mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 14:55:00 +00:00
feat(azure): new check sqlserver_vulnerability_assessment_enabled (#3349)
This commit is contained in:
Pedro Martín
@@ -8,8 +8,7 @@ from azure.mgmt.sql.models import (
|
||||
)
|
||||
|
||||
from prowler.providers.azure.services.sqlserver.sqlserver_service import SQL_Server
|
||||
|
||||
AZURE_SUSCRIPTION = str(uuid4())
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUSCRIPTION
|
||||
|
||||
|
||||
class Test_sqlserver_auditing_enabled:
|
||||
|
||||
@@ -1,6 +1,10 @@
|
||||
from unittest.mock import patch
|
||||
|
||||
from azure.mgmt.sql.models import EncryptionProtector, TransparentDataEncryption
|
||||
from azure.mgmt.sql.models import (
|
||||
EncryptionProtector,
|
||||
ServerVulnerabilityAssessment,
|
||||
TransparentDataEncryption,
|
||||
)
|
||||
|
||||
from prowler.providers.azure.services.sqlserver.sqlserver_service import (
|
||||
DatabaseServer,
|
||||
@@ -36,6 +40,9 @@ def mock_sqlserver_get_sql_servers(_):
|
||||
server_key_type="AzureKeyVault"
|
||||
),
|
||||
databases=[database],
|
||||
vulnerability_assessment=ServerVulnerabilityAssessment(
|
||||
storage_container_path="/subcription_id/resource_group/sql_server"
|
||||
),
|
||||
)
|
||||
]
|
||||
}
|
||||
@@ -87,6 +94,12 @@ class Test_SqlServer_Service:
|
||||
== "EncryptionProtector"
|
||||
)
|
||||
assert sql_server.sql_servers[AZURE_SUSCRIPTION][0].databases == [database]
|
||||
assert (
|
||||
sql_server.sql_servers[AZURE_SUSCRIPTION][
|
||||
0
|
||||
].vulnerability_assessment.__class__.__name__
|
||||
== "ServerVulnerabilityAssessment"
|
||||
)
|
||||
|
||||
def test__get_databases__(self):
|
||||
sql_server = SQLServer(set_mocked_azure_audit_info())
|
||||
@@ -146,3 +159,19 @@ class Test_SqlServer_Service:
|
||||
id = "/subscriptions/subscription_id/resourceGroups/resource_group/providers/Microsoft.Sql/servers/sql_server"
|
||||
sql_server = SQLServer(set_mocked_azure_audit_info())
|
||||
assert sql_server.__get_resource_group__(id) == "resource_group"
|
||||
|
||||
def test__get_vulnerability_assessment__(self):
|
||||
sql_server = SQLServer(set_mocked_azure_audit_info())
|
||||
storage_container_path = "/subcription_id/resource_group/sql_server"
|
||||
assert (
|
||||
sql_server.sql_servers[AZURE_SUSCRIPTION][
|
||||
0
|
||||
].vulnerability_assessment.__class__.__name__
|
||||
== "ServerVulnerabilityAssessment"
|
||||
)
|
||||
assert (
|
||||
sql_server.sql_servers[AZURE_SUSCRIPTION][
|
||||
0
|
||||
].vulnerability_assessment.storage_container_path
|
||||
== storage_container_path
|
||||
)
|
||||
|
||||
@@ -0,0 +1,190 @@
|
||||
from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from azure.mgmt.sql.models import (
|
||||
EncryptionProtector,
|
||||
ServerVulnerabilityAssessment,
|
||||
TransparentDataEncryption,
|
||||
)
|
||||
|
||||
from prowler.providers.azure.services.sqlserver.sqlserver_service import (
|
||||
DatabaseServer,
|
||||
SQL_Server,
|
||||
)
|
||||
|
||||
AZURE_SUSCRIPTION = str(uuid4())
|
||||
|
||||
|
||||
class Test_sqlserver_vulnerability_assessment_enabled:
|
||||
def test_no_sql_servers(self):
|
||||
sqlserver_client = mock.MagicMock
|
||||
sqlserver_client.sql_servers = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.sqlserver.sqlserver_vulnerability_assessment_enabled.sqlserver_vulnerability_assessment_enabled.sqlserver_client",
|
||||
new=sqlserver_client,
|
||||
):
|
||||
from prowler.providers.azure.services.sqlserver.sqlserver_vulnerability_assessment_enabled.sqlserver_vulnerability_assessment_enabled import (
|
||||
sqlserver_vulnerability_assessment_enabled,
|
||||
)
|
||||
|
||||
check = sqlserver_vulnerability_assessment_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
|
||||
|
||||
def test_sql_servers_no_vulnerability_assessment(self):
|
||||
sqlserver_client = mock.MagicMock
|
||||
sql_server_name = "SQL Server Name"
|
||||
sql_server_id = str(uuid4())
|
||||
database = DatabaseServer(
|
||||
id="id",
|
||||
name="name",
|
||||
type="type",
|
||||
location="location",
|
||||
managed_by="managed_by",
|
||||
tde_encryption=None,
|
||||
)
|
||||
sqlserver_client.sql_servers = {
|
||||
AZURE_SUSCRIPTION: [
|
||||
SQL_Server(
|
||||
id=sql_server_id,
|
||||
name=sql_server_name,
|
||||
public_network_access="",
|
||||
minimal_tls_version="",
|
||||
administrators=None,
|
||||
auditing_policies=None,
|
||||
