test(azure): Storage Service (#2672)
Showing
8 changed files
with
722 additions
and
4 deletions.
@@ -0,0 +1,102 @@ | ||
from unittest import mock | ||
from uuid import uuid4 | ||
|
||
from prowler.providers.azure.services.storage.storage_service import Storage_Account | ||
|
||
AZURE_SUSCRIPTION = str(uuid4()) | ||
|
||
|
||
class Test_storage_blob_public_access_level_is_disabled: | ||
def test_storage_no_storage_accounts(self): | ||
storage_client = mock.MagicMock | ||
storage_client.storage_accounts = {} | ||
|
||
with mock.patch( | ||
"prowler.providers.azure.services.storage.storage_blob_public_access_level_is_disabled.storage_blob_public_access_level_is_disabled.storage_client", | ||
new=storage_client, | ||
): | ||
from prowler.providers.azure.services.storage.storage_blob_public_access_level_is_disabled.storage_blob_public_access_level_is_disabled import ( | ||
storage_blob_public_access_level_is_disabled, | ||
) | ||
|
||
check = storage_blob_public_access_level_is_disabled() | ||
result = check.execute() | ||
assert len(result) == 0 | ||
|
||
def test_storage_storage_accounts_public_access_level_enabled(self): | ||
storage_account_id = str(uuid4()) | ||
storage_account_name = "Test Storage Account" | ||
storage_client = mock.MagicMock | ||
storage_client.storage_accounts = { | ||
AZURE_SUSCRIPTION: [ | ||
Storage_Account( | ||
id=storage_account_id, | ||
name=storage_account_name, | ||
enable_https_traffic_only=False, | ||
infrastructure_encryption=False, | ||
allow_blob_public_access=True, | ||
network_rule_set=None, | ||
encryption_type=None, | ||
minimum_tls_version=None, | ||
) | ||
] | ||
} | ||
|
||
with mock.patch( | ||
"prowler.providers.azure.services.storage.storage_blob_public_access_level_is_disabled.storage_blob_public_access_level_is_disabled.storage_client", | ||
new=storage_client, | ||
): | ||
from prowler.providers.azure.services.storage.storage_blob_public_access_level_is_disabled.storage_blob_public_access_level_is_disabled import ( | ||
storage_blob_public_access_level_is_disabled, | ||
) | ||
|
||
check = storage_blob_public_access_level_is_disabled() | ||
result = check.execute() | ||
assert len(result) == 1 | ||
assert result[0].status == "FAIL" | ||
assert ( | ||
result[0].status_extended | ||
== f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} has allow blob public access enabled" | ||
) | ||
assert result[0].subscription == AZURE_SUSCRIPTION | ||
assert result[0].resource_name == storage_account_name | ||
assert result[0].resource_id == storage_account_id | ||
|
||
def test_storage_storage_accounts_public_access_level_disabled(self): | ||
storage_account_id = str(uuid4()) | ||
storage_account_name = "Test Storage Account" | ||
storage_client = mock.MagicMock | ||
storage_client.storage_accounts = { | ||
AZURE_SUSCRIPTION: [ | ||
Storage_Account( | ||
id=storage_account_id, | ||
name=storage_account_name, | ||
enable_https_traffic_only=False, | ||
infrastructure_encryption=False, | ||
allow_blob_public_access=False, | ||
network_rule_set=None, | ||
encryption_type=None, | ||
minimum_tls_version=None, | ||
) | ||
] | ||
} | ||
|
||
with mock.patch( | ||
"prowler.providers.azure.services.storage.storage_blob_public_access_level_is_disabled.storage_blob_public_access_level_is_disabled.storage_client", | ||
new=storage_client, | ||
): | ||
from prowler.providers.azure.services.storage.storage_blob_public_access_level_is_disabled.storage_blob_public_access_level_is_disabled import ( | ||
storage_blob_public_access_level_is_disabled, | ||
) | ||
|
||
check = storage_blob_public_access_level_is_disabled() | ||
result = check.execute() | ||
assert len(result) == 1 | ||
assert result[0].status == "PASS" | ||
assert ( | ||
result[0].status_extended | ||
== f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} has allow blob public access disabled" | ||
) | ||
assert result[0].subscription == AZURE_SUSCRIPTION | ||
assert result[0].resource_name == storage_account_name | ||
assert result[0].resource_id == storage_account_id |
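Review bot: `storage_client = mock.MagicMock` in all three test methods binds the MagicMock class itself, not an instance, so the following `storage_client.storage_accounts = {...}` sets a class attribute on `unittest.mock.MagicMock` that persists for the rest of the pytest process and is visible to any other test that touches MagicMock. Each of those lines should read `storage_client = mock.MagicMock()`. The same pattern appears in the other two test files added by this commit (the default_network_access_rule_is_denied and azure_services_are_trusted_to_access tests), so the fix belongs in all three. The module constant `AZURE_SUSCRIPTION` is also misspelled (`AZURE_SUBSCRIPTION`) and is repeated in every new file; it is test-local, so the rename is cosmetic but cheap to do now.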
@@ -0,0 +1,104 @@ | ||
from unittest import mock | ||
from uuid import uuid4 | ||
|
||
from azure.mgmt.storage.v2022_09_01.models import NetworkRuleSet | ||
|
||
from prowler.providers.azure.services.storage.storage_service import Storage_Account | ||
|
||
AZURE_SUSCRIPTION = str(uuid4()) | ||
|
||
|
||
class Test_storage_default_network_access_rule_is_denied: | ||
def test_storage_no_storage_accounts(self): | ||
storage_client = mock.MagicMock | ||
storage_client.storage_accounts = {} | ||
|
||
with mock.patch( | ||
"prowler.providers.azure.services.storage.storage_default_network_access_rule_is_denied.storage_default_network_access_rule_is_denied.storage_client", | ||
new=storage_client, | ||
): | ||
from prowler.providers.azure.services.storage.storage_default_network_access_rule_is_denied.storage_default_network_access_rule_is_denied import ( | ||
storage_default_network_access_rule_is_denied, | ||
) | ||
|
||
check = storage_default_network_access_rule_is_denied() | ||
result = check.execute() | ||
assert len(result) == 0 | ||
|
||
def test_storage_storage_accounts_default_network_access_rule_allowed(self): | ||
storage_account_id = str(uuid4()) | ||
storage_account_name = "Test Storage Account" | ||
storage_client = mock.MagicMock | ||
storage_client.storage_accounts = { | ||
AZURE_SUSCRIPTION: [ | ||
Storage_Account( | ||
id=storage_account_id, | ||
name=storage_account_name, | ||
enable_https_traffic_only=False, | ||
infrastructure_encryption=False, | ||
allow_blob_public_access=None, | ||
network_rule_set=NetworkRuleSet(default_action="Allow"), | ||
encryption_type=None, | ||
minimum_tls_version=None, | ||
) | ||
] | ||
} | ||
|
||
with mock.patch( | ||
"prowler.providers.azure.services.storage.storage_default_network_access_rule_is_denied.storage_default_network_access_rule_is_denied.storage_client", | ||
new=storage_client, | ||
): | ||
from prowler.providers.azure.services.storage.storage_default_network_access_rule_is_denied.storage_default_network_access_rule_is_denied import ( | ||
storage_default_network_access_rule_is_denied, | ||
) | ||
|
||
check = storage_default_network_access_rule_is_denied() | ||
result = check.execute() | ||
assert len(result) == 1 | ||
assert result[0].status == "FAIL" | ||
assert ( | ||
result[0].status_extended | ||
== f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} has network access rule set to Allow" | ||
) | ||
assert result[0].subscription == AZURE_SUSCRIPTION | ||
assert result[0].resource_name == storage_account_name | ||
assert result[0].resource_id == storage_account_id | ||
|
||
def test_storage_storage_accounts_default_network_access_rule_denied(self): | ||
storage_account_id = str(uuid4()) | ||
storage_account_name = "Test Storage Account" | ||
storage_client = mock.MagicMock | ||
storage_client.storage_accounts = { | ||
AZURE_SUSCRIPTION: [ | ||
Storage_Account( | ||
id=storage_account_id, | ||
name=storage_account_name, | ||
enable_https_traffic_only=False, | ||
infrastructure_encryption=False, | ||
allow_blob_public_access=None, | ||
network_rule_set=NetworkRuleSet(default_action="Deny"), | ||
encryption_type=None, | ||
minimum_tls_version=None, | ||
) | ||
] | ||
} | ||
|
||
with mock.patch( | ||
"prowler.providers.azure.services.storage.storage_default_network_access_rule_is_denied.storage_default_network_access_rule_is_denied.storage_client", | ||
new=storage_client, | ||
): | ||
from prowler.providers.azure.services.storage.storage_default_network_access_rule_is_denied.storage_default_network_access_rule_is_denied import ( | ||
storage_default_network_access_rule_is_denied, | ||
) | ||
|
||
check = storage_default_network_access_rule_is_denied() | ||
result = check.execute() | ||
assert len(result) == 1 | ||
assert result[0].status == "PASS" | ||
assert ( | ||
result[0].status_extended | ||
== f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} has network access rule set to Deny" | ||
) | ||
assert result[0].subscription == AZURE_SUSCRIPTION | ||
assert result[0].resource_name == storage_account_name | ||
assert result[0].resource_id == storage_account_id |
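Review bot: The check is exercised only with `NetworkRuleSet(default_action="Allow")` and `NetworkRuleSet(default_action="Deny")`; there is no case for `network_rule_set=None`, even though the blob-public-access fixtures in this same commit construct `Storage_Account(..., network_rule_set=None, ...)`, so the service model clearly allows it. If the check reads `network_rule_set.default_action` without a guard (not visible here), an account with no rule set populated would raise during `execute()` instead of producing a finding. A third test with `network_rule_set=None` that pins the intended status (PASS, FAIL or no finding) would close that gap and document the decision.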
@@ -0,0 +1,104 @@ | ||
from unittest import mock | ||
from uuid import uuid4 | ||
|
||
from azure.mgmt.storage.v2022_09_01.models import NetworkRuleSet | ||
|
||
from prowler.providers.azure.services.storage.storage_service import Storage_Account | ||
|
||
AZURE_SUSCRIPTION = str(uuid4()) | ||
|
||
|
||
class Test_storage_ensure_azure_services_are_trusted_to_access_is_enabled: | ||
def test_storage_no_storage_accounts(self): | ||
storage_client = mock.MagicMock | ||
storage_client.storage_accounts = {} | ||
|
||
with mock.patch( | ||
"prowler.providers.azure.services.storage.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_client", | ||
new=storage_client, | ||
): | ||
from prowler.providers.azure.services.storage.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_ensure_azure_services_are_trusted_to_access_is_enabled import ( | ||
storage_ensure_azure_services_are_trusted_to_access_is_enabled, | ||
) | ||
|
||
check = storage_ensure_azure_services_are_trusted_to_access_is_enabled() | ||
result = check.execute() | ||
assert len(result) == 0 | ||
|
||
def test_storage_storage_accounts_azure_services_are_not_trusted_to_access(self): | ||
storage_account_id = str(uuid4()) | ||
storage_account_name = "Test Storage Account" | ||
storage_client = mock.MagicMock | ||
storage_client.storage_accounts = { | ||
AZURE_SUSCRIPTION: [ | ||
Storage_Account( | ||
id=storage_account_id, | ||
name=storage_account_name, | ||
enable_https_traffic_only=False, | ||
infrastructure_encryption=False, | ||
allow_blob_public_access=None, | ||
network_rule_set=NetworkRuleSet(bypass=[None]), | ||
encryption_type=None, | ||
minimum_tls_version=None, | ||
) | ||
] | ||
} | ||
|
||
with mock.patch( | ||
"prowler.providers.azure.services.storage.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_client", | ||
new=storage_client, | ||
): | ||
from prowler.providers.azure.services.storage.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_ensure_azure_services_are_trusted_to_access_is_enabled import ( | ||
storage_ensure_azure_services_are_trusted_to_access_is_enabled, | ||
) | ||
|
||
check = storage_ensure_azure_services_are_trusted_to_access_is_enabled() | ||
result = check.execute() | ||
assert len(result) == 1 | ||
assert result[0].status == "FAIL" | ||
assert ( | ||
result[0].status_extended | ||
== f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} does not allow trusted Microsoft services to access this storage account" | ||
) | ||
assert result[0].subscription == AZURE_SUSCRIPTION | ||
assert result[0].resource_name == storage_account_name | ||
assert result[0].resource_id == storage_account_id | ||
|
||
def test_storage_storage_accounts_azure_services_are_trusted_to_access(self): | ||
storage_account_id = str(uuid4()) | ||
storage_account_name = "Test Storage Account" | ||
storage_client = mock.MagicMock | ||
storage_client.storage_accounts = { | ||
AZURE_SUSCRIPTION: [ | ||
Storage_Account( | ||
id=storage_account_id, | ||
name=storage_account_name, | ||
enable_https_traffic_only=False, | ||
infrastructure_encryption=False, | ||
allow_blob_public_access=None, | ||
network_rule_set=NetworkRuleSet(bypass=["AzureServices"]), | ||
encryption_type=None, | ||
minimum_tls_version=None, | ||
) | ||
] | ||
} | ||
|
||
with mock.patch( | ||
"prowler.providers.azure.services.storage.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_client", | ||
new=storage_client, | ||
): | ||
from prowler.providers.azure.services.storage.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_ensure_azure_services_are_trusted_to_access_is_enabled import ( | ||
storage_ensure_azure_services_are_trusted_to_access_is_enabled, | ||
) | ||
|
||
check = storage_ensure_azure_services_are_trusted_to_access_is_enabled() | ||
result = check.execute() | ||
assert len(result) == 1 | ||
assert result[0].status == "PASS" | ||
assert ( | ||
result[0].status_extended | ||
== f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} allows trusted Microsoft services to access this storage account" | ||
) | ||
assert result[0].subscription == AZURE_SUSCRIPTION | ||
assert result[0].resource_name == storage_account_name | ||
assert result[0].resource_id == storage_account_id |
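Review bot: The FAIL fixture `NetworkRuleSet(bypass=[None])` is a Python list holding `None`, which does not resemble the value the SDK returns; as far as I recall, `NetworkRuleSet.bypass` is a comma-separated string such as `"AzureServices"`, `"Logging, Metrics"` or `"None"`, and a membership test like `"AzureServices" in bypass` behaves differently on a list than on a string. Using `bypass="None"` for the FAIL case and `bypass="Logging, Metrics, AzureServices"` alongside the existing `"AzureServices"` for the PASS case would exercise the real shape and catch a check that only matches an exact element. I cannot see how the check inspects `bypass` from this hunk, so confirm the field's type against the service model before changing the fixtures.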