test(azure): SQL Server Service (#2671)
Showing
3 changed files
with
360 additions
and
0 deletions.
@@ -0,0 +1,106 @@ | ||
from unittest import mock | ||
from uuid import uuid4 | ||
|
||
from azure.mgmt.sql.models import ( | ||
FirewallRule, | ||
ServerBlobAuditingPolicy, | ||
ServerExternalAdministrator, | ||
) | ||
|
||
from prowler.providers.azure.services.sqlserver.sqlserver_service import SQL_Server | ||
|
||
AZURE_SUSCRIPTION = str(uuid4()) | ||
|
||
|
||
class Test_defender_ensure_defender_for_storage_is_on: | ||
def test_no_sql_servers(self): | ||
sqlserver_client = mock.MagicMock | ||
sqlserver_client.sql_servers = {} | ||
|
||
with mock.patch( | ||
"prowler.providers.azure.services.sqlserver.sqlserver_auditing_enabled.sqlserver_auditing_enabled.sqlserver_client", | ||
new=sqlserver_client, | ||
): | ||
from prowler.providers.azure.services.sqlserver.sqlserver_auditing_enabled.sqlserver_auditing_enabled import ( | ||
sqlserver_auditing_enabled, | ||
) | ||
|
||
check = sqlserver_auditing_enabled() | ||
result = check.execute() | ||
assert len(result) == 0 | ||
|
||
def test_sql_servers_auditing_disabled(self): | ||
sqlserver_client = mock.MagicMock | ||
sql_server_name = "SQL Server Name" | ||
sql_server_id = str(uuid4()) | ||
sqlserver_client.sql_servers = { | ||
AZURE_SUSCRIPTION: [ | ||
SQL_Server( | ||
id=sql_server_id, | ||
name=sql_server_name, | ||
public_network_access="", | ||
minimal_tls_version="", | ||
administrators=ServerExternalAdministrator(), | ||
auditing_policies=[ServerBlobAuditingPolicy(state="Disabled")], | ||
firewall_rules=FirewallRule(), | ||
) | ||
] | ||
} | ||
|
||
with mock.patch( | ||
"prowler.providers.azure.services.sqlserver.sqlserver_auditing_enabled.sqlserver_auditing_enabled.sqlserver_client", | ||
new=sqlserver_client, | ||
): | ||
from prowler.providers.azure.services.sqlserver.sqlserver_auditing_enabled.sqlserver_auditing_enabled import ( | ||
sqlserver_auditing_enabled, | ||
) | ||
|
||
check = sqlserver_auditing_enabled() | ||
result = check.execute() | ||
assert len(result) == 1 | ||
assert result[0].status == "FAIL" | ||
assert ( | ||
result[0].status_extended | ||
== f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} does not have any auditing policy configured" | ||
) | ||
assert result[0].subscription == AZURE_SUSCRIPTION | ||
assert result[0].resource_name == sql_server_name | ||
assert result[0].resource_id == sql_server_id | ||
|
||
def test_sql_servers_auditing_enabled(self): | ||
sqlserver_client = mock.MagicMock | ||
sql_server_name = "SQL Server Name" | ||
sql_server_id = str(uuid4()) | ||
sqlserver_client.sql_servers = { | ||
AZURE_SUSCRIPTION: [ | ||
SQL_Server( | ||
id=sql_server_id, | ||
name=sql_server_name, | ||
public_network_access="", | ||
minimal_tls_version="", | ||
administrators=ServerExternalAdministrator(), | ||
auditing_policies=[ServerBlobAuditingPolicy(state="Enabled")], | ||
firewall_rules=FirewallRule(), | ||
) | ||
] | ||
} | ||
|
||
with mock.patch( | ||
"prowler.providers.azure.services.sqlserver.sqlserver_auditing_enabled.sqlserver_auditing_enabled.sqlserver_client", | ||
new=sqlserver_client, | ||
): | ||
from prowler.providers.azure.services.sqlserver.sqlserver_auditing_enabled.sqlserver_auditing_enabled import ( | ||
sqlserver_auditing_enabled, | ||
) | ||
|
||
check = sqlserver_auditing_enabled() | ||
result = check.execute() | ||
assert len(result) == 1 | ||
assert result[0].status == "PASS" | ||
assert ( | ||
result[0].status_extended | ||
== f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has a auditing policy configured" | ||
) | ||
assert result[0].subscription == AZURE_SUSCRIPTION | ||
assert result[0].resource_name == sql_server_name | ||
assert result[0].resource_id == sql_server_id |
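Review bot: `sqlserver_client = mock.MagicMock` at the top of each test binds the class, not an instance, so the following `sqlserver_client.sql_servers = {...}` sets a class attribute on `unittest.mock.MagicMock` that is shared with every other test in the same process; it should read `sqlserver_client = mock.MagicMock()` in all three tests. The FAIL message asserted on `status_extended` says the server "does not have any auditing policy configured", yet the only negative fixture is a policy with `state="Disabled"`; a case with `auditing_policies=[]` (no policy at all) would pin the behaviour that message actually describes. The fixture shape also disagrees with the other files in this commit (`firewall_rules=FirewallRule()` here versus a list of rules elsewhere), and the class name `Test_defender_ensure_defender_for_storage_is_on` is a copy-paste from another service; `Test_sqlserver_auditing_enabled` would match the module under test. `AZURE_SUSCRIPTION` is presumably meant to be `AZURE_SUBSCRIPTION`.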
@@ -0,0 +1,144 @@ | ||
from unittest import mock | ||
from uuid import uuid4 | ||
|
||
from azure.mgmt.sql.models import ServerExternalAdministrator | ||
|
||
from prowler.providers.azure.services.sqlserver.sqlserver_service import SQL_Server | ||
|
||
AZURE_SUSCRIPTION = str(uuid4()) | ||
|
||
|
||
class Test_defender_ensure_defender_for_storage_is_on: | ||
def test_no_sql_servers(self): | ||
sqlserver_client = mock.MagicMock | ||
sqlserver_client.sql_servers = {} | ||
|
||
with mock.patch( | ||
"prowler.providers.azure.services.sqlserver.sqlserver_azuread_administrator_enabled.sqlserver_azuread_administrator_enabled.sqlserver_client", | ||
new=sqlserver_client, | ||
): | ||
from prowler.providers.azure.services.sqlserver.sqlserver_azuread_administrator_enabled.sqlserver_azuread_administrator_enabled import ( | ||
sqlserver_azuread_administrator_enabled, | ||
) | ||
|
||
check = sqlserver_azuread_administrator_enabled() | ||
result = check.execute() | ||
assert len(result) == 0 | ||
|
||
def test_sql_servers_azuread_no_administrator(self): | ||
sqlserver_client = mock.MagicMock | ||
sql_server_name = "SQL Server Name" | ||
sql_server_id = str(uuid4()) | ||
sqlserver_client.sql_servers = { | ||
AZURE_SUSCRIPTION: [ | ||
SQL_Server( | ||
id=sql_server_id, | ||
name=sql_server_name, | ||
public_network_access="", | ||
minimal_tls_version="", | ||
administrators=None, | ||
auditing_policies=[], | ||
firewall_rules=None, | ||
) | ||
] | ||
} | ||
|
||
with mock.patch( | ||
"prowler.providers.azure.services.sqlserver.sqlserver_azuread_administrator_enabled.sqlserver_azuread_administrator_enabled.sqlserver_client", | ||
new=sqlserver_client, | ||
): | ||
from prowler.providers.azure.services.sqlserver.sqlserver_azuread_administrator_enabled.sqlserver_azuread_administrator_enabled import ( | ||
sqlserver_azuread_administrator_enabled, | ||
) | ||
|
||
check = sqlserver_azuread_administrator_enabled() | ||
result = check.execute() | ||
assert len(result) == 1 | ||
assert result[0].status == "FAIL" | ||
assert ( | ||
result[0].status_extended | ||
== f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} does not have an Active Directory administrator" | ||
) | ||
assert result[0].subscription == AZURE_SUSCRIPTION | ||
assert result[0].resource_name == sql_server_name | ||
assert result[0].resource_id == sql_server_id | ||
|
||
def test_sql_servers_azuread_administrator_no_active_directory(self): | ||
sqlserver_client = mock.MagicMock | ||
sql_server_name = "SQL Server Name" | ||
sql_server_id = str(uuid4()) | ||
sqlserver_client.sql_servers = { | ||
AZURE_SUSCRIPTION: [ | ||
SQL_Server( | ||
id=sql_server_id, | ||
name=sql_server_name, | ||
public_network_access="", | ||
minimal_tls_version="", | ||
administrators=ServerExternalAdministrator( | ||
administrator_type="No ActiveDirectory" | ||
), | ||
auditing_policies=[], | ||
firewall_rules=None, | ||
) | ||
] | ||
} | ||
|
||
with mock.patch( | ||
"prowler.providers.azure.services.sqlserver.sqlserver_azuread_administrator_enabled.sqlserver_azuread_administrator_enabled.sqlserver_client", | ||
new=sqlserver_client, | ||
): | ||
from prowler.providers.azure.services.sqlserver.sqlserver_azuread_administrator_enabled.sqlserver_azuread_administrator_enabled import ( | ||
sqlserver_azuread_administrator_enabled, | ||
) | ||
|
||
check = sqlserver_azuread_administrator_enabled() | ||
result = check.execute() | ||
assert len(result) == 1 | ||
assert result[0].status == "FAIL" | ||
assert ( | ||
result[0].status_extended | ||
== f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} does not have an Active Directory administrator" | ||
) | ||
assert result[0].subscription == AZURE_SUSCRIPTION | ||
assert result[0].resource_name == sql_server_name | ||
assert result[0].resource_id == sql_server_id | ||
|
||
def test_sql_servers_azuread_administrator_active_directory(self): | ||
sqlserver_client = mock.MagicMock | ||
sql_server_name = "SQL Server Name" | ||
sql_server_id = str(uuid4()) | ||
sqlserver_client.sql_servers = { | ||
AZURE_SUSCRIPTION: [ | ||
SQL_Server( | ||
id=sql_server_id, | ||
name=sql_server_name, | ||
public_network_access="", | ||
minimal_tls_version="", | ||
administrators=ServerExternalAdministrator( | ||
administrator_type="ActiveDirectory" | ||
), | ||
auditing_policies=[], | ||
firewall_rules=None, | ||
) | ||
] | ||
} | ||
|
||
with mock.patch( | ||
"prowler.providers.azure.services.sqlserver.sqlserver_azuread_administrator_enabled.sqlserver_azuread_administrator_enabled.sqlserver_client", | ||
new=sqlserver_client, | ||
): | ||
from prowler.providers.azure.services.sqlserver.sqlserver_azuread_administrator_enabled.sqlserver_azuread_administrator_enabled import ( | ||
sqlserver_azuread_administrator_enabled, | ||
) | ||
|
||
check = sqlserver_azuread_administrator_enabled() | ||
result = check.execute() | ||
assert len(result) == 1 | ||
assert result[0].status == "PASS" | ||
assert ( | ||
result[0].status_extended | ||
== f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has an Active Directory administrator" | ||
) | ||
assert result[0].subscription == AZURE_SUSCRIPTION | ||
assert result[0].resource_name == sql_server_name | ||
assert result[0].resource_id == sql_server_id |
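Review bot: The negative cases cover `administrators=None` and `administrator_type="No ActiveDirectory"`, but not a `ServerExternalAdministrator()` whose `administrator_type` is left at its default `None`, which is exactly the fixture the auditing test in this commit builds; since the check presumably compares `administrator_type` against `"ActiveDirectory"`, a test asserting FAIL for that object would pin the branch taken when the API returns an administrator block with no type. As far as I can tell the SDK's `AdministratorType` enum only defines `ActiveDirectory`, so `"No ActiveDirectory"` is an invented value; it still exercises the branch, but a comment on that line such as `# not a real AdministratorType value; any string other than "ActiveDirectory" must FAIL` would stop a reader mistaking it for an API value. `sqlserver_client = mock.MagicMock` in all four tests binds the class rather than an instance, so `sql_servers` is set on the shared `MagicMock` class; use `mock.MagicMock()`. The class name `Test_defender_ensure_defender_for_storage_is_on` does not match the module under test and should be `Test_sqlserver_azuread_administrator_enabled`.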
@@ -0,0 +1,110 @@ | ||
from unittest import mock | ||
from uuid import uuid4 | ||
|
||
from azure.mgmt.sql.models import FirewallRule | ||
|
||
from prowler.providers.azure.services.sqlserver.sqlserver_service import SQL_Server | ||
|
||
AZURE_SUSCRIPTION = str(uuid4()) | ||
|
||
|
||
class Test_defender_ensure_defender_for_storage_is_on: | ||
def test_no_sql_servers(self): | ||
sqlserver_client = mock.MagicMock | ||
sqlserver_client.sql_servers = {} | ||
|
||
with mock.patch( | ||
"prowler.providers.azure.services.sqlserver.sqlserver_unrestricted_inbound_access.sqlserver_unrestricted_inbound_access.sqlserver_client", | ||
new=sqlserver_client, | ||
): | ||
from prowler.providers.azure.services.sqlserver.sqlserver_unrestricted_inbound_access.sqlserver_unrestricted_inbound_access import ( | ||
sqlserver_unrestricted_inbound_access, | ||
) | ||
|
||
check = sqlserver_unrestricted_inbound_access() | ||
result = check.execute() | ||
assert len(result) == 0 | ||
|
||
def test_sql_servers_unrestricted_inbound_access(self): | ||
sqlserver_client = mock.MagicMock | ||
sql_server_name = "SQL Server Name" | ||
sql_server_id = str(uuid4()) | ||
sqlserver_client.sql_servers = { | ||
AZURE_SUSCRIPTION: [ | ||
SQL_Server( | ||
id=sql_server_id, | ||
name=sql_server_name, | ||
public_network_access="", | ||
minimal_tls_version="", | ||
administrators=None, | ||
auditing_policies=[], | ||
firewall_rules=[ | ||
FirewallRule( | ||
start_ip_address="0.0.0.0", end_ip_address="255.255.255.255" | ||
) | ||
], | ||
) | ||
] | ||
} | ||
|
||
with mock.patch( | ||
"prowler.providers.azure.services.sqlserver.sqlserver_unrestricted_inbound_access.sqlserver_unrestricted_inbound_access.sqlserver_client", | ||
new=sqlserver_client, | ||
): | ||
from prowler.providers.azure.services.sqlserver.sqlserver_unrestricted_inbound_access.sqlserver_unrestricted_inbound_access import ( | ||
sqlserver_unrestricted_inbound_access, | ||
) | ||
|
||
check = sqlserver_unrestricted_inbound_access() | ||
result = check.execute() | ||
assert len(result) == 1 | ||
assert result[0].status == "FAIL" | ||
assert ( | ||
result[0].status_extended | ||
== f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has firewall rules allowing 0.0.0.0-255.255.255.255" | ||
) | ||
assert result[0].subscription == AZURE_SUSCRIPTION | ||
assert result[0].resource_name == sql_server_name | ||
assert result[0].resource_id == sql_server_id | ||
|
||
def test_sql_servers_restricted_inbound_access(self): | ||
sqlserver_client = mock.MagicMock | ||
sql_server_name = "SQL Server Name" | ||
sql_server_id = str(uuid4()) | ||
sqlserver_client.sql_servers = { | ||
AZURE_SUSCRIPTION: [ | ||
SQL_Server( | ||
id=sql_server_id, | ||
name=sql_server_name, | ||
public_network_access="", | ||
minimal_tls_version="", | ||
administrators=None, | ||
auditing_policies=[], | ||
firewall_rules=[ | ||
FirewallRule( | ||
start_ip_address="10.10.10.10", end_ip_address="10.10.10.10" | ||
) | ||
], | ||
) | ||
] | ||
} | ||
|
||
with mock.patch( | ||
"prowler.providers.azure.services.sqlserver.sqlserver_unrestricted_inbound_access.sqlserver_unrestricted_inbound_access.sqlserver_client", | ||
new=sqlserver_client, | ||
): | ||
from prowler.providers.azure.services.sqlserver.sqlserver_unrestricted_inbound_access.sqlserver_unrestricted_inbound_access import ( | ||
sqlserver_unrestricted_inbound_access, | ||
) | ||
|
||
check = sqlserver_unrestricted_inbound_access() | ||
result = check.execute() | ||
assert len(result) == 1 | ||
assert result[0].status == "PASS" | ||
assert ( | ||
result[0].status_extended | ||
== f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} does not have firewall rules allowing 0.0.0.0-255.255.255.255" | ||
) | ||
assert result[0].subscription == AZURE_SUSCRIPTION | ||
assert result[0].resource_name == sql_server_name | ||
assert result[0].resource_id == sql_server_id |
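Review bot: The FAIL fixture is the literal `0.0.0.0`–`255.255.255.255` rule and the PASS fixture a single host, and both asserted messages name only that exact pair, which suggests the check string-matches one specific range; nothing here pins how it treats a rule that is open in practice but not byte-identical, for example `start_ip_address="0.0.0.0", end_ip_address="255.255.255.254"` or `"1.0.0.0"`–`"255.255.255.255"`, nor a server whose `firewall_rules` list holds several rules with only a later one open. Adding one test with a two-rule list where the second rule is the full range, and one with a near-full range asserting the intended status, would document the check's real threshold rather than a single string. The fixtures also set `public_network_access=""`; if the check ignores that field, a server with public access disabled still FAILs on a wide rule, which is defensible as rule hygiene but worth confirming is the intended contract. `sqlserver_client = mock.MagicMock` binds the class rather than an instance, so `sql_servers` is written onto the shared `MagicMock` class; use `mock.MagicMock()`, and rename the class from the copy-pasted `Test_defender_ensure_defender_for_storage_is_on` to `Test_sqlserver_unrestricted_inbound_access`.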