feat(azure): Add new checks related to Network service (#3402)

Co-authored-by: Sergio Garcia <sergargar1@gmail.com>
Pedro Martín
2024-02-20 15:08:19 +01:00
committed by GitHub
parent 7d3c6a4a5e
commit 9a22c2de8b
43 changed files with 1881 additions and 19 deletions


@@ -78,6 +78,7 @@ class Test_Slack_Integration:
audit_metadata=None,
audit_config=None,
azure_region_config=Azure_Region_Config(),
locations=None,
)
assert create_message_identity("aws", aws_audit_info) == (
f"AWS Account *{aws_audit_info.audited_account}*",


@@ -29,6 +29,7 @@ def set_mocked_azure_audit_info(
),
audit_config: dict = None,
azure_region_config: Azure_Region_Config = Azure_Region_Config(),
locations: list = None,
):
audit_info = Azure_Audit_Info(
credentials=credentials,
@@ -37,5 +38,6 @@ def set_mocked_azure_audit_info(
audit_resources=None,
audit_config=audit_config,
azure_region_config=azure_region_config,
locations=locations,
)
return audit_info


@@ -0,0 +1,73 @@
from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.network.network_service import BastionHost
AZURE_SUBSCRIPTION = str(uuid4())
class Test_network_bastion_host_exists:
def test_no_bastion_hosts(self):
network_client = mock.MagicMock
network_client.bastion_hosts = {AZURE_SUBSCRIPTION: []}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_bastion_host_exists.network_bastion_host_exists import (
network_bastion_host_exists,
)
check = network_bastion_host_exists()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Bastion Host from subscription {AZURE_SUBSCRIPTION} does not exist"
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == "Bastion Host"
assert result[0].resource_id == "N/A"
def test_network_bastion_host_exists(self):
network_client = mock.MagicMock
bastion_host_name = "Bastion Host Name"
bastion_host_id = str(uuid4())
network_client.bastion_hosts = {
AZURE_SUBSCRIPTION: [
BastionHost(
id=bastion_host_id,
name=bastion_host_name,
location="location",
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_bastion_host_exists.network_bastion_host_exists import (
network_bastion_host_exists,
)
check = network_bastion_host_exists()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Bastion Host from subscription {AZURE_SUBSCRIPTION} available are: {bastion_host_name}"
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == "Bastion Host"
assert result[0].resource_id == bastion_host_id
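Review bot: `network_client = mock.MagicMock` at the top of test_no_bastion_hosts (and again in test_network_bastion_host_exists) binds the MagicMock class itself, so the following `network_client.bastion_hosts = ...` sets an attribute on the shared class rather than on a per-test object; the value outlives the test and is visible to every MagicMock created afterwards in the same process, which makes test ordering matter. Instantiating it, `network_client = mock.MagicMock()`, keeps the fixture local to the test and, as far as the two patches here show, still provides the `bastion_hosts` attribute the check reads. The same pattern is used in the flow-log, HTTP, RDP, SSH and UDP check tests added by this commit.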


@@ -0,0 +1,200 @@
from unittest import mock
from uuid import uuid4
from azure.mgmt.network.models._models import FlowLog, RetentionPolicyParameters
from prowler.providers.azure.services.network.network_service import NetworkWatcher
AZURE_SUBSCRIPTION = str(uuid4())
class Test_network_flow_log_more_than_90_days:
def test_no_network_watchers(self):
network_client = mock.MagicMock
network_client.network_watchers = {}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_flow_log_more_than_90_days.network_flow_log_more_than_90_days import (
network_flow_log_more_than_90_days,
)
check = network_flow_log_more_than_90_days()
result = check.execute()
assert len(result) == 0
def test_network_network_watchers_no_flow_logs(self):
network_client = mock.MagicMock
network_watcher_name = "Network Watcher Name"
network_watcher_id = str(uuid4())
network_client.network_watchers = {
AZURE_SUBSCRIPTION: [
NetworkWatcher(
id=network_watcher_id,
name=network_watcher_name,
location="location",
flow_logs=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_flow_log_more_than_90_days.network_flow_log_more_than_90_days import (
network_flow_log_more_than_90_days,
)
check = network_flow_log_more_than_90_days()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Network Watcher {network_watcher_name} from subscription {AZURE_SUBSCRIPTION} has no flow logs"
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == network_watcher_name
assert result[0].resource_id == network_watcher_id
def test_network_network_watchers_flow_logs_disabled(self):
network_client = mock.MagicMock
network_watcher_name = "Network Watcher Name"
network_watcher_id = str(uuid4())
network_client.network_watchers = {
AZURE_SUBSCRIPTION: [
NetworkWatcher(
id=network_watcher_id,
name=network_watcher_name,
location="location",
flow_logs=[
FlowLog(
enabled=False,
retention_policy=RetentionPolicyParameters(days=90),
)
],
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_flow_log_more_than_90_days.network_flow_log_more_than_90_days import (
network_flow_log_more_than_90_days,
)
check = network_flow_log_more_than_90_days()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Network Watcher {network_watcher_name} from subscription {AZURE_SUBSCRIPTION} has flow logs disabled"
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == network_watcher_name
assert result[0].resource_id == network_watcher_id
def test_network_network_watchers_flow_logs_retention_days_80(self):
network_client = mock.MagicMock
network_watcher_name = "Network Watcher Name"
network_watcher_id = str(uuid4())
network_client.network_watchers = {
AZURE_SUBSCRIPTION: [
NetworkWatcher(
id=network_watcher_id,
name=network_watcher_name,
location="location",
flow_logs=[
FlowLog(
enabled=True,
retention_policy=RetentionPolicyParameters(days=80),
)
],
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_flow_log_more_than_90_days.network_flow_log_more_than_90_days import (
network_flow_log_more_than_90_days,
)
check = network_flow_log_more_than_90_days()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Network Watcher {network_watcher_name} from subscription {AZURE_SUBSCRIPTION} flow logs retention policy is less than 90 days"
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == network_watcher_name
assert result[0].resource_id == network_watcher_id
def test_network_network_watchers_flow_logs_well_configured(self):
network_client = mock.MagicMock
network_watcher_name = "Network Watcher Name"
network_watcher_id = str(uuid4())
network_client.network_watchers = {
AZURE_SUBSCRIPTION: [
NetworkWatcher(
id=network_watcher_id,
name=network_watcher_name,
location="location",
flow_logs=[
FlowLog(
enabled=True,
retention_policy=RetentionPolicyParameters(days=90),
)
],
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_flow_log_more_than_90_days.network_flow_log_more_than_90_days import (
network_flow_log_more_than_90_days,
)
check = network_flow_log_more_than_90_days()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Network Watcher {network_watcher_name} from subscription {AZURE_SUBSCRIPTION} has flow logs enabled for more than 90 days"
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == network_watcher_name
assert result[0].resource_id == network_watcher_id
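Review bot: The retention fixtures stop at 80 and 90 days and none of them gives a flow log whose `retention_policy` is `None`, which the FlowLog model permits; if the check reads `.retention_policy.days` unguarded it would raise instead of producing a finding, so a case with `FlowLog(enabled=True, retention_policy=None)` would pin whichever behaviour is intended. A `RetentionPolicyParameters(days=0)` case is worth adding as well, because Azure commonly documents 0 as unlimited retention for flow logs (confirm against the API documentation) and a plain `days < 90` comparison would report it as FAIL. Note also that 90 days is asserted as PASS while the message reads "enabled for more than 90 days", so a fixture at 89 days would make the boundary explicit.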


@@ -0,0 +1,209 @@
from unittest import mock
from uuid import uuid4
from azure.mgmt.network.models._models import SecurityRule
from prowler.providers.azure.services.network.network_service import SecurityGroup
AZURE_SUBSCRIPTION = str(uuid4())
class Test_network_http_internet_access_restricted:
def test_no_security_groups(self):
network_client = mock.MagicMock
network_client.security_groups = {}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_http_internet_access_restricted.network_http_internet_access_restricted import (
network_http_internet_access_restricted,
)
check = network_http_internet_access_restricted()
result = check.execute()
assert len(result) == 0
def test_network_security_groups_no_security_rules(self):
network_client = mock.MagicMock
security_group_name = "Security Group Name"
security_group_id = str(uuid4())
network_client.security_groups = {
AZURE_SUBSCRIPTION: [
SecurityGroup(
id=security_group_id,
name=security_group_name,
location="location",
security_rules=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_http_internet_access_restricted.network_http_internet_access_restricted import (
network_http_internet_access_restricted,
)
check = network_http_internet_access_restricted()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Security Group {security_group_name} from subscription {AZURE_SUBSCRIPTION} has HTTP internet access restricted."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == security_group_name
assert result[0].resource_id == security_group_id
def test_network_security_groups_invalid_security_rules(self):
network_client = mock.MagicMock
security_group_name = "Security Group Name"
security_group_id = str(uuid4())
network_client.security_groups = {
AZURE_SUBSCRIPTION: [
SecurityGroup(
id=security_group_id,
name=security_group_name,
location="location",
security_rules=[
SecurityRule(
destination_port_range="80",
protocol="TCP",
source_address_prefix="Internet",
access="Allow",
direction="Inbound",
)
],
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_http_internet_access_restricted.network_http_internet_access_restricted import (
network_http_internet_access_restricted,
)
check = network_http_internet_access_restricted()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Security Group {security_group_name} from subscription {AZURE_SUBSCRIPTION} has HTTP internet access allowed."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == security_group_name
assert result[0].resource_id == security_group_id
def test_network_security_groups_invalid_security_rules_range(self):
network_client = mock.MagicMock
security_group_name = "Security Group Name"
security_group_id = str(uuid4())
network_client.security_groups = {
AZURE_SUBSCRIPTION: [
SecurityGroup(
id=security_group_id,
name=security_group_name,
location="location",
security_rules=[
SecurityRule(
destination_port_range="20-100",
protocol="TCP",
source_address_prefix="Internet",
access="Allow",
direction="Inbound",
)
],
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_http_internet_access_restricted.network_http_internet_access_restricted import (
network_http_internet_access_restricted,
)
check = network_http_internet_access_restricted()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Security Group {security_group_name} from subscription {AZURE_SUBSCRIPTION} has HTTP internet access allowed."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == security_group_name
assert result[0].resource_id == security_group_id
def test_network_security_groups_valid_security_rules(self):
network_client = mock.MagicMock
security_group_name = "Security Group Name"
security_group_id = str(uuid4())
network_client.security_groups = {
AZURE_SUBSCRIPTION: [
SecurityGroup(
id=security_group_id,
name=security_group_name,
location="location",
security_rules=[
SecurityRule(
destination_port_range="23",
protocol="TCP",
source_address_prefix="Internet",
access="Allow",
direction="Inbound",
)
],
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_http_internet_access_restricted.network_http_internet_access_restricted import (
network_http_internet_access_restricted,
)
check = network_http_internet_access_restricted()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Security Group {security_group_name} from subscription {AZURE_SUBSCRIPTION} has HTTP internet access restricted."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == security_group_name
assert result[0].resource_id == security_group_id
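Review bot: Every FAIL fixture in this file (test_network_security_groups_invalid_security_rules and its _range variant) expresses internet exposure as `source_address_prefix="Internet"` with a single `destination_port_range`, and the PASS fixtures differ only in the port, so the suite cannot tell whether the check also recognises the other shapes an NSG rule can take: a `source_address_prefix` of `"*"`, `"0.0.0.0/0"` or `"Any"`, `protocol="*"`, a `destination_port_range` of `"*"`, and the list-valued `destination_port_ranges` / `source_address_prefixes` fields. If the check only matches the literal shape used here, a rule written any other way would be reported as restricted and the finding would be a false negative. One fixture per variant expecting `result[0].status == "FAIL"` would close that gap; the same applies to the RDP, SSH and UDP check tests added in this commit.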


@@ -0,0 +1,162 @@
from unittest import mock
from uuid import uuid4
from azure.mgmt.network.models._models import SecurityRule
from prowler.providers.azure.services.network.network_service import SecurityGroup
AZURE_SUBSCRIPTION = str(uuid4())
class Test_network_rdp_internet_access_restricted:
def test_no_security_groups(self):
network_client = mock.MagicMock
network_client.security_groups = {}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_rdp_internet_access_restricted.network_rdp_internet_access_restricted import (
network_rdp_internet_access_restricted,
)
check = network_rdp_internet_access_restricted()
result = check.execute()
assert len(result) == 0
def test_network_security_groups_no_security_rules(self):
network_client = mock.MagicMock
security_group_name = "Security Group Name"
security_group_id = str(uuid4())
network_client.security_groups = {
AZURE_SUBSCRIPTION: [
SecurityGroup(
id=security_group_id,
name=security_group_name,
location="location",
security_rules=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_rdp_internet_access_restricted.network_rdp_internet_access_restricted import (
network_rdp_internet_access_restricted,
)
check = network_rdp_internet_access_restricted()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Security Group {security_group_name} from subscription {AZURE_SUBSCRIPTION} has RDP internet access restricted."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == security_group_name
assert result[0].resource_id == security_group_id
def test_network_security_groups_valid_security_rules(self):
network_client = mock.MagicMock
security_group_name = "Security Group Name"
security_group_id = str(uuid4())
network_client.security_groups = {
AZURE_SUBSCRIPTION: [
SecurityGroup(
id=security_group_id,
name=security_group_name,
location="location",
security_rules=[
SecurityRule(
destination_port_range="3388",
protocol="TCP",
source_address_prefix="Internet",
access="Allow",
direction="Inbound",
)
],
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_rdp_internet_access_restricted.network_rdp_internet_access_restricted import (
network_rdp_internet_access_restricted,
)
check = network_rdp_internet_access_restricted()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Security Group {security_group_name} from subscription {AZURE_SUBSCRIPTION} has RDP internet access restricted."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == security_group_name
assert result[0].resource_id == security_group_id
def test_network_security_groups_invalid_security_rules_range(self):
network_client = mock.MagicMock
security_group_name = "Security Group Name"
security_group_id = str(uuid4())
network_client.security_groups = {
AZURE_SUBSCRIPTION: [
SecurityGroup(
id=security_group_id,
name=security_group_name,
location="location",
security_rules=[
SecurityRule(
destination_port_range="33-6000",
protocol="TCP",
source_address_prefix="Internet",
access="Allow",
direction="Inbound",
)
],
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_rdp_internet_access_restricted.network_rdp_internet_access_restricted import (
network_rdp_internet_access_restricted,
)
check = network_rdp_internet_access_restricted()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Security Group {security_group_name} from subscription {AZURE_SUBSCRIPTION} has RDP internet access allowed."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == security_group_name
assert result[0].resource_id == security_group_id
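Review bot: Unlike the HTTP and SSH test files in this commit, this file has no fixture with `destination_port_range="3389"`: test_network_security_groups_valid_security_rules uses 3388 to assert PASS and the only FAIL case is the range `"33-6000"`, so a check that handled ranges but mishandled the exact RDP port would still pass this suite. Add a fixture mirroring the SSH file's test_network_security_groups_invalid_security_rules with `destination_port_range="3389"`, expecting `result[0].status == "FAIL"` and the `has RDP internet access allowed.` message.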


@@ -0,0 +1,129 @@
from unittest.mock import patch
from azure.mgmt.network.models import FlowLog
from prowler.providers.azure.services.network.network_service import (
BastionHost,
Network,
NetworkWatcher,
SecurityGroup,
)
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION,
set_mocked_azure_audit_info,
)
def mock_network_get_security_groups(_):
return {
AZURE_SUBSCRIPTION: [
SecurityGroup(
id="id",
name="name",
location="location",
security_rules=[],
)
]
}
def mock_network_get_bastion_hosts(_):
return {
AZURE_SUBSCRIPTION: [
BastionHost(
id="id",
name="name",
location="location",
)
]
}
def mock_network_get_network_watchers(_):
return {
AZURE_SUBSCRIPTION: [
NetworkWatcher(
id="id",
name="name",
location="location",
flow_logs=[FlowLog(enabled=True, retention_policy=90)],
)
]
}
@patch(
"prowler.providers.azure.services.network.network_service.Network.__get_security_groups__",
new=mock_network_get_security_groups,
)
@patch(
"prowler.providers.azure.services.network.network_service.Network.__get_bastion_hosts__",
new=mock_network_get_bastion_hosts,
)
@patch(
"prowler.providers.azure.services.network.network_service.Network.__get_network_watchers__",
new=mock_network_get_network_watchers,
)
class Test_Network_Service:
def test__get_client__(self):
network = Network(set_mocked_azure_audit_info())
assert (
network.clients[AZURE_SUBSCRIPTION].__class__.__name__
== "NetworkManagementClient"
)
def test__get_security_groups__(self):
network = Network(set_mocked_azure_audit_info())
assert (
network.security_groups[AZURE_SUBSCRIPTION][0].__class__.__name__
== "SecurityGroup"
)
assert network.security_groups[AZURE_SUBSCRIPTION][0].id == "id"
assert network.security_groups[AZURE_SUBSCRIPTION][0].name == "name"
assert network.security_groups[AZURE_SUBSCRIPTION][0].location == "location"
assert network.security_groups[AZURE_SUBSCRIPTION][0].security_rules == []
def test__get_network_watchers__(self):
network = Network(set_mocked_azure_audit_info())
assert (
network.network_watchers[AZURE_SUBSCRIPTION][0].__class__.__name__
== "NetworkWatcher"
)
assert network.network_watchers[AZURE_SUBSCRIPTION][0].id == "id"
assert network.network_watchers[AZURE_SUBSCRIPTION][0].name == "name"
assert network.network_watchers[AZURE_SUBSCRIPTION][0].location == "location"
assert network.network_watchers[AZURE_SUBSCRIPTION][0].flow_logs == [
FlowLog(enabled=True, retention_policy=90)
]
def __get_flow_logs__(self):
network = Network(set_mocked_azure_audit_info())
nw_name = "name"
assert (
network.network_watchers[AZURE_SUBSCRIPTION][0]
.flow_logs[nw_name][0]
.__class__.__name__
== "FlowLog"
)
assert network.network_watchers[AZURE_SUBSCRIPTION][0].flow_logs == [
FlowLog(enabled=True, retention_policy=90)
]
assert (
network.network_watchers[AZURE_SUBSCRIPTION][0].flow_logs[0].enabled is True
)
assert (
network.network_watchers[AZURE_SUBSCRIPTION][0]
.flow_logs[0]
.retention_policy
== 90
)
def __get_bastion_hosts__(self):
network = Network(set_mocked_azure_audit_info())
assert (
network.bastion_hosts[AZURE_SUBSCRIPTION][0].__class__.__name__
== "BastionHost"
)
assert network.bastion_hosts[AZURE_SUBSCRIPTION][0].id == "id"
assert network.bastion_hosts[AZURE_SUBSCRIPTION][0].name == "name"
assert network.bastion_hosts[AZURE_SUBSCRIPTION][0].location == "location"
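Review bot: The last two methods of Test_Network_Service, `__get_flow_logs__` and `__get_bastion_hosts__`, lack the `test_` prefix, so pytest never collects them and the bastion-host branch of the service has no coverage at all. Renaming them `test__get_flow_logs__` and `test__get_bastion_hosts__` exposes a second problem in the first one: `.flow_logs[nw_name][0]` indexes a list with a string and would raise TypeError, since the fixture stores flow logs as a plain list; that assertion should read `network.network_watchers[AZURE_SUBSCRIPTION][0].flow_logs[0].__class__.__name__ == "FlowLog"`. Separately, the fixture's `FlowLog(enabled=True, retention_policy=90)` passes an int where the other test files use `RetentionPolicyParameters(days=90)`; it is harmless here because nothing dereferences `.days`, but aligning it keeps the service test faithful to the real model shape.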


@@ -0,0 +1,209 @@
from unittest import mock
from uuid import uuid4
from azure.mgmt.network.models._models import SecurityRule
from prowler.providers.azure.services.network.network_service import SecurityGroup
AZURE_SUBSCRIPTION = str(uuid4())
class Test_network_ssh_internet_access_restricted:
def test_no_security_groups(self):
network_client = mock.MagicMock
network_client.security_groups = {}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_ssh_internet_access_restricted.network_ssh_internet_access_restricted import (
network_ssh_internet_access_restricted,
)
check = network_ssh_internet_access_restricted()
result = check.execute()
assert len(result) == 0
def test_network_security_groups_no_security_rules(self):
network_client = mock.MagicMock
security_group_name = "Security Group Name"
security_group_id = str(uuid4())
network_client.security_groups = {
AZURE_SUBSCRIPTION: [
SecurityGroup(
id=security_group_id,
name=security_group_name,
location="location",
security_rules=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_ssh_internet_access_restricted.network_ssh_internet_access_restricted import (
network_ssh_internet_access_restricted,
)
check = network_ssh_internet_access_restricted()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Security Group {security_group_name} from subscription {AZURE_SUBSCRIPTION} has SSH internet access restricted."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == security_group_name
assert result[0].resource_id == security_group_id
def test_network_security_groups_invalid_security_rules(self):
network_client = mock.MagicMock
security_group_name = "Security Group Name"
security_group_id = str(uuid4())
network_client.security_groups = {
AZURE_SUBSCRIPTION: [
SecurityGroup(
id=security_group_id,
name=security_group_name,
location="location",
security_rules=[
SecurityRule(
destination_port_range="22",
protocol="TCP",
source_address_prefix="Internet",
access="Allow",
direction="Inbound",
)
],
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_ssh_internet_access_restricted.network_ssh_internet_access_restricted import (
network_ssh_internet_access_restricted,
)
check = network_ssh_internet_access_restricted()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Security Group {security_group_name} from subscription {AZURE_SUBSCRIPTION} has SSH internet access allowed."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == security_group_name
assert result[0].resource_id == security_group_id
def test_network_security_groups_invalid_security_rules_range(self):
network_client = mock.MagicMock
security_group_name = "Security Group Name"
security_group_id = str(uuid4())
network_client.security_groups = {
AZURE_SUBSCRIPTION: [
SecurityGroup(
id=security_group_id,
name=security_group_name,
location="location",
security_rules=[
SecurityRule(
destination_port_range="20-25",
protocol="TCP",
source_address_prefix="Internet",
access="Allow",
direction="Inbound",
)
],
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_ssh_internet_access_restricted.network_ssh_internet_access_restricted import (
network_ssh_internet_access_restricted,
)
check = network_ssh_internet_access_restricted()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Security Group {security_group_name} from subscription {AZURE_SUBSCRIPTION} has SSH internet access allowed."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == security_group_name
assert result[0].resource_id == security_group_id
def test_network_security_groups_valid_security_rules(self):
network_client = mock.MagicMock
security_group_name = "Security Group Name"
security_group_id = str(uuid4())
network_client.security_groups = {
AZURE_SUBSCRIPTION: [
SecurityGroup(
id=security_group_id,
name=security_group_name,
location="location",
security_rules=[
SecurityRule(
destination_port_range="23",
protocol="TCP",
source_address_prefix="Internet",
access="Allow",
direction="Inbound",
)
],
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_ssh_internet_access_restricted.network_ssh_internet_access_restricted import (
network_ssh_internet_access_restricted,
)
check = network_ssh_internet_access_restricted()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Security Group {security_group_name} from subscription {AZURE_SUBSCRIPTION} has SSH internet access restricted."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == security_group_name
assert result[0].resource_id == security_group_id


@@ -0,0 +1,160 @@
from unittest import mock
from uuid import uuid4
from azure.mgmt.network.models._models import SecurityRule
from prowler.providers.azure.services.network.network_service import SecurityGroup
AZURE_SUBSCRIPTION = str(uuid4())
class Test_network_udp_internet_access_restricted:
def test_no_security_groups(self):
network_client = mock.MagicMock
network_client.security_groups = {}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_udp_internet_access_restricted.network_udp_internet_access_restricted import (
network_udp_internet_access_restricted,
)
check = network_udp_internet_access_restricted()
result = check.execute()
assert len(result) == 0
def test_network_security_groups_no_security_rules(self):
network_client = mock.MagicMock
security_group_name = "Security Group Name"
security_group_id = str(uuid4())
network_client.security_groups = {
AZURE_SUBSCRIPTION: [
SecurityGroup(
id=security_group_id,
name=security_group_name,
location="location",
security_rules=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_udp_internet_access_restricted.network_udp_internet_access_restricted import (
network_udp_internet_access_restricted,
)
check = network_udp_internet_access_restricted()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Security Group {security_group_name} from subscription {AZURE_SUBSCRIPTION} has UDP internet access restricted."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == security_group_name
assert result[0].resource_id == security_group_id
def test_network_security_groups_invalid_security_rules(self):
network_client = mock.MagicMock
security_group_name = "Security Group Name"
security_group_id = str(uuid4())
network_client.security_groups = {
AZURE_SUBSCRIPTION: [
SecurityGroup(
id=security_group_id,
name=security_group_name,
location="location",
security_rules=[
SecurityRule(
protocol="UDP",
source_address_prefix="Internet",
access="Allow",
direction="Inbound",
)
],
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_udp_internet_access_restricted.network_udp_internet_access_restricted import (
network_udp_internet_access_restricted,
)
check = network_udp_internet_access_restricted()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Security Group {security_group_name} from subscription {AZURE_SUBSCRIPTION} has UDP internet access allowed."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == security_group_name
assert result[0].resource_id == security_group_id
def test_network_security_groups_valid_security_rules(self):
network_client = mock.MagicMock
security_group_name = "Security Group Name"
security_group_id = str(uuid4())
network_client.security_groups = {
AZURE_SUBSCRIPTION: [
SecurityGroup(
id=security_group_id,
name=security_group_name,
location="location",
security_rules=[
SecurityRule(
protocol="TCP",
source_address_prefix="Internet",
access="Allow",
direction="Inbound",
)
],
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_udp_internet_access_restricted.network_udp_internet_access_restricted import (
network_udp_internet_access_restricted,
)
check = network_udp_internet_access_restricted()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Security Group {security_group_name} from subscription {AZURE_SUBSCRIPTION} has UDP internet access restricted."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == security_group_name
assert result[0].resource_id == security_group_id


@@ -0,0 +1,112 @@
from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.network.network_service import NetworkWatcher
AZURE_SUBSCRIPTION = str(uuid4())
class Test_network_watcher_enabled:
def test_no_network_watchers(self):
network_client = mock.MagicMock
locations = []
network_client.locations = {AZURE_SUBSCRIPTION: locations}
network_client.security_groups = {}
network_client.network_watchers = {}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_watcher_enabled.network_watcher_enabled import (
network_watcher_enabled,
)
check = network_watcher_enabled()
result = check.execute()
assert len(result) == 0
def test_network_invalid_network_watchers(self):
network_client = mock.MagicMock
locations = ["location"]
network_client.locations = {AZURE_SUBSCRIPTION: locations}
network_watcher_name = "Network Watcher"
network_watcher_id = f"/subscriptions/{AZURE_SUBSCRIPTION}/providers/Microsoft.Network/networkWatchers/{locations[0]}"
network_client.network_watchers = {
AZURE_SUBSCRIPTION: [
NetworkWatcher(
id=network_watcher_id,
name=network_watcher_name,
location=None,
flow_logs=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_watcher_enabled.network_watcher_enabled import (
network_watcher_enabled,
)
check = network_watcher_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Network Watcher is not enabled for the location {locations[0]} in subscription {AZURE_SUBSCRIPTION}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == network_watcher_name
assert result[0].resource_id == network_watcher_id
def test_network_valid_network_watchers(self):
network_client = mock.MagicMock
locations = ["location"]
network_client.locations = {AZURE_SUBSCRIPTION: locations}
network_watcher_name = "Network Watcher"
network_watcher_id = f"/subscriptions/{AZURE_SUBSCRIPTION}/providers/Microsoft.Network/networkWatchers/{locations[0]}"
network_client.network_watchers = {
AZURE_SUBSCRIPTION: [
NetworkWatcher(
id=network_watcher_id,
name=network_watcher_name,
location="location",
flow_logs=[],
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_watcher_enabled.network_watcher_enabled import (
network_watcher_enabled,
)
check = network_watcher_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Network Watcher is enabled for the location {locations[0]} in subscription {AZURE_SUBSCRIPTION}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == network_watcher_name
assert result[0].resource_id == network_watcher_id
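Review bot: The new test module never exercises the case this check most plausibly exists for — a subscription location that has no Network Watcher deployed at all: `test_no_network_watchers` uses an empty `locations` list and only asserts zero findings, and the FAIL case in `test_network_invalid_network_watchers` models a watcher whose `location` is `None`, not an absent watcher. If the check iterates `network_client.locations[subscription]` and looks for a watcher in each one (the implementation is outside this section, so this is inferred), the "location present, `network_watchers` empty" path is the one a misconfigured tenant would hit, and it is currently unverified. I would add the test below; the exact `status_extended`, `resource_name` and `resource_id` expected for a missing watcher depend on the check, so only the status and subscription are asserted here. Separately, `network_client.security_groups = {}` in the first test is not read by this check as far as the tests show and can be dropped, and since `network_client` is the `mock.MagicMock` class rather than an instance, attributes set in one test persist into the next — a project-wide convention, but worth keeping in mind when a later test omits `network_watchers`.
```python
def test_network_location_without_network_watcher(self):
    network_client = mock.MagicMock
    locations = ["location"]
    network_client.locations = {AZURE_SUBSCRIPTION: locations}
    network_client.network_watchers = {AZURE_SUBSCRIPTION: []}
    # … unchanged: same mock.patch context and check import as the other tests …
    check = network_watcher_enabled()
    result = check.execute()
    assert len(result) == 1
    assert result[0].status == "FAIL"
    assert result[0].subscription == AZURE_SUBSCRIPTION
```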


@@ -34,6 +34,7 @@ mock_azure_audit_info = Azure_Audit_Info(
audit_resources=None,
audit_config=None,
azure_region_config=Azure_Region_Config(),
locations=None,
)
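Review bot: The shared fixture now passes `locations=None`, whereas the new network tests model `locations` as a dict keyed by subscription (`network_client.locations = {AZURE_SUBSCRIPTION: locations}`); any service code that iterates or subscripts `audit_info.locations` without a `None` guard would raise `TypeError` when driven by this fixture. If the real attribute is a dict, `locations={}` is the safer default here and keeps the fixture shape consistent with the network tests, `locations={},`. The `Azure_Audit_Info(` constructor call starts before this hunk.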
mock_set_audit_info = Audit_Info()


@@ -36,6 +36,7 @@ class Test_Common_Output_Options:
audit_resources=None,
audit_config=None,
azure_region_config=Azure_Region_Config(),
locations=None,
)
return audit_info