feat(azure): Checks related to Azure Keyvault (#3430)

This commit is contained in:
Pedro Martín
2024-02-26 12:49:30 +01:00
committed by GitHub
parent 134c795f4b
commit 88863b137f
37 changed files with 2070 additions and 14 deletions


@@ -0,0 +1,151 @@
from unittest import mock
from uuid import uuid4
from azure.mgmt.keyvault.v2023_07_01.models import KeyAttributes, VaultProperties
from prowler.providers.azure.services.keyvault.keyvault_service import Key, KeyVaultInfo
AZURE_SUBSCRIPTION = str(uuid4())
class Test_keyvault_key_expiration_set_in_non_rbac:
def test_no_key_vaults(self):
keyvault_client = mock.MagicMock
keyvault_client.key_vaults = {}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_key_expiration_set_in_non_rbac.keyvault_key_expiration_set_in_non_rbac.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_key_expiration_set_in_non_rbac.keyvault_key_expiration_set_in_non_rbac import (
keyvault_key_expiration_set_in_non_rbac,
)
check = keyvault_key_expiration_set_in_non_rbac()
result = check.execute()
assert len(result) == 0
def test_no_keys(self):
keyvault_client = mock.MagicMock
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id="id",
name="name",
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid", sku="sku", enable_rbac_authorization=False
),
keys=[],
secrets=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_key_expiration_set_in_non_rbac.keyvault_key_expiration_set_in_non_rbac.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_key_expiration_set_in_non_rbac.keyvault_key_expiration_set_in_non_rbac import (
keyvault_key_expiration_set_in_non_rbac,
)
check = keyvault_key_expiration_set_in_non_rbac()
result = check.execute()
assert len(result) == 0
def test_key_vaults_invalid_keys(self):
keyvault_client = mock.MagicMock
keyvault_name = "Keyvault Name"
keyvault_id = str(uuid4())
key_name = "Key Name"
key = Key(
id="id",
name=key_name,
enabled=True,
location="location",
attributes=KeyAttributes(expires=None, enabled=True),
)
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id=keyvault_id,
name=keyvault_name,
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid", sku="sku", enable_rbac_authorization=False
),
keys=[key],
secrets=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_key_expiration_set_in_non_rbac.keyvault_key_expiration_set_in_non_rbac.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_key_expiration_set_in_non_rbac.keyvault_key_expiration_set_in_non_rbac import (
keyvault_key_expiration_set_in_non_rbac,
)
check = keyvault_key_expiration_set_in_non_rbac()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has the key {key_name} without expiration date set."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == keyvault_name
assert result[0].resource_id == keyvault_id
def test_key_vaults_valid_keys(self):
keyvault_client = mock.MagicMock
keyvault_name = "Keyvault Name"
keyvault_id = str(uuid4())
key = Key(
id="id",
name="name",
enabled=True,
location="location",
attributes=KeyAttributes(expires=49394, enabled=True),
)
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id=keyvault_id,
name=keyvault_name,
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid", sku="sku", enable_rbac_authorization=False
),
keys=[key],
secrets=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_key_expiration_set_in_non_rbac.keyvault_key_expiration_set_in_non_rbac.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_key_expiration_set_in_non_rbac.keyvault_key_expiration_set_in_non_rbac import (
keyvault_key_expiration_set_in_non_rbac,
)
check = keyvault_key_expiration_set_in_non_rbac()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has all the keys with expiration date set."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == keyvault_name
assert result[0].resource_id == keyvault_id
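Review bot: `keyvault_client = mock.MagicMock` at the top of every test (L21, L34, L61, L106) assigns the MagicMock class rather than an instance, so `keyvault_client.key_vaults = ...` sets a class attribute on `unittest.mock.MagicMock` that persists across tests and for the rest of the pytest session; each of those lines should read `keyvault_client = mock.MagicMock()`. The same pattern repeats in the other test files of this commit. Separately, the check name says it applies to non-RBAC vaults only, yet no test here builds a vault with `enable_rbac_authorization=True` holding a key without expiration and asserts `len(result) == 0`, so the RBAC exclusion that distinguishes this check from its RBAC twin is untested.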


@@ -0,0 +1,163 @@
from unittest import mock
from uuid import uuid4
from azure.keyvault.keys import KeyRotationLifetimeAction, KeyRotationPolicy
from azure.mgmt.keyvault.v2023_07_01.models import KeyAttributes, VaultProperties
from prowler.providers.azure.services.keyvault.keyvault_service import Key, KeyVaultInfo
AZURE_SUBSCRIPTION = str(uuid4())
class Test_keyvault_key_rotation_enabled:
def test_no_key_vaults(self):
keyvault_client = mock.MagicMock
keyvault_client.key_vaults = {}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_key_rotation_enabled.keyvault_key_rotation_enabled.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_key_rotation_enabled.keyvault_key_rotation_enabled import (
keyvault_key_rotation_enabled,
)
check = keyvault_key_rotation_enabled()
result = check.execute()
assert len(result) == 0
def test_no_keys(self):
keyvault_client = mock.MagicMock
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id="id",
name="name",
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid", sku="sku", enable_rbac_authorization=False
),
keys=[],
secrets=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_key_rotation_enabled.keyvault_key_rotation_enabled.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_key_rotation_enabled.keyvault_key_rotation_enabled import (
keyvault_key_rotation_enabled,
)
check = keyvault_key_rotation_enabled()
result = check.execute()
assert len(result) == 0
def test_key_without_rotation_policy(self):
keyvault_client = mock.MagicMock
keyvault_name = "keyvault_name"
key_name = "key_name"
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id="id",
name=keyvault_name,
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid", sku="sku", enable_rbac_authorization=False
),
keys=[
Key(
id="id",
name=key_name,
enabled=True,
location="location",
attributes=KeyAttributes(expires=None, enabled=True),
rotation_policy=None,
)
],
secrets=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_key_rotation_enabled.keyvault_key_rotation_enabled.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_key_rotation_enabled.keyvault_key_rotation_enabled import (
keyvault_key_rotation_enabled,
)
check = keyvault_key_rotation_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has the key {key_name} without rotation policy set."
)
assert result[0].resource_name == keyvault_name
assert result[0].resource_id == "id"
assert result[0].subscription == AZURE_SUBSCRIPTION
def test_key_with_rotation_policy(self):
keyvault_client = mock.MagicMock
keyvault_name = "keyvault_name"
key_name = "key_name"
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id="id",
name=keyvault_name,
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid", sku="sku", enable_rbac_authorization=False
),
keys=[
Key(
id="id",
name=key_name,
enabled=True,
location="location",
attributes=KeyAttributes(expires=None, enabled=True),
rotation_policy=KeyRotationPolicy(
lifetime_actions=[
KeyRotationLifetimeAction(
action="Rotate",
lifetime_action_type="Rotate",
lifetime_percentage=80,
)
]
),
)
],
secrets=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_key_rotation_enabled.keyvault_key_rotation_enabled.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_key_rotation_enabled.keyvault_key_rotation_enabled import (
keyvault_key_rotation_enabled,
)
check = keyvault_key_rotation_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has the key {key_name} with rotation policy set."
)
assert result[0].resource_name == keyvault_name
assert result[0].resource_id == "id"
assert result[0].subscription == AZURE_SUBSCRIPTION
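Review bot: The PASS case builds a policy whose only lifetime action is `action="Rotate"` (L267-L275), but nothing covers a `KeyRotationPolicy` whose `lifetime_actions` is empty or holds only a Notify action, which is the realistic false-positive: a policy object exists yet never rotates the key. Whether the check inspects `lifetime_actions` or merely tests `rotation_policy` for truthiness cannot be told from these tests, so add a case such as `rotation_policy=KeyRotationPolicy(lifetime_actions=[])` and pin the expected status either way. As far as I recall, `KeyRotationLifetimeAction` in azure-keyvault-keys takes `action` plus `time_after_create`/`time_before_expiry` keyword arguments; `lifetime_action_type` and `lifetime_percentage` at L271-L272 may be rejected as unexpected keyword arguments, so confirm them against the pinned SDK version.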


@@ -0,0 +1,210 @@
from unittest import mock
from uuid import uuid4
from azure.mgmt.keyvault.v2023_07_01.models import SecretAttributes, VaultProperties
from prowler.providers.azure.services.keyvault.keyvault_service import (
KeyVaultInfo,
Secret,
)
AZURE_SUBSCRIPTION = str(uuid4())
class Test_keyvault_non_rbac_secret_expiration_set:
def test_no_key_vaults(self):
keyvault_client = mock.MagicMock
keyvault_client.key_vaults = {}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_non_rbac_secret_expiration_set.keyvault_non_rbac_secret_expiration_set.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_non_rbac_secret_expiration_set.keyvault_non_rbac_secret_expiration_set import (
keyvault_non_rbac_secret_expiration_set,
)
check = keyvault_non_rbac_secret_expiration_set()
result = check.execute()
assert len(result) == 0
def test_no_secrets(self):
keyvault_client = mock.MagicMock
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id="id",
name="name",
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid", sku="sku", enable_rbac_authorization=False
),
keys=[],
secrets=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_non_rbac_secret_expiration_set.keyvault_non_rbac_secret_expiration_set.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_non_rbac_secret_expiration_set.keyvault_non_rbac_secret_expiration_set import (
keyvault_non_rbac_secret_expiration_set,
)
check = keyvault_non_rbac_secret_expiration_set()
result = check.execute()
assert len(result) == 0
def test_key_vaults_invalid_secrets(self):
keyvault_client = mock.MagicMock
keyvault_name = "Keyvault Name"
keyvault_id = str(uuid4())
secret_name = "Secret"
secret = Secret(
id="id",
name=secret_name,
enabled=True,
location="location",
attributes=SecretAttributes(expires=None, enabled=True),
)
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id=keyvault_id,
name=keyvault_name,
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid", sku="sku", enable_rbac_authorization=False
),
keys=[],
secrets=[secret],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_non_rbac_secret_expiration_set.keyvault_non_rbac_secret_expiration_set.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_non_rbac_secret_expiration_set.keyvault_non_rbac_secret_expiration_set import (
keyvault_non_rbac_secret_expiration_set,
)
check = keyvault_non_rbac_secret_expiration_set()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has the secret {secret_name} without expiration date set."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == keyvault_name
assert result[0].resource_id == keyvault_id
def test_key_vaults_invalid_multiple_secrets(self):
keyvault_client = mock.MagicMock
keyvault_name = "Keyvault Name"
keyvault_id = str(uuid4())
secret1_name = "Secret1"
secret2_name = "Secret2"
secret1 = Secret(
id="id",
name=secret1_name,
enabled=True,
location="location",
attributes=SecretAttributes(expires=None),
)
secret2 = Secret(
id="id",
name=secret2_name,
enabled=True,
location="location",
attributes=SecretAttributes(expires=84934),
)
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id=keyvault_id,
name=keyvault_name,
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid", sku="sku", enable_rbac_authorization=False
),
keys=[],
secrets=[secret1, secret2],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_non_rbac_secret_expiration_set.keyvault_non_rbac_secret_expiration_set.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_non_rbac_secret_expiration_set.keyvault_non_rbac_secret_expiration_set import (
keyvault_non_rbac_secret_expiration_set,
)
check = keyvault_non_rbac_secret_expiration_set()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has the secret {secret1_name} without expiration date set."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == keyvault_name
assert result[0].resource_id == keyvault_id
def test_key_vaults_valid_keys(self):
keyvault_client = mock.MagicMock
keyvault_name = "Keyvault Name"
keyvault_id = str(uuid4())
secret = Secret(
id="id",
name="name",
enabled=False,
location="location",
attributes=SecretAttributes(expires=None),
)
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id=keyvault_id,
name=keyvault_name,
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid", sku="sku", enable_rbac_authorization=False
),
keys=[],
secrets=[secret],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_non_rbac_secret_expiration_set.keyvault_non_rbac_secret_expiration_set.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_non_rbac_secret_expiration_set.keyvault_non_rbac_secret_expiration_set import (
keyvault_non_rbac_secret_expiration_set,
)
check = keyvault_non_rbac_secret_expiration_set()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has all the secrets with expiration date set."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == keyvault_name
assert result[0].resource_id == keyvault_id
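Review bot: The PASS test `test_key_vaults_valid_keys` (L451) obtains its PASS from a disabled secret with `expires=None`, so what it actually pins is "disabled secrets are skipped", while its name says keys and the asserted message claims every secret has an expiration date. Rename it `test_key_vaults_disabled_secret_without_expiration_is_skipped` and add a separate PASS case with an enabled secret whose `expires` is set, which is the behaviour the check title describes. The FAIL fixture at L363 also sets `enabled=True` on both `Secret` and `SecretAttributes`, whereas L409 and L460 leave `SecretAttributes.enabled` unset, so which of the two flags the check consults is not pinned by these tests.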


@@ -0,0 +1,121 @@
from unittest import mock
from uuid import uuid4
from azure.mgmt.keyvault.v2023_07_01.models import (
PrivateEndpointConnectionItem,
VaultProperties,
)
from prowler.providers.azure.services.keyvault.keyvault_service import KeyVaultInfo
AZURE_SUBSCRIPTION = str(uuid4())
class Test_keyvault_private_endpoints:
def test_no_key_vaults(self):
keyvault_client = mock.MagicMock
keyvault_client.key_vaults = {}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_private_endpoints.keyvault_private_endpoints.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_private_endpoints.keyvault_private_endpoints import (
keyvault_private_endpoints,
)
check = keyvault_private_endpoints()
result = check.execute()
assert len(result) == 0
def test_key_vaults_no_private_endpoints(self):
keyvault_client = mock.MagicMock
keyvault_name = "Keyvault Name"
keyvault_id = str(uuid4())
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id=keyvault_id,
name=keyvault_name,
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid",
sku="sku",
enable_rbac_authorization=False,
private_endpoint_connections=None,
),
keys=[],
secrets=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_private_endpoints.keyvault_private_endpoints.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_private_endpoints.keyvault_private_endpoints import (
keyvault_private_endpoints,
)
check = keyvault_private_endpoints()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} is not using private endpoints."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == keyvault_name
assert result[0].resource_id == keyvault_id
def test_key_vaults_using_private_endpoints(self):
keyvault_client = mock.MagicMock
keyvault_name = "Keyvault Name"
keyvault_id = str(uuid4())
private_endpoint = PrivateEndpointConnectionItem(
id="id",
)
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id=keyvault_id,
name=keyvault_name,
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid",
sku="sku",
enable_rbac_authorization=True,
),
keys=[],
secrets=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_private_endpoints.keyvault_private_endpoints.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_private_endpoints.keyvault_private_endpoints import (
keyvault_private_endpoints,
)
keyvault_client.key_vaults[AZURE_SUBSCRIPTION][
0
].properties.private_endpoint_connections = [private_endpoint]
check = keyvault_private_endpoints()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} is using private endpoints."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == keyvault_name
assert result[0].resource_id == keyvault_id
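Review bot: The FAIL case only covers `private_endpoint_connections=None` (L536), but an empty list is the other value a vault without private endpoints can carry, and the two are not interchangeable for a check written as `is None` versus a truthiness test; add a case with `private_endpoint_connections=[]` asserting FAIL. In the PASS test the connection is attached by mutating `properties.private_endpoint_connections` after the import (L592-L594) instead of being passed to `VaultProperties` like every other fixture in this commit; passing `private_endpoint_connections=[private_endpoint]` at construction keeps the fixture readable and removes the dependence on patch timing. The PASS fixture also flips `enable_rbac_authorization=True` (L578) without the test depending on it, which looks like a copy-paste from the rbac tests.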


@@ -0,0 +1,110 @@
from unittest import mock
from uuid import uuid4
from azure.mgmt.keyvault.v2023_07_01.models import VaultProperties
from prowler.providers.azure.services.keyvault.keyvault_service import KeyVaultInfo
AZURE_SUBSCRIPTION = str(uuid4())
class Test_keyvault_rbac_enabled:
def test_no_key_vaults(self):
keyvault_client = mock.MagicMock
keyvault_client.key_vaults = {}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_rbac_enabled.keyvault_rbac_enabled.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_rbac_enabled.keyvault_rbac_enabled import (
keyvault_rbac_enabled,
)
check = keyvault_rbac_enabled()
result = check.execute()
assert len(result) == 0
def test_key_vaults_no_rbac(self):
keyvault_client = mock.MagicMock
keyvault_name = "Keyvault Name"
keyvault_id = str(uuid4())
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id=keyvault_id,
name=keyvault_name,
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid",
sku="sku",
enable_rbac_authorization=False,
),
keys=[],
secrets=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_rbac_enabled.keyvault_rbac_enabled.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_rbac_enabled.keyvault_rbac_enabled import (
keyvault_rbac_enabled,
)
check = keyvault_rbac_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} is not using RBAC for access control."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == keyvault_name
assert result[0].resource_id == keyvault_id
def test_key_vaults_rbac(self):
keyvault_client = mock.MagicMock
keyvault_name = "Keyvault Name"
keyvault_id = str(uuid4())
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id=keyvault_id,
name=keyvault_name,
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid",
sku="sku",
enable_rbac_authorization=True,
),
keys=[],
secrets=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_rbac_enabled.keyvault_rbac_enabled.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_rbac_enabled.keyvault_rbac_enabled import (
keyvault_rbac_enabled,
)
check = keyvault_rbac_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} is using RBAC for access control."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == keyvault_name
assert result[0].resource_id == keyvault_id
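Review bot: Neither case covers a vault whose `VaultProperties` omits `enable_rbac_authorization`; on the SDK model this is presumably an optional field defaulting to `None` (confirm), and a check that tests `== False` rather than truthiness would silently PASS such a vault. Add a third test constructing `VaultProperties(tenant_id="tenantid", sku="sku")` and asserting `result[0].status == "FAIL"`, since a vault with the flag unset is not using RBAC for access control.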


@@ -0,0 +1,151 @@
from unittest import mock
from uuid import uuid4
from azure.mgmt.keyvault.v2023_07_01.models import KeyAttributes, VaultProperties
from prowler.providers.azure.services.keyvault.keyvault_service import Key, KeyVaultInfo
AZURE_SUBSCRIPTION = str(uuid4())
class Test_keyvault_rbac_key_expiration_set:
def test_no_key_vaults(self):
keyvault_client = mock.MagicMock
keyvault_client.key_vaults = {}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_rbac_key_expiration_set.keyvault_rbac_key_expiration_set.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_rbac_key_expiration_set.keyvault_rbac_key_expiration_set import (
keyvault_rbac_key_expiration_set,
)
check = keyvault_rbac_key_expiration_set()
result = check.execute()
assert len(result) == 0
def test_no_keys(self):
keyvault_client = mock.MagicMock
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id="id",
name="name",
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid", sku="sku", enable_rbac_authorization=True
),
keys=[],
secrets=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_rbac_key_expiration_set.keyvault_rbac_key_expiration_set.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_rbac_key_expiration_set.keyvault_rbac_key_expiration_set import (
keyvault_rbac_key_expiration_set,
)
check = keyvault_rbac_key_expiration_set()
result = check.execute()
assert len(result) == 0
def test_key_vaults_invalid_keys(self):
keyvault_client = mock.MagicMock
keyvault_name = "Keyvault Name"
keyvault_id = str(uuid4())
key_name = "Key Name"
key = Key(
id="id",
name=key_name,
enabled=True,
location="location",
attributes=KeyAttributes(expires=None, enabled=True),
)
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id=keyvault_id,
name=keyvault_name,
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid", sku="sku", enable_rbac_authorization=True
),
keys=[key],
secrets=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_rbac_key_expiration_set.keyvault_rbac_key_expiration_set.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_rbac_key_expiration_set.keyvault_rbac_key_expiration_set import (
keyvault_rbac_key_expiration_set,
)
check = keyvault_rbac_key_expiration_set()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has the key {key_name} without expiration date set."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == keyvault_name
assert result[0].resource_id == keyvault_id
def test_key_vaults_valid_keys(self):
keyvault_client = mock.MagicMock
keyvault_name = "Keyvault Name"
keyvault_id = str(uuid4())
key = Key(
id="id",
name="name",
enabled=True,
location="location",
attributes=KeyAttributes(expires=49394, enabled=True),
)
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id=keyvault_id,
name=keyvault_name,
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid", sku="sku", enable_rbac_authorization=True
),
keys=[key],
secrets=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_rbac_key_expiration_set.keyvault_rbac_key_expiration_set.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_rbac_key_expiration_set.keyvault_rbac_key_expiration_set import (
keyvault_rbac_key_expiration_set,
)
check = keyvault_rbac_key_expiration_set()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has all the keys with expiration date set."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == keyvault_name
assert result[0].resource_id == keyvault_id
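Review bot: This is the RBAC twin of `keyvault_key_expiration_set_in_non_rbac`, but no test builds a vault with `enable_rbac_authorization=False` and asserts it yields no finding, so the only thing that distinguishes the two checks is unverified and both test files would pass against identical implementations. Add a case with a non-RBAC vault holding a key without expiration and `assert len(result) == 0`. The fixture at L811 also passes `expires=49394`, an int, where `KeyAttributes.expires` is presumably a datetime on the SDK model; it works as a truthy placeholder, but `datetime.now(timezone.utc)` would document the intent — confirm that the check only tests truthiness.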


@@ -0,0 +1,210 @@
from unittest import mock
from uuid import uuid4
from azure.mgmt.keyvault.v2023_07_01.models import SecretAttributes, VaultProperties
from prowler.providers.azure.services.keyvault.keyvault_service import (
KeyVaultInfo,
Secret,
)
AZURE_SUBSCRIPTION = str(uuid4())
class Test_keyvault_rbac_secret_expiration_set:
def test_no_key_vaults(self):
keyvault_client = mock.MagicMock
keyvault_client.key_vaults = {}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_rbac_secret_expiration_set.keyvault_rbac_secret_expiration_set.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_rbac_secret_expiration_set.keyvault_rbac_secret_expiration_set import (
keyvault_rbac_secret_expiration_set,
)
check = keyvault_rbac_secret_expiration_set()
result = check.execute()
assert len(result) == 0
def test_no_secrets(self):
keyvault_client = mock.MagicMock
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id="id",
name="name",
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid", sku="sku", enable_rbac_authorization=True
),
keys=[],
secrets=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_rbac_secret_expiration_set.keyvault_rbac_secret_expiration_set.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_rbac_secret_expiration_set.keyvault_rbac_secret_expiration_set import (
keyvault_rbac_secret_expiration_set,
)
check = keyvault_rbac_secret_expiration_set()
result = check.execute()
assert len(result) == 0
def test_key_vaults_invalid_secrets(self):
keyvault_client = mock.MagicMock
keyvault_name = "Keyvault Name"
keyvault_id = str(uuid4())
secret_name = "Secret"
secret = Secret(
id="id",
name=secret_name,
enabled=True,
location="location",
attributes=SecretAttributes(expires=None),
)
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id=keyvault_id,
name=keyvault_name,
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid", sku="sku", enable_rbac_authorization=True
),
keys=[],
secrets=[secret],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_rbac_secret_expiration_set.keyvault_rbac_secret_expiration_set.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_rbac_secret_expiration_set.keyvault_rbac_secret_expiration_set import (
keyvault_rbac_secret_expiration_set,
)
check = keyvault_rbac_secret_expiration_set()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has the secret {secret_name} without expiration date set."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == keyvault_name
assert result[0].resource_id == keyvault_id
def test_key_vaults_invalid_multiple_secrets(self):
keyvault_client = mock.MagicMock
keyvault_name = "Keyvault Name"
keyvault_id = str(uuid4())
secret1_name = "Secret1"
secret2_name = "Secret2"
secret1 = Secret(
id="id",
name=secret1_name,
enabled=True,
location="location",
attributes=SecretAttributes(expires=None),
)
secret2 = Secret(
id="id",
name=secret2_name,
enabled=True,
location="location",
attributes=SecretAttributes(expires=84934),
)
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id=keyvault_id,
name=keyvault_name,
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid", sku="sku", enable_rbac_authorization=True
),
keys=[],
secrets=[secret1, secret2],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_rbac_secret_expiration_set.keyvault_rbac_secret_expiration_set.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_rbac_secret_expiration_set.keyvault_rbac_secret_expiration_set import (
keyvault_rbac_secret_expiration_set,
)
check = keyvault_rbac_secret_expiration_set()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has the secret {secret1_name} without expiration date set."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == keyvault_name
assert result[0].resource_id == keyvault_id
def test_key_vaults_valid_keys(self):
keyvault_client = mock.MagicMock
keyvault_name = "Keyvault Name"
keyvault_id = str(uuid4())
secret = Secret(
id="id",
name="name",
enabled=False,
location="location",
attributes=SecretAttributes(expires=None),
)
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id=keyvault_id,
name=keyvault_name,
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid", sku="sku", enable_rbac_authorization=True
),
keys=[],
secrets=[secret],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_rbac_secret_expiration_set.keyvault_rbac_secret_expiration_set.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_rbac_secret_expiration_set.keyvault_rbac_secret_expiration_set import (
keyvault_rbac_secret_expiration_set,
)
check = keyvault_rbac_secret_expiration_set()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has all the secrets with expiration date set."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == keyvault_name
assert result[0].resource_id == keyvault_id
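Review bot: The PASS case at L997 relies on `Secret(enabled=False, ...)` while leaving `SecretAttributes.enabled` unset, and L907 sets `Secret.enabled=True` with no attributes flag, so the tests never pin which of the two `enabled` flags the check reads; if it reads `attributes.enabled`, the disabled-secret case passes only because `None` is falsy. Add one fixture where the two disagree, e.g. `Secret(enabled=True, attributes=SecretAttributes(expires=None, enabled=False))`, and assert the intended status. `test_key_vaults_valid_keys` should also be renamed to say secrets, and a PASS case with an enabled secret whose `expires` is set would actually cover the message it asserts.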


@@ -0,0 +1,182 @@
from unittest import mock
from uuid import uuid4
from azure.mgmt.keyvault.v2023_07_01.models import SecretAttributes, VaultProperties
from prowler.providers.azure.services.keyvault.keyvault_service import (
KeyVaultInfo,
Secret,
)
AZURE_SUBSCRIPTION = str(uuid4())
class Test_keyvault_recoverable:
def test_no_key_vaults(self):
keyvault_client = mock.MagicMock
keyvault_client.key_vaults = {}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_recoverable.keyvault_recoverable.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_recoverable.keyvault_recoverable import (
keyvault_recoverable,
)
check = keyvault_recoverable()
result = check.execute()
assert len(result) == 0
def test_key_vaults_no_purge(self):
keyvault_client = mock.MagicMock
keyvault_name = "Keyvault Name"
keyvault_id = str(uuid4())
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id=keyvault_id,
name=keyvault_name,
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid",
sku="sku",
enable_rbac_authorization=True,
enable_soft_delete=True,
enable_purge_protection=False,
),
keys=[],
secrets=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_recoverable.keyvault_recoverable.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_recoverable.keyvault_recoverable import (
keyvault_recoverable,
)
check = keyvault_recoverable()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} is not recoverable."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == keyvault_name
assert result[0].resource_id == keyvault_id
def test_key_vaults_no_soft_delete(self):
keyvault_client = mock.MagicMock
keyvault_name = "Keyvault Name"
keyvault_id = str(uuid4())
secret1 = Secret(
id="id",
name="name",
enabled=True,
location="location",
attributes=SecretAttributes(expires=None, enabled=True),
)
secret2 = Secret(
id="id",
name="name",
enabled=True,
location="location",
attributes=SecretAttributes(expires=84934, enabled=True),
)
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id=keyvault_id,
name=keyvault_name,
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid",
sku="sku",
enable_rbac_authorization=True,
enable_soft_delete=True,
enable_purge_protection=False,
),
keys=[],
secrets=[secret1, secret2],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_recoverable.keyvault_recoverable.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_recoverable.keyvault_recoverable import (
keyvault_recoverable,
)
check = keyvault_recoverable()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} is not recoverable."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == keyvault_name
assert result[0].resource_id == keyvault_id
def test_key_vaults_valid_configuration(self):
keyvault_client = mock.MagicMock
keyvault_name = "Keyvault Name"
keyvault_id = str(uuid4())
secret = Secret(
id="id",
name="name",
enabled=True,
location="location",
attributes=SecretAttributes(expires=None, enabled=False),
)
keyvault_client.key_vaults = {
AZURE_SUBSCRIPTION: [
KeyVaultInfo(
id=keyvault_id,
name=keyvault_name,
location="location",
resource_group="resource_group",
properties=VaultProperties(
tenant_id="tenantid",
sku="sku",
enable_rbac_authorization=True,
enable_soft_delete=True,
enable_purge_protection=True,
),
keys=[],
secrets=[secret],
)
]
}
with mock.patch(
"prowler.providers.azure.services.keyvault.keyvault_recoverable.keyvault_recoverable.keyvault_client",
new=keyvault_client,
):
from prowler.providers.azure.services.keyvault.keyvault_recoverable.keyvault_recoverable import (
keyvault_recoverable,
)
check = keyvault_recoverable()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} is recoverable."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == keyvault_name
assert result[0].resource_id == keyvault_id
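Review bot: `test_key_vaults_no_soft_delete` never turns soft delete off — the `VaultProperties` it builds uses `enable_soft_delete=True, enable_purge_protection=False`, exactly the configuration already covered by `test_key_vaults_no_purge`, so the branch the test name promises (soft delete disabled) is not exercised, and the two `Secret` objects it constructs have no bearing on recoverability. Change that fixture to `enable_soft_delete=False,` and `enable_purge_protection=True,` so each FAIL case isolates one missing setting. Separately, every test binds `keyvault_client = mock.MagicMock` (the class, not an instance), so `keyvault_client.key_vaults = {...}` mutates a class attribute that is shared across the whole session; `keyvault_client = mock.MagicMock()` keeps each test's fixture isolated. The same class-level assignment appears in the earlier secret-expiration section, which starts outside this view.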


@@ -0,0 +1,99 @@
from unittest.mock import patch
from prowler.providers.azure.services.keyvault.keyvault_service import (
Key,
KeyVault,
KeyVaultInfo,
Secret,
)
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION,
set_mocked_azure_audit_info,
)
def mock_keyvault_get_key_vaults(_, __):
keyvault_info = KeyVaultInfo(
id="id",
name="name",
location="location",
resource_group="resource_group",
properties=None,
keys=[
Key(
id="id",
name="name",
enabled=True,
location="location",
attributes=None,
rotation_policy=None,
)
],
secrets=[
Secret(
id="id",
name="name",
enabled=True,
location="location",
attributes=None,
)
],
)
return {AZURE_SUBSCRIPTION: [keyvault_info]}
@patch(
"prowler.providers.azure.services.keyvault.keyvault_service.KeyVault.__get_key_vaults__",
new=mock_keyvault_get_key_vaults,
)
class Test_keyvault_service:
def test__get_client__(self):
keyvault = KeyVault(set_mocked_azure_audit_info())
assert (
keyvault.clients[AZURE_SUBSCRIPTION].__class__.__name__
== "KeyVaultManagementClient"
)
def test__get_key_vaults__(self):
keyvault = KeyVault(set_mocked_azure_audit_info())
assert (
keyvault.key_vaults[AZURE_SUBSCRIPTION][0].__class__.__name__
== "KeyVaultInfo"
)
assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].id == "id"
assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].name == "name"
assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].location == "location"
assert (
keyvault.key_vaults[AZURE_SUBSCRIPTION][0].resource_group
== "resource_group"
)
assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].properties is None
def test__get_keys__(self):
keyvault = KeyVault(set_mocked_azure_audit_info())
assert (
keyvault.key_vaults[AZURE_SUBSCRIPTION][0].keys[0].__class__.__name__
== "Key"
)
assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].keys[0].id == "id"
assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].keys[0].name == "name"
assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].keys[0].enabled is True
assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].keys[0].location == "location"
assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].keys[0].attributes is None
assert (
keyvault.key_vaults[AZURE_SUBSCRIPTION][0].keys[0].rotation_policy is None
)
def test__get_secrets__(self):
keyvault = KeyVault(set_mocked_azure_audit_info())
assert (
keyvault.key_vaults[AZURE_SUBSCRIPTION][0].secrets[0].__class__.__name__
== "Secret"
)
assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].secrets[0].id == "id"
assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].secrets[0].name == "name"
assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].secrets[0].enabled is True
assert (
keyvault.key_vaults[AZURE_SUBSCRIPTION][0].secrets[0].location == "location"
)
assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].secrets[0].attributes is None
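Review bot: With `KeyVault.__get_key_vaults__` patched to return a fixed `KeyVaultInfo`, `test__get_key_vaults__`, `test__get_keys__` and `test__get_secrets__` only assert that the fixture round-trips through `keyvault.key_vaults`; the service's own collection of vault properties, key attributes and rotation policy never runs, and `properties=None` / `attributes=None` in `mock_keyvault_get_key_vaults` means those fields are asserted to be `None` rather than checked. Consider mocking the `KeyVaultManagementClient` listing results instead of the service method so `__get_key_vaults__` itself executes over SDK-shaped objects, and give the vault, key and secret distinct identifiers (e.g. `id="vault-id"`, `id="key-id"`, `id="secret-id"`) so a swapped or misassigned field would be caught rather than pass on `"id" == "id"`. A one-line docstring on the fixture, `"""Stand-in for KeyVault.__get_key_vaults__ returning one vault with one key and one secret."""`, would make its role explicit to the next reader.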