feat(Azure): Entra service with two checks (#3510)

tests/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_apps/entra_policy_ensure_default_user_cannot_create_apps_test.py

@@ -0,0 +1,90 @@
+from unittest import mock
+from uuid import uuid4
+
+from prowler.providers.azure.services.entra.entra_service import AuthorizationPolicy
+
+
+class Test_entra_policy_ensure_default_user_cannot_create_apps:
+    def test_entra_no_authorization_policy(self):
+        entra_client = mock.MagicMock
+        entra_client.authorization_policy = {}
+
+        with mock.patch(
+            "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_tenants.entra_policy_ensure_default_user_cannot_create_tenants.entra_client",
+            new=entra_client,
+        ):
+            from prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_tenants.entra_policy_ensure_default_user_cannot_create_tenants import (
+                entra_policy_ensure_default_user_cannot_create_tenants,
+            )
+
+            check = entra_policy_ensure_default_user_cannot_create_tenants()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_entra_default_user_role_permissions_not_allowed_to_create_apps(self):
+        id = str(uuid4())
+        entra_client = mock.MagicMock
+        entra_client.authorization_policy = {
+            "test.com": AuthorizationPolicy(
+                id=id,
+                name="Test",
+                description="Test",
+                default_user_role_permissions=mock.MagicMock(
+                    allowed_to_create_apps=False
+                ),
+            )
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_apps.entra_policy_ensure_default_user_cannot_create_apps.entra_client",
+            new=entra_client,
+        ):
+            from prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_apps.entra_policy_ensure_default_user_cannot_create_apps import (
+                entra_policy_ensure_default_user_cannot_create_apps,
+            )
+
+            check = entra_policy_ensure_default_user_cannot_create_apps()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == "App creation is disabled for non-admin users."
+            )
+            assert result[0].resource_name == "Test"
+            assert result[0].resource_id == id
+            assert result[0].subscription == "All from tenant 'test.com'"
+
+    def test_entra_default_user_role_permissions_allowed_to_create_apps(self):
+        id = str(uuid4())
+        entra_client = mock.MagicMock
+        entra_client.authorization_policy = {
+            "test.com": AuthorizationPolicy(
+                id=id,
+                name="Test",
+                description="Test",
+                default_user_role_permissions=mock.MagicMock(
+                    allowed_to_create_apps=True
+                ),
+            )
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_apps.entra_policy_ensure_default_user_cannot_create_apps.entra_client",
+            new=entra_client,
+        ):
+            from prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_apps.entra_policy_ensure_default_user_cannot_create_apps import (
+                entra_policy_ensure_default_user_cannot_create_apps,
+            )
+
+            check = entra_policy_ensure_default_user_cannot_create_apps()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == "App creation is not disabled for non-admin users."
+            )
+            assert result[0].resource_name == "Test"
+            assert result[0].resource_id == id
+            assert result[0].subscription == "All from tenant 'test.com'"

tests/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_tenants/entra_policy_ensure_default_user_cannot_create_tenants_test.py