firewall_rules=None,
|
||||
databases=[database],
|
||||
encryption_protector=EncryptionProtector(
|
||||
server_key_type="ServiceManaged"
|
||||
),
|
||||
vulnerability_assessment=None,
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.sqlserver.sqlserver_vulnerability_assessment_enabled.sqlserver_vulnerability_assessment_enabled.sqlserver_client",
|
||||
new=sqlserver_client,
|
||||
):
|
||||
from prowler.providers.azure.services.sqlserver.sqlserver_vulnerability_assessment_enabled.sqlserver_vulnerability_assessment_enabled import (
|
||||
sqlserver_vulnerability_assessment_enabled,
|
||||
)
|
||||
|
||||
check = sqlserver_vulnerability_assessment_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has vulnerability assessment disabled."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUSCRIPTION
|
||||
assert result[0].resource_name == sql_server_name
|
||||
assert result[0].resource_id == sql_server_id
|
||||
|
||||
def test_sql_servers_no_vulnerability_assessment_path(self):
|
||||
sqlserver_client = mock.MagicMock
|
||||
sql_server_name = "SQL Server Name"
|
||||
sql_server_id = str(uuid4())
|
||||
database = DatabaseServer(
|
||||
id="id",
|
||||
name="name",
|
||||
type="type",
|
||||
location="location",
|
||||
managed_by="managed_by",
|
||||
tde_encryption=TransparentDataEncryption(status="Disabled"),
|
||||
)
|
||||
sqlserver_client.sql_servers = {
|
||||
AZURE_SUSCRIPTION: [
|
||||
SQL_Server(
|
||||
id=sql_server_id,
|
||||
name=sql_server_name,
|
||||
public_network_access="",
|
||||
minimal_tls_version="",
|
||||
administrators=None,
|
||||
auditing_policies=None,
|
||||
firewall_rules=None,
|
||||
databases=[database],
|
||||
encryption_protector=EncryptionProtector(
|
||||
server_key_type="AzureKeyVault"
|
||||
),
|
||||
vulnerability_assessment=ServerVulnerabilityAssessment(
|
||||
storage_container_path=None
|
||||
),
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.sqlserver.sqlserver_vulnerability_assessment_enabled.sqlserver_vulnerability_assessment_enabled.sqlserver_client",
|
||||
new=sqlserver_client,
|
||||
):
|
||||
from prowler.providers.azure.services.sqlserver.sqlserver_vulnerability_assessment_enabled.sqlserver_vulnerability_assessment_enabled import (
|
||||
sqlserver_vulnerability_assessment_enabled,
|
||||
)
|
||||
|
||||
check = sqlserver_vulnerability_assessment_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has vulnerability assessment disabled."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUSCRIPTION
|
||||
assert result[0].resource_name == sql_server_name
|
||||
assert result[0].resource_id == sql_server_id
|
||||
|
||||
def test_sql_servers_vulnerability_assessment_enabled(self):
|
||||
sqlserver_client = mock.MagicMock
|
||||
sql_server_name = "SQL Server Name"
|
||||
sql_server_id = str(uuid4())
|
||||
database = DatabaseServer(
|
||||
id="id",
|
||||
name="name",
|
||||
type="type",
|
||||
location="location",
|
||||
managed_by="managed_by",
|
||||
tde_encryption=TransparentDataEncryption(status="Enabled"),
|
||||
)
|
||||
sqlserver_client.sql_servers = {
|
||||
AZURE_SUSCRIPTION: [
|
||||
SQL_Server(
|
||||
id=sql_server_id,
|
||||
name=sql_server_name,
|
||||
public_network_access="",
|
||||
minimal_tls_version="",
|
||||
administrators=None,
|
||||
auditing_policies=None,
|
||||
firewall_rules=None,
|
||||
databases=[database],
|
||||
encryption_protector=EncryptionProtector(
|
||||
server_key_type="AzureKeyVault"
|
||||
),
|
||||
vulnerability_assessment=ServerVulnerabilityAssessment(
|
||||
storage_container_path="/subcription_id/resource_group/sql_server"
|
||||
),
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.azure.services.sqlserver.sqlserver_vulnerability_assessment_enabled.sqlserver_vulnerability_assessment_enabled.sqlserver_client",
|
||||
new=sqlserver_client,
|
||||
):
|
||||
from prowler.providers.azure.services.sqlserver.sqlserver_vulnerability_assessment_enabled.sqlserver_vulnerability_assessment_enabled import (
|
||||
sqlserver_vulnerability_assessment_enabled,
|
||||
)
|
||||
|
||||
check = sqlserver_vulnerability_assessment_enabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has vulnerability assessment enabled."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUSCRIPTION
|
||||
assert result[0].resource_name == sql_server_name
|
||||
assert result[0].resource_id == sql_server_id
|
||||
Reference in New Issue
Block a user