feat(azure): filtering scans at resource group level (#10657)

Signed-off-by: Legin-ML <leginml2004@gmail.com>
Legin
2026-07-02 14:57:53 +05:30
committed by GitHub
parent b6f74c7284
commit 537c3ea71e
91 changed files with 4461 additions and 99 deletions
@@ -237,6 +237,7 @@
"user-guide/providers/azure/authentication",
"user-guide/providers/azure/use-non-default-cloud",
"user-guide/providers/azure/subscriptions",
"user-guide/providers/azure/resource-groups",
"user-guide/providers/azure/create-prowler-service-principal"
]
},
@@ -0,0 +1,47 @@
---
title: 'Azure Resource Group Scope'
---
Prowler supports narrowing security scans to specific resource groups within Azure subscriptions. This is useful when you want to audit only a subset of resources rather than scanning an entire subscription.
By default, Prowler scans all resource groups it has permission to access. Passing `--azure-resource-group` limits the scan to only the specified resource groups across all accessible subscriptions.
## Configuring Resource Group Scoped Scans
To restrict a scan to one or more resource groups, pass them as arguments using the `--azure-resource-group` flag:
```console
prowler azure --az-cli-auth --azure-resource-group <resource-group-1> <resource-group-2> ... <resource-group-N>
```
For example, to scan only `rg-production` and `rg-staging`:
```console
prowler azure --az-cli-auth --azure-resource-group rg-prod1 rg-prod2
```
This works with all supported authentication methods:
```console
# Service Principal
prowler azure --sp-env-auth --azure-resource-group rg-production
# Browser
prowler azure --browser-auth --tenant-id <tenant-id> --azure-resource-group rg-production
# Managed Identity
prowler azure --managed-identity-auth --azure-resource-group rg-production
```
## How It Works
When `--azure-resource-group` is provided, Prowler validates each specified resource group against all accessible subscriptions. A resource group is included in the scan if it exists in **at least one** subscription.
- If a resource group is found in one or more subscriptions, it will be scanned in those subscriptions only.
- If a resource group is **not found in any** subscription, Prowler logs a warning and skips it.
- If **none** of the provided resource groups are found across any subscription, Prowler logs a warning and no resource group scoped checks will run.
- Resource group names are matched case-insensitively, so `MyGroup` and `mygroup` are treated as the same group, mirroring Azure's own behavior.
<Warning>
If `--azure-resource-group` is used, checks that apply to specific resources are limited to the relevant resource groups. But if checks that apply to tenant or subscription scope (identity, policy, or subscription-level configuration checks) are involved, then these checks will run in their natural scope.
</Warning>
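Review bot: the example command `prowler azure --az-cli-auth --azure-resource-group rg-prod1 rg-prod2` does not match the sentence that introduces it, which names `rg-production` and `rg-staging`; use the same two names in both places. The parser in this PR also accepts the spelling `--azure-resource-groups`, which this page never mentions; either document the alias here or drop it. In the "How It Works" list it is worth stating that Prowler needs read access to list resource groups in each subscription, because the provider handles a subscription where that listing fails differently from one where the group simply does not exist, and the page currently describes only the second case.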
@@ -26,6 +26,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- AWS Bedrock AgentCore privilege escalation paths in the IAM privilege escalation checks, covering Runtime, Harness, Code Interpreter and Custom Browser [(#11726)](https://github.com/prowler-cloud/prowler/pull/11726)
- `--scan-secrets-validate` flag and `aws.secrets_validate` configuration option to optionally validate the secrets discovered by the secret-scanning checks against the provider APIs; secrets confirmed to be live are reported as critical [(#11694)](https://github.com/prowler-cloud/prowler/pull/11694)
- `apigateway_restapi_no_secrets_in_stage_variables` check for AWS provider, scanning API Gateway REST API stage variables for hardcoded secrets such as passwords, API keys, and tokens [(#11188)](https://github.com/prowler-cloud/prowler/pull/11188)
- Azure provider now supports `--azure-resource-group` to scope resource-level checks to specific resource groups across all accessible subscriptions [(#10657)](https://github.com/prowler-cloud/prowler/pull/10657)
### 🔄 Changed
@@ -324,7 +325,6 @@ All notable changes to the **Prowler SDK** are documented in this file.
- `bedrock_prompt_management_exists` check for AWS provider [(#10878)](https://github.com/prowler-cloud/prowler/pull/10878)
- 8 Gmail attachment safety and spoofing protection checks for Google Workspace provider using the Cloud Identity Policy API [(#10980)](https://github.com/prowler-cloud/prowler/pull/10980)
- `bedrock_prompt_encrypted_with_cmk` check for AWS provider [(#10905)](https://github.com/prowler-cloud/prowler/pull/10905)
### 🔄 Changed
- Azure Network Watcher flow log checks now require workspace-backed Traffic Analytics for `network_flow_log_captured_sent` and align metadata with VNet-compatible flow log guidance [(#10645)](https://github.com/prowler-cloud/prowler/pull/10645)
@@ -16,6 +16,7 @@ from azure.identity import (
DefaultAzureCredential,
InteractiveBrowserCredential,
)
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.subscription import SubscriptionClient
from colorama import Fore, Style
from msgraph import GraphServiceClient
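Review bot: `ResourceManagementClient` is provided by the `azure-mgmt-resource` package, and this import is now evaluated unconditionally when the provider module loads; please confirm that package is declared as a direct runtime dependency of the SDK rather than being present only transitively, otherwise the Azure provider will fail to import in a minimal install even when no resource group filter is used.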
@@ -104,6 +105,7 @@ class AzureProvider(Provider):
_region_config: AzureRegionConfig
_locations: dict
_mutelist: AzureMutelist
_resource_groups: dict[str, list[str]]
# TODO: this is not optional, enforce for all providers
audit_metadata: Audit_Metadata
@@ -123,6 +125,7 @@ class AzureProvider(Provider):
mutelist_content: dict = None,
client_id: str = None,
client_secret: str = None,
resource_groups: list = [],
):
"""
Initializes the Azure provider.
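Review bot: `resource_groups: list = []` introduces a mutable default argument. `validate_resource_groups` builds a fresh list from it rather than mutating it, so there is no bug today, but the idiom is flagged by the usual linters (flake8-bugbear B006) and is inconsistent with the `= None` defaults used for `mutelist_content`, `client_id` and `client_secret` in the same signature. Suggest `resource_groups: list = None` and `self.validate_resource_groups(resource_groups or [])` in the body.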
@@ -142,6 +145,7 @@ class AzureProvider(Provider):
mutelist_content (dict): The mutelist content.
client_id (str): The Azure client ID.
client_secret (str): The Azure client secret.
resource_groups (list): List of resource group names.
Returns:
None
@@ -206,7 +210,7 @@ class AzureProvider(Provider):
... managed_identity_auth=False,
... region="AzureUSGovernment",
... )
- Subscriptions: rowler is multisubscription, which means that is going to scan all the subscriptions is able to list. If you only assign permissions to one subscription, it is going to scan a single one.
- Subscriptions: Prowler is multisubscription, which means that is going to scan all the subscriptions is able to list. If you only assign permissions to one subscription, it is going to scan a single one.
Prowler also allows you to specify the subscriptions you want to scan by passing a list of subscription IDs.
>>> AzureProvider(
... az_cli_auth=False,
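Review bot: while this line corrects "rowler" to "Prowler", the remainder of the sentence stays ungrammatical ("which means that is going to scan all the subscriptions is able to list"). Since the line is being rewritten anyway, suggest "Prowler is multi-subscription, which means it scans every subscription it is able to list."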
@@ -215,6 +219,11 @@ class AzureProvider(Provider):
... managed_identity_auth=False,
... subscription_ids=["XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"],
... )
- Resource Groups: Prowler allows you to narrow the scan to specific resource groups.
>>> AzureProvider(
... az_cli_auth=True,
... resource_groups=["rg-production", "rg-staging"],
... )
"""
logger.info("Setting Azure provider ...")
@@ -272,6 +281,8 @@ class AzureProvider(Provider):
# TODO: should we keep this here or within the identity?
self._locations = self.get_locations()
self._resource_groups = self.validate_resource_groups(resource_groups)
# Audit Config
if config_content:
self._audit_config = config_content
@@ -337,6 +348,11 @@ class AzureProvider(Provider):
"""Mutelist object associated with this Azure provider."""
return self._mutelist
@property
def resource_groups(self) -> dict[str, list[str]]:
"""Mapping of subscription name to the list of resource groups to scan within it."""
return self._resource_groups
# TODO: this should be moved to the argparse, if not we need to enforce it from the Provider
# previously was using the AzureException
@staticmethod
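Review bot: the `resource_groups` property docstring says "Mapping of subscription name to the list of resource groups", but `validate_resource_groups` builds `rg_map` as `{subscription_id: [] for subscription_id in self._identity.subscriptions}`, and `AzureService.list_with_rg_scope` looks entries up by that same key. Change the docstring to "Mapping of subscription ID to ..." so service authors do not try to index it by display name.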
@@ -439,7 +455,7 @@ class AzureProvider(Provider):
"""Azure credentials information.
This method prints the Azure Tenant Domain, Azure Tenant ID, Azure Region,
Azure Subscriptions, Azure Identity Type, and Azure Identity ID.
Azure Subscriptions, Azure Resource Groups, Azure Identity Type, and Azure Identity ID.
Args:
None
@@ -455,6 +471,7 @@ class AzureProvider(Provider):
f"Azure Tenant Domain: {Fore.YELLOW}{self._identity.tenant_domain}{Style.RESET_ALL} Azure Tenant ID: {Fore.YELLOW}{self._identity.tenant_ids[0]}{Style.RESET_ALL}",
f"Azure Region: {Fore.YELLOW}{self.region_config.name}{Style.RESET_ALL}",
f"Azure Subscriptions: {Fore.YELLOW}{printed_subscriptions}{Style.RESET_ALL}",
f"Azure Resource Groups: {Fore.YELLOW}{sorted({rg for rgs in self._resource_groups.values() for rg in rgs}) if any(self._resource_groups.values()) else ('NONE (no matching resource groups found)' if self._resource_groups else 'ALL')}{Style.RESET_ALL}",
f"Azure Identity Type: {Fore.YELLOW}{self._identity.identity_type}{Style.RESET_ALL} Azure Identity ID: {Fore.YELLOW}{self._identity.identity_id}{Style.RESET_ALL}",
]
report_title = (
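Review bot: the `Azure Resource Groups:` line packs a set comprehension and a nested conditional expression into a single f-string, which is hard to read and impossible to unit-test on its own. Compute the display value into a local before the list, with the three cases spelled out: `ALL` when `self._resource_groups` is empty (no filter requested), `NONE (no matching resource groups found)` when a filter was requested but every list is empty, and the sorted union of names otherwise; then interpolate that local here.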
@@ -1102,6 +1119,54 @@ class AzureProvider(Provider):
return set(chain.from_iterable(locations.values()))
def validate_resource_groups(self, resource_groups: list) -> dict[str, list[str]]:
resource_groups = [r.strip() for r in resource_groups if r and r.strip()]
if not resource_groups:
return {}
rg_map = {
subscription_id: [] for subscription_id in self._identity.subscriptions
}
credentials = self.session
for subscription_id, display_name in self._identity.subscriptions.items():
try:
rg_client = ResourceManagementClient(
credentials,
subscription_id,
base_url=self._region_config.base_url,
credential_scopes=self._region_config.credential_scopes,
)
existing_rgs = {
rg.name.lower(): rg.name for rg in rg_client.resource_groups.list()
}
except Exception as e:
logger.warning(
f"Could not list resource groups for subscription '{display_name}' "
f"({subscription_id}): {e}. Skipping resource group filtering for this subscription."
)
continue
for rg in resource_groups:
real_name = existing_rgs.get(rg.lower())
if real_name:
rg_map[subscription_id].append(real_name)
for rg in resource_groups:
if not any(rg.lower() == r.lower() for rgs in rg_map.values() for r in rgs):
logger.warning(
f"Resource group '{rg}' was not found in any subscription. "
"Please check the resource group name and try again."
)
if not any(rgs for rgs in rg_map.values()):
logger.warning(
f"None of the provided resource groups {resource_groups} were found "
"in any subscription. Please check the resource group names and try again."
)
return rg_map
@staticmethod
def validate_static_credentials(
tenant_id: str = None,
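Review bot: the `except Exception` branch logs "Skipping resource group filtering for this subscription", but it leaves `rg_map[subscription_id]` as `[]`, and `list_with_rg_scope` treats an empty list as "nothing to scan", so a subscription whose resource groups cannot be listed (for example because the identity lacks read permission on it) is silently excluded from every resource-level check rather than scanned unfiltered. Either store `None` for that subscription and make `list_with_rg_scope` fall back to `list_all_fn` when the lookup returns `None`, or reword the warning to say the subscription will be skipped. Two smaller points: the inner `for rg in resource_groups` loop appends once per input name, so a name passed twice on the command line ends up twice in the list and is enumerated twice by every service, which produces duplicate findings (deduplicating the stripped input case-insensitively before the loop fixes this); and the method has no docstring although the surrounding methods all carry one.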
@@ -53,6 +53,16 @@ def init_parser(self):
type=validate_azure_region,
help="Azure region from `az cloud list --output table`, by default AzureCloud",
)
# Resource Groups
azure_rg_subparser = azure_parser.add_argument_group("Resource Groups")
azure_rg_subparser.add_argument(
"--azure-resource-group",
"--azure-resource-groups",
nargs="+",
default=[],
dest="resource_groups",
help="Azure Resource Group names to scope the scan to specific groups.",
)
def validate_azure_region(region):
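Review bot: the argument registers both `--azure-resource-group` and `--azure-resource-groups`, but only the singular form appears in the documentation page and the changelog entry added in this PR; either document the alias or remove it. The help text should also tell the user that several names can be given separated by spaces and that matching is case-insensitive, since that is exactly what `nargs="+"` and `validate_resource_groups` implement and neither is obvious from "Azure Resource Group names to scope the scan to specific groups."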
@@ -26,6 +26,7 @@ class AzureService:
)
self.subscriptions = provider.identity.subscriptions
self.resource_groups = provider.resource_groups
self.locations = provider.locations
self.audit_config = provider.audit_config
self.fixer_config = provider.fixer_config
@@ -49,6 +50,26 @@ class AzureService:
return results
def list_with_rg_scope(self, subscription_id, list_all_fn, list_by_rg_fn):
if not self.resource_groups:
return list(list_all_fn())
resource_groups = self.resource_groups.get(subscription_id, [])
if not resource_groups:
logger.info(
f"No valid resource groups for subscription {subscription_id}, skipping."
)
return []
output = []
for resource_group in resource_groups:
try:
output += list(list_by_rg_fn(resource_group_name=resource_group))
except Exception as error:
logger.warning(
f"Subscription ID: {subscription_id} -- Resource Group: {resource_group} -- "
f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
return output
def __set_clients__(self, identity, session, service, region_config):
clients = {}
try:
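Review bot: `list_with_rg_scope` has no docstring, and the contract every service now depends on deserves to be written down here: `list_by_rg_fn` must accept a `resource_group_name=` keyword, a falsy `self.resource_groups` means "no filter, list everything", and a dict whose entry for the subscription is an empty list means "filter requested but nothing matched, return nothing". The `logger.info(... skipping.)` call also fires once per service per subscription, so a filter that matches nothing in one subscription repeats the same message for every Azure service; `logger.debug` is enough here because `validate_resource_groups` already emits the user-facing warning once at provider setup. Finally, the per-group `except Exception` turns an authorisation error on one group into a warning and returns whatever the other groups produced, so callers receive a partial list with no indication that it is partial; that matches the existing per-service error handling, but it is worth stating in the docstring.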
@@ -17,7 +17,11 @@ class AISearch(AzureService):
for subscription, client in self.clients.items():
try:
aisearch_services.update({subscription: {}})
aisearch_services_list = client.services.list_by_subscription()
aisearch_services_list = self.list_with_rg_scope(
subscription,
client.services.list_by_subscription,
client.services.list_by_resource_group,
)
for aisearch_service in aisearch_services_list:
aisearch_services[subscription].update(
{
@@ -19,8 +19,12 @@ class AKS(AzureService):
for subscription_id, client in self.clients.items():
try:
clusters_list = client.managed_clusters.list()
clusters.update({subscription_id: {}})
clusters_list = self.list_with_rg_scope(
subscription_id,
client.managed_clusters.list,
client.managed_clusters.list_by_resource_group,
)
for cluster in clusters_list:
if getattr(cluster, "kubernetes_version", None):
@@ -131,7 +131,11 @@ class APIM(AzureService):
for subscription, client in self.clients.items():
try:
instances.update({subscription: []})
apim_instances = client.api_management_service.list()
apim_instances = self.list_with_rg_scope(
subscription,
client.api_management_service.list,
client.api_management_service.list_by_resource_group,
)
for instance in apim_instances:
workspace_id = self._get_log_analytics_workspace_id(
@@ -22,8 +22,12 @@ class App(AzureService):
for subscription_id, client in self.clients.items():
try:
apps_list = client.web_apps.list()
apps.update({subscription_id: {}})
apps_list = self.list_with_rg_scope(
subscription_id,
client.web_apps.list,
client.web_apps.list_by_resource_group,
)
for app in apps_list:
# Filter function apps
@@ -117,8 +121,12 @@ class App(AzureService):
for subscription_id, client in self.clients.items():
try:
functions_list = client.web_apps.list()
functions.update({subscription_id: {}})
functions_list = self.list_with_rg_scope(
subscription_id,
client.web_apps.list,
client.web_apps.list_by_resource_group,
)
for function in functions_list:
# Filter function apps
@@ -17,8 +17,12 @@ class AppInsights(AzureService):
for subscription_id, client in self.clients.items():
try:
components_list = client.components.list()
components.update({subscription_id: {}})
components_list = self.list_with_rg_scope(
subscription_id,
client.components.list,
client.components.list_by_resource_group,
)
for component in components_list:
components[subscription_id].update(
@@ -19,8 +19,12 @@ class ContainerRegistry(AzureService):
registries = {}
for subscription, client in self.clients.items():
try:
registries_list = client.registries.list()
registries.update({subscription: {}})
registries_list = self.list_with_rg_scope(
subscription,
client.registries.list,
client.registries.list_by_resource_group,
)
for registry in registries_list:
resource_group = self._get_resource_group(registry.id)
@@ -18,8 +18,13 @@ class CosmosDB(AzureService):
accounts = {}
for subscription, client in self.clients.items():
try:
accounts_list = client.database_accounts.list()
accounts.update({subscription: []})
accounts_list = self.list_with_rg_scope(
subscription,
client.database_accounts.list,
client.database_accounts.list_by_resource_group,
)
for account in accounts_list:
accounts[subscription].append(
Account(
@@ -38,8 +38,13 @@ class Databricks(AzureService):
for subscription, client in self.clients.items():
try:
workspaces[subscription] = {}
workspaces_list = self.list_with_rg_scope(
subscription,
client.workspaces.list_by_subscription,
client.workspaces.list_by_resource_group,
)
for workspace in client.workspaces.list_by_subscription():
for workspace in workspaces_list:
workspace_parameters = getattr(workspace, "parameters", None)
workspace_managed_disk_encryption = getattr(
getattr(
@@ -230,8 +230,10 @@ class Defender(AzureService):
iot_security_solutions = {}
for subscription_id, client in self.clients.items():
try:
iot_security_solutions_list = (
client.iot_security_solution.list_by_subscription()
iot_security_solutions_list = self.list_with_rg_scope(
subscription_id,
client.iot_security_solution.list_by_subscription,
client.iot_security_solution.list_by_resource_group,
)
iot_security_solutions.update({subscription_id: {}})
for iot_security_solution in iot_security_solutions_list:
@@ -267,8 +269,13 @@ class Defender(AzureService):
for subscription_id, client in self.clients.items():
try:
jit_policies[subscription_id] = {}
policies = client.jit_network_access_policies.list()
for policy in policies:
policies_list = self.list_with_rg_scope(
subscription_id,
client.jit_network_access_policies.list,
client.jit_network_access_policies.list_by_resource_group,
)
for policy in policies_list:
vm_ids = set()
for vm in getattr(policy, "virtual_machines", []):
vm_ids.add(vm.id)
@@ -35,7 +35,11 @@ class KeyVault(AzureService):
for subscription, client in self.clients.items():
try:
key_vaults[subscription] = []
vaults_list = list(client.vaults.list_by_subscription())
vaults_list = self.list_with_rg_scope(
subscription,
client.vaults.list_by_subscription,
client.vaults.list_by_resource_group,
)
if not vaults_list:
continue
@@ -19,8 +19,12 @@ class MySQL(AzureService):
servers = {}
for subscription_id, client in self.clients.items():
try:
servers_list = client.servers.list()
servers.update({subscription_id: {}})
servers_list = self.list_with_rg_scope(
subscription_id,
client.servers.list,
client.servers.list_by_resource_group,
)
for server in servers_list:
backup = getattr(server, "backup", None)
ha = getattr(server, "high_availability", None)
@@ -24,8 +24,13 @@ class Network(AzureService):
security_groups = {}
for subscription, client in self.clients.items():
try:
security_groups_list = self.list_with_rg_scope(
subscription,
client.network_security_groups.list_all,
client.network_security_groups.list,
)
security_groups.update({subscription: []})
security_groups_list = client.network_security_groups.list_all()
for security_group in security_groups_list:
security_groups[subscription].append(
SecurityGroup(
@@ -64,8 +69,8 @@ class Network(AzureService):
network_watchers = {}
for subscription, client in self.clients.items():
try:
network_watchers.update({subscription: []})
network_watchers_list = client.network_watchers.list_all()
network_watchers.update({subscription: []})
for network_watcher in network_watchers_list:
flow_logs = self._get_flow_logs(
subscription, network_watcher.name, network_watcher.id
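Review bot: this hunk only moves `network_watchers.update({subscription: []})` ahead of the `list_all()` call, so network watchers remain listed subscription-wide while every other resource type in this file is now routed through `list_with_rg_scope`. If leaving watchers unscoped is intentional (they are regional monitoring infrastructure rather than workload resources), a one-line comment above the call will stop the next contributor from "fixing" it; if it is an oversight, the same `list_all`/`list` pairing used for the other network resources applies, provided the watcher operations expose a resource-group listing.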
@@ -164,8 +169,13 @@ class Network(AzureService):
bastion_hosts = {}
for subscription, client in self.clients.items():
try:
bastion_hosts_list = self.list_with_rg_scope(
subscription,
client.bastion_hosts.list,
client.bastion_hosts.list_by_resource_group,
)
bastion_hosts.update({subscription: []})
bastion_hosts_list = client.bastion_hosts.list()
for bastion_host in bastion_hosts_list:
bastion_hosts[subscription].append(
BastionHost(
@@ -186,8 +196,13 @@ class Network(AzureService):
public_ip_addresses = {}
for subscription, client in self.clients.items():
try:
public_ip_addresses_list = self.list_with_rg_scope(
subscription,
client.public_ip_addresses.list_all,
client.public_ip_addresses.list,
)
public_ip_addresses.update({subscription: []})
public_ip_addresses_list = client.public_ip_addresses.list_all()
for public_ip_address in public_ip_addresses_list:
public_ip_addresses[subscription].append(
PublicIp(
@@ -207,13 +222,17 @@ class Network(AzureService):
def _get_virtual_networks(self):
logger.info("Network - Getting Virtual Networks...")
virtual_networks = {}
for subscription, client in self.clients.items():
for subscription_id, client in self.clients.items():
try:
virtual_networks[subscription] = []
vnet_list = client.virtual_networks.list_all()
for vnet in vnet_list:
virtual_networks[subscription_id] = []
virtual_networks_list = self.list_with_rg_scope(
subscription_id,
client.virtual_networks.list_all,
client.virtual_networks.list,
)
for virtual_network in virtual_networks_list:
subnets = []
for subnet in getattr(vnet, "subnets", []) or []:
for subnet in getattr(virtual_network, "subnets", []) or []:
nsg = getattr(subnet, "network_security_group", None)
subnets.append(
VNetSubnet(
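Review bot: this hunk mixes the behavioural change (routing virtual networks through `list_with_rg_scope`) with a rename of `subscription` to `subscription_id` and of `vnet` to `virtual_network` that touches nearly every line of the method across this hunk and the next, and the rename also changes the logged prefix from "Subscription name:" to "Subscription ID:". Splitting the rename into its own commit would make the scoping change reviewable on its own, and the log-prefix change should be called out in the changelog since it alters output that people may filter on.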
@@ -222,20 +241,20 @@ class Network(AzureService):
nsg_id=getattr(nsg, "id", None) if nsg else None,
)
)
virtual_networks[subscription].append(
virtual_networks[subscription_id].append(
VirtualNetwork(
id=vnet.id,
name=vnet.name,
location=vnet.location,
id=virtual_network.id,
name=virtual_network.name,
location=virtual_network.location,
enable_ddos_protection=getattr(
vnet, "enable_ddos_protection", False
virtual_network, "enable_ddos_protection", False
),
subnets=subnets,
)
)
except Exception as error:
logger.error(
f"Subscription name: {subscription} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
f"Subscription ID: {subscription_id} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
return virtual_networks
@@ -18,8 +18,8 @@ class Policy(AzureService):
for subscription_id, client in self.clients.items():
try:
policy_assigments_list = client.policy_assignments.list()
policy_assigments.update({subscription_id: {}})
policy_assigments_list = client.policy_assignments.list()
for policy_assigment in policy_assigments_list:
policy_assigments[subscription_id].update(
@@ -19,8 +19,13 @@ class PostgreSQL(AzureService):
flexible_servers = {}
for subscription, client in self.clients.items():
try:
flexible_servers_list = self.list_with_rg_scope(
subscription,
client.servers.list,
client.servers.list_by_resource_group,
)
flexible_servers.update({subscription: []})
flexible_servers_list = client.servers.list()
for postgresql_server in flexible_servers_list:
# Isolate each server: a failure collecting one server must
# not abort collection of the remaining servers in the
@@ -56,9 +56,14 @@ class Recovery(AzureService):
try:
vaults_dict: dict[str, dict[str, BackupVault]] = {}
for subscription_id, client in self.clients.items():
vaults = client.vaults.list_by_subscription_id()
vaults_list = self.list_with_rg_scope(
subscription_id,
client.vaults.list_by_subscription_id,
client.vaults.list_by_resource_group,
)
vaults_dict[subscription_id] = {}
for vault in vaults:
for vault in vaults_list:
vault_obj = BackupVault(
id=vault.id,
name=vault.name,
@@ -18,8 +18,13 @@ class SQLServer(AzureService):
sql_servers = {}
for subscription, client in self.clients.items():
try:
sql_servers_list = self.list_with_rg_scope(
subscription,
client.servers.list,
client.servers.list_by_resource_group,
)
sql_servers.update({subscription: []})
sql_servers_list = client.servers.list()
for sql_server in sql_servers_list:
resource_group = self._get_resource_group(sql_server.id)
auditing_policies = self._get_server_blob_auditing_policies(
@@ -20,8 +20,13 @@ class Storage(AzureService):
storage_accounts = {}
for subscription, client in self.clients.items():
try:
storage_accounts_list = self.list_with_rg_scope(
subscription,
client.storage_accounts.list,
client.storage_accounts.list_by_resource_group,
)
storage_accounts.update({subscription: []})
storage_accounts_list = client.storage_accounts.list()
for storage_account in storage_accounts_list:
parts = storage_account.id.split("/")
if "resourceGroups" in parts:
@@ -22,8 +22,12 @@ class VirtualMachines(AzureService):
for subscription_id, client in self.clients.items():
try:
virtual_machines_list = client.virtual_machines.list_all()
virtual_machines.update({subscription_id: {}})
virtual_machines_list = self.list_with_rg_scope(
subscription_id,
client.virtual_machines.list_all,
client.virtual_machines.list,
)
for vm in virtual_machines_list:
storage_profile = getattr(vm, "storage_profile", None)
@@ -155,8 +159,12 @@ class VirtualMachines(AzureService):
for subscription_id, client in self.clients.items():
try:
disks_list = client.disks.list()
disks.update({subscription_id: {}})
disks_list = self.list_with_rg_scope(
subscription_id,
client.disks.list,
client.disks.list_by_resource_group,
)
for disk in disks_list:
vms_attached = []
@@ -202,9 +210,13 @@ class VirtualMachines(AzureService):
vm_scale_sets = {}
for subscription_id, client in self.clients.items():
try:
scale_sets = client.virtual_machine_scale_sets.list_all()
vm_scale_sets[subscription_id] = {}
for scale_set in scale_sets:
scale_sets_list = self.list_with_rg_scope(
subscription_id,
client.virtual_machine_scale_sets.list_all,
client.virtual_machine_scale_sets.list,
)
for scale_set in scale_sets_list:
backend_pools = []
nic_configs = []
virtual_machine_profile = getattr(
@@ -407,6 +407,7 @@ class Provider(ABC):
tenant_id=arguments.tenant_id,
region=arguments.azure_region,
subscription_ids=arguments.subscription_id,
resource_groups=arguments.resource_groups,
config_path=arguments.config_file,
mutelist_path=arguments.mutelist_file,
fixer_config=fixer_config,
@@ -9,6 +9,8 @@ from prowler.providers.azure.models import AzureIdentityInfo, AzureRegionConfig
AZURE_SUBSCRIPTION_ID = str(uuid4())
AZURE_SUBSCRIPTION_NAME = "Subscription Name"
AZURE_SUBSCRIPTION_DISPLAY = f"{AZURE_SUBSCRIPTION_NAME} ({AZURE_SUBSCRIPTION_ID})"
RESOURCE_GROUP = "rg"
RESOURCE_GROUP_LIST = [RESOURCE_GROUP, "rg2"]
# Azure Identity
IDENTITY_ID = "00000000-0000-0000-0000-000000000000"
@@ -30,6 +32,7 @@ def set_mocked_azure_provider(
audit_config: dict = None,
azure_region_config: AzureRegionConfig = AzureRegionConfig(),
locations: list = None,
resource_groups: dict = None,
) -> AzureProvider:
provider = MagicMock()
@@ -39,5 +42,6 @@ def set_mocked_azure_provider(
provider.identity = identity
provider.audit_config = audit_config
provider.region_config = azure_region_config
provider.resource_groups = resource_groups
return provider
@@ -552,6 +552,102 @@ class TestAzureProvider:
assert regions == expected_regions
class TestAzureProviderValidateResourceGroups:
@patch(
"prowler.providers.azure.azure_provider.AzureProvider.__init__",
return_value=None,
)
def _make_provider(self, _mock_init, subscriptions=None):
provider = AzureProvider()
provider._identity = MagicMock()
provider._identity.subscriptions = subscriptions or {str(uuid4()): "Sub"}
provider._session = MagicMock()
provider._region_config = MagicMock()
return provider
@patch("prowler.providers.azure.azure_provider.ResourceManagementClient")
def test_validate_resource_groups_exact_match(self, mock_rm_client):
provider = self._make_provider()
sub_name = list(provider._identity.subscriptions.keys())[0]
mock_rg = MagicMock()
mock_rg.name = "mygroup"
mock_resource_groups = MagicMock()
mock_resource_groups.list.return_value = [mock_rg]
mock_rm_client.return_value.resource_groups = mock_resource_groups
result = provider.validate_resource_groups(["mygroup"])
assert result[sub_name] == ["mygroup"]
@patch("prowler.providers.azure.azure_provider.ResourceManagementClient")
def test_validate_resource_groups_mixed_case(self, mock_rm_client):
provider = self._make_provider()
sub_name = list(provider._identity.subscriptions.keys())[0]
mock_rg = MagicMock()
mock_rg.name = "MyGroup"
mock_resource_groups = MagicMock()
mock_resource_groups.list.return_value = [mock_rg]
mock_rm_client.return_value.resource_groups = mock_resource_groups
result = provider.validate_resource_groups(["mygroup"])
assert result[sub_name] == ["MyGroup"]
mock_resource_groups.list.assert_called_once()
@patch("prowler.providers.azure.azure_provider.ResourceManagementClient")
def test_validate_resource_groups_multiple_rgs(self, mock_rm_client):
provider = self._make_provider()
sub_name = list(provider._identity.subscriptions.keys())[0]
rg1, rg2 = MagicMock(), MagicMock()
rg1.name = "rg1"
rg2.name = "rg2"
mock_resource_groups = MagicMock()
mock_resource_groups.list.return_value = [rg1, rg2]
mock_rm_client.return_value.resource_groups = mock_resource_groups
result = provider.validate_resource_groups(["rg1", "rg2"])
assert set(result[sub_name]) == {"rg1", "rg2"}
@patch("prowler.providers.azure.azure_provider.ResourceManagementClient")
def test_validate_resource_groups_not_found(self, mock_rm_client):
provider = self._make_provider()
sub_name = list(provider._identity.subscriptions.keys())[0]
mock_rg = MagicMock()
mock_rg.name = "existing"
mock_resource_groups = MagicMock()
mock_resource_groups.list.return_value = [mock_rg]
mock_rm_client.return_value.resource_groups = mock_resource_groups
result = provider.validate_resource_groups(["nonexistent"])
assert result[sub_name] == []
def test_validate_resource_groups_empty_input(self):
provider = self._make_provider()
result = provider.validate_resource_groups([])
assert result == {}
@patch("prowler.providers.azure.azure_provider.ResourceManagementClient")
def test_validate_resource_groups_strips_whitespace(self, mock_rm_client):
provider = self._make_provider()
sub_name = list(provider._identity.subscriptions.keys())[0]
mock_rg = MagicMock()
mock_rg.name = "rg-prod"
mock_resource_groups = MagicMock()
mock_resource_groups.list.return_value = [mock_rg]
mock_rm_client.return_value.resource_groups = mock_resource_groups
result = provider.validate_resource_groups([" rg-prod "])
assert result[sub_name] == ["rg-prod"]
class TestAzureProviderSetupIdentitySubscriptions:
"""Regression tests ensuring identity.subscriptions preserves every
subscription even when multiple Azure subscriptions share the same
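Review bot: the new `TestAzureProviderValidateResourceGroups` class covers exact match, case folding, multiple groups, whitespace and empty input, but not the two branches that decide behaviour on failure: the `except Exception` path when `ResourceManagementClient(...).resource_groups.list()` raises (the test should pin down what the result contains for that subscription, since that is the case where scanning can silently stop), and the "not found in any subscription" warning. A case with two subscriptions in `provider._identity.subscriptions` where the group exists in only one would also lock in the documented "included if it exists in at least one subscription" rule, and a case passing the same name twice would show whether duplicates are collapsed. As a style point, `_make_provider` is decorated with `@patch(... __init__ ...)` and carries an unused `_mock_init` parameter; a plain helper that stubs the attributes it needs reads more clearly than a patched constructor on a helper method.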
@@ -1,4 +1,4 @@
from unittest.mock import patch
from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.aisearch.aisearch_service import (
AISearch,
@@ -6,9 +6,13 @@ from prowler.providers.azure.services.aisearch.aisearch_service import (
)
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider,
)
AISEARCH_SERVICE_ID = f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}/providers/Microsoft.Search/searchServices/search1"
def mock_storage_get_aisearch_services(_):
return {
@@ -58,3 +62,121 @@ class Test_AISearch_Service:
assert aisearch.aisearch_services[AZURE_SUBSCRIPTION_ID][
"aisearch_service_id-1"
].public_network_access
class Test_AISearch_Service_get_aisearch_services:
def test_get_aisearch_services_no_resource_groups(self):
mock_service = MagicMock()
mock_service.id = AISEARCH_SERVICE_ID
mock_service.name = "search1"
mock_service.location = "westeurope"
mock_service.public_network_access = "Enabled"
mock_client = MagicMock()
mock_client.services.list_by_subscription.return_value = [mock_service]
with patch(
"prowler.providers.azure.services.aisearch.aisearch_service.AISearch._get_aisearch_services",
return_value={},
):
aisearch = AISearch(set_mocked_azure_provider())
aisearch.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
aisearch.resource_groups = None
result = aisearch._get_aisearch_services()
mock_client.services.list_by_subscription.assert_called_once()
mock_client.services.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert (
result[AZURE_SUBSCRIPTION_ID][AISEARCH_SERVICE_ID].public_network_access
is True
)
def test_get_aisearch_services_with_resource_group(self):
mock_service = MagicMock()
mock_service.id = AISEARCH_SERVICE_ID
mock_service.name = "search1"
mock_service.location = "westeurope"
mock_service.public_network_access = "Disabled"
mock_client = MagicMock()
mock_client.services.list_by_resource_group.return_value = [mock_service]
with patch(
"prowler.providers.azure.services.aisearch.aisearch_service.AISearch._get_aisearch_services",
return_value={},
):
aisearch = AISearch(set_mocked_azure_provider())
aisearch.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
aisearch.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = aisearch._get_aisearch_services()
mock_client.services.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.services.list_by_subscription.assert_not_called()
assert (
result[AZURE_SUBSCRIPTION_ID][AISEARCH_SERVICE_ID].public_network_access
is False
)
def test_get_aisearch_services_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with patch(
"prowler.providers.azure.services.aisearch.aisearch_service.AISearch._get_aisearch_services",
return_value={},
):
aisearch = AISearch(set_mocked_azure_provider())
aisearch.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
aisearch.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = aisearch._get_aisearch_services()
mock_client.services.list_by_resource_group.assert_not_called()
mock_client.services.list_by_subscription.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
def test_get_aisearch_services_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.services = MagicMock()
mock_client.services.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.aisearch.aisearch_service.AISearch._get_aisearch_services",
return_value={},
):
aisearch = AISearch(set_mocked_azure_provider())
aisearch.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
aisearch.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = aisearch._get_aisearch_services()
assert mock_client.services.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_aisearch_services_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.services = MagicMock()
mock_client.services.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.aisearch.aisearch_service.AISearch._get_aisearch_services",
return_value={},
):
aisearch = AISearch(set_mocked_azure_provider())
aisearch.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
aisearch.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
aisearch._get_aisearch_services()
mock_client.services.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
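Review bot: `test_get_aisearch_services_with_mixed_case_resource_group` passes `["RG"]`, which is all upper-case, so the test name promises a case-handling check that the assertions never make; either use a genuinely mixed-case name and state in a comment what is being verified (the name is forwarded to the SDK unchanged, since ARM treats resource group names case-insensitively) or rename the test to match what it asserts. In `test_get_aisearch_services_with_multiple_resource_groups`, the literal `call_count == 2` ties the test to the current size of `RESOURCE_GROUP_LIST`; `== len(RESOURCE_GROUP_LIST)` keeps it valid if the fixture grows, and an added `mock_client.services.list_by_subscription.assert_not_called()` would confirm the scoped path does not fall back to a full listing.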
@@ -1,8 +1,10 @@
from unittest.mock import patch
from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.aks.aks_service import AKS, Cluster
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider,
)
@@ -66,3 +68,128 @@ class Test_AKS_Service:
aks.clusters[AZURE_SUBSCRIPTION_ID]["cluster_id-1"].location == "westeurope"
)
assert aks.clusters[AZURE_SUBSCRIPTION_ID]["cluster_id-1"].rbac_enabled
class Test_AKS_get_clusters:
def test_get_clusters_no_resource_groups(self):
mock_cluster = MagicMock()
mock_cluster.id = "cluster_id-1"
mock_cluster.name = "cluster_name"
mock_cluster.fqdn = "public_fqdn"
mock_cluster.private_fqdn = "private_fqdn"
mock_cluster.location = "westeurope"
mock_cluster.kubernetes_version = "1.28.0"
mock_cluster.network_profile = None
mock_cluster.agent_pool_profiles = []
mock_cluster.enable_rbac = False
mock_client = MagicMock()
mock_client.managed_clusters.list.return_value = [mock_cluster]
with patch(
"prowler.providers.azure.services.aks.aks_service.AKS._get_clusters",
return_value={},
):
aks = AKS(set_mocked_azure_provider())
aks.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
aks.resource_groups = None
result = aks._get_clusters()
mock_client.managed_clusters.list.assert_called_once()
mock_client.managed_clusters.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert "cluster_id-1" in result[AZURE_SUBSCRIPTION_ID]
def test_get_clusters_with_resource_group(self):
mock_cluster = MagicMock()
mock_cluster.id = "cluster_id-1"
mock_cluster.name = "cluster_name"
mock_cluster.fqdn = "public_fqdn"
mock_cluster.private_fqdn = "private_fqdn"
mock_cluster.location = "westeurope"
mock_cluster.kubernetes_version = "1.28.0"
mock_cluster.network_profile = None
mock_cluster.agent_pool_profiles = []
mock_cluster.enable_rbac = False
mock_client = MagicMock()
mock_client.managed_clusters.list_by_resource_group.return_value = [
mock_cluster
]
with patch(
"prowler.providers.azure.services.aks.aks_service.AKS._get_clusters",
return_value={},
):
aks = AKS(set_mocked_azure_provider())
aks.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
aks.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = aks._get_clusters()
mock_client.managed_clusters.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.managed_clusters.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert "cluster_id-1" in result[AZURE_SUBSCRIPTION_ID]
def test_get_clusters_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with patch(
"prowler.providers.azure.services.aks.aks_service.AKS._get_clusters",
return_value={},
):
aks = AKS(set_mocked_azure_provider())
aks.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
aks.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = aks._get_clusters()
mock_client.managed_clusters.list_by_resource_group.assert_not_called()
mock_client.managed_clusters.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
def test_get_clusters_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.managed_clusters = MagicMock()
mock_client.managed_clusters.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.aks.aks_service.AKS._get_clusters",
return_value={},
):
aks = AKS(set_mocked_azure_provider())
aks.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
aks.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = aks._get_clusters()
assert mock_client.managed_clusters.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_clusters_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.managed_clusters = MagicMock()
mock_client.managed_clusters.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.aks.aks_service.AKS._get_clusters",
return_value={},
):
aks = AKS(set_mocked_azure_provider())
aks.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
aks.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
aks._get_clusters()
mock_client.managed_clusters.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
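Review bot: `test_get_clusters_with_multiple_resource_groups` asserts `call_count == 2` but never asserts that `managed_clusters.list` stays uncalled, so a regression that lists both per resource group and per subscription would still pass; add `mock_client.managed_clusters.list.assert_not_called()` and replace the literal `2` with `len(RESOURCE_GROUP_LIST)`. The two cluster fixtures (`network_profile = None`, `agent_pool_profiles = []`) are useful for the None-handling branches, but they are duplicated verbatim across two tests and would read better as a small helper or pytest fixture.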
@@ -1,6 +1,6 @@
from datetime import timedelta
from unittest import TestCase, mock
from unittest.mock import patch
from unittest.mock import MagicMock, patch
from azure.mgmt.loganalytics.models import Workspace
from azure.mgmt.monitor.models import DiagnosticSettingsResource
@@ -9,6 +9,8 @@ from azure.monitor.query import LogsQueryResult
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
AZURE_SUBSCRIPTION_NAME,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider,
)
@@ -16,7 +18,6 @@ from tests.providers.azure.azure_fixtures import (
APIM_INSTANCE_ID = f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/resourceGroups/rg/providers/Microsoft.ApiManagement/service/apim1"
APIM_INSTANCE_NAME = "apim1"
LOCATION = "West US"
RESOURCE_GROUP = "rg"
WORKSPACE_ID = f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/resourcegroups/rg/providers/microsoft.operationalinsights/workspaces/loganalytics"
WORKSPACE_CUSTOMER_ID = "12345678-1234-1234-1234-1234567890ab"
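Review bot: removing the module-level `RESOURCE_GROUP = "rg"` in favour of the fixture import changes the value only if the fixture's `RESOURCE_GROUP` differs from `"rg"`, yet `APIM_INSTANCE_ID` and `WORKSPACE_ID` still embed the literal `/resourceGroups/rg/` and `/resourcegroups/rg/`; please confirm the fixture value is `"rg"`, or build both IDs from `RESOURCE_GROUP` (`f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}/..."`) so any existing assertion that relates an instance id to its resource group cannot silently drift.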
@@ -323,3 +324,168 @@ class Test_APIM_Service(TestCase):
instance = apim.instances[AZURE_SUBSCRIPTION_ID][0]
result = apim.get_llm_operations_logs(AZURE_SUBSCRIPTION_ID, instance)
self.assertEqual(result, [{"log": "data"}])
class Test_APIM_get_instances:
def test_get_instances_no_resource_groups(self):
mock_instance = MagicMock()
mock_instance.id = APIM_INSTANCE_ID
mock_instance.name = APIM_INSTANCE_NAME
mock_instance.location = LOCATION
mock_client = MagicMock()
mock_client.api_management_service.list.return_value = [mock_instance]
mock_provider = mock.MagicMock()
mock_provider.identity = mock.MagicMock()
with (
patch(
"prowler.providers.azure.azure_provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.apim.apim_service.APIM._get_instances",
return_value={},
),
):
from prowler.providers.azure.services.apim.apim_service import APIM
apim = APIM(set_mocked_azure_provider())
apim.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
apim.resource_groups = None
with patch.object(apim, "_get_log_analytics_workspace_id", return_value=None):
result = apim._get_instances()
mock_client.api_management_service.list.assert_called_once()
mock_client.api_management_service.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert len(result[AZURE_SUBSCRIPTION_ID]) == 1
assert result[AZURE_SUBSCRIPTION_ID][0].id == APIM_INSTANCE_ID
def test_get_instances_with_resource_group(self):
mock_instance = MagicMock()
mock_instance.id = APIM_INSTANCE_ID
mock_instance.name = APIM_INSTANCE_NAME
mock_instance.location = LOCATION
mock_client = MagicMock()
mock_client.api_management_service.list_by_resource_group.return_value = [
mock_instance
]
mock_provider = mock.MagicMock()
mock_provider.identity = mock.MagicMock()
with (
patch(
"prowler.providers.azure.azure_provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.apim.apim_service.APIM._get_instances",
return_value={},
),
):
from prowler.providers.azure.services.apim.apim_service import APIM
apim = APIM(set_mocked_azure_provider())
apim.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
apim.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
with patch.object(apim, "_get_log_analytics_workspace_id", return_value=None):
result = apim._get_instances()
mock_client.api_management_service.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.api_management_service.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert len(result[AZURE_SUBSCRIPTION_ID]) == 1
assert result[AZURE_SUBSCRIPTION_ID][0].name == APIM_INSTANCE_NAME
def test_get_instances_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_provider = mock.MagicMock()
mock_provider.identity = mock.MagicMock()
with (
patch(
"prowler.providers.azure.azure_provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.apim.apim_service.APIM._get_instances",
return_value={},
),
):
from prowler.providers.azure.services.apim.apim_service import APIM
apim = APIM(set_mocked_azure_provider())
apim.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
apim.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = apim._get_instances()
mock_client.api_management_service.list_by_resource_group.assert_not_called()
mock_client.api_management_service.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == []
def test_get_instances_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_provider = mock.MagicMock()
mock_provider.identity = mock.MagicMock()
with (
patch(
"prowler.providers.azure.azure_provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.apim.apim_service.APIM._get_instances",
return_value={},
),
):
from prowler.providers.azure.services.apim.apim_service import APIM
apim = APIM(set_mocked_azure_provider())
apim.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
apim.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
with patch.object(apim, "_get_log_analytics_workspace_id", return_value=None):
result = apim._get_instances()
assert mock_client.api_management_service.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_instances_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_provider = mock.MagicMock()
mock_provider.identity = mock.MagicMock()
with (
patch(
"prowler.providers.azure.azure_provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.apim.apim_service.APIM._get_instances",
return_value={},
),
):
from prowler.providers.azure.services.apim.apim_service import APIM
apim = APIM(set_mocked_azure_provider())
apim.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
apim.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
with patch.object(apim, "_get_log_analytics_workspace_id", return_value=None):
apim._get_instances()
mock_client.api_management_service.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
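Review bot: `test_get_instances_empty_resource_group_for_subscription` is the only test in this class that calls `apim._get_instances()` without wrapping it in `patch.object(apim, "_get_log_analytics_workspace_id", return_value=None)`; that is safe only as long as the workspace lookup happens per instance rather than per subscription, so for consistency (and to stop a future refactor from making this test hit the real lookup) apply the same patch here. The `from prowler.providers.azure.services.apim.apim_service import APIM` inside each `with` block is repeated five times; if it must run under the `get_global_provider` patch because of import-time side effects, a one-line comment saying so would help the next reader, otherwise hoist it to the module imports.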
@@ -5,6 +5,8 @@ from azure.mgmt.web.models import ManagedServiceIdentity, SiteConfigResource
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider,
)
@@ -244,3 +246,279 @@ class Test_App_Service:
].name
== "functionapp-1"
)
class Test_App_get_apps:
def test_get_apps_no_resource_groups(self):
mock_client = MagicMock()
mock_client.web_apps.list.return_value = []
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_azure_provider(),
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
):
from prowler.providers.azure.services.app.app_service import App
app = App(set_mocked_azure_provider())
app.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app.resource_groups = None
result = app._get_apps()
mock_client.web_apps.list.assert_called_once()
mock_client.web_apps.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_apps_with_resource_group(self):
mock_client = MagicMock()
mock_client.web_apps.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_azure_provider(),
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
):
from prowler.providers.azure.services.app.app_service import App
app = App(set_mocked_azure_provider())
app.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = app._get_apps()
mock_client.web_apps.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.web_apps.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_apps_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_azure_provider(),
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
):
from prowler.providers.azure.services.app.app_service import App
app = App(set_mocked_azure_provider())
app.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = app._get_apps()
mock_client.web_apps.list_by_resource_group.assert_not_called()
mock_client.web_apps.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
class Test_App_get_functions:
def test_get_functions_no_resource_groups(self):
mock_client = MagicMock()
mock_client.web_apps.list.return_value = []
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_azure_provider(),
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
):
from prowler.providers.azure.services.app.app_service import App
app = App(set_mocked_azure_provider())
app.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app.resource_groups = None
result = app._get_functions()
mock_client.web_apps.list.assert_called_once()
mock_client.web_apps.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_functions_with_resource_group(self):
mock_client = MagicMock()
mock_client.web_apps.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_azure_provider(),
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
):
from prowler.providers.azure.services.app.app_service import App
app = App(set_mocked_azure_provider())
app.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = app._get_functions()
mock_client.web_apps.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.web_apps.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_functions_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_azure_provider(),
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
):
from prowler.providers.azure.services.app.app_service import App
app = App(set_mocked_azure_provider())
app.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = app._get_functions()
mock_client.web_apps.list_by_resource_group.assert_not_called()
mock_client.web_apps.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
def test_get_apps_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.web_apps.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_azure_provider(),
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
):
from prowler.providers.azure.services.app.app_service import App
app = App(set_mocked_azure_provider())
app.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = app._get_apps()
assert mock_client.web_apps.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_apps_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.web_apps.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_azure_provider(),
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
):
from prowler.providers.azure.services.app.app_service import App
app = App(set_mocked_azure_provider())
app.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
app._get_apps()
mock_client.web_apps.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
class Test_App_get_functions_extra:
def test_get_functions_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.web_apps.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_azure_provider(),
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
):
from prowler.providers.azure.services.app.app_service import App
app = App(set_mocked_azure_provider())
app.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = app._get_functions()
assert mock_client.web_apps.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_functions_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.web_apps.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_azure_provider(),
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
):
from prowler.providers.azure.services.app.app_service import App
app = App(set_mocked_azure_provider())
app.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
app._get_functions()
mock_client.web_apps.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
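Review bot: the tests are filed under the wrong classes: `test_get_apps_with_multiple_resource_groups` and `test_get_apps_with_mixed_case_resource_group` exercise `_get_apps` but sit inside `Test_App_get_functions`, while their `_get_functions` counterparts were pushed into a separate `Test_App_get_functions_extra`; move the two `get_apps` tests into `Test_App_get_apps` and fold `_extra` back into `Test_App_get_functions`. Note also that every `list`/`list_by_resource_group` mock here returns `[]`, so nothing on the resource-group path checks that `_get_apps` and `_get_functions` still split web apps from function apps; returning one mock of each kind in at least one of the scoped tests would close that gap.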
@@ -1,4 +1,4 @@
from unittest.mock import patch
from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.appinsights.appinsights_service import (
AppInsights,
@@ -6,6 +6,8 @@ from prowler.providers.azure.services.appinsights.appinsights_service import (
)
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider,
)
@@ -54,3 +56,121 @@ class Test_AppInsights_Service:
appinsights.components[AZURE_SUBSCRIPTION_ID]["app_id-1"].location
== "westeurope"
)
class Test_AppInsights_get_components:
def test_get_components_no_resource_groups(self):
mock_component = MagicMock()
mock_component.app_id = "comp-app-id"
mock_component.id = "/subscriptions/sub/rg/appinsights"
mock_component.name = "ai-component"
mock_component.location = "westeurope"
mock_component.instrumentation_key = "ikey-123"
mock_client = MagicMock()
mock_client.components = MagicMock()
mock_client.components.list.return_value = [mock_component]
with patch(
"prowler.providers.azure.services.appinsights.appinsights_service.AppInsights._get_components",
return_value={},
):
app_insights = AppInsights(set_mocked_azure_provider())
app_insights.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app_insights.resource_groups = None
result = app_insights._get_components()
mock_client.components.list.assert_called_once()
mock_client.components.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert "comp-app-id" in result[AZURE_SUBSCRIPTION_ID]
def test_get_components_with_resource_group(self):
mock_component = MagicMock()
mock_component.app_id = "comp-app-id"
mock_component.id = "/subscriptions/sub/rg/appinsights"
mock_component.name = "ai-component"
mock_component.location = "westeurope"
mock_component.instrumentation_key = "ikey-123"
mock_client = MagicMock()
mock_client.components = MagicMock()
mock_client.components.list_by_resource_group.return_value = [mock_component]
with patch(
"prowler.providers.azure.services.appinsights.appinsights_service.AppInsights._get_components",
return_value={},
):
app_insights = AppInsights(set_mocked_azure_provider())
app_insights.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app_insights.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = app_insights._get_components()
mock_client.components.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.components.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert "comp-app-id" in result[AZURE_SUBSCRIPTION_ID]
def test_get_components_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.components = MagicMock()
with patch(
"prowler.providers.azure.services.appinsights.appinsights_service.AppInsights._get_components",
return_value={},
):
app_insights = AppInsights(set_mocked_azure_provider())
app_insights.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app_insights.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = app_insights._get_components()
mock_client.components.list_by_resource_group.assert_not_called()
mock_client.components.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
def test_get_components_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.components = MagicMock()
mock_client.components.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.appinsights.appinsights_service.AppInsights._get_components",
return_value={},
):
app_insights = AppInsights(set_mocked_azure_provider())
app_insights.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app_insights.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = app_insights._get_components()
assert mock_client.components.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_components_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.components = MagicMock()
mock_client.components.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.appinsights.appinsights_service.AppInsights._get_components",
return_value={},
):
app_insights = AppInsights(set_mocked_azure_provider())
app_insights.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app_insights.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
app_insights._get_components()
mock_client.components.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
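Review bot: `mock_component.id = "/subscriptions/sub/rg/appinsights"` is not a valid ARM resource id shape (no `/resourceGroups/` or `/providers/Microsoft.Insights/components/` segments), so if `_get_components` ever derives the resource group or resource name from the id, these tests would not notice a parsing error; build the id with the fixture, e.g. `f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}/providers/Microsoft.Insights/components/ai-component"`. As in the other service tests, `call_count == 2` in the multiple-resource-group test should be `len(RESOURCE_GROUP_LIST)`.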
@@ -3,6 +3,8 @@ from uuid import uuid4
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider,
)
@@ -89,3 +91,208 @@ class TestContainerRegistryService:
assert monitor_setting["logs"][0]["enabled"] is True
assert monitor_setting["logs"][1]["category"] == "AdminLogs"
assert monitor_setting["logs"][1]["enabled"] is False
class Test_ContainerRegistry_get_registries:
def test_get_container_registries_no_resource_groups(self):
from unittest.mock import MagicMock, patch
mock_client = MagicMock()
mock_client.registries.list.return_value = []
mock_provider = MagicMock()
mock_provider.identity = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
patch(
"prowler.providers.azure.services.containerregistry.containerregistry_service.ContainerRegistry._get_container_registries",
return_value={},
),
):
from prowler.providers.azure.services.containerregistry.containerregistry_service import (
ContainerRegistry,
)
cr = ContainerRegistry(set_mocked_azure_provider())
cr.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
cr.resource_groups = None
with patch(
"prowler.providers.azure.services.containerregistry.containerregistry_service.monitor_client"
):
result = cr._get_container_registries()
mock_client.registries.list.assert_called_once()
mock_client.registries.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_container_registries_with_resource_group(self):
from unittest.mock import MagicMock, patch
mock_client = MagicMock()
mock_client.registries.list_by_resource_group.return_value = []
mock_provider = MagicMock()
mock_provider.identity = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
patch(
"prowler.providers.azure.services.containerregistry.containerregistry_service.ContainerRegistry._get_container_registries",
return_value={},
),
):
from prowler.providers.azure.services.containerregistry.containerregistry_service import (
ContainerRegistry,
)
cr = ContainerRegistry(set_mocked_azure_provider())
cr.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
cr.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
with patch(
"prowler.providers.azure.services.containerregistry.containerregistry_service.monitor_client"
):
result = cr._get_container_registries()
mock_client.registries.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.registries.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_container_registries_empty_resource_group_for_subscription(self):
from unittest.mock import MagicMock, patch
mock_client = MagicMock()
mock_provider = MagicMock()
mock_provider.identity = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
patch(
"prowler.providers.azure.services.containerregistry.containerregistry_service.ContainerRegistry._get_container_registries",
return_value={},
),
):
from prowler.providers.azure.services.containerregistry.containerregistry_service import (
ContainerRegistry,
)
cr = ContainerRegistry(set_mocked_azure_provider())
cr.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
cr.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
with patch(
"prowler.providers.azure.services.containerregistry.containerregistry_service.monitor_client"
):
result = cr._get_container_registries()
mock_client.registries.list_by_resource_group.assert_not_called()
mock_client.registries.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
def test_get_container_registries_with_multiple_resource_groups(self):
from unittest.mock import MagicMock, patch
mock_client = MagicMock()
mock_client.registries.list_by_resource_group.return_value = []
mock_provider = MagicMock()
mock_provider.identity = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
patch(
"prowler.providers.azure.services.containerregistry.containerregistry_service.ContainerRegistry._get_container_registries",
return_value={},
),
):
from prowler.providers.azure.services.containerregistry.containerregistry_service import (
ContainerRegistry,
)
cr = ContainerRegistry(set_mocked_azure_provider())
cr.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
cr.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
with patch(
"prowler.providers.azure.services.containerregistry.containerregistry_service.monitor_client"
):
result = cr._get_container_registries()
assert mock_client.registries.list_by_resource_group.call_count == len(
RESOURCE_GROUP_LIST
)
mock_client.registries.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_container_registries_with_mixed_case_resource_group(self):
from unittest.mock import MagicMock, patch
mock_client = MagicMock()
mock_client.registries.list_by_resource_group.return_value = []
mock_provider = MagicMock()
mock_provider.identity = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
patch(
"prowler.providers.azure.services.containerregistry.containerregistry_service.ContainerRegistry._get_container_registries",
return_value={},
),
):
from prowler.providers.azure.services.containerregistry.containerregistry_service import (
ContainerRegistry,
)
cr = ContainerRegistry(set_mocked_azure_provider())
cr.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
cr.resource_groups = {AZURE_SUBSCRIPTION_ID: ["MyRegistry-RG"]}
with patch(
"prowler.providers.azure.services.containerregistry.containerregistry_service.monitor_client"
):
cr._get_container_registries()
mock_client.registries.list_by_resource_group.assert_called_once_with(
resource_group_name="MyRegistry-RG"
)
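Review bot: `from unittest.mock import MagicMock, patch` is repeated inside each of the five test methods; hoist it to the module imports next to `from uuid import uuid4`, since nothing about these names depends on the patch context. Otherwise this class is the strongest of the set: it asserts on `len(RESOURCE_GROUP_LIST)` rather than a literal, checks `registries.list.assert_not_called()` on the multi-group path, and uses a genuinely mixed-case name (`"MyRegistry-RG"`); the other service test files in this commit would benefit from the same three conventions.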
@@ -1,8 +1,10 @@
from unittest.mock import patch
from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.cosmosdb.cosmosdb_service import Account, CosmosDB
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider,
)
@@ -133,3 +135,114 @@ class Test_CosmosDB_Service_None_Handling:
== "Microsoft.Network/privateEndpoints"
)
assert account.disable_local_auth is True
class Test_CosmosDB_get_accounts:
def test_get_accounts_no_resource_groups(self):
mock_client = MagicMock()
mock_client.database_accounts.list.return_value = []
with patch(
"prowler.providers.azure.services.cosmosdb.cosmosdb_service.CosmosDB._get_accounts",
return_value={},
):
cosmosdb = CosmosDB(set_mocked_azure_provider())
cosmosdb.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
cosmosdb.resource_groups = None
result = cosmosdb._get_accounts()
mock_client.database_accounts.list.assert_called_once()
mock_client.database_accounts.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_accounts_with_resource_group(self):
mock_account = MagicMock()
mock_account.id = "account-id"
mock_account.name = "my-cosmos"
mock_account.kind = "GlobalDocumentDB"
mock_account.location = "eastus"
mock_account.type = "Microsoft.DocumentDB/databaseAccounts"
mock_account.tags = {}
mock_account.is_virtual_network_filter_enabled = False
mock_account.private_endpoint_connections = []
mock_account.disable_local_auth = False
mock_client = MagicMock()
mock_client.database_accounts.list_by_resource_group.return_value = [
mock_account
]
with patch(
"prowler.providers.azure.services.cosmosdb.cosmosdb_service.CosmosDB._get_accounts",
return_value={},
):
cosmosdb = CosmosDB(set_mocked_azure_provider())
cosmosdb.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
cosmosdb.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = cosmosdb._get_accounts()
mock_client.database_accounts.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.database_accounts.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert len(result[AZURE_SUBSCRIPTION_ID]) == 1
def test_get_accounts_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with patch(
"prowler.providers.azure.services.cosmosdb.cosmosdb_service.CosmosDB._get_accounts",
return_value={},
):
cosmosdb = CosmosDB(set_mocked_azure_provider())
cosmosdb.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
cosmosdb.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = cosmosdb._get_accounts()
mock_client.database_accounts.list_by_resource_group.assert_not_called()
mock_client.database_accounts.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == []
def test_get_accounts_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.database_accounts.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.cosmosdb.cosmosdb_service.CosmosDB._get_accounts",
return_value={},
):
cosmosdb = CosmosDB(set_mocked_azure_provider())
cosmosdb.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
cosmosdb.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = cosmosdb._get_accounts()
assert mock_client.database_accounts.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_accounts_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.database_accounts.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.cosmosdb.cosmosdb_service.CosmosDB._get_accounts",
return_value={},
):
cosmosdb = CosmosDB(set_mocked_azure_provider())
cosmosdb.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
cosmosdb.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
cosmosdb._get_accounts()
mock_client.database_accounts.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
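Review bot: `test_get_accounts_with_mixed_case_resource_group` does not exercise mixed case: it sets `cosmosdb.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}` and asserts `resource_group_name="RG"`, which is the same pass-through already covered by `test_get_accounts_with_resource_group`. Either use a genuinely mixed-case name (for example `"My-Cosmos-Rg"`) and assert the form the service is expected to forward to the SDK, or rename the test to say what it actually checks. Minor: in `test_get_accounts_with_multiple_resource_groups`, `call_count == 2` hard-codes the size of the fixture; `len(RESOURCE_GROUP_LIST)` together with `assert_has_calls` on the two names would pin down which groups were queried.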
@@ -1,4 +1,4 @@
from unittest.mock import patch
from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.databricks.databricks_service import (
Databricks,
@@ -7,6 +7,8 @@ from prowler.providers.azure.services.databricks.databricks_service import (
)
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider,
)
@@ -94,3 +96,123 @@ class Test_Databricks_Service_No_Encryption:
assert workspace.location == "eastus"
assert workspace.custom_managed_vnet_id == "test-vnet-id"
assert workspace.managed_disk_encryption is None
class Test_Databricks_get_workspaces:
def test_get_workspaces_no_resource_groups(self):
mock_workspace = MagicMock()
mock_workspace.id = "ws-id-1"
mock_workspace.name = "my-workspace"
mock_workspace.location = "eastus"
mock_workspace.parameters = None
mock_workspace.encryption = None
mock_workspace.public_network_access = None
mock_client = MagicMock()
mock_client.workspaces = MagicMock()
mock_client.workspaces.list_by_subscription.return_value = [mock_workspace]
with patch(
"prowler.providers.azure.services.databricks.databricks_service.Databricks._get_workspaces",
return_value={},
):
databricks = Databricks(set_mocked_azure_provider())
databricks.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
databricks.resource_groups = None
result = databricks._get_workspaces()
mock_client.workspaces.list_by_subscription.assert_called_once()
mock_client.workspaces.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert "ws-id-1" in result[AZURE_SUBSCRIPTION_ID]
def test_get_workspaces_with_resource_group(self):
mock_workspace = MagicMock()
mock_workspace.id = "ws-id-1"
mock_workspace.name = "my-workspace"
mock_workspace.location = "eastus"
mock_workspace.parameters = None
mock_workspace.encryption = None
mock_workspace.public_network_access = None
mock_client = MagicMock()
mock_client.workspaces = MagicMock()
mock_client.workspaces.list_by_resource_group.return_value = [mock_workspace]
with patch(
"prowler.providers.azure.services.databricks.databricks_service.Databricks._get_workspaces",
return_value={},
):
databricks = Databricks(set_mocked_azure_provider())
databricks.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
databricks.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = databricks._get_workspaces()
mock_client.workspaces.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.workspaces.list_by_subscription.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert "ws-id-1" in result[AZURE_SUBSCRIPTION_ID]
def test_get_workspaces_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.workspaces = MagicMock()
with patch(
"prowler.providers.azure.services.databricks.databricks_service.Databricks._get_workspaces",
return_value={},
):
databricks = Databricks(set_mocked_azure_provider())
databricks.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
databricks.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = databricks._get_workspaces()
mock_client.workspaces.list_by_resource_group.assert_not_called()
mock_client.workspaces.list_by_subscription.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
def test_get_workspaces_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.workspaces = MagicMock()
mock_client.workspaces.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.databricks.databricks_service.Databricks._get_workspaces",
return_value={},
):
databricks = Databricks(set_mocked_azure_provider())
databricks.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
databricks.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = databricks._get_workspaces()
assert mock_client.workspaces.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_workspaces_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.workspaces = MagicMock()
mock_client.workspaces.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.databricks.databricks_service.Databricks._get_workspaces",
return_value={},
):
databricks = Databricks(set_mocked_azure_provider())
databricks.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
databricks.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
databricks._get_workspaces()
mock_client.workspaces.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
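Review bot: `test_get_workspaces_with_multiple_resource_groups` only checks `list_by_resource_group.call_count == 2`, so a regression that queried the same group twice would still pass; assert the calls themselves, e.g. `mock_client.workspaces.list_by_resource_group.assert_has_calls([call(resource_group_name=rg) for rg in RESOURCE_GROUP_LIST], any_order=True)` with `call` imported from `unittest.mock`. The `mixed_case` test here has the same gap as its CosmosDB counterpart: `["RG"]` is not mixed case, and its assertion duplicates `test_get_workspaces_with_resource_group`.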
@@ -16,6 +16,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_additional_email_configured_with_a_security_contact:
def test_defender_no_subscriptions(self):
defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {}
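Review bot: these check tests use `defender_client.resource_groups = {}` as the "no filtering" state, while the service tests in this commit use `resource_groups = None` for the same meaning (e.g. `cosmosdb.resource_groups = None`) and reserve `{AZURE_SUBSCRIPTION_ID: []}` for "filter set but nothing to scan". Worth confirming the defender checks treat `{}` and `None` identically, and settling on one sentinel in the fixtures, so that a later change to how an empty dict is interpreted does not silently make every defender check skip its subscriptions.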
@@ -40,6 +41,7 @@ class Test_defender_additional_email_configured_with_a_security_contact:
def test_defender_no_additional_emails(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: {
@@ -87,6 +89,7 @@ class Test_defender_additional_email_configured_with_a_security_contact:
def test_defender_additional_email_configured(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_assessments_vm_endpoint_protection_installed:
def test_defender_no_subscriptions(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {}
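Review bot: in `test_defender_no_subscriptions` (and the other tests in this file) `defender_client = mock.MagicMock` is the class, not an instance, so `defender_client.resource_groups = {}` sets a class attribute on `MagicMock` itself and every `MagicMock()` created afterwards in the same process inherits `resource_groups == {}`, which can mask or cause ordering-dependent failures in unrelated tests. The missing `()` predates this commit, but since the new line is being added to all of these mocks this is the moment to fix it: `defender_client = mock.MagicMock()`. The same applies to the other defender check files below that use `mock.MagicMock` without parentheses.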
@@ -36,6 +37,7 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
def test_defender_subscriptions_with_no_assessments(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {AZURE_SUBSCRIPTION_ID: {}}
@@ -59,6 +61,7 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
def test_defender_subscriptions_with_healthy_assessments(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
resource_id = str(uuid4())
defender_client.assessments = {
@@ -98,6 +101,7 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
def test_defender_subscriptions_with_unhealthy_assessments(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
resource_id = str(uuid4())
defender_client.assessments = {
@@ -16,6 +16,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_attack_path_notifications_properly_configured:
def test_no_subscriptions(self):
defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {}
defender_client.audit_config = {}
@@ -41,6 +42,7 @@ class Test_defender_attack_path_notifications_properly_configured:
resource_id = str(uuid4())
contact_name = "default"
defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: {
@@ -89,6 +91,7 @@ class Test_defender_attack_path_notifications_properly_configured:
resource_id = str(uuid4())
contact_name = "default"
defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: {
@@ -139,6 +142,7 @@ class Test_defender_attack_path_notifications_properly_configured:
resource_id = str(uuid4())
contact_name = "default"
defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: {
@@ -189,6 +193,7 @@ class Test_defender_attack_path_notifications_properly_configured:
resource_id = str(uuid4())
contact_name = "default"
defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: {
@@ -237,6 +242,7 @@ class Test_defender_attack_path_notifications_properly_configured:
resource_id = str(uuid4())
contact_name = "default"
defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: {
@@ -285,6 +291,7 @@ class Test_defender_attack_path_notifications_properly_configured:
resource_id = str(uuid4())
contact_name = "default"
defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: {
@@ -333,6 +340,7 @@ class Test_defender_attack_path_notifications_properly_configured:
resource_id = str(uuid4())
contact_name = "default"
defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: {
@@ -15,6 +15,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
def test_defender_no_app_services(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.auto_provisioning_settings = {}
@@ -39,6 +40,7 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
def test_defender_auto_provisioning_log_analytics_off(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.auto_provisioning_settings = {
AZURE_SUBSCRIPTION_ID: {
@@ -80,6 +82,7 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
def test_defender_auto_provisioning_log_analytics_on(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.auto_provisioning_settings = {
AZURE_SUBSCRIPTION_ID: {
@@ -121,6 +124,7 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
def test_defender_auto_provisioning_log_analytics_on_and_off(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.auto_provisioning_settings = {
AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
def test_defender_no_app_services(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {}
@@ -37,6 +38,7 @@ class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
def test_defender_machines_no_vulnerability_assessment_solution(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {
AZURE_SUBSCRIPTION_ID: {
@@ -77,6 +79,7 @@ class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
def test_defender_machines_vulnerability_assessment_solution(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {
AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_container_images_resolved_vulnerabilities:
def test_defender_no_subscriptions(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {}
@@ -36,6 +37,7 @@ class Test_defender_container_images_resolved_vulnerabilities:
def test_defender_subscription_empty(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {AZURE_SUBSCRIPTION_ID: {}}
@@ -59,6 +61,7 @@ class Test_defender_container_images_resolved_vulnerabilities:
def test_defender_subscription_no_assesment(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {
AZURE_SUBSCRIPTION_ID: {
@@ -90,6 +93,7 @@ class Test_defender_container_images_resolved_vulnerabilities:
def test_defender_subscription_assesment_unhealthy(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {
AZURE_SUBSCRIPTION_ID: {
@@ -139,6 +143,7 @@ class Test_defender_container_images_resolved_vulnerabilities:
def test_defender_subscription_assesment_healthy(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {
AZURE_SUBSCRIPTION_ID: {
@@ -188,6 +193,7 @@ class Test_defender_container_images_resolved_vulnerabilities:
def test_defender_subscription_assesment_not_applicable(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {
AZURE_SUBSCRIPTION_ID: {
@@ -14,6 +14,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_container_images_scan_enabled:
def test_defender_no_subscriptions(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_container_images_scan_enabled:
def test_defender_subscription_empty(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {AZURE_SUBSCRIPTION_ID: {}}
@@ -60,6 +62,7 @@ class Test_defender_container_images_scan_enabled:
def test_defender_subscription_no_containers(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -92,6 +95,7 @@ class Test_defender_container_images_scan_enabled:
def test_defender_subscription_containers_no_extensions(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -137,6 +141,7 @@ class Test_defender_container_images_scan_enabled:
def test_defender_subscription_containers_container_images_scan_off(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -182,6 +187,7 @@ class Test_defender_container_images_scan_enabled:
def test_defender_subscription_containers_container_images_scan_on(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_app_services_is_on:
def test_defender_no_app_services(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_app_services_is_on:
def test_defender_app_services_pricing_tier_not_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_app_services_is_on:
def test_defender_app_services_pricing_tier_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_arm_is_on:
def test_defender_no_arm(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_arm_is_on:
def test_defender_arm_pricing_tier_not_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_arm_is_on:
def test_defender_arm_pricing_tier_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
def test_defender_no_sql_databases(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
def test_defender_sql_databases_pricing_tier_not_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
def test_defender_sql_databases_pricing_tier_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_containers_is_on:
def test_defender_no_container_registries(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_containers_is_on:
def test_defender_container_registries_pricing_tier_not_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_containers_is_on:
def test_defender_container_registries_pricing_tier_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_cosmosdb_is_on:
def test_defender_no_cosmosdb(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_cosmosdb_is_on:
def test_defender_cosmosdb_pricing_tier_not_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_cosmosdb_is_on:
def test_defender_cosmosdb_pricing_tier_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_databases_is_on:
def test_defender_no_databases(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
def test_defender_databases_sql_servers(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -70,6 +72,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
def test_defender_databases_sql_server_virtual_machines(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -103,6 +106,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
def test_defender_databases_open_source_relation_databases(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -136,6 +140,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
def test_defender_databases_cosmosdbs(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -169,6 +174,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
def test_defender_databases_all_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -228,6 +234,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
def test_defender_databases_cosmosdb_not_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_dns_is_on:
def test_defender_no_dns(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_dns_is_on:
def test_defender_dns_pricing_tier_not_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_dns_is_on:
def test_defender_dns_pricing_tier_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_keyvault_is_on:
def test_defender_no_keyvaults(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_keyvault_is_on:
def test_defender_keyvaults_pricing_tier_not_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_keyvault_is_on:
def test_defender_keyvaults_pricing_tier_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_os_relational_databases_is_on:
def test_defender_no_os_relational_databases(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_os_relational_databases_is_on:
def test_defender_os_relational_databases_pricing_tier_not_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -81,6 +83,7 @@ class Test_defender_ensure_defender_for_os_relational_databases_is_on:
def test_defender_os_relational_databases_pricing_tier_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_server_is_on:
def test_defender_no_server(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_server_is_on:
def test_defender_server_pricing_tier_not_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_server_is_on:
def test_defender_server_pricing_tier_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_sql_servers_is_on:
def test_defender_no_server(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_sql_servers_is_on:
def test_defender_server_pricing_tier_not_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_sql_servers_is_on:
def test_defender_server_pricing_tier_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_storage_is_on:
def test_defender_no_server(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_storage_is_on:
def test_defender_server_pricing_tier_not_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_storage_is_on:
def test_defender_server_pricing_tier_standard(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: {
@@ -15,6 +15,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_iot_hub_defender_is_on:
def test_defender_no_subscriptions(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.iot_security_solutions = {}
@@ -38,6 +39,7 @@ class Test_defender_ensure_iot_hub_defender_is_on:
def test_defender_no_iot_hub_solutions(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.iot_security_solutions = {AZURE_SUBSCRIPTION_ID: {}}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
@@ -69,6 +71,7 @@ class Test_defender_ensure_iot_hub_defender_is_on:
def test_defender_iot_hub_solution_disabled(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.iot_security_solutions = {
AZURE_SUBSCRIPTION_ID: {
@@ -106,6 +109,7 @@ class Test_defender_ensure_iot_hub_defender_is_on:
def test_defender_iot_hub_solution_enabled(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.iot_security_solutions = {
AZURE_SUBSCRIPTION_ID: {
@@ -145,6 +149,7 @@ class Test_defender_ensure_iot_hub_defender_is_on:
resource_id_enabled = str(uuid4())
resource_id_disabled = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.iot_security_solutions = {
AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_mcas_is_enabled:
def test_defender_no_settings(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.settings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_mcas_is_enabled:
def test_defender_mcas_disabled(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.settings = {
AZURE_SUBSCRIPTION_ID: {
@@ -79,6 +81,7 @@ class Test_defender_ensure_mcas_is_enabled:
def test_defender_mcas_enabled(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.settings = {
AZURE_SUBSCRIPTION_ID: {
@@ -120,6 +123,7 @@ class Test_defender_ensure_mcas_is_enabled:
def test_defender_mcas_no_settings(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.settings = {AZURE_SUBSCRIPTION_ID: {}}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
@@ -16,6 +16,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_notify_alerts_severity_is_high:
def test_defender_no_subscriptions(self):
defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {}
@@ -40,6 +41,7 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
def test_defender_severity_alerts_critical(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: {
@@ -87,6 +89,7 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
def test_defender_severity_alerts_high(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: {
@@ -135,6 +138,7 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
def test_defender_severity_alerts_low(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: {
@@ -182,6 +186,7 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
def test_defender_default_security_contact_not_found(self):
defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: {
@@ -16,6 +16,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_notify_emails_to_owners:
def test_defender_no_subscriptions(self):
defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {}
@@ -40,6 +41,7 @@ class Test_defender_ensure_notify_emails_to_owners:
def test_defender_no_notify_emails_to_owners(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: {
@@ -80,6 +82,7 @@ class Test_defender_ensure_notify_emails_to_owners:
def test_defender_notify_emails_to_owners_off(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: {
@@ -127,6 +130,7 @@ class Test_defender_ensure_notify_emails_to_owners:
def test_defender_notify_emails_to_owners(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_system_updates_are_applied:
def test_defender_no_app_services(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_system_updates_are_applied:
def test_defender_machines_no_log_analytics_installed(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {
AZURE_SUBSCRIPTION_ID: {
@@ -89,6 +91,7 @@ class Test_defender_ensure_system_updates_are_applied:
):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {
AZURE_SUBSCRIPTION_ID: {
@@ -139,6 +142,7 @@ class Test_defender_ensure_system_updates_are_applied:
def test_defender_machines_no_system_updates_installed(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {
AZURE_SUBSCRIPTION_ID: {
@@ -191,6 +195,7 @@ class Test_defender_ensure_system_updates_are_applied:
):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {
AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_wdatp_is_enabled:
def test_defender_no_settings(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.settings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_wdatp_is_enabled:
def test_defender_wdatp_disabled(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.settings = {
AZURE_SUBSCRIPTION_ID: {
@@ -79,6 +81,7 @@ class Test_defender_ensure_wdatp_is_enabled:
def test_defender_wdatp_enabled(self):
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.settings = {
AZURE_SUBSCRIPTION_ID: {
@@ -120,6 +123,7 @@ class Test_defender_ensure_wdatp_is_enabled:
def test_defender_wdatp_no_settings(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.settings = {AZURE_SUBSCRIPTION_ID: {}}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
@@ -1,5 +1,5 @@
from datetime import timedelta
from unittest.mock import patch
from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.defender.defender_service import (
Assesment,
@@ -13,6 +13,8 @@ from prowler.providers.azure.services.defender.defender_service import (
)
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider,
)
@@ -358,3 +360,263 @@ class Test_Defender_Service_Assessments_None_Handling:
"Assessment Unhealthy"
]
assert assessment_unhealthy.status == "Unhealthy"
DEFENDER_INIT_PATCHES = [
"prowler.providers.azure.services.defender.defender_service.Defender._get_pricings",
"prowler.providers.azure.services.defender.defender_service.Defender._get_auto_provisioning_settings",
"prowler.providers.azure.services.defender.defender_service.Defender._get_assessments",
"prowler.providers.azure.services.defender.defender_service.Defender._get_settings",
"prowler.providers.azure.services.defender.defender_service.Defender._get_security_contacts",
"prowler.providers.azure.services.defender.defender_service.Defender._get_iot_security_solutions",
"prowler.providers.azure.services.defender.defender_service.Defender._get_jit_policies",
]
class Test_Defender_get_iot_security_solutions:
def test_get_iot_security_solutions_no_resource_groups(self):
mock_client = MagicMock()
mock_client.iot_security_solution.list_by_subscription.return_value = []
with (
patch(DEFENDER_INIT_PATCHES[0], return_value={}),
patch(DEFENDER_INIT_PATCHES[1], return_value={}),
patch(DEFENDER_INIT_PATCHES[2], return_value={}),
patch(DEFENDER_INIT_PATCHES[3], return_value={}),
patch(DEFENDER_INIT_PATCHES[4], return_value={}),
patch(DEFENDER_INIT_PATCHES[5], return_value={}),
patch(DEFENDER_INIT_PATCHES[6], return_value={}),
):
defender = Defender(set_mocked_azure_provider())
defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
defender.resource_groups = None
result = defender._get_iot_security_solutions()
mock_client.iot_security_solution.list_by_subscription.assert_called_once()
mock_client.iot_security_solution.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_iot_security_solutions_with_resource_group(self):
mock_client = MagicMock()
mock_client.iot_security_solution.list_by_resource_group.return_value = []
with (
patch(DEFENDER_INIT_PATCHES[0], return_value={}),
patch(DEFENDER_INIT_PATCHES[1], return_value={}),
patch(DEFENDER_INIT_PATCHES[2], return_value={}),
patch(DEFENDER_INIT_PATCHES[3], return_value={}),
patch(DEFENDER_INIT_PATCHES[4], return_value={}),
patch(DEFENDER_INIT_PATCHES[5], return_value={}),
patch(DEFENDER_INIT_PATCHES[6], return_value={}),
):
defender = Defender(set_mocked_azure_provider())
defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
defender.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = defender._get_iot_security_solutions()
mock_client.iot_security_solution.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.iot_security_solution.list_by_subscription.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_iot_security_solutions_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with (
patch(DEFENDER_INIT_PATCHES[0], return_value={}),
patch(DEFENDER_INIT_PATCHES[1], return_value={}),
patch(DEFENDER_INIT_PATCHES[2], return_value={}),
patch(DEFENDER_INIT_PATCHES[3], return_value={}),
patch(DEFENDER_INIT_PATCHES[4], return_value={}),
patch(DEFENDER_INIT_PATCHES[5], return_value={}),
patch(DEFENDER_INIT_PATCHES[6], return_value={}),
):
defender = Defender(set_mocked_azure_provider())
defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
defender.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = defender._get_iot_security_solutions()
mock_client.iot_security_solution.list_by_resource_group.assert_not_called()
mock_client.iot_security_solution.list_by_subscription.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
class Test_Defender_get_jit_policies:
def test_get_jit_policies_no_resource_groups(self):
mock_client = MagicMock()
mock_client.jit_network_access_policies.list.return_value = []
with (
patch(DEFENDER_INIT_PATCHES[0], return_value={}),
patch(DEFENDER_INIT_PATCHES[1], return_value={}),
patch(DEFENDER_INIT_PATCHES[2], return_value={}),
patch(DEFENDER_INIT_PATCHES[3], return_value={}),
patch(DEFENDER_INIT_PATCHES[4], return_value={}),
patch(DEFENDER_INIT_PATCHES[5], return_value={}),
patch(DEFENDER_INIT_PATCHES[6], return_value={}),
):
defender = Defender(set_mocked_azure_provider())
defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
defender.resource_groups = None
result = defender._get_jit_policies()
mock_client.jit_network_access_policies.list.assert_called_once()
mock_client.jit_network_access_policies.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_jit_policies_with_resource_group(self):
mock_client = MagicMock()
mock_client.jit_network_access_policies.list_by_resource_group.return_value = []
with (
patch(DEFENDER_INIT_PATCHES[0], return_value={}),
patch(DEFENDER_INIT_PATCHES[1], return_value={}),
patch(DEFENDER_INIT_PATCHES[2], return_value={}),
patch(DEFENDER_INIT_PATCHES[3], return_value={}),
patch(DEFENDER_INIT_PATCHES[4], return_value={}),
patch(DEFENDER_INIT_PATCHES[5], return_value={}),
patch(DEFENDER_INIT_PATCHES[6], return_value={}),
):
defender = Defender(set_mocked_azure_provider())
defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
defender.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = defender._get_jit_policies()
mock_client.jit_network_access_policies.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.jit_network_access_policies.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_jit_policies_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with (
patch(DEFENDER_INIT_PATCHES[0], return_value={}),
patch(DEFENDER_INIT_PATCHES[1], return_value={}),
patch(DEFENDER_INIT_PATCHES[2], return_value={}),
patch(DEFENDER_INIT_PATCHES[3], return_value={}),
patch(DEFENDER_INIT_PATCHES[4], return_value={}),
patch(DEFENDER_INIT_PATCHES[5], return_value={}),
patch(DEFENDER_INIT_PATCHES[6], return_value={}),
):
defender = Defender(set_mocked_azure_provider())
defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
defender.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = defender._get_jit_policies()
mock_client.jit_network_access_policies.list_by_resource_group.assert_not_called()
mock_client.jit_network_access_policies.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
def test_get_iot_security_solutions_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.iot_security_solution.list_by_resource_group.return_value = []
with (
patch(DEFENDER_INIT_PATCHES[0], return_value={}),
patch(DEFENDER_INIT_PATCHES[1], return_value={}),
patch(DEFENDER_INIT_PATCHES[2], return_value={}),
patch(DEFENDER_INIT_PATCHES[3], return_value={}),
patch(DEFENDER_INIT_PATCHES[4], return_value={}),
patch(DEFENDER_INIT_PATCHES[5], return_value={}),
patch(DEFENDER_INIT_PATCHES[6], return_value={}),
):
defender = Defender(set_mocked_azure_provider())
defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
defender.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = defender._get_iot_security_solutions()
assert mock_client.iot_security_solution.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_iot_security_solutions_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.iot_security_solution.list_by_resource_group.return_value = []
with (
patch(DEFENDER_INIT_PATCHES[0], return_value={}),
patch(DEFENDER_INIT_PATCHES[1], return_value={}),
patch(DEFENDER_INIT_PATCHES[2], return_value={}),
patch(DEFENDER_INIT_PATCHES[3], return_value={}),
patch(DEFENDER_INIT_PATCHES[4], return_value={}),
patch(DEFENDER_INIT_PATCHES[5], return_value={}),
patch(DEFENDER_INIT_PATCHES[6], return_value={}),
):
defender = Defender(set_mocked_azure_provider())
defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
defender.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
defender._get_iot_security_solutions()
mock_client.iot_security_solution.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
class Test_Defender_get_jit_policies_extra:
def test_get_jit_policies_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.jit_network_access_policies.list_by_resource_group.return_value = []
with (
patch(DEFENDER_INIT_PATCHES[0], return_value={}),
patch(DEFENDER_INIT_PATCHES[1], return_value={}),
patch(DEFENDER_INIT_PATCHES[2], return_value={}),
patch(DEFENDER_INIT_PATCHES[3], return_value={}),
patch(DEFENDER_INIT_PATCHES[4], return_value={}),
patch(DEFENDER_INIT_PATCHES[5], return_value={}),
patch(DEFENDER_INIT_PATCHES[6], return_value={}),
):
defender = Defender(set_mocked_azure_provider())
defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
defender.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = defender._get_jit_policies()
assert (
mock_client.jit_network_access_policies.list_by_resource_group.call_count
== 2
)
assert AZURE_SUBSCRIPTION_ID in result
def test_get_jit_policies_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.jit_network_access_policies.list_by_resource_group.return_value = []
with (
patch(DEFENDER_INIT_PATCHES[0], return_value={}),
patch(DEFENDER_INIT_PATCHES[1], return_value={}),
patch(DEFENDER_INIT_PATCHES[2], return_value={}),
patch(DEFENDER_INIT_PATCHES[3], return_value={}),
patch(DEFENDER_INIT_PATCHES[4], return_value={}),
patch(DEFENDER_INIT_PATCHES[5], return_value={}),
patch(DEFENDER_INIT_PATCHES[6], return_value={}),
):
defender = Defender(set_mocked_azure_provider())
defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
defender.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
defender._get_jit_policies()
mock_client.jit_network_access_policies.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
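Review bot: `test_get_iot_security_solutions_with_multiple_resource_groups` and `test_get_iot_security_solutions_with_mixed_case_resource_group` are defined inside `Test_Defender_get_jit_policies` (they follow `test_get_jit_policies_empty_resource_group_for_subscription` and precede `class Test_Defender_get_jit_policies_extra`), while the matching JIT tests are split off into a separate `_extra` class; move the two IoT tests into `Test_Defender_get_iot_security_solutions` and fold `_extra` back into `Test_Defender_get_jit_policies`. The assertions `list_by_resource_group.call_count == 2` hard-code the length of `RESOURCE_GROUP_LIST`; compare against `len(RESOURCE_GROUP_LIST)` so a fixture change cannot break them silently. The seven `patch(DEFENDER_INIT_PATCHES[i], return_value={})` lines repeated in every test would read better as one helper context manager built on `contextlib.ExitStack`, or a pytest fixture that yields a `Defender` with its collectors stubbed. The mixed-case tests only assert that `"RG"` reaches `list_by_resource_group` unchanged; if the intent is case normalisation of user-supplied names, that is not what is verified, so either rename them to say pass-through or assert on the normalised form. Lastly, the `_empty_resource_group_for_subscription` tests pin down that a subscription with no matching resource group yields `{}` without falling back to the subscription-wide listing, which is the right fail-closed behaviour for a scope filter; a one-line docstring stating that would stop someone "fixing" it later.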
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_conditional_access_policy_require_mfa_for_admin_portals:
def test_entra_no_subscriptions(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
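Review bot: as in the defender hunks, `entra_client = mock.MagicMock` is the class, not an instance, so `entra_client.resource_groups = {}` mutates `unittest.mock.MagicMock` for every test that runs afterwards; use `mock.MagicMock()`. The header `@@ -7,7 +7,7 @@` records a one-for-one replacement but only the added line is visible in this rendering, so confirm the removed line was a blank line. Entra is tenant-scoped and has no resource groups, so a short comment on why the attribute must exist on this mock would keep the assignment from looking like a copy-paste leftover.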
@@ -30,7 +30,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_admin_portals:
def test_entra_tenant_no_policies(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -61,6 +61,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_admin_portals:
def test_entra_tenant_policy_no_mfa(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
policy_id = str(uuid4())
with (
@@ -105,6 +106,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_admin_portals:
def test_entra_tenant_policy_mfa(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
policy_id = str(uuid4())
with (
@@ -149,6 +151,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_admin_portals:
def test_entra_tenant_policy_mfa_disabled(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
policy_id = str(uuid4())
with (
@@ -193,6 +196,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_admin_portals:
def test_entra_tenant_policy_mfa_no_target(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
policy_id = str(uuid4())
with (
@@ -237,6 +241,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_admin_portals:
def test_entra_tenant_policy_mfa_no_users(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
policy_id = str(uuid4())
with (
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_conditional_access_policy_require_mfa_for_management_api:
def test_entra_no_subscriptions(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -30,7 +30,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_management_api:
def test_entra_tenant_no_policies(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -61,6 +61,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_management_api:
def test_entra_tenant_policy_no_mfa(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
policy_id = str(uuid4())
with (
@@ -105,6 +106,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_management_api:
def test_entra_tenant_policy_mfa(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
policy_id = str(uuid4())
with (
@@ -149,6 +151,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_management_api:
def test_entra_tenant_policy_mfa_disabled(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
policy_id = str(uuid4())
with (
@@ -193,6 +196,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_management_api:
def test_entra_tenant_policy_mfa_no_target(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
policy_id = str(uuid4())
with (
@@ -237,6 +241,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_management_api:
def test_entra_tenant_policy_mfa_no_users(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
policy_id = str(uuid4())
with (
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_global_admin_in_less_than_five_users:
def test_entra_no_tenants(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -32,7 +32,7 @@ class Test_entra_global_admin_in_less_than_five_users:
def test_entra_tenant_empty(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -57,7 +57,7 @@ class Test_entra_global_admin_in_less_than_five_users:
def test_entra_less_than_five_global_admins(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -110,7 +110,7 @@ class Test_entra_global_admin_in_less_than_five_users:
def test_entra_more_than_five_global_admins(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -178,7 +178,7 @@ class Test_entra_global_admin_in_less_than_five_users:
def test_entra_exactly_five_global_admins(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_non_privileged_user_has_mfa:
def test_entra_no_tenants(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -30,7 +30,7 @@ class Test_entra_non_privileged_user_has_mfa:
def test_entra_tenant_no_users(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -53,6 +53,7 @@ class Test_entra_non_privileged_user_has_mfa:
def test_entra_user_no_privileged_no_mfa(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
user_id = str(uuid4())
with (
@@ -100,6 +101,7 @@ class Test_entra_non_privileged_user_has_mfa:
def test_entra_user_no_privileged_mfa(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
user_id = str(uuid4())
with (
@@ -144,6 +146,7 @@ class Test_entra_non_privileged_user_has_mfa:
def test_entra_disabled_user_no_privileged_no_mfa(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
user_id = str(uuid4())
with (
@@ -184,6 +187,7 @@ class Test_entra_non_privileged_user_has_mfa:
def test_entra_disabled_user_no_privileged_mfa(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
user_id = str(uuid4())
with (
@@ -224,6 +228,7 @@ class Test_entra_non_privileged_user_has_mfa:
def test_entra_user_privileged_no_mfa(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
user_id = str(uuid4())
with (
@@ -265,6 +270,7 @@ class Test_entra_non_privileged_user_has_mfa:
def test_entra_user_privileged_mfa(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
user_id = str(uuid4())
with (
@@ -7,6 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_policy_default_users_cannot_create_security_groups:
def test_entra_no_tenants(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
entra_client.authorization_policy = {}
with (
@@ -29,6 +30,7 @@ class Test_entra_policy_default_users_cannot_create_security_groups:
def test_entra_tenant_empty(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4())
with (
@@ -75,6 +77,7 @@ class Test_entra_policy_default_users_cannot_create_security_groups:
self,
):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4())
with (
@@ -124,6 +127,7 @@ class Test_entra_policy_default_users_cannot_create_security_groups:
self,
):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4())
with (
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_policy_ensure_default_user_cannot_create_apps:
def test_entra_no_tenants(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -30,6 +30,7 @@ class Test_entra_policy_ensure_default_user_cannot_create_apps:
def test_entra_tenant_empty(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4())
with (
@@ -75,7 +76,7 @@ class Test_entra_policy_ensure_default_user_cannot_create_apps:
def test_entra_default_user_role_permissions_not_allowed_to_create_apps(self):
id = str(uuid4())
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -122,7 +123,7 @@ class Test_entra_policy_ensure_default_user_cannot_create_apps:
def test_entra_default_user_role_permissions_allowed_to_create_apps(self):
id = str(uuid4())
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -7,6 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_policy_ensure_default_user_cannot_create_tenants:
def test_entra_no_tenants(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
entra_client.authorization_policy = {}
with (
@@ -29,6 +30,7 @@ class Test_entra_policy_ensure_default_user_cannot_create_tenants:
def test_entra_empty_tenant(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4())
with (
@@ -74,7 +76,7 @@ class Test_entra_policy_ensure_default_user_cannot_create_tenants:
def test_entra_default_user_role_permissions_not_allowed_to_create_tenants(self):
id = str(uuid4())
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -121,7 +123,7 @@ class Test_entra_policy_ensure_default_user_cannot_create_tenants:
def test_entra_default_user_role_permissions_allowed_to_create_tenants(self):
id = str(uuid4())
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_policy_guest_invite_only_for_admin_roles:
def test_entra_no_tenants(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -30,6 +30,7 @@ class Test_entra_policy_guest_invite_only_for_admin_roles:
def test_entra_empty_tenant(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4())
with (
@@ -76,6 +77,7 @@ class Test_entra_policy_guest_invite_only_for_admin_roles:
def test_entra_tenant_policy_allow_invites_from_everyone(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4())
with (
@@ -120,6 +122,7 @@ class Test_entra_policy_guest_invite_only_for_admin_roles:
def test_entra_tenant_policy_allow_invites_from_admins(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4())
with (
@@ -164,6 +167,7 @@ class Test_entra_policy_guest_invite_only_for_admin_roles:
def test_entra_tenant_policy_allow_invites_from_none(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4())
with (
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_policy_guest_users_access_restrictions:
def test_entra_no_tenants(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -30,6 +30,7 @@ class Test_entra_policy_guest_users_access_restrictions:
def test_entra_tenant_empty(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4())
with (
@@ -74,6 +75,7 @@ class Test_entra_policy_guest_users_access_restrictions:
def test_entra_tenant_policy_access_same_as_member(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4())
with (
@@ -117,6 +119,7 @@ class Test_entra_policy_guest_users_access_restrictions:
def test_entra_tenant_policy_limited_access(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4())
with (
@@ -160,6 +163,7 @@ class Test_entra_policy_guest_users_access_restrictions:
def test_entra_tenant_policy_access_restricted(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4())
with (
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_policy_restricts_user_consent_for_apps:
def test_entra_no_tenants(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -30,6 +30,7 @@ class Test_entra_policy_restricts_user_consent_for_apps:
def test_entra_tenant_empty(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4())
with (
@@ -74,7 +75,7 @@ class Test_entra_policy_restricts_user_consent_for_apps:
def test_entra_tenant_no_default_user_role_permissions(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -116,7 +117,7 @@ class Test_entra_policy_restricts_user_consent_for_apps:
def test_entra_tenant_no_consent(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -162,7 +163,7 @@ class Test_entra_policy_restricts_user_consent_for_apps:
def test_entra_tenant_legacy_consent(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_policy_user_consent_for_verified_apps:
def test_entra_no_subscriptions(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -30,7 +30,7 @@ class Test_entra_policy_user_consent_for_verified_apps:
def test_entra_tenant_no_consent(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -76,7 +76,7 @@ class Test_entra_policy_user_consent_for_verified_apps:
def test_entra_tenant_legacy_consent(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_privileged_user_has_mfa:
def test_entra_no_tenants(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -30,7 +30,7 @@ class Test_entra_privileged_user_has_mfa:
def test_entra_tenant_no_users(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -53,6 +53,7 @@ class Test_entra_privileged_user_has_mfa:
def test_entra_user_no_privileged_no_mfa(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
user_id = str(uuid4())
with (
@@ -92,6 +93,7 @@ class Test_entra_privileged_user_has_mfa:
def test_entra_user_no_privileged_mfa(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
user_id = str(uuid4())
with (
@@ -131,6 +133,7 @@ class Test_entra_privileged_user_has_mfa:
def test_entra_user_privileged_no_mfa(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
user_id = str(uuid4())
with (
@@ -177,6 +180,7 @@ class Test_entra_privileged_user_has_mfa:
def test_entra_user_privileged_mfa(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
user_id = str(uuid4())
with (
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_security_defaults_enabled:
def test_entra_no_tenants(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -30,7 +30,7 @@ class Test_entra_security_defaults_enabled:
def test_entra_tenant_empty(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -58,7 +58,7 @@ class Test_entra_security_defaults_enabled:
def test_entra_security_default_enabled(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -93,7 +93,7 @@ class Test_entra_security_defaults_enabled:
def test_entra_security_default_disabled(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -10,7 +10,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_entra_trusted_named_locations_exists:
def test_entra_no_tenants(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -34,7 +34,7 @@ class Test_entra_trusted_named_locations_exists:
def test_entra_tenant_empty(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -67,7 +67,7 @@ class Test_entra_trusted_named_locations_exists:
def test_entra_named_location_with_ip_ranges(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -111,7 +111,7 @@ class Test_entra_trusted_named_locations_exists:
def test_entra_named_location_without_ip_ranges(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -156,7 +156,7 @@ class Test_entra_trusted_named_locations_exists:
def test_entra_new_named_location_with_ip_ranges_not_trusted(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -14,10 +14,11 @@ from tests.providers.azure.azure_fixtures import (
class Test_iam_assignment_priviledge_access_vm_has_mfa:
def test_iam_no_roles(self):
iam_client = mock.MagicMock
iam_client.resource_groups = {}
iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
entra_client = mock.MagicMock
entra_client.resource_groups = {}
entra_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
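Review bot: with `iam_client = mock.MagicMock` and `entra_client = mock.MagicMock` both naming the class instead of an instance, the four assignments in this hunk (`iam_client.resource_groups`, `entra_client.resource_groups` and the two `.subscriptions` lines) all write the same two class attributes, so the second pair silently overwrites the first and the values leak into every other test that constructs a `MagicMock`. Instantiate both clients with `mock.MagicMock()` so each holds its own `resource_groups` and `subscriptions`.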
@@ -41,9 +42,11 @@ class Test_iam_assignment_priviledge_access_vm_has_mfa:
def test_entra_user_with_vm_access_has_mfa(self):
iam_client = mock.MagicMock
iam_client.resource_groups = {}
iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
role_assigment_id = str(uuid4())
entra_client = mock.MagicMock
entra_client.resource_groups = {}
entra_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
user_id = str(uuid4())
@@ -112,9 +115,11 @@ class Test_iam_assignment_priviledge_access_vm_has_mfa:
def test_entra_user_with_vm_access_has_mfa_no_mfa(self):
iam_client = mock.MagicMock
iam_client.resource_groups = {}
iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
role_assigment_id = str(uuid4())
entra_client = mock.MagicMock
entra_client.resource_groups = {}
entra_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
user_id = str(uuid4())
@@ -183,9 +188,11 @@ class Test_iam_assignment_priviledge_access_vm_has_mfa:
def test_entra_user_with_vm_access_has_mfa_no_user(self):
iam_client = mock.MagicMock
iam_client.resource_groups = {}
iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
role_assigment_id = str(uuid4())
entra_client = mock.MagicMock
entra_client.resource_groups = {}
entra_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
user_id = str(uuid4())
@@ -237,9 +244,11 @@ class Test_iam_assignment_priviledge_access_vm_has_mfa:
def test_entra_user_with_vm_access_has_mfa_no_role(self):
iam_client = mock.MagicMock
iam_client.resource_groups = {}
iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
role_assigment_id = str(uuid4())
entra_client = mock.MagicMock
entra_client.resource_groups = {}
entra_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
user_id = str(uuid4())
@@ -11,7 +11,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_entra_users_cannot_create_microsoft_365_groups:
def test_entra_no_tenant(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -35,7 +35,7 @@ class Test_entra_users_cannot_create_microsoft_365_groups:
def test_entra_tenant_empty(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -65,7 +65,7 @@ class Test_entra_users_cannot_create_microsoft_365_groups:
def test_entra_users_cannot_create_microsoft_365_groups(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -114,7 +114,7 @@ class Test_entra_users_cannot_create_microsoft_365_groups:
def test_entra_users_can_create_microsoft_365_groups(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -161,7 +161,7 @@ class Test_entra_users_cannot_create_microsoft_365_groups:
def test_entra_users_can_create_microsoft_365_groups_no_setting(self):
entra_client = mock.MagicMock
entra_client.resource_groups = {}
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
@@ -0,0 +1,162 @@
from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.iam.iam_service import IAM
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
set_mocked_azure_provider,
)
class Test_IAM_get_roles:
def test_get_roles_no_resource_groups(self):
mock_client = MagicMock()
mock_client.role_definitions.list.return_value = []
with (
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_roles",
return_value=({}, {}),
),
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_role_assignments",
return_value={},
),
):
iam = IAM(set_mocked_azure_provider())
iam.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
iam.resource_groups = None
builtin, custom = iam._get_roles()
mock_client.role_definitions.list.assert_called_once()
assert AZURE_SUBSCRIPTION_ID in builtin
assert AZURE_SUBSCRIPTION_ID in custom
def test_get_roles_with_resource_group(self):
mock_client = MagicMock()
mock_client.role_definitions.list.return_value = []
with (
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_roles",
return_value=({}, {}),
),
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_role_assignments",
return_value={},
),
):
iam = IAM(set_mocked_azure_provider())
iam.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
iam.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
builtin, custom = iam._get_roles()
mock_client.role_definitions.list.assert_called_once()
assert AZURE_SUBSCRIPTION_ID in builtin
assert AZURE_SUBSCRIPTION_ID in custom
def test_get_roles_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.role_definitions.list.return_value = []
with (
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_roles",
return_value=({}, {}),
),
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_role_assignments",
return_value={},
),
):
iam = IAM(set_mocked_azure_provider())
iam.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
iam.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
builtin, custom = iam._get_roles()
mock_client.role_definitions.list.assert_called_once()
assert AZURE_SUBSCRIPTION_ID in builtin
assert AZURE_SUBSCRIPTION_ID in custom
class Test_IAM_get_role_assignments:
def test_get_role_assignments_no_resource_groups(self):
mock_client = MagicMock()
mock_client.role_assignments = MagicMock()
mock_client.role_assignments.list_for_subscription.return_value = []
with (
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_roles",
return_value=({}, {}),
),
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_role_assignments",
return_value={},
),
):
iam = IAM(set_mocked_azure_provider())
iam.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
iam.resource_groups = None
result = iam._get_role_assignments()
mock_client.role_assignments.list_for_subscription.assert_called_once()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_role_assignments_with_resource_group(self):
mock_client = MagicMock()
mock_client.role_assignments = MagicMock()
mock_client.role_assignments.list_for_subscription.return_value = []
with (
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_roles",
return_value=({}, {}),
),
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_role_assignments",
return_value={},
),
):
iam = IAM(set_mocked_azure_provider())
iam.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
iam.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = iam._get_role_assignments()
mock_client.role_assignments.list_for_subscription.assert_called_once()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_role_assignments_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.role_assignments = MagicMock()
mock_client.role_assignments.list_for_subscription.return_value = []
with (
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_roles",
return_value=({}, {}),
),
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_role_assignments",
return_value={},
),
):
iam = IAM(set_mocked_azure_provider())
iam.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
iam.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = iam._get_role_assignments()
mock_client.role_assignments.list_for_subscription.assert_called_once()
assert AZURE_SUBSCRIPTION_ID in result
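Review bot: the three `Test_IAM_get_roles` tests and the three `Test_IAM_get_role_assignments` tests make identical assertions whatever `iam.resource_groups` holds (`role_definitions.list.assert_called_once()` and `role_assignments.list_for_subscription.assert_called_once()` in every case), so none of them shows that the resource-group filter has any effect on IAM; in particular the `{AZURE_SUBSCRIPTION_ID: []}` case still expects a subscription-wide listing, where the equivalent KeyVault and MySQL tests in this diff expect no listing call at all. If role definitions and assignments are intentionally left subscription-scoped, a one-line comment in the test class saying so would save the next reader that question; otherwise the `with_resource_group` and `empty_resource_group` assertions should differ from the `no_resource_groups` ones.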
@@ -14,6 +14,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_iam_custom_role_has_permissions_to_administer_resource_locks:
def test_iam_no_roles(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.custom_roles = {}
@@ -39,6 +40,7 @@ class Test_iam_custom_role_has_permissions_to_administer_resource_locks:
self,
):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
role_name = "test-role"
defender_client.custom_roles = {
@@ -95,6 +97,7 @@ class Test_iam_custom_role_has_permissions_to_administer_resource_locks:
self,
):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
role_name = "test-role"
defender_client.custom_roles = {
@@ -144,6 +147,7 @@ class Test_iam_custom_role_has_permissions_to_administer_resource_locks:
self,
):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
role_name = "test-role"
role_name2 = "test-role2"
@@ -212,6 +216,7 @@ class Test_iam_custom_role_has_permissions_to_administer_resource_locks:
def test_iam_custom_roles_empty_list_but_with_key(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.custom_roles = {AZURE_SUBSCRIPTION_ID: {}}
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_iam_role_user_access_admin_restricted:
def test_iam_no_role_assignments(self):
iam_client = mock.MagicMock
iam_client.resource_groups = {}
iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
iam_client.role_assignments = {}
iam_client.roles = {}
@@ -37,6 +38,7 @@ class Test_iam_role_user_access_admin_restricted:
def test_iam_user_access_administrator_role_assigned(self):
iam_client = mock.MagicMock
iam_client.resource_groups = {}
role_id = str(uuid4())
role_assignment_id = str(uuid4())
agent_id = str(uuid4())
@@ -97,6 +99,7 @@ class Test_iam_role_user_access_admin_restricted:
def test_iam_non_user_access_administrator_role_assigned(self):
iam_client = mock.MagicMock
iam_client.resource_groups = {}
role_id = str(uuid4())
role_assignment_id = str(uuid4())
agent_id = str(uuid4())
@@ -14,6 +14,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_iam_subscription_roles_owner_custom_not_created:
def test_iam_no_roles(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.custom_roles = {}
@@ -37,6 +38,7 @@ class Test_iam_subscription_roles_owner_custom_not_created:
def test_iam_custom_owner_role_created_with_all(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
role_name = "test-role"
defender_client.custom_roles = {
@@ -84,6 +86,7 @@ class Test_iam_subscription_roles_owner_custom_not_created:
def test_iam_custom_owner_role_created_with_no_permissions(self):
defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
role_name = "test-role"
defender_client.custom_roles = {
@@ -3,6 +3,8 @@ from unittest.mock import MagicMock, patch
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider,
)
@@ -263,3 +265,208 @@ class Test_keyvault_service:
.storage_account_name
== "storage_account_name"
)
class Test_KeyVault_get_key_vaults:
def test_get_key_vaults_no_resource_groups(self):
mock_client = MagicMock()
mock_client.vaults = MagicMock()
mock_client.vaults.list_by_subscription.return_value = []
mock_provider = MagicMock()
mock_provider.identity = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
patch(
"prowler.providers.azure.services.keyvault.keyvault_service.KeyVault._get_key_vaults",
return_value={},
),
):
from prowler.providers.azure.services.keyvault.keyvault_service import (
KeyVault,
)
keyvault = KeyVault(set_mocked_azure_provider())
keyvault.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
keyvault.resource_groups = None
provider = set_mocked_azure_provider()
with patch(
"prowler.providers.azure.services.keyvault.keyvault_service.monitor_client"
):
result = keyvault._get_key_vaults(provider)
mock_client.vaults.list_by_subscription.assert_called_once()
mock_client.vaults.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_key_vaults_with_resource_group(self):
mock_client = MagicMock()
mock_client.vaults = MagicMock()
mock_client.vaults.list_by_resource_group.return_value = []
mock_provider = MagicMock()
mock_provider.identity = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
patch(
"prowler.providers.azure.services.keyvault.keyvault_service.KeyVault._get_key_vaults",
return_value={},
),
):
from prowler.providers.azure.services.keyvault.keyvault_service import (
KeyVault,
)
keyvault = KeyVault(set_mocked_azure_provider())
keyvault.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
keyvault.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
provider = set_mocked_azure_provider()
with patch(
"prowler.providers.azure.services.keyvault.keyvault_service.monitor_client"
):
result = keyvault._get_key_vaults(provider)
mock_client.vaults.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.vaults.list_by_subscription.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_key_vaults_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.vaults = MagicMock()
mock_provider = MagicMock()
mock_provider.identity = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
patch(
"prowler.providers.azure.services.keyvault.keyvault_service.KeyVault._get_key_vaults",
return_value={},
),
):
from prowler.providers.azure.services.keyvault.keyvault_service import (
KeyVault,
)
keyvault = KeyVault(set_mocked_azure_provider())
keyvault.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
keyvault.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
provider = set_mocked_azure_provider()
with patch(
"prowler.providers.azure.services.keyvault.keyvault_service.monitor_client"
):
result = keyvault._get_key_vaults(provider)
mock_client.vaults.list_by_resource_group.assert_not_called()
mock_client.vaults.list_by_subscription.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == []
def test_get_key_vaults_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.vaults = MagicMock()
mock_client.vaults.list_by_resource_group.return_value = []
mock_provider = MagicMock()
mock_provider.identity = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
patch(
"prowler.providers.azure.services.keyvault.keyvault_service.KeyVault._get_key_vaults",
return_value={},
),
):
from prowler.providers.azure.services.keyvault.keyvault_service import (
KeyVault,
)
keyvault = KeyVault(set_mocked_azure_provider())
keyvault.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
keyvault.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
provider = set_mocked_azure_provider()
with patch(
"prowler.providers.azure.services.keyvault.keyvault_service.monitor_client"
):
result = keyvault._get_key_vaults(provider)
assert mock_client.vaults.list_by_resource_group.call_count == len(
RESOURCE_GROUP_LIST
)
mock_client.vaults.list_by_subscription.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_key_vaults_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.vaults = MagicMock()
mock_client.vaults.list_by_resource_group.return_value = []
mock_provider = MagicMock()
mock_provider.identity = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
patch(
"prowler.providers.azure.services.keyvault.keyvault_service.KeyVault._get_key_vaults",
return_value={},
),
):
from prowler.providers.azure.services.keyvault.keyvault_service import (
KeyVault,
)
keyvault = KeyVault(set_mocked_azure_provider())
keyvault.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
keyvault.resource_groups = {AZURE_SUBSCRIPTION_ID: ["MyRG"]}
provider = set_mocked_azure_provider()
with patch(
"prowler.providers.azure.services.keyvault.keyvault_service.monitor_client"
):
keyvault._get_key_vaults(provider)
mock_client.vaults.list_by_resource_group.assert_called_once_with(
resource_group_name="MyRG"
)
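Review bot: the five `Test_KeyVault_get_key_vaults` tests repeat the same twenty-line setup (three `patch(...)` entries, the inline `KeyVault` import, `set_mocked_azure_provider()` called twice, and the `monitor_client` patch) with only `keyvault.resource_groups` and the final assertions varying; a small helper or pytest fixture returning `(keyvault, mock_client)` would cut the class to the lines that matter. Minor: `test_get_key_vaults_with_mixed_case_resource_group` checks the call but, unlike its siblings, neither asserts `list_by_subscription.assert_not_called()` nor inspects the returned dict.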
@@ -1,4 +1,4 @@
from unittest.mock import patch
from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.mysql.mysql_service import (
Configuration,
@@ -7,6 +7,8 @@ from prowler.providers.azure.services.mysql.mysql_service import (
)
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider,
)
@@ -117,3 +119,131 @@ class Test_MySQL_Service:
assert configurations["test"].resource_id == "/subscriptions/resource_id"
assert configurations["test"].description == "description"
assert configurations["test"].value == "value"
class Test_MySQL_get_flexible_servers:
def test_get_flexible_servers_no_resource_groups(self):
mock_client = MagicMock()
mock_client.servers.list.return_value = []
with (
patch(
"prowler.providers.azure.services.mysql.mysql_service.MySQL._get_flexible_servers",
return_value={},
),
patch(
"prowler.providers.azure.services.mysql.mysql_service.MySQL._get_configurations",
return_value={},
),
):
mysql = MySQL(set_mocked_azure_provider())
mysql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
mysql.resource_groups = None
result = mysql._get_flexible_servers()
mock_client.servers.list.assert_called_once()
mock_client.servers.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_flexible_servers_with_resource_group(self):
mock_client = MagicMock()
mock_client.servers.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.mysql.mysql_service.MySQL._get_flexible_servers",
return_value={},
),
patch(
"prowler.providers.azure.services.mysql.mysql_service.MySQL._get_configurations",
return_value={},
),
):
mysql = MySQL(set_mocked_azure_provider())
mysql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
mysql.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = mysql._get_flexible_servers()
mock_client.servers.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.servers.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_flexible_servers_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with (
patch(
"prowler.providers.azure.services.mysql.mysql_service.MySQL._get_flexible_servers",
return_value={},
),
patch(
"prowler.providers.azure.services.mysql.mysql_service.MySQL._get_configurations",
return_value={},
),
):
mysql = MySQL(set_mocked_azure_provider())
mysql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
mysql.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = mysql._get_flexible_servers()
mock_client.servers.list_by_resource_group.assert_not_called()
mock_client.servers.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert result[AZURE_SUBSCRIPTION_ID] == {}
def test_get_flexible_servers_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.servers.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.mysql.mysql_service.MySQL._get_flexible_servers",
return_value={},
),
patch(
"prowler.providers.azure.services.mysql.mysql_service.MySQL._get_configurations",
return_value={},
),
):
mysql = MySQL(set_mocked_azure_provider())
mysql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
mysql.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = mysql._get_flexible_servers()
assert mock_client.servers.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_flexible_servers_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.servers.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.mysql.mysql_service.MySQL._get_flexible_servers",
return_value={},
),
patch(
"prowler.providers.azure.services.mysql.mysql_service.MySQL._get_configurations",
return_value={},
),
):
mysql = MySQL(set_mocked_azure_provider())
mysql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
mysql.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
mysql._get_flexible_servers()
mock_client.servers.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
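Review bot: `assert mock_client.servers.list_by_resource_group.call_count == 2` in `test_get_flexible_servers_with_multiple_resource_groups` hard-codes the size of the shared `RESOURCE_GROUP_LIST` fixture, so the test breaks the moment that fixture grows; the KeyVault counterpart in this diff uses `len(RESOURCE_GROUP_LIST)` and this one should too. The same test also omits `mock_client.servers.list.assert_not_called()`, which the single-resource-group test above it checks, so a regression that lists both per-resource-group and subscription-wide would pass here.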
@@ -1,4 +1,4 @@
from unittest.mock import patch
from unittest.mock import MagicMock, patch
from azure.mgmt.network.models import FlowLog
@@ -8,9 +8,12 @@ from prowler.providers.azure.services.network.network_service import (
NetworkWatcher,
PublicIp,
SecurityGroup,
VirtualNetwork,
)
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider,
)
@@ -66,6 +69,20 @@ def mock_network_get_public_ip_addresses(_):
}
def mock_network_get_virtual_networks(_):
return {
AZURE_SUBSCRIPTION_ID: [
VirtualNetwork(
id="id",
name="name",
location="location",
enable_ddos_protection=False,
subnets=[],
)
]
}
@patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
@@ -82,6 +99,10 @@ def mock_network_get_public_ip_addresses(_):
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
)
@patch(
"prowler.providers.azure.services.network.network_service.Network._get_virtual_networks",
new=mock_network_get_virtual_networks,
)
class Test_Network_Service:
def test_get_client(self):
network = Network(set_mocked_azure_provider())
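Review bot: the new `_get_virtual_networks` patch is attached as a class decorator to `Test_Network_Service` only, while the `Test_Network_get_security_groups` class added later in this diff constructs `Network(set_mocked_azure_provider())` inside a `with` that patches just the four older collectors (`_get_security_groups`, `_get_bastion_hosts`, `_get_network_watchers`, `_get_public_ip_addresses`); the real `_get_virtual_networks` will therefore run against the mocked provider in those tests. Add the `_get_virtual_networks` patch to that `with` block (or move all five patches into a shared fixture) so the new test class is isolated the same way as the existing one.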
@@ -162,3 +183,905 @@ class Test_Network_Service:
network.public_ip_addresses[AZURE_SUBSCRIPTION_ID][0].ip_address
== "ip_address"
)
class Test_Network_get_security_groups:
def test_get_security_groups_no_resource_groups(self):
mock_client = MagicMock()
mock_client.network_security_groups.list_all.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = None
result = network._get_security_groups()
mock_client.network_security_groups.list_all.assert_called_once()
mock_client.network_security_groups.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_security_groups_with_resource_group(self):
mock_client = MagicMock()
mock_client.network_security_groups.list.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = network._get_security_groups()
mock_client.network_security_groups.list.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.network_security_groups.list_all.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_security_groups_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = network._get_security_groups()
mock_client.network_security_groups.list.assert_not_called()
mock_client.network_security_groups.list_all.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == []
class Test_Network_get_network_watchers:
def test_get_network_watchers_no_resource_groups(self):
mock_client = MagicMock()
mock_client.network_watchers = MagicMock()
mock_client.network_watchers.list_all.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = None
result = network._get_network_watchers()
mock_client.network_watchers.list_all.assert_called_once()
mock_client.network_watchers.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_network_watchers_with_resource_group(self):
mock_client = MagicMock()
mock_client.network_watchers = MagicMock()
mock_client.network_watchers.list_all.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = network._get_network_watchers()
mock_client.network_watchers.list_all.assert_called_once()
mock_client.network_watchers.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_network_watchers_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.network_watchers = MagicMock()
mock_client.network_watchers.list_all.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = network._get_network_watchers()
mock_client.network_watchers.list_all.assert_called_once()
mock_client.network_watchers.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
class Test_Network_get_bastion_hosts:
def test_get_bastion_hosts_no_resource_groups(self):
mock_client = MagicMock()
mock_client.bastion_hosts = MagicMock()
mock_client.bastion_hosts.list.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = None
result = network._get_bastion_hosts()
mock_client.bastion_hosts.list.assert_called_once()
mock_client.bastion_hosts.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_bastion_hosts_with_resource_group(self):
mock_client = MagicMock()
mock_client.bastion_hosts = MagicMock()
mock_client.bastion_hosts.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = network._get_bastion_hosts()
mock_client.bastion_hosts.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.bastion_hosts.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_bastion_hosts_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.bastion_hosts = MagicMock()
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = network._get_bastion_hosts()
mock_client.bastion_hosts.list_by_resource_group.assert_not_called()
mock_client.bastion_hosts.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == []
class Test_Network_get_public_ip_addresses:
def test_get_public_ip_addresses_no_resource_groups(self):
mock_client = MagicMock()
mock_client.public_ip_addresses = MagicMock()
mock_client.public_ip_addresses.list_all.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = None
result = network._get_public_ip_addresses()
mock_client.public_ip_addresses.list_all.assert_called_once()
mock_client.public_ip_addresses.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_public_ip_addresses_with_resource_group(self):
mock_client = MagicMock()
mock_client.public_ip_addresses = MagicMock()
mock_client.public_ip_addresses.list.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = network._get_public_ip_addresses()
mock_client.public_ip_addresses.list.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.public_ip_addresses.list_all.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_public_ip_addresses_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.public_ip_addresses = MagicMock()
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = network._get_public_ip_addresses()
mock_client.public_ip_addresses.list.assert_not_called()
mock_client.public_ip_addresses.list_all.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == []
def test_get_security_groups_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.network_security_groups = MagicMock()
mock_client.network_security_groups.list.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = network._get_security_groups()
assert mock_client.network_security_groups.list.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_security_groups_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.network_security_groups = MagicMock()
mock_client.network_security_groups.list.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
network._get_security_groups()
mock_client.network_security_groups.list.assert_called_once_with(
resource_group_name="RG"
)
class Test_Network_get_network_watchers_extra:
def test_get_network_watchers_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.network_watchers = MagicMock()
mock_client.network_watchers.list_all.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = network._get_network_watchers()
mock_client.network_watchers.list_all.assert_called_once()
mock_client.network_watchers.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_network_watchers_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.network_watchers = MagicMock()
mock_client.network_watchers.list_all.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
network._get_network_watchers()
mock_client.network_watchers.list_all.assert_called_once()
mock_client.network_watchers.list.assert_not_called()
class Test_Network_get_bastion_hosts_extra:
def test_get_bastion_hosts_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.bastion_hosts = MagicMock()
mock_client.bastion_hosts.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = network._get_bastion_hosts()
assert mock_client.bastion_hosts.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_bastion_hosts_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.bastion_hosts = MagicMock()
mock_client.bastion_hosts.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
network._get_bastion_hosts()
mock_client.bastion_hosts.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
class Test_Network_get_public_ip_addresses_extra:
def test_get_public_ip_addresses_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.public_ip_addresses = MagicMock()
mock_client.public_ip_addresses.list.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = network._get_public_ip_addresses()
assert mock_client.public_ip_addresses.list.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_public_ip_addresses_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.public_ip_addresses = MagicMock()
mock_client.public_ip_addresses.list.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
network._get_public_ip_addresses()
mock_client.public_ip_addresses.list.assert_called_once_with(
resource_group_name="RG"
)
class Test_Network_get_virtual_networks_extra:
def _ctx(self):
return (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
)
def test_get_virtual_networks_no_resource_groups(self):
mock_client = MagicMock()
mock_client.virtual_networks = MagicMock()
mock_client.virtual_networks.list_all.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_virtual_networks",
new=mock_network_get_virtual_networks,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = None
result = network._get_virtual_networks()
mock_client.virtual_networks.list_all.assert_called_once()
mock_client.virtual_networks.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_virtual_networks_with_resource_group(self):
mock_client = MagicMock()
mock_client.virtual_networks = MagicMock()
mock_client.virtual_networks.list.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_virtual_networks",
new=mock_network_get_virtual_networks,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = network._get_virtual_networks()
mock_client.virtual_networks.list.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.virtual_networks.list_all.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_virtual_networks_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.virtual_networks = MagicMock()
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_virtual_networks",
new=mock_network_get_virtual_networks,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = network._get_virtual_networks()
mock_client.virtual_networks.list.assert_not_called()
mock_client.virtual_networks.list_all.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == []
def test_get_virtual_networks_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.virtual_networks = MagicMock()
mock_client.virtual_networks.list.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_virtual_networks",
new=mock_network_get_virtual_networks,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = network._get_virtual_networks()
assert mock_client.virtual_networks.list.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_virtual_networks_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.virtual_networks = MagicMock()
mock_client.virtual_networks.list.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_virtual_networks",
new=mock_network_get_virtual_networks,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
network._get_virtual_networks()
mock_client.virtual_networks.list.assert_called_once_with(
resource_group_name="RG"
)
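Review bot: `_get_network_watchers` is the one collector in this hunk that ignores the resource-group scope: `test_get_network_watchers_with_resource_group`, `..._empty_resource_group_for_subscription` and both `_extra` tests assert `network_watchers.list_all.assert_called_once()` with `list.assert_not_called()`, and the empty-scope case asserts `AZURE_SUBSCRIPTION_ID in result` where every sibling asserts `result[AZURE_SUBSCRIPTION_ID] == []`. If that is deliberate (Azure normally auto-creates watcher instances in its own `NetworkWatcherRG`, so a per-group filter would usually hide them), the service method needs a comment saying so and the scoping behaviour should be documented as excluding Network Watcher; otherwise route it through `network_watchers.list(resource_group_name=...)` like the other four collectors. Two smaller points: `test_get_security_groups_with_multiple_resource_groups` and `test_get_security_groups_with_mixed_case_resource_group` are defined under `Test_Network_get_public_ip_addresses` rather than `Test_Network_get_security_groups`, and the `_ctx` helper in `Test_Network_get_virtual_networks_extra` is never used while each test re-inlines the same five `patch(...)` calls; use it (or a fixture) or drop it.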
@@ -1,4 +1,4 @@
from unittest.mock import patch
from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.policy.policy_service import (
Policy,
@@ -6,6 +6,8 @@ from prowler.providers.azure.services.policy.policy_service import (
)
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider,
)
@@ -52,3 +54,99 @@ class Test_Policy_Service:
policy.policy_assigments[AZURE_SUBSCRIPTION_ID]["policy-1"].enforcement_mode
== "Default"
)
class Test_Policy_get_policy_assigments:
def test_get_policy_assigments_no_resource_groups(self):
mock_client = MagicMock()
mock_client.policy_assignments.list.return_value = []
with patch(
"prowler.providers.azure.services.policy.policy_service.Policy._get_policy_assigments",
return_value={},
):
policy = Policy(set_mocked_azure_provider())
policy.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
policy.resource_groups = None
result = policy._get_policy_assigments()
mock_client.policy_assignments.list.assert_called_once()
mock_client.policy_assignments.list_for_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_policy_assigments_with_resource_group(self):
mock_client = MagicMock()
mock_client.policy_assignments.list.return_value = []
with patch(
"prowler.providers.azure.services.policy.policy_service.Policy._get_policy_assigments",
return_value={},
):
policy = Policy(set_mocked_azure_provider())
policy.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
policy.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = policy._get_policy_assigments()
mock_client.policy_assignments.list.assert_called_once()
mock_client.policy_assignments.list_for_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_policy_assigments_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.policy_assignments.list.return_value = []
with patch(
"prowler.providers.azure.services.policy.policy_service.Policy._get_policy_assigments",
return_value={},
):
policy = Policy(set_mocked_azure_provider())
policy.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
policy.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = policy._get_policy_assigments()
mock_client.policy_assignments.list.assert_called_once()
mock_client.policy_assignments.list_for_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_policy_assigments_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.policy_assignments.list.return_value = []
with patch(
"prowler.providers.azure.services.policy.policy_service.Policy._get_policy_assigments",
return_value={},
):
policy = Policy(set_mocked_azure_provider())
policy.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
policy.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = policy._get_policy_assigments()
mock_client.policy_assignments.list.assert_called_once()
mock_client.policy_assignments.list_for_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_policy_assigments_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.policy_assignments.list.return_value = []
with patch(
"prowler.providers.azure.services.policy.policy_service.Policy._get_policy_assigments",
return_value={},
):
policy = Policy(set_mocked_azure_provider())
policy.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
policy.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
policy._get_policy_assigments()
mock_client.policy_assignments.list.assert_called_once()
mock_client.policy_assignments.list_for_resource_group.assert_not_called()
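Review bot: every test in this hunk asserts `policy_assignments.list.assert_called_once()` and `list_for_resource_group.assert_not_called()`, including the `{AZURE_SUBSCRIPTION_ID: []}` case, so `_get_policy_assigments` evidently applies no resource-group filtering and a group-scoped scan still reports all subscription-level assignments. That is defensible, since a subscription-scope assignment also governs the selected groups, but it should be stated in a comment on the method and wherever the scoping feature is documented; if filtering is wanted, `list_for_resource_group(resource_group_name=...)` returns the assignments associated with a given group. Note also that these tests stub the method with `return_value={}` to get past the constructor, so the `policy._get_policy_assigments()` call and its assertions must sit after the `with` block closes, otherwise `result` is the empty stub and `AZURE_SUBSCRIPTION_ID in result` fails; the flattened diff hides that indentation, so worth a second look. Finally, `test_get_policy_assigments_with_mixed_case_resource_group` exercises no case handling (`"RG"` is never compared against anything), which holds for the `mixed_case` tests in the other service files too; either assert on a normalised name or rename them to say what they actually check.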
@@ -11,6 +11,8 @@ from prowler.providers.azure.services.postgresql.postgresql_service import (
)
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider,
)
@@ -243,6 +245,103 @@ class Test_SqlServer_Service:
)
class Test_PostgreSQL_get_flexible_servers:
def test_get_flexible_servers_no_resource_groups(self):
mock_client = MagicMock()
mock_client.servers.list.return_value = []
with patch(
"prowler.providers.azure.services.postgresql.postgresql_service.PostgreSQL._get_flexible_servers",
return_value={},
):
postgresql = PostgreSQL(set_mocked_azure_provider())
postgresql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
postgresql.resource_groups = None
result = postgresql._get_flexible_servers()
mock_client.servers.list.assert_called_once()
mock_client.servers.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_flexible_servers_with_resource_group(self):
mock_client = MagicMock()
mock_client.servers.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.postgresql.postgresql_service.PostgreSQL._get_flexible_servers",
return_value={},
):
postgresql = PostgreSQL(set_mocked_azure_provider())
postgresql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
postgresql.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = postgresql._get_flexible_servers()
mock_client.servers.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.servers.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_flexible_servers_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with patch(
"prowler.providers.azure.services.postgresql.postgresql_service.PostgreSQL._get_flexible_servers",
return_value={},
):
postgresql = PostgreSQL(set_mocked_azure_provider())
postgresql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
postgresql.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = postgresql._get_flexible_servers()
mock_client.servers.list_by_resource_group.assert_not_called()
mock_client.servers.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == []
def test_get_flexible_servers_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.servers.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.postgresql.postgresql_service.PostgreSQL._get_flexible_servers",
return_value={},
):
postgresql = PostgreSQL(set_mocked_azure_provider())
postgresql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
postgresql.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = postgresql._get_flexible_servers()
assert mock_client.servers.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_flexible_servers_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.servers.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.postgresql.postgresql_service.PostgreSQL._get_flexible_servers",
return_value={},
):
postgresql = PostgreSQL(set_mocked_azure_provider())
postgresql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
postgresql.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
postgresql._get_flexible_servers()
mock_client.servers.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
def _make_server(name):
server = MagicMock()
server.id = (
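Review bot: `test_get_flexible_servers_with_multiple_resource_groups` only checks `call_count == 2`, which silently couples the test to the size of the `RESOURCE_GROUP_LIST` fixture and does not verify which groups were queried. Assert against the fixture instead, e.g. `assert mock_client.servers.list_by_resource_group.call_count == len(RESOURCE_GROUP_LIST)` plus `mock_client.servers.list_by_resource_group.assert_has_calls([call(resource_group_name=rg) for rg in RESOURCE_GROUP_LIST], any_order=True)` (importing `call` from `unittest.mock`), and add `mock_client.servers.list.assert_not_called()` so a fallback to subscription-wide listing would be caught here too.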
@@ -1,11 +1,18 @@
from types import SimpleNamespace
from unittest import mock
from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.recovery.recovery_service import (
BackupVault,
Recovery,
RecoveryBackup,
)
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION_ID
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider,
)
VAULT_ID = (
f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/resourceGroups/rg1/"
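Review bot: the module now carries both `from unittest import mock` and `from unittest.mock import MagicMock, patch`, so the same file will have `mock.patch(...)` and bare `patch(...)` spellings side by side. Pick one: either drop the `from unittest import mock` line and use `MagicMock`/`patch` directly throughout, or import only `mock` and reference `mock.MagicMock` and `mock.patch` in the new tests.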
@@ -20,6 +27,139 @@ class BackupClientFake:
self.backup_policies.list.return_value = policies
class Test_Recovery_get_vaults:
def test_get_vaults_no_resource_groups(self):
mock_client = MagicMock()
mock_client.vaults = MagicMock()
mock_client.vaults.list_by_subscription_id.return_value = []
with (
patch(
"prowler.providers.azure.services.recovery.recovery_service.Recovery._get_vaults",
return_value={},
),
patch(
"prowler.providers.azure.services.recovery.recovery_service.RecoveryBackup",
),
):
recovery = Recovery(set_mocked_azure_provider())
recovery.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
recovery.resource_groups = None
result = recovery._get_vaults()
mock_client.vaults.list_by_subscription_id.assert_called_once()
mock_client.vaults.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_vaults_with_resource_group(self):
mock_vault = MagicMock()
mock_vault.id = "vault-id-1"
mock_vault.name = "my-vault"
mock_vault.location = "eastus"
mock_client = MagicMock()
mock_client.vaults = MagicMock()
mock_client.vaults.list_by_resource_group.return_value = [mock_vault]
with (
patch(
"prowler.providers.azure.services.recovery.recovery_service.Recovery._get_vaults",
return_value={},
),
patch(
"prowler.providers.azure.services.recovery.recovery_service.RecoveryBackup",
),
):
recovery = Recovery(set_mocked_azure_provider())
recovery.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
recovery.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = recovery._get_vaults()
mock_client.vaults.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.vaults.list_by_subscription_id.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert "vault-id-1" in result[AZURE_SUBSCRIPTION_ID]
def test_get_vaults_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.vaults = MagicMock()
with (
patch(
"prowler.providers.azure.services.recovery.recovery_service.Recovery._get_vaults",
return_value={},
),
patch(
"prowler.providers.azure.services.recovery.recovery_service.RecoveryBackup",
),
):
recovery = Recovery(set_mocked_azure_provider())
recovery.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
recovery.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = recovery._get_vaults()
mock_client.vaults.list_by_resource_group.assert_not_called()
mock_client.vaults.list_by_subscription_id.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
def test_get_vaults_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.vaults = MagicMock()
mock_client.vaults.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.recovery.recovery_service.Recovery._get_vaults",
return_value={},
),
patch(
"prowler.providers.azure.services.recovery.recovery_service.RecoveryBackup",
),
):
recovery = Recovery(set_mocked_azure_provider())
recovery.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
recovery.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = recovery._get_vaults()
assert mock_client.vaults.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_vaults_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.vaults = MagicMock()
mock_client.vaults.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.recovery.recovery_service.Recovery._get_vaults",
return_value={},
),
patch(
"prowler.providers.azure.services.recovery.recovery_service.RecoveryBackup",
),
):
recovery = Recovery(set_mocked_azure_provider())
recovery.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
recovery.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
recovery._get_vaults()
mock_client.vaults.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
class Test_RecoveryBackup_Service:
def test_get_backup_policies_lists_unprotected_vault_policies(self):
policy = SimpleNamespace(
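Review bot: `test_get_vaults_with_mixed_case_resource_group` does not exercise case handling: it puts `"RG"` into `recovery.resource_groups` and asserts that `list_by_resource_group` receives `resource_group_name="RG"`, which is plain pass-through and would pass with no normalisation at all. Either feed one casing in and assert the casing the service is expected to produce (if the canonicalisation happens in the upstream resolution step, test it there instead), or rename the test to say it checks pass-through. The same applies to the sibling mixed-case tests in the other services.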
@@ -1,4 +1,4 @@
from unittest.mock import patch
from unittest.mock import MagicMock, patch
from azure.mgmt.sql.models import (
EncryptionProtector,
@@ -16,6 +16,8 @@ from prowler.providers.azure.services.sqlserver.sqlserver_service import (
)
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider,
)
@@ -245,3 +247,100 @@ class Test_SqlServer_Service:
].security_alert_policies.state
== "Disabled"
)
class Test_SQLServer_get_sql_servers:
def test_get_sql_servers_no_resource_groups(self):
mock_client = MagicMock()
mock_client.servers.list.return_value = []
with patch(
"prowler.providers.azure.services.sqlserver.sqlserver_service.SQLServer._get_sql_servers",
return_value={},
):
sql_server = SQLServer(set_mocked_azure_provider())
sql_server.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
sql_server.resource_groups = None
result = sql_server._get_sql_servers()
mock_client.servers.list.assert_called_once()
mock_client.servers.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_sql_servers_with_resource_group(self):
mock_client = MagicMock()
mock_client.servers.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.sqlserver.sqlserver_service.SQLServer._get_sql_servers",
return_value={},
):
sql_server = SQLServer(set_mocked_azure_provider())
sql_server.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
sql_server.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = sql_server._get_sql_servers()
mock_client.servers.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.servers.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_sql_servers_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with patch(
"prowler.providers.azure.services.sqlserver.sqlserver_service.SQLServer._get_sql_servers",
return_value={},
):
sql_server = SQLServer(set_mocked_azure_provider())
sql_server.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
sql_server.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = sql_server._get_sql_servers()
mock_client.servers.list_by_resource_group.assert_not_called()
mock_client.servers.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == []
def test_get_sql_servers_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.servers.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.sqlserver.sqlserver_service.SQLServer._get_sql_servers",
return_value={},
):
sql_server = SQLServer(set_mocked_azure_provider())
sql_server.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
sql_server.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = sql_server._get_sql_servers()
assert mock_client.servers.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_sql_servers_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.servers.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.sqlserver.sqlserver_service.SQLServer._get_sql_servers",
return_value={},
):
sql_server = SQLServer(set_mocked_azure_provider())
sql_server.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
sql_server.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
sql_server._get_sql_servers()
mock_client.servers.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
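Review bot: `test_get_sql_servers_with_multiple_resource_groups` checks `call_count == 2` but, unlike `test_get_sql_servers_with_resource_group`, never asserts `mock_client.servers.list.assert_not_called()`, so a regression where the service also falls back to the subscription-wide `servers.list` once more than one group is configured would still pass. Add the negative assertion to the multiple-groups and mixed-case tests as well; the five methods here are otherwise line-for-line copies of the PostgreSQL class, so a shared parametrised helper over (service class, patch target, client attribute, subscription-wide method, by-resource-group method) would keep the services in step.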
@@ -1,4 +1,4 @@
from unittest.mock import patch
from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.storage.storage_service import (
Account,
@@ -11,6 +11,8 @@ from prowler.providers.azure.services.storage.storage_service import (
)
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider,
)
@@ -387,3 +389,155 @@ class Test_Storage_Service_Retention_Policy_None_Handling:
is False
)
assert account.file_service_properties.share_delete_retention_policy.days == 0
class Test_Storage_get_storage_accounts:
def test_get_storage_accounts_no_resource_groups(self):
mock_client = MagicMock()
mock_client.storage_accounts = MagicMock()
mock_client.storage_accounts.list.return_value = []
with (
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_storage_accounts",
return_value={},
),
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_blob_properties",
return_value=None,
),
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_file_share_properties",
return_value=None,
),
):
storage = Storage(set_mocked_azure_provider())
storage.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
storage.resource_groups = None
result = storage._get_storage_accounts()
mock_client.storage_accounts.list.assert_called_once()
mock_client.storage_accounts.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_storage_accounts_with_resource_group(self):
mock_client = MagicMock()
mock_client.storage_accounts = MagicMock()
mock_client.storage_accounts.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_storage_accounts",
return_value={},
),
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_blob_properties",
return_value=None,
),
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_file_share_properties",
return_value=None,
),
):
storage = Storage(set_mocked_azure_provider())
storage.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
storage.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = storage._get_storage_accounts()
mock_client.storage_accounts.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.storage_accounts.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_storage_accounts_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.storage_accounts = MagicMock()
with (
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_storage_accounts",
return_value={},
),
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_blob_properties",
return_value=None,
),
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_file_share_properties",
return_value=None,
),
):
storage = Storage(set_mocked_azure_provider())
storage.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
storage.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = storage._get_storage_accounts()
mock_client.storage_accounts.list_by_resource_group.assert_not_called()
mock_client.storage_accounts.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == []
def test_get_storage_accounts_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.storage_accounts = MagicMock()
mock_client.storage_accounts.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_storage_accounts",
return_value={},
),
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_blob_properties",
return_value=None,
),
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_file_share_properties",
return_value=None,
),
):
storage = Storage(set_mocked_azure_provider())
storage.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
storage.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = storage._get_storage_accounts()
assert mock_client.storage_accounts.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_storage_accounts_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.storage_accounts = MagicMock()
mock_client.storage_accounts.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_storage_accounts",
return_value={},
),
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_blob_properties",
return_value=None,
),
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_file_share_properties",
return_value=None,
),
):
storage = Storage(set_mocked_azure_provider())
storage.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
storage.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
storage._get_storage_accounts()
mock_client.storage_accounts.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
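Review bot: every test in `Test_Storage_get_storage_accounts` repeats the same 14-line `with (patch(... _get_storage_accounts ...), patch(... _get_blob_properties ...), patch(... _get_file_share_properties ...))` block around the constructor. Hoist it into a pytest fixture (or a small `_make_storage(mock_client, resource_groups)` helper) that returns the constructed `Storage` with `clients` and `resource_groups` set; the tests then reduce to the mock setup and the assertions, and a future change to the constructor's side effects needs one edit instead of five.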
@@ -14,6 +14,8 @@ from prowler.providers.azure.services.vm.vm_service import (
)
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider,
)
@@ -465,3 +467,328 @@ class Test_VirtualMachine_SecurityProfile_Validation:
assert isinstance(vm.security_profile.uefi_settings, UefiSettings)
assert vm.security_profile.uefi_settings.secure_boot_enabled is True
assert vm.security_profile.uefi_settings.v_tpm_enabled is True
class Test_VM_get_virtual_machines:
def test_get_virtual_machines_no_resource_groups(self):
mock_client = MagicMock()
mock_client.virtual_machines = MagicMock()
mock_client.virtual_machines.list_all.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = None
result = vm_service._get_virtual_machines()
mock_client.virtual_machines.list_all.assert_called_once()
mock_client.virtual_machines.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_virtual_machines_with_resource_group(self):
mock_client = MagicMock()
mock_client.virtual_machines = MagicMock()
mock_client.virtual_machines.list.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = vm_service._get_virtual_machines()
mock_client.virtual_machines.list.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.virtual_machines.list_all.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_virtual_machines_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.virtual_machines = MagicMock()
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = vm_service._get_virtual_machines()
mock_client.virtual_machines.list.assert_not_called()
mock_client.virtual_machines.list_all.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
class Test_VM_get_disks:
def test_get_disks_no_resource_groups(self):
mock_client = MagicMock()
mock_client.disks = MagicMock()
mock_client.disks.list.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = None
result = vm_service._get_disks()
mock_client.disks.list.assert_called_once()
mock_client.disks.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_disks_with_resource_group(self):
mock_client = MagicMock()
mock_client.disks = MagicMock()
mock_client.disks.list_by_resource_group.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = vm_service._get_disks()
mock_client.disks.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.disks.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_disks_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.disks = MagicMock()
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = vm_service._get_disks()
mock_client.disks.list_by_resource_group.assert_not_called()
mock_client.disks.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
class Test_VM_get_vm_scale_sets:
def test_get_vm_scale_sets_no_resource_groups(self):
mock_client = MagicMock()
mock_client.virtual_machine_scale_sets = MagicMock()
mock_client.virtual_machine_scale_sets.list_all.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = None
result = vm_service._get_vm_scale_sets()
mock_client.virtual_machine_scale_sets.list_all.assert_called_once()
mock_client.virtual_machine_scale_sets.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_vm_scale_sets_with_resource_group(self):
mock_client = MagicMock()
mock_client.virtual_machine_scale_sets = MagicMock()
mock_client.virtual_machine_scale_sets.list.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = vm_service._get_vm_scale_sets()
mock_client.virtual_machine_scale_sets.list.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.virtual_machine_scale_sets.list_all.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_vm_scale_sets_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.virtual_machine_scale_sets = MagicMock()
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = vm_service._get_vm_scale_sets()
mock_client.virtual_machine_scale_sets.list.assert_not_called()
mock_client.virtual_machine_scale_sets.list_all.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
def test_get_virtual_machines_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.virtual_machines = MagicMock()
mock_client.virtual_machines.list.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = vm_service._get_virtual_machines()
assert mock_client.virtual_machines.list.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_virtual_machines_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.virtual_machines = MagicMock()
mock_client.virtual_machines.list.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
vm_service._get_virtual_machines()
mock_client.virtual_machines.list.assert_called_once_with(
resource_group_name="RG"
)
class Test_VM_get_disks_extra:
def test_get_disks_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.disks = MagicMock()
mock_client.disks.list_by_resource_group.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = vm_service._get_disks()
assert mock_client.disks.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_disks_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.disks = MagicMock()
mock_client.disks.list_by_resource_group.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
vm_service._get_disks()
mock_client.disks.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
class Test_VM_get_vm_scale_sets_extra:
def test_get_vm_scale_sets_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.virtual_machine_scale_sets = MagicMock()
mock_client.virtual_machine_scale_sets.list.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = vm_service._get_vm_scale_sets()
assert mock_client.virtual_machine_scale_sets.list.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_vm_scale_sets_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.virtual_machine_scale_sets = MagicMock()
mock_client.virtual_machine_scale_sets.list.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
vm_service._get_vm_scale_sets()
mock_client.virtual_machine_scale_sets.list.assert_called_once_with(
resource_group_name="RG"
)
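Review bot: the class layout in this hunk is off: `test_get_virtual_machines_with_multiple_resource_groups` and `test_get_virtual_machines_with_mixed_case_resource_group` are defined inside `Test_VM_get_vm_scale_sets` rather than `Test_VM_get_virtual_machines`, and `Test_VM_get_disks_extra` / `Test_VM_get_vm_scale_sets_extra` duplicate `Test_VM_get_disks` / `Test_VM_get_vm_scale_sets` just to hold two more methods each. Move the two VM tests up into `Test_VM_get_virtual_machines` and fold the `_extra` methods into their base classes so each `_get_*` method has one test class; the `patch.object(VirtualMachines, ...)` triple is also repeated fifteen times and would fit a fixture.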