feat(azure): Azure new check policy_ensure_asc_enforcement_enabled (#3452)

Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
2026-02-10 06:45:08 +00:00 · 2024-02-27 13:34:28 +01:00
parent bd05aaa4f9
commit 73733f674c
10 changed files with 290 additions and 2 deletions
--- a/tests/providers/azure/services/policy/policy_ensure_asc_enforcement_enabled/policy_ensure_asc_enforcement_enabled_test.py
+++ b/tests/providers/azure/services/policy/policy_ensure_asc_enforcement_enabled/policy_ensure_asc_enforcement_enabled_test.py
@@ -0,0 +1,122 @@
+from unittest import mock
+from uuid import uuid4
+
+from prowler.providers.azure.services.policy.policy_service import PolicyAssigment
+from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
+
+
+class Test_policy_ensure_asc_enforcement_enabled:
+    def test_policy_no_subscriptions(self):
+        policy_client = mock.MagicMock
+        policy_client.policy_assigments = {}
+
+        with mock.patch(
+            "prowler.providers.azure.services.policy.policy_ensure_asc_enforcement_enabled.policy_ensure_asc_enforcement_enabled.policy_client",
+            new=policy_client,
+        ):
+            from prowler.providers.azure.services.policy.policy_ensure_asc_enforcement_enabled.policy_ensure_asc_enforcement_enabled import (
+                policy_ensure_asc_enforcement_enabled,
+            )
+
+            check = policy_ensure_asc_enforcement_enabled()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_policy_subscription_empty(self):
+        policy_client = mock.MagicMock
+        policy_client.policy_assigments = {AZURE_SUBSCRIPTION: {}}
+
+        with mock.patch(
+            "prowler.providers.azure.services.policy.policy_ensure_asc_enforcement_enabled.policy_ensure_asc_enforcement_enabled.policy_client",
+            new=policy_client,
+        ):
+            from prowler.providers.azure.services.policy.policy_ensure_asc_enforcement_enabled.policy_ensure_asc_enforcement_enabled import (
+                policy_ensure_asc_enforcement_enabled,
+            )
+
+            check = policy_ensure_asc_enforcement_enabled()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_policy_subscription_no_asc(self):
+        policy_client = mock.MagicMock
+        resource_id = uuid4()
+        policy_client.policy_assigments = {
+            AZURE_SUBSCRIPTION: {
+                "policy-1": PolicyAssigment(id=resource_id, enforcement_mode="Default")
+            }
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.policy.policy_ensure_asc_enforcement_enabled.policy_ensure_asc_enforcement_enabled.policy_client",
+            new=policy_client,
+        ):
+            from prowler.providers.azure.services.policy.policy_ensure_asc_enforcement_enabled.policy_ensure_asc_enforcement_enabled import (
+                policy_ensure_asc_enforcement_enabled,
+            )
+
+            check = policy_ensure_asc_enforcement_enabled()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_policy_subscription_asc_default(self):
+        policy_client = mock.MagicMock
+        resource_id = uuid4()
+        policy_client.policy_assigments = {
+            AZURE_SUBSCRIPTION: {
+                "SecurityCenterBuiltIn": PolicyAssigment(
+                    id=resource_id, enforcement_mode="Default"
+                )
+            }
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.policy.policy_ensure_asc_enforcement_enabled.policy_ensure_asc_enforcement_enabled.policy_client",
+            new=policy_client,
+        ):
+            from prowler.providers.azure.services.policy.policy_ensure_asc_enforcement_enabled.policy_ensure_asc_enforcement_enabled import (
+                policy_ensure_asc_enforcement_enabled,
+            )
+
+            check = policy_ensure_asc_enforcement_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Policy assigment '{resource_id}' is configured with enforcement mode 'Default'."
+            )
+            assert result[0].resource_id == resource_id
+            assert result[0].resource_name == "SecurityCenterBuiltIn"
+            assert result[0].subscription == AZURE_SUBSCRIPTION
+
+    def test_policy_subscription_asc_not_default(self):
+        policy_client = mock.MagicMock
+        resource_id = uuid4()
+        policy_client.policy_assigments = {
+            AZURE_SUBSCRIPTION: {
+                "SecurityCenterBuiltIn": PolicyAssigment(
+                    id=resource_id, enforcement_mode="DoNotEnforce"
+                )
+            }
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.policy.policy_ensure_asc_enforcement_enabled.policy_ensure_asc_enforcement_enabled.policy_client",
+            new=policy_client,
+        ):
+            from prowler.providers.azure.services.policy.policy_ensure_asc_enforcement_enabled.policy_ensure_asc_enforcement_enabled import (
+                policy_ensure_asc_enforcement_enabled,
+            )
+
+            check = policy_ensure_asc_enforcement_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Policy assigment '{resource_id}' is not configured with enforcement mode Default."
+            )
+            assert result[0].resource_id == resource_id
+            assert result[0].resource_name == "SecurityCenterBuiltIn"
+            assert result[0].subscription == AZURE_SUBSCRIPTION
--- a/tests/providers/azure/services/policy/policy_service_test.py
+++ b/tests/providers/azure/services/policy/policy_service_test.py
@@ -0,0 +1,46 @@
+from unittest.mock import patch
+
+from prowler.providers.azure.services.policy.policy_service import (
+    Policy,
+    PolicyAssigment,
+)
+from tests.providers.azure.azure_fixtures import (
+    AZURE_SUBSCRIPTION,
+    set_mocked_azure_audit_info,
+)
+
+
+def mock_policy_assigments(_):
+    return {
+        AZURE_SUBSCRIPTION: {
+            "policy-1": PolicyAssigment(id="id-1", enforcement_mode="Default")
+        }
+    }
+
+
+@patch(
+    "prowler.providers.azure.services.policy.policy_service.Policy.__get_policy_assigments__",
+    new=mock_policy_assigments,
+)
+class Test_AppInsights_Service:
+    def test__get_client__(self):
+        policy = Policy(set_mocked_azure_audit_info())
+        assert policy.clients[AZURE_SUBSCRIPTION].__class__.__name__ == "PolicyClient"
+
+    def test__get_subscriptions__(self):
+        policy = Policy(set_mocked_azure_audit_info())
+        assert policy.subscriptions.__class__.__name__ == "dict"
+
+    def test__get_policy_assigments__(self):
+        policy = Policy(set_mocked_azure_audit_info())
+        assert policy.policy_assigments.__class__.__name__ == "dict"
+        assert policy.policy_assigments[AZURE_SUBSCRIPTION].__class__.__name__ == "dict"
+        assert (
+            policy.policy_assigments[AZURE_SUBSCRIPTION]["policy-1"].__class__.__name__
+            == "PolicyAssigment"
+        )
+        assert policy.policy_assigments[AZURE_SUBSCRIPTION]["policy-1"].id == "id-1"
+        assert (
+            policy.policy_assigments[AZURE_SUBSCRIPTION]["policy-1"].enforcement_mode
+            == "Default"
+        )