ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 06:45:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(azure): Azure new checks related with App Service (#3432)

Browse Source 
Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
This commit is contained in:
Rubén De la Torre Vico
2024-02-27 12:52:58 +01:00
committed by GitHub
parent 055a90df30
commit ab14efa329
49 changed files with 2263 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

111
tests/providers/azure/services/app/app_client_certificates_on/app_client_certificates_on_test.py Normal file
View File

@@ -0,0 +1,111 @@
from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.app.app_service import WebApp
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
class Test_app_client_certificates_on:
def test_app_no_subscriptions(self):
app_client = mock.MagicMock
app_client.apps = {}
with mock.patch(
"prowler.providers.azure.services.app.app_client_certificates_on.app_client_certificates_on.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_client_certificates_on.app_client_certificates_on import (
app_client_certificates_on,
)
check = app_client_certificates_on()
result = check.execute()
assert len(result) == 0
def test_app_subscription_empty(self):
app_client = mock.MagicMock
app_client.apps = {AZURE_SUBSCRIPTION: {}}
with mock.patch(
"prowler.providers.azure.services.app.app_client_certificates_on.app_client_certificates_on.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_client_certificates_on.app_client_certificates_on import (
app_client_certificates_on,
)
check = app_client_certificates_on()
result = check.execute()
assert len(result) == 0
def test_app_client_certificates_on(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=None,
client_cert_mode="Required",
https_only=False,
identity=None,
)
}
}
with mock.patch(
"prowler.providers.azure.services.app.app_client_certificates_on.app_client_certificates_on.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_client_certificates_on.app_client_certificates_on import (
app_client_certificates_on,
)
check = app_client_certificates_on()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Clients are required to present a certificate for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
def test_app_client_certificates_off(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=None,
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
with mock.patch(
"prowler.providers.azure.services.app.app_client_certificates_on.app_client_certificates_on.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_client_certificates_on.app_client_certificates_on import (
app_client_certificates_on,
)
check = app_client_certificates_on()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Clients are not required to present a certificate for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION

111
tests/providers/azure/services/app/app_ensure_auth_is_set_up/app_ensure_auth_is_set_up_test.py Normal file
View File

@@ -0,0 +1,111 @@
from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.app.app_service import WebApp
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
class Test_app_ensure_auth_is_set_up:
def test_app_no_subscriptions(self):
app_client = mock.MagicMock
app_client.apps = {}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_auth_is_set_up.app_ensure_auth_is_set_up.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_auth_is_set_up.app_ensure_auth_is_set_up import (
app_ensure_auth_is_set_up,
)
check = app_ensure_auth_is_set_up()
result = check.execute()
assert len(result) == 0
def test_app_subscription_empty(self):
app_client = mock.MagicMock
app_client.apps = {AZURE_SUBSCRIPTION: {}}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_auth_is_set_up.app_ensure_auth_is_set_up.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_auth_is_set_up.app_ensure_auth_is_set_up import (
app_ensure_auth_is_set_up,
)
check = app_ensure_auth_is_set_up()
result = check.execute()
assert len(result) == 0
def test_app_auth_enabled(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=mock.MagicMock(),
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_auth_is_set_up.app_ensure_auth_is_set_up.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_auth_is_set_up.app_ensure_auth_is_set_up import (
app_ensure_auth_is_set_up,
)
check = app_ensure_auth_is_set_up()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Authentication is set up for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_name == "app_id-1"
assert result[0].resource_id == resource_id
assert result[0].subscription == AZURE_SUBSCRIPTION
def test_app_auth_disabled(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=False,
configurations=mock.MagicMock(),
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_auth_is_set_up.app_ensure_auth_is_set_up.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_auth_is_set_up.app_ensure_auth_is_set_up import (
app_ensure_auth_is_set_up,
)
check = app_ensure_auth_is_set_up()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Authentication is not set up for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_name == "app_id-1"
assert result[0].resource_id == resource_id
assert result[0].subscription == AZURE_SUBSCRIPTION

111
tests/providers/azure/services/app/app_ensure_http_is_redirected_to_https/app_ensure_http_is_redirected_to_https_test.py Normal file
View File

