feat(azure): Defender check defender_ensure_iot_hub_defender_is_on (#3367)

2026-02-10 14:55:00 +00:00 · 2024-02-07 12:46:02 +01:00
parent f7051351ec
commit 740e829e4f
6 changed files with 286 additions and 0 deletions
--- a/tests/providers/azure/services/defender/defender_ensure_iot_hub_defender_is_on/defender_ensure_iot_hub_defender_is_on_test.py
+++ b/tests/providers/azure/services/defender/defender_ensure_iot_hub_defender_is_on/defender_ensure_iot_hub_defender_is_on_test.py
@@ -0,0 +1,153 @@
+from unittest import mock
+from uuid import uuid4
+
+from prowler.providers.azure.services.defender.defender_service import (
+    IoTSecuritySolution,
+)
+from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
+
+
+class Test_defender_ensure_iot_hub_defender_is_on:
+    def test_defender_no_subscriptions(self):
+        defender_client = mock.MagicMock
+        defender_client.iot_security_solutions = {}
+
+        with mock.patch(
+            "prowler.providers.azure.services.defender.defender_ensure_iot_hub_defender_is_on.defender_ensure_iot_hub_defender_is_on.defender_client",
+            new=defender_client,
+        ):
+            from prowler.providers.azure.services.defender.defender_ensure_iot_hub_defender_is_on.defender_ensure_iot_hub_defender_is_on import (
+                defender_ensure_iot_hub_defender_is_on,
+            )
+
+            check = defender_ensure_iot_hub_defender_is_on()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_defender_no_iot_hub_solutions(self):
+        defender_client = mock.MagicMock
+        defender_client.iot_security_solutions = {AZURE_SUBSCRIPTION: {}}
+
+        with mock.patch(
+            "prowler.providers.azure.services.defender.defender_ensure_iot_hub_defender_is_on.defender_ensure_iot_hub_defender_is_on.defender_client",
+            new=defender_client,
+        ):
+            from prowler.providers.azure.services.defender.defender_ensure_iot_hub_defender_is_on.defender_ensure_iot_hub_defender_is_on import (
+                defender_ensure_iot_hub_defender_is_on,
+            )
+
+            check = defender_ensure_iot_hub_defender_is_on()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"No IoT Security Solutions found in the subscription {AZURE_SUBSCRIPTION}."
+            )
+            assert result[0].resource_name == "IoT Hub Defender"
+            assert result[0].resource_id == "IoT Hub Defender"
+
+    def test_defender_iot_hub_solution_disabled(self):
+        resource_id = str(uuid4())
+        defender_client = mock.MagicMock
+        defender_client.iot_security_solutions = {
+            AZURE_SUBSCRIPTION: {
+                "iot_sec_solution": IoTSecuritySolution(
+                    resource_id=resource_id, status="Disabled"
+                )
+            }
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.defender.defender_ensure_iot_hub_defender_is_on.defender_ensure_iot_hub_defender_is_on.defender_client",
+            new=defender_client,
+        ):
+            from prowler.providers.azure.services.defender.defender_ensure_iot_hub_defender_is_on.defender_ensure_iot_hub_defender_is_on import (
+                defender_ensure_iot_hub_defender_is_on,
+            )
+
+            check = defender_ensure_iot_hub_defender_is_on()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"The security solution iot_sec_solution is disabled in susbscription {AZURE_SUBSCRIPTION}"
+            )
+            assert result[0].resource_name == "iot_sec_solution"
+            assert result[0].resource_id == resource_id
+
+    def test_defender_iot_hub_solution_enabled(self):
+        resource_id = str(uuid4())
+        defender_client = mock.MagicMock
+        defender_client.iot_security_solutions = {
+            AZURE_SUBSCRIPTION: {
+                "iot_sec_solution": IoTSecuritySolution(
+                    resource_id=resource_id, status="Enabled"
+                )
+            }
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.defender.defender_ensure_iot_hub_defender_is_on.defender_ensure_iot_hub_defender_is_on.defender_client",
+            new=defender_client,
+        ):
+            from prowler.providers.azure.services.defender.defender_ensure_iot_hub_defender_is_on.defender_ensure_iot_hub_defender_is_on import (
+                defender_ensure_iot_hub_defender_is_on,
+            )
+
+            check = defender_ensure_iot_hub_defender_is_on()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"The security solution iot_sec_solution is enabled in susbscription {AZURE_SUBSCRIPTION}."
