feat(azure): Azure new checks related with AKS (#3476)
committed by
GitHub
parent
00ab5b5fc2
commit
ddd43bae5d
@@ -0,0 +1,111 @@
|
||||
from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.aks.aks_service import Cluster
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
|
||||
|
||||
class Test_aks_cluster_rbac_enabled:
|
||||
def test_aks_no_subscriptions(self):
|
||||
aks_client = mock.MagicMock
|
||||
aks_client.clusters = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_cluster_rbac_enabled.aks_cluster_rbac_enabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
from prowler.providers.azure.services.aks.aks_cluster_rbac_enabled.aks_cluster_rbac_enabled import (
|
||||
aks_cluster_rbac_enabled,
|
||||
)
|
||||
|
||||
check = aks_cluster_rbac_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
|
||||
|
||||
def test_aks_subscription_empty(self):
|
||||
aks_client = mock.MagicMock
|
||||
aks_client.clusters = {AZURE_SUBSCRIPTION: {}}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_cluster_rbac_enabled.aks_cluster_rbac_enabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
from prowler.providers.azure.services.aks.aks_cluster_rbac_enabled.aks_cluster_rbac_enabled import (
|
||||
aks_cluster_rbac_enabled,
|
||||
)
|
||||
|
||||
check = aks_cluster_rbac_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
|
||||
|
||||
def test_aks_cluster_rbac_enabled(self):
|
||||
aks_client = mock.MagicMock
|
||||
cluster_id = str(uuid4())
|
||||
aks_client.clusters = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
cluster_id: Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
private_fqdn=None,
|
||||
network_policy="network_policy",
|
||||
agent_pool_profiles=[mock.MagicMock(enable_node_public_ip=False)],
|
||||
rbac_enabled=True,
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_cluster_rbac_enabled.aks_cluster_rbac_enabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
from prowler.providers.azure.services.aks.aks_cluster_rbac_enabled.aks_cluster_rbac_enabled import (
|
||||
aks_cluster_rbac_enabled,
|
||||
)
|
||||
|
||||
check = aks_cluster_rbac_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"RBAC is enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
)
|
||||
assert result[0].resource_name == "cluster_name"
|
||||
assert result[0].resource_id == cluster_id
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
|
||||
def test_aks_rbac_not_enabled(self):
|
||||
aks_client = mock.MagicMock
|
||||
cluster_id = str(uuid4())
|
||||
aks_client.clusters = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
cluster_id: Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
private_fqdn=None,
|
||||
network_policy="network_policy",
|
||||
agent_pool_profiles=[mock.MagicMock(enable_node_public_ip=False)],
|
||||
rbac_enabled=False,
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_cluster_rbac_enabled.aks_cluster_rbac_enabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
from prowler.providers.azure.services.aks.aks_cluster_rbac_enabled.aks_cluster_rbac_enabled import (
|
||||
aks_cluster_rbac_enabled,
|
||||
)
|
||||
|
||||
check = aks_cluster_rbac_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"RBAC is not enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
)
|
||||
assert result[0].resource_name == "cluster_name"
|
||||
assert result[0].resource_id == cluster_id
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
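Review bot: `aks_client = mock.MagicMock` binds the MagicMock class, not an instance, so the following `aks_client.clusters = {}` sets a class attribute on `unittest.mock.MagicMock` itself and that dict is then visible on every MagicMock instance created later in the same pytest process. Each test in this file should build an instance, `aks_client = mock.MagicMock()`, before assigning `.clusters`. The same pattern is repeated in the private-nodes, public-access-disabled and network-policy hunks below and in both defender-check hunks (`defender_client = mock.MagicMock`), so the fix applies to all of them. The leak is masked here only because every test overwrites the attribute before reading it.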
|
||||
@@ -0,0 +1,151 @@
|
||||
from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.aks.aks_service import Cluster
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
|
||||
|
||||
class Test_aks_clusters_created_with_private_nodes:
|
||||
def test_aks_no_subscriptions(self):
|
||||
aks_client = mock.MagicMock
|
||||
aks_client.clusters = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_clusters_created_with_private_nodes.aks_clusters_created_with_private_nodes.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
from prowler.providers.azure.services.aks.aks_clusters_created_with_private_nodes.aks_clusters_created_with_private_nodes import (
|
||||
aks_clusters_created_with_private_nodes,
|
||||
)
|
||||
|
||||
check = aks_clusters_created_with_private_nodes()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
|
||||
|
||||
def test_aks_subscription_empty(self):
|
||||
aks_client = mock.MagicMock
|
||||
aks_client.clusters = {AZURE_SUBSCRIPTION: {}}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_clusters_created_with_private_nodes.aks_clusters_created_with_private_nodes.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
from prowler.providers.azure.services.aks.aks_clusters_created_with_private_nodes.aks_clusters_created_with_private_nodes import (
|
||||
aks_clusters_created_with_private_nodes,
|
||||
)
|
||||
|
||||
check = aks_clusters_created_with_private_nodes()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
|
||||
|
||||
def test_aks_cluster_no_private_nodes(self):
|
||||
aks_client = mock.MagicMock
|
||||
cluster_id = str(uuid4())
|
||||
aks_client.clusters = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
cluster_id: Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
private_fqdn="",
|
||||
network_policy="network_policy",
|
||||
agent_pool_profiles=[mock.MagicMock(enable_node_public_ip=True)],
|
||||
rbac_enabled=True,
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_clusters_created_with_private_nodes.aks_clusters_created_with_private_nodes.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
from prowler.providers.azure.services.aks.aks_clusters_created_with_private_nodes.aks_clusters_created_with_private_nodes import (
|
||||
aks_clusters_created_with_private_nodes,
|
||||
)
|
||||
|
||||
check = aks_clusters_created_with_private_nodes()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Cluster 'cluster_name' was not created with private nodes in subscription '{AZURE_SUBSCRIPTION}'"
|
||||
)
|
||||
assert result[0].resource_id == cluster_id
|
||||
assert result[0].resource_name == "cluster_name"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
|
||||
def test_aks_cluster_private_nodes(self):
|
||||
aks_client = mock.MagicMock
|
||||
cluster_id = str(uuid4())
|
||||
aks_client.clusters = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
cluster_id: Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
private_fqdn="private_fqdn",
|
||||
network_policy="network_policy",
|
||||
agent_pool_profiles=[mock.MagicMock(enable_node_public_ip=False)],
|
||||
rbac_enabled=True,
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_clusters_created_with_private_nodes.aks_clusters_created_with_private_nodes.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
from prowler.providers.azure.services.aks.aks_clusters_created_with_private_nodes.aks_clusters_created_with_private_nodes import (
|
||||
aks_clusters_created_with_private_nodes,
|
||||
)
|
||||
|
||||
check = aks_clusters_created_with_private_nodes()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Cluster 'cluster_name' was created with private nodes in subscription '{AZURE_SUBSCRIPTION}'"
|
||||
)
|
||||
assert result[0].resource_id == cluster_id
|
||||
assert result[0].resource_name == "cluster_name"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
|
||||
def test_aks_cluster_public_and_private_nodes(self):
|
||||
aks_client = mock.MagicMock
|
||||
cluster_id = str(uuid4())
|
||||
aks_client.clusters = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
cluster_id: Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
private_fqdn="private_fqdn",
|
||||
network_policy="network_policy",
|
||||
agent_pool_profiles=[
|
||||
mock.MagicMock(enable_node_public_ip=False),
|
||||
mock.MagicMock(enable_node_public_ip=True),
|
||||
mock.MagicMock(enable_node_public_ip=False),
|
||||
],
|
||||
rbac_enabled=True,
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_clusters_created_with_private_nodes.aks_clusters_created_with_private_nodes.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
from prowler.providers.azure.services.aks.aks_clusters_created_with_private_nodes.aks_clusters_created_with_private_nodes import (
|
||||
aks_clusters_created_with_private_nodes,
|
||||
)
|
||||
|
||||
check = aks_clusters_created_with_private_nodes()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Cluster 'cluster_name' was not created with private nodes in subscription '{AZURE_SUBSCRIPTION}'"
|
||||
)
|
||||
assert result[0].resource_id == cluster_id
|
||||
assert result[0].resource_name == "cluster_name"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
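Review bot: `test_aks_cluster_no_private_nodes` sets both `private_fqdn=""` and `enable_node_public_ip=True`, so it does not pin which of the two conditions is sufficient for FAIL; `test_aks_cluster_public_and_private_nodes` isolates the pool-level condition, but no case has an empty `private_fqdn` with every pool private. Changing this test to `agent_pool_profiles=[mock.MagicMock(enable_node_public_ip=False)]` (or adding that case) would catch a regression that drops the FQDN condition. The `status_extended` strings asserted here end without a period, while the RBAC and network-policy checks in this commit end theirs with one; worth aligning the message format across the new AKS checks.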
|
||||
@@ -0,0 +1,147 @@
|
||||
from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.aks.aks_service import Cluster
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
|
||||
|
||||
class Test_aks_clusters_public_access_disabled:
|
||||
def test_aks_no_subscriptions(self):
|
||||
aks_client = mock.MagicMock
|
||||
aks_client.clusters = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_clusters_public_access_disabled.aks_clusters_public_access_disabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
from prowler.providers.azure.services.aks.aks_clusters_public_access_disabled.aks_clusters_public_access_disabled import (
|
||||
aks_clusters_public_access_disabled,
|
||||
)
|
||||
|
||||
check = aks_clusters_public_access_disabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
|
||||
|
||||
def test_aks_subscription_empty(self):
|
||||
aks_client = mock.MagicMock
|
||||
aks_client.clusters = {AZURE_SUBSCRIPTION: {}}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_clusters_public_access_disabled.aks_clusters_public_access_disabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
from prowler.providers.azure.services.aks.aks_clusters_public_access_disabled.aks_clusters_public_access_disabled import (
|
||||
aks_clusters_public_access_disabled,
|
||||
)
|
||||
|
||||
check = aks_clusters_public_access_disabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
|
||||
|
||||
def test_aks_cluster_public_fqdn(self):
|
||||
aks_client = mock.MagicMock
|
||||
cluster_id = str(uuid4())
|
||||
aks_client.clusters = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
cluster_id: Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
private_fqdn=None,
|
||||
network_policy="network_policy",
|
||||
agent_pool_profiles=[mock.MagicMock(enable_node_public_ip=False)],
|
||||
rbac_enabled=True,
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_clusters_public_access_disabled.aks_clusters_public_access_disabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
from prowler.providers.azure.services.aks.aks_clusters_public_access_disabled.aks_clusters_public_access_disabled import (
|
||||
aks_clusters_public_access_disabled,
|
||||
)
|
||||
|
||||
check = aks_clusters_public_access_disabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Public access to nodes is enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION}'"
|
||||
)
|
||||
assert result[0].resource_id == cluster_id
|
||||
assert result[0].resource_name == "cluster_name"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
|
||||
def test_aks_cluster_private_fqdn(self):
|
||||
aks_client = mock.MagicMock
|
||||
cluster_id = str(uuid4())
|
||||
aks_client.clusters = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
cluster_id: Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
private_fqdn="private_fqdn",
|
||||
network_policy="network_policy",
|
||||
agent_pool_profiles=[mock.MagicMock(enable_node_public_ip=False)],
|
||||
rbac_enabled=True,
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_clusters_public_access_disabled.aks_clusters_public_access_disabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
from prowler.providers.azure.services.aks.aks_clusters_public_access_disabled.aks_clusters_public_access_disabled import (
|
||||
aks_clusters_public_access_disabled,
|
||||
)
|
||||
|
||||
check = aks_clusters_public_access_disabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Public access to nodes is disabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION}'"
|
||||
)
|
||||
assert result[0].resource_id == cluster_id
|
||||
assert result[0].resource_name == "cluster_name"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
|
||||
def test_aks_cluster_private_fqdn_with_public_ip(self):
|
||||
aks_client = mock.MagicMock
|
||||
cluster_id = str(uuid4())
|
||||
aks_client.clusters = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
cluster_id: Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
private_fqdn="private_fqdn",
|
||||
network_policy="network_policy",
|
||||
agent_pool_profiles=[mock.MagicMock(enable_node_public_ip=True)],
|
||||
rbac_enabled=True,
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_clusters_public_access_disabled.aks_clusters_public_access_disabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
from prowler.providers.azure.services.aks.aks_clusters_public_access_disabled.aks_clusters_public_access_disabled import (
|
||||
aks_clusters_public_access_disabled,
|
||||
)
|
||||
|
||||
check = aks_clusters_public_access_disabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Public access to nodes is enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION}'"
|
||||
)
|
||||
assert result[0].resource_id == cluster_id
|
||||
assert result[0].resource_name == "cluster_name"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
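Review bot: `test_aks_cluster_public_fqdn` drives its FAIL with `private_fqdn=None` while `public_fqdn="public_fqdn"` is set identically in every test of this file, so the name points at a field that never varies; `test_aks_cluster_no_private_fqdn` would describe the input. Judging only from the inputs used, the three scenarios here map onto the same `private_fqdn` / `enable_node_public_ip` combinations and PASS/FAIL outcomes as the private-nodes hunk, which suggests the two checks may evaluate the same cluster attributes; if they are meant to differ, a test input that distinguishes them (or a sentence in each check's docstring saying what it covers) would make the distinction verifiable.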
|
||||
@@ -0,0 +1,111 @@
|
||||
from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.aks.aks_service import Cluster
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
|
||||
|
||||
class Test_aks_network_policy_enabled:
|
||||
def test_aks_no_subscriptions(self):
|
||||
aks_client = mock.MagicMock
|
||||
aks_client.clusters = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_network_policy_enabled.aks_network_policy_enabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
from prowler.providers.azure.services.aks.aks_network_policy_enabled.aks_network_policy_enabled import (
|
||||
aks_network_policy_enabled,
|
||||
)
|
||||
|
||||
check = aks_network_policy_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
|
||||
|
||||
def test_aks_subscription_empty(self):
|
||||
aks_client = mock.MagicMock
|
||||
aks_client.clusters = {AZURE_SUBSCRIPTION: {}}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_network_policy_enabled.aks_network_policy_enabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
from prowler.providers.azure.services.aks.aks_network_policy_enabled.aks_network_policy_enabled import (
|
||||
aks_network_policy_enabled,
|
||||
)
|
||||
|
||||
check = aks_network_policy_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
|
||||
|
||||
def test_aks_network_policy_enabled(self):
|
||||
aks_client = mock.MagicMock
|
||||
cluster_id = str(uuid4())
|
||||
aks_client.clusters = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
cluster_id: Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
private_fqdn=None,
|
||||
network_policy="network_policy",
|
||||
agent_pool_profiles=[mock.MagicMock(enable_node_public_ip=False)],
|
||||
rbac_enabled=True,
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_network_policy_enabled.aks_network_policy_enabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
from prowler.providers.azure.services.aks.aks_network_policy_enabled.aks_network_policy_enabled import (
|
||||
aks_network_policy_enabled,
|
||||
)
|
||||
|
||||
check = aks_network_policy_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Network policy is enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
)
|
||||
assert result[0].resource_name == "cluster_name"
|
||||
assert result[0].resource_id == cluster_id
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
|
||||
def test_aks_network_policy_disabled(self):
|
||||
aks_client = mock.MagicMock
|
||||
cluster_id = str(uuid4())
|
||||
aks_client.clusters = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
cluster_id: Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
private_fqdn=None,
|
||||
network_policy=None,
|
||||
agent_pool_profiles=[mock.MagicMock(enable_node_public_ip=False)],
|
||||
rbac_enabled=True,
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_network_policy_enabled.aks_network_policy_enabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
from prowler.providers.azure.services.aks.aks_network_policy_enabled.aks_network_policy_enabled import (
|
||||
aks_network_policy_enabled,
|
||||
)
|
||||
|
||||
check = aks_network_policy_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Network policy is not enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
)
|
||||
assert result[0].resource_name == "cluster_name"
|
||||
assert result[0].resource_id == cluster_id
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
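Review bot: The disabled case is pinned only with `network_policy=None`; a cluster whose policy field comes back as an empty string is not covered, and a truthiness test and an `is not None` test in the check would give opposite results for it. Adding a case with `network_policy=""` that asserts the intended status (FAIL, if "no policy configured" is the meaning) fixes the contract the check has to honour. Since a missing network policy means pods have no east-west isolation, this is the edge worth pinning rather than the happy path.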
|
||||
60
tests/providers/azure/services/aks/aks_service_test.py
Normal file
60
tests/providers/azure/services/aks/aks_service_test.py
Normal file
@@ -0,0 +1,60 @@
|
||||
from unittest.mock import patch
|
||||
|
||||
from prowler.providers.azure.services.aks.aks_service import AKS, Cluster
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION,
|
||||
set_mocked_azure_audit_info,
|
||||
)
|
||||
|
||||
|
||||
def mock_aks_get_clusters(_):
|
||||
return {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
"cluster_id-1": Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
private_fqdn="private_fqdn",
|
||||
network_policy="network_policy",
|
||||
agent_pool_profiles=[],
|
||||
rbac_enabled=True,
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@patch(
|
||||
"prowler.providers.azure.services.aks.aks_service.AKS.__get_clusters__",
|
||||
new=mock_aks_get_clusters,
|
||||
)
|
||||
class Test_AppInsights_Service:
|
||||
def test__get_client__(self):
|
||||
aks = AKS(set_mocked_azure_audit_info())
|
||||
assert (
|
||||
aks.clients[AZURE_SUBSCRIPTION].__class__.__name__
|
||||
== "ContainerServiceClient"
|
||||
)
|
||||
|
||||
def test__get_subscriptions__(self):
|
||||
aks = AKS(set_mocked_azure_audit_info())
|
||||
assert aks.subscriptions.__class__.__name__ == "dict"
|
||||
|
||||
def test__get_components__(self):
|
||||
aks = AKS(set_mocked_azure_audit_info())
|
||||
assert len(aks.clusters) == 1
|
||||
assert aks.clusters[AZURE_SUBSCRIPTION]["cluster_id-1"].name == "cluster_name"
|
||||
assert (
|
||||
aks.clusters[AZURE_SUBSCRIPTION]["cluster_id-1"].public_fqdn
|
||||
== "public_fqdn"
|
||||
)
|
||||
assert (
|
||||
aks.clusters[AZURE_SUBSCRIPTION]["cluster_id-1"].private_fqdn
|
||||
== "private_fqdn"
|
||||
)
|
||||
assert (
|
||||
aks.clusters[AZURE_SUBSCRIPTION]["cluster_id-1"].network_policy
|
||||
== "network_policy"
|
||||
)
|
||||
assert (
|
||||
aks.clusters[AZURE_SUBSCRIPTION]["cluster_id-1"].agent_pool_profiles == []
|
||||
)
|
||||
assert aks.clusters[AZURE_SUBSCRIPTION]["cluster_id-1"].rbac_enabled
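Review bot: The test class is named `Test_AppInsights_Service` but every test constructs `AKS(...)` and the patch targets `aks_service.AKS.__get_clusters__`; the name looks copied from the App Insights service test and should be `Test_AKS_Service`. Likewise `test__get_components__` asserts on `aks.clusters`, which the patched `__get_clusters__` populates, so `test__get_clusters__` would match the method it exercises. Stylistically, `aks.subscriptions.__class__.__name__ == "dict"` can be `isinstance(aks.subscriptions, dict)`, which also accepts dict subclasses.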
|
||||
@@ -0,0 +1,171 @@
|
||||
from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.defender.defender_service import Assesment
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
|
||||
|
||||
class Test_defender_container_images_resolved_vulnerabilities:
|
||||
def test_defender_no_subscriptions(self):
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.assessments = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
from prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities import (
|
||||
defender_container_images_resolved_vulnerabilities,
|
||||
)
|
||||
|
||||
check = defender_container_images_resolved_vulnerabilities()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
|
||||
|
||||
def test_defender_subscription_empty(self):
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.assessments = {AZURE_SUBSCRIPTION: {}}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
from prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities import (
|
||||
defender_container_images_resolved_vulnerabilities,
|
||||
)
|
||||
|
||||
check = defender_container_images_resolved_vulnerabilities()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
|
||||
|
||||
def test_defender_subscription_no_assesment(self):
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.assessments = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
"": Assesment(
|
||||
resource_id=str(uuid4()),
|
||||
resource_name=str(uuid4()),
|
||||
status="Unhealthy",
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
from prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities import (
|
||||
defender_container_images_resolved_vulnerabilities,
|
||||
)
|
||||
|
||||
check = defender_container_images_resolved_vulnerabilities()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
|
||||
|
||||
def test_defender_subscription_assesment_unhealthy(self):
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.assessments = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)": Assesment(
|
||||
resource_id=str(uuid4()),
|
||||
resource_name=str(uuid4()),
|
||||
status="Unhealthy",
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
from prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities import (
|
||||
defender_container_images_resolved_vulnerabilities,
|
||||
)
|
||||
|
||||
check = defender_container_images_resolved_vulnerabilities()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].resource_id
|
||||
== defender_client.assessments[AZURE_SUBSCRIPTION][
|
||||
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)"
|
||||
].resource_id
|
||||
)
|
||||
assert (
|
||||
result[0].resource_name
|
||||
== defender_client.assessments[AZURE_SUBSCRIPTION][
|
||||
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)"
|
||||
].resource_name
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Azure running container images have unresolved vulnerabilities in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
)
|
||||
|
||||
def test_defender_subscription_assesment_healthy(self):
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.assessments = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)": Assesment(
|
||||
resource_id=str(uuid4()),
|
||||
resource_name=str(uuid4()),
|
||||
status="Healthy",
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
from prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities import (
|
||||
defender_container_images_resolved_vulnerabilities,
|
||||
)
|
||||
|
||||
check = defender_container_images_resolved_vulnerabilities()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].resource_id
|
||||
== defender_client.assessments[AZURE_SUBSCRIPTION][
|
||||
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)"
|
||||
].resource_id
|
||||
)
|
||||
assert (
|
||||
result[0].resource_name
|
||||
== defender_client.assessments[AZURE_SUBSCRIPTION][
|
||||
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)"
|
||||
].resource_name
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Azure running container images do not have unresolved vulnerabilities in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
)
|
||||
|
||||
def test_defender_subscription_assesment_not_applicable(self):
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.assessments = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)": Assesment(
|
||||
resource_id=str(uuid4()),
|
||||
resource_name=str(uuid4()),
|
||||
status="NotApplicable",
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
from prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities import (
|
||||
defender_container_images_resolved_vulnerabilities,
|
||||
)
|
||||
|
||||
check = defender_container_images_resolved_vulnerabilities()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
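Review bot: The assessment display name is spelled out six times across this hunk as a 120-character literal; a single module-level constant, e.g. `CONTAINER_IMAGES_ASSESSMENT = "Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)"`, keeps the tests in step if the name is ever corrected in the check. `test_defender_subscription_no_assesment` uses `""` as the only non-matching key; a realistic unrelated assessment name would better demonstrate that the check selects by display name rather than by non-empty key, and "assesment" in the three method names is a typo. `test_defender_subscription_assesment_not_applicable` pins that a `NotApplicable` status produces no finding at all; if that is intentional, a one-line comment in the test saying so would stop a later reader from treating it as a coverage gap.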
|
||||
@@ -0,0 +1,175 @@
|
||||
from datetime import timedelta
|
||||
from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.defender.defender_service import Pricing
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
|
||||
|
||||
class Test_defender_container_images_scan_enabled:
|
||||
def test_defender_no_subscriptions(self):
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
from prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled import (
|
||||
defender_container_images_scan_enabled,
|
||||
)
|
||||
|
||||
check = defender_container_images_scan_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
|
||||
|
||||
def test_defender_subscription_empty(self):
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {AZURE_SUBSCRIPTION: {}}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
from prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled import (
|
||||
defender_container_images_scan_enabled,
|
||||
)
|
||||
|
||||
check = defender_container_images_scan_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
|
||||
|
||||
def test_defender_subscription_no_containers(self):
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
"NotContainers": Pricing(
|
||||
resource_id=str(uuid4()),
|
||||
pricing_tier="Free",
|
||||
free_trial_remaining_time=timedelta(days=1),
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
from prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled import (
|
||||
defender_container_images_scan_enabled,
|
||||
)
|
||||
|
||||
check = defender_container_images_scan_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
|
||||
|
||||
def test_defender_subscription_containers_no_extensions(self):
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
"Containers": Pricing(
|
||||
resource_id=str(uuid4()),
|
||||
pricing_tier="Free",
|
||||
free_trial_remaining_time=timedelta(days=1),
|
||||
extensions={},
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
from prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled import (
|
||||
defender_container_images_scan_enabled,
|
||||
)
|
||||
|
||||
check = defender_container_images_scan_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert result[0].status_extended == (
|
||||
f"Container image scan is disabled in subscription {AZURE_SUBSCRIPTION}."
|
||||
)
|
||||
assert (
|
||||
result[0].resource_id
|
||||
== defender_client.pricings[AZURE_SUBSCRIPTION][
|
||||
"Containers"
|
||||
].resource_id
|
||||
)
|
||||
assert result[0].resource_name == "Dender plan for Containers"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
|
||||
def test_defender_subscription_containers_container_images_scan_off(self):
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
"Containers": Pricing(
|
||||
resource_id=str(uuid4()),
|
||||
pricing_tier="Free",
|
||||
free_trial_remaining_time=timedelta(days=1),
|
||||
extensions={"ContainerRegistriesVulnerabilityAssessments": False},
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
from prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled import (
|
||||
defender_container_images_scan_enabled,
|
||||
)
|
||||
|
||||
check = defender_container_images_scan_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert result[0].status_extended == (
|
||||
f"Container image scan is disabled in subscription {AZURE_SUBSCRIPTION}."
|
||||
)
|
||||
assert (
|
||||
result[0].resource_id
|
||||
== defender_client.pricings[AZURE_SUBSCRIPTION][
|
||||
"Containers"
|
||||
].resource_id
|
||||
)
|
||||
assert result[0].resource_name == "Dender plan for Containers"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
|
||||
def test_defender_subscription_containers_container_images_scan_on(self):
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
"Containers": Pricing(
|
||||
resource_id=str(uuid4()),
|
||||
pricing_tier="Free",
|
||||
free_trial_remaining_time=timedelta(days=1),
|
||||
extensions={"ContainerRegistriesVulnerabilityAssessments": True},
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
from prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled import (
|
||||
defender_container_images_scan_enabled,
|
||||
)
|
||||
|
||||
check = defender_container_images_scan_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "PASS"
|
||||
assert result[0].status_extended == (
|
||||
f"Container image scan is enabled in subscription {AZURE_SUBSCRIPTION}."
|
||||
)
|
||||
assert (
|
||||
result[0].resource_id
|
||||
== defender_client.pricings[AZURE_SUBSCRIPTION][
|
||||
"Containers"
|
||||
].resource_id
|
||||
)
|
||||
assert result[0].resource_name == "Dender plan for Containers"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
@@ -23,6 +23,7 @@ def mock_defender_get_pricings(_):
|
||||
resource_id="resource_id",
|
||||
pricing_tier="pricing_tier",
|
||||
free_trial_remaining_time=timedelta(days=1),
|
||||
extensions={},
|
||||
)
|
||||
}
|
||||
}
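Review bot: The mocked pricing in `mock_defender_get_pricings` only gets `extensions={}` here, and the new assertion in the `Test_Defender_Service` hunk below only pins that empty dict, so the path that converts SDK extension entries into the name-to-enabled mapping the new `defender_container_images_scan_enabled` check reads (keyed on `ContainerRegistriesVulnerabilityAssessments`, as the check tests show) is never exercised by the service test. A mis-read extension name or enabled flag in the service's pricing collector would then surface only as a wrong PASS/FAIL from the check rather than as a service-test failure. Consider giving the mocked pricing one extension entry in the shape the service parses and asserting the parsed result, e.g. `assert defender.pricings[AZURE_SUBSCRIPTION]["Standard"].extensions == {"ContainerRegistriesVulnerabilityAssessments": True}`. I cannot see how the service converts the SDK objects, so the fixture shape needs confirming against that code; `mock_defender_get_pricings` itself begins outside this hunk.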
|
||||
@@ -143,6 +144,7 @@ class Test_Defender_Service:
|
||||
assert defender.pricings[AZURE_SUBSCRIPTION][
|
||||
"Standard"
|
||||
].free_trial_remaining_time == timedelta(days=1)
|
||||
assert defender.pricings[AZURE_SUBSCRIPTION]["Standard"].extensions == {}
|
||||
|
||||
def test__get_auto_provisioning_settings__(self):
|
||||
defender = Defender(set_mocked_azure_audit_info())
|
||||
|
||||