feat(azure): Azure new checks related with AKS (#3476)

Rubén De la Torre Vico
2024-03-05 13:20:56 +00:00
committed by GitHub
parent 00ab5b5fc2
commit ddd43bae5d
33 changed files with 1380 additions and 3 deletions


@@ -0,0 +1,171 @@
from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Assesment
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
class Test_defender_container_images_resolved_vulnerabilities:
def test_defender_no_subscriptions(self):
defender_client = mock.MagicMock
defender_client.assessments = {}
with mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
new=defender_client,
):
from prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities import (
defender_container_images_resolved_vulnerabilities,
)
check = defender_container_images_resolved_vulnerabilities()
result = check.execute()
assert len(result) == 0
def test_defender_subscription_empty(self):
defender_client = mock.MagicMock
defender_client.assessments = {AZURE_SUBSCRIPTION: {}}
with mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
new=defender_client,
):
from prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities import (
defender_container_images_resolved_vulnerabilities,
)
check = defender_container_images_resolved_vulnerabilities()
result = check.execute()
assert len(result) == 0
def test_defender_subscription_no_assesment(self):
defender_client = mock.MagicMock
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
"": Assesment(
resource_id=str(uuid4()),
resource_name=str(uuid4()),
status="Unhealthy",
)
}
}
with mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
new=defender_client,
):
from prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities import (
defender_container_images_resolved_vulnerabilities,
)
check = defender_container_images_resolved_vulnerabilities()
result = check.execute()
assert len(result) == 0
def test_defender_subscription_assesment_unhealthy(self):
defender_client = mock.MagicMock
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)": Assesment(
resource_id=str(uuid4()),
resource_name=str(uuid4()),
status="Unhealthy",
)
}
}
with mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
new=defender_client,
):
from prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities import (
defender_container_images_resolved_vulnerabilities,
)
check = defender_container_images_resolved_vulnerabilities()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].resource_id
== defender_client.assessments[AZURE_SUBSCRIPTION][
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)"
].resource_id
)
assert (
result[0].resource_name
== defender_client.assessments[AZURE_SUBSCRIPTION][
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)"
].resource_name
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert (
result[0].status_extended
== f"Azure running container images have unresolved vulnerabilities in subscription '{AZURE_SUBSCRIPTION}'."
)
def test_defender_subscription_assesment_healthy(self):
defender_client = mock.MagicMock
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)": Assesment(
resource_id=str(uuid4()),
resource_name=str(uuid4()),
status="Healthy",
)
}
}
with mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
new=defender_client,
):
from prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities import (
defender_container_images_resolved_vulnerabilities,
)
check = defender_container_images_resolved_vulnerabilities()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].resource_id
== defender_client.assessments[AZURE_SUBSCRIPTION][
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)"
].resource_id
)
assert (
result[0].resource_name
== defender_client.assessments[AZURE_SUBSCRIPTION][
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)"
].resource_name
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert (
result[0].status_extended
== f"Azure running container images do not have unresolved vulnerabilities in subscription '{AZURE_SUBSCRIPTION}'."
)
def test_defender_subscription_assesment_not_applicable(self):
defender_client = mock.MagicMock
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)": Assesment(
resource_id=str(uuid4()),
resource_name=str(uuid4()),
status="NotApplicable",
)
}
}
with mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
new=defender_client,
):
from prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities import (
defender_container_images_resolved_vulnerabilities,
)
check = defender_container_images_resolved_vulnerabilities()
result = check.execute()
assert len(result) == 0
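Review bot: The first statement of every test, `defender_client = mock.MagicMock`, binds the MagicMock class rather than an instance, so the following `defender_client.assessments = {...}` sets an attribute on the shared class and leaks into every other MagicMock created in the same pytest process; it should be `defender_client = mock.MagicMock()`. The `mock.patch(..., new=defender_client)` calls work unchanged with an instance. The same pattern is repeated in each test of the container-images-scan-enabled test file in the next file section and should be fixed there too.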


@@ -0,0 +1,175 @@
from datetime import timedelta
from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
class Test_defender_container_images_scan_enabled:
def test_defender_no_subscriptions(self):
defender_client = mock.MagicMock
defender_client.pricings = {}
with mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
new=defender_client,
):
from prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled import (
defender_container_images_scan_enabled,
)
check = defender_container_images_scan_enabled()
result = check.execute()
assert len(result) == 0
def test_defender_subscription_empty(self):
defender_client = mock.MagicMock
defender_client.pricings = {AZURE_SUBSCRIPTION: {}}
with mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
new=defender_client,
):
from prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled import (
defender_container_images_scan_enabled,
)
check = defender_container_images_scan_enabled()
result = check.execute()
assert len(result) == 0
def test_defender_subscription_no_containers(self):
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
"NotContainers": Pricing(
resource_id=str(uuid4()),
pricing_tier="Free",
free_trial_remaining_time=timedelta(days=1),
)
}
}
with mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
new=defender_client,
):
from prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled import (
defender_container_images_scan_enabled,
)
check = defender_container_images_scan_enabled()
result = check.execute()
assert len(result) == 0
def test_defender_subscription_containers_no_extensions(self):
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
"Containers": Pricing(
resource_id=str(uuid4()),
pricing_tier="Free",
free_trial_remaining_time=timedelta(days=1),
extensions={},
)
}
}
with mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
new=defender_client,
):
from prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled import (
defender_container_images_scan_enabled,
)
check = defender_container_images_scan_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert result[0].status_extended == (
f"Container image scan is disabled in subscription {AZURE_SUBSCRIPTION}."
)
assert (
result[0].resource_id
== defender_client.pricings[AZURE_SUBSCRIPTION][
"Containers"
].resource_id
)
assert result[0].resource_name == "Dender plan for Containers"
assert result[0].subscription == AZURE_SUBSCRIPTION
def test_defender_subscription_containers_container_images_scan_off(self):
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
"Containers": Pricing(
resource_id=str(uuid4()),
pricing_tier="Free",
free_trial_remaining_time=timedelta(days=1),
extensions={"ContainerRegistriesVulnerabilityAssessments": False},
)
}
}
with mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
new=defender_client,
):
from prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled import (
defender_container_images_scan_enabled,
)
check = defender_container_images_scan_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert result[0].status_extended == (
f"Container image scan is disabled in subscription {AZURE_SUBSCRIPTION}."
)
assert (
result[0].resource_id
== defender_client.pricings[AZURE_SUBSCRIPTION][
"Containers"
].resource_id
)
assert result[0].resource_name == "Dender plan for Containers"
assert result[0].subscription == AZURE_SUBSCRIPTION
def test_defender_subscription_containers_container_images_scan_on(self):
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
"Containers": Pricing(
resource_id=str(uuid4()),
pricing_tier="Free",
free_trial_remaining_time=timedelta(days=1),
extensions={"ContainerRegistriesVulnerabilityAssessments": True},
)
}
}
with mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
new=defender_client,
):
from prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled import (
defender_container_images_scan_enabled,
)
check = defender_container_images_scan_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert result[0].status_extended == (
f"Container image scan is enabled in subscription {AZURE_SUBSCRIPTION}."
)
assert (
result[0].resource_id
== defender_client.pricings[AZURE_SUBSCRIPTION][
"Containers"
].resource_id
)
assert result[0].resource_name == "Dender plan for Containers"
assert result[0].subscription == AZURE_SUBSCRIPTION
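Review bot: The three `assert result[0].resource_name == "Dender plan for Containers"` lines pin a typo into the check's contract; the expected value presumably mirrors the string the check itself emits, so both sides should read `"Defender plan for Containers"` before this lands. A smaller style point: the `status_extended` messages here leave the subscription unquoted (`... in subscription {AZURE_SUBSCRIPTION}.`) while the resolved-vulnerabilities tests in the previous section quote it as `'{AZURE_SUBSCRIPTION}'`; the two new checks should agree on one form.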


@@ -23,6 +23,7 @@ def mock_defender_get_pricings(_):
resource_id="resource_id",
pricing_tier="pricing_tier",
free_trial_remaining_time=timedelta(days=1),
extensions={},
)
}
}
@@ -143,6 +144,7 @@ class Test_Defender_Service:
assert defender.pricings[AZURE_SUBSCRIPTION][
"Standard"
].free_trial_remaining_time == timedelta(days=1)
assert defender.pricings[AZURE_SUBSCRIPTION]["Standard"].extensions == {}
def test__get_auto_provisioning_settings__(self):
defender = Defender(set_mocked_azure_audit_info())
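Review bot: The new `extensions={}` in mock_defender_get_pricings and the matching `assert ... ["Standard"].extensions == {}` only cover the empty case, so the service test never exercises the translation of a pricing extension into the `extensions` dict that the new container-images-scan check keys on (`ContainerRegistriesVulnerabilityAssessments` with a boolean value, per that check's tests). Adding a second mocked pricing with one non-empty extension and asserting the resulting key and value would catch a mapping regression that the empty dict cannot. The enclosing test method and the following `test__get_auto_provisioning_settings__` continue outside the hunk.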