@@ -0,0 +1,111 @@
from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.app.app_service import WebApp
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
class Test_app_ensure_http_is_redirected_to_https:
def test_app_no_subscriptions(self):
app_client = mock.MagicMock
app_client.apps = {}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_http_is_redirected_to_https.app_ensure_http_is_redirected_to_https.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_http_is_redirected_to_https.app_ensure_http_is_redirected_to_https import (
app_ensure_http_is_redirected_to_https,
)
check = app_ensure_http_is_redirected_to_https()
result = check.execute()
assert len(result) == 0
def test_app_subscriptions_empty_empty(self):
app_client = mock.MagicMock
app_client.apps = {AZURE_SUBSCRIPTION: {}}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_http_is_redirected_to_https.app_ensure_http_is_redirected_to_https.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_http_is_redirected_to_https.app_ensure_http_is_redirected_to_https import (
app_ensure_http_is_redirected_to_https,
)
check = app_ensure_http_is_redirected_to_https()
result = check.execute()
assert len(result) == 0
def test_app_http_to_https(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=mock.MagicMock(),
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_http_is_redirected_to_https.app_ensure_http_is_redirected_to_https.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_http_is_redirected_to_https.app_ensure_http_is_redirected_to_https import (
app_ensure_http_is_redirected_to_https,
)
check = app_ensure_http_is_redirected_to_https()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"HTTP is not redirected to HTTPS for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_name == "app_id-1"
assert result[0].resource_id == resource_id
assert result[0].subscription == AZURE_SUBSCRIPTION
def test_app_http_to_https_enabled(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=mock.MagicMock(),
client_cert_mode="Ignore",
https_only=True,
identity=None,
)
}
}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_http_is_redirected_to_https.app_ensure_http_is_redirected_to_https.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_http_is_redirected_to_https.app_ensure_http_is_redirected_to_https import (
app_ensure_http_is_redirected_to_https,
)
check = app_ensure_http_is_redirected_to_https()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"HTTP is redirected to HTTPS for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_name == "app_id-1"
assert result[0].resource_id == resource_id
assert result[0].subscription == AZURE_SUBSCRIPTION

259
tests/providers/azure/services/app/app_ensure_java_version_is_latest/app_ensure_java_version_is_latest_test.py Normal file
View File

@@ -0,0 +1,259 @@
from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.app.app_service import WebApp
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
class Test_app_ensure_java_version_is_latest:
def test_app_no_subscriptions(self):
app_client = mock.MagicMock
app_client.apps = {}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest import (
app_ensure_java_version_is_latest,
)
check = app_ensure_java_version_is_latest()
result = check.execute()
assert len(result) == 0
def test_app_subscriptions_empty(self):
app_client = mock.MagicMock
app_client.apps = {AZURE_SUBSCRIPTION: {}}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest import (
app_ensure_java_version_is_latest,
)
check = app_ensure_java_version_is_latest()
result = check.execute()
assert len(result) == 0
def test_app_configurations_none(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=None,
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest import (
app_ensure_java_version_is_latest,
)
check = app_ensure_java_version_is_latest()
result = check.execute()
assert len(result) == 0
def test_app_linux_java_version_latest(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=mock.MagicMock(
linux_fx_version="Tomcat|9.0-java17", java_version=None
),
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
app_client.audit_config = {"java_latest_version": "17"}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest import (
app_ensure_java_version_is_latest,
)
check = app_ensure_java_version_is_latest()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Java version is set to 'java 17' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
def test_app_linux_java_version_not_latest(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=mock.MagicMock(
linux_fx_version="Tomcat|9.0-java11", java_version=None
),
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
app_client.audit_config = {"java_latest_version": "17"}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest import (
app_ensure_java_version_is_latest,
)
check = app_ensure_java_version_is_latest()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Java version is set to 'Tomcat|9.0-java11', but should be set to 'java 17' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
def test_app_windows_java_version_latest(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=mock.MagicMock(
linux_fx_version="", java_version="17"
),
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
app_client.audit_config = {"java_latest_version": "17"}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest import (
app_ensure_java_version_is_latest,
)
check = app_ensure_java_version_is_latest()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Java version is set to 'java 17' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
def test_app_windows_java_version_not_latest(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=mock.MagicMock(
linux_fx_version="", java_version="11"
),
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
app_client.audit_config = {"java_latest_version": "17"}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest import (
app_ensure_java_version_is_latest,
)
check = app_ensure_java_version_is_latest()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Java version is set to 'java11', but should be set to 'java 17' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
def test_app_linux_php_version_latest(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=mock.MagicMock(
linux_fx_version="php|8.0", java_version=None
),
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
app_client.audit_config = {"java_latest_version": "17"}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest import (
app_ensure_java_version_is_latest,
)
check = app_ensure_java_version_is_latest()
result = check.execute()
assert len(result) == 0

