Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: migrate Azure resource models to avoid using SDK defaults #6880

Open
wants to merge 25 commits into
base: master
Choose a base branch
from
Open

fix: migrate Azure resource models to avoid using SDK defaults #6880

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
a838d98
fix: use own model ManagedClusterAgentPoolProfile
puchy22 Feb 7, 2025
3d30209
fix: add dataclass to ManagedClusterAgentPool
puchy22 Feb 7, 2025
b79419c
fix: use own models ManagedServiceIdentity and SiteConfigResource
puchy22 Feb 7, 2025
bb69a33
fix: use own model PrivateEndpointConnection
puchy22 Feb 7, 2025
d4f14ac
fix: use own model Permissions
puchy22 Feb 7, 2025
eb1f4ab
fix: use own model KeyAttributes
puchy22 Feb 7, 2025
2d0b4cb
fix: use own model SecretAttributes
puchy22 Feb 7, 2025
0182b4f
fix: use own model VaultProperties
puchy22 Feb 7, 2025
c45b334
fix: use own model PrivateEndpointConnection and delete unused Contai…
puchy22 Feb 10, 2025
33a4f3e
fix: use own model AlertRuleAllOfCondition
puchy22 Feb 10, 2025
0b16e3a
fix: use own model LogSettings
puchy22 Feb 10, 2025
311ed3e
fix: use own model TransparentDataEncryption
puchy22 Feb 10, 2025
81daec5
fix: use own models for SQL Servers model
puchy22 Feb 10, 2025
e29a9f6
fix: use own models for Storage service
puchy22 Feb 10, 2025
1aa9116
fix: use own model StorageProfile
puchy22 Feb 10, 2025
1868b8b
fix: add default values to not mandatory attributes
puchy22 Feb 11, 2025
6444e98
fix: add realistic default values
puchy22 Feb 11, 2025
f49a4a3
fix: typo
puchy22 Feb 11, 2025
bd4cb6d
fix: stop using princpal name
puchy22 Feb 11, 2025
82f5fb0
fix: change default value
puchy22 Feb 12, 2025
1210bce
fix: create own KeyRotationPolicy model
puchy22 Feb 12, 2025
f60a230
fix: add needed default values
puchy22 Feb 12, 2025
96acaec
fix: add FlowLog as own model
puchy22 Feb 12, 2025
8070f42
fix: add getattr to container_delete_retention_policy attribute
puchy22 Feb 12, 2025
feb78ac
fix: return the correct list
puchy22 Feb 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 19 additions & 4 deletions prowler/providers/azure/services/aks/aks_service.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@
from typing import List

from azure.mgmt.containerservice import ContainerServiceClient
from azure.mgmt.containerservice.models import ManagedClusterAgentPoolProfile

from prowler.lib.logger import logger
from prowler.providers.azure.azure_provider import AzureProvider
Expand Down Expand Up @@ -42,9 +41,19 @@ def _get_clusters(self):
if getattr(cluster, "network_profile", None)
else None
),
agent_pool_profiles=getattr(
cluster, "agent_pool_profiles", []
),
agent_pool_profiles=[
ManagedClusterAgentPoolProfile(
name=agent_pool_profile.name,
enable_node_public_ip=getattr(
agent_pool_profile,
"enable_node_public_ip",
False,
),
)
for agent_pool_profile in getattr(
cluster, "agent_pool_profiles", []
)
],
rbac_enabled=getattr(cluster, "enable_rbac", False),
)
}
Expand All @@ -57,6 +66,12 @@ def _get_clusters(self):
return clusters


@dataclass
class ManagedClusterAgentPoolProfile:
name: str
enable_node_public_ip: bool


@dataclass
class Cluster:
id: str
Expand Down
75 changes: 67 additions & 8 deletions prowler/providers/azure/services/app/app_service.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,7 @@
from dataclasses import dataclass
from typing import Dict
from dataclasses import dataclass, field
from typing import Dict, List

from azure.mgmt.web import WebSiteManagementClient
from azure.mgmt.web.models import ManagedServiceIdentity, SiteConfigResource

from prowler.lib.logger import logger
from prowler.providers.azure.azure_provider import AzureProvider
Expand Down Expand Up @@ -37,6 +36,11 @@
None,
)

