mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 06:45:08 +00:00
feat(azure): Add new check storage_key_rotation_90_days (#3323)
This commit is contained in:
Pedro Martín
@@ -40,6 +40,13 @@ expected_packages = [
|
||||
name="prowler.providers.azure.services.storage.storage_ensure_minimum_tls_version_12.storage_ensure_minimum_tls_version_12",
|
||||
ispkg=False,
|
||||
),
|
||||
ModuleInfo(
|
||||
module_finder=FileFinder(
|
||||
"/root_dir/prowler/providers/azure/services/storage/storage_key_rotation_90_days"
|
||||
),
|
||||
name="prowler.providers.azure.services.storage.storage_key_rotation_90_days.storage_key_rotation_90_days",
|
||||
ispkg=False,
|
||||
),
|
||||
ModuleInfo(
|
||||
module_finder=FileFinder("/root_dir/prowler/providers/azure/services/storage"),
|
||||
name="prowler.providers.azure.services.storage.storage_ensure_encryption_with_customer_managed_keys",
|
||||
@@ -68,6 +75,13 @@ def mock_list_modules(*_):
|
||||
name="prowler.providers.azure.services.storage.storage_ensure_minimum_tls_version_12.storage_ensure_minimum_tls_version_12",
|
||||
ispkg=False,
|
||||
),
|
||||
ModuleInfo(
|
||||
module_finder=FileFinder(
|
||||
"/root_dir/prowler/providers/azure/services/storage/storage_key_rotation_90_days"
|
||||
),
|
||||
name="prowler.providers.azure.services.storage.storage_key_rotation_90_days.storage_key_rotation_90_days",
|
||||
ispkg=False,
|
||||
),
|
||||
ModuleInfo(
|
||||
module_finder=FileFinder(
|
||||
"/root_dir/prowler/providers/azure/services/storage"
|
||||
@@ -447,6 +461,10 @@ class Test_Check:
|
||||
"storage_ensure_minimum_tls_version_12",
|
||||
"/root_dir/prowler/providers/azure/services/storage/storage_ensure_minimum_tls_version_12",
|
||||
),
|
||||
(
|
||||
"storage_key_rotation_90_days",
|
||||
"/root_dir/prowler/providers/azure/services/storage/storage_key_rotation_90_days",
|
||||
),
|
||||
(
|
||||
"storage_ensure_encryption_with_customer_managed_keys",
|
||||
"/root_dir/prowler/providers/azure/services/storage/storage_ensure_encryption_with_customer_managed_keys",
|
||||
|
||||
@@ -38,6 +38,7 @@ class Test_storage_blob_public_access_level_is_disabled:
|
||||
network_rule_set=None,
|
||||
encryption_type=None,
|
||||
minimum_tls_version=None,
|
||||
key_expiration_period_in_days=None,
|
||||
)
|
||||
]
|
||||
}
|
||||
@@ -77,6 +78,7 @@ class Test_storage_blob_public_access_level_is_disabled:
|
||||
network_rule_set=None,
|
||||
encryption_type=None,
|
||||
minimum_tls_version=None,
|
||||
key_expiration_period_in_days=None,
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
@@ -40,6 +40,7 @@ class Test_storage_default_network_access_rule_is_denied:
|
||||
network_rule_set=NetworkRuleSet(default_action="Allow"),
|
||||
encryption_type=None,
|
||||
minimum_tls_version=None,
|
||||
key_expiration_period_in_days=None,
|
||||
)
|
||||
]
|
||||
}
|
||||
@@ -79,6 +80,7 @@ class Test_storage_default_network_access_rule_is_denied:
|
||||
network_rule_set=NetworkRuleSet(default_action="Deny"),
|
||||
encryption_type=None,
|
||||
minimum_tls_version=None,
|
||||
key_expiration_period_in_days=None,
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
@@ -40,6 +40,7 @@ class Test_storage_ensure_azure_services_are_trusted_to_access_is_enabled:
|
||||
network_rule_set=NetworkRuleSet(bypass=[None]),
|
||||
encryption_type=None,
|
||||
minimum_tls_version=None,
|
||||
key_expiration_period_in_days=None,
|
||||
)
|
||||
]
|
||||
}
|
||||
@@ -79,6 +80,7 @@ class Test_storage_ensure_azure_services_are_trusted_to_access_is_enabled:
|
||||
