From 1797b54259cf365476a8e772aadc2f1a790d6afb Mon Sep 17 00:00:00 2001 From: Pepe Fagoaga Date: Thu, 3 Aug 2023 15:07:17 +0200 Subject: [PATCH] test(azure): Storage Service (#2672) --- ...ge_blob_public_access_level_is_disabled.py | 8 +- ...ob_public_access_level_is_disabled_test.py | 102 +++++++++++++++++ ...ault_network_access_rule_is_denied_test.py | 104 ++++++++++++++++++ ...s_are_trusted_to_access_is_enabled_test.py | 104 ++++++++++++++++++ ...ryption_with_customer_managed_keys_test.py | 102 +++++++++++++++++ ...rage_ensure_minimum_tls_version_12_test.py | 102 +++++++++++++++++ ...frastructure_encryption_is_enabled_test.py | 102 +++++++++++++++++ ...ecure_transfer_required_is_enabled_test.py | 102 +++++++++++++++++ 8 files changed, 722 insertions(+), 4 deletions(-) diff --git a/prowler/providers/azure/services/storage/storage_blob_public_access_level_is_disabled/storage_blob_public_access_level_is_disabled.py b/prowler/providers/azure/services/storage/storage_blob_public_access_level_is_disabled/storage_blob_public_access_level_is_disabled.py index 551d795c09..448242f02e 100644 --- a/prowler/providers/azure/services/storage/storage_blob_public_access_level_is_disabled/storage_blob_public_access_level_is_disabled.py +++ b/prowler/providers/azure/services/storage/storage_blob_public_access_level_is_disabled/storage_blob_public_access_level_is_disabled.py 
@@ -9,13 +9,13 @@ def execute(self) -> Check_Report_Azure: for storage_account in storage_accounts: report = Check_Report_Azure(self.metadata()) report.subscription = subscription - report.status = "PASS" - report.status_extended = f"Storage account {storage_account.name} from subscription {subscription} has allow blob public access disabled" + report.status = "FAIL" + report.status_extended = f"Storage account {storage_account.name} from subscription {subscription} has allow blob public access enabled" report.resource_name = storage_account.name report.resource_id = storage_account.id if not storage_account.allow_blob_public_access: - report.status = "FAIL" - report.status_extended = f"Storage account {storage_account.name} from subscription {subscription} has allow blob public access enabled" + report.status = "PASS" + report.status_extended = f"Storage account {storage_account.name} from subscription {subscription} has allow blob public access disabled" findings.append(report) diff --git a/tests/providers/azure/services/storage/storage_blob_public_access_level_is_disabled/storage_blob_public_access_level_is_disabled_test.py b/tests/providers/azure/services/storage/storage_blob_public_access_level_is_disabled/storage_blob_public_access_level_is_disabled_test.py index e69de29bb2..0c6c91d4e1 100644 --- a/tests/providers/azure/services/storage/storage_blob_public_access_level_is_disabled/storage_blob_public_access_level_is_disabled_test.py +++ b/tests/providers/azure/services/storage/storage_blob_public_access_level_is_disabled/storage_blob_public_access_level_is_disabled_test.py 
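Review bot: The new `if not storage_account.allow_blob_public_access:` branch turns an unset value into a PASS, because `not None` is true, and the sibling tests in this patch show `None` is a value this field carries. An account whose `allowBlobPublicAccess` property is absent has not been shown to have public access disabled (for older accounts the platform default was, as far as I recall, to allow it — worth confirming against the Azure docs), so the check should PASS only on an explicit `False`: `if storage_account.allow_blob_public_access is False:`. Defaulting the report to FAIL is the right shape for a check; this only closes the gap in the condition. `execute` starts before this hunk and its `return` is outside it.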
@@ -0,0 +1,102 @@ +from unittest import mock +from uuid import uuid4 + +from prowler.providers.azure.services.storage.storage_service import Storage_Account + +AZURE_SUSCRIPTION = str(uuid4()) + + +class Test_storage_blob_public_access_level_is_disabled: + def test_storage_no_storage_accounts(self): + storage_client = mock.MagicMock + storage_client.storage_accounts = {} + + with mock.patch( + "prowler.providers.azure.services.storage.storage_blob_public_access_level_is_disabled.storage_blob_public_access_level_is_disabled.storage_client", + new=storage_client, + ): + from prowler.providers.azure.services.storage.storage_blob_public_access_level_is_disabled.storage_blob_public_access_level_is_disabled import ( + storage_blob_public_access_level_is_disabled, + ) + + check = storage_blob_public_access_level_is_disabled() + result = check.execute() + assert len(result) == 0 + + def test_storage_storage_accounts_public_access_level_enabled(self): + storage_account_id = str(uuid4()) + storage_account_name = "Test Storage Account" + storage_client = mock.MagicMock + storage_client.storage_accounts = { + AZURE_SUSCRIPTION: [ + Storage_Account( + id=storage_account_id, + name=storage_account_name, + enable_https_traffic_only=False, + infrastructure_encryption=False, + allow_blob_public_access=True, + network_rule_set=None, + encryption_type=None, + minimum_tls_version=None, + ) + ] + } + + with mock.patch( + "prowler.providers.azure.services.storage.storage_blob_public_access_level_is_disabled.storage_blob_public_access_level_is_disabled.storage_client", + new=storage_client, + ): + from prowler.providers.azure.services.storage.storage_blob_public_access_level_is_disabled.storage_blob_public_access_level_is_disabled import ( + storage_blob_public_access_level_is_disabled, + ) + + check = storage_blob_public_access_level_is_disabled() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == 
f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} has allow blob public access enabled" + ) + assert result[0].subscription == AZURE_SUSCRIPTION + assert result[0].resource_name == storage_account_name + assert result[0].resource_id == storage_account_id + + def test_storage_storage_accounts_public_access_level_disabled(self): + storage_account_id = str(uuid4()) + storage_account_name = "Test Storage Account" + storage_client = mock.MagicMock + storage_client.storage_accounts = { + AZURE_SUSCRIPTION: [ + Storage_Account( + id=storage_account_id, + name=storage_account_name, + enable_https_traffic_only=False, + infrastructure_encryption=False, + allow_blob_public_access=False, + network_rule_set=None, + encryption_type=None, + minimum_tls_version=None, + ) + ] + } + + with mock.patch( + "prowler.providers.azure.services.storage.storage_blob_public_access_level_is_disabled.storage_blob_public_access_level_is_disabled.storage_client", + new=storage_client, + ): + from prowler.providers.azure.services.storage.storage_blob_public_access_level_is_disabled.storage_blob_public_access_level_is_disabled import ( + storage_blob_public_access_level_is_disabled, + ) + + check = storage_blob_public_access_level_is_disabled() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "PASS" + assert ( + result[0].status_extended + == f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} has allow blob public access disabled" + ) + assert result[0].subscription == AZURE_SUSCRIPTION + assert result[0].resource_name == storage_account_name + assert result[0].resource_id == storage_account_id 
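Review bot: The blob-public-access tests cover `True` and `False` but not `None`, even though every other test file in this patch builds `Storage_Account(..., allow_blob_public_access=None, ...)`, so the check's behaviour on an account that lacks the property is unpinned; add a third case with `allow_blob_public_access=None` asserting the status you intend (FAIL, if unset is treated as not proven disabled). Separately, `storage_client = mock.MagicMock` assigns the class rather than an instance, so `storage_client.storage_accounts = {...}` mutates `mock.MagicMock` itself for the rest of the pytest session; use `storage_client = mock.MagicMock()` in each test. `AZURE_SUSCRIPTION` is also misspelled (`AZURE_SUBSCRIPTION`), which matters mainly because the name is copied into all seven new files.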
diff --git a/tests/providers/azure/services/storage/storage_default_network_access_rule_is_denied/storage_default_network_access_rule_is_denied_test.py b/tests/providers/azure/services/storage/storage_default_network_access_rule_is_denied/storage_default_network_access_rule_is_denied_test.py index e69de29bb2..1da7bca686 100644 --- a/tests/providers/azure/services/storage/storage_default_network_access_rule_is_denied/storage_default_network_access_rule_is_denied_test.py +++ b/tests/providers/azure/services/storage/storage_default_network_access_rule_is_denied/storage_default_network_access_rule_is_denied_test.py 
@@ -0,0 +1,104 @@ +from unittest import mock +from uuid import uuid4 + +from azure.mgmt.storage.v2022_09_01.models import NetworkRuleSet + +from prowler.providers.azure.services.storage.storage_service import Storage_Account + +AZURE_SUSCRIPTION = str(uuid4()) + + +class Test_storage_default_network_access_rule_is_denied: + def test_storage_no_storage_accounts(self): + storage_client = mock.MagicMock + storage_client.storage_accounts = {} + + with mock.patch( + "prowler.providers.azure.services.storage.storage_default_network_access_rule_is_denied.storage_default_network_access_rule_is_denied.storage_client", + new=storage_client, + ): + from prowler.providers.azure.services.storage.storage_default_network_access_rule_is_denied.storage_default_network_access_rule_is_denied import ( + storage_default_network_access_rule_is_denied, + ) + + check = storage_default_network_access_rule_is_denied() + result = check.execute() + assert len(result) == 0 + + def test_storage_storage_accounts_default_network_access_rule_allowed(self): + storage_account_id = str(uuid4()) + storage_account_name = "Test Storage Account" + storage_client = mock.MagicMock + storage_client.storage_accounts = { + AZURE_SUSCRIPTION: [ + Storage_Account( + id=storage_account_id, + name=storage_account_name, + enable_https_traffic_only=False, + infrastructure_encryption=False, + allow_blob_public_access=None, + network_rule_set=NetworkRuleSet(default_action="Allow"), + encryption_type=None, + minimum_tls_version=None, + ) + ] + } + + with mock.patch( + "prowler.providers.azure.services.storage.storage_default_network_access_rule_is_denied.storage_default_network_access_rule_is_denied.storage_client", + new=storage_client, + ): + from prowler.providers.azure.services.storage.storage_default_network_access_rule_is_denied.storage_default_network_access_rule_is_denied import ( + storage_default_network_access_rule_is_denied, + ) + + check = storage_default_network_access_rule_is_denied() + result = 
check.execute() + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} has network access rule set to Allow" + ) + assert result[0].subscription == AZURE_SUSCRIPTION + assert result[0].resource_name == storage_account_name + assert result[0].resource_id == storage_account_id + + def test_storage_storage_accounts_default_network_access_rule_denied(self): + storage_account_id = str(uuid4()) + storage_account_name = "Test Storage Account" + storage_client = mock.MagicMock + storage_client.storage_accounts = { + AZURE_SUSCRIPTION: [ + Storage_Account( + id=storage_account_id, + name=storage_account_name, + enable_https_traffic_only=False, + infrastructure_encryption=False, + allow_blob_public_access=None, + network_rule_set=NetworkRuleSet(default_action="Deny"), + encryption_type=None, + minimum_tls_version=None, + ) + ] + } + + with mock.patch( + "prowler.providers.azure.services.storage.storage_default_network_access_rule_is_denied.storage_default_network_access_rule_is_denied.storage_client", + new=storage_client, + ): + from prowler.providers.azure.services.storage.storage_default_network_access_rule_is_denied.storage_default_network_access_rule_is_denied import ( + storage_default_network_access_rule_is_denied, + ) + + check = storage_default_network_access_rule_is_denied() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "PASS" + assert ( + result[0].status_extended + == f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} has network access rule set to Deny" + ) + assert result[0].subscription == AZURE_SUSCRIPTION + assert result[0].resource_name == storage_account_name + assert result[0].resource_id == storage_account_id 
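Review bot: Neither case exercises `network_rule_set=None`, which is the value the other test files in this patch pass for this field and the one an account with no network rules would surface; depending on how the check dereferences `storage_account.network_rule_set.default_action` that is either an `AttributeError` or a silent PASS, and a third test with `network_rule_set=None` should pin it as FAIL (no rule set in practice means all networks are allowed). The `"Allow"`/`"Deny"` strings match the SDK's `DefaultAction` enum values, so the two cases that are present look right. As in the sibling files, instantiate the mock (`storage_client = mock.MagicMock()`) so `storage_accounts` is set on a fresh object per test.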
diff --git a/tests/providers/azure/services/storage/storage_ensure_azure_services_are_trusted_to_access_is_enabled/storage_ensure_azure_services_are_trusted_to_access_is_enabled_test.py b/tests/providers/azure/services/storage/storage_ensure_azure_services_are_trusted_to_access_is_enabled/storage_ensure_azure_services_are_trusted_to_access_is_enabled_test.py index e69de29bb2..4c2972f378 100644 --- a/tests/providers/azure/services/storage/storage_ensure_azure_services_are_trusted_to_access_is_enabled/storage_ensure_azure_services_are_trusted_to_access_is_enabled_test.py +++ b/tests/providers/azure/services/storage/storage_ensure_azure_services_are_trusted_to_access_is_enabled/storage_ensure_azure_services_are_trusted_to_access_is_enabled_test.py 
@@ -0,0 +1,104 @@ +from unittest import mock +from uuid import uuid4 + +from azure.mgmt.storage.v2022_09_01.models import NetworkRuleSet + +from prowler.providers.azure.services.storage.storage_service import Storage_Account + +AZURE_SUSCRIPTION = str(uuid4()) + + +class Test_storage_ensure_azure_services_are_trusted_to_access_is_enabled: + def test_storage_no_storage_accounts(self): + storage_client = mock.MagicMock + storage_client.storage_accounts = {} + + with mock.patch( + "prowler.providers.azure.services.storage.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_client", + new=storage_client, + ): + from prowler.providers.azure.services.storage.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_ensure_azure_services_are_trusted_to_access_is_enabled import ( + storage_ensure_azure_services_are_trusted_to_access_is_enabled, + ) + + check = storage_ensure_azure_services_are_trusted_to_access_is_enabled() + result = check.execute() + assert len(result) == 0 + + def test_storage_storage_accounts_azure_services_are_not_trusted_to_access(self): + storage_account_id = str(uuid4()) + storage_account_name = "Test Storage Account" + storage_client = mock.MagicMock + storage_client.storage_accounts = { + AZURE_SUSCRIPTION: [ + Storage_Account( + id=storage_account_id, + name=storage_account_name, + enable_https_traffic_only=False, + infrastructure_encryption=False, + allow_blob_public_access=None, + network_rule_set=NetworkRuleSet(bypass=[None]), + encryption_type=None, + minimum_tls_version=None, + ) + ] + } + + with mock.patch( + "prowler.providers.azure.services.storage.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_client", + new=storage_client, + ): + from 
prowler.providers.azure.services.storage.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_ensure_azure_services_are_trusted_to_access_is_enabled import ( + storage_ensure_azure_services_are_trusted_to_access_is_enabled, + ) + + check = storage_ensure_azure_services_are_trusted_to_access_is_enabled() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} does not allow trusted Microsoft services to access this storage account" + ) + assert result[0].subscription == AZURE_SUSCRIPTION + assert result[0].resource_name == storage_account_name + assert result[0].resource_id == storage_account_id + + def test_storage_storage_accounts_azure_services_are_trusted_to_access(self): + storage_account_id = str(uuid4()) + storage_account_name = "Test Storage Account" + storage_client = mock.MagicMock + storage_client.storage_accounts = { + AZURE_SUSCRIPTION: [ + Storage_Account( + id=storage_account_id, + name=storage_account_name, + enable_https_traffic_only=False, + infrastructure_encryption=False, + allow_blob_public_access=None, + network_rule_set=NetworkRuleSet(bypass=["AzureServices"]), + encryption_type=None, + minimum_tls_version=None, + ) + ] + } + + with mock.patch( + "prowler.providers.azure.services.storage.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_client", + new=storage_client, + ): + from prowler.providers.azure.services.storage.storage_ensure_azure_services_are_trusted_to_access_is_enabled.storage_ensure_azure_services_are_trusted_to_access_is_enabled import ( + storage_ensure_azure_services_are_trusted_to_access_is_enabled, + ) + + check = storage_ensure_azure_services_are_trusted_to_access_is_enabled() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "PASS" + 
assert ( + result[0].status_extended + == f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} allows trusted Microsoft services to access this storage account" + ) + assert result[0].subscription == AZURE_SUSCRIPTION + assert result[0].resource_name == storage_account_name + assert result[0].resource_id == storage_account_id diff --git a/tests/providers/azure/services/storage/storage_ensure_encryption_with_customer_managed_keys/storage_ensure_encryption_with_customer_managed_keys_test.py b/tests/providers/azure/services/storage/storage_ensure_encryption_with_customer_managed_keys/storage_ensure_encryption_with_customer_managed_keys_test.py index e69de29bb2..a05bcf54bf 100644 --- a/tests/providers/azure/services/storage/storage_ensure_encryption_with_customer_managed_keys/storage_ensure_encryption_with_customer_managed_keys_test.py +++ b/tests/providers/azure/services/storage/storage_ensure_encryption_with_customer_managed_keys/storage_ensure_encryption_with_customer_managed_keys_test.py 
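Review bot: The fixtures give `NetworkRuleSet.bypass` a list (`[None]`, `["AzureServices"]`), while the storage SDK models `bypass` as a comma-separated string such as `"Logging, Metrics, AzureServices"` (and `"None"` for no bypass), so these tests do not show whether the check handles the shape the API actually returns, and `[None]` in particular is not a real value. Use the SDK shapes — `network_rule_set=NetworkRuleSet(bypass="None")` for the FAIL case and `network_rule_set=NetworkRuleSet(bypass="Logging, Metrics, AzureServices")` for the PASS case — so a check written as `== "AzureServices"` would be caught. A `network_rule_set=None` case is missing here too, as in the default-action test.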
@@ -0,0 +1,102 @@ +from unittest import mock +from uuid import uuid4 + +from prowler.providers.azure.services.storage.storage_service import Storage_Account + +AZURE_SUSCRIPTION = str(uuid4()) + + +class Test_storage_ensure_encryption_with_customer_managed_keys: + def test_storage_no_storage_accounts(self): + storage_client = mock.MagicMock + storage_client.storage_accounts = {} + + with mock.patch( + "prowler.providers.azure.services.storage.storage_ensure_encryption_with_customer_managed_keys.storage_ensure_encryption_with_customer_managed_keys.storage_client", + new=storage_client, + ): + from prowler.providers.azure.services.storage.storage_ensure_encryption_with_customer_managed_keys.storage_ensure_encryption_with_customer_managed_keys import ( + storage_ensure_encryption_with_customer_managed_keys, + ) + + check = storage_ensure_encryption_with_customer_managed_keys() + result = check.execute() + assert len(result) == 0 + + def test_storage_storage_accounts_encryption_without_customer_managed_keys(self): + storage_account_id = str(uuid4()) + storage_account_name = "Test Storage Account" + storage_client = mock.MagicMock + storage_client.storage_accounts = { + AZURE_SUSCRIPTION: [ + Storage_Account( + id=storage_account_id, + name=storage_account_name, + enable_https_traffic_only=False, + infrastructure_encryption=False, + allow_blob_public_access=None, + network_rule_set=None, + encryption_type="None", + minimum_tls_version=None, + ) + ] + } + + with mock.patch( + "prowler.providers.azure.services.storage.storage_ensure_encryption_with_customer_managed_keys.storage_ensure_encryption_with_customer_managed_keys.storage_client", + new=storage_client, + ): + from prowler.providers.azure.services.storage.storage_ensure_encryption_with_customer_managed_keys.storage_ensure_encryption_with_customer_managed_keys import ( + storage_ensure_encryption_with_customer_managed_keys, + ) + + check = storage_ensure_encryption_with_customer_managed_keys() + result = 
check.execute() + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} does not encrypt with CMKs" + ) + assert result[0].subscription == AZURE_SUSCRIPTION + assert result[0].resource_name == storage_account_name + assert result[0].resource_id == storage_account_id + + def test_storage_storage_accounts_encryption_with_customer_managed_keys(self): + storage_account_id = str(uuid4()) + storage_account_name = "Test Storage Account" + storage_client = mock.MagicMock + storage_client.storage_accounts = { + AZURE_SUSCRIPTION: [ + Storage_Account( + id=storage_account_id, + name=storage_account_name, + enable_https_traffic_only=False, + infrastructure_encryption=False, + allow_blob_public_access=None, + network_rule_set=None, + encryption_type="Microsoft.Keyvault", + minimum_tls_version=None, + ) + ] + } + + with mock.patch( + "prowler.providers.azure.services.storage.storage_ensure_encryption_with_customer_managed_keys.storage_ensure_encryption_with_customer_managed_keys.storage_client", + new=storage_client, + ): + from prowler.providers.azure.services.storage.storage_ensure_encryption_with_customer_managed_keys.storage_ensure_encryption_with_customer_managed_keys import ( + storage_ensure_encryption_with_customer_managed_keys, + ) + + check = storage_ensure_encryption_with_customer_managed_keys() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "PASS" + assert ( + result[0].status_extended + == f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} encrypts with CMKs" + ) + assert result[0].subscription == AZURE_SUSCRIPTION + assert result[0].resource_name == storage_account_name + assert result[0].resource_id == storage_account_id 
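Review bot: `encryption_type="None"` is not a value the storage API returns for the key source; an account encrypted with Microsoft-managed keys reports `KeySource` `"Microsoft.Storage"`, with `"Microsoft.Keyvault"` for customer-managed keys. Using `encryption_type="Microsoft.Storage"` in the FAIL case makes the negative test reflect a real account, and a third case with `encryption_type=None` (the value the other test files pass for this field) would pin how the check treats an account whose encryption settings were not returned. The `"Microsoft.Keyvault"` PASS case matches the SDK enum.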
diff --git a/tests/providers/azure/services/storage/storage_ensure_minimum_tls_version_12/storage_ensure_minimum_tls_version_12_test.py b/tests/providers/azure/services/storage/storage_ensure_minimum_tls_version_12/storage_ensure_minimum_tls_version_12_test.py index e69de29bb2..a80a969bd3 100644 --- a/tests/providers/azure/services/storage/storage_ensure_minimum_tls_version_12/storage_ensure_minimum_tls_version_12_test.py +++ b/tests/providers/azure/services/storage/storage_ensure_minimum_tls_version_12/storage_ensure_minimum_tls_version_12_test.py 
@@ -0,0 +1,102 @@ +from unittest import mock +from uuid import uuid4 + +from prowler.providers.azure.services.storage.storage_service import Storage_Account + +AZURE_SUSCRIPTION = str(uuid4()) + + +class Test_storage_ensure_minimum_tls_version_12: + def test_storage_no_storage_accounts(self): + storage_client = mock.MagicMock + storage_client.storage_accounts = {} + + with mock.patch( + "prowler.providers.azure.services.storage.storage_ensure_minimum_tls_version_12.storage_ensure_minimum_tls_version_12.storage_client", + new=storage_client, + ): + from prowler.providers.azure.services.storage.storage_ensure_minimum_tls_version_12.storage_ensure_minimum_tls_version_12 import ( + storage_ensure_minimum_tls_version_12, + ) + + check = storage_ensure_minimum_tls_version_12() + result = check.execute() + assert len(result) == 0 + + def test_storage_storage_accounts_tls_not_1_2(self): + storage_account_id = str(uuid4()) + storage_account_name = "Test Storage Account" + storage_client = mock.MagicMock + storage_client.storage_accounts = { + AZURE_SUSCRIPTION: [ + Storage_Account( + id=storage_account_id, + name=storage_account_name, + enable_https_traffic_only=False, + infrastructure_encryption=False, + allow_blob_public_access=None, + network_rule_set=None, + encryption_type="None", + minimum_tls_version="TLS1_1", + ) + ] + } + + with mock.patch( + "prowler.providers.azure.services.storage.storage_ensure_minimum_tls_version_12.storage_ensure_minimum_tls_version_12.storage_client", + new=storage_client, + ): + from prowler.providers.azure.services.storage.storage_ensure_minimum_tls_version_12.storage_ensure_minimum_tls_version_12 import ( + storage_ensure_minimum_tls_version_12, + ) + + check = storage_ensure_minimum_tls_version_12() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} does not have TLS version set 
to 1.2" + ) + assert result[0].subscription == AZURE_SUSCRIPTION + assert result[0].resource_name == storage_account_name + assert result[0].resource_id == storage_account_id + + def test_storage_storage_accounts_tls_1_2(self): + storage_account_id = str(uuid4()) + storage_account_name = "Test Storage Account" + storage_client = mock.MagicMock + storage_client.storage_accounts = { + AZURE_SUSCRIPTION: [ + Storage_Account( + id=storage_account_id, + name=storage_account_name, + enable_https_traffic_only=False, + infrastructure_encryption=False, + allow_blob_public_access=None, + network_rule_set=None, + encryption_type="None", + minimum_tls_version="TLS1_2", + ) + ] + } + + with mock.patch( + "prowler.providers.azure.services.storage.storage_ensure_minimum_tls_version_12.storage_ensure_minimum_tls_version_12.storage_client", + new=storage_client, + ): + from prowler.providers.azure.services.storage.storage_ensure_minimum_tls_version_12.storage_ensure_minimum_tls_version_12 import ( + storage_ensure_minimum_tls_version_12, + ) + + check = storage_ensure_minimum_tls_version_12() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "PASS" + assert ( + result[0].status_extended + == f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} has TLS version set to 1.2" + ) + assert result[0].subscription == AZURE_SUSCRIPTION + assert result[0].resource_name == storage_account_name + assert result[0].resource_id == storage_account_id diff --git a/tests/providers/azure/services/storage/storage_infrastructure_encryption_is_enabled/storage_infrastructure_encryption_is_enabled_test.py b/tests/providers/azure/services/storage/storage_infrastructure_encryption_is_enabled/storage_infrastructure_encryption_is_enabled_test.py index e69de29bb2..c3fbda47d3 100644 --- a/tests/providers/azure/services/storage/storage_infrastructure_encryption_is_enabled/storage_infrastructure_encryption_is_enabled_test.py 
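Review bot: The TLS test has no case for `minimum_tls_version=None`, yet that is the value passed for this field in several sibling test files, and an account created before the property existed reports it unset — which, as far as I recall, the platform treats as still permitting TLS 1.0, so the check should FAIL rather than PASS on `None`. Add `minimum_tls_version=None` as a FAIL case alongside `"TLS1_1"`, and consider a `"TLS1_0"` case since it is the other value the `MinimumTlsVersion` enum offers. A test named `..._tls_not_1_2` that asserts only on `TLS1_1` leaves the weakest configuration untested.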
+++ b/tests/providers/azure/services/storage/storage_infrastructure_encryption_is_enabled/storage_infrastructure_encryption_is_enabled_test.py 
@@ -0,0 +1,102 @@ +from unittest import mock +from uuid import uuid4 + +from prowler.providers.azure.services.storage.storage_service import Storage_Account + +AZURE_SUSCRIPTION = str(uuid4()) + + +class Test_storage_infrastructure_encryption_is_enabled: + def test_storage_no_storage_accounts(self): + storage_client = mock.MagicMock + storage_client.storage_accounts = {} + + with mock.patch( + "prowler.providers.azure.services.storage.storage_infrastructure_encryption_is_enabled.storage_infrastructure_encryption_is_enabled.storage_client", + new=storage_client, + ): + from prowler.providers.azure.services.storage.storage_infrastructure_encryption_is_enabled.storage_infrastructure_encryption_is_enabled import ( + storage_infrastructure_encryption_is_enabled, + ) + + check = storage_infrastructure_encryption_is_enabled() + result = check.execute() + assert len(result) == 0 + + def test_storage_storage_accounts_infrastructure_encryption_disabled(self): + storage_account_id = str(uuid4()) + storage_account_name = "Test Storage Account" + storage_client = mock.MagicMock + storage_client.storage_accounts = { + AZURE_SUSCRIPTION: [ + Storage_Account( + id=storage_account_id, + name=storage_account_name, + enable_https_traffic_only=False, + infrastructure_encryption=False, + allow_blob_public_access=None, + network_rule_set=None, + encryption_type="None", + minimum_tls_version="TLS1_1", + ) + ] + } + + with mock.patch( + "prowler.providers.azure.services.storage.storage_infrastructure_encryption_is_enabled.storage_infrastructure_encryption_is_enabled.storage_client", + new=storage_client, + ): + from prowler.providers.azure.services.storage.storage_infrastructure_encryption_is_enabled.storage_infrastructure_encryption_is_enabled import ( + storage_infrastructure_encryption_is_enabled, + ) + + check = storage_infrastructure_encryption_is_enabled() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended 
+ == f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} has infrastructure encryption disabled" + ) + assert result[0].subscription == AZURE_SUSCRIPTION + assert result[0].resource_name == storage_account_name + assert result[0].resource_id == storage_account_id + + def test_storage_storage_accounts_infrastructure_encryption_enabled(self): + storage_account_id = str(uuid4()) + storage_account_name = "Test Storage Account" + storage_client = mock.MagicMock + storage_client.storage_accounts = { + AZURE_SUSCRIPTION: [ + Storage_Account( + id=storage_account_id, + name=storage_account_name, + enable_https_traffic_only=False, + infrastructure_encryption=True, + allow_blob_public_access=None, + network_rule_set=None, + encryption_type="None", + minimum_tls_version="TLS1_1", + ) + ] + } + + with mock.patch( + "prowler.providers.azure.services.storage.storage_infrastructure_encryption_is_enabled.storage_infrastructure_encryption_is_enabled.storage_client", + new=storage_client, + ): + from prowler.providers.azure.services.storage.storage_infrastructure_encryption_is_enabled.storage_infrastructure_encryption_is_enabled import ( + storage_infrastructure_encryption_is_enabled, + ) + + check = storage_infrastructure_encryption_is_enabled() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "PASS" + assert ( + result[0].status_extended + == f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} has infrastructure encryption enabled" + ) + assert result[0].subscription == AZURE_SUSCRIPTION + assert result[0].resource_name == storage_account_name + assert result[0].resource_id == storage_account_id 
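Review bot: `storage_client = mock.MagicMock` patches in the `MagicMock` class rather than an instance, so `storage_accounts` is written onto a class shared by every test in the session; the check still resolves the attribute, but any later test that expects a fresh `MagicMock()` to have no `storage_accounts` will see this file's fixture. Use `storage_client = mock.MagicMock()` in all three tests. The fixtures also set `minimum_tls_version="TLS1_1"` and `encryption_type="None"`, which are unrelated to infrastructure encryption and appear to be copied from the TLS test; leaving them at `None` keeps the test focused on `infrastructure_encryption`.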
diff --git a/tests/providers/azure/services/storage/storage_secure_transfer_required_is_enabled/storage_secure_transfer_required_is_enabled_test.py b/tests/providers/azure/services/storage/storage_secure_transfer_required_is_enabled/storage_secure_transfer_required_is_enabled_test.py index e69de29bb2..ed5a921e4e 100644 --- a/tests/providers/azure/services/storage/storage_secure_transfer_required_is_enabled/storage_secure_transfer_required_is_enabled_test.py +++ b/tests/providers/azure/services/storage/storage_secure_transfer_required_is_enabled/storage_secure_transfer_required_is_enabled_test.py 
@@ -0,0 +1,102 @@ +from unittest import mock +from uuid import uuid4 + +from prowler.providers.azure.services.storage.storage_service import Storage_Account + +AZURE_SUSCRIPTION = str(uuid4()) + + +class Test_storage_secure_transfer_required_is_enabled: + def test_storage_no_storage_accounts(self): + storage_client = mock.MagicMock + storage_client.storage_accounts = {} + + with mock.patch( + "prowler.providers.azure.services.storage.storage_secure_transfer_required_is_enabled.storage_secure_transfer_required_is_enabled.storage_client", + new=storage_client, + ): + from prowler.providers.azure.services.storage.storage_secure_transfer_required_is_enabled.storage_secure_transfer_required_is_enabled import ( + storage_secure_transfer_required_is_enabled, + ) + + check = storage_secure_transfer_required_is_enabled() + result = check.execute() + assert len(result) == 0 + + def test_storage_storage_accounts_secure_transfer_required_disabled(self): + storage_account_id = str(uuid4()) + storage_account_name = "Test Storage Account" + storage_client = mock.MagicMock + storage_client.storage_accounts = { + AZURE_SUSCRIPTION: [ + Storage_Account( + id=storage_account_id, + name=storage_account_name, + enable_https_traffic_only=False, + infrastructure_encryption=False, + allow_blob_public_access=None, + network_rule_set=None, + encryption_type="None", + minimum_tls_version="TLS1_1", + ) + ] + } + + with mock.patch( + "prowler.providers.azure.services.storage.storage_secure_transfer_required_is_enabled.storage_secure_transfer_required_is_enabled.storage_client", + new=storage_client, + ): + from prowler.providers.azure.services.storage.storage_secure_transfer_required_is_enabled.storage_secure_transfer_required_is_enabled import ( + storage_secure_transfer_required_is_enabled, + ) + + check = storage_secure_transfer_required_is_enabled() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == f"Storage 
account {storage_account_name} from subscription {AZURE_SUSCRIPTION} has secure transfer required disabled" + ) + assert result[0].subscription == AZURE_SUSCRIPTION + assert result[0].resource_name == storage_account_name + assert result[0].resource_id == storage_account_id + + def test_storage_storage_accounts_secure_transfer_required_enabled(self): + storage_account_id = str(uuid4()) + storage_account_name = "Test Storage Account" + storage_client = mock.MagicMock + storage_client.storage_accounts = { + AZURE_SUSCRIPTION: [ + Storage_Account( + id=storage_account_id, + name=storage_account_name, + enable_https_traffic_only=True, + infrastructure_encryption=True, + allow_blob_public_access=None, + network_rule_set=None, + encryption_type="None", + minimum_tls_version="TLS1_1", + ) + ] + } + + with mock.patch( + "prowler.providers.azure.services.storage.storage_secure_transfer_required_is_enabled.storage_secure_transfer_required_is_enabled.storage_client", + new=storage_client, + ): + from prowler.providers.azure.services.storage.storage_secure_transfer_required_is_enabled.storage_secure_transfer_required_is_enabled import ( + storage_secure_transfer_required_is_enabled, + ) + + check = storage_secure_transfer_required_is_enabled() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "PASS" + assert ( + result[0].status_extended + == f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} has secure transfer required enabled" + ) + assert result[0].subscription == AZURE_SUSCRIPTION + assert result[0].resource_name == storage_account_name + assert result[0].resource_id == storage_account_id
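Review bot: The PASS case flips both `enable_https_traffic_only=True` and `infrastructure_encryption=True` relative to the FAIL case, so it does not isolate the attribute the secure-transfer check reads; if the check keyed off the wrong field the test would still pass. Keep `infrastructure_encryption=False` in both cases and vary only `enable_https_traffic_only`. The same `mock.MagicMock` class-versus-instance issue as in the sibling files applies here (`storage_client = mock.MagicMock()`).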