# Get app configurations
app_configurations = client.web_apps.get_configuration(

Check warning on line 40 in prowler/providers/azure/services/app/app_service.py

View check run for this annotation

Codecov / codecov/patch

prowler/providers/azure/services/app/app_service.py#L40 

Added line #L40 was not covered by tests
resource_group_name=app.resource_group, name=app.name
)

apps[subscription_name].update(
{
app.id: WebApp(
Expand All @@ -47,9 +51,30 @@
if platform_auth
else False
),
configurations=client.web_apps.get_configuration(
resource_group_name=app.resource_group,
name=app.name,
configurations=SiteConfigResource(
id=app_configurations.id,
name=app_configurations.name,
linux_fx_version=getattr(
app_configurations, "linux_fx_version", ""
),
java_version=getattr(
app_configurations, "java_version", ""
),
php_version=getattr(
app_configurations, "php_version", ""
),
python_version=getattr(
app_configurations, "python_version", ""
),
http20_enabled=getattr(
app_configurations, "http20_enabled", False
),
ftps_state=getattr(
app_configurations, "ftps_state", ""
),
min_tls_version=getattr(
app_configurations, "min_tls_version", ""
),
),
client_cert_mode=self._get_client_cert_mode(
getattr(app, "client_cert_enabled", False),
Expand All @@ -59,7 +84,21 @@
app.name, app.resource_group, subscription_name
),
https_only=getattr(app, "https_only", False),
identity=getattr(app, "identity", None),
identity=ManagedServiceIdentity(
principal_id=getattr(
getattr(app, "identity", {}),
"principal_id",
"",
),
tenant_id=getattr(
getattr(app, "identity", {}),
"tenant_id",
"",
),
type=getattr(
getattr(app, "identity", {}), "type", ""
),
),
location=app.location,
kind=app.kind,
)
Expand Down Expand Up @@ -171,6 +210,26 @@
return monitor_diagnostics_settings


@dataclass
class ManagedServiceIdentity:
principal_id: str
tenant_id: str
type: str


@dataclass
class SiteConfigResource:
id: str
name: str
linux_fx_version: str
java_version: str
php_version: str
python_version: str
http20_enabled: bool
ftps_state: str
min_tls_version: str


@dataclass
class WebApp:
resource_id: str
Expand All @@ -181,7 +240,7 @@
client_cert_mode: str = "Ignore"
auth_enabled: bool = False
https_only: bool = False
monitor_diagnostic_settings: list[DiagnosticSetting] = None
monitor_diagnostic_settings: List[DiagnosticSetting] = field(default_factory=list)
kind: str = "app"


Expand Down
29 changes: 20 additions & 9 deletions prowler/providers/azure/services/containerregistry/containerregistry_service.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,6 @@
from dataclasses import dataclass

from azure.mgmt.containerregistry import ContainerRegistryManagementClient
from azure.mgmt.containerregistry.models import (
NetworkRuleSet,
PrivateEndpointConnection,
)

from prowler.lib.logger import logger
from prowler.providers.azure.azure_provider import AzureProvider
Expand Down Expand Up @@ -40,7 +36,9 @@ def _get_container_registries(self):
public_network_access=(
False
if getattr(
registry, "public_network_access" "Enabled"
registry,
"public_network_access_enabled",
"Enabled",
)
== "Disabled"
else True
Expand All @@ -54,9 +52,16 @@ def _get_container_registries(self):
monitor_diagnostic_settings=self._get_registry_monitor_settings(
registry.name, resource_group, subscription
),
private_endpoint_connections=getattr(
registry, "private_endpoint_connections", []
),
private_endpoint_connections=[
PrivateEndpointConnection(
id=pec.id,
name=pec.name,
type=pec.type,
)
for pec in getattr(
registry, "private_endpoint_connections", []
)
],
)
},
)
Expand Down Expand Up @@ -90,6 +95,13 @@ def _get_registry_monitor_settings(
return monitor_diagnostics_settings


@dataclass
class PrivateEndpointConnection:
id: str
name: str
type: str


@dataclass
class ContainerRegistryInfo:
id: str
Expand All @@ -100,6 +112,5 @@ class ContainerRegistryInfo:
login_server: str
public_network_access: bool
admin_user_enabled: bool
network_rule_set: NetworkRuleSet
monitor_diagnostic_settings: list[DiagnosticSetting]
private_endpoint_connections: list[PrivateEndpointConnection]
24 changes: 18 additions & 6 deletions prowler/providers/azure/services/cosmosdb/cosmosdb_service.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
from dataclasses import dataclass, field
from dataclasses import dataclass
from typing import List

from azure.mgmt.cosmosdb import CosmosDBManagementClient
from azure.mgmt.cosmosdb.models import PrivateEndpointConnection

from prowler.lib.logger import logger
from prowler.providers.azure.azure_provider import AzureProvider
Expand Down Expand Up @@ -30,7 +30,14 @@ def _get_accounts(self):
type=account.type,
tags=account.tags,
is_virtual_network_filter_enabled=account.is_virtual_network_filter_enabled,
private_endpoint_connections=account.private_endpoint_connections,
private_endpoint_connections=[
PrivateEndpointConnection(
id=private_endpoint_connection.id,
name=private_endpoint_connection.name,
type=private_endpoint_connection.type,
)
for private_endpoint_connection in account.private_endpoint_connections
],
disable_local_auth=account.disable_local_auth,
)
)
Expand All @@ -41,6 +48,13 @@ def _get_accounts(self):
return accounts