143
tests/providers/azure/services/app/app_ensure_php_version_is_latest/app_ensure_php_version_is_latest_test.py Normal file
View File

@@ -0,0 +1,143 @@
from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.app.app_service import WebApp
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
class Test_app_ensure_php_version_is_latest:
def test_app_no_subscriptions(self):
app_client = mock.MagicMock
app_client.apps = {}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_php_version_is_latest.app_ensure_php_version_is_latest.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_php_version_is_latest.app_ensure_php_version_is_latest import (
app_ensure_php_version_is_latest,
)
check = app_ensure_php_version_is_latest()
result = check.execute()
assert len(result) == 0
def test_app_subscription_empty(self):
app_client = mock.MagicMock
app_client.apps = {AZURE_SUBSCRIPTION: {}}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_php_version_is_latest.app_ensure_php_version_is_latest.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_php_version_is_latest.app_ensure_php_version_is_latest import (
app_ensure_php_version_is_latest,
)
check = app_ensure_php_version_is_latest()
result = check.execute()
assert len(result) == 0
def test_app_configurations_none(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=None,
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_php_version_is_latest.app_ensure_php_version_is_latest.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_php_version_is_latest.app_ensure_php_version_is_latest import (
app_ensure_php_version_is_latest,
)
check = app_ensure_php_version_is_latest()
result = check.execute()
assert len(result) == 0
def test_app_php_version_not_latest(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=mock.MagicMock(linux_fx_version="php|8.0"),
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
app_client.audit_config = {"php_latest_version": "8.2"}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_php_version_is_latest.app_ensure_php_version_is_latest.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_php_version_is_latest.app_ensure_php_version_is_latest import (
app_ensure_php_version_is_latest,
)
check = app_ensure_php_version_is_latest()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"PHP version is set to 'php|8.0', the latest version that you could use is the '8.2' version, for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
def test_app_php_version_latest(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=mock.MagicMock(linux_fx_version="php|8.2"),
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
app_client.audit_config = {"php_latest_version": "8.2"}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_php_version_is_latest.app_ensure_php_version_is_latest.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_php_version_is_latest.app_ensure_php_version_is_latest import (
app_ensure_php_version_is_latest,
)
check = app_ensure_php_version_is_latest()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"PHP version is set to '8.2' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION

143
tests/providers/azure/services/app/app_ensure_python_version_is_latest/app_ensure_python_version_is_latest_test.py Normal file
View File