network_rule_set=NetworkRuleSet(bypass=["AzureServices"]),
|
||||
encryption_type=None,
|
||||
minimum_tls_version=None,
|
||||
key_expiration_period_in_days=None,
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
@@ -38,6 +38,7 @@ class Test_storage_ensure_encryption_with_customer_managed_keys:
|
||||
network_rule_set=None,
|
||||
encryption_type="None",
|
||||
minimum_tls_version=None,
|
||||
key_expiration_period_in_days=None,
|
||||
)
|
||||
]
|
||||
}
|
||||
@@ -77,6 +78,7 @@ class Test_storage_ensure_encryption_with_customer_managed_keys:
|
||||
network_rule_set=None,
|
||||
encryption_type="Microsoft.Keyvault",
|
||||
minimum_tls_version=None,
|
||||
key_expiration_period_in_days=None,
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
@@ -38,6 +38,7 @@ class Test_storage_ensure_minimum_tls_version_12:
|
||||
network_rule_set=None,
|
||||
encryption_type="None",
|
||||
minimum_tls_version="TLS1_1",
|
||||
key_expiration_period_in_days=None,
|
||||
)
|
||||
]
|
||||
}
|
||||
@@ -77,6 +78,7 @@ class Test_storage_ensure_minimum_tls_version_12:
|
||||
network_rule_set=None,
|
||||
encryption_type="None",
|
||||
minimum_tls_version="TLS1_2",
|
||||
key_expiration_period_in_days=None,
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
@@ -38,6 +38,7 @@ class Test_storage_infrastructure_encryption_is_enabled:
|
||||
network_rule_set=None,
|
||||
encryption_type="None",
|
||||
minimum_tls_version="TLS1_1",
|
||||
key_expiration_period_in_days=None,
|
||||
)
|
||||
]
|
||||
}
|
||||
@@ -77,6 +78,7 @@ class Test_storage_infrastructure_encryption_is_enabled:
|
||||
network_rule_set=None,
|
||||
encryption_type="None",
|
||||
minimum_tls_version="TLS1_1",
|
||||
key_expiration_period_in_days=None,
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
@@ -0,0 +1,145 @@
|
||||
from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.storage.storage_service import Storage_Account
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUSCRIPTION
|
||||
|
||||
|
||||
class Test_storage_key_rotation_90_dayss:
|
||||
def test_storage_no_storage_accounts(self):
|
||||
storage_client = mock.MagicMock
|
||||
storage_client.storage_accounts = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.storage.storage_key_rotation_90_days.storage_key_rotation_90_days.storage_client",
|
||||
new=storage_client,
|
||||
):
|
||||
from prowler.providers.azure.services.storage.storage_key_rotation_90_days.storage_key_rotation_90_days import (
|
||||
storage_key_rotation_90_days,
|
||||
)
|
||||
|
||||
check = storage_key_rotation_90_days()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
|
||||
|
||||
def test_storage_storage_key_rotation_91_days(self):
|
||||
storage_account_id = str(uuid4())
|
||||
storage_account_name = "Test Storage Account"
|
||||
expiration_days = 91
|
||||
storage_client = mock.MagicMock
|
||||
storage_client.storage_accounts = {
|
||||
AZURE_SUSCRIPTION: [
|
||||
Storage_Account(
|
||||
id=storage_account_id,
|
||||
name=storage_account_name,
|
||||
enable_https_traffic_only=False,
|
||||
infrastructure_encryption=False,
|
||||
allow_blob_public_access=None,
|
||||
network_rule_set=None,
|
||||
encryption_type="None",
|
||||
minimum_tls_version="TLS1_1",
|
||||
key_expiration_period_in_days=expiration_days,
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.storage.storage_key_rotation_90_days.storage_key_rotation_90_days.storage_client",
|
||||
new=storage_client,
|
||||
):
|
||||
from prowler.providers.azure.services.storage.storage_key_rotation_90_days.storage_key_rotation_90_days import (