@dataclass
class PrivateEndpointConnection:
id: str
name: str
type: str


@dataclass
class Account:
id: str
Expand All @@ -50,7 +64,5 @@ class Account:
tags: dict
is_virtual_network_filter_enabled: bool
location: str
private_endpoint_connections: list[PrivateEndpointConnection] = field(
default_factory=list
)
private_endpoint_connections: List[PrivateEndpointConnection]
disable_local_auth: bool = False
8 changes: 3 additions & 5 deletions prowler/providers/azure/services/entra/entra_service.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ async def _get_users(self):
for user in users_list.value:
users[tenant].update(
{
user.user_principal_name: User(
user.id: User(
id=user.id,
name=user.display_name,
authentication_methods=[
Expand Down Expand Up @@ -261,11 +261,9 @@ async def _get_directory_roles(self):
directory_role.display_name: DirectoryRole(
id=directory_role.id,
members=[
self.users[tenant][member.user_principal_name]
self.users[tenant][member.id]
for member in directory_role_members.value
if self.users[tenant].get(
member.user_principal_name, None
)
if self.users[tenant].get(member.id, None)
],
)
}
Expand Down
24 changes: 20 additions & 4 deletions prowler/providers/azure/services/iam/iam_service.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
from dataclasses import dataclass
from typing import List

from azure.mgmt.authorization import AuthorizationManagementClient
from azure.mgmt.authorization.v2022_04_01.models import Permission

from prowler.lib.logger import logger
from prowler.providers.azure.azure_provider import AzureProvider
Expand Down Expand Up @@ -33,7 +33,16 @@ def _get_roles(self):
name=role.role_name,
type=role.role_type,
assignable_scopes=role.assignable_scopes,
permissions=role.permissions,
permissions=[
Permission(
condition=getattr(permission, "condition", ""),
condition_version=getattr(
permission, "condition_version", ""
),
actions=getattr(permission, "actions", []),
)
for permission in getattr(role, "permissions", [])
],
)
)
else:
Expand Down Expand Up @@ -82,13 +91,20 @@ def _get_role_assignments(self):
return role_assignments


@dataclass
class Permission:
actions: List[str]
condition: str
condition_version: str


@dataclass
class Role:
id: str
name: str
type: str
assignable_scopes: list[str]
permissions: list[Permission]
assignable_scopes: List[str]
permissions: List[Permission]


@dataclass
Expand Down
6 changes: 1 addition & 5 deletions ...yvault/keyvault_key_expiration_set_in_non_rbac/keyvault_key_expiration_set_in_non_rbac.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,11 +16,7 @@ def execute(self) -> Check_Report_Azure:
report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} has all the keys with expiration date set."
has_key_without_expiration = False
for key in keyvault.keys:
if (
key.attributes
and not key.attributes.expires
and key.enabled
):
if not key.attributes.expires and key.enabled:
report.status = "FAIL"
report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} has the key {key.name} without expiration date set."
has_key_without_expiration = True
Expand Down
6 changes: 1 addition & 5 deletions ...yvault/keyvault_non_rbac_secret_expiration_set/keyvault_non_rbac_secret_expiration_set.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,11 +19,7 @@ def execute(self) -> Check_Report_Azure:
report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} has all the secrets with expiration date set."
has_secret_without_expiration = False
for secret in keyvault.secrets:
if (
secret.attributes
and not secret.attributes.expires
and secret.enabled
):
if not secret.attributes.expires and secret.enabled:
report.status = "FAIL"
report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} has the secret {secret.name} without expiration date set."
has_secret_without_expiration = True
Expand Down
6 changes: 1 addition & 5 deletions ...re/services/keyvault/keyvault_rbac_key_expiration_set/keyvault_rbac_key_expiration_set.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,11 +16,7 @@ def execute(self) -> Check_Report_Azure:
report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} has all the keys with expiration date set."
has_key_without_expiration = False
for key in keyvault.keys:
if (
key.attributes
and not key.attributes.expires
and key.enabled
):
if not key.attributes.expires and key.enabled:
report.status = "FAIL"
report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} has the key {key.name} without expiration date set."
has_key_without_expiration = True
Expand Down
6 changes: 1 addition & 5 deletions ...vices/keyvault/keyvault_rbac_secret_expiration_set/keyvault_rbac_secret_expiration_set.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,11 +16,7 @@ def execute(self) -> Check_Report_Azure:
report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} has all the secrets with expiration date set."
has_secret_without_expiration = False
for secret in keyvault.secrets:
if (
secret.attributes
and not secret.attributes.expires
and secret.enabled
):
if not secret.attributes.expires and secret.enabled:
report.status = "FAIL"
report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} has the secret {secret.name} without expiration date set."
has_secret_without_expiration = True
Expand Down
Loading
Loading