@@ -0,0 +1,143 @@
from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.app.app_service import WebApp
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
class Test_app_ensure_python_version_is_latest:
def test_app_no_subscriptions(self):
app_client = mock.MagicMock
app_client.apps = {}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_python_version_is_latest.app_ensure_python_version_is_latest.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_python_version_is_latest.app_ensure_python_version_is_latest import (
app_ensure_python_version_is_latest,
)
check = app_ensure_python_version_is_latest()
result = check.execute()
assert len(result) == 0
def test_app_subscriptions_empty(self):
app_client = mock.MagicMock
app_client.apps = {AZURE_SUBSCRIPTION: {}}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_python_version_is_latest.app_ensure_python_version_is_latest.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_python_version_is_latest.app_ensure_python_version_is_latest import (
app_ensure_python_version_is_latest,
)
check = app_ensure_python_version_is_latest()
result = check.execute()
assert len(result) == 0
def test_app_configurations_none(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=None,
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_python_version_is_latest.app_ensure_python_version_is_latest.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_python_version_is_latest.app_ensure_python_version_is_latest import (
app_ensure_python_version_is_latest,
)
check = app_ensure_python_version_is_latest()
result = check.execute()
assert len(result) == 0
def test_app_python_version_latest(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=mock.MagicMock(linux_fx_version="python|3.12"),
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
app_client.audit_config = {"python_latest_version": "3.12"}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_python_version_is_latest.app_ensure_python_version_is_latest.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_python_version_is_latest.app_ensure_python_version_is_latest import (
app_ensure_python_version_is_latest,
)
check = app_ensure_python_version_is_latest()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Python version is set to '3.12' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
def test_app_python_version_not_latest(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=mock.MagicMock(linux_fx_version="python|3.10"),
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
app_client.audit_config = {"python_latest_version": "3.12"}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_python_version_is_latest.app_ensure_python_version_is_latest.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_python_version_is_latest.app_ensure_python_version_is_latest import (
app_ensure_python_version_is_latest,
)
check = app_ensure_python_version_is_latest()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Python version is 'python|3.10', the latest version that you could use is the '3.12' version, for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION

147
tests/providers/azure/services/app/app_ensure_using_http20/app_ensure_using_http20_test.py Normal file
View File

@@ -0,0 +1,147 @@
from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.app.app_service import WebApp
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
class Test_app_ensure_using_http20:
def test_app_no_subscriptions(self):
app_client = mock.MagicMock
app_client.apps = {}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_using_http20.app_ensure_using_http20.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_using_http20.app_ensure_using_http20 import (
app_ensure_using_http20,
)
check = app_ensure_using_http20()
result = check.execute()
assert len(result) == 0
def test_app_subscription_empty(self):
app_client = mock.MagicMock
app_client.apps = {AZURE_SUBSCRIPTION: {}}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_using_http20.app_ensure_using_http20.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_using_http20.app_ensure_using_http20 import (
app_ensure_using_http20,
)
check = app_ensure_using_http20()
result = check.execute()
assert len(result) == 0
def test_app_configurations_none(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=None,
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_using_http20.app_ensure_using_http20.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_using_http20.app_ensure_using_http20 import (
app_ensure_using_http20,
)
check = app_ensure_using_http20()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"HTTP/2.0 is not enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
def test_app_http20_enabled(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=mock.MagicMock(http20_enabled=True),
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_using_http20.app_ensure_using_http20.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_using_http20.app_ensure_using_http20 import (
app_ensure_using_http20,
)
check = app_ensure_using_http20()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"HTTP/2.0 is enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
def test_app_http20_not_enabled(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=mock.MagicMock(http20_enabled=False),
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
with mock.patch(
"prowler.providers.azure.services.app.app_ensure_using_http20.app_ensure_using_http20.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ensure_using_http20.app_ensure_using_http20 import (
app_ensure_using_http20,
)
check = app_ensure_using_http20()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"HTTP/2.0 is not enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION

147
tests/providers/azure/services/app/app_ftp_deployment_disabled/app_ftp_deployment_disabled_test.py Normal file
View File