+            )
+            assert result[0].resource_name == "iot_sec_solution"
+            assert result[0].resource_id == resource_id
+            assert result[0].subscription == AZURE_SUBSCRIPTION
+
+    def test_defender_multiple_iot_hub_solution_enabled_and_disabled(self):
+        resource_id_enabled = str(uuid4())
+        resource_id_disabled = str(uuid4())
+        defender_client = mock.MagicMock
+        defender_client.iot_security_solutions = {
+            AZURE_SUBSCRIPTION: {
+                "iot_sec_solution_enabled": IoTSecuritySolution(
+                    resource_id=resource_id_enabled, status="Enabled"
+                ),
+                "iot_sec_solution_disabled": IoTSecuritySolution(
+                    resource_id=resource_id_disabled, status="Disabled"
+                ),
+            }
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.defender.defender_ensure_iot_hub_defender_is_on.defender_ensure_iot_hub_defender_is_on.defender_client",
+            new=defender_client,
+        ):
+            from prowler.providers.azure.services.defender.defender_ensure_iot_hub_defender_is_on.defender_ensure_iot_hub_defender_is_on import (
+                defender_ensure_iot_hub_defender_is_on,
+            )
+
+            check = defender_ensure_iot_hub_defender_is_on()
+            result = check.execute()
+            assert len(result) == 2
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"The security solution iot_sec_solution_enabled is enabled in susbscription {AZURE_SUBSCRIPTION}."
+            )
+            assert result[0].resource_name == "iot_sec_solution_enabled"
+            assert result[0].resource_id == resource_id_enabled
+            assert result[0].subscription == AZURE_SUBSCRIPTION
+
+            assert result[1].status == "FAIL"
+            assert (
+                result[1].status_extended
+                == f"The security solution iot_sec_solution_disabled is disabled in susbscription {AZURE_SUBSCRIPTION}"
+            )
+            assert result[1].resource_name == "iot_sec_solution_disabled"
+            assert result[1].resource_id == resource_id_disabled
+            assert result[1].subscription == AZURE_SUBSCRIPTION
--- a/tests/providers/azure/services/defender/defender_service_test.py
+++ b/tests/providers/azure/services/defender/defender_service_test.py
@@ -5,6 +5,7 @@ from prowler.providers.azure.services.defender.defender_service import (
    Assesment,
    AutoProvisioningSetting,
    Defender,
+    IoTSecuritySolution,
    Pricing,
    SecurityContacts,
    Setting,
@@ -81,6 +82,17 @@ def mock_defender_get_settings(_):
    }


+def mock_defender_get_iot_security_solutions(_):
+    return {
+        AZURE_SUBSCRIPTION: {
+            "iot_sec_solution": IoTSecuritySolution(
+                resource_id="/subscriptions/resource_id",
+                status="Enabled",
+            )
+        }
+    }
+
+
@patch(
    "prowler.providers.azure.services.defender.defender_service.Defender.__get_pricings__",
    new=mock_defender_get_pricings,
@@ -101,6 +113,10 @@ def mock_defender_get_settings(_):
    "prowler.providers.azure.services.defender.defender_service.Defender.__get_security_contacts__",
    new=mock_defender_get_security_contacts,
 )
+@patch(
+    "prowler.providers.azure.services.defender.defender_service.Defender.__get_iot_security_solutions__",
+    new=mock_defender_get_iot_security_solutions,
+)
 class Test_Defender_Service:
    def test__get_client__(self):
        defender = Defender(set_mocked_azure_audit_info())
@@ -221,3 +237,19 @@ class Test_Defender_Service:
            ].notified_roles_state
            == "On"
        )
+
+    def test__get_iot_security_solutions__(self):
+        defender = Defender(set_mocked_azure_audit_info())
+        assert len(defender.iot_security_solutions) == 1
+        assert (
+            defender.iot_security_solutions[AZURE_SUBSCRIPTION][
+                "iot_sec_solution"
+            ].resource_id
+            == "/subscriptions/resource_id"
+        )
+        assert (
+            defender.iot_security_solutions[AZURE_SUBSCRIPTION][
+                "iot_sec_solution"
+            ].status
+            == "Enabled"
+        )