|
||||
storage_key_rotation_90_days,
|
||||
)
|
||||
|
||||
check = storage_key_rotation_90_days()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} has an invalid key expiration period of {expiration_days} days."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUSCRIPTION
|
||||
assert result[0].resource_name == storage_account_name
|
||||
assert result[0].resource_id == storage_account_id
|
||||
|
||||
def test_storage_storage_key_rotation_90_days(self):
|
||||
storage_account_id = str(uuid4())
|
||||
storage_account_name = "Test Storage Account"
|
||||
expiration_days = 90
|
||||
storage_client = mock.MagicMock
|
||||
storage_client.storage_accounts = {
|
||||
AZURE_SUSCRIPTION: [
|
||||
Storage_Account(
|
||||
id=storage_account_id,
|
||||
name=storage_account_name,
|
||||
enable_https_traffic_only=False,
|
||||
infrastructure_encryption=False,
|
||||
allow_blob_public_access=None,
|
||||
network_rule_set=None,
|
||||
encryption_type="None",
|
||||
minimum_tls_version="TLS1_2",
|
||||
key_expiration_period_in_days=expiration_days,
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.storage.storage_key_rotation_90_days.storage_key_rotation_90_days.storage_client",
|
||||
new=storage_client,
|
||||
):
|
||||
from prowler.providers.azure.services.storage.storage_key_rotation_90_days.storage_key_rotation_90_days import (
|
||||
storage_key_rotation_90_days,
|
||||
)
|
||||
|
||||
check = storage_key_rotation_90_days()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} has a key expiration period of {expiration_days} days."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUSCRIPTION
|
||||
assert result[0].resource_name == storage_account_name
|
||||
assert result[0].resource_id == storage_account_id
|
||||
|
||||
def test_storage_storage_no_key_rotation(self):
|
||||
storage_account_id = str(uuid4())
|
||||
storage_account_name = "Test Storage Account"
|
||||
storage_client = mock.MagicMock
|
||||
storage_client.storage_accounts = {
|
||||
AZURE_SUSCRIPTION: [
|
||||
Storage_Account(
|
||||
id=storage_account_id,
|
||||
name=storage_account_name,
|
||||
enable_https_traffic_only=False,
|
||||
infrastructure_encryption=False,
|
||||
allow_blob_public_access=None,
|
||||
network_rule_set=None,
|
||||
encryption_type="None",
|
||||
minimum_tls_version="TLS1_2",
|
||||
key_expiration_period_in_days=None,
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.storage.storage_key_rotation_90_days.storage_key_rotation_90_days.storage_client",
|
||||
new=storage_client,
|
||||
):
|
||||
from prowler.providers.azure.services.storage.storage_key_rotation_90_days.storage_key_rotation_90_days import (
|
||||
storage_key_rotation_90_days,
|
||||
)
|
||||
|
||||
check = storage_key_rotation_90_days()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} has no key expiration period set."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUSCRIPTION
|
||||
assert result[0].resource_name == storage_account_name
|
||||
assert result[0].resource_id == storage_account_id
|
||||
@@ -38,6 +38,7 @@ class Test_storage_secure_transfer_required_is_enabled:
|
||||
network_rule_set=None,
|
||||
encryption_type="None",
|
||||
minimum_tls_version="TLS1_1",
|
||||
key_expiration_period_in_days=None,
|
||||
)
|
||||
]
|
||||
}
|
||||
@@ -77,6 +78,7 @@ class Test_storage_secure_transfer_required_is_enabled:
|
||||
network_rule_set=None,
|
||||
encryption_type="None",
|
||||
minimum_tls_version="TLS1_1",
|
||||
key_expiration_period_in_days=None,
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user