test(azure): Storage Service (#2672)

prowler/providers/azure/services/storage/storage_blob_public_access_level_is_disabled/storage_blob_public_access_level_is_disabled.py

@@ -9,13 +9,13 @@ def execute(self) -> Check_Report_Azure:
             for storage_account in storage_accounts:
                 report = Check_Report_Azure(self.metadata())
                 report.subscription = subscription
-                report.status = "PASS"
-                report.status_extended = f"Storage account {storage_account.name} from subscription {subscription} has allow blob public access disabled"
+                report.status = "FAIL"
+                report.status_extended = f"Storage account {storage_account.name} from subscription {subscription} has allow blob public access enabled"
                 report.resource_name = storage_account.name
                 report.resource_id = storage_account.id
                 if not storage_account.allow_blob_public_access:
-                    report.status = "FAIL"
-                    report.status_extended = f"Storage account {storage_account.name} from subscription {subscription} has allow blob public access enabled"
+                    report.status = "PASS"
+                    report.status_extended = f"Storage account {storage_account.name} from subscription {subscription} has allow blob public access disabled"
 
                 findings.append(report)
 

tests/providers/azure/services/storage/storage_blob_public_access_level_is_disabled/storage_blob_public_access_level_is_disabled_test.py

@@ -0,0 +1,102 @@
+from unittest import mock
+from uuid import uuid4
+
+from prowler.providers.azure.services.storage.storage_service import Storage_Account
+
+AZURE_SUSCRIPTION = str(uuid4())
+
+
+class Test_storage_blob_public_access_level_is_disabled:
+    def test_storage_no_storage_accounts(self):
+        storage_client = mock.MagicMock
+        storage_client.storage_accounts = {}
+
+        with mock.patch(
+            "prowler.providers.azure.services.storage.storage_blob_public_access_level_is_disabled.storage_blob_public_access_level_is_disabled.storage_client",
+            new=storage_client,
+        ):
+            from prowler.providers.azure.services.storage.storage_blob_public_access_level_is_disabled.storage_blob_public_access_level_is_disabled import (
+                storage_blob_public_access_level_is_disabled,
+            )
+
+            check = storage_blob_public_access_level_is_disabled()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_storage_storage_accounts_public_access_level_enabled(self):
+        storage_account_id = str(uuid4())
+        storage_account_name = "Test Storage Account"
+        storage_client = mock.MagicMock
+        storage_client.storage_accounts = {
+            AZURE_SUSCRIPTION: [
+                Storage_Account(
+                    id=storage_account_id,
+                    name=storage_account_name,
+                    enable_https_traffic_only=False,
+                    infrastructure_encryption=False,
+                    allow_blob_public_access=True,
+                    network_rule_set=None,
+                    encryption_type=None,
+                    minimum_tls_version=None,
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.storage.storage_blob_public_access_level_is_disabled.storage_blob_public_access_level_is_disabled.storage_client",
+            new=storage_client,
+        ):
+            from prowler.providers.azure.services.storage.storage_blob_public_access_level_is_disabled.storage_blob_public_access_level_is_disabled import (
+                storage_blob_public_access_level_is_disabled,
+            )
+
+            check = storage_blob_public_access_level_is_disabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} has allow blob public access enabled"
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].resource_name == storage_account_name
+            assert result[0].resource_id == storage_account_id
+
+    def test_storage_storage_accounts_public_access_level_disabled(self):
+        storage_account_id = str(uuid4())
+        storage_account_name = "Test Storage Account"
+        storage_client = mock.MagicMock
+        storage_client.storage_accounts = {
+            AZURE_SUSCRIPTION: [
+                Storage_Account(
+                    id=storage_account_id,
+                    name=storage_account_name,
+                    enable_https_traffic_only=False,
+                    infrastructure_encryption=False,
+                    allow_blob_public_access=False,
+                    network_rule_set=None,
+                    encryption_type=None,
+                    minimum_tls_version=None,
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.storage.storage_blob_public_access_level_is_disabled.storage_blob_public_access_level_is_disabled.storage_client",
+            new=storage_client,
+        ):
+            from prowler.providers.azure.services.storage.storage_blob_public_access_level_is_disabled.storage_blob_public_access_level_is_disabled import (
+                storage_blob_public_access_level_is_disabled,
+            )
+
+            check = storage_blob_public_access_level_is_disabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} has allow blob public access disabled"
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].resource_name == storage_account_name
+            assert result[0].resource_id == storage_account_id

tests/providers/azure/services/storage/storage_default_network_access_rule_is_denied/storage_default_network_access_rule_is_denied_test.py