@@ -0,0 +1,147 @@
from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.app.app_service import WebApp
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
class Test_app_ftp_deployment_disabled:
def test_app_no_subscriptions(self):
app_client = mock.MagicMock
app_client.apps = {}
with mock.patch(
"prowler.providers.azure.services.app.app_ftp_deployment_disabled.app_ftp_deployment_disabled.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ftp_deployment_disabled.app_ftp_deployment_disabled import (
app_ftp_deployment_disabled,
)
check = app_ftp_deployment_disabled()
result = check.execute()
assert len(result) == 0
def test_app_subscriptions_empty(self):
app_client = mock.MagicMock
app_client.apps = {AZURE_SUBSCRIPTION: {}}
with mock.patch(
"prowler.providers.azure.services.app.app_ftp_deployment_disabled.app_ftp_deployment_disabled.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ftp_deployment_disabled.app_ftp_deployment_disabled import (
app_ftp_deployment_disabled,
)
check = app_ftp_deployment_disabled()
result = check.execute()
assert len(result) == 0
def test_app_configurations_none(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=None,
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
with mock.patch(
"prowler.providers.azure.services.app.app_ftp_deployment_disabled.app_ftp_deployment_disabled.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ftp_deployment_disabled.app_ftp_deployment_disabled import (
app_ftp_deployment_disabled,
)
check = app_ftp_deployment_disabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"FTP is enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
def test_app_ftp_deployment_disabled(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=mock.MagicMock(ftps_state="AllAllowed"),
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
with mock.patch(
"prowler.providers.azure.services.app.app_ftp_deployment_disabled.app_ftp_deployment_disabled.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ftp_deployment_disabled.app_ftp_deployment_disabled import (
app_ftp_deployment_disabled,
)
check = app_ftp_deployment_disabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"FTP is enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
def test_app_ftp_deploy_enabled(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=mock.MagicMock(ftps_state="Disabled"),
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
with mock.patch(
"prowler.providers.azure.services.app.app_ftp_deployment_disabled.app_ftp_deployment_disabled.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_ftp_deployment_disabled.app_ftp_deployment_disabled import (
app_ftp_deployment_disabled,
)
check = app_ftp_deployment_disabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"FTP is disabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION

147
tests/providers/azure/services/app/app_minimum_tls_version_12/app_minimum_tls_version_12_test.py Normal file
View File

@@ -0,0 +1,147 @@
from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.app.app_service import WebApp
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
class Test_app_minimum_tls_version_12:
def test_app_no_subscriptions(self):
app_client = mock.MagicMock
app_client.apps = {}
with mock.patch(
"prowler.providers.azure.services.app.app_minimum_tls_version_12.app_minimum_tls_version_12.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_minimum_tls_version_12.app_minimum_tls_version_12 import (
app_minimum_tls_version_12,
)
check = app_minimum_tls_version_12()
result = check.execute()
assert len(result) == 0
def test_app_subscriptions_empty(self):
app_client = mock.MagicMock
app_client.apps = {AZURE_SUBSCRIPTION: {}}
with mock.patch(
"prowler.providers.azure.services.app.app_minimum_tls_version_12.app_minimum_tls_version_12.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_minimum_tls_version_12.app_minimum_tls_version_12 import (
app_minimum_tls_version_12,
)
check = app_minimum_tls_version_12()
result = check.execute()
assert len(result) == 0
def test_app_none_configurations(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=None,
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
with mock.patch(
"prowler.providers.azure.services.app.app_minimum_tls_version_12.app_minimum_tls_version_12.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_minimum_tls_version_12.app_minimum_tls_version_12 import (
app_minimum_tls_version_12,
)
check = app_minimum_tls_version_12()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Minimum TLS version is not set to 1.2 for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
def test_app_min_tls_version_12(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=mock.MagicMock(min_tls_version="1.2"),
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
with mock.patch(
"prowler.providers.azure.services.app.app_minimum_tls_version_12.app_minimum_tls_version_12.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_minimum_tls_version_12.app_minimum_tls_version_12 import (
app_minimum_tls_version_12,
)
check = app_minimum_tls_version_12()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Minimum TLS version is set to 1.2 for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
def test_app_min_tls_version_10(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=False,
configurations=mock.MagicMock(min_tls_version="1.0"),
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
with mock.patch(
"prowler.providers.azure.services.app.app_minimum_tls_version_12.app_minimum_tls_version_12.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_minimum_tls_version_12.app_minimum_tls_version_12 import (
app_minimum_tls_version_12,
)
check = app_minimum_tls_version_12()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Minimum TLS version is not set to 1.2 for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION

111
tests/providers/azure/services/app/app_register_with_identity/app_register_with_identity_test.py Normal file
View File

