feat(azure): Add new check "iam_custom_role_permits_administering_resource_locks" (#3317)

Co-authored-by: Pepe Fagoaga <pepe@prowler.com>

tests/lib/check/check_test.py

@@ -96,6 +96,10 @@ def mock_recover_checks_from_azure_provider(*_):
             "iam_subscription_roles_owner_custom_not_created",
             "/root_dir/fake_path/iam/iam_subscription_roles_owner_custom_not_created",
         ),
+        (
+            "iam_custom_role_has_permissions_to_administer_resource_locks",
+            "/root_dir/fake_path/iam/iam_custom_role_has_permissions_to_administer_resource_locks",
+        ),
         (
             "storage_default_network_access_rule_is_denied",
             "/root_dir/fake_path/storage/storage_default_network_access_rule_is_denied",

tests/providers/azure/azure_fixtures.py

@@ -0,0 +1,3 @@
+from uuid import uuid4
+
+AZURE_SUSCRIPTION = str(uuid4())

tests/providers/azure/services/iam/iam_custom_role_has_permissions_to_administer_resource_locks/iam_custom_role_has_permissions_to_administer_resource_locks_test.py

@@ -0,0 +1,112 @@
+from unittest import mock
+from uuid import uuid4
+
+from azure.mgmt.authorization.v2022_04_01.models import Permission
+
+from prowler.providers.azure.services.iam.iam_service import Role
+from tests.providers.azure.azure_fixtures import AZURE_SUSCRIPTION
+
+
+class Test_iam_custom_role_has_permissions_to_administer_resource_locks:
+    def test_iam_no_roles(self):
+        defender_client = mock.MagicMock
+        defender_client.custom_roles = {}
+
+        with mock.patch(
+            "prowler.providers.azure.services.iam.iam_custom_role_has_permissions_to_administer_resource_locks.iam_custom_role_has_permissions_to_administer_resource_locks.iam_client",
+            new=defender_client,
+        ):
+            from prowler.providers.azure.services.iam.iam_custom_role_has_permissions_to_administer_resource_locks.iam_custom_role_has_permissions_to_administer_resource_locks import (
+                iam_custom_role_has_permissions_to_administer_resource_locks,
+            )
+
+            check = iam_custom_role_has_permissions_to_administer_resource_locks()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_iam_custom_owner_role_created_with_lock_administration_permissions(
+        self,
+    ):
+        defender_client = mock.MagicMock
+        role_name = "test-role"
+        defender_client.custom_roles = {
+            AZURE_SUSCRIPTION: [
+                Role(
+                    id=str(uuid4()),
+                    name=role_name,
+                    type="CustomRole",
+                    assignable_scopes=["/.*", "/test"],
+                    permissions=[
+                        Permission(
+                            actions=[
+                                "Microsoft.Authorization/locks/*",
+                                "microsoft.aadiam/azureADMetrics/read",
+                            ]
+                        )
+                    ],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.iam.iam_custom_role_has_permissions_to_administer_resource_locks.iam_custom_role_has_permissions_to_administer_resource_locks.iam_client",
+            new=defender_client,
+        ):
+            from prowler.providers.azure.services.iam.iam_custom_role_has_permissions_to_administer_resource_locks.iam_custom_role_has_permissions_to_administer_resource_locks import (
+                iam_custom_role_has_permissions_to_administer_resource_locks,
+            )
+
+            check = iam_custom_role_has_permissions_to_administer_resource_locks()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Role {role_name} from subscription {AZURE_SUSCRIPTION} has permission to administer resource locks."
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert (
+                result[0].resource_id
+                == defender_client.custom_roles[AZURE_SUSCRIPTION][0].id
+            )
+            assert result[0].resource_name == role_name
+
+    def test_iam_custom_owner_role_created_with_no_lock_administration_permissions(
+        self,
+    ):
+        defender_client = mock.MagicMock
+        role_name = "test-role"
+        defender_client.custom_roles = {
+            AZURE_SUSCRIPTION: [
+                Role(
+                    id=str(uuid4()),
+                    name=role_name,
+                    type="CustomRole",
+                    assignable_scopes=["/*"],
+                    permissions=[Permission(actions=["*"])],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.iam.iam_custom_role_has_permissions_to_administer_resource_locks.iam_custom_role_has_permissions_to_administer_resource_locks.iam_client",
+            new=defender_client,
+        ):
+            from prowler.providers.azure.services.iam.iam_custom_role_has_permissions_to_administer_resource_locks.iam_custom_role_has_permissions_to_administer_resource_locks import (
+                iam_custom_role_has_permissions_to_administer_resource_locks,
+            )
+
+            check = iam_custom_role_has_permissions_to_administer_resource_locks()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Role {role_name} from subscription {AZURE_SUSCRIPTION} has no permission to administer resource locks."
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert (
+                result[0].resource_id
+                == defender_client.custom_roles[AZURE_SUSCRIPTION][0].id
+            )
+            assert result[0].resource_name == role_name

tests/providers/azure/services/iam/iam_subscription_roles_owner_custom_not_created/iam_subscription_roles_owner_custom_not_created_test.py

@@ -4,14 +4,13 @@ from uuid import uuid4
 from azure.mgmt.authorization.v2022_04_01.models import Permission
 
 from prowler.providers.azure.services.iam.iam_service import Role
-
-AZURE_SUSCRIPTION = str(uuid4())
+from tests.providers.azure.azure_fixtures import AZURE_SUSCRIPTION
 
 
-class Test_defender_ensure_defender_for_storage_is_on:
+class Test_iam_subscription_roles_owner_custom_not_created:
     def test_iam_no_roles(self):
         defender_client = mock.MagicMock
-        defender_client.roles = {}
+        defender_client.custom_roles = {}
 
         with mock.patch(
             "prowler.providers.azure.services.iam.iam_subscription_roles_owner_custom_not_created.iam_subscription_roles_owner_custom_not_created.iam_client",
@@ -28,12 +27,12 @@ class Test_defender_ensure_defender_for_storage_is_on:
     def test_iam_custom_owner_role_created_with_all(self):
         defender_client = mock.MagicMock
         role_name = "test-role"
-        defender_client.roles = {
+        defender_client.custom_roles = {
             AZURE_SUSCRIPTION: [
                 Role(
                     id=str(uuid4()),
                     name=role_name,
-                    type="type-role",
+                    type="CustomRole",
                     assignable_scopes=["/*"],
                     permissions=[Permission(actions="*")],
                 )
@@ -56,11 +55,17 @@ class Test_defender_ensure_defender_for_storage_is_on:
                 result[0].status_extended
                 == f"Role {role_name} from subscription {AZURE_SUSCRIPTION} is a custom owner role."
             )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert (
+                result[0].resource_id
+                == defender_client.custom_roles[AZURE_SUSCRIPTION][0].id
+            )
+            assert result[0].resource_name == role_name
 
     def test_iam_custom_owner_role_created_with_no_permissions(self):
         defender_client = mock.MagicMock
         role_name = "test-role"
-        defender_client.roles = {
+        defender_client.custom_roles = {
             AZURE_SUSCRIPTION: [
                 Role(
                     id=str(uuid4()),
@@ -88,3 +93,9 @@ class Test_defender_ensure_defender_for_storage_is_on:
                 result[0].status_extended
                 == f"Role {role_name} from subscription {AZURE_SUSCRIPTION} is not a custom owner role."
             )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert (
+                result[0].resource_id
+                == defender_client.custom_roles[AZURE_SUSCRIPTION][0].id
+            )
+            assert result[0].resource_name == role_name