@@ -0,0 +1,104 @@
+from unittest import mock
+from uuid import uuid4
+
+from azure.mgmt.storage.v2022_09_01.models import NetworkRuleSet
+
+from prowler.providers.azure.services.storage.storage_service import Storage_Account
+
+AZURE_SUSCRIPTION = str(uuid4())
+
+
+class Test_storage_default_network_access_rule_is_denied:
+    def test_storage_no_storage_accounts(self):
+        storage_client = mock.MagicMock
+        storage_client.storage_accounts = {}
+
+        with mock.patch(
+            "prowler.providers.azure.services.storage.storage_default_network_access_rule_is_denied.storage_default_network_access_rule_is_denied.storage_client",
+            new=storage_client,
+        ):
+            from prowler.providers.azure.services.storage.storage_default_network_access_rule_is_denied.storage_default_network_access_rule_is_denied import (
+                storage_default_network_access_rule_is_denied,
+            )
+
+            check = storage_default_network_access_rule_is_denied()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_storage_storage_accounts_default_network_access_rule_allowed(self):
+        storage_account_id = str(uuid4())
+        storage_account_name = "Test Storage Account"
+        storage_client = mock.MagicMock
+        storage_client.storage_accounts = {
+            AZURE_SUSCRIPTION: [
+                Storage_Account(
+                    id=storage_account_id,
+                    name=storage_account_name,
+                    enable_https_traffic_only=False,
+                    infrastructure_encryption=False,
+                    allow_blob_public_access=None,
+                    network_rule_set=NetworkRuleSet(default_action="Allow"),
+                    encryption_type=None,
+                    minimum_tls_version=None,
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.storage.storage_default_network_access_rule_is_denied.storage_default_network_access_rule_is_denied.storage_client",
+            new=storage_client,
+        ):
+            from prowler.providers.azure.services.storage.storage_default_network_access_rule_is_denied.storage_default_network_access_rule_is_denied import (
+                storage_default_network_access_rule_is_denied,
+            )
+
+            check = storage_default_network_access_rule_is_denied()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} has network access rule set to Allow"
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].resource_name == storage_account_name
+            assert result[0].resource_id == storage_account_id
+
+    def test_storage_storage_accounts_default_network_access_rule_denied(self):
+        storage_account_id = str(uuid4())
+        storage_account_name = "Test Storage Account"
+        storage_client = mock.MagicMock
+        storage_client.storage_accounts = {
+            AZURE_SUSCRIPTION: [
+                Storage_Account(
+                    id=storage_account_id,
+                    name=storage_account_name,
+                    enable_https_traffic_only=False,
+                    infrastructure_encryption=False,
+                    allow_blob_public_access=None,
+                    network_rule_set=NetworkRuleSet(default_action="Deny"),
+                    encryption_type=None,
+                    minimum_tls_version=None,
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.storage.storage_default_network_access_rule_is_denied.storage_default_network_access_rule_is_denied.storage_client",
+            new=storage_client,
+        ):
+            from prowler.providers.azure.services.storage.storage_default_network_access_rule_is_denied.storage_default_network_access_rule_is_denied import (
+                storage_default_network_access_rule_is_denied,
+            )
+
+            check = storage_default_network_access_rule_is_denied()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} has network access rule set to Deny"
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].resource_name == storage_account_name
+            assert result[0].resource_id == storage_account_id

tests/providers/azure/services/storage/storage_ensure_azure_services_are_trusted_to_access_is_enabled/storage_ensure_azure_services_are_trusted_to_access_is_enabled_test.py

@@ -0,0 +1,104 @@
+from unittest import mock
+from uuid import uuid4
+
+from azure.mgmt.storage.v2022_09_01.models import NetworkRuleSet
+
+from prowler.providers.azure.services.storage.storage_service import Storage_Account
+
+AZURE_SUSCRIPTION = str(uuid4())
+
+
+class Test_storage_ensure_azure_services_are_trusted_to_access_is_enabled:
+    def test_storage_no_storage_accounts(self):
+        storage_client = mock.MagicMock
+        storage_client.storage_accounts = {}
+
+        with mock.patch(
+            "prowler.providers.azure.services.storage.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_client",
+            new=storage_client,
+        ):
+            from prowler.providers.azure.services.storage.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_ensure_azure_services_are_trusted_to_access_is_enabled import (
+                storage_ensure_azure_services_are_trusted_to_access_is_enabled,
+            )
+
+            check = storage_ensure_azure_services_are_trusted_to_access_is_enabled()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_storage_storage_accounts_azure_services_are_not_trusted_to_access(self):
+        storage_account_id = str(uuid4())
+        storage_account_name = "Test Storage Account"
+        storage_client = mock.MagicMock
+        storage_client.storage_accounts = {
+            AZURE_SUSCRIPTION: [
+                Storage_Account(
+                    id=storage_account_id,
+                    name=storage_account_name,
+                    enable_https_traffic_only=False,
+                    infrastructure_encryption=False,
+                    allow_blob_public_access=None,
+                    network_rule_set=NetworkRuleSet(bypass=[None]),
+                    encryption_type=None,
+                    minimum_tls_version=None,
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.storage.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_client",
+            new=storage_client,
+        ):
+            from prowler.providers.azure.services.storage.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_ensure_azure_services_are_trusted_to_access_is_enabled import (
+                storage_ensure_azure_services_are_trusted_to_access_is_enabled,
+            )
+
+            check = storage_ensure_azure_services_are_trusted_to_access_is_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} does not allow trusted Microsoft services to access this storage account"
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].resource_name == storage_account_name
+            assert result[0].resource_id == storage_account_id
+
+    def test_storage_storage_accounts_azure_services_are_trusted_to_access(self):
+        storage_account_id = str(uuid4())
+        storage_account_name = "Test Storage Account"
+        storage_client = mock.MagicMock
+        storage_client.storage_accounts = {
+            AZURE_SUSCRIPTION: [
+                Storage_Account(
+                    id=storage_account_id,
+                    name=storage_account_name,
+                    enable_https_traffic_only=False,
+                    infrastructure_encryption=False,
+                    allow_blob_public_access=None,
+                    network_rule_set=NetworkRuleSet(bypass=["AzureServices"]),
+                    encryption_type=None,
+                    minimum_tls_version=None,
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.storage.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_client",
+            new=storage_client,
+        ):
+            from prowler.providers.azure.services.storage.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_ensure_azure_services_are_trusted_to_access_is_enabled import (
+                storage_ensure_azure_services_are_trusted_to_access_is_enabled,
+            )
+
+            check = storage_ensure_azure_services_are_trusted_to_access_is_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} allows trusted Microsoft services to access this storage account"
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].resource_name == storage_account_name
+            assert result[0].resource_id == storage_account_id