@@ -0,0 +1,111 @@
from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.app.app_service import WebApp
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
class Test_app_register_with_identity:
def test_app_no_subscriptions(self):
app_client = mock.MagicMock
app_client.apps = {}
with mock.patch(
"prowler.providers.azure.services.app.app_register_with_identity.app_register_with_identity.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_register_with_identity.app_register_with_identity import (
app_register_with_identity,
)
check = app_register_with_identity()
result = check.execute()
assert len(result) == 0
def test_app_subscriptions_empty(self):
app_client = mock.MagicMock
app_client.apps = {AZURE_SUBSCRIPTION: {}}
with mock.patch(
"prowler.providers.azure.services.app.app_register_with_identity.app_register_with_identity.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_register_with_identity.app_register_with_identity import (
app_register_with_identity,
)
check = app_register_with_identity()
result = check.execute()
assert len(result) == 0
def test_app_none_configurations(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=None,
client_cert_mode="Ignore",
https_only=False,
identity=None,
)
}
}
with mock.patch(
"prowler.providers.azure.services.app.app_register_with_identity.app_register_with_identity.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_register_with_identity.app_register_with_identity import (
app_register_with_identity,
)
check = app_register_with_identity()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"App 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}' does not have an identity configured."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
def test_app_identity(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
configurations=None,
client_cert_mode="Ignore",
https_only=False,
identity=mock.MagicMock,
)
}
}
with mock.patch(
"prowler.providers.azure.services.app.app_register_with_identity.app_register_with_identity.app_client",
new=app_client,
):
from prowler.providers.azure.services.app.app_register_with_identity.app_register_with_identity import (
app_register_with_identity,
)
check = app_register_with_identity()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"App 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}' has an identity configured."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION

79
tests/providers/azure/services/app/app_service_test.py Normal file
View File

@@ -0,0 +1,79 @@
from unittest.mock import patch
from azure.mgmt.web.models import ManagedServiceIdentity, SiteConfigResource
from prowler.providers.azure.services.app.app_service import App, WebApp
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION,
set_mocked_azure_audit_info,
)
def mock_app_get_apps(self):
return {
AZURE_SUBSCRIPTION: {
"app_id-1": WebApp(
resource_id="/subscriptions/resource_id",
configurations=SiteConfigResource(),
identity=ManagedServiceIdentity(type="SystemAssigned"),
auth_enabled=True,
client_cert_mode="Required",
https_only=True,
)
}
}
@patch(
"prowler.providers.azure.services.app.app_service.App.__get_apps__",
new=mock_app_get_apps,
)
class Test_App_Service:
def test__get_client__(self):
app_service = App(set_mocked_azure_audit_info())
assert (
app_service.clients[AZURE_SUBSCRIPTION].__class__.__name__
== "WebSiteManagementClient"
)
def test__get_subscriptions__(self):
app_service = App(set_mocked_azure_audit_info())
assert app_service.subscriptions.__class__.__name__ == "dict"
def test__get_apps__(self):
app_service = App(set_mocked_azure_audit_info())
assert len(app_service.apps) == 1
assert (
app_service.apps[AZURE_SUBSCRIPTION]["app_id-1"].resource_id
== "/subscriptions/resource_id"
)
assert app_service.apps[AZURE_SUBSCRIPTION]["app_id-1"].auth_enabled
assert (
app_service.apps[AZURE_SUBSCRIPTION]["app_id-1"].client_cert_mode
== "Required"
)
assert app_service.apps[AZURE_SUBSCRIPTION]["app_id-1"].https_only
assert (
app_service.apps[AZURE_SUBSCRIPTION]["app_id-1"].identity.type
== "SystemAssigned"
)
assert (
app_service.apps[AZURE_SUBSCRIPTION][
"app_id-1"
].configurations.__class__.__name__
== "SiteConfigResource"
)
def test__get_client_cert_mode__(self):
app_service = App(set_mocked_azure_audit_info())
assert (
app_service.__get_client_cert_mode__(False, "OptionalInteractiveUser")
== "Ignore"
)
assert (
app_service.__get_client_cert_mode__(True, "OptionalInteractiveUser")
== "Optional"
)
assert app_service.__get_client_cert_mode__(True, "Optional") == "Allow"
assert app_service.__get_client_cert_mode__(True, "Required") == "Required"
assert app_service.__get_client_cert_mode__(True, "Foo") == "Ignore"