@@ -0,0 +1,90 @@
+from unittest import mock
+from uuid import uuid4
+
+from prowler.providers.azure.services.entra.entra_service import AuthorizationPolicy
+
+
+class Test_entra_policy_ensure_default_user_cannot_create_tenants:
+    def test_entra_no_authorization_policy(self):
+        entra_client = mock.MagicMock
+        entra_client.authorization_policy = {}
+
+        with mock.patch(
+            "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_tenants.entra_policy_ensure_default_user_cannot_create_tenants.entra_client",
+            new=entra_client,
+        ):
+            from prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_tenants.entra_policy_ensure_default_user_cannot_create_tenants import (
+                entra_policy_ensure_default_user_cannot_create_tenants,
+            )
+
+            check = entra_policy_ensure_default_user_cannot_create_tenants()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_entra_default_user_role_permissions_not_allowed_to_create_tenants(self):
+        id = str(uuid4())
+        entra_client = mock.MagicMock
+        entra_client.authorization_policy = {
+            "test.omnimicrosoft.com": AuthorizationPolicy(
+                id=id,
+                name="Test",
+                description="Test",
+                default_user_role_permissions=mock.MagicMock(
+                    allowed_to_create_tenants=False
+                ),
+            )
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_tenants.entra_policy_ensure_default_user_cannot_create_tenants.entra_client",
+            new=entra_client,
+        ):
+            from prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_tenants.entra_policy_ensure_default_user_cannot_create_tenants import (
+                entra_policy_ensure_default_user_cannot_create_tenants,
+            )
+
+            check = entra_policy_ensure_default_user_cannot_create_tenants()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == "Tenants creation is disabled for non-admin users."
+            )
+            assert result[0].resource_name == "Test"
+            assert result[0].resource_id == id
+            assert result[0].subscription == "All from tenant 'test.omnimicrosoft.com'"
+
+    def test_entra_default_user_role_permissions_allowed_to_create_tenants(self):
+        id = str(uuid4())
+        entra_client = mock.MagicMock
+        entra_client.authorization_policy = {
+            "test.omnimicrosoft.com": AuthorizationPolicy(
+                id=id,
+                name="Test",
+                description="Test",
+                default_user_role_permissions=mock.MagicMock(
+                    allowed_to_create_tenants=True
+                ),
+            )
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_tenants.entra_policy_ensure_default_user_cannot_create_tenants.entra_client",
+            new=entra_client,
+        ):
+            from prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_tenants.entra_policy_ensure_default_user_cannot_create_tenants import (
+                entra_policy_ensure_default_user_cannot_create_tenants,
+            )
+
+            check = entra_policy_ensure_default_user_cannot_create_tenants()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == "Tenants creation is not disabled for non-admin users."
+            )
+            assert result[0].resource_name == "Test"
+            assert result[0].resource_id == id
+            assert result[0].subscription == "All from tenant 'test.omnimicrosoft.com'"

tests/providers/azure/services/entra/entra_service_test.py

@@ -0,0 +1,54 @@
+from unittest.mock import patch
+
+from prowler.providers.azure.services.entra.entra_service import (
+    AuthorizationPolicy,
+    Entra,
+    User,
+)
+from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_audit_info
+
+
+async def mock_entra_get_users(_):
+    return {
+        "user-1@tenant1.es": User(id="id-1", name="User 1"),
+    }
+
+
+async def mock_entra_get_authorization_policy(_):
+    return AuthorizationPolicy(
+        id="id-1",
+        name="Name 1",
+        description="Description 1",
+        default_user_role_permissions=None,
+    )
+
+
+@patch(
+    "prowler.providers.azure.services.entra.entra_service.Entra.__get_users__",
+    new=mock_entra_get_users,
+)
+@patch(
+    "prowler.providers.azure.services.entra.entra_service.Entra.__get_authorization_policy__",
+    new=mock_entra_get_authorization_policy,
+)
+class Test_Entra_Service:
+    def test__get_client__(self):
+        entra_client = Entra(set_mocked_azure_audit_info())
+        assert entra_client.clients[DOMAIN].__class__.__name__ == "GraphServiceClient"
+
+    def test__get_subscriptions__(self):
+        entra_client = Entra(set_mocked_azure_audit_info())
+        assert entra_client.subscriptions.__class__.__name__ == "dict"
+
+    def test__get_users__(self):
+        entra_client = Entra(set_mocked_azure_audit_info())
+        assert len(entra_client.users) == 1
+        assert entra_client.users["user-1@tenant1.es"].id == "id-1"
+        assert entra_client.users["user-1@tenant1.es"].name == "User 1"
+
+    def test__get_authorization_policy__(self):
+        entra_client = Entra(set_mocked_azure_audit_info())
+        assert entra_client.authorization_policy.id == "id-1"
+        assert entra_client.authorization_policy.name == "Name 1"
+        assert entra_client.authorization_policy.description == "Description 1"
+        assert not entra_client.authorization_policy.default_user_role_permissions