From f289c8fb2e72afd9d821c888758e0ef28dd264fa Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga
Date: Thu, 3 Aug 2023 14:43:18 +0200
Subject: [PATCH] test(azure): SQL Server Service (#2671)

---
 .../sqlserver_auditing_enabled_test.py        | 106 +++++++++++++
 ...rver_azuread_administrator_enabled_test.py | 144 ++++++++++++++++++
 ...server_unrestricted_inbound_access_test.py | 110 +++++++++++++
 3 files changed, 360 insertions(+)

diff --git a/tests/providers/azure/services/sqlserver/sqlserver_auditing_enabled/sqlserver_auditing_enabled_test.py b/tests/providers/azure/services/sqlserver/sqlserver_auditing_enabled/sqlserver_auditing_enabled_test.py
index e69de29b..37c90028 100644
--- a/tests/providers/azure/services/sqlserver/sqlserver_auditing_enabled/sqlserver_auditing_enabled_test.py
+++ b/tests/providers/azure/services/sqlserver/sqlserver_auditing_enabled/sqlserver_auditing_enabled_test.py
@@ -0,0 +1,106 @@
+from unittest import mock
+from uuid import uuid4
+
+from azure.mgmt.sql.models import (
+    FirewallRule,
+    ServerBlobAuditingPolicy,
+    ServerExternalAdministrator,
+)
+
+from prowler.providers.azure.services.sqlserver.sqlserver_service import SQL_Server
+
+AZURE_SUSCRIPTION = str(uuid4())
+
+
+class Test_defender_ensure_defender_for_storage_is_on:
+    def test_no_sql_servers(self):
+        sqlserver_client = mock.MagicMock
+        sqlserver_client.sql_servers = {}
+
+        with mock.patch(
+            "prowler.providers.azure.services.sqlserver.sqlserver_auditing_enabled.sqlserver_auditing_enabled.sqlserver_client",
+            new=sqlserver_client,
+        ):
+            from prowler.providers.azure.services.sqlserver.sqlserver_auditing_enabled.sqlserver_auditing_enabled import (
+                sqlserver_auditing_enabled,
+            )
+
+            check = sqlserver_auditing_enabled()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_sql_servers_auditing_disabled(self):
+        sqlserver_client = mock.MagicMock
+        sql_server_name = "SQL Server Name"
+        sql_server_id = str(uuid4())
+        sqlserver_client.sql_servers = {
+            AZURE_SUSCRIPTION: [
+                SQL_Server(
+                    id=sql_server_id,
+                    name=sql_server_name,
+                    public_network_access="",
+                    minimal_tls_version="",
+                    administrators=ServerExternalAdministrator(),
+                    auditing_policies=[ServerBlobAuditingPolicy(state="Disabled")],
+                    firewall_rules=FirewallRule(),
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.sqlserver.sqlserver_auditing_enabled.sqlserver_auditing_enabled.sqlserver_client",
+            new=sqlserver_client,
+        ):
+            from prowler.providers.azure.services.sqlserver.sqlserver_auditing_enabled.sqlserver_auditing_enabled import (
+                sqlserver_auditing_enabled,
+            )
+
+            check = sqlserver_auditing_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} does not have any auditing policy configured"
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].resource_name == sql_server_name
+            assert result[0].resource_id == sql_server_id
+
+    def test_sql_servers_auditing_enabled(self):
+        sqlserver_client = mock.MagicMock
+        sql_server_name = "SQL Server Name"
+        sql_server_id = str(uuid4())
+        sqlserver_client.sql_servers = {
+            AZURE_SUSCRIPTION: [
+                SQL_Server(
+                    id=sql_server_id,
+                    name=sql_server_name,
+                    public_network_access="",
+                    minimal_tls_version="",
+                    administrators=ServerExternalAdministrator(),
+                    auditing_policies=[ServerBlobAuditingPolicy(state="Enabled")],
+                    firewall_rules=FirewallRule(),
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.sqlserver.sqlserver_auditing_enabled.sqlserver_auditing_enabled.sqlserver_client",
+            new=sqlserver_client,
+        ):
+            from prowler.providers.azure.services.sqlserver.sqlserver_auditing_enabled.sqlserver_auditing_enabled import (
+                sqlserver_auditing_enabled,
+            )
+
+            check = sqlserver_auditing_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has a auditing policy configured"
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].resource_name == sql_server_name
+            assert result[0].resource_id == sql_server_id
diff --git a/tests/providers/azure/services/sqlserver/sqlserver_azuread_administrator_enabled/sqlserver_azuread_administrator_enabled_test.py b/tests/providers/azure/services/sqlserver/sqlserver_azuread_administrator_enabled/sqlserver_azuread_administrator_enabled_test.py
index e69de29b..e9630bdb 100644
--- a/tests/providers/azure/services/sqlserver/sqlserver_azuread_administrator_enabled/sqlserver_azuread_administrator_enabled_test.py
+++ b/tests/providers/azure/services/sqlserver/sqlserver_azuread_administrator_enabled/sqlserver_azuread_administrator_enabled_test.py
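Review bot: `sqlserver_client = mock.MagicMock` binds the MagicMock class rather than an instance, so `sqlserver_client.sql_servers = {...}` sets an attribute on the shared class that every later test in the process can observe; each test should build its own double with `sqlserver_client = mock.MagicMock()`. The same pattern is repeated in every test of the other two files in this patch (sqlserver_azuread_administrator_enabled_test.py and sqlserver_unrestricted_inbound_access_test.py). The class name `Test_defender_ensure_defender_for_storage_is_on` looks copy-pasted from the Defender tests and appears in all three files; `class Test_sqlserver_auditing_enabled:` (and the matching name in each sibling file) would say what is under test. `firewall_rules=FirewallRule()` passes a single object where the unrestricted-inbound-access tests pass a list, so if `SQL_Server.firewall_rules` is a list field this fixture should be `firewall_rules=[]` or a list as well. `AZURE_SUSCRIPTION` is presumably meant to read `AZURE_SUBSCRIPTION`.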
@@ -0,0 +1,144 @@
+from unittest import mock
+from uuid import uuid4
+
+from azure.mgmt.sql.models import ServerExternalAdministrator
+
+from prowler.providers.azure.services.sqlserver.sqlserver_service import SQL_Server
+
+AZURE_SUSCRIPTION = str(uuid4())
+
+
+class Test_defender_ensure_defender_for_storage_is_on:
+    def test_no_sql_servers(self):
+        sqlserver_client = mock.MagicMock
+        sqlserver_client.sql_servers = {}
+
+        with mock.patch(
+            "prowler.providers.azure.services.sqlserver.sqlserver_azuread_administrator_enabled.sqlserver_azuread_administrator_enabled.sqlserver_client",
+            new=sqlserver_client,
+        ):
+            from prowler.providers.azure.services.sqlserver.sqlserver_azuread_administrator_enabled.sqlserver_azuread_administrator_enabled import (
+                sqlserver_azuread_administrator_enabled,
+            )
+
+            check = sqlserver_azuread_administrator_enabled()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_sql_servers_azuread_no_administrator(self):
+        sqlserver_client = mock.MagicMock
+        sql_server_name = "SQL Server Name"
+        sql_server_id = str(uuid4())
+        sqlserver_client.sql_servers = {
+            AZURE_SUSCRIPTION: [
+                SQL_Server(
+                    id=sql_server_id,
+                    name=sql_server_name,
+                    public_network_access="",
+                    minimal_tls_version="",
+                    administrators=None,
+                    auditing_policies=[],
+                    firewall_rules=None,
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.sqlserver.sqlserver_azuread_administrator_enabled.sqlserver_azuread_administrator_enabled.sqlserver_client",
+            new=sqlserver_client,
+        ):
+            from prowler.providers.azure.services.sqlserver.sqlserver_azuread_administrator_enabled.sqlserver_azuread_administrator_enabled import (
+                sqlserver_azuread_administrator_enabled,
+            )
+
+            check = sqlserver_azuread_administrator_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} does not have an Active Directory administrator"
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].resource_name == sql_server_name
+            assert result[0].resource_id == sql_server_id
+
+    def test_sql_servers_azuread_administrator_no_active_directory(self):
+        sqlserver_client = mock.MagicMock
+        sql_server_name = "SQL Server Name"
+        sql_server_id = str(uuid4())
+        sqlserver_client.sql_servers = {
+            AZURE_SUSCRIPTION: [
+                SQL_Server(
+                    id=sql_server_id,
+                    name=sql_server_name,
+                    public_network_access="",
+                    minimal_tls_version="",
+                    administrators=ServerExternalAdministrator(
+                        administrator_type="No ActiveDirectory"
+                    ),
+                    auditing_policies=[],
+                    firewall_rules=None,
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.sqlserver.sqlserver_azuread_administrator_enabled.sqlserver_azuread_administrator_enabled.sqlserver_client",
+            new=sqlserver_client,
+        ):
+            from prowler.providers.azure.services.sqlserver.sqlserver_azuread_administrator_enabled.sqlserver_azuread_administrator_enabled import (
+                sqlserver_azuread_administrator_enabled,
+            )
+
+            check = sqlserver_azuread_administrator_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} does not have an Active Directory administrator"
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].resource_name == sql_server_name
+            assert result[0].resource_id == sql_server_id
+
+    def test_sql_servers_azuread_administrator_active_directory(self):
+        sqlserver_client = mock.MagicMock
+        sql_server_name = "SQL Server Name"
+        sql_server_id = str(uuid4())
+        sqlserver_client.sql_servers = {
+            AZURE_SUSCRIPTION: [
+                SQL_Server(
+                    id=sql_server_id,
+                    name=sql_server_name,
+                    public_network_access="",
+                    minimal_tls_version="",
+                    administrators=ServerExternalAdministrator(
+                        administrator_type="ActiveDirectory"
+                    ),
+                    auditing_policies=[],
+                    firewall_rules=None,
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.sqlserver.sqlserver_azuread_administrator_enabled.sqlserver_azuread_administrator_enabled.sqlserver_client",
+            new=sqlserver_client,
+        ):
+            from prowler.providers.azure.services.sqlserver.sqlserver_azuread_administrator_enabled.sqlserver_azuread_administrator_enabled import (
+                sqlserver_azuread_administrator_enabled,
+            )
+
+            check = sqlserver_azuread_administrator_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has an Active Directory administrator"
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].resource_name == sql_server_name
+            assert result[0].resource_id == sql_server_id
diff --git a/tests/providers/azure/services/sqlserver/sqlserver_unrestricted_inbound_access/sqlserver_unrestricted_inbound_access_test.py b/tests/providers/azure/services/sqlserver/sqlserver_unrestricted_inbound_access/sqlserver_unrestricted_inbound_access_test.py
index e69de29b..57955edd 100644
--- a/tests/providers/azure/services/sqlserver/sqlserver_unrestricted_inbound_access/sqlserver_unrestricted_inbound_access_test.py
+++ b/tests/providers/azure/services/sqlserver/sqlserver_unrestricted_inbound_access/sqlserver_unrestricted_inbound_access_test.py
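Review bot: The negative cases cover `administrators=None` and a constructed `administrator_type="No ActiveDirectory"`, but not `administrators=ServerExternalAdministrator()` with the SDK's default `administrator_type` of `None`, which is exactly the shape the auditing tests in this same patch construct; a fourth test asserting `FAIL` for that fixture would pin how the check treats an administrator object with no type. Since `"No ActiveDirectory"` is not a value of the SDK's `AdministratorType` enum, a one-line comment on that fixture, `# constructed non-enum value: any type other than ActiveDirectory must FAIL`, would make its purpose clear to the next reader. The patch target string and the `SQL_Server(...)` construction are repeated in all four tests; a module-level constant for the target and a small `_sql_server(administrators)` helper would leave only the varying field in each test. The check implementation is not part of this diff, so which comparison it performs on `administrator_type` is inferred.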
@@ -0,0 +1,110 @@
+from unittest import mock
+from uuid import uuid4
+
+from azure.mgmt.sql.models import FirewallRule
+
+from prowler.providers.azure.services.sqlserver.sqlserver_service import SQL_Server
+
+AZURE_SUSCRIPTION = str(uuid4())
+
+
+class Test_defender_ensure_defender_for_storage_is_on:
+    def test_no_sql_servers(self):
+        sqlserver_client = mock.MagicMock
+        sqlserver_client.sql_servers = {}
+
+        with mock.patch(
+            "prowler.providers.azure.services.sqlserver.sqlserver_unrestricted_inbound_access.sqlserver_unrestricted_inbound_access.sqlserver_client",
+            new=sqlserver_client,
+        ):
+            from prowler.providers.azure.services.sqlserver.sqlserver_unrestricted_inbound_access.sqlserver_unrestricted_inbound_access import (
+                sqlserver_unrestricted_inbound_access,
+            )
+
+            check = sqlserver_unrestricted_inbound_access()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_sql_servers_unrestricted_inbound_access(self):
+        sqlserver_client = mock.MagicMock
+        sql_server_name = "SQL Server Name"
+        sql_server_id = str(uuid4())
+        sqlserver_client.sql_servers = {
+            AZURE_SUSCRIPTION: [
+                SQL_Server(
+                    id=sql_server_id,
+                    name=sql_server_name,
+                    public_network_access="",
+                    minimal_tls_version="",
+                    administrators=None,
+                    auditing_policies=[],
+                    firewall_rules=[
+                        FirewallRule(
+                            start_ip_address="0.0.0.0", end_ip_address="255.255.255.255"
+                        )
+                    ],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.sqlserver.sqlserver_unrestricted_inbound_access.sqlserver_unrestricted_inbound_access.sqlserver_client",
+            new=sqlserver_client,
+        ):
+            from prowler.providers.azure.services.sqlserver.sqlserver_unrestricted_inbound_access.sqlserver_unrestricted_inbound_access import (
+                sqlserver_unrestricted_inbound_access,
+            )
+
+            check = sqlserver_unrestricted_inbound_access()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has firewall rules allowing 0.0.0.0-255.255.255.255"
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].resource_name == sql_server_name
+            assert result[0].resource_id == sql_server_id
+
+    def test_sql_servers_restricted_inbound_access(self):
+        sqlserver_client = mock.MagicMock
+        sql_server_name = "SQL Server Name"
+        sql_server_id = str(uuid4())
+        sqlserver_client.sql_servers = {
+            AZURE_SUSCRIPTION: [
+                SQL_Server(
+                    id=sql_server_id,
+                    name=sql_server_name,
+                    public_network_access="",
+                    minimal_tls_version="",
+                    administrators=None,
+                    auditing_policies=[],
+                    firewall_rules=[
+                        FirewallRule(
+                            start_ip_address="10.10.10.10", end_ip_address="10.10.10.10"
+                        )
+                    ],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.sqlserver.sqlserver_unrestricted_inbound_access.sqlserver_unrestricted_inbound_access.sqlserver_client",
+            new=sqlserver_client,
+        ):
+            from prowler.providers.azure.services.sqlserver.sqlserver_unrestricted_inbound_access.sqlserver_unrestricted_inbound_access import (
+                sqlserver_unrestricted_inbound_access,
+            )
+
+            check = sqlserver_unrestricted_inbound_access()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} does not have firewall rules allowing 0.0.0.0-255.255.255.255"
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].resource_name == sql_server_name
+            assert result[0].resource_id == sql_server_id
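Review bot: The FAIL case pins only the literal `0.0.0.0`–`255.255.255.255` rule, so a check that compares those two strings exactly and one that evaluates the covered range would both pass this suite, while a rule such as `FirewallRule(start_ip_address="0.0.0.0", end_ip_address="255.255.255.254")` or `"1.0.0.0"`–`"255.255.255.255"` is just as open and is the input that tells the two apart. A second FAIL test with one of those ranges, plus a case whose `firewall_rules` list holds one narrow rule and one open rule, would pin the intended behaviour (any effectively unrestricted rule fails the server) rather than a single string match. Azure also represents "Allow Azure services and resources to access this server" as a `0.0.0.0`–`0.0.0.0` rule, which is a different exposure from an open range and deserves a test asserting whichever status the check intends for it. The check implementation is outside this diff, so whether it matches literally is inferred from the `status_extended` text.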