="",
|
||||
minimal_tls_version="",
|
||||
administrators=None,
|
||||
auditing_policies=None,
|
||||
firewall_rules=None,
|
||||
databases=[database],
|
||||
encryption_protector=EncryptionProtector(
|
||||
server_key_type="AzureKeyVault"
|
||||
),
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.sqlserver.sqlserver_tde_encrypted_with_cmk.sqlserver_tde_encrypted_with_cmk.sqlserver_client",
|
||||
new=sqlserver_client,
|
||||
):
|
||||
from prowler.providers.azure.services.sqlserver.sqlserver_tde_encrypted_with_cmk.sqlserver_tde_encrypted_with_cmk import (
|
||||
sqlserver_tde_encrypted_with_cmk,
|
||||
)
|
||||
|
||||
check = sqlserver_tde_encrypted_with_cmk()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has TDE disabled with CMK."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUSCRIPTION
|
||||
assert result[0].resource_name == sql_server_name
|
||||
assert result[0].resource_id == sql_server_id
|
||||
|
||||
def test_sql_servers_database_encryption_enabled(self):
|
||||
sqlserver_client = mock.MagicMock
|
||||
sql_server_name = "SQL Server Name"
|
||||
sql_server_id = str(uuid4())
|
||||
database = DatabaseServer(
|
||||
id="id",
|
||||
name="name",
|
||||
type="type",
|
||||
location="location",
|
||||
managed_by="managed_by",
|
||||
tde_encryption=TransparentDataEncryption(status="Enabled"),
|
||||
)
|
||||
sqlserver_client.sql_servers = {
|
||||
AZURE_SUSCRIPTION: [
|
||||
SQL_Server(
|
||||
id=sql_server_id,
|
||||
name=sql_server_name,
|
||||
public_network_access="",
|
||||
minimal_tls_version="",
|
||||
administrators=None,
|
||||
auditing_policies=None,
|
||||
firewall_rules=None,
|
||||
databases=[database],
|
||||
encryption_protector=EncryptionProtector(
|
||||
server_key_type="AzureKeyVault"
|
||||
),
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.sqlserver.sqlserver_tde_encrypted_with_cmk.sqlserver_tde_encrypted_with_cmk.sqlserver_client",
|
||||
new=sqlserver_client,
|
||||
):
|
||||
from prowler.providers.azure.services.sqlserver.sqlserver_tde_encrypted_with_cmk.sqlserver_tde_encrypted_with_cmk import (
|
||||
sqlserver_tde_encrypted_with_cmk,
|
||||
)
|
||||
|
||||
check = sqlserver_tde_encrypted_with_cmk()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has TDE enabled with CMK."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUSCRIPTION
|
||||
assert result[0].resource_name == sql_server_name
|
||||
assert result[0].resource_id == sql_server_id
|
||||
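Review bot: `sqlserver_client = mock.MagicMock` in every test of this file binds the class rather than an instance, so `sqlserver_client.sql_servers = {...}` sets an attribute on `MagicMock` itself and the value stays visible to every mock created later in the same test process; use `sqlserver_client = mock.MagicMock()`. The same line appears in each test of the new `Test_sqlserver_tde_encryption_enabled` file further down. Separately, the only `ServiceManaged` case uses `tde_encryption=None`; a case with `server_key_type="ServiceManaged"` and `TransparentDataEncryption(status="Enabled")` would pin that a service-managed key still fails the check when TDE is on, which the visible tests do not establish.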
@@ -0,0 +1,160 @@
|
||||
from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from azure.mgmt.sql.models import TransparentDataEncryption
|
||||
|
||||
from prowler.providers.azure.services.sqlserver.sqlserver_service import (
|
||||
DatabaseServer,
|
||||
SQL_Server,
|
||||
)
|
||||
|
||||
AZURE_SUSCRIPTION = str(uuid4())
|
||||
|
||||
|
||||
class Test_sqlserver_tde_encryption_enabled:
|
||||
def test_no_sql_servers(self):
|
||||
sqlserver_client = mock.MagicMock
|
||||
sqlserver_client.sql_servers = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.sqlserver.sqlserver_tde_encryption_enabled.sqlserver_tde_encryption_enabled.sqlserver_client",
|
||||
new=sqlserver_client,
|
||||
):
|
||||
from prowler.providers.azure.services.sqlserver.sqlserver_tde_encryption_enabled.sqlserver_tde_encryption_enabled import (
|
||||
sqlserver_tde_encryption_enabled,
|
||||
)
|
||||
|
||||
check = sqlserver_tde_encryption_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
|
||||
|
||||
def test_no_sql_servers_databases(self):
|
||||
sqlserver_client = mock.MagicMock
|
||||
sql_server_name = "SQL Server Name"
|
||||
sql_server_id = str(uuid4())
|
||||
sqlserver_client.sql_servers = {
|
||||
AZURE_SUSCRIPTION: [
|
||||
SQL_Server(
|
||||
id=sql_server_id,
|
||||
name=sql_server_name,
|
||||
public_network_access="",
|
||||
minimal_tls_version="",
|
||||
administrators=None,
|
||||
auditing_policies=None,
|
||||
firewall_rules=None,
|
||||
databases=None,
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.sqlserver.sqlserver_tde_encryption_enabled.sqlserver_tde_encryption_enabled.sqlserver_client",
|
||||
new=sqlserver_client,
|
||||
):
|
||||
from prowler.providers.azure.services.sqlserver.sqlserver_tde_encryption_enabled.sqlserver_tde_encryption_enabled import (
|
||||
sqlserver_tde_encryption_enabled,
|
||||
)
|
||||
|
||||
check = sqlserver_tde_encryption_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
|
||||
|
||||
def test_sql_servers_database_encryption_disabled(self):
|
||||
sqlserver_client = mock.MagicMock
|
||||
sql_server_name = "SQL Server Name"
|
||||
sql_server_id = str(uuid4())
|
||||
database_name = "Database Name"
|
||||
database_id = str(uuid4())
|
||||
database = DatabaseServer(
|
||||
id=database_id,
|
||||
name=database_name,
|
||||
type="type",
|
||||
location="location",
|
||||
managed_by="managed_by",
|
||||
tde_encryption=TransparentDataEncryption(status="Disabled"),
|
||||
)
|
||||
sqlserver_client.sql_servers = {
|
||||
AZURE_SUSCRIPTION: [
|
||||
SQL_Server(
|
||||
id=sql_server_id,
|
||||
name=sql_server_name,
|
||||
public_network_access="",
|
||||
minimal_tls_version="",
|
||||
administrators=None,
|
||||
auditing_policies=None,
|
||||
firewall_rules=None,
|
||||
databases=[database],
|
||||
encryption_protector=None,
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.sqlserver.sqlserver_tde_encryption_enabled.sqlserver_tde_encryption_enabled.sqlserver_client",
|
||||
new=sqlserver_client,
|
||||
):
|
||||
from prowler.providers.azure.services.sqlserver.sqlserver_tde_encryption_enabled.sqlserver_tde_encryption_enabled import (
|
||||
sqlserver_tde_encryption_enabled,
|
||||
)
|
||||
|
||||
check = sqlserver_tde_encryption_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Database {database_name} from SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has TDE disabled"
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUSCRIPTION
|
||||
assert result[0].resource_name == database_name
|
||||
assert result[0].resource_id == database_id
|
||||
|
||||
def test_sql_servers_database_encryption_enabled(self):
|
||||
sqlserver_client = mock.MagicMock
|
||||
sql_server_name = "SQL Server Name"
|
||||
sql_server_id = str(uuid4())
|
||||
database_name = "Database Name"
|
||||
database_id = str(uuid4())
|
||||
database = DatabaseServer(
|
||||
id=database_id,
|
||||
name=database_name,
|
||||
type="type",
|
||||
location="location",
|
||||
managed_by="managed_by",
|
||||
tde_encryption=TransparentDataEncryption(status="Enabled"),
|
||||
)
|
||||
sqlserver_client.sql_servers = {
|
||||
AZURE_SUSCRIPTION: [
|
||||
SQL_Server(
|
||||
id=sql_server_id,
|
||||
name=sql_server_name,
|
||||
public_network_access="",
|
||||
minimal_tls_version="",
|
||||
administrators=None,
|
||||
auditing_policies=None,
|
||||
firewall_rules=None,
|
||||
databases=[database],
|
||||
encryption_protector=None,
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.sqlserver.sqlserver_tde_encryption_enabled.sqlserver_tde_encryption_enabled.sqlserver_client",
|
||||
new=sqlserver_client,
|
||||
):
|
||||
from prowler.providers.azure.services.sqlserver.sqlserver_tde_encryption_enabled.sqlserver_tde_encryption_enabled import (
|
||||
sqlserver_tde_encryption_enabled,
|
||||
)
|
||||
|
||||
check = sqlserver_tde_encryption_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Database {database_name} from SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has TDE enabled"
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUSCRIPTION
|
||||
assert result[0].resource_name == database_name
|
||||
assert result[0].resource_id == database_id
|
||||
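Review bot: No test here covers a database whose `tde_encryption` is `None`, although the sibling CMK test builds `DatabaseServer(..., tde_encryption=None)`, so that value is evidently possible. The check's body is not on this page, so whether it raises on `.status`, skips the database or reports a finding is not pinned; for an encryption check a FAIL finding is presumably the intended outcome rather than a silent skip. Adding a case with `tde_encryption=None` that asserts `len(result) == 1` and `result[0].status == "FAIL"` would fix the expected behaviour.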
@@ -8,7 +8,7 @@ from prowler.providers.azure.services.sqlserver.sqlserver_service import SQL_Ser
|
||||
AZURE_SUSCRIPTION = str(uuid4())
|
||||
|
||||
|
||||
class Test_defender_ensure_defender_for_storage_is_on:
|
||||
class Test_sqlserver_unrestricted_inbound_access:
|
||||
def test_no_sql_servers(self):
|
||||
sqlserver_client = mock.MagicMock
|
||||
sqlserver_client.sql_servers = {}
|
||||
|
||||