From 537c3ea71e0463a5c8509f55bab6e30996a12f9a Mon Sep 17 00:00:00 2001 From: Legin <140829993+Legin-ML@users.noreply.github.com> Date: Thu, 2 Jul 2026 14:57:53 +0530 Subject: [PATCH] feat(azure): filtering scans at resource group level (#10657) 
Signed-off-by: Legin-ML --- docs/docs.json | 1 + .../providers/azure/resource-groups.mdx | 47 + prowler/CHANGELOG.md | 2 +- prowler/providers/azure/azure_provider.py | 69 +- .../azure/lib/arguments/arguments.py | 10 + .../providers/azure/lib/service/service.py | 21 + .../services/aisearch/aisearch_service.py | 6 +- .../azure/services/aks/aks_service.py | 6 +- .../azure/services/apim/apim_service.py | 6 +- .../azure/services/app/app_service.py | 12 +- .../appinsights/appinsights_service.py | 6 +- .../containerregistry_service.py | 6 +- .../services/cosmosdb/cosmosdb_service.py | 7 +- .../services/databricks/databricks_service.py | 7 +- .../services/defender/defender_service.py | 15 +- .../services/keyvault/keyvault_service.py | 6 +- .../azure/services/mysql/mysql_service.py | 6 +- .../azure/services/network/network_service.py | 49 +- .../azure/services/policy/policy_service.py | 2 +- .../services/postgresql/postgresql_service.py | 7 +- .../services/recovery/recovery_service.py | 9 +- .../services/sqlserver/sqlserver_service.py | 7 +- .../azure/services/storage/storage_service.py | 7 +- .../providers/azure/services/vm/vm_service.py | 20 +- prowler/providers/common/provider.py | 1 + tests/providers/azure/azure_fixtures.py | 4 + tests/providers/azure/azure_provider_test.py | 96 ++ .../aisearch/aisearch_service_test.py | 124 ++- .../azure/services/aks/aks_service_test.py | 129 ++- .../azure/services/apim/apim_service_test.py | 170 +++- .../azure/services/app/app_service_test.py | 278 ++++++ .../appinsights/appinsights_service_test.py | 122 ++- .../containerregistry_service_test.py | 207 ++++ .../cosmosdb/cosmosdb_service_test.py | 115 ++- .../databricks/databricks_service_test.py | 124 ++- ...configured_with_a_security_contact_test.py | 3 + ...s_vm_endpoint_protection_installed_test.py | 4 + ..._notifications_properly_configured_test.py | 8 + ...sioning_log_analytics_agent_vms_on_test.py | 4 + ...lnerabilty_assessments_machines_on_test.py | 3 + 
...er_images_resolved_vulnerabilities_test.py | 6 + ...nder_container_images_scan_enabled_test.py | 6 + ...re_defender_for_app_services_is_on_test.py | 3 + ...nder_ensure_defender_for_arm_is_on_test.py | 3 + ...nder_for_azure_sql_databases_is_on_test.py | 3 + ...sure_defender_for_containers_is_on_test.py | 3 + ...ensure_defender_for_cosmosdb_is_on_test.py | 3 + ...nsure_defender_for_databases_is_on_test.py | 7 + ...nder_ensure_defender_for_dns_is_on_test.py | 3 + ...ensure_defender_for_keyvault_is_on_test.py | 3 + ..._for_os_relational_databases_is_on_test.py | 3 + ...r_ensure_defender_for_server_is_on_test.py | 3 + ...ure_defender_for_sql_servers_is_on_test.py | 3 + ..._ensure_defender_for_storage_is_on_test.py | 3 + ...nder_ensure_iot_hub_defender_is_on_test.py | 5 + .../defender_ensure_mcas_is_enabled_test.py | 4 + ...ure_notify_alerts_severity_is_high_test.py | 5 + ...der_ensure_notify_emails_to_owners_test.py | 4 + ..._ensure_system_updates_are_applied_test.py | 5 + .../defender_ensure_wdatp_is_enabled_test.py | 4 + .../defender/defender_service_test.py | 264 ++++- ...licy_require_mfa_for_admin_portals_test.py | 9 +- ...icy_require_mfa_for_management_api_test.py | 9 +- ...obal_admin_in_less_than_five_users_test.py | 10 +- .../entra_non_privileged_user_has_mfa_test.py | 10 +- ...sers_cannot_create_security_groups_test.py | 4 + ...re_default_user_cannot_create_apps_test.py | 7 +- ...default_user_cannot_create_tenants_test.py | 6 +- ..._guest_invite_only_for_admin_roles_test.py | 6 +- ...cy_guest_users_access_restrictions_test.py | 6 +- ...cy_restricts_user_consent_for_apps_test.py | 9 +- ...icy_user_consent_for_verified_apps_test.py | 6 +- .../entra_privileged_user_has_mfa_test.py | 8 +- .../entra_security_defaults_enabled_test.py | 8 +- ...tra_trusted_named_locations_exists_test.py | 10 +- .../entra_user_with_vm_access_has_mfa_test.py | 11 +- ...cannot_create_microsoft_365_groups_test.py | 10 +- .../services/iam/azure_iam_service_test.py | 162 +++ 
...sions_to_administer_resource_locks_test.py | 5 + ..._role_user_access_admin_restricted_test.py | 3 + ...ion_roles_owner_custom_not_created_test.py | 3 + .../keyvault/keyvault_service_test.py | 207 ++++ .../services/mysql/mysql_service_test.py | 132 ++- .../services/network/network_service_test.py | 925 +++++++++++++++++- .../services/policy/policy_service_test.py | 100 +- .../postgresql/postgresql_service_test.py | 99 ++ .../azure/services/recovery/__init__.py | 0 .../recovery/recovery_service_test.py | 142 ++- .../sqlserver/sqlserver_service_test.py | 101 +- .../services/storage/storage_service_test.py | 156 ++- .../azure/services/vm/vm_service_test.py | 327 +++++++ 91 files changed, 4461 insertions(+), 99 deletions(-) create mode 100644 docs/user-guide/providers/azure/resource-groups.mdx create mode 100644 tests/providers/azure/services/iam/azure_iam_service_test.py create mode 100644 tests/providers/azure/services/recovery/__init__.py diff --git a/docs/docs.json b/docs/docs.json index fe3bc8cd51..84caec3a04 100644 --- a/docs/docs.json +++ b/docs/docs.json @@ -237,6 +237,7 @@ "user-guide/providers/azure/authentication", "user-guide/providers/azure/use-non-default-cloud", "user-guide/providers/azure/subscriptions", + "user-guide/providers/azure/resource-groups", "user-guide/providers/azure/create-prowler-service-principal" ] }, diff --git a/docs/user-guide/providers/azure/resource-groups.mdx b/docs/user-guide/providers/azure/resource-groups.mdx new file mode 100644 index 0000000000..323193ea49 --- /dev/null +++ b/docs/user-guide/providers/azure/resource-groups.mdx 
@@ -0,0 +1,47 @@ +--- +title: 'Azure Resource Group Scope' +--- + +Prowler supports narrowing security scans to specific resource groups within Azure subscriptions. This is useful when you want to audit only a subset of resources rather than scanning an entire subscription. + +By default, Prowler scans all resource groups it has permission to access. Passing `--azure-resource-group` limits the scan to only the specified resource groups across all accessible subscriptions. + +## Configuring Resource Group Scoped Scans + +To restrict a scan to one or more resource groups, pass them as arguments using the `--azure-resource-group` flag: + +```console +prowler azure --az-cli-auth --azure-resource-group ... +``` + +For example, to scan only `rg-production` and `rg-staging`: + +```console +prowler azure --az-cli-auth --azure-resource-group rg-prod1 rg-prod2 +``` + +This works with all supported authentication methods: + +```console +# Service Principal +prowler azure --sp-env-auth --azure-resource-group rg-production + +# Browser +prowler azure --browser-auth --tenant-id --azure-resource-group rg-production + +# Managed Identity +prowler azure --managed-identity-auth --azure-resource-group rg-production +``` + +## How It Works + +When `--azure-resource-group` is provided, Prowler validates each specified resource group against all accessible subscriptions. A resource group is included in the scan if it exists in **at least one** subscription. + +- If a resource group is found in one or more subscriptions, it will be scanned in those subscriptions only. +- If a resource group is **not found in any** subscription, Prowler logs a warning and skips it. +- If **none** of the provided resource groups are found across any subscription, Prowler logs a warning and no resource group scoped checks will run. +- Resource group names are matched case-insensitively, so `MyGroup` and `mygroup` are treated as the same group, mirroring Azure's own behavior. 
+ + +If `--azure-resource-group` is used, checks that apply to specific resources are limited to the relevant resource groups. But if checks that apply to tenant or subscription scope (identity, policy, or subscription-level configuration checks) are involved, then these checks will run in their natural scope. + diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md index 69bb1de446..9161cee8b8 100644 --- a/prowler/CHANGELOG.md +++ b/prowler/CHANGELOG.md @@ -26,6 +26,7 @@ All notable changes to the **Prowler SDK** are documented in this file. - AWS Bedrock AgentCore privilege escalation paths in the IAM privilege escalation checks, covering Runtime, Harness, Code Interpreter and Custom Browser [(#11726)](https://github.com/prowler-cloud/prowler/pull/11726) - `--scan-secrets-validate` flag and `aws.secrets_validate` configuration option to optionally validate the secrets discovered by the secret-scanning checks against the provider APIs; secrets confirmed to be live are reported as critical [(#11694)](https://github.com/prowler-cloud/prowler/pull/11694) - `apigateway_restapi_no_secrets_in_stage_variables` check for AWS provider, scanning API Gateway REST API stage variables for hardcoded secrets such as passwords, API keys, and tokens [(#11188)](https://github.com/prowler-cloud/prowler/pull/11188) +- Azure provider now supports `--azure-resource-group` to scope resource-level checks to specific resource groups across all accessible subscriptions [(#10657)](https://github.com/prowler-cloud/prowler/pull/10657) ### 🔄 Changed 
@@ -324,7 +325,6 @@ All notable changes to the **Prowler SDK** are documented in this file. - `bedrock_prompt_management_exists` check for AWS provider [(#10878)](https://github.com/prowler-cloud/prowler/pull/10878) - 8 Gmail attachment safety and spoofing protection checks for Google Workspace provider using the Cloud Identity Policy API [(#10980)](https://github.com/prowler-cloud/prowler/pull/10980) - `bedrock_prompt_encrypted_with_cmk` check for AWS provider [(#10905)](https://github.com/prowler-cloud/prowler/pull/10905) - ### 🔄 Changed - Azure Network Watcher flow log checks now require workspace-backed Traffic Analytics for `network_flow_log_captured_sent` and align metadata with VNet-compatible flow log guidance [(#10645)](https://github.com/prowler-cloud/prowler/pull/10645) diff --git a/prowler/providers/azure/azure_provider.py b/prowler/providers/azure/azure_provider.py index cb27bdfdb1..8b399cdc48 100644 --- a/prowler/providers/azure/azure_provider.py +++ b/prowler/providers/azure/azure_provider.py @@ -16,6 +16,7 @@ from azure.identity import ( DefaultAzureCredential, InteractiveBrowserCredential, ) +from azure.mgmt.resource import ResourceManagementClient from azure.mgmt.subscription import SubscriptionClient from colorama import Fore, Style from msgraph import GraphServiceClient @@ -104,6 +105,7 @@ class AzureProvider(Provider): _region_config: AzureRegionConfig _locations: dict _mutelist: AzureMutelist + _resource_groups: dict[str, list[str]] # TODO: this is not optional, enforce for all providers audit_metadata: Audit_Metadata @@ -123,6 +125,7 @@ class AzureProvider(Provider): mutelist_content: dict = None, client_id: str = None, client_secret: str = None, + resource_groups: list = [], ): """ Initializes the Azure provider. 
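Review bot: `resource_groups: list = []` in the `__init__` signature is a mutable default, so one list object is shared by every call that omits the argument. Nothing visible mutates it today, since `validate_resource_groups` rebinds a filtered copy, but a later edit that appends to it would leak state between provider instances. The neighbouring parameters default to `None`, so follow that with `resource_groups: list = None,` and pass `resource_groups or []` to `self.validate_resource_groups(...)` at the call site in the `@@ -272,6 +281,8 @@` hunk. The signature and body of `__init__` continue outside this hunk.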
@@ -142,6 +145,7 @@ class AzureProvider(Provider): mutelist_content (dict): The mutelist content. client_id (str): The Azure client ID. client_secret (str): The Azure client secret. + resource_groups (list): List of resource group names. Returns: None @@ -206,7 +210,7 @@ class AzureProvider(Provider): ... managed_identity_auth=False, ... region="AzureUSGovernment", ... ) - - Subscriptions: rowler is multisubscription, which means that is going to scan all the subscriptions is able to list. If you only assign permissions to one subscription, it is going to scan a single one. + - Subscriptions: Prowler is multisubscription, which means that is going to scan all the subscriptions is able to list. If you only assign permissions to one subscription, it is going to scan a single one. Prowler also allows you to specify the subscriptions you want to scan by passing a list of subscription IDs. >>> AzureProvider( ... az_cli_auth=False, @@ -215,6 +219,11 @@ class AzureProvider(Provider): ... managed_identity_auth=False, ... subscription_ids=["XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"], ... ) + - Resource Groups: Prowler allows you to narrow the scan to specific resource groups. + >>> AzureProvider( + ... az_cli_auth=True, + ... resource_groups=["rg-production", "rg-staging"], + ... ) """ logger.info("Setting Azure provider ...") @@ -272,6 +281,8 @@ class AzureProvider(Provider): # TODO: should we keep this here or within the identity? self._locations = self.get_locations() + self._resource_groups = self.validate_resource_groups(resource_groups) + # Audit Config if config_content: self._audit_config = config_content 
@@ -337,6 +348,11 @@ class AzureProvider(Provider): """Mutelist object associated with this Azure provider.""" return self._mutelist + @property + def resource_groups(self) -> dict[str, list[str]]: + """Mapping of subscription name to the list of resource groups to scan within it.""" + return self._resource_groups + # TODO: this should be moved to the argparse, if not we need to enforce it from the Provider # previously was using the AzureException @staticmethod @@ -439,7 +455,7 @@ class AzureProvider(Provider): """Azure credentials information. This method prints the Azure Tenant Domain, Azure Tenant ID, Azure Region, - Azure Subscriptions, Azure Identity Type, and Azure Identity ID. + Azure Subscriptions, Azure Resource Groups, Azure Identity Type, and Azure Identity ID. Args: None @@ -455,6 +471,7 @@ class AzureProvider(Provider): f"Azure Tenant Domain: {Fore.YELLOW}{self._identity.tenant_domain}{Style.RESET_ALL} Azure Tenant ID: {Fore.YELLOW}{self._identity.tenant_ids[0]}{Style.RESET_ALL}", f"Azure Region: {Fore.YELLOW}{self.region_config.name}{Style.RESET_ALL}", f"Azure Subscriptions: {Fore.YELLOW}{printed_subscriptions}{Style.RESET_ALL}", + f"Azure Resource Groups: {Fore.YELLOW}{sorted({rg for rgs in self._resource_groups.values() for rg in rgs}) if any(self._resource_groups.values()) else ('NONE (no matching resource groups found)' if self._resource_groups else 'ALL')}{Style.RESET_ALL}", f"Azure Identity Type: {Fore.YELLOW}{self._identity.identity_type}{Style.RESET_ALL} Azure Identity ID: {Fore.YELLOW}{self._identity.identity_id}{Style.RESET_ALL}", ] report_title = ( 
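Review bot: The docstring on the new `resource_groups` property says the mapping is keyed by subscription name, but `validate_resource_groups` fills it using a loop variable named `subscription_id`, and `AzureService.list_with_rg_scope` looks it up with whatever key `self.clients` uses. If those keys ever differ, `.get(subscription_id, [])` returns an empty list and every scoped listing for that subscription is skipped with only an info log, so the scan reports no findings for resources it never examined. Which key is actually used is not visible in this patch, so confirm it and state it in the docstring, for example `"""Mapping of subscription key (as used by service clients) to the resource group names to scan; an empty dict means no filter."""`. The class body continues outside the hunk.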
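Review bot: The added `Azure Resource Groups` entry in `print_credentials` packs a set comprehension and a nested conditional into one f-string, which makes the three states (no filter, filter with matches, filter with no matches) hard to verify on review. This line tells the operator what the scan actually covered, so it is worth computing the label in named steps before building `report_lines`. The sketch below keeps the same three outputs. The body of `print_credentials` starts and ends outside the hunk.

```python
# … unchanged: printed_subscriptions is built above …
matched_groups = sorted(
    {rg for rgs in self._resource_groups.values() for rg in rgs}
)
if matched_groups:
    resource_groups_label = matched_groups
elif self._resource_groups:
    # A filter was requested but nothing matched in any subscription.
    resource_groups_label = "NONE (no matching resource groups found)"
else:
    resource_groups_label = "ALL"
# … inside report_lines, replacing the long f-string …
f"Azure Resource Groups: {Fore.YELLOW}{resource_groups_label}{Style.RESET_ALL}",
```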
@@ -1102,6 +1119,54 @@ class AzureProvider(Provider): return set(chain.from_iterable(locations.values())) + def validate_resource_groups(self, resource_groups: list) -> dict[str, list[str]]: + resource_groups = [r.strip() for r in resource_groups if r and r.strip()] + if not resource_groups: + return {} + + rg_map = { + subscription_id: [] for subscription_id in self._identity.subscriptions + } + credentials = self.session + + for subscription_id, display_name in self._identity.subscriptions.items(): + try: + rg_client = ResourceManagementClient( + credentials, + subscription_id, + base_url=self._region_config.base_url, + credential_scopes=self._region_config.credential_scopes, + ) + existing_rgs = { + rg.name.lower(): rg.name for rg in rg_client.resource_groups.list() + } + except Exception as e: + logger.warning( + f"Could not list resource groups for subscription '{display_name}' " + f"({subscription_id}): {e}. Skipping resource group filtering for this subscription." + ) + continue + + for rg in resource_groups: + real_name = existing_rgs.get(rg.lower()) + if real_name: + rg_map[subscription_id].append(real_name) + + for rg in resource_groups: + if not any(rg.lower() == r.lower() for rgs in rg_map.values() for r in rgs): + logger.warning( + f"Resource group '{rg}' was not found in any subscription. " + "Please check the resource group name and try again." + ) + + if not any(rgs for rgs in rg_map.values()): + logger.warning( + f"None of the provided resource groups {resource_groups} were found " + "in any subscription. Please check the resource group names and try again." + ) + + return rg_map + @staticmethod def validate_static_credentials( tenant_id: str = None, diff --git a/prowler/providers/azure/lib/arguments/arguments.py b/prowler/providers/azure/lib/arguments/arguments.py index 2b624a3f23..87bea948aa 100644 --- a/prowler/providers/azure/lib/arguments/arguments.py +++ b/prowler/providers/azure/lib/arguments/arguments.py 
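Review bot: When `rg_client.resource_groups.list()` raises in `validate_resource_groups`, the warning says resource group filtering is skipped for that subscription, but its `rg_map` entry stays `[]` and `list_with_rg_scope` returns nothing for an empty entry under an active filter. The subscription therefore drops out of every resource-level check, which in a security report reads as "no findings" rather than "not scanned". Reword the tail of the message to match, for example `f"({subscription_id}): {e}. No resources from this subscription will be included in resource-group-scoped checks."`, and consider `logger.error` so the coverage gap stands out. The method also lacks a docstring. It should state what the returned mapping is keyed by, that names are matched case-insensitively and stored with the casing Azure returns, and that an empty dict means no filter was requested.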
@@ -53,6 +53,16 @@ def init_parser(self): type=validate_azure_region, help="Azure region from `az cloud list --output table`, by default AzureCloud", ) + # Resource Groups + azure_rg_subparser = azure_parser.add_argument_group("Resource Groups") + azure_rg_subparser.add_argument( + "--azure-resource-group", + "--azure-resource-groups", + nargs="+", + default=[], + dest="resource_groups", + help="Azure Resource Group names to scope the scan to specific groups.", + ) def validate_azure_region(region): diff --git a/prowler/providers/azure/lib/service/service.py b/prowler/providers/azure/lib/service/service.py index a0a832ca01..ae9b127647 100644 --- a/prowler/providers/azure/lib/service/service.py +++ b/prowler/providers/azure/lib/service/service.py @@ -26,6 +26,7 @@ class AzureService: ) self.subscriptions = provider.identity.subscriptions + self.resource_groups = provider.resource_groups self.locations = provider.locations self.audit_config = provider.audit_config self.fixer_config = provider.fixer_config @@ -49,6 +50,26 @@ class AzureService: return results + def list_with_rg_scope(self, subscription_id, list_all_fn, list_by_rg_fn): + if not self.resource_groups: + return list(list_all_fn()) + resource_groups = self.resource_groups.get(subscription_id, []) + if not resource_groups: + logger.info( + f"No valid resource groups for subscription {subscription_id}, skipping." + ) + return [] + output = [] + for resource_group in resource_groups: + try: + output += list(list_by_rg_fn(resource_group_name=resource_group)) + except Exception as error: + logger.warning( + f"Subscription ID: {subscription_id} -- Resource Group: {resource_group} -- " + f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" + ) + return output + def __set_clients__(self, identity, session, service, region_config): clients = {} try: 
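Review bot: The help string for `--azure-resource-group` does not say that names not found in any subscription are skipped with only a warning, or that tenant- and subscription-level checks still run unfiltered, although the new `resource-groups.mdx` page documents both. An operator reading only `--help` can take a scoped run as narrower, or more complete, than it is. Suggested text: `help="Azure Resource Group names to scope resource-level checks to. Names not found in any subscription are skipped with a warning; tenant and subscription-level checks are not filtered."`.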
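Review bot: In `list_with_rg_scope`, a failure inside the per-resource-group loop is logged at warning level and the method returns whatever it has collected, so callers cannot tell a partial listing from a complete one. Before this change, the same API error reached the calling service's `except` and was logged with `logger.error`. Partial coverage that looks complete is the risky outcome for a scanner, for example when an authorization failure hits one group, so use `logger.error(` here to match the service-level handlers. The method also needs a docstring stating its three outcomes: no filter returns `list(list_all_fn())`; a filter with no groups for this subscription returns `[]`; otherwise it concatenates `list_by_rg_fn(resource_group_name=...)` per group and omits groups that failed.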
diff --git a/prowler/providers/azure/services/aisearch/aisearch_service.py b/prowler/providers/azure/services/aisearch/aisearch_service.py index 3f482a41a5..01c6a458f7 100644 --- a/prowler/providers/azure/services/aisearch/aisearch_service.py +++ b/prowler/providers/azure/services/aisearch/aisearch_service.py @@ -17,7 +17,11 @@ class AISearch(AzureService): for subscription, client in self.clients.items(): try: aisearch_services.update({subscription: {}}) - aisearch_services_list = client.services.list_by_subscription() + aisearch_services_list = self.list_with_rg_scope( + subscription, + client.services.list_by_subscription, + client.services.list_by_resource_group, + ) for aisearch_service in aisearch_services_list: aisearch_services[subscription].update( { diff --git a/prowler/providers/azure/services/aks/aks_service.py b/prowler/providers/azure/services/aks/aks_service.py index 081edd7b17..0bd7c4d63c 100644 --- a/prowler/providers/azure/services/aks/aks_service.py +++ b/prowler/providers/azure/services/aks/aks_service.py @@ -19,8 +19,12 @@ class AKS(AzureService): for subscription_id, client in self.clients.items(): try: - clusters_list = client.managed_clusters.list() clusters.update({subscription_id: {}}) + clusters_list = self.list_with_rg_scope( + subscription_id, + client.managed_clusters.list, + client.managed_clusters.list_by_resource_group, + ) for cluster in clusters_list: if getattr(cluster, "kubernetes_version", None): diff --git a/prowler/providers/azure/services/apim/apim_service.py b/prowler/providers/azure/services/apim/apim_service.py index 98fb00f276..3186716ddb 100644 --- a/prowler/providers/azure/services/apim/apim_service.py +++ b/prowler/providers/azure/services/apim/apim_service.py 
@@ -131,7 +131,11 @@ class APIM(AzureService): for subscription, client in self.clients.items(): try: instances.update({subscription: []}) - apim_instances = client.api_management_service.list() + apim_instances = self.list_with_rg_scope( + subscription, + client.api_management_service.list, + client.api_management_service.list_by_resource_group, + ) for instance in apim_instances: workspace_id = self._get_log_analytics_workspace_id( diff --git a/prowler/providers/azure/services/app/app_service.py b/prowler/providers/azure/services/app/app_service.py index 201cd6a344..83d23be516 100644 --- a/prowler/providers/azure/services/app/app_service.py +++ b/prowler/providers/azure/services/app/app_service.py @@ -22,8 +22,12 @@ class App(AzureService): for subscription_id, client in self.clients.items(): try: - apps_list = client.web_apps.list() apps.update({subscription_id: {}}) + apps_list = self.list_with_rg_scope( + subscription_id, + client.web_apps.list, + client.web_apps.list_by_resource_group, + ) for app in apps_list: # Filter function apps @@ -117,8 +121,12 @@ class App(AzureService): for subscription_id, client in self.clients.items(): try: - functions_list = client.web_apps.list() functions.update({subscription_id: {}}) + functions_list = self.list_with_rg_scope( + subscription_id, + client.web_apps.list, + client.web_apps.list_by_resource_group, + ) for function in functions_list: # Filter function apps diff --git a/prowler/providers/azure/services/appinsights/appinsights_service.py b/prowler/providers/azure/services/appinsights/appinsights_service.py index 918a0f1b0f..6e92a7b275 100644 --- a/prowler/providers/azure/services/appinsights/appinsights_service.py +++ b/prowler/providers/azure/services/appinsights/appinsights_service.py 
@@ -17,8 +17,12 @@ class AppInsights(AzureService): for subscription_id, client in self.clients.items(): try: - components_list = client.components.list() components.update({subscription_id: {}}) + components_list = self.list_with_rg_scope( + subscription_id, + client.components.list, + client.components.list_by_resource_group, + ) for component in components_list: components[subscription_id].update( diff --git a/prowler/providers/azure/services/containerregistry/containerregistry_service.py b/prowler/providers/azure/services/containerregistry/containerregistry_service.py index ee6cce39f2..c44a0c7ef1 100644 --- a/prowler/providers/azure/services/containerregistry/containerregistry_service.py +++ b/prowler/providers/azure/services/containerregistry/containerregistry_service.py @@ -19,8 +19,12 @@ class ContainerRegistry(AzureService): registries = {} for subscription, client in self.clients.items(): try: - registries_list = client.registries.list() registries.update({subscription: {}}) + registries_list = self.list_with_rg_scope( + subscription, + client.registries.list, + client.registries.list_by_resource_group, + ) for registry in registries_list: resource_group = self._get_resource_group(registry.id) diff --git a/prowler/providers/azure/services/cosmosdb/cosmosdb_service.py b/prowler/providers/azure/services/cosmosdb/cosmosdb_service.py index e7c53799a7..37b06da1c5 100644 --- a/prowler/providers/azure/services/cosmosdb/cosmosdb_service.py +++ b/prowler/providers/azure/services/cosmosdb/cosmosdb_service.py @@ -18,8 +18,13 @@ class CosmosDB(AzureService): accounts = {} for subscription, client in self.clients.items(): try: - accounts_list = client.database_accounts.list() accounts.update({subscription: []}) + accounts_list = self.list_with_rg_scope( + subscription, + client.database_accounts.list, + client.database_accounts.list_by_resource_group, + ) + for account in accounts_list: accounts[subscription].append( Account( 
diff --git a/prowler/providers/azure/services/databricks/databricks_service.py b/prowler/providers/azure/services/databricks/databricks_service.py index b7367d3cbb..128495a2c7 100644 --- a/prowler/providers/azure/services/databricks/databricks_service.py +++ b/prowler/providers/azure/services/databricks/databricks_service.py @@ -38,8 +38,13 @@ class Databricks(AzureService): for subscription, client in self.clients.items(): try: workspaces[subscription] = {} + workspaces_list = self.list_with_rg_scope( + subscription, + client.workspaces.list_by_subscription, + client.workspaces.list_by_resource_group, + ) - for workspace in client.workspaces.list_by_subscription(): + for workspace in workspaces_list: workspace_parameters = getattr(workspace, "parameters", None) workspace_managed_disk_encryption = getattr( getattr( diff --git a/prowler/providers/azure/services/defender/defender_service.py b/prowler/providers/azure/services/defender/defender_service.py index 7da96cd8ec..b4ce4239cc 100644 --- a/prowler/providers/azure/services/defender/defender_service.py +++ b/prowler/providers/azure/services/defender/defender_service.py @@ -230,8 +230,10 @@ class Defender(AzureService): iot_security_solutions = {} for subscription_id, client in self.clients.items(): try: - iot_security_solutions_list = ( - client.iot_security_solution.list_by_subscription() + iot_security_solutions_list = self.list_with_rg_scope( + subscription_id, + client.iot_security_solution.list_by_subscription, + client.iot_security_solution.list_by_resource_group, ) iot_security_solutions.update({subscription_id: {}}) for iot_security_solution in iot_security_solutions_list: 
@@ -267,8 +269,13 @@ class Defender(AzureService): for subscription_id, client in self.clients.items(): try: jit_policies[subscription_id] = {} - policies = client.jit_network_access_policies.list() - for policy in policies: + policies_list = self.list_with_rg_scope( + subscription_id, + client.jit_network_access_policies.list, + client.jit_network_access_policies.list_by_resource_group, + ) + + for policy in policies_list: vm_ids = set() for vm in getattr(policy, "virtual_machines", []): vm_ids.add(vm.id) diff --git a/prowler/providers/azure/services/keyvault/keyvault_service.py b/prowler/providers/azure/services/keyvault/keyvault_service.py index 9fb3fd98af..e5b2e76427 100644 --- a/prowler/providers/azure/services/keyvault/keyvault_service.py +++ b/prowler/providers/azure/services/keyvault/keyvault_service.py @@ -35,7 +35,11 @@ class KeyVault(AzureService): for subscription, client in self.clients.items(): try: key_vaults[subscription] = [] - vaults_list = list(client.vaults.list_by_subscription()) + vaults_list = self.list_with_rg_scope( + subscription, + client.vaults.list_by_subscription, + client.vaults.list_by_resource_group, + ) if not vaults_list: continue diff --git a/prowler/providers/azure/services/mysql/mysql_service.py b/prowler/providers/azure/services/mysql/mysql_service.py index b3a386a193..2898d8445c 100644 --- a/prowler/providers/azure/services/mysql/mysql_service.py +++ b/prowler/providers/azure/services/mysql/mysql_service.py @@ -19,8 +19,12 @@ class MySQL(AzureService): servers = {} for subscription_id, client in self.clients.items(): try: - servers_list = client.servers.list() servers.update({subscription_id: {}}) + servers_list = self.list_with_rg_scope( + subscription_id, + client.servers.list, + client.servers.list_by_resource_group, + ) for server in servers_list: backup = getattr(server, "backup", None) ha = getattr(server, "high_availability", None) 
diff --git a/prowler/providers/azure/services/network/network_service.py b/prowler/providers/azure/services/network/network_service.py index a924cf9609..54cb02989b 100644 --- a/prowler/providers/azure/services/network/network_service.py +++ b/prowler/providers/azure/services/network/network_service.py @@ -24,8 +24,13 @@ class Network(AzureService): security_groups = {} for subscription, client in self.clients.items(): try: + security_groups_list = self.list_with_rg_scope( + subscription, + client.network_security_groups.list_all, + client.network_security_groups.list, + ) + security_groups.update({subscription: []}) - security_groups_list = client.network_security_groups.list_all() for security_group in security_groups_list: security_groups[subscription].append( SecurityGroup( @@ -64,8 +69,8 @@ class Network(AzureService): network_watchers = {} for subscription, client in self.clients.items(): try: - network_watchers.update({subscription: []}) network_watchers_list = client.network_watchers.list_all() + network_watchers.update({subscription: []}) for network_watcher in network_watchers_list: flow_logs = self._get_flow_logs( subscription, network_watcher.name, network_watcher.id @@ -164,8 +169,13 @@ class Network(AzureService): bastion_hosts = {} for subscription, client in self.clients.items(): try: + bastion_hosts_list = self.list_with_rg_scope( + subscription, + client.bastion_hosts.list, + client.bastion_hosts.list_by_resource_group, + ) + bastion_hosts.update({subscription: []}) - bastion_hosts_list = client.bastion_hosts.list() for bastion_host in bastion_hosts_list: bastion_hosts[subscription].append( BastionHost( 
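Review bot: In `_get_security_groups` the listing now runs before `security_groups.update({subscription: []})`, and `list_with_rg_scope` materialises the pager with `list(...)`, so an API error leaves the subscription with no key in the result where the old order left an empty list. The bastion host hunk on this file uses the same order, as do the public IP, PostgreSQL, SQL Server and Storage hunks, while the AKS, App, MySQL and VM hunks initialise the key first. Whether any check depends on the key being present is not visible in this patch. Initialising first everywhere keeps failure behaviour uniform, so move `security_groups.update({subscription: []})` above the `self.list_with_rg_scope(` call and do the same in the other listed hunks.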
@@ -186,8 +196,13 @@ class Network(AzureService): public_ip_addresses = {} for subscription, client in self.clients.items(): try: + public_ip_addresses_list = self.list_with_rg_scope( + subscription, + client.public_ip_addresses.list_all, + client.public_ip_addresses.list, + ) + public_ip_addresses.update({subscription: []}) - public_ip_addresses_list = client.public_ip_addresses.list_all() for public_ip_address in public_ip_addresses_list: public_ip_addresses[subscription].append( PublicIp( @@ -207,13 +222,17 @@ class Network(AzureService): def _get_virtual_networks(self): logger.info("Network - Getting Virtual Networks...") virtual_networks = {} - for subscription, client in self.clients.items(): + for subscription_id, client in self.clients.items(): try: - virtual_networks[subscription] = [] - vnet_list = client.virtual_networks.list_all() - for vnet in vnet_list: + virtual_networks[subscription_id] = [] + virtual_networks_list = self.list_with_rg_scope( + subscription_id, + client.virtual_networks.list_all, + client.virtual_networks.list, + ) + for virtual_network in virtual_networks_list: subnets = [] - for subnet in getattr(vnet, "subnets", []) or []: + for subnet in getattr(virtual_network, "subnets", []) or []: nsg = getattr(subnet, "network_security_group", None) subnets.append( VNetSubnet( 
@@ -222,20 +241,20 @@ class Network(AzureService): nsg_id=getattr(nsg, "id", None) if nsg else None, ) ) - virtual_networks[subscription].append( + virtual_networks[subscription_id].append( VirtualNetwork( - id=vnet.id, - name=vnet.name, - location=vnet.location, + id=virtual_network.id, + name=virtual_network.name, + location=virtual_network.location, enable_ddos_protection=getattr( - vnet, "enable_ddos_protection", False + virtual_network, "enable_ddos_protection", False ), subnets=subnets, ) ) except Exception as error: logger.error( - f"Subscription name: {subscription} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" + f"Subscription ID: {subscription_id} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" ) return virtual_networks diff --git a/prowler/providers/azure/services/policy/policy_service.py b/prowler/providers/azure/services/policy/policy_service.py index 1d1381202f..663e9b76a3 100644 --- a/prowler/providers/azure/services/policy/policy_service.py +++ b/prowler/providers/azure/services/policy/policy_service.py @@ -18,8 +18,8 @@ class Policy(AzureService): for subscription_id, client in self.clients.items(): try: - policy_assigments_list = client.policy_assignments.list() policy_assigments.update({subscription_id: {}}) + policy_assigments_list = client.policy_assignments.list() for policy_assigment in policy_assigments_list: policy_assigments[subscription_id].update( diff --git a/prowler/providers/azure/services/postgresql/postgresql_service.py b/prowler/providers/azure/services/postgresql/postgresql_service.py index 681c57a32c..e7fe98fe79 100644 --- a/prowler/providers/azure/services/postgresql/postgresql_service.py +++ b/prowler/providers/azure/services/postgresql/postgresql_service.py 
@@ -19,8 +19,13 @@ class PostgreSQL(AzureService): flexible_servers = {} for subscription, client in self.clients.items(): try: + flexible_servers_list = self.list_with_rg_scope( + subscription, + client.servers.list, + client.servers.list_by_resource_group, + ) + flexible_servers.update({subscription: []}) - flexible_servers_list = client.servers.list() for postgresql_server in flexible_servers_list: # Isolate each server: a failure collecting one server must # not abort collection of the remaining servers in the diff --git a/prowler/providers/azure/services/recovery/recovery_service.py b/prowler/providers/azure/services/recovery/recovery_service.py index 38645219bd..6c414ee446 100644 --- a/prowler/providers/azure/services/recovery/recovery_service.py +++ b/prowler/providers/azure/services/recovery/recovery_service.py @@ -56,9 +56,14 @@ class Recovery(AzureService): try: vaults_dict: dict[str, dict[str, BackupVault]] = {} for subscription_id, client in self.clients.items(): - vaults = client.vaults.list_by_subscription_id() + vaults_list = self.list_with_rg_scope( + subscription_id, + client.vaults.list_by_subscription_id, + client.vaults.list_by_resource_group, + ) + vaults_dict[subscription_id] = {} - for vault in vaults: + for vault in vaults_list: vault_obj = BackupVault( id=vault.id, name=vault.name, diff --git a/prowler/providers/azure/services/sqlserver/sqlserver_service.py b/prowler/providers/azure/services/sqlserver/sqlserver_service.py index af02dace0d..274025fd7b 100644 --- a/prowler/providers/azure/services/sqlserver/sqlserver_service.py +++ b/prowler/providers/azure/services/sqlserver/sqlserver_service.py 
@@ -18,8 +18,13 @@ class SQLServer(AzureService): sql_servers = {} for subscription, client in self.clients.items(): try: + sql_servers_list = self.list_with_rg_scope( + subscription, + client.servers.list, + client.servers.list_by_resource_group, + ) + sql_servers.update({subscription: []}) - sql_servers_list = client.servers.list() for sql_server in sql_servers_list: resource_group = self._get_resource_group(sql_server.id) auditing_policies = self._get_server_blob_auditing_policies( diff --git a/prowler/providers/azure/services/storage/storage_service.py b/prowler/providers/azure/services/storage/storage_service.py index 74b8b3da30..863b33256e 100644 --- a/prowler/providers/azure/services/storage/storage_service.py +++ b/prowler/providers/azure/services/storage/storage_service.py @@ -20,8 +20,13 @@ class Storage(AzureService): storage_accounts = {} for subscription, client in self.clients.items(): try: + storage_accounts_list = self.list_with_rg_scope( + subscription, + client.storage_accounts.list, + client.storage_accounts.list_by_resource_group, + ) + storage_accounts.update({subscription: []}) - storage_accounts_list = client.storage_accounts.list() for storage_account in storage_accounts_list: parts = storage_account.id.split("/") if "resourceGroups" in parts: diff --git a/prowler/providers/azure/services/vm/vm_service.py b/prowler/providers/azure/services/vm/vm_service.py index b20f4b5678..8ef27c57f4 100644 --- a/prowler/providers/azure/services/vm/vm_service.py +++ b/prowler/providers/azure/services/vm/vm_service.py 
@@ -22,8 +22,12 @@ class VirtualMachines(AzureService): for subscription_id, client in self.clients.items(): try: - virtual_machines_list = client.virtual_machines.list_all() virtual_machines.update({subscription_id: {}}) + virtual_machines_list = self.list_with_rg_scope( + subscription_id, + client.virtual_machines.list_all, + client.virtual_machines.list, + ) for vm in virtual_machines_list: storage_profile = getattr(vm, "storage_profile", None) @@ -155,8 +159,12 @@ class VirtualMachines(AzureService): for subscription_id, client in self.clients.items(): try: - disks_list = client.disks.list() disks.update({subscription_id: {}}) + disks_list = self.list_with_rg_scope( + subscription_id, + client.disks.list, + client.disks.list_by_resource_group, + ) for disk in disks_list: vms_attached = [] @@ -202,9 +210,13 @@ class VirtualMachines(AzureService): vm_scale_sets = {} for subscription_id, client in self.clients.items(): try: - scale_sets = client.virtual_machine_scale_sets.list_all() vm_scale_sets[subscription_id] = {} - for scale_set in scale_sets: + scale_sets_list = self.list_with_rg_scope( + subscription_id, + client.virtual_machine_scale_sets.list_all, + client.virtual_machine_scale_sets.list, + ) + for scale_set in scale_sets_list: backend_pools = [] nic_configs = [] virtual_machine_profile = getattr( diff --git a/prowler/providers/common/provider.py b/prowler/providers/common/provider.py index 8c2d90b837..981d11fe00 100644 --- a/prowler/providers/common/provider.py +++ b/prowler/providers/common/provider.py @@ -407,6 +407,7 @@ class Provider(ABC): tenant_id=arguments.tenant_id, region=arguments.azure_region, subscription_ids=arguments.subscription_id, + resource_groups=arguments.resource_groups, config_path=arguments.config_file, mutelist_path=arguments.mutelist_file, fixer_config=fixer_config, diff --git a/tests/providers/azure/azure_fixtures.py b/tests/providers/azure/azure_fixtures.py index 84d43fd2c3..d095645e1f 100644 
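Review bot: With a resource-group filter active, the disks hunk (`@@ -155,8 +159,12 @@`) collects only disks that live in the selected groups, through `client.disks.list_by_resource_group`. A managed disk can sit in a different resource group from the VM it is attached to, so a disk attached to an in-scope VM may drop out of the disk checks without producing any finding. If that is the intended boundary, state it next to the call, for example `# RG scope follows the disk's own resource group, not the attached VM's`, and in the resource-groups documentation page this patch adds. The enclosing method starts and ends outside the hunk.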
--- a/tests/providers/azure/azure_fixtures.py +++ b/tests/providers/azure/azure_fixtures.py @@ -9,6 +9,8 @@ from prowler.providers.azure.models import AzureIdentityInfo, AzureRegionConfig AZURE_SUBSCRIPTION_ID = str(uuid4()) AZURE_SUBSCRIPTION_NAME = "Subscription Name" AZURE_SUBSCRIPTION_DISPLAY = f"{AZURE_SUBSCRIPTION_NAME} ({AZURE_SUBSCRIPTION_ID})" +RESOURCE_GROUP = "rg" +RESOURCE_GROUP_LIST = [RESOURCE_GROUP, "rg2"] # Azure Identity IDENTITY_ID = "00000000-0000-0000-0000-000000000000" @@ -30,6 +32,7 @@ def set_mocked_azure_provider( audit_config: dict = None, azure_region_config: AzureRegionConfig = AzureRegionConfig(), locations: list = None, + resource_groups: dict = None, ) -> AzureProvider: provider = MagicMock() @@ -39,5 +42,6 @@ def set_mocked_azure_provider( provider.identity = identity provider.audit_config = audit_config provider.region_config = azure_region_config + provider.resource_groups = resource_groups return provider diff --git a/tests/providers/azure/azure_provider_test.py b/tests/providers/azure/azure_provider_test.py index 1d9aa97e6b..b4fba94691 100644 --- a/tests/providers/azure/azure_provider_test.py +++ b/tests/providers/azure/azure_provider_test.py 
@@ -552,6 +552,102 @@ class TestAzureProvider: assert regions == expected_regions +class TestAzureProviderValidateResourceGroups: + @patch( + "prowler.providers.azure.azure_provider.AzureProvider.__init__", + return_value=None, + ) + def _make_provider(self, _mock_init, subscriptions=None): + provider = AzureProvider() + provider._identity = MagicMock() + provider._identity.subscriptions = subscriptions or {str(uuid4()): "Sub"} + provider._session = MagicMock() + provider._region_config = MagicMock() + return provider + + @patch("prowler.providers.azure.azure_provider.ResourceManagementClient") + def test_validate_resource_groups_exact_match(self, mock_rm_client): + provider = self._make_provider() + sub_name = list(provider._identity.subscriptions.keys())[0] + + mock_rg = MagicMock() + mock_rg.name = "mygroup" + mock_resource_groups = MagicMock() + mock_resource_groups.list.return_value = [mock_rg] + mock_rm_client.return_value.resource_groups = mock_resource_groups + + result = provider.validate_resource_groups(["mygroup"]) + + assert result[sub_name] == ["mygroup"] + + @patch("prowler.providers.azure.azure_provider.ResourceManagementClient") + def test_validate_resource_groups_mixed_case(self, mock_rm_client): + provider = self._make_provider() + sub_name = list(provider._identity.subscriptions.keys())[0] + + mock_rg = MagicMock() + mock_rg.name = "MyGroup" + mock_resource_groups = MagicMock() + mock_resource_groups.list.return_value = [mock_rg] + mock_rm_client.return_value.resource_groups = mock_resource_groups + + result = provider.validate_resource_groups(["mygroup"]) + + assert result[sub_name] == ["MyGroup"] + mock_resource_groups.list.assert_called_once() + + @patch("prowler.providers.azure.azure_provider.ResourceManagementClient") + def test_validate_resource_groups_multiple_rgs(self, mock_rm_client): + provider = self._make_provider() + sub_name = list(provider._identity.subscriptions.keys())[0] + + rg1, rg2 = MagicMock(), MagicMock() + rg1.name = "rg1" 
+ rg2.name = "rg2" + mock_resource_groups = MagicMock() + mock_resource_groups.list.return_value = [rg1, rg2] + mock_rm_client.return_value.resource_groups = mock_resource_groups + + result = provider.validate_resource_groups(["rg1", "rg2"]) + + assert set(result[sub_name]) == {"rg1", "rg2"} + + @patch("prowler.providers.azure.azure_provider.ResourceManagementClient") + def test_validate_resource_groups_not_found(self, mock_rm_client): + provider = self._make_provider() + sub_name = list(provider._identity.subscriptions.keys())[0] + + mock_rg = MagicMock() + mock_rg.name = "existing" + mock_resource_groups = MagicMock() + mock_resource_groups.list.return_value = [mock_rg] + mock_rm_client.return_value.resource_groups = mock_resource_groups + + result = provider.validate_resource_groups(["nonexistent"]) + + assert result[sub_name] == [] + + def test_validate_resource_groups_empty_input(self): + provider = self._make_provider() + result = provider.validate_resource_groups([]) + assert result == {} + + @patch("prowler.providers.azure.azure_provider.ResourceManagementClient") + def test_validate_resource_groups_strips_whitespace(self, mock_rm_client): + provider = self._make_provider() + sub_name = list(provider._identity.subscriptions.keys())[0] + + mock_rg = MagicMock() + mock_rg.name = "rg-prod" + mock_resource_groups = MagicMock() + mock_resource_groups.list.return_value = [mock_rg] + mock_rm_client.return_value.resource_groups = mock_resource_groups + + result = provider.validate_resource_groups([" rg-prod "]) + + assert result[sub_name] == ["rg-prod"] + + class TestAzureProviderSetupIdentitySubscriptions: """Regression tests ensuring identity.subscriptions preserves every subscription even when multiple Azure subscriptions share the same diff --git a/tests/providers/azure/services/aisearch/aisearch_service_test.py b/tests/providers/azure/services/aisearch/aisearch_service_test.py index ff041e7eab..e8bc94675f 100644 
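Review bot: `test_validate_resource_groups_not_found` pins `result[sub_name] == []` for a name that matches nothing, and the service tests in this patch (for example `test_get_aisearch_services_empty_resource_group_for_subscription`) pin that an empty list means no list call is made at all. Taken together, a mistyped resource group name yields a scan that evaluates nothing in that subscription and reports no failures, which reads as a clean result. Whether `validate_resource_groups` logs or raises for unmatched names is not visible in this hunk. If it does, assert that here (for instance through `caplog`); if it does not, a warning or error naming the unmatched group seems warranted, so that an empty scope is never mistaken for a passing one.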
--- a/tests/providers/azure/services/aisearch/aisearch_service_test.py +++ b/tests/providers/azure/services/aisearch/aisearch_service_test.py @@ -1,4 +1,4 @@ -from unittest.mock import patch +from unittest.mock import MagicMock, patch from prowler.providers.azure.services.aisearch.aisearch_service import ( AISearch, @@ -6,9 +6,13 @@ from prowler.providers.azure.services.aisearch.aisearch_service import ( ) from tests.providers.azure.azure_fixtures import ( AZURE_SUBSCRIPTION_ID, + RESOURCE_GROUP, + RESOURCE_GROUP_LIST, set_mocked_azure_provider, ) +AISEARCH_SERVICE_ID = f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}/providers/Microsoft.Search/searchServices/search1" + def mock_storage_get_aisearch_services(_): return { 
@@ -58,3 +62,121 @@ class Test_AISearch_Service: assert aisearch.aisearch_services[AZURE_SUBSCRIPTION_ID][ "aisearch_service_id-1" ].public_network_access + + +class Test_AISearch_Service_get_aisearch_services: + def test_get_aisearch_services_no_resource_groups(self): + mock_service = MagicMock() + mock_service.id = AISEARCH_SERVICE_ID + mock_service.name = "search1" + mock_service.location = "westeurope" + mock_service.public_network_access = "Enabled" + + mock_client = MagicMock() + mock_client.services.list_by_subscription.return_value = [mock_service] + + with patch( + "prowler.providers.azure.services.aisearch.aisearch_service.AISearch._get_aisearch_services", + return_value={}, + ): + aisearch = AISearch(set_mocked_azure_provider()) + + aisearch.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + aisearch.resource_groups = None + + result = aisearch._get_aisearch_services() + + mock_client.services.list_by_subscription.assert_called_once() + mock_client.services.list_by_resource_group.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + assert ( + result[AZURE_SUBSCRIPTION_ID][AISEARCH_SERVICE_ID].public_network_access + is True + ) + + def test_get_aisearch_services_with_resource_group(self): + mock_service = MagicMock() + mock_service.id = AISEARCH_SERVICE_ID + mock_service.name = "search1" + mock_service.location = "westeurope" + mock_service.public_network_access = "Disabled" + + mock_client = MagicMock() + mock_client.services.list_by_resource_group.return_value = [mock_service] + + with patch( + "prowler.providers.azure.services.aisearch.aisearch_service.AISearch._get_aisearch_services", + return_value={}, + ): + aisearch = AISearch(set_mocked_azure_provider()) + + aisearch.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + aisearch.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + result = aisearch._get_aisearch_services() + + mock_client.services.list_by_resource_group.assert_called_once_with( + resource_group_name=RESOURCE_GROUP + 
) + mock_client.services.list_by_subscription.assert_not_called() + assert ( + result[AZURE_SUBSCRIPTION_ID][AISEARCH_SERVICE_ID].public_network_access + is False + ) + + def test_get_aisearch_services_empty_resource_group_for_subscription(self): + mock_client = MagicMock() + + with patch( + "prowler.providers.azure.services.aisearch.aisearch_service.AISearch._get_aisearch_services", + return_value={}, + ): + aisearch = AISearch(set_mocked_azure_provider()) + + aisearch.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + aisearch.resource_groups = {AZURE_SUBSCRIPTION_ID: []} + + result = aisearch._get_aisearch_services() + + mock_client.services.list_by_resource_group.assert_not_called() + mock_client.services.list_by_subscription.assert_not_called() + assert result[AZURE_SUBSCRIPTION_ID] == {} + + def test_get_aisearch_services_with_multiple_resource_groups(self): + mock_client = MagicMock() + mock_client.services = MagicMock() + mock_client.services.list_by_resource_group.return_value = [] + + with patch( + "prowler.providers.azure.services.aisearch.aisearch_service.AISearch._get_aisearch_services", + return_value={}, + ): + aisearch = AISearch(set_mocked_azure_provider()) + + aisearch.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + aisearch.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST} + + result = aisearch._get_aisearch_services() + + assert mock_client.services.list_by_resource_group.call_count == 2 + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_aisearch_services_with_mixed_case_resource_group(self): + mock_client = MagicMock() + mock_client.services = MagicMock() + mock_client.services.list_by_resource_group.return_value = [] + + with patch( + "prowler.providers.azure.services.aisearch.aisearch_service.AISearch._get_aisearch_services", + return_value={}, + ): + aisearch = AISearch(set_mocked_azure_provider()) + + aisearch.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + aisearch.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]} + + 
aisearch._get_aisearch_services() + + mock_client.services.list_by_resource_group.assert_called_once_with( + resource_group_name="RG" + ) diff --git a/tests/providers/azure/services/aks/aks_service_test.py b/tests/providers/azure/services/aks/aks_service_test.py index 8644dcb03b..494c224b6b 100644 --- a/tests/providers/azure/services/aks/aks_service_test.py +++ b/tests/providers/azure/services/aks/aks_service_test.py @@ -1,8 +1,10 @@ -from unittest.mock import patch +from unittest.mock import MagicMock, patch from prowler.providers.azure.services.aks.aks_service import AKS, Cluster from tests.providers.azure.azure_fixtures import ( AZURE_SUBSCRIPTION_ID, + RESOURCE_GROUP, + RESOURCE_GROUP_LIST, set_mocked_azure_provider, ) 
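Review bot: `test_get_aisearch_services_with_mixed_case_resource_group` does not exercise any case handling: it stores `["RG"]` and asserts the SDK is called with `resource_group_name="RG"`, which is the same pass-through that `test_get_aisearch_services_with_resource_group` already covers. Case-insensitive matching is tested in `test_validate_resource_groups_mixed_case`, so either rename this test to say that the validated name is forwarded unchanged, or drop it. The same test shape recurs in the AKS, APIM, App and AppInsights test files in this patch. The multi-group tests likewise assert only `call_count == 2`; `assert_has_calls` with `call(resource_group_name="rg")` and `call(resource_group_name="rg2")` would pin which groups were actually queried.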
@@ -66,3 +68,128 @@ class Test_AKS_Service: aks.clusters[AZURE_SUBSCRIPTION_ID]["cluster_id-1"].location == "westeurope" ) assert aks.clusters[AZURE_SUBSCRIPTION_ID]["cluster_id-1"].rbac_enabled + + +class Test_AKS_get_clusters: + def test_get_clusters_no_resource_groups(self): + mock_cluster = MagicMock() + mock_cluster.id = "cluster_id-1" + mock_cluster.name = "cluster_name" + mock_cluster.fqdn = "public_fqdn" + mock_cluster.private_fqdn = "private_fqdn" + mock_cluster.location = "westeurope" + mock_cluster.kubernetes_version = "1.28.0" + mock_cluster.network_profile = None + mock_cluster.agent_pool_profiles = [] + mock_cluster.enable_rbac = False + + mock_client = MagicMock() + mock_client.managed_clusters.list.return_value = [mock_cluster] + + with patch( + "prowler.providers.azure.services.aks.aks_service.AKS._get_clusters", + return_value={}, + ): + aks = AKS(set_mocked_azure_provider()) + + aks.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + aks.resource_groups = None + + result = aks._get_clusters() + + mock_client.managed_clusters.list.assert_called_once() + mock_client.managed_clusters.list_by_resource_group.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + assert "cluster_id-1" in result[AZURE_SUBSCRIPTION_ID] + + def test_get_clusters_with_resource_group(self): + mock_cluster = MagicMock() + mock_cluster.id = "cluster_id-1" + mock_cluster.name = "cluster_name" + mock_cluster.fqdn = "public_fqdn" + mock_cluster.private_fqdn = "private_fqdn" + mock_cluster.location = "westeurope" + mock_cluster.kubernetes_version = "1.28.0" + mock_cluster.network_profile = None + mock_cluster.agent_pool_profiles = [] + mock_cluster.enable_rbac = False + + mock_client = MagicMock() + mock_client.managed_clusters.list_by_resource_group.return_value = [ + mock_cluster + ] + + with patch( + "prowler.providers.azure.services.aks.aks_service.AKS._get_clusters", + return_value={}, + ): + aks = AKS(set_mocked_azure_provider()) + + aks.clients = 
{AZURE_SUBSCRIPTION_ID: mock_client} + aks.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + result = aks._get_clusters() + + mock_client.managed_clusters.list_by_resource_group.assert_called_once_with( + resource_group_name=RESOURCE_GROUP + ) + mock_client.managed_clusters.list.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + assert "cluster_id-1" in result[AZURE_SUBSCRIPTION_ID] + + def test_get_clusters_empty_resource_group_for_subscription(self): + mock_client = MagicMock() + + with patch( + "prowler.providers.azure.services.aks.aks_service.AKS._get_clusters", + return_value={}, + ): + aks = AKS(set_mocked_azure_provider()) + + aks.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + aks.resource_groups = {AZURE_SUBSCRIPTION_ID: []} + + result = aks._get_clusters() + + mock_client.managed_clusters.list_by_resource_group.assert_not_called() + mock_client.managed_clusters.list.assert_not_called() + assert result[AZURE_SUBSCRIPTION_ID] == {} + + def test_get_clusters_with_multiple_resource_groups(self): + mock_client = MagicMock() + mock_client.managed_clusters = MagicMock() + mock_client.managed_clusters.list_by_resource_group.return_value = [] + + with patch( + "prowler.providers.azure.services.aks.aks_service.AKS._get_clusters", + return_value={}, + ): + aks = AKS(set_mocked_azure_provider()) + + aks.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + aks.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST} + + result = aks._get_clusters() + + assert mock_client.managed_clusters.list_by_resource_group.call_count == 2 + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_clusters_with_mixed_case_resource_group(self): + mock_client = MagicMock() + mock_client.managed_clusters = MagicMock() + mock_client.managed_clusters.list_by_resource_group.return_value = [] + + with patch( + "prowler.providers.azure.services.aks.aks_service.AKS._get_clusters", + return_value={}, + ): + aks = AKS(set_mocked_azure_provider()) + + aks.clients = 
{AZURE_SUBSCRIPTION_ID: mock_client} + aks.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]} + + aks._get_clusters() + + mock_client.managed_clusters.list_by_resource_group.assert_called_once_with( + resource_group_name="RG" + ) diff --git a/tests/providers/azure/services/apim/apim_service_test.py b/tests/providers/azure/services/apim/apim_service_test.py index f2141aee6b..cb78225e99 100644 --- a/tests/providers/azure/services/apim/apim_service_test.py +++ b/tests/providers/azure/services/apim/apim_service_test.py @@ -1,6 +1,6 @@ from datetime import timedelta from unittest import TestCase, mock -from unittest.mock import patch +from unittest.mock import MagicMock, patch from azure.mgmt.loganalytics.models import Workspace from azure.mgmt.monitor.models import DiagnosticSettingsResource @@ -9,6 +9,8 @@ from azure.monitor.query import LogsQueryResult from tests.providers.azure.azure_fixtures import ( AZURE_SUBSCRIPTION_ID, AZURE_SUBSCRIPTION_NAME, + RESOURCE_GROUP, + RESOURCE_GROUP_LIST, set_mocked_azure_provider, ) @@ -16,7 +18,6 @@ from tests.providers.azure.azure_fixtures import ( APIM_INSTANCE_ID = f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/resourceGroups/rg/providers/Microsoft.ApiManagement/service/apim1" APIM_INSTANCE_NAME = "apim1" LOCATION = "West US" -RESOURCE_GROUP = "rg" WORKSPACE_ID = f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/resourcegroups/rg/providers/microsoft.operationalinsights/workspaces/loganalytics" WORKSPACE_CUSTOMER_ID = "12345678-1234-1234-1234-1234567890ab" 
@@ -323,3 +324,168 @@ class Test_APIM_Service(TestCase): instance = apim.instances[AZURE_SUBSCRIPTION_ID][0] result = apim.get_llm_operations_logs(AZURE_SUBSCRIPTION_ID, instance) self.assertEqual(result, [{"log": "data"}]) + + +class Test_APIM_get_instances: + def test_get_instances_no_resource_groups(self): + mock_instance = MagicMock() + mock_instance.id = APIM_INSTANCE_ID + mock_instance.name = APIM_INSTANCE_NAME + mock_instance.location = LOCATION + + mock_client = MagicMock() + mock_client.api_management_service.list.return_value = [mock_instance] + + mock_provider = mock.MagicMock() + mock_provider.identity = mock.MagicMock() + with ( + patch( + "prowler.providers.azure.azure_provider.Provider.get_global_provider", + return_value=mock_provider, + ), + patch( + "prowler.providers.azure.services.apim.apim_service.APIM._get_instances", + return_value={}, + ), + ): + from prowler.providers.azure.services.apim.apim_service import APIM + + apim = APIM(set_mocked_azure_provider()) + + apim.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + apim.resource_groups = None + + with patch.object(apim, "_get_log_analytics_workspace_id", return_value=None): + result = apim._get_instances() + + mock_client.api_management_service.list.assert_called_once() + mock_client.api_management_service.list_by_resource_group.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + assert len(result[AZURE_SUBSCRIPTION_ID]) == 1 + assert result[AZURE_SUBSCRIPTION_ID][0].id == APIM_INSTANCE_ID + + def test_get_instances_with_resource_group(self): + mock_instance = MagicMock() + mock_instance.id = APIM_INSTANCE_ID + mock_instance.name = APIM_INSTANCE_NAME + mock_instance.location = LOCATION + + mock_client = MagicMock() + mock_client.api_management_service.list_by_resource_group.return_value = [ + mock_instance + ] + + mock_provider = mock.MagicMock() + mock_provider.identity = mock.MagicMock() + with ( + patch( + "prowler.providers.azure.azure_provider.Provider.get_global_provider", + 
return_value=mock_provider, + ), + patch( + "prowler.providers.azure.services.apim.apim_service.APIM._get_instances", + return_value={}, + ), + ): + from prowler.providers.azure.services.apim.apim_service import APIM + + apim = APIM(set_mocked_azure_provider()) + + apim.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + apim.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + with patch.object(apim, "_get_log_analytics_workspace_id", return_value=None): + result = apim._get_instances() + + mock_client.api_management_service.list_by_resource_group.assert_called_once_with( + resource_group_name=RESOURCE_GROUP + ) + mock_client.api_management_service.list.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + assert len(result[AZURE_SUBSCRIPTION_ID]) == 1 + assert result[AZURE_SUBSCRIPTION_ID][0].name == APIM_INSTANCE_NAME + + def test_get_instances_empty_resource_group_for_subscription(self): + mock_client = MagicMock() + + mock_provider = mock.MagicMock() + mock_provider.identity = mock.MagicMock() + with ( + patch( + "prowler.providers.azure.azure_provider.Provider.get_global_provider", + return_value=mock_provider, + ), + patch( + "prowler.providers.azure.services.apim.apim_service.APIM._get_instances", + return_value={}, + ), + ): + from prowler.providers.azure.services.apim.apim_service import APIM + + apim = APIM(set_mocked_azure_provider()) + + apim.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + apim.resource_groups = {AZURE_SUBSCRIPTION_ID: []} + + result = apim._get_instances() + + mock_client.api_management_service.list_by_resource_group.assert_not_called() + mock_client.api_management_service.list.assert_not_called() + assert result[AZURE_SUBSCRIPTION_ID] == [] + + def test_get_instances_with_multiple_resource_groups(self): + mock_client = MagicMock() + + mock_provider = mock.MagicMock() + mock_provider.identity = mock.MagicMock() + with ( + patch( + "prowler.providers.azure.azure_provider.Provider.get_global_provider", + 
return_value=mock_provider, + ), + patch( + "prowler.providers.azure.services.apim.apim_service.APIM._get_instances", + return_value={}, + ), + ): + from prowler.providers.azure.services.apim.apim_service import APIM + + apim = APIM(set_mocked_azure_provider()) + + apim.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + apim.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST} + + with patch.object(apim, "_get_log_analytics_workspace_id", return_value=None): + result = apim._get_instances() + + assert mock_client.api_management_service.list_by_resource_group.call_count == 2 + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_instances_with_mixed_case_resource_group(self): + mock_client = MagicMock() + + mock_provider = mock.MagicMock() + mock_provider.identity = mock.MagicMock() + with ( + patch( + "prowler.providers.azure.azure_provider.Provider.get_global_provider", + return_value=mock_provider, + ), + patch( + "prowler.providers.azure.services.apim.apim_service.APIM._get_instances", + return_value={}, + ), + ): + from prowler.providers.azure.services.apim.apim_service import APIM + + apim = APIM(set_mocked_azure_provider()) + + apim.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + apim.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]} + + with patch.object(apim, "_get_log_analytics_workspace_id", return_value=None): + apim._get_instances() + + mock_client.api_management_service.list_by_resource_group.assert_called_once_with( + resource_group_name="RG" + ) diff --git a/tests/providers/azure/services/app/app_service_test.py b/tests/providers/azure/services/app/app_service_test.py index cc33c662a1..8cbc5ad54f 100644 --- a/tests/providers/azure/services/app/app_service_test.py +++ b/tests/providers/azure/services/app/app_service_test.py 
@@ -5,6 +5,8 @@ from azure.mgmt.web.models import ManagedServiceIdentity, SiteConfigResource from tests.providers.azure.azure_fixtures import ( AZURE_SUBSCRIPTION_ID, + RESOURCE_GROUP, + RESOURCE_GROUP_LIST, set_mocked_azure_provider, ) 
@@ -244,3 +246,279 @@ class Test_App_Service: ].name == "functionapp-1" ) + + +class Test_App_get_apps: + def test_get_apps_no_resource_groups(self): + mock_client = MagicMock() + mock_client.web_apps.list.return_value = [] + + with ( + patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + patch( + "prowler.providers.azure.services.monitor.monitor_service.Monitor", + new=MagicMock(), + ), + ): + from prowler.providers.azure.services.app.app_service import App + + app = App(set_mocked_azure_provider()) + + app.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + app.resource_groups = None + + result = app._get_apps() + + mock_client.web_apps.list.assert_called_once() + mock_client.web_apps.list_by_resource_group.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_apps_with_resource_group(self): + mock_client = MagicMock() + mock_client.web_apps.list_by_resource_group.return_value = [] + + with ( + patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + patch( + "prowler.providers.azure.services.monitor.monitor_service.Monitor", + new=MagicMock(), + ), + ): + from prowler.providers.azure.services.app.app_service import App + + app = App(set_mocked_azure_provider()) + + app.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + app.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + result = app._get_apps() + + mock_client.web_apps.list_by_resource_group.assert_called_once_with( + resource_group_name=RESOURCE_GROUP + ) + mock_client.web_apps.list.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_apps_empty_resource_group_for_subscription(self): + mock_client = MagicMock() + + with ( + patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + patch( + 
"prowler.providers.azure.services.monitor.monitor_service.Monitor", + new=MagicMock(), + ), + ): + from prowler.providers.azure.services.app.app_service import App + + app = App(set_mocked_azure_provider()) + + app.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + app.resource_groups = {AZURE_SUBSCRIPTION_ID: []} + + result = app._get_apps() + + mock_client.web_apps.list_by_resource_group.assert_not_called() + mock_client.web_apps.list.assert_not_called() + assert result[AZURE_SUBSCRIPTION_ID] == {} + + +class Test_App_get_functions: + def test_get_functions_no_resource_groups(self): + mock_client = MagicMock() + mock_client.web_apps.list.return_value = [] + + with ( + patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + patch( + "prowler.providers.azure.services.monitor.monitor_service.Monitor", + new=MagicMock(), + ), + ): + from prowler.providers.azure.services.app.app_service import App + + app = App(set_mocked_azure_provider()) + + app.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + app.resource_groups = None + + result = app._get_functions() + + mock_client.web_apps.list.assert_called_once() + mock_client.web_apps.list_by_resource_group.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_functions_with_resource_group(self): + mock_client = MagicMock() + mock_client.web_apps.list_by_resource_group.return_value = [] + + with ( + patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + patch( + "prowler.providers.azure.services.monitor.monitor_service.Monitor", + new=MagicMock(), + ), + ): + from prowler.providers.azure.services.app.app_service import App + + app = App(set_mocked_azure_provider()) + + app.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + app.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + result = app._get_functions() + + 
mock_client.web_apps.list_by_resource_group.assert_called_once_with( + resource_group_name=RESOURCE_GROUP + ) + mock_client.web_apps.list.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_functions_empty_resource_group_for_subscription(self): + mock_client = MagicMock() + + with ( + patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + patch( + "prowler.providers.azure.services.monitor.monitor_service.Monitor", + new=MagicMock(), + ), + ): + from prowler.providers.azure.services.app.app_service import App + + app = App(set_mocked_azure_provider()) + + app.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + app.resource_groups = {AZURE_SUBSCRIPTION_ID: []} + + result = app._get_functions() + + mock_client.web_apps.list_by_resource_group.assert_not_called() + mock_client.web_apps.list.assert_not_called() + assert result[AZURE_SUBSCRIPTION_ID] == {} + + def test_get_apps_with_multiple_resource_groups(self): + mock_client = MagicMock() + mock_client.web_apps.list_by_resource_group.return_value = [] + + with ( + patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + patch( + "prowler.providers.azure.services.monitor.monitor_service.Monitor", + new=MagicMock(), + ), + ): + from prowler.providers.azure.services.app.app_service import App + + app = App(set_mocked_azure_provider()) + + app.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + app.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST} + + result = app._get_apps() + + assert mock_client.web_apps.list_by_resource_group.call_count == 2 + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_apps_with_mixed_case_resource_group(self): + mock_client = MagicMock() + mock_client.web_apps.list_by_resource_group.return_value = [] + + with ( + patch( + "prowler.providers.common.provider.Provider.get_global_provider", + 
return_value=set_mocked_azure_provider(), + ), + patch( + "prowler.providers.azure.services.monitor.monitor_service.Monitor", + new=MagicMock(), + ), + ): + from prowler.providers.azure.services.app.app_service import App + + app = App(set_mocked_azure_provider()) + + app.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + app.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]} + + app._get_apps() + + mock_client.web_apps.list_by_resource_group.assert_called_once_with( + resource_group_name="RG" + ) + + +class Test_App_get_functions_extra: + def test_get_functions_with_multiple_resource_groups(self): + mock_client = MagicMock() + mock_client.web_apps.list_by_resource_group.return_value = [] + + with ( + patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + patch( + "prowler.providers.azure.services.monitor.monitor_service.Monitor", + new=MagicMock(), + ), + ): + from prowler.providers.azure.services.app.app_service import App + + app = App(set_mocked_azure_provider()) + + app.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + app.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST} + + result = app._get_functions() + + assert mock_client.web_apps.list_by_resource_group.call_count == 2 + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_functions_with_mixed_case_resource_group(self): + mock_client = MagicMock() + mock_client.web_apps.list_by_resource_group.return_value = [] + + with ( + patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + patch( + "prowler.providers.azure.services.monitor.monitor_service.Monitor", + new=MagicMock(), + ), + ): + from prowler.providers.azure.services.app.app_service import App + + app = App(set_mocked_azure_provider()) + + app.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + app.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]} + + app._get_functions() + + 
mock_client.web_apps.list_by_resource_group.assert_called_once_with( + resource_group_name="RG" + ) diff --git a/tests/providers/azure/services/appinsights/appinsights_service_test.py b/tests/providers/azure/services/appinsights/appinsights_service_test.py index 6d821ff3e6..7a0c80acc6 100644 --- a/tests/providers/azure/services/appinsights/appinsights_service_test.py +++ b/tests/providers/azure/services/appinsights/appinsights_service_test.py @@ -1,4 +1,4 @@ -from unittest.mock import patch +from unittest.mock import MagicMock, patch from prowler.providers.azure.services.appinsights.appinsights_service import ( AppInsights, @@ -6,6 +6,8 @@ from prowler.providers.azure.services.appinsights.appinsights_service import ( ) from tests.providers.azure.azure_fixtures import ( AZURE_SUBSCRIPTION_ID, + RESOURCE_GROUP, + RESOURCE_GROUP_LIST, set_mocked_azure_provider, ) 
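Review bot: `test_get_apps_with_multiple_resource_groups` and `test_get_apps_with_mixed_case_resource_group` are defined inside `Test_App_get_functions`, after the `_get_functions` tests, although both call `app._get_apps()`. The matching `_get_functions` tests then land in a separate `Test_App_get_functions_extra` class. Moving the two `_get_apps` tests into `Test_App_get_apps` and folding `Test_App_get_functions_extra` into `Test_App_get_functions` keeps each class about one method. Every test in this hunk also repeats the same two-patch `with` block and `App(set_mocked_azure_provider())` construction, which a small helper such as `_build_app(resource_groups)` would remove.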
@@ -54,3 +56,121 @@ class Test_AppInsights_Service: appinsights.components[AZURE_SUBSCRIPTION_ID]["app_id-1"].location == "westeurope" ) + + +class Test_AppInsights_get_components: + def test_get_components_no_resource_groups(self): + mock_component = MagicMock() + mock_component.app_id = "comp-app-id" + mock_component.id = "/subscriptions/sub/rg/appinsights" + mock_component.name = "ai-component" + mock_component.location = "westeurope" + mock_component.instrumentation_key = "ikey-123" + + mock_client = MagicMock() + mock_client.components = MagicMock() + mock_client.components.list.return_value = [mock_component] + + with patch( + "prowler.providers.azure.services.appinsights.appinsights_service.AppInsights._get_components", + return_value={}, + ): + app_insights = AppInsights(set_mocked_azure_provider()) + + app_insights.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + app_insights.resource_groups = None + + result = app_insights._get_components() + + mock_client.components.list.assert_called_once() + mock_client.components.list_by_resource_group.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + assert "comp-app-id" in result[AZURE_SUBSCRIPTION_ID] + + def test_get_components_with_resource_group(self): + mock_component = MagicMock() + mock_component.app_id = "comp-app-id" + mock_component.id = "/subscriptions/sub/rg/appinsights" + mock_component.name = "ai-component" + mock_component.location = "westeurope" + mock_component.instrumentation_key = "ikey-123" + + mock_client = MagicMock() + mock_client.components = MagicMock() + mock_client.components.list_by_resource_group.return_value = [mock_component] + + with patch( + "prowler.providers.azure.services.appinsights.appinsights_service.AppInsights._get_components", + return_value={}, + ): + app_insights = AppInsights(set_mocked_azure_provider()) + + app_insights.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + app_insights.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + result = 
app_insights._get_components() + + mock_client.components.list_by_resource_group.assert_called_once_with( + resource_group_name=RESOURCE_GROUP + ) + mock_client.components.list.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + assert "comp-app-id" in result[AZURE_SUBSCRIPTION_ID] + + def test_get_components_empty_resource_group_for_subscription(self): + mock_client = MagicMock() + mock_client.components = MagicMock() + + with patch( + "prowler.providers.azure.services.appinsights.appinsights_service.AppInsights._get_components", + return_value={}, + ): + app_insights = AppInsights(set_mocked_azure_provider()) + + app_insights.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + app_insights.resource_groups = {AZURE_SUBSCRIPTION_ID: []} + + result = app_insights._get_components() + + mock_client.components.list_by_resource_group.assert_not_called() + mock_client.components.list.assert_not_called() + assert result[AZURE_SUBSCRIPTION_ID] == {} + + def test_get_components_with_multiple_resource_groups(self): + mock_client = MagicMock() + mock_client.components = MagicMock() + mock_client.components.list_by_resource_group.return_value = [] + + with patch( + "prowler.providers.azure.services.appinsights.appinsights_service.AppInsights._get_components", + return_value={}, + ): + app_insights = AppInsights(set_mocked_azure_provider()) + + app_insights.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + app_insights.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST} + + result = app_insights._get_components() + + assert mock_client.components.list_by_resource_group.call_count == 2 + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_components_with_mixed_case_resource_group(self): + mock_client = MagicMock() + mock_client.components = MagicMock() + mock_client.components.list_by_resource_group.return_value = [] + + with patch( + "prowler.providers.azure.services.appinsights.appinsights_service.AppInsights._get_components", + return_value={}, + ): + 
app_insights = AppInsights(set_mocked_azure_provider()) + + app_insights.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + app_insights.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]} + + app_insights._get_components() + + mock_client.components.list_by_resource_group.assert_called_once_with( + resource_group_name="RG" + ) diff --git a/tests/providers/azure/services/containerregistry/containerregistry_service_test.py b/tests/providers/azure/services/containerregistry/containerregistry_service_test.py index 3e4a02406e..c3468ca086 100644 --- a/tests/providers/azure/services/containerregistry/containerregistry_service_test.py +++ b/tests/providers/azure/services/containerregistry/containerregistry_service_test.py @@ -3,6 +3,8 @@ from uuid import uuid4 from tests.providers.azure.azure_fixtures import ( AZURE_SUBSCRIPTION_ID, + RESOURCE_GROUP, + RESOURCE_GROUP_LIST, set_mocked_azure_provider, ) 
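Review bot: Two of the new tests in `Test_AppInsights_get_components` (appinsights_service_test.py) assert less than their names promise: `test_get_components_with_multiple_resource_groups` checks only `call_count == 2`, and `test_get_components_with_mixed_case_resource_group` configures `["RG"]`, which contains a single case. For a filter that decides what a scan covers, the first should pin the requested names, e.g. `assert {c.kwargs["resource_group_name"] for c in mock_client.components.list_by_resource_group.call_args_list} == set(RESOURCE_GROUP_LIST)` followed by `mock_client.components.list.assert_not_called()`. The second should use a name with both cases (the container registry test uses `"MyRegistry-RG"`) so that case folding in either direction fails the assertion. The literal `2` also depends on the length of `RESOURCE_GROUP_LIST`, which is defined outside this hunk. The cosmosdb and databricks hunks repeat both patterns.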
@@ -89,3 +91,208 @@ class TestContainerRegistryService: assert monitor_setting["logs"][0]["enabled"] is True assert monitor_setting["logs"][1]["category"] == "AdminLogs" assert monitor_setting["logs"][1]["enabled"] is False + + +class Test_ContainerRegistry_get_registries: + def test_get_container_registries_no_resource_groups(self): + from unittest.mock import MagicMock, patch + + mock_client = MagicMock() + mock_client.registries.list.return_value = [] + + mock_provider = MagicMock() + mock_provider.identity = MagicMock() + with ( + patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=mock_provider, + ), + patch( + "prowler.providers.azure.services.monitor.monitor_service.Monitor", + new=MagicMock(), + ), + patch( + "prowler.providers.azure.services.containerregistry.containerregistry_service.ContainerRegistry._get_container_registries", + return_value={}, + ), + ): + from prowler.providers.azure.services.containerregistry.containerregistry_service import ( + ContainerRegistry, + ) + + cr = ContainerRegistry(set_mocked_azure_provider()) + + cr.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + cr.resource_groups = None + + with patch( + "prowler.providers.azure.services.containerregistry.containerregistry_service.monitor_client" + ): + result = cr._get_container_registries() + + mock_client.registries.list.assert_called_once() + mock_client.registries.list_by_resource_group.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_container_registries_with_resource_group(self): + from unittest.mock import MagicMock, patch + + mock_client = MagicMock() + mock_client.registries.list_by_resource_group.return_value = [] + + mock_provider = MagicMock() + mock_provider.identity = MagicMock() + with ( + patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=mock_provider, + ), + patch( + "prowler.providers.azure.services.monitor.monitor_service.Monitor", + new=MagicMock(), + ), + 
patch( + "prowler.providers.azure.services.containerregistry.containerregistry_service.ContainerRegistry._get_container_registries", + return_value={}, + ), + ): + from prowler.providers.azure.services.containerregistry.containerregistry_service import ( + ContainerRegistry, + ) + + cr = ContainerRegistry(set_mocked_azure_provider()) + + cr.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + cr.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + with patch( + "prowler.providers.azure.services.containerregistry.containerregistry_service.monitor_client" + ): + result = cr._get_container_registries() + + mock_client.registries.list_by_resource_group.assert_called_once_with( + resource_group_name=RESOURCE_GROUP + ) + mock_client.registries.list.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_container_registries_empty_resource_group_for_subscription(self): + from unittest.mock import MagicMock, patch + + mock_client = MagicMock() + + mock_provider = MagicMock() + mock_provider.identity = MagicMock() + with ( + patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=mock_provider, + ), + patch( + "prowler.providers.azure.services.monitor.monitor_service.Monitor", + new=MagicMock(), + ), + patch( + "prowler.providers.azure.services.containerregistry.containerregistry_service.ContainerRegistry._get_container_registries", + return_value={}, + ), + ): + from prowler.providers.azure.services.containerregistry.containerregistry_service import ( + ContainerRegistry, + ) + + cr = ContainerRegistry(set_mocked_azure_provider()) + + cr.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + cr.resource_groups = {AZURE_SUBSCRIPTION_ID: []} + + with patch( + "prowler.providers.azure.services.containerregistry.containerregistry_service.monitor_client" + ): + result = cr._get_container_registries() + + mock_client.registries.list_by_resource_group.assert_not_called() + mock_client.registries.list.assert_not_called() + 
assert result[AZURE_SUBSCRIPTION_ID] == {} + + def test_get_container_registries_with_multiple_resource_groups(self): + from unittest.mock import MagicMock, patch + + mock_client = MagicMock() + mock_client.registries.list_by_resource_group.return_value = [] + + mock_provider = MagicMock() + mock_provider.identity = MagicMock() + with ( + patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=mock_provider, + ), + patch( + "prowler.providers.azure.services.monitor.monitor_service.Monitor", + new=MagicMock(), + ), + patch( + "prowler.providers.azure.services.containerregistry.containerregistry_service.ContainerRegistry._get_container_registries", + return_value={}, + ), + ): + from prowler.providers.azure.services.containerregistry.containerregistry_service import ( + ContainerRegistry, + ) + + cr = ContainerRegistry(set_mocked_azure_provider()) + + cr.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + cr.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST} + + with patch( + "prowler.providers.azure.services.containerregistry.containerregistry_service.monitor_client" + ): + result = cr._get_container_registries() + + assert mock_client.registries.list_by_resource_group.call_count == len( + RESOURCE_GROUP_LIST + ) + mock_client.registries.list.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_container_registries_with_mixed_case_resource_group(self): + from unittest.mock import MagicMock, patch + + mock_client = MagicMock() + mock_client.registries.list_by_resource_group.return_value = [] + + mock_provider = MagicMock() + mock_provider.identity = MagicMock() + with ( + patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=mock_provider, + ), + patch( + "prowler.providers.azure.services.monitor.monitor_service.Monitor", + new=MagicMock(), + ), + patch( + 
"prowler.providers.azure.services.containerregistry.containerregistry_service.ContainerRegistry._get_container_registries", + return_value={}, + ), + ): + from prowler.providers.azure.services.containerregistry.containerregistry_service import ( + ContainerRegistry, + ) + + cr = ContainerRegistry(set_mocked_azure_provider()) + + cr.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + cr.resource_groups = {AZURE_SUBSCRIPTION_ID: ["MyRegistry-RG"]} + + with patch( + "prowler.providers.azure.services.containerregistry.containerregistry_service.monitor_client" + ): + cr._get_container_registries() + + mock_client.registries.list_by_resource_group.assert_called_once_with( + resource_group_name="MyRegistry-RG" + ) diff --git a/tests/providers/azure/services/cosmosdb/cosmosdb_service_test.py b/tests/providers/azure/services/cosmosdb/cosmosdb_service_test.py index 09293d7dcd..b1cc8d0e1b 100644 --- a/tests/providers/azure/services/cosmosdb/cosmosdb_service_test.py +++ b/tests/providers/azure/services/cosmosdb/cosmosdb_service_test.py @@ -1,8 +1,10 @@ -from unittest.mock import patch +from unittest.mock import MagicMock, patch from prowler.providers.azure.services.cosmosdb.cosmosdb_service import Account, CosmosDB from tests.providers.azure.azure_fixtures import ( AZURE_SUBSCRIPTION_ID, + RESOURCE_GROUP, + RESOURCE_GROUP_LIST, set_mocked_azure_provider, ) 
@@ -133,3 +135,114 @@ class Test_CosmosDB_Service_None_Handling: == "Microsoft.Network/privateEndpoints" ) assert account.disable_local_auth is True + + +class Test_CosmosDB_get_accounts: + def test_get_accounts_no_resource_groups(self): + mock_client = MagicMock() + mock_client.database_accounts.list.return_value = [] + + with patch( + "prowler.providers.azure.services.cosmosdb.cosmosdb_service.CosmosDB._get_accounts", + return_value={}, + ): + cosmosdb = CosmosDB(set_mocked_azure_provider()) + + cosmosdb.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + cosmosdb.resource_groups = None + + result = cosmosdb._get_accounts() + + mock_client.database_accounts.list.assert_called_once() + mock_client.database_accounts.list_by_resource_group.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_accounts_with_resource_group(self): + mock_account = MagicMock() + mock_account.id = "account-id" + mock_account.name = "my-cosmos" + mock_account.kind = "GlobalDocumentDB" + mock_account.location = "eastus" + mock_account.type = "Microsoft.DocumentDB/databaseAccounts" + mock_account.tags = {} + mock_account.is_virtual_network_filter_enabled = False + mock_account.private_endpoint_connections = [] + mock_account.disable_local_auth = False + + mock_client = MagicMock() + mock_client.database_accounts.list_by_resource_group.return_value = [ + mock_account + ] + + with patch( + "prowler.providers.azure.services.cosmosdb.cosmosdb_service.CosmosDB._get_accounts", + return_value={}, + ): + cosmosdb = CosmosDB(set_mocked_azure_provider()) + + cosmosdb.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + cosmosdb.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + result = cosmosdb._get_accounts() + + mock_client.database_accounts.list_by_resource_group.assert_called_once_with( + resource_group_name=RESOURCE_GROUP + ) + mock_client.database_accounts.list.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + assert len(result[AZURE_SUBSCRIPTION_ID]) 
== 1
+
+ def test_get_accounts_empty_resource_group_for_subscription(self):
+ mock_client = MagicMock()
+
+ with patch(
+ "prowler.providers.azure.services.cosmosdb.cosmosdb_service.CosmosDB._get_accounts",
+ return_value={},
+ ):
+ cosmosdb = CosmosDB(set_mocked_azure_provider())
+
+ cosmosdb.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ cosmosdb.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
+
+ result = cosmosdb._get_accounts()
+
+ mock_client.database_accounts.list_by_resource_group.assert_not_called()
+ mock_client.database_accounts.list.assert_not_called()
+ assert result[AZURE_SUBSCRIPTION_ID] == []
+
+ def test_get_accounts_with_multiple_resource_groups(self):
+ mock_client = MagicMock()
+ mock_client.database_accounts.list_by_resource_group.return_value = []
+
+ with patch(
+ "prowler.providers.azure.services.cosmosdb.cosmosdb_service.CosmosDB._get_accounts",
+ return_value={},
+ ):
+ cosmosdb = CosmosDB(set_mocked_azure_provider())
+
+ cosmosdb.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ cosmosdb.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
+
+ result = cosmosdb._get_accounts()
+
+ assert mock_client.database_accounts.list_by_resource_group.call_count == 2
+ assert AZURE_SUBSCRIPTION_ID in result
+
+ def test_get_accounts_with_mixed_case_resource_group(self):
+ mock_client = MagicMock()
+ mock_client.database_accounts.list_by_resource_group.return_value = []
+
+ with patch(
+ "prowler.providers.azure.services.cosmosdb.cosmosdb_service.CosmosDB._get_accounts",
+ return_value={},
+ ):
+ cosmosdb = CosmosDB(set_mocked_azure_provider())
+
+ cosmosdb.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ cosmosdb.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
+
+ cosmosdb._get_accounts()
+
+ mock_client.database_accounts.list_by_resource_group.assert_called_once_with(
+ resource_group_name="RG"
+ )
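Review bot: `Test_CosmosDB_get_accounts` would benefit from a class docstring, because the three states of `resource_groups` that its tests depend on are only visible by reading all five bodies. Something like `"""resource_groups None: database_accounts.list; {sub: []}: no listing call and an empty result; {sub: [names]}: one list_by_resource_group call per name."""` covers it. The distinction between `None` and an empty list is worth stating explicitly, since the empty list returns no accounts for the subscription instead of falling back to a subscription-wide listing. The other new service test classes in this commit (appinsights, container registry, databricks) could carry the same sentence.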
diff --git a/tests/providers/azure/services/databricks/databricks_service_test.py b/tests/providers/azure/services/databricks/databricks_service_test.py index f663d81fe2..669558f0e0 100644 --- a/tests/providers/azure/services/databricks/databricks_service_test.py +++ b/tests/providers/azure/services/databricks/databricks_service_test.py @@ -1,4 +1,4 @@ -from unittest.mock import patch +from unittest.mock import MagicMock, patch from prowler.providers.azure.services.databricks.databricks_service import ( Databricks, @@ -7,6 +7,8 @@ from prowler.providers.azure.services.databricks.databricks_service import ( ) from tests.providers.azure.azure_fixtures import ( AZURE_SUBSCRIPTION_ID, + RESOURCE_GROUP, + RESOURCE_GROUP_LIST, set_mocked_azure_provider, ) 
@@ -94,3 +96,123 @@ class Test_Databricks_Service_No_Encryption: assert workspace.location == "eastus" assert workspace.custom_managed_vnet_id == "test-vnet-id" assert workspace.managed_disk_encryption is None + + +class Test_Databricks_get_workspaces: + def test_get_workspaces_no_resource_groups(self): + mock_workspace = MagicMock() + mock_workspace.id = "ws-id-1" + mock_workspace.name = "my-workspace" + mock_workspace.location = "eastus" + mock_workspace.parameters = None + mock_workspace.encryption = None + mock_workspace.public_network_access = None + + mock_client = MagicMock() + mock_client.workspaces = MagicMock() + mock_client.workspaces.list_by_subscription.return_value = [mock_workspace] + + with patch( + "prowler.providers.azure.services.databricks.databricks_service.Databricks._get_workspaces", + return_value={}, + ): + databricks = Databricks(set_mocked_azure_provider()) + + databricks.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + databricks.resource_groups = None + + result = databricks._get_workspaces() + + mock_client.workspaces.list_by_subscription.assert_called_once() + mock_client.workspaces.list_by_resource_group.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + assert "ws-id-1" in result[AZURE_SUBSCRIPTION_ID] + + def test_get_workspaces_with_resource_group(self): + mock_workspace = MagicMock() + mock_workspace.id = "ws-id-1" + mock_workspace.name = "my-workspace" + mock_workspace.location = "eastus" + mock_workspace.parameters = None + mock_workspace.encryption = None + mock_workspace.public_network_access = None + + mock_client = MagicMock() + mock_client.workspaces = MagicMock() + mock_client.workspaces.list_by_resource_group.return_value = [mock_workspace] + + with patch( + "prowler.providers.azure.services.databricks.databricks_service.Databricks._get_workspaces", + return_value={}, + ): + databricks = Databricks(set_mocked_azure_provider()) + + databricks.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + 
databricks.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + result = databricks._get_workspaces() + + mock_client.workspaces.list_by_resource_group.assert_called_once_with( + resource_group_name=RESOURCE_GROUP + ) + mock_client.workspaces.list_by_subscription.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + assert "ws-id-1" in result[AZURE_SUBSCRIPTION_ID] + + def test_get_workspaces_empty_resource_group_for_subscription(self): + mock_client = MagicMock() + mock_client.workspaces = MagicMock() + + with patch( + "prowler.providers.azure.services.databricks.databricks_service.Databricks._get_workspaces", + return_value={}, + ): + databricks = Databricks(set_mocked_azure_provider()) + + databricks.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + databricks.resource_groups = {AZURE_SUBSCRIPTION_ID: []} + + result = databricks._get_workspaces() + + mock_client.workspaces.list_by_resource_group.assert_not_called() + mock_client.workspaces.list_by_subscription.assert_not_called() + assert result[AZURE_SUBSCRIPTION_ID] == {} + + def test_get_workspaces_with_multiple_resource_groups(self): + mock_client = MagicMock() + mock_client.workspaces = MagicMock() + mock_client.workspaces.list_by_resource_group.return_value = [] + + with patch( + "prowler.providers.azure.services.databricks.databricks_service.Databricks._get_workspaces", + return_value={}, + ): + databricks = Databricks(set_mocked_azure_provider()) + + databricks.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + databricks.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST} + + result = databricks._get_workspaces() + + assert mock_client.workspaces.list_by_resource_group.call_count == 2 + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_workspaces_with_mixed_case_resource_group(self): + mock_client = MagicMock() + mock_client.workspaces = MagicMock() + mock_client.workspaces.list_by_resource_group.return_value = [] + + with patch( + 
"prowler.providers.azure.services.databricks.databricks_service.Databricks._get_workspaces", + return_value={}, + ): + databricks = Databricks(set_mocked_azure_provider()) + + databricks.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + databricks.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]} + + databricks._get_workspaces() + + mock_client.workspaces.list_by_resource_group.assert_called_once_with( + resource_group_name="RG" + ) diff --git a/tests/providers/azure/services/defender/defender_additional_email_configured_with_a_security_contact/defender_additional_email_configured_with_a_security_contact_test.py b/tests/providers/azure/services/defender/defender_additional_email_configured_with_a_security_contact/defender_additional_email_configured_with_a_security_contact_test.py index 75f3d5014a..8a57fa0fcb 100644 --- a/tests/providers/azure/services/defender/defender_additional_email_configured_with_a_security_contact/defender_additional_email_configured_with_a_security_contact_test.py +++ b/tests/providers/azure/services/defender/defender_additional_email_configured_with_a_security_contact/defender_additional_email_configured_with_a_security_contact_test.py @@ -16,6 +16,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_additional_email_configured_with_a_security_contact: def test_defender_no_subscriptions(self): defender_client = mock.MagicMock() + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.security_contact_configurations = {} @@ -40,6 +41,7 @@ class Test_defender_additional_email_configured_with_a_security_contact: def test_defender_no_additional_emails(self): resource_id = str(uuid4()) defender_client = mock.MagicMock() + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.security_contact_configurations = { AZURE_SUBSCRIPTION_ID: { 
@@ -87,6 +89,7 @@ class Test_defender_additional_email_configured_with_a_security_contact: def test_defender_additional_email_configured(self): resource_id = str(uuid4()) defender_client = mock.MagicMock() + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.security_contact_configurations = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_assessments_vm_endpoint_protection_installed/defender_assessments_vm_endpoint_protection_installed_test.py b/tests/providers/azure/services/defender/defender_assessments_vm_endpoint_protection_installed/defender_assessments_vm_endpoint_protection_installed_test.py index 1e567ac153..e9030a2a52 100644 --- a/tests/providers/azure/services/defender/defender_assessments_vm_endpoint_protection_installed/defender_assessments_vm_endpoint_protection_installed_test.py +++ b/tests/providers/azure/services/defender/defender_assessments_vm_endpoint_protection_installed/defender_assessments_vm_endpoint_protection_installed_test.py @@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_assessments_vm_endpoint_protection_installed: def test_defender_no_subscriptions(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.assessments = {} @@ -36,6 +37,7 @@ class Test_defender_assessments_vm_endpoint_protection_installed: def test_defender_subscriptions_with_no_assessments(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.assessments = {AZURE_SUBSCRIPTION_ID: {}} 
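Review bot: In defender_assessments_vm_endpoint_protection_installed_test.py the added `defender_client.resource_groups = {}` is an assignment on the `MagicMock` class itself, because the context line above it reads `defender_client = mock.MagicMock` without parentheses. A class attribute persists for the rest of the test process and is returned by every later `MagicMock()` instance that does not set its own `resource_groups`, so a test elsewhere that forgets to configure the scan scope can pass against this leaked `{}` instead of failing. Changing the context line to `defender_client = mock.MagicMock()` in each test confines the attribute to one instance; the test bodies continue outside the hunks, so the remaining assignments there would need the same check. The same pattern is in all four hunks of this file and in the hunks for defender_auto_provisioning_log_analytics_agent_vms_on, defender_auto_provisioning_vulnerabilty_assessments_machines_on, defender_container_images_resolved_vulnerabilities and defender_container_images_scan_enabled, while the defender_additional_email and defender_attack_path hunks already instantiate the mock.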
@@ -59,6 +61,7 @@ class Test_defender_assessments_vm_endpoint_protection_installed: def test_defender_subscriptions_with_healthy_assessments(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} resource_id = str(uuid4()) defender_client.assessments = { @@ -98,6 +101,7 @@ class Test_defender_assessments_vm_endpoint_protection_installed: def test_defender_subscriptions_with_unhealthy_assessments(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} resource_id = str(uuid4()) defender_client.assessments = { diff --git a/tests/providers/azure/services/defender/defender_attack_path_notifications_properly_configured/defender_attack_path_notifications_properly_configured_test.py b/tests/providers/azure/services/defender/defender_attack_path_notifications_properly_configured/defender_attack_path_notifications_properly_configured_test.py index ebece2e029..220fbbf4bf 100644 --- a/tests/providers/azure/services/defender/defender_attack_path_notifications_properly_configured/defender_attack_path_notifications_properly_configured_test.py +++ b/tests/providers/azure/services/defender/defender_attack_path_notifications_properly_configured/defender_attack_path_notifications_properly_configured_test.py @@ -16,6 +16,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_attack_path_notifications_properly_configured: def test_no_subscriptions(self): defender_client = mock.MagicMock() + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.security_contact_configurations = {} defender_client.audit_config = {} 
@@ -41,6 +42,7 @@ class Test_defender_attack_path_notifications_properly_configured: resource_id = str(uuid4()) contact_name = "default" defender_client = mock.MagicMock() + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.security_contact_configurations = { AZURE_SUBSCRIPTION_ID: { @@ -89,6 +91,7 @@ class Test_defender_attack_path_notifications_properly_configured: resource_id = str(uuid4()) contact_name = "default" defender_client = mock.MagicMock() + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.security_contact_configurations = { AZURE_SUBSCRIPTION_ID: { @@ -139,6 +142,7 @@ class Test_defender_attack_path_notifications_properly_configured: resource_id = str(uuid4()) contact_name = "default" defender_client = mock.MagicMock() + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.security_contact_configurations = { AZURE_SUBSCRIPTION_ID: { @@ -189,6 +193,7 @@ class Test_defender_attack_path_notifications_properly_configured: resource_id = str(uuid4()) contact_name = "default" defender_client = mock.MagicMock() + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.security_contact_configurations = { AZURE_SUBSCRIPTION_ID: { @@ -237,6 +242,7 @@ class Test_defender_attack_path_notifications_properly_configured: resource_id = str(uuid4()) contact_name = "default" defender_client = mock.MagicMock() + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.security_contact_configurations = { AZURE_SUBSCRIPTION_ID: { 
@@ -285,6 +291,7 @@ class Test_defender_attack_path_notifications_properly_configured: resource_id = str(uuid4()) contact_name = "default" defender_client = mock.MagicMock() + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.security_contact_configurations = { AZURE_SUBSCRIPTION_ID: { @@ -333,6 +340,7 @@ class Test_defender_attack_path_notifications_properly_configured: resource_id = str(uuid4()) contact_name = "default" defender_client = mock.MagicMock() + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.security_contact_configurations = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_auto_provisioning_log_analytics_agent_vms_on/defender_auto_provisioning_log_analytics_agent_vms_on_test.py b/tests/providers/azure/services/defender/defender_auto_provisioning_log_analytics_agent_vms_on/defender_auto_provisioning_log_analytics_agent_vms_on_test.py index 9a99281e94..bfc540f0eb 100644 --- a/tests/providers/azure/services/defender/defender_auto_provisioning_log_analytics_agent_vms_on/defender_auto_provisioning_log_analytics_agent_vms_on_test.py +++ b/tests/providers/azure/services/defender/defender_auto_provisioning_log_analytics_agent_vms_on/defender_auto_provisioning_log_analytics_agent_vms_on_test.py @@ -15,6 +15,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_auto_provisioning_log_analytics_agent_vms_on: def test_defender_no_app_services(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.auto_provisioning_settings = {} 
@@ -39,6 +40,7 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on: def test_defender_auto_provisioning_log_analytics_off(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.auto_provisioning_settings = { AZURE_SUBSCRIPTION_ID: { @@ -80,6 +82,7 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on: def test_defender_auto_provisioning_log_analytics_on(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.auto_provisioning_settings = { AZURE_SUBSCRIPTION_ID: { @@ -121,6 +124,7 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on: def test_defender_auto_provisioning_log_analytics_on_and_off(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.auto_provisioning_settings = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_auto_provisioning_vulnerabilty_assessments_machines_on/defender_auto_provisioning_vulnerabilty_assessments_machines_on_test.py b/tests/providers/azure/services/defender/defender_auto_provisioning_vulnerabilty_assessments_machines_on/defender_auto_provisioning_vulnerabilty_assessments_machines_on_test.py index eeddb61012..b5cf053127 100644 --- a/tests/providers/azure/services/defender/defender_auto_provisioning_vulnerabilty_assessments_machines_on/defender_auto_provisioning_vulnerabilty_assessments_machines_on_test.py +++ b/tests/providers/azure/services/defender/defender_auto_provisioning_vulnerabilty_assessments_machines_on/defender_auto_provisioning_vulnerabilty_assessments_machines_on_test.py 
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on: def test_defender_no_app_services(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.assessments = {} @@ -37,6 +38,7 @@ class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on: def test_defender_machines_no_vulnerability_assessment_solution(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.assessments = { AZURE_SUBSCRIPTION_ID: { @@ -77,6 +79,7 @@ class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on: def test_defender_machines_vulnerability_assessment_solution(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.assessments = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_container_images_resolved_vulnerabilities/defender_container_images_resolved_vulnerabilities_test.py b/tests/providers/azure/services/defender/defender_container_images_resolved_vulnerabilities/defender_container_images_resolved_vulnerabilities_test.py index 510a995692..3eb5ffd4a5 100644 --- a/tests/providers/azure/services/defender/defender_container_images_resolved_vulnerabilities/defender_container_images_resolved_vulnerabilities_test.py +++ b/tests/providers/azure/services/defender/defender_container_images_resolved_vulnerabilities/defender_container_images_resolved_vulnerabilities_test.py 
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_container_images_resolved_vulnerabilities: def test_defender_no_subscriptions(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.assessments = {} @@ -36,6 +37,7 @@ class Test_defender_container_images_resolved_vulnerabilities: def test_defender_subscription_empty(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.assessments = {AZURE_SUBSCRIPTION_ID: {}} @@ -59,6 +61,7 @@ class Test_defender_container_images_resolved_vulnerabilities: def test_defender_subscription_no_assesment(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.assessments = { AZURE_SUBSCRIPTION_ID: { @@ -90,6 +93,7 @@ class Test_defender_container_images_resolved_vulnerabilities: def test_defender_subscription_assesment_unhealthy(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.assessments = { AZURE_SUBSCRIPTION_ID: { @@ -139,6 +143,7 @@ class Test_defender_container_images_resolved_vulnerabilities: def test_defender_subscription_assesment_healthy(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.assessments = { AZURE_SUBSCRIPTION_ID: { 
@@ -188,6 +193,7 @@ class Test_defender_container_images_resolved_vulnerabilities: def test_defender_subscription_assesment_not_applicable(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.assessments = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_container_images_scan_enabled/defender_container_images_scan_enabled_test.py b/tests/providers/azure/services/defender/defender_container_images_scan_enabled/defender_container_images_scan_enabled_test.py index 977ee8acdb..63e89a844a 100644 --- a/tests/providers/azure/services/defender/defender_container_images_scan_enabled/defender_container_images_scan_enabled_test.py +++ b/tests/providers/azure/services/defender/defender_container_images_scan_enabled/defender_container_images_scan_enabled_test.py @@ -14,6 +14,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_container_images_scan_enabled: def test_defender_no_subscriptions(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = {} @@ -37,6 +38,7 @@ class Test_defender_container_images_scan_enabled: def test_defender_subscription_empty(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = {AZURE_SUBSCRIPTION_ID: {}} @@ -60,6 +62,7 @@ class Test_defender_container_images_scan_enabled: def test_defender_subscription_no_containers(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { 
@@ -92,6 +95,7 @@ class Test_defender_container_images_scan_enabled: def test_defender_subscription_containers_no_extensions(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { @@ -137,6 +141,7 @@ class Test_defender_container_images_scan_enabled: def test_defender_subscription_containers_container_images_scan_off(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { @@ -182,6 +187,7 @@ class Test_defender_container_images_scan_enabled: def test_defender_subscription_containers_container_images_scan_on(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_ensure_defender_for_app_services_is_on/defender_ensure_defender_for_app_services_is_on_test.py b/tests/providers/azure/services/defender/defender_ensure_defender_for_app_services_is_on/defender_ensure_defender_for_app_services_is_on_test.py index b2528e28e7..9164b7dfdb 100644 --- a/tests/providers/azure/services/defender/defender_ensure_defender_for_app_services_is_on/defender_ensure_defender_for_app_services_is_on_test.py +++ b/tests/providers/azure/services/defender/defender_ensure_defender_for_app_services_is_on/defender_ensure_defender_for_app_services_is_on_test.py 
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_ensure_defender_for_app_services_is_on: def test_defender_no_app_services(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = {} @@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_app_services_is_on: def test_defender_app_services_pricing_tier_not_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { @@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_app_services_is_on: def test_defender_app_services_pricing_tier_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_ensure_defender_for_arm_is_on/defender_ensure_defender_for_arm_is_on_test.py b/tests/providers/azure/services/defender/defender_ensure_defender_for_arm_is_on/defender_ensure_defender_for_arm_is_on_test.py index 357e3ca9e7..2c83113dc6 100644 --- a/tests/providers/azure/services/defender/defender_ensure_defender_for_arm_is_on/defender_ensure_defender_for_arm_is_on_test.py +++ b/tests/providers/azure/services/defender/defender_ensure_defender_for_arm_is_on/defender_ensure_defender_for_arm_is_on_test.py 
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_ensure_defender_for_arm_is_on: def test_defender_no_arm(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = {} @@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_arm_is_on: def test_defender_arm_pricing_tier_not_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { @@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_arm_is_on: def test_defender_arm_pricing_tier_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_ensure_defender_for_azure_sql_databases_is_on/defender_ensure_defender_for_azure_sql_databases_is_on_test.py b/tests/providers/azure/services/defender/defender_ensure_defender_for_azure_sql_databases_is_on/defender_ensure_defender_for_azure_sql_databases_is_on_test.py index c10314042b..f4ff5f6471 100644 --- a/tests/providers/azure/services/defender/defender_ensure_defender_for_azure_sql_databases_is_on/defender_ensure_defender_for_azure_sql_databases_is_on_test.py +++ b/tests/providers/azure/services/defender/defender_ensure_defender_for_azure_sql_databases_is_on/defender_ensure_defender_for_azure_sql_databases_is_on_test.py 
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_ensure_defender_for_azure_sql_databases_is_on: def test_defender_no_sql_databases(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = {} @@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_azure_sql_databases_is_on: def test_defender_sql_databases_pricing_tier_not_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { @@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_azure_sql_databases_is_on: def test_defender_sql_databases_pricing_tier_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_ensure_defender_for_containers_is_on/defender_ensure_defender_for_containers_is_on_test.py b/tests/providers/azure/services/defender/defender_ensure_defender_for_containers_is_on/defender_ensure_defender_for_containers_is_on_test.py index 7ff728add9..02563454a5 100644 --- a/tests/providers/azure/services/defender/defender_ensure_defender_for_containers_is_on/defender_ensure_defender_for_containers_is_on_test.py +++ b/tests/providers/azure/services/defender/defender_ensure_defender_for_containers_is_on/defender_ensure_defender_for_containers_is_on_test.py 
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_ensure_defender_for_containers_is_on: def test_defender_no_container_registries(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = {} @@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_containers_is_on: def test_defender_container_registries_pricing_tier_not_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { @@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_containers_is_on: def test_defender_container_registries_pricing_tier_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_ensure_defender_for_cosmosdb_is_on/defender_ensure_defender_for_cosmosdb_is_on_test.py b/tests/providers/azure/services/defender/defender_ensure_defender_for_cosmosdb_is_on/defender_ensure_defender_for_cosmosdb_is_on_test.py index 351f38d97f..a48b3678fe 100644 --- a/tests/providers/azure/services/defender/defender_ensure_defender_for_cosmosdb_is_on/defender_ensure_defender_for_cosmosdb_is_on_test.py +++ b/tests/providers/azure/services/defender/defender_ensure_defender_for_cosmosdb_is_on/defender_ensure_defender_for_cosmosdb_is_on_test.py 
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_ensure_defender_for_cosmosdb_is_on: def test_defender_no_cosmosdb(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = {} @@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_cosmosdb_is_on: def test_defender_cosmosdb_pricing_tier_not_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { @@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_cosmosdb_is_on: def test_defender_cosmosdb_pricing_tier_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_ensure_defender_for_databases_is_on/defender_ensure_defender_for_databases_is_on_test.py b/tests/providers/azure/services/defender/defender_ensure_defender_for_databases_is_on/defender_ensure_defender_for_databases_is_on_test.py index 48cbc57ad1..8cde319553 100644 --- a/tests/providers/azure/services/defender/defender_ensure_defender_for_databases_is_on/defender_ensure_defender_for_databases_is_on_test.py +++ b/tests/providers/azure/services/defender/defender_ensure_defender_for_databases_is_on/defender_ensure_defender_for_databases_is_on_test.py 
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_ensure_defender_for_databases_is_on: def test_defender_no_databases(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = {} @@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_databases_is_on: def test_defender_databases_sql_servers(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { @@ -70,6 +72,7 @@ class Test_defender_ensure_defender_for_databases_is_on: def test_defender_databases_sql_server_virtual_machines(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { @@ -103,6 +106,7 @@ class Test_defender_ensure_defender_for_databases_is_on: def test_defender_databases_open_source_relation_databases(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { @@ -136,6 +140,7 @@ class Test_defender_ensure_defender_for_databases_is_on: def test_defender_databases_cosmosdbs(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { 
@@ -169,6 +174,7 @@ class Test_defender_ensure_defender_for_databases_is_on: def test_defender_databases_all_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { @@ -228,6 +234,7 @@ class Test_defender_ensure_defender_for_databases_is_on: def test_defender_databases_cosmosdb_not_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_ensure_defender_for_dns_is_on/defender_ensure_defender_for_dns_is_on_test.py b/tests/providers/azure/services/defender/defender_ensure_defender_for_dns_is_on/defender_ensure_defender_for_dns_is_on_test.py index 6b50ea4c5f..e41f6499d8 100644 --- a/tests/providers/azure/services/defender/defender_ensure_defender_for_dns_is_on/defender_ensure_defender_for_dns_is_on_test.py +++ b/tests/providers/azure/services/defender/defender_ensure_defender_for_dns_is_on/defender_ensure_defender_for_dns_is_on_test.py @@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_ensure_defender_for_dns_is_on: def test_defender_no_dns(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = {} @@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_dns_is_on: def test_defender_dns_pricing_tier_not_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { 
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_dns_is_on: def test_defender_dns_pricing_tier_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_ensure_defender_for_keyvault_is_on/defender_ensure_defender_for_keyvault_is_on_test.py b/tests/providers/azure/services/defender/defender_ensure_defender_for_keyvault_is_on/defender_ensure_defender_for_keyvault_is_on_test.py index f587a92961..e32d7b6b24 100644 --- a/tests/providers/azure/services/defender/defender_ensure_defender_for_keyvault_is_on/defender_ensure_defender_for_keyvault_is_on_test.py +++ b/tests/providers/azure/services/defender/defender_ensure_defender_for_keyvault_is_on/defender_ensure_defender_for_keyvault_is_on_test.py @@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_ensure_defender_for_keyvault_is_on: def test_defender_no_keyvaults(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = {} @@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_keyvault_is_on: def test_defender_keyvaults_pricing_tier_not_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { 
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_keyvault_is_on: def test_defender_keyvaults_pricing_tier_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_ensure_defender_for_os_relational_databases_is_on/defender_ensure_defender_for_os_relational_databases_is_on_test.py b/tests/providers/azure/services/defender/defender_ensure_defender_for_os_relational_databases_is_on/defender_ensure_defender_for_os_relational_databases_is_on_test.py index dc28fb3bb2..7d74712097 100644 --- a/tests/providers/azure/services/defender/defender_ensure_defender_for_os_relational_databases_is_on/defender_ensure_defender_for_os_relational_databases_is_on_test.py +++ b/tests/providers/azure/services/defender/defender_ensure_defender_for_os_relational_databases_is_on/defender_ensure_defender_for_os_relational_databases_is_on_test.py @@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_ensure_defender_for_os_relational_databases_is_on: def test_defender_no_os_relational_databases(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = {} @@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_os_relational_databases_is_on: def test_defender_os_relational_databases_pricing_tier_not_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { 
@@ -81,6 +83,7 @@ class Test_defender_ensure_defender_for_os_relational_databases_is_on: def test_defender_os_relational_databases_pricing_tier_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_ensure_defender_for_server_is_on/defender_ensure_defender_for_server_is_on_test.py b/tests/providers/azure/services/defender/defender_ensure_defender_for_server_is_on/defender_ensure_defender_for_server_is_on_test.py index 226b26ad3a..d8d60d0507 100644 --- a/tests/providers/azure/services/defender/defender_ensure_defender_for_server_is_on/defender_ensure_defender_for_server_is_on_test.py +++ b/tests/providers/azure/services/defender/defender_ensure_defender_for_server_is_on/defender_ensure_defender_for_server_is_on_test.py @@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_ensure_defender_for_server_is_on: def test_defender_no_server(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = {} @@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_server_is_on: def test_defender_server_pricing_tier_not_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { 
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_server_is_on: def test_defender_server_pricing_tier_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_ensure_defender_for_sql_servers_is_on/defender_ensure_defender_for_sql_servers_is_on_test.py b/tests/providers/azure/services/defender/defender_ensure_defender_for_sql_servers_is_on/defender_ensure_defender_for_sql_servers_is_on_test.py index 1907cdbb6c..1f63aed4c8 100644 --- a/tests/providers/azure/services/defender/defender_ensure_defender_for_sql_servers_is_on/defender_ensure_defender_for_sql_servers_is_on_test.py +++ b/tests/providers/azure/services/defender/defender_ensure_defender_for_sql_servers_is_on/defender_ensure_defender_for_sql_servers_is_on_test.py @@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_ensure_defender_for_sql_servers_is_on: def test_defender_no_server(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = {} @@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_sql_servers_is_on: def test_defender_server_pricing_tier_not_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { 
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_sql_servers_is_on: def test_defender_server_pricing_tier_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_ensure_defender_for_storage_is_on/defender_ensure_defender_for_storage_is_on_test.py b/tests/providers/azure/services/defender/defender_ensure_defender_for_storage_is_on/defender_ensure_defender_for_storage_is_on_test.py index f5eee6879a..d534db195f 100644 --- a/tests/providers/azure/services/defender/defender_ensure_defender_for_storage_is_on/defender_ensure_defender_for_storage_is_on_test.py +++ b/tests/providers/azure/services/defender/defender_ensure_defender_for_storage_is_on/defender_ensure_defender_for_storage_is_on_test.py @@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_ensure_defender_for_storage_is_on: def test_defender_no_server(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = {} @@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_storage_is_on: def test_defender_server_pricing_tier_not_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { 
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_storage_is_on: def test_defender_server_pricing_tier_standard(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.pricings = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_ensure_iot_hub_defender_is_on/defender_ensure_iot_hub_defender_is_on_test.py b/tests/providers/azure/services/defender/defender_ensure_iot_hub_defender_is_on/defender_ensure_iot_hub_defender_is_on_test.py index f4ac17c5ae..54b8f17f9a 100644 --- a/tests/providers/azure/services/defender/defender_ensure_iot_hub_defender_is_on/defender_ensure_iot_hub_defender_is_on_test.py +++ b/tests/providers/azure/services/defender/defender_ensure_iot_hub_defender_is_on/defender_ensure_iot_hub_defender_is_on_test.py @@ -15,6 +15,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_ensure_iot_hub_defender_is_on: def test_defender_no_subscriptions(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.iot_security_solutions = {} @@ -38,6 +39,7 @@ class Test_defender_ensure_iot_hub_defender_is_on: def test_defender_no_iot_hub_solutions(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.iot_security_solutions = {AZURE_SUBSCRIPTION_ID: {}} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} @@ -69,6 +71,7 @@ class Test_defender_ensure_iot_hub_defender_is_on: def test_defender_iot_hub_solution_disabled(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.iot_security_solutions = { AZURE_SUBSCRIPTION_ID: { 
@@ -106,6 +109,7 @@ class Test_defender_ensure_iot_hub_defender_is_on: def test_defender_iot_hub_solution_enabled(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.iot_security_solutions = { AZURE_SUBSCRIPTION_ID: { @@ -145,6 +149,7 @@ class Test_defender_ensure_iot_hub_defender_is_on: resource_id_enabled = str(uuid4()) resource_id_disabled = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.iot_security_solutions = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_ensure_mcas_is_enabled/defender_ensure_mcas_is_enabled_test.py b/tests/providers/azure/services/defender/defender_ensure_mcas_is_enabled/defender_ensure_mcas_is_enabled_test.py index 7770ab0baf..23abc7beb2 100644 --- a/tests/providers/azure/services/defender/defender_ensure_mcas_is_enabled/defender_ensure_mcas_is_enabled_test.py +++ b/tests/providers/azure/services/defender/defender_ensure_mcas_is_enabled/defender_ensure_mcas_is_enabled_test.py @@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_ensure_mcas_is_enabled: def test_defender_no_settings(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.settings = {} @@ -37,6 +38,7 @@ class Test_defender_ensure_mcas_is_enabled: def test_defender_mcas_disabled(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.settings = { AZURE_SUBSCRIPTION_ID: { 
@@ -79,6 +81,7 @@ class Test_defender_ensure_mcas_is_enabled: def test_defender_mcas_enabled(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.settings = { AZURE_SUBSCRIPTION_ID: { @@ -120,6 +123,7 @@ class Test_defender_ensure_mcas_is_enabled: def test_defender_mcas_no_settings(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.settings = {AZURE_SUBSCRIPTION_ID: {}} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} diff --git a/tests/providers/azure/services/defender/defender_ensure_notify_alerts_severity_is_high/defender_ensure_notify_alerts_severity_is_high_test.py b/tests/providers/azure/services/defender/defender_ensure_notify_alerts_severity_is_high/defender_ensure_notify_alerts_severity_is_high_test.py index 8d2a3a05f7..b5c3508016 100644 --- a/tests/providers/azure/services/defender/defender_ensure_notify_alerts_severity_is_high/defender_ensure_notify_alerts_severity_is_high_test.py +++ b/tests/providers/azure/services/defender/defender_ensure_notify_alerts_severity_is_high/defender_ensure_notify_alerts_severity_is_high_test.py @@ -16,6 +16,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_ensure_notify_alerts_severity_is_high: def test_defender_no_subscriptions(self): defender_client = mock.MagicMock() + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.security_contact_configurations = {} 
@@ -40,6 +41,7 @@ class Test_defender_ensure_notify_alerts_severity_is_high: def test_defender_severity_alerts_critical(self): resource_id = str(uuid4()) defender_client = mock.MagicMock() + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.security_contact_configurations = { AZURE_SUBSCRIPTION_ID: { @@ -87,6 +89,7 @@ class Test_defender_ensure_notify_alerts_severity_is_high: def test_defender_severity_alerts_high(self): resource_id = str(uuid4()) defender_client = mock.MagicMock() + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.security_contact_configurations = { AZURE_SUBSCRIPTION_ID: { @@ -135,6 +138,7 @@ class Test_defender_ensure_notify_alerts_severity_is_high: def test_defender_severity_alerts_low(self): resource_id = str(uuid4()) defender_client = mock.MagicMock() + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.security_contact_configurations = { AZURE_SUBSCRIPTION_ID: { @@ -182,6 +186,7 @@ class Test_defender_ensure_notify_alerts_severity_is_high: def test_defender_default_security_contact_not_found(self): defender_client = mock.MagicMock() + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.security_contact_configurations = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_ensure_notify_emails_to_owners/defender_ensure_notify_emails_to_owners_test.py b/tests/providers/azure/services/defender/defender_ensure_notify_emails_to_owners/defender_ensure_notify_emails_to_owners_test.py index b125320764..d95712806f 100644 --- a/tests/providers/azure/services/defender/defender_ensure_notify_emails_to_owners/defender_ensure_notify_emails_to_owners_test.py 
+++ b/tests/providers/azure/services/defender/defender_ensure_notify_emails_to_owners/defender_ensure_notify_emails_to_owners_test.py @@ -16,6 +16,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_ensure_notify_emails_to_owners: def test_defender_no_subscriptions(self): defender_client = mock.MagicMock() + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.security_contact_configurations = {} @@ -40,6 +41,7 @@ class Test_defender_ensure_notify_emails_to_owners: def test_defender_no_notify_emails_to_owners(self): resource_id = str(uuid4()) defender_client = mock.MagicMock() + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.security_contact_configurations = { AZURE_SUBSCRIPTION_ID: { @@ -80,6 +82,7 @@ class Test_defender_ensure_notify_emails_to_owners: def test_defender_notify_emails_to_owners_off(self): resource_id = str(uuid4()) defender_client = mock.MagicMock() + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.security_contact_configurations = { AZURE_SUBSCRIPTION_ID: { @@ -127,6 +130,7 @@ class Test_defender_ensure_notify_emails_to_owners: def test_defender_notify_emails_to_owners(self): resource_id = str(uuid4()) defender_client = mock.MagicMock() + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.security_contact_configurations = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_ensure_system_updates_are_applied/defender_ensure_system_updates_are_applied_test.py b/tests/providers/azure/services/defender/defender_ensure_system_updates_are_applied/defender_ensure_system_updates_are_applied_test.py index e6a80853dd..4d98db1939 100644 
--- a/tests/providers/azure/services/defender/defender_ensure_system_updates_are_applied/defender_ensure_system_updates_are_applied_test.py +++ b/tests/providers/azure/services/defender/defender_ensure_system_updates_are_applied/defender_ensure_system_updates_are_applied_test.py @@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_ensure_system_updates_are_applied: def test_defender_no_app_services(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.assessments = {} @@ -37,6 +38,7 @@ class Test_defender_ensure_system_updates_are_applied: def test_defender_machines_no_log_analytics_installed(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.assessments = { AZURE_SUBSCRIPTION_ID: { @@ -89,6 +91,7 @@ class Test_defender_ensure_system_updates_are_applied: ): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.assessments = { AZURE_SUBSCRIPTION_ID: { @@ -139,6 +142,7 @@ class Test_defender_ensure_system_updates_are_applied: def test_defender_machines_no_system_updates_installed(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.assessments = { AZURE_SUBSCRIPTION_ID: { 
@@ -191,6 +195,7 @@ class Test_defender_ensure_system_updates_are_applied: ): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.assessments = { AZURE_SUBSCRIPTION_ID: { diff --git a/tests/providers/azure/services/defender/defender_ensure_wdatp_is_enabled/defender_ensure_wdatp_is_enabled_test.py b/tests/providers/azure/services/defender/defender_ensure_wdatp_is_enabled/defender_ensure_wdatp_is_enabled_test.py index 202e332b3f..2c045b6e49 100644 --- a/tests/providers/azure/services/defender/defender_ensure_wdatp_is_enabled/defender_ensure_wdatp_is_enabled_test.py +++ b/tests/providers/azure/services/defender/defender_ensure_wdatp_is_enabled/defender_ensure_wdatp_is_enabled_test.py @@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_defender_ensure_wdatp_is_enabled: def test_defender_no_settings(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.settings = {} @@ -37,6 +38,7 @@ class Test_defender_ensure_wdatp_is_enabled: def test_defender_wdatp_disabled(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.settings = { AZURE_SUBSCRIPTION_ID: { @@ -79,6 +81,7 @@ class Test_defender_ensure_wdatp_is_enabled: def test_defender_wdatp_enabled(self): resource_id = str(uuid4()) defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.settings = { AZURE_SUBSCRIPTION_ID: { 
@@ -120,6 +123,7 @@ class Test_defender_ensure_wdatp_is_enabled: def test_defender_wdatp_no_settings(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.settings = {AZURE_SUBSCRIPTION_ID: {}} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} diff --git a/tests/providers/azure/services/defender/defender_service_test.py b/tests/providers/azure/services/defender/defender_service_test.py index 4308467263..71457fc6ac 100644 --- a/tests/providers/azure/services/defender/defender_service_test.py +++ b/tests/providers/azure/services/defender/defender_service_test.py @@ -1,5 +1,5 @@ from datetime import timedelta -from unittest.mock import patch +from unittest.mock import MagicMock, patch from prowler.providers.azure.services.defender.defender_service import ( Assesment, @@ -13,6 +13,8 @@ from prowler.providers.azure.services.defender.defender_service import ( ) from tests.providers.azure.azure_fixtures import ( AZURE_SUBSCRIPTION_ID, + RESOURCE_GROUP, + RESOURCE_GROUP_LIST, set_mocked_azure_provider, ) 
@@ -358,3 +360,263 @@ class Test_Defender_Service_Assessments_None_Handling: "Assessment Unhealthy" ] assert assessment_unhealthy.status == "Unhealthy" + + +DEFENDER_INIT_PATCHES = [ + "prowler.providers.azure.services.defender.defender_service.Defender._get_pricings", + "prowler.providers.azure.services.defender.defender_service.Defender._get_auto_provisioning_settings", + "prowler.providers.azure.services.defender.defender_service.Defender._get_assessments", + "prowler.providers.azure.services.defender.defender_service.Defender._get_settings", + "prowler.providers.azure.services.defender.defender_service.Defender._get_security_contacts", + "prowler.providers.azure.services.defender.defender_service.Defender._get_iot_security_solutions", + "prowler.providers.azure.services.defender.defender_service.Defender._get_jit_policies", +] + + +class Test_Defender_get_iot_security_solutions: + def test_get_iot_security_solutions_no_resource_groups(self): + mock_client = MagicMock() + mock_client.iot_security_solution.list_by_subscription.return_value = [] + + with ( + patch(DEFENDER_INIT_PATCHES[0], return_value={}), + patch(DEFENDER_INIT_PATCHES[1], return_value={}), + patch(DEFENDER_INIT_PATCHES[2], return_value={}), + patch(DEFENDER_INIT_PATCHES[3], return_value={}), + patch(DEFENDER_INIT_PATCHES[4], return_value={}), + patch(DEFENDER_INIT_PATCHES[5], return_value={}), + patch(DEFENDER_INIT_PATCHES[6], return_value={}), + ): + defender = Defender(set_mocked_azure_provider()) + + defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + defender.resource_groups = None + + result = defender._get_iot_security_solutions() + + mock_client.iot_security_solution.list_by_subscription.assert_called_once() + mock_client.iot_security_solution.list_by_resource_group.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_iot_security_solutions_with_resource_group(self): + mock_client = MagicMock() + 
mock_client.iot_security_solution.list_by_resource_group.return_value = [] + + with ( + patch(DEFENDER_INIT_PATCHES[0], return_value={}), + patch(DEFENDER_INIT_PATCHES[1], return_value={}), + patch(DEFENDER_INIT_PATCHES[2], return_value={}), + patch(DEFENDER_INIT_PATCHES[3], return_value={}), + patch(DEFENDER_INIT_PATCHES[4], return_value={}), + patch(DEFENDER_INIT_PATCHES[5], return_value={}), + patch(DEFENDER_INIT_PATCHES[6], return_value={}), + ): + defender = Defender(set_mocked_azure_provider()) + + defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + defender.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + result = defender._get_iot_security_solutions() + + mock_client.iot_security_solution.list_by_resource_group.assert_called_once_with( + resource_group_name=RESOURCE_GROUP + ) + mock_client.iot_security_solution.list_by_subscription.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_iot_security_solutions_empty_resource_group_for_subscription(self): + mock_client = MagicMock() + + with ( + patch(DEFENDER_INIT_PATCHES[0], return_value={}), + patch(DEFENDER_INIT_PATCHES[1], return_value={}), + patch(DEFENDER_INIT_PATCHES[2], return_value={}), + patch(DEFENDER_INIT_PATCHES[3], return_value={}), + patch(DEFENDER_INIT_PATCHES[4], return_value={}), + patch(DEFENDER_INIT_PATCHES[5], return_value={}), + patch(DEFENDER_INIT_PATCHES[6], return_value={}), + ): + defender = Defender(set_mocked_azure_provider()) + + defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + defender.resource_groups = {AZURE_SUBSCRIPTION_ID: []} + + result = defender._get_iot_security_solutions() + + mock_client.iot_security_solution.list_by_resource_group.assert_not_called() + mock_client.iot_security_solution.list_by_subscription.assert_not_called() + assert result[AZURE_SUBSCRIPTION_ID] == {} + + +class Test_Defender_get_jit_policies: + def test_get_jit_policies_no_resource_groups(self): + mock_client = MagicMock() + 
mock_client.jit_network_access_policies.list.return_value = [] + + with ( + patch(DEFENDER_INIT_PATCHES[0], return_value={}), + patch(DEFENDER_INIT_PATCHES[1], return_value={}), + patch(DEFENDER_INIT_PATCHES[2], return_value={}), + patch(DEFENDER_INIT_PATCHES[3], return_value={}), + patch(DEFENDER_INIT_PATCHES[4], return_value={}), + patch(DEFENDER_INIT_PATCHES[5], return_value={}), + patch(DEFENDER_INIT_PATCHES[6], return_value={}), + ): + defender = Defender(set_mocked_azure_provider()) + + defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + defender.resource_groups = None + + result = defender._get_jit_policies() + + mock_client.jit_network_access_policies.list.assert_called_once() + mock_client.jit_network_access_policies.list_by_resource_group.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_jit_policies_with_resource_group(self): + mock_client = MagicMock() + mock_client.jit_network_access_policies.list_by_resource_group.return_value = [] + + with ( + patch(DEFENDER_INIT_PATCHES[0], return_value={}), + patch(DEFENDER_INIT_PATCHES[1], return_value={}), + patch(DEFENDER_INIT_PATCHES[2], return_value={}), + patch(DEFENDER_INIT_PATCHES[3], return_value={}), + patch(DEFENDER_INIT_PATCHES[4], return_value={}), + patch(DEFENDER_INIT_PATCHES[5], return_value={}), + patch(DEFENDER_INIT_PATCHES[6], return_value={}), + ): + defender = Defender(set_mocked_azure_provider()) + + defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + defender.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + result = defender._get_jit_policies() + + mock_client.jit_network_access_policies.list_by_resource_group.assert_called_once_with( + resource_group_name=RESOURCE_GROUP + ) + mock_client.jit_network_access_policies.list.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_jit_policies_empty_resource_group_for_subscription(self): + mock_client = MagicMock() + + with ( + patch(DEFENDER_INIT_PATCHES[0], 
return_value={}), + patch(DEFENDER_INIT_PATCHES[1], return_value={}), + patch(DEFENDER_INIT_PATCHES[2], return_value={}), + patch(DEFENDER_INIT_PATCHES[3], return_value={}), + patch(DEFENDER_INIT_PATCHES[4], return_value={}), + patch(DEFENDER_INIT_PATCHES[5], return_value={}), + patch(DEFENDER_INIT_PATCHES[6], return_value={}), + ): + defender = Defender(set_mocked_azure_provider()) + + defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + defender.resource_groups = {AZURE_SUBSCRIPTION_ID: []} + + result = defender._get_jit_policies() + + mock_client.jit_network_access_policies.list_by_resource_group.assert_not_called() + mock_client.jit_network_access_policies.list.assert_not_called() + assert result[AZURE_SUBSCRIPTION_ID] == {} + + def test_get_iot_security_solutions_with_multiple_resource_groups(self): + mock_client = MagicMock() + mock_client.iot_security_solution.list_by_resource_group.return_value = [] + + with ( + patch(DEFENDER_INIT_PATCHES[0], return_value={}), + patch(DEFENDER_INIT_PATCHES[1], return_value={}), + patch(DEFENDER_INIT_PATCHES[2], return_value={}), + patch(DEFENDER_INIT_PATCHES[3], return_value={}), + patch(DEFENDER_INIT_PATCHES[4], return_value={}), + patch(DEFENDER_INIT_PATCHES[5], return_value={}), + patch(DEFENDER_INIT_PATCHES[6], return_value={}), + ): + defender = Defender(set_mocked_azure_provider()) + + defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + defender.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST} + + result = defender._get_iot_security_solutions() + + assert mock_client.iot_security_solution.list_by_resource_group.call_count == 2 + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_iot_security_solutions_with_mixed_case_resource_group(self): + mock_client = MagicMock() + mock_client.iot_security_solution.list_by_resource_group.return_value = [] + + with ( + patch(DEFENDER_INIT_PATCHES[0], return_value={}), + patch(DEFENDER_INIT_PATCHES[1], return_value={}), + patch(DEFENDER_INIT_PATCHES[2], 
return_value={}), + patch(DEFENDER_INIT_PATCHES[3], return_value={}), + patch(DEFENDER_INIT_PATCHES[4], return_value={}), + patch(DEFENDER_INIT_PATCHES[5], return_value={}), + patch(DEFENDER_INIT_PATCHES[6], return_value={}), + ): + defender = Defender(set_mocked_azure_provider()) + + defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + defender.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]} + + defender._get_iot_security_solutions() + + mock_client.iot_security_solution.list_by_resource_group.assert_called_once_with( + resource_group_name="RG" + ) + + +class Test_Defender_get_jit_policies_extra: + def test_get_jit_policies_with_multiple_resource_groups(self): + mock_client = MagicMock() + mock_client.jit_network_access_policies.list_by_resource_group.return_value = [] + + with ( + patch(DEFENDER_INIT_PATCHES[0], return_value={}), + patch(DEFENDER_INIT_PATCHES[1], return_value={}), + patch(DEFENDER_INIT_PATCHES[2], return_value={}), + patch(DEFENDER_INIT_PATCHES[3], return_value={}), + patch(DEFENDER_INIT_PATCHES[4], return_value={}), + patch(DEFENDER_INIT_PATCHES[5], return_value={}), + patch(DEFENDER_INIT_PATCHES[6], return_value={}), + ): + defender = Defender(set_mocked_azure_provider()) + + defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + defender.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST} + + result = defender._get_jit_policies() + + assert ( + mock_client.jit_network_access_policies.list_by_resource_group.call_count + == 2 + ) + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_jit_policies_with_mixed_case_resource_group(self): + mock_client = MagicMock() + mock_client.jit_network_access_policies.list_by_resource_group.return_value = [] + + with ( + patch(DEFENDER_INIT_PATCHES[0], return_value={}), + patch(DEFENDER_INIT_PATCHES[1], return_value={}), + patch(DEFENDER_INIT_PATCHES[2], return_value={}), + patch(DEFENDER_INIT_PATCHES[3], return_value={}), + patch(DEFENDER_INIT_PATCHES[4], return_value={}), + 
patch(DEFENDER_INIT_PATCHES[5], return_value={}), + patch(DEFENDER_INIT_PATCHES[6], return_value={}), + ): + defender = Defender(set_mocked_azure_provider()) + + defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + defender.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]} + + defender._get_jit_policies() + + mock_client.jit_network_access_policies.list_by_resource_group.assert_called_once_with( + resource_group_name="RG" + ) diff --git a/tests/providers/azure/services/entra/entra_conditional_access_policy_require_mfa_for_admin_portals/entra_conditional_access_policy_require_mfa_for_admin_portals_test.py b/tests/providers/azure/services/entra/entra_conditional_access_policy_require_mfa_for_admin_portals/entra_conditional_access_policy_require_mfa_for_admin_portals_test.py index 3909b80568..aa572cffb6 100644 --- a/tests/providers/azure/services/entra/entra_conditional_access_policy_require_mfa_for_admin_portals/entra_conditional_access_policy_require_mfa_for_admin_portals_test.py +++ b/tests/providers/azure/services/entra/entra_conditional_access_policy_require_mfa_for_admin_portals/entra_conditional_access_policy_require_mfa_for_admin_portals_test.py @@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid class Test_entra_conditional_access_policy_require_mfa_for_admin_portals: def test_entra_no_subscriptions(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -30,7 +30,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_admin_portals: def test_entra_tenant_no_policies(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", 
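Review bot: `test_get_iot_security_solutions_with_multiple_resource_groups` and `test_get_jit_policies_with_multiple_resource_groups` only check `call_count == 2` against listings that return `[]`, so they would still pass if the service queried the wrong group names or kept only the last group's results for the subscription. Since the filter decides which resources a scan covers, pin the names, e.g. `assert {c.kwargs["resource_group_name"] for c in mock_client.iot_security_solution.list_by_resource_group.call_args_list} == set(RESOURCE_GROUP_LIST)`, and add one case where each group returns a distinct item and both end up in `result[AZURE_SUBSCRIPTION_ID]`. The two `..._mixed_case_resource_group` tests pass `"RG"`, which is all upper case; a constructed value such as `"My-Rg"` would match the test name. The two IoT tests that follow `test_get_jit_policies_empty_resource_group_for_subscription` also appear to sit inside `Test_Defender_get_jit_policies` and probably belong in `Test_Defender_get_iot_security_solutions`.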
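Review bot: `entra_client.resource_groups = {}` uses an empty dict for the unfiltered case, while the Defender service tests in this patch use `defender.resource_groups = None` for it and `{AZURE_SUBSCRIPTION_ID: []}` for a filter that matches nothing. Whether `{}` is read as "no filter" or as "filter with no subscriptions" depends on service code outside this hunk, so it would help to settle on one sentinel and state it next to the fixture, e.g. `# None = no resource-group filter; {sub_id: []} = filter set, nothing in scope`. The hunk also replaces the blank line before `with (` with the assignment; keeping a blank line after the new statement would preserve the existing layout. Both remarks apply to the other Entra test hunks that follow.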
@@ -61,6 +61,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_admin_portals: def test_entra_tenant_policy_no_mfa(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} policy_id = str(uuid4()) with ( @@ -105,6 +106,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_admin_portals: def test_entra_tenant_policy_mfa(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} policy_id = str(uuid4()) with ( @@ -149,6 +151,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_admin_portals: def test_entra_tenant_policy_mfa_disabled(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} policy_id = str(uuid4()) with ( @@ -193,6 +196,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_admin_portals: def test_entra_tenant_policy_mfa_no_target(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} policy_id = str(uuid4()) with ( @@ -237,6 +241,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_admin_portals: def test_entra_tenant_policy_mfa_no_users(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} policy_id = str(uuid4()) with ( diff --git a/tests/providers/azure/services/entra/entra_conditional_access_policy_require_mfa_for_management_api/entra_conditional_access_policy_require_mfa_for_management_api_test.py b/tests/providers/azure/services/entra/entra_conditional_access_policy_require_mfa_for_management_api/entra_conditional_access_policy_require_mfa_for_management_api_test.py index 3c880886ee..82362135a9 100644 --- a/tests/providers/azure/services/entra/entra_conditional_access_policy_require_mfa_for_management_api/entra_conditional_access_policy_require_mfa_for_management_api_test.py +++ b/tests/providers/azure/services/entra/entra_conditional_access_policy_require_mfa_for_management_api/entra_conditional_access_policy_require_mfa_for_management_api_test.py 
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid class Test_entra_conditional_access_policy_require_mfa_for_management_api: def test_entra_no_subscriptions(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -30,7 +30,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_management_api: def test_entra_tenant_no_policies(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -61,6 +61,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_management_api: def test_entra_tenant_policy_no_mfa(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} policy_id = str(uuid4()) with ( @@ -105,6 +106,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_management_api: def test_entra_tenant_policy_mfa(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} policy_id = str(uuid4()) with ( @@ -149,6 +151,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_management_api: def test_entra_tenant_policy_mfa_disabled(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} policy_id = str(uuid4()) with ( @@ -193,6 +196,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_management_api: def test_entra_tenant_policy_mfa_no_target(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} policy_id = str(uuid4()) with ( @@ -237,6 +241,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_management_api: def test_entra_tenant_policy_mfa_no_users(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} policy_id = str(uuid4()) with ( 
diff --git a/tests/providers/azure/services/entra/entra_global_admin_in_less_than_five_users/entra_global_admin_in_less_than_five_users_test.py b/tests/providers/azure/services/entra/entra_global_admin_in_less_than_five_users/entra_global_admin_in_less_than_five_users_test.py index 4820f13ad9..4270f485f3 100644 --- a/tests/providers/azure/services/entra/entra_global_admin_in_less_than_five_users/entra_global_admin_in_less_than_five_users_test.py +++ b/tests/providers/azure/services/entra/entra_global_admin_in_less_than_five_users/entra_global_admin_in_less_than_five_users_test.py @@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid class Test_entra_global_admin_in_less_than_five_users: def test_entra_no_tenants(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -32,7 +32,7 @@ class Test_entra_global_admin_in_less_than_five_users: def test_entra_tenant_empty(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -57,7 +57,7 @@ class Test_entra_global_admin_in_less_than_five_users: def test_entra_less_than_five_global_admins(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -110,7 +110,7 @@ class Test_entra_global_admin_in_less_than_five_users: def test_entra_more_than_five_global_admins(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", 
@@ -178,7 +178,7 @@ class Test_entra_global_admin_in_less_than_five_users: def test_entra_exactly_five_global_admins(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", diff --git a/tests/providers/azure/services/entra/entra_non_privileged_user_has_mfa/entra_non_privileged_user_has_mfa_test.py b/tests/providers/azure/services/entra/entra_non_privileged_user_has_mfa/entra_non_privileged_user_has_mfa_test.py index 4d2f289a90..04d838a2c0 100644 --- a/tests/providers/azure/services/entra/entra_non_privileged_user_has_mfa/entra_non_privileged_user_has_mfa_test.py +++ b/tests/providers/azure/services/entra/entra_non_privileged_user_has_mfa/entra_non_privileged_user_has_mfa_test.py @@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid class Test_entra_non_privileged_user_has_mfa: def test_entra_no_tenants(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -30,7 +30,7 @@ class Test_entra_non_privileged_user_has_mfa: def test_entra_tenant_no_users(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -53,6 +53,7 @@ class Test_entra_non_privileged_user_has_mfa: def test_entra_user_no_privileged_no_mfa(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} user_id = str(uuid4()) with ( @@ -100,6 +101,7 @@ class Test_entra_non_privileged_user_has_mfa: def test_entra_user_no_privileged_mfa(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} user_id = str(uuid4()) with ( 
@@ -144,6 +146,7 @@ class Test_entra_non_privileged_user_has_mfa: def test_entra_disabled_user_no_privileged_no_mfa(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} user_id = str(uuid4()) with ( @@ -184,6 +187,7 @@ class Test_entra_non_privileged_user_has_mfa: def test_entra_disabled_user_no_privileged_mfa(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} user_id = str(uuid4()) with ( @@ -224,6 +228,7 @@ class Test_entra_non_privileged_user_has_mfa: def test_entra_user_privileged_no_mfa(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} user_id = str(uuid4()) with ( @@ -265,6 +270,7 @@ class Test_entra_non_privileged_user_has_mfa: def test_entra_user_privileged_mfa(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} user_id = str(uuid4()) with ( diff --git a/tests/providers/azure/services/entra/entra_policy_default_users_cannot_create_security_groups/entra_policy_default_users_cannot_create_security_groups_test.py b/tests/providers/azure/services/entra/entra_policy_default_users_cannot_create_security_groups/entra_policy_default_users_cannot_create_security_groups_test.py index 603fae5863..df614a06e4 100644 --- a/tests/providers/azure/services/entra/entra_policy_default_users_cannot_create_security_groups/entra_policy_default_users_cannot_create_security_groups_test.py +++ b/tests/providers/azure/services/entra/entra_policy_default_users_cannot_create_security_groups/entra_policy_default_users_cannot_create_security_groups_test.py @@ -7,6 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid class Test_entra_policy_default_users_cannot_create_security_groups: def test_entra_no_tenants(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} entra_client.authorization_policy = {} with ( 
@@ -29,6 +30,7 @@ class Test_entra_policy_default_users_cannot_create_security_groups: def test_entra_tenant_empty(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} id = str(uuid4()) with ( @@ -75,6 +77,7 @@ class Test_entra_policy_default_users_cannot_create_security_groups: self, ): entra_client = mock.MagicMock + entra_client.resource_groups = {} id = str(uuid4()) with ( @@ -124,6 +127,7 @@ class Test_entra_policy_default_users_cannot_create_security_groups: self, ): entra_client = mock.MagicMock + entra_client.resource_groups = {} id = str(uuid4()) with ( diff --git a/tests/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_apps/entra_policy_ensure_default_user_cannot_create_apps_test.py b/tests/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_apps/entra_policy_ensure_default_user_cannot_create_apps_test.py index d62941388c..5bfa9b2b4b 100644 --- a/tests/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_apps/entra_policy_ensure_default_user_cannot_create_apps_test.py +++ b/tests/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_apps/entra_policy_ensure_default_user_cannot_create_apps_test.py @@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid class Test_entra_policy_ensure_default_user_cannot_create_apps: def test_entra_no_tenants(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -30,6 +30,7 @@ class Test_entra_policy_ensure_default_user_cannot_create_apps: def test_entra_tenant_empty(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} id = str(uuid4()) with ( 
@@ -75,7 +76,7 @@ class Test_entra_policy_ensure_default_user_cannot_create_apps: def test_entra_default_user_role_permissions_not_allowed_to_create_apps(self): id = str(uuid4()) entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -122,7 +123,7 @@ class Test_entra_policy_ensure_default_user_cannot_create_apps: def test_entra_default_user_role_permissions_allowed_to_create_apps(self): id = str(uuid4()) entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", diff --git a/tests/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_tenants/entra_policy_ensure_default_user_cannot_create_tenants_test.py b/tests/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_tenants/entra_policy_ensure_default_user_cannot_create_tenants_test.py index b9a678bc08..391c3f424f 100644 --- a/tests/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_tenants/entra_policy_ensure_default_user_cannot_create_tenants_test.py +++ b/tests/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_tenants/entra_policy_ensure_default_user_cannot_create_tenants_test.py @@ -7,6 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid class Test_entra_policy_ensure_default_user_cannot_create_tenants: def test_entra_no_tenants(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} entra_client.authorization_policy = {} with ( @@ -29,6 +30,7 @@ class Test_entra_policy_ensure_default_user_cannot_create_tenants: def test_entra_empty_tenant(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} id = str(uuid4()) with ( 
@@ -74,7 +76,7 @@ class Test_entra_policy_ensure_default_user_cannot_create_tenants: def test_entra_default_user_role_permissions_not_allowed_to_create_tenants(self): id = str(uuid4()) entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -121,7 +123,7 @@ class Test_entra_policy_ensure_default_user_cannot_create_tenants: def test_entra_default_user_role_permissions_allowed_to_create_tenants(self): id = str(uuid4()) entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", diff --git a/tests/providers/azure/services/entra/entra_policy_guest_invite_only_for_admin_roles/entra_policy_guest_invite_only_for_admin_roles_test.py b/tests/providers/azure/services/entra/entra_policy_guest_invite_only_for_admin_roles/entra_policy_guest_invite_only_for_admin_roles_test.py index a59c84b6b3..e844b900f1 100644 --- a/tests/providers/azure/services/entra/entra_policy_guest_invite_only_for_admin_roles/entra_policy_guest_invite_only_for_admin_roles_test.py +++ b/tests/providers/azure/services/entra/entra_policy_guest_invite_only_for_admin_roles/entra_policy_guest_invite_only_for_admin_roles_test.py @@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid class Test_entra_policy_guest_invite_only_for_admin_roles: def test_entra_no_tenants(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -30,6 +30,7 @@ class Test_entra_policy_guest_invite_only_for_admin_roles: def test_entra_empty_tenant(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} id = str(uuid4()) with ( 
@@ -76,6 +77,7 @@ class Test_entra_policy_guest_invite_only_for_admin_roles: def test_entra_tenant_policy_allow_invites_from_everyone(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} id = str(uuid4()) with ( @@ -120,6 +122,7 @@ class Test_entra_policy_guest_invite_only_for_admin_roles: def test_entra_tenant_policy_allow_invites_from_admins(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} id = str(uuid4()) with ( @@ -164,6 +167,7 @@ class Test_entra_policy_guest_invite_only_for_admin_roles: def test_entra_tenant_policy_allow_invites_from_none(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} id = str(uuid4()) with ( diff --git a/tests/providers/azure/services/entra/entra_policy_guest_users_access_restrictions/entra_policy_guest_users_access_restrictions_test.py b/tests/providers/azure/services/entra/entra_policy_guest_users_access_restrictions/entra_policy_guest_users_access_restrictions_test.py index 4f70895846..9b7aecf053 100644 --- a/tests/providers/azure/services/entra/entra_policy_guest_users_access_restrictions/entra_policy_guest_users_access_restrictions_test.py +++ b/tests/providers/azure/services/entra/entra_policy_guest_users_access_restrictions/entra_policy_guest_users_access_restrictions_test.py @@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid class Test_entra_policy_guest_users_access_restrictions: def test_entra_no_tenants(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -30,6 +30,7 @@ class Test_entra_policy_guest_users_access_restrictions: def test_entra_tenant_empty(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} id = str(uuid4()) with ( 
@@ -74,6 +75,7 @@ class Test_entra_policy_guest_users_access_restrictions: def test_entra_tenant_policy_access_same_as_member(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} id = str(uuid4()) with ( @@ -117,6 +119,7 @@ class Test_entra_policy_guest_users_access_restrictions: def test_entra_tenant_policy_limited_access(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} id = str(uuid4()) with ( @@ -160,6 +163,7 @@ class Test_entra_policy_guest_users_access_restrictions: def test_entra_tenant_policy_access_restricted(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} id = str(uuid4()) with ( diff --git a/tests/providers/azure/services/entra/entra_policy_restricts_user_consent_for_apps/entra_policy_restricts_user_consent_for_apps_test.py b/tests/providers/azure/services/entra/entra_policy_restricts_user_consent_for_apps/entra_policy_restricts_user_consent_for_apps_test.py index 36a03cab1d..bf4c43b2c2 100644 --- a/tests/providers/azure/services/entra/entra_policy_restricts_user_consent_for_apps/entra_policy_restricts_user_consent_for_apps_test.py +++ b/tests/providers/azure/services/entra/entra_policy_restricts_user_consent_for_apps/entra_policy_restricts_user_consent_for_apps_test.py @@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid class Test_entra_policy_restricts_user_consent_for_apps: def test_entra_no_tenants(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -30,6 +30,7 @@ class Test_entra_policy_restricts_user_consent_for_apps: def test_entra_tenant_empty(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} id = str(uuid4()) with ( 
@@ -74,7 +75,7 @@ class Test_entra_policy_restricts_user_consent_for_apps: def test_entra_tenant_no_default_user_role_permissions(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -116,7 +117,7 @@ class Test_entra_policy_restricts_user_consent_for_apps: def test_entra_tenant_no_consent(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -162,7 +163,7 @@ class Test_entra_policy_restricts_user_consent_for_apps: def test_entra_tenant_legacy_consent(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", diff --git a/tests/providers/azure/services/entra/entra_policy_user_consent_for_verified_apps/entra_policy_user_consent_for_verified_apps_test.py b/tests/providers/azure/services/entra/entra_policy_user_consent_for_verified_apps/entra_policy_user_consent_for_verified_apps_test.py index 02bd0a2220..74dc98fd2a 100644 --- a/tests/providers/azure/services/entra/entra_policy_user_consent_for_verified_apps/entra_policy_user_consent_for_verified_apps_test.py +++ b/tests/providers/azure/services/entra/entra_policy_user_consent_for_verified_apps/entra_policy_user_consent_for_verified_apps_test.py @@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid class Test_entra_policy_user_consent_for_verified_apps: def test_entra_no_subscriptions(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", 
@@ -30,7 +30,7 @@ class Test_entra_policy_user_consent_for_verified_apps: def test_entra_tenant_no_consent(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -76,7 +76,7 @@ class Test_entra_policy_user_consent_for_verified_apps: def test_entra_tenant_legacy_consent(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", diff --git a/tests/providers/azure/services/entra/entra_privileged_user_has_mfa/entra_privileged_user_has_mfa_test.py b/tests/providers/azure/services/entra/entra_privileged_user_has_mfa/entra_privileged_user_has_mfa_test.py index 31e0a57bff..3475baf592 100644 --- a/tests/providers/azure/services/entra/entra_privileged_user_has_mfa/entra_privileged_user_has_mfa_test.py +++ b/tests/providers/azure/services/entra/entra_privileged_user_has_mfa/entra_privileged_user_has_mfa_test.py @@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid class Test_entra_privileged_user_has_mfa: def test_entra_no_tenants(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -30,7 +30,7 @@ class Test_entra_privileged_user_has_mfa: def test_entra_tenant_no_users(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -53,6 +53,7 @@ class Test_entra_privileged_user_has_mfa: def test_entra_user_no_privileged_no_mfa(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} user_id = str(uuid4()) with ( 
@@ -92,6 +93,7 @@ class Test_entra_privileged_user_has_mfa: def test_entra_user_no_privileged_mfa(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} user_id = str(uuid4()) with ( @@ -131,6 +133,7 @@ class Test_entra_privileged_user_has_mfa: def test_entra_user_privileged_no_mfa(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} user_id = str(uuid4()) with ( @@ -177,6 +180,7 @@ class Test_entra_privileged_user_has_mfa: def test_entra_user_privileged_mfa(self): entra_client = mock.MagicMock + entra_client.resource_groups = {} user_id = str(uuid4()) with ( diff --git a/tests/providers/azure/services/entra/entra_security_defaults_enabled/entra_security_defaults_enabled_test.py b/tests/providers/azure/services/entra/entra_security_defaults_enabled/entra_security_defaults_enabled_test.py index 562c008c52..11d6d8ff8e 100644 --- a/tests/providers/azure/services/entra/entra_security_defaults_enabled/entra_security_defaults_enabled_test.py +++ b/tests/providers/azure/services/entra/entra_security_defaults_enabled/entra_security_defaults_enabled_test.py @@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid class Test_entra_security_defaults_enabled: def test_entra_no_tenants(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -30,7 +30,7 @@ class Test_entra_security_defaults_enabled: def test_entra_tenant_empty(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -58,7 +58,7 @@ class Test_entra_security_defaults_enabled: def test_entra_security_default_enabled(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", 
@@ -93,7 +93,7 @@ class Test_entra_security_defaults_enabled: def test_entra_security_default_disabled(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", diff --git a/tests/providers/azure/services/entra/entra_trusted_named_locations_exists/entra_trusted_named_locations_exists_test.py b/tests/providers/azure/services/entra/entra_trusted_named_locations_exists/entra_trusted_named_locations_exists_test.py index 2af5c975cb..89a8ba7f07 100644 --- a/tests/providers/azure/services/entra/entra_trusted_named_locations_exists/entra_trusted_named_locations_exists_test.py +++ b/tests/providers/azure/services/entra/entra_trusted_named_locations_exists/entra_trusted_named_locations_exists_test.py @@ -10,7 +10,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_entra_trusted_named_locations_exists: def test_entra_no_tenants(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -34,7 +34,7 @@ class Test_entra_trusted_named_locations_exists: def test_entra_tenant_empty(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -67,7 +67,7 @@ class Test_entra_trusted_named_locations_exists: def test_entra_named_location_with_ip_ranges(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -111,7 +111,7 @@ class Test_entra_trusted_named_locations_exists: def test_entra_named_location_without_ip_ranges(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", 
@@ -156,7 +156,7 @@ class Test_entra_trusted_named_locations_exists: def test_entra_new_named_location_with_ip_ranges_not_trusted(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", diff --git a/tests/providers/azure/services/entra/entra_user_with_vm_access_has_mfa/entra_user_with_vm_access_has_mfa_test.py b/tests/providers/azure/services/entra/entra_user_with_vm_access_has_mfa/entra_user_with_vm_access_has_mfa_test.py index 46dc9389af..83c06ea5b6 100644 --- a/tests/providers/azure/services/entra/entra_user_with_vm_access_has_mfa/entra_user_with_vm_access_has_mfa_test.py +++ b/tests/providers/azure/services/entra/entra_user_with_vm_access_has_mfa/entra_user_with_vm_access_has_mfa_test.py @@ -14,10 +14,11 @@ from tests.providers.azure.azure_fixtures import ( class Test_iam_assignment_priviledge_access_vm_has_mfa: def test_iam_no_roles(self): iam_client = mock.MagicMock + iam_client.resource_groups = {} iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} entra_client = mock.MagicMock + entra_client.resource_groups = {} entra_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} - with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -41,9 +42,11 @@ class Test_iam_assignment_priviledge_access_vm_has_mfa: def test_entra_user_with_vm_access_has_mfa(self): iam_client = mock.MagicMock + iam_client.resource_groups = {} iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} role_assigment_id = str(uuid4()) entra_client = mock.MagicMock + entra_client.resource_groups = {} entra_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} user_id = str(uuid4()) 
@@ -112,9 +115,11 @@ class Test_iam_assignment_priviledge_access_vm_has_mfa: def test_entra_user_with_vm_access_has_mfa_no_mfa(self): iam_client = mock.MagicMock + iam_client.resource_groups = {} iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} role_assigment_id = str(uuid4()) entra_client = mock.MagicMock + entra_client.resource_groups = {} entra_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} user_id = str(uuid4()) @@ -183,9 +188,11 @@ class Test_iam_assignment_priviledge_access_vm_has_mfa: def test_entra_user_with_vm_access_has_mfa_no_user(self): iam_client = mock.MagicMock + iam_client.resource_groups = {} iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} role_assigment_id = str(uuid4()) entra_client = mock.MagicMock + entra_client.resource_groups = {} entra_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} user_id = str(uuid4()) @@ -237,9 +244,11 @@ class Test_iam_assignment_priviledge_access_vm_has_mfa: def test_entra_user_with_vm_access_has_mfa_no_role(self): iam_client = mock.MagicMock + iam_client.resource_groups = {} iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} role_assigment_id = str(uuid4()) entra_client = mock.MagicMock + entra_client.resource_groups = {} entra_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} user_id = str(uuid4()) diff --git a/tests/providers/azure/services/entra/entra_users_cannot_create_microsoft_365_groups/entra_users_cannot_create_microsoft_365_groups_test.py b/tests/providers/azure/services/entra/entra_users_cannot_create_microsoft_365_groups/entra_users_cannot_create_microsoft_365_groups_test.py index ee82e9a07a..eb7269f6f2 100644 --- a/tests/providers/azure/services/entra/entra_users_cannot_create_microsoft_365_groups/entra_users_cannot_create_microsoft_365_groups_test.py 
+++ b/tests/providers/azure/services/entra/entra_users_cannot_create_microsoft_365_groups/entra_users_cannot_create_microsoft_365_groups_test.py @@ -11,7 +11,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_entra_users_cannot_create_microsoft_365_groups: def test_entra_no_tenant(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -35,7 +35,7 @@ class Test_entra_users_cannot_create_microsoft_365_groups: def test_entra_tenant_empty(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -65,7 +65,7 @@ class Test_entra_users_cannot_create_microsoft_365_groups: def test_entra_users_cannot_create_microsoft_365_groups(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -114,7 +114,7 @@ class Test_entra_users_cannot_create_microsoft_365_groups: def test_entra_users_can_create_microsoft_365_groups(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", @@ -161,7 +161,7 @@ class Test_entra_users_cannot_create_microsoft_365_groups: def test_entra_users_can_create_microsoft_365_groups_no_setting(self): entra_client = mock.MagicMock - + entra_client.resource_groups = {} with ( mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", diff --git a/tests/providers/azure/services/iam/azure_iam_service_test.py b/tests/providers/azure/services/iam/azure_iam_service_test.py new file mode 100644 index 0000000000..3f1dfec6fc --- /dev/null +++ b/tests/providers/azure/services/iam/azure_iam_service_test.py 
@@ -0,0 +1,162 @@ +from unittest.mock import MagicMock, patch + +from prowler.providers.azure.services.iam.iam_service import IAM +from tests.providers.azure.azure_fixtures import ( + AZURE_SUBSCRIPTION_ID, + RESOURCE_GROUP, + set_mocked_azure_provider, +) + + +class Test_IAM_get_roles: + def test_get_roles_no_resource_groups(self): + mock_client = MagicMock() + mock_client.role_definitions.list.return_value = [] + + with ( + patch( + "prowler.providers.azure.services.iam.iam_service.IAM._get_roles", + return_value=({}, {}), + ), + patch( + "prowler.providers.azure.services.iam.iam_service.IAM._get_role_assignments", + return_value={}, + ), + ): + iam = IAM(set_mocked_azure_provider()) + + iam.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + iam.resource_groups = None + + builtin, custom = iam._get_roles() + + mock_client.role_definitions.list.assert_called_once() + assert AZURE_SUBSCRIPTION_ID in builtin + assert AZURE_SUBSCRIPTION_ID in custom + + def test_get_roles_with_resource_group(self): + mock_client = MagicMock() + mock_client.role_definitions.list.return_value = [] + + with ( + patch( + "prowler.providers.azure.services.iam.iam_service.IAM._get_roles", + return_value=({}, {}), + ), + patch( + "prowler.providers.azure.services.iam.iam_service.IAM._get_role_assignments", + return_value={}, + ), + ): + iam = IAM(set_mocked_azure_provider()) + + iam.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + iam.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + builtin, custom = iam._get_roles() + + mock_client.role_definitions.list.assert_called_once() + assert AZURE_SUBSCRIPTION_ID in builtin + assert AZURE_SUBSCRIPTION_ID in custom + + def test_get_roles_empty_resource_group_for_subscription(self): + mock_client = MagicMock() + mock_client.role_definitions.list.return_value = [] + + with ( + patch( + "prowler.providers.azure.services.iam.iam_service.IAM._get_roles", + return_value=({}, {}), + ), + patch( + 
"prowler.providers.azure.services.iam.iam_service.IAM._get_role_assignments", + return_value={}, + ), + ): + iam = IAM(set_mocked_azure_provider()) + + iam.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + iam.resource_groups = {AZURE_SUBSCRIPTION_ID: []} + + builtin, custom = iam._get_roles() + + mock_client.role_definitions.list.assert_called_once() + assert AZURE_SUBSCRIPTION_ID in builtin + assert AZURE_SUBSCRIPTION_ID in custom + + +class Test_IAM_get_role_assignments: + def test_get_role_assignments_no_resource_groups(self): + mock_client = MagicMock() + mock_client.role_assignments = MagicMock() + mock_client.role_assignments.list_for_subscription.return_value = [] + + with ( + patch( + "prowler.providers.azure.services.iam.iam_service.IAM._get_roles", + return_value=({}, {}), + ), + patch( + "prowler.providers.azure.services.iam.iam_service.IAM._get_role_assignments", + return_value={}, + ), + ): + iam = IAM(set_mocked_azure_provider()) + + iam.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + iam.resource_groups = None + + result = iam._get_role_assignments() + + mock_client.role_assignments.list_for_subscription.assert_called_once() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_role_assignments_with_resource_group(self): + mock_client = MagicMock() + mock_client.role_assignments = MagicMock() + mock_client.role_assignments.list_for_subscription.return_value = [] + + with ( + patch( + "prowler.providers.azure.services.iam.iam_service.IAM._get_roles", + return_value=({}, {}), + ), + patch( + "prowler.providers.azure.services.iam.iam_service.IAM._get_role_assignments", + return_value={}, + ), + ): + iam = IAM(set_mocked_azure_provider()) + + iam.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + iam.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + result = iam._get_role_assignments() + + mock_client.role_assignments.list_for_subscription.assert_called_once() + assert AZURE_SUBSCRIPTION_ID in result + + def 
test_get_role_assignments_empty_resource_group_for_subscription(self): + mock_client = MagicMock() + mock_client.role_assignments = MagicMock() + mock_client.role_assignments.list_for_subscription.return_value = [] + + with ( + patch( + "prowler.providers.azure.services.iam.iam_service.IAM._get_roles", + return_value=({}, {}), + ), + patch( + "prowler.providers.azure.services.iam.iam_service.IAM._get_role_assignments", + return_value={}, + ), + ): + iam = IAM(set_mocked_azure_provider()) + + iam.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + iam.resource_groups = {AZURE_SUBSCRIPTION_ID: []} + + result = iam._get_role_assignments() + + mock_client.role_assignments.list_for_subscription.assert_called_once() + assert AZURE_SUBSCRIPTION_ID in result diff --git a/tests/providers/azure/services/iam/iam_custom_role_has_permissions_to_administer_resource_locks/iam_custom_role_has_permissions_to_administer_resource_locks_test.py b/tests/providers/azure/services/iam/iam_custom_role_has_permissions_to_administer_resource_locks/iam_custom_role_has_permissions_to_administer_resource_locks_test.py index 5125130871..2d808c7102 100644 --- a/tests/providers/azure/services/iam/iam_custom_role_has_permissions_to_administer_resource_locks/iam_custom_role_has_permissions_to_administer_resource_locks_test.py +++ b/tests/providers/azure/services/iam/iam_custom_role_has_permissions_to_administer_resource_locks/iam_custom_role_has_permissions_to_administer_resource_locks_test.py @@ -14,6 +14,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_iam_custom_role_has_permissions_to_administer_resource_locks: def test_iam_no_roles(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.custom_roles = {} 
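Review bot: In the new `azure_iam_service_test.py`, the `*_with_resource_group` and `*_empty_resource_group_for_subscription` cases assert exactly what the `*_no_resource_groups` cases assert (`role_definitions.list` or `role_assignments.list_for_subscription` called once, subscription key present), so nothing in them shows how the filter is meant to affect IAM. If the intent is that role definitions and assignments stay subscription-wide when a scan is limited to a resource group (presumably so; `iam_service.py` is not shown here), state it in a docstring such as `"""IAM listing is subscription-scoped; resource_groups must not change the SDK call."""`. Pin it as the KeyVault tests do for their unused path, for example `mock_client.role_assignments.list_for_resource_group.assert_not_called()`. Because every mocked list returns `[]`, the `in builtin` / `in result` checks only prove that the key exists; one fixture role definition and one role assignment would confirm that subscription-level entries still reach the results under a filter.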
@@ -39,6 +40,7 @@ class Test_iam_custom_role_has_permissions_to_administer_resource_locks: self, ): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} role_name = "test-role" defender_client.custom_roles = { @@ -95,6 +97,7 @@ class Test_iam_custom_role_has_permissions_to_administer_resource_locks: self, ): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} role_name = "test-role" defender_client.custom_roles = { @@ -144,6 +147,7 @@ class Test_iam_custom_role_has_permissions_to_administer_resource_locks: self, ): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} role_name = "test-role" role_name2 = "test-role2" @@ -212,6 +216,7 @@ class Test_iam_custom_role_has_permissions_to_administer_resource_locks: def test_iam_custom_roles_empty_list_but_with_key(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.custom_roles = {AZURE_SUBSCRIPTION_ID: {}} diff --git a/tests/providers/azure/services/iam/iam_role_user_access_admin_restricted/iam_role_user_access_admin_restricted_test.py b/tests/providers/azure/services/iam/iam_role_user_access_admin_restricted/iam_role_user_access_admin_restricted_test.py index 8ccf6e6f64..3ead279d6b 100644 --- a/tests/providers/azure/services/iam/iam_role_user_access_admin_restricted/iam_role_user_access_admin_restricted_test.py +++ b/tests/providers/azure/services/iam/iam_role_user_access_admin_restricted/iam_role_user_access_admin_restricted_test.py 
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_iam_role_user_access_admin_restricted: def test_iam_no_role_assignments(self): iam_client = mock.MagicMock + iam_client.resource_groups = {} iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} iam_client.role_assignments = {} iam_client.roles = {} @@ -37,6 +38,7 @@ class Test_iam_role_user_access_admin_restricted: def test_iam_user_access_administrator_role_assigned(self): iam_client = mock.MagicMock + iam_client.resource_groups = {} role_id = str(uuid4()) role_assignment_id = str(uuid4()) agent_id = str(uuid4()) @@ -97,6 +99,7 @@ class Test_iam_role_user_access_admin_restricted: def test_iam_non_user_access_administrator_role_assigned(self): iam_client = mock.MagicMock + iam_client.resource_groups = {} role_id = str(uuid4()) role_assignment_id = str(uuid4()) agent_id = str(uuid4()) diff --git a/tests/providers/azure/services/iam/iam_subscription_roles_owner_custom_not_created/iam_subscription_roles_owner_custom_not_created_test.py b/tests/providers/azure/services/iam/iam_subscription_roles_owner_custom_not_created/iam_subscription_roles_owner_custom_not_created_test.py index 1d2d37ee11..2687cb75a9 100644 --- a/tests/providers/azure/services/iam/iam_subscription_roles_owner_custom_not_created/iam_subscription_roles_owner_custom_not_created_test.py +++ b/tests/providers/azure/services/iam/iam_subscription_roles_owner_custom_not_created/iam_subscription_roles_owner_custom_not_created_test.py @@ -14,6 +14,7 @@ from tests.providers.azure.azure_fixtures import ( class Test_iam_subscription_roles_owner_custom_not_created: def test_iam_no_roles(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.custom_roles = {} 
@@ -37,6 +38,7 @@ class Test_iam_subscription_roles_owner_custom_not_created: def test_iam_custom_owner_role_created_with_all(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} role_name = "test-role" defender_client.custom_roles = { @@ -84,6 +86,7 @@ class Test_iam_subscription_roles_owner_custom_not_created: def test_iam_custom_owner_role_created_with_no_permissions(self): defender_client = mock.MagicMock + defender_client.resource_groups = {} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} role_name = "test-role" defender_client.custom_roles = { diff --git a/tests/providers/azure/services/keyvault/keyvault_service_test.py b/tests/providers/azure/services/keyvault/keyvault_service_test.py index f0a73d9081..e43b7a9fff 100644 --- a/tests/providers/azure/services/keyvault/keyvault_service_test.py +++ b/tests/providers/azure/services/keyvault/keyvault_service_test.py @@ -3,6 +3,8 @@ from unittest.mock import MagicMock, patch from tests.providers.azure.azure_fixtures import ( AZURE_SUBSCRIPTION_ID, + RESOURCE_GROUP, + RESOURCE_GROUP_LIST, set_mocked_azure_provider, ) 
@@ -263,3 +265,208 @@ class Test_keyvault_service:
 .storage_account_name
 == "storage_account_name"
 )
+
+
+class Test_KeyVault_get_key_vaults:
+ def test_get_key_vaults_no_resource_groups(self):
+ mock_client = MagicMock()
+ mock_client.vaults = MagicMock()
+ mock_client.vaults.list_by_subscription.return_value = []
+
+ mock_provider = MagicMock()
+ mock_provider.identity = MagicMock()
+ with (
+ patch(
+ "prowler.providers.common.provider.Provider.get_global_provider",
+ return_value=mock_provider,
+ ),
+ patch(
+ "prowler.providers.azure.services.monitor.monitor_service.Monitor",
+ new=MagicMock(),
+ ),
+ patch(
+ "prowler.providers.azure.services.keyvault.keyvault_service.KeyVault._get_key_vaults",
+ return_value={},
+ ),
+ ):
+ from prowler.providers.azure.services.keyvault.keyvault_service import (
+ KeyVault,
+ )
+
+ keyvault = KeyVault(set_mocked_azure_provider())
+
+ keyvault.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ keyvault.resource_groups = None
+
+ provider = set_mocked_azure_provider()
+ with patch(
+ "prowler.providers.azure.services.keyvault.keyvault_service.monitor_client"
+ ):
+ result = keyvault._get_key_vaults(provider)
+
+ mock_client.vaults.list_by_subscription.assert_called_once()
+ mock_client.vaults.list_by_resource_group.assert_not_called()
+ assert AZURE_SUBSCRIPTION_ID in result
+
+ def test_get_key_vaults_with_resource_group(self):
+ mock_client = MagicMock()
+ mock_client.vaults = MagicMock()
+ mock_client.vaults.list_by_resource_group.return_value = []
+
+ mock_provider = MagicMock()
+ mock_provider.identity = MagicMock()
+ with (
+ patch(
+ "prowler.providers.common.provider.Provider.get_global_provider",
+ return_value=mock_provider,
+ ),
+ patch(
+ "prowler.providers.azure.services.monitor.monitor_service.Monitor",
+ new=MagicMock(),
+ ),
+ patch(
+ "prowler.providers.azure.services.keyvault.keyvault_service.KeyVault._get_key_vaults",
+ return_value={},
+ ),
+ ):
+ from prowler.providers.azure.services.keyvault.keyvault_service import (
+ KeyVault,
+ )
+
+ keyvault = KeyVault(set_mocked_azure_provider())
+
+ keyvault.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ keyvault.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
+
+ provider = set_mocked_azure_provider()
+ with patch(
+ "prowler.providers.azure.services.keyvault.keyvault_service.monitor_client"
+ ):
+ result = keyvault._get_key_vaults(provider)
+
+ mock_client.vaults.list_by_resource_group.assert_called_once_with(
+ resource_group_name=RESOURCE_GROUP
+ )
+ mock_client.vaults.list_by_subscription.assert_not_called()
+ assert AZURE_SUBSCRIPTION_ID in result
+
+ def test_get_key_vaults_empty_resource_group_for_subscription(self):
+ mock_client = MagicMock()
+ mock_client.vaults = MagicMock()
+
+ mock_provider = MagicMock()
+ mock_provider.identity = MagicMock()
+ with (
+ patch(
+ "prowler.providers.common.provider.Provider.get_global_provider",
+ return_value=mock_provider,
+ ),
+ patch(
+ "prowler.providers.azure.services.monitor.monitor_service.Monitor",
+ new=MagicMock(),
+ ),
+ patch(
+ "prowler.providers.azure.services.keyvault.keyvault_service.KeyVault._get_key_vaults",
+ return_value={},
+ ),
+ ):
+ from prowler.providers.azure.services.keyvault.keyvault_service import (
+ KeyVault,
+ )
+
+ keyvault = KeyVault(set_mocked_azure_provider())
+
+ keyvault.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ keyvault.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
+
+ provider = set_mocked_azure_provider()
+ with patch(
+ "prowler.providers.azure.services.keyvault.keyvault_service.monitor_client"
+ ):
+ result = keyvault._get_key_vaults(provider)
+
+ mock_client.vaults.list_by_resource_group.assert_not_called()
+ mock_client.vaults.list_by_subscription.assert_not_called()
+ assert result[AZURE_SUBSCRIPTION_ID] == []
+
+ def test_get_key_vaults_with_multiple_resource_groups(self):
+ mock_client = MagicMock()
+ mock_client.vaults = MagicMock()
+ mock_client.vaults.list_by_resource_group.return_value = []
+
+ mock_provider = MagicMock()
+ mock_provider.identity = MagicMock()
+ with (
+ patch(
+ "prowler.providers.common.provider.Provider.get_global_provider",
+ return_value=mock_provider,
+ ),
+ patch(
+ "prowler.providers.azure.services.monitor.monitor_service.Monitor",
+ new=MagicMock(),
+ ),
+ patch(
+ "prowler.providers.azure.services.keyvault.keyvault_service.KeyVault._get_key_vaults",
+ return_value={},
+ ),
+ ):
+ from prowler.providers.azure.services.keyvault.keyvault_service import (
+ KeyVault,
+ )
+
+ keyvault = KeyVault(set_mocked_azure_provider())
+
+ keyvault.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ keyvault.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
+
+ provider = set_mocked_azure_provider()
+ with patch(
+ "prowler.providers.azure.services.keyvault.keyvault_service.monitor_client"
+ ):
+ result = keyvault._get_key_vaults(provider)
+
+ assert mock_client.vaults.list_by_resource_group.call_count == len(
+ RESOURCE_GROUP_LIST
+ )
+ mock_client.vaults.list_by_subscription.assert_not_called()
+ assert AZURE_SUBSCRIPTION_ID in result
+
+ def test_get_key_vaults_with_mixed_case_resource_group(self):
+ mock_client = MagicMock()
+ mock_client.vaults = MagicMock()
+ mock_client.vaults.list_by_resource_group.return_value = []
+
+ mock_provider = MagicMock()
+ mock_provider.identity = MagicMock()
+ with (
+ patch(
+ "prowler.providers.common.provider.Provider.get_global_provider",
+ return_value=mock_provider,
+ ),
+ patch(
+ "prowler.providers.azure.services.monitor.monitor_service.Monitor",
+ new=MagicMock(),
+ ),
+ patch(
+ "prowler.providers.azure.services.keyvault.keyvault_service.KeyVault._get_key_vaults",
+ return_value={},
+ ),
+ ):
+ from prowler.providers.azure.services.keyvault.keyvault_service import (
+ KeyVault,
+ )
+
+ keyvault = KeyVault(set_mocked_azure_provider())
+
+ keyvault.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ keyvault.resource_groups = {AZURE_SUBSCRIPTION_ID: ["MyRG"]}
+
+ provider = set_mocked_azure_provider()
+ with patch(
+ "prowler.providers.azure.services.keyvault.keyvault_service.monitor_client"
+ ):
+ keyvault._get_key_vaults(provider)
+
+ mock_client.vaults.list_by_resource_group.assert_called_once_with(
+ resource_group_name="MyRG"
+ )
diff --git a/tests/providers/azure/services/mysql/mysql_service_test.py b/tests/providers/azure/services/mysql/mysql_service_test.py
index 24364f175a..728e50610b 100644
--- a/tests/providers/azure/services/mysql/mysql_service_test.py
+++ b/tests/providers/azure/services/mysql/mysql_service_test.py
@@ -1,4 +1,4 @@
-from unittest.mock import patch
+from unittest.mock import MagicMock, patch
 from prowler.providers.azure.services.mysql.mysql_service import (
 Configuration,
@@ -7,6 +7,8 @@ from prowler.providers.azure.services.mysql.mysql_service import (
 )
 from tests.providers.azure.azure_fixtures import (
 AZURE_SUBSCRIPTION_ID,
+ RESOURCE_GROUP,
+ RESOURCE_GROUP_LIST,
 set_mocked_azure_provider,
 )
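Review bot: The tests in `Test_KeyVault_get_key_vaults` only ever return `[]` from the mocked list calls, so `assert AZURE_SUBSCRIPTION_ID in result` passes whether or not the resource-group branch keeps the vaults it was handed. Since this filter decides what a scan covers, at least one case should return a stub vault from `list_by_resource_group` and assert that it appears in `result[AZURE_SUBSCRIPTION_ID]`; for the empty-return cases the check can probably be tightened to `assert result[AZURE_SUBSCRIPTION_ID] == []`, as the empty-list test already does. `test_get_key_vaults_with_mixed_case_resource_group` only pins that `"MyRG"` is forwarded unchanged, which is worth a one-line comment such as `# name is passed through verbatim; case-insensitive matching is not covered here` so the test name is not read as more than that.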
@@ -117,3 +119,131 @@ class Test_MySQL_Service:
 assert configurations["test"].resource_id == "/subscriptions/resource_id"
 assert configurations["test"].description == "description"
 assert configurations["test"].value == "value"
+
+
+class Test_MySQL_get_flexible_servers:
+ def test_get_flexible_servers_no_resource_groups(self):
+ mock_client = MagicMock()
+ mock_client.servers.list.return_value = []
+
+ with (
+ patch(
+ "prowler.providers.azure.services.mysql.mysql_service.MySQL._get_flexible_servers",
+ return_value={},
+ ),
+ patch(
+ "prowler.providers.azure.services.mysql.mysql_service.MySQL._get_configurations",
+ return_value={},
+ ),
+ ):
+ mysql = MySQL(set_mocked_azure_provider())
+
+ mysql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ mysql.resource_groups = None
+
+ result = mysql._get_flexible_servers()
+
+ mock_client.servers.list.assert_called_once()
+ mock_client.servers.list_by_resource_group.assert_not_called()
+ assert AZURE_SUBSCRIPTION_ID in result
+
+ def test_get_flexible_servers_with_resource_group(self):
+ mock_client = MagicMock()
+ mock_client.servers.list_by_resource_group.return_value = []
+
+ with (
+ patch(
+ "prowler.providers.azure.services.mysql.mysql_service.MySQL._get_flexible_servers",
+ return_value={},
+ ),
+ patch(
+ "prowler.providers.azure.services.mysql.mysql_service.MySQL._get_configurations",
+ return_value={},
+ ),
+ ):
+ mysql = MySQL(set_mocked_azure_provider())
+
+ mysql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ mysql.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
+
+ result = mysql._get_flexible_servers()
+
+ mock_client.servers.list_by_resource_group.assert_called_once_with(
+ resource_group_name=RESOURCE_GROUP
+ )
+ mock_client.servers.list.assert_not_called()
+ assert AZURE_SUBSCRIPTION_ID in result
+
+ def test_get_flexible_servers_empty_resource_group_for_subscription(self):
+ mock_client = MagicMock()
+
+ with (
+ patch(
+ "prowler.providers.azure.services.mysql.mysql_service.MySQL._get_flexible_servers",
+ return_value={},
+ ),
+ patch(
+ "prowler.providers.azure.services.mysql.mysql_service.MySQL._get_configurations",
+ return_value={},
+ ),
+ ):
+ mysql = MySQL(set_mocked_azure_provider())
+
+ mysql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ mysql.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
+
+ result = mysql._get_flexible_servers()
+
+ mock_client.servers.list_by_resource_group.assert_not_called()
+ mock_client.servers.list.assert_not_called()
+ assert AZURE_SUBSCRIPTION_ID in result
+ assert result[AZURE_SUBSCRIPTION_ID] == {}
+
+ def test_get_flexible_servers_with_multiple_resource_groups(self):
+ mock_client = MagicMock()
+ mock_client.servers.list_by_resource_group.return_value = []
+
+ with (
+ patch(
+ "prowler.providers.azure.services.mysql.mysql_service.MySQL._get_flexible_servers",
+ return_value={},
+ ),
+ patch(
+ "prowler.providers.azure.services.mysql.mysql_service.MySQL._get_configurations",
+ return_value={},
+ ),
+ ):
+ mysql = MySQL(set_mocked_azure_provider())
+
+ mysql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ mysql.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
+
+ result = mysql._get_flexible_servers()
+
+ assert mock_client.servers.list_by_resource_group.call_count == 2
+ assert AZURE_SUBSCRIPTION_ID in result
+
+ def test_get_flexible_servers_with_mixed_case_resource_group(self):
+ mock_client = MagicMock()
+ mock_client.servers.list_by_resource_group.return_value = []
+
+ with (
+ patch(
+ "prowler.providers.azure.services.mysql.mysql_service.MySQL._get_flexible_servers",
+ return_value={},
+ ),
+ patch(
+ "prowler.providers.azure.services.mysql.mysql_service.MySQL._get_configurations",
+ return_value={},
+ ),
+ ):
+ mysql = MySQL(set_mocked_azure_provider())
+
+ mysql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ mysql.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
+
+ mysql._get_flexible_servers()
+
+ mock_client.servers.list_by_resource_group.assert_called_once_with(
+ resource_group_name="RG"
+ )
diff --git a/tests/providers/azure/services/network/network_service_test.py b/tests/providers/azure/services/network/network_service_test.py
index 8a0e72542f..9a440b90cc 100644
--- a/tests/providers/azure/services/network/network_service_test.py
+++ b/tests/providers/azure/services/network/network_service_test.py
@@ -1,4 +1,4 @@
-from unittest.mock import patch
+from unittest.mock import MagicMock, patch
 from azure.mgmt.network.models import FlowLog
@@ -8,9 +8,12 @@ from prowler.providers.azure.services.network.network_service import (
 NetworkWatcher,
 PublicIp,
 SecurityGroup,
+ VirtualNetwork,
 )
 from tests.providers.azure.azure_fixtures import (
 AZURE_SUBSCRIPTION_ID,
+ RESOURCE_GROUP,
+ RESOURCE_GROUP_LIST,
 set_mocked_azure_provider,
 )
@@ -66,6 +69,20 @@ def mock_network_get_public_ip_addresses(_):
 }
+def mock_network_get_virtual_networks(_):
+ return {
+ AZURE_SUBSCRIPTION_ID: [
+ VirtualNetwork(
+ id="id",
+ name="name",
+ location="location",
+ enable_ddos_protection=False,
+ subnets=[],
+ )
+ ]
+ }
+
+
 @patch(
 "prowler.providers.azure.services.network.network_service.Network._get_security_groups",
 new=mock_network_get_security_groups,
@@ -82,6 +99,10 @@ def mock_network_get_public_ip_addresses(_):
 "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
 new=mock_network_get_public_ip_addresses,
 )
+@patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_virtual_networks",
+ new=mock_network_get_virtual_networks,
+)
 class Test_Network_Service:
 def test_get_client(self):
 network = Network(set_mocked_azure_provider())
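Review bot: `test_get_flexible_servers_with_multiple_resource_groups` hard-codes `call_count == 2` and never checks that the subscription-wide listing was skipped, unlike the single-group test above it. Tie the count to the fixture and add the negative check: `assert mock_client.servers.list_by_resource_group.call_count == len(RESOURCE_GROUP_LIST)` and `mock_client.servers.list.assert_not_called()`. In `test_get_flexible_servers_with_mixed_case_resource_group` the value `"RG"` is all upper case, so it does not exercise mixed case; a value such as `"MyRG"` would match the test name.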
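Review bot: The new `_get_virtual_networks` patch is added to the decorator stack of `Test_Network_Service` only, while the `Test_Network_get_*` classes added later in this file construct `Network(set_mocked_azure_provider())` under four patches that leave `_get_virtual_networks` out. If the constructor calls that method, those tests run the real implementation against the mocked provider during setup, which makes them depend on behaviour they do not assert on. Adding `patch("prowler.providers.azure.services.network.network_service.Network._get_virtual_networks", new=mock_network_get_virtual_networks)` to their `with` blocks would keep the setup consistent. The body of `Test_Network_Service` continues outside the hunk.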
@@ -162,3 +183,905 @@ class Test_Network_Service:
 network.public_ip_addresses[AZURE_SUBSCRIPTION_ID][0].ip_address
 == "ip_address"
 )
+
+
+class Test_Network_get_security_groups:
+ def test_get_security_groups_no_resource_groups(self):
+ mock_client = MagicMock()
+ mock_client.network_security_groups.list_all.return_value = []
+
+ with (
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_security_groups",
+ new=mock_network_get_security_groups,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
+ new=mock_network_get_bastion_hosts,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
+ new=mock_network_get_network_watchers,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
+ new=mock_network_get_public_ip_addresses,
+ ),
+ ):
+ network = Network(set_mocked_azure_provider())
+
+ network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ network.resource_groups = None
+
+ result = network._get_security_groups()
+
+ mock_client.network_security_groups.list_all.assert_called_once()
+ mock_client.network_security_groups.list.assert_not_called()
+ assert AZURE_SUBSCRIPTION_ID in result
+
+ def test_get_security_groups_with_resource_group(self):
+ mock_client = MagicMock()
+ mock_client.network_security_groups.list.return_value = []
+
+ with (
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_security_groups",
+ new=mock_network_get_security_groups,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
+ new=mock_network_get_bastion_hosts,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
+ new=mock_network_get_network_watchers,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
+ new=mock_network_get_public_ip_addresses,
+ ),
+ ):
+ network = Network(set_mocked_azure_provider())
+
+ network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ network.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
+
+ result = network._get_security_groups()
+
+ mock_client.network_security_groups.list.assert_called_once_with(
+ resource_group_name=RESOURCE_GROUP
+ )
+ mock_client.network_security_groups.list_all.assert_not_called()
+ assert AZURE_SUBSCRIPTION_ID in result
+
+ def test_get_security_groups_empty_resource_group_for_subscription(self):
+ mock_client = MagicMock()
+
+ with (
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_security_groups",
+ new=mock_network_get_security_groups,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
+ new=mock_network_get_bastion_hosts,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
+ new=mock_network_get_network_watchers,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
+ new=mock_network_get_public_ip_addresses,
+ ),
+ ):
+ network = Network(set_mocked_azure_provider())
+
+ network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ network.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
+
+ result = network._get_security_groups()
+
+ mock_client.network_security_groups.list.assert_not_called()
+ mock_client.network_security_groups.list_all.assert_not_called()
+ assert result[AZURE_SUBSCRIPTION_ID] == []
+
+
+class Test_Network_get_network_watchers:
+ def test_get_network_watchers_no_resource_groups(self):
+ mock_client = MagicMock()
+ mock_client.network_watchers = MagicMock()
+ mock_client.network_watchers.list_all.return_value = []
+
+ with (
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_security_groups",
+ new=mock_network_get_security_groups,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
+ new=mock_network_get_bastion_hosts,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
+ new=mock_network_get_network_watchers,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
+ new=mock_network_get_public_ip_addresses,
+ ),
+ ):
+ network = Network(set_mocked_azure_provider())
+
+ network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ network.resource_groups = None
+
+ result = network._get_network_watchers()
+
+ mock_client.network_watchers.list_all.assert_called_once()
+ mock_client.network_watchers.list.assert_not_called()
+ assert AZURE_SUBSCRIPTION_ID in result
+
+ def test_get_network_watchers_with_resource_group(self):
+ mock_client = MagicMock()
+ mock_client.network_watchers = MagicMock()
+ mock_client.network_watchers.list_all.return_value = []
+
+ with (
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_security_groups",
+ new=mock_network_get_security_groups,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
+ new=mock_network_get_bastion_hosts,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
+ new=mock_network_get_network_watchers,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
+ new=mock_network_get_public_ip_addresses,
+ ),
+ ):
+ network = Network(set_mocked_azure_provider())
+
+ network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ network.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
+
+ result = network._get_network_watchers()
+
+ mock_client.network_watchers.list_all.assert_called_once()
+ mock_client.network_watchers.list.assert_not_called()
+ assert AZURE_SUBSCRIPTION_ID in result
+
+ def test_get_network_watchers_empty_resource_group_for_subscription(self):
+ mock_client = MagicMock()
+ mock_client.network_watchers = MagicMock()
+ mock_client.network_watchers.list_all.return_value = []
+
+ with (
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_security_groups",
+ new=mock_network_get_security_groups,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
+ new=mock_network_get_bastion_hosts,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
+ new=mock_network_get_network_watchers,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
+ new=mock_network_get_public_ip_addresses,
+ ),
+ ):
+ network = Network(set_mocked_azure_provider())
+
+ network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ network.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
+
+ result = network._get_network_watchers()
+
+ mock_client.network_watchers.list_all.assert_called_once()
+ mock_client.network_watchers.list.assert_not_called()
+ assert AZURE_SUBSCRIPTION_ID in result
+
+
+class Test_Network_get_bastion_hosts:
+ def test_get_bastion_hosts_no_resource_groups(self):
+ mock_client = MagicMock()
+ mock_client.bastion_hosts = MagicMock()
+ mock_client.bastion_hosts.list.return_value = []
+
+ with (
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_security_groups",
+ new=mock_network_get_security_groups,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
+ new=mock_network_get_bastion_hosts,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
+ new=mock_network_get_network_watchers,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
+ new=mock_network_get_public_ip_addresses,
+ ),
+ ):
+ network = Network(set_mocked_azure_provider())
+
+ network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ network.resource_groups = None
+
+ result = network._get_bastion_hosts()
+
+ mock_client.bastion_hosts.list.assert_called_once()
+ mock_client.bastion_hosts.list_by_resource_group.assert_not_called()
+ assert AZURE_SUBSCRIPTION_ID in result
+
+ def test_get_bastion_hosts_with_resource_group(self):
+ mock_client = MagicMock()
+ mock_client.bastion_hosts = MagicMock()
+ mock_client.bastion_hosts.list_by_resource_group.return_value = []
+
+ with (
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_security_groups",
+ new=mock_network_get_security_groups,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
+ new=mock_network_get_bastion_hosts,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
+ new=mock_network_get_network_watchers,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
+ new=mock_network_get_public_ip_addresses,
+ ),
+ ):
+ network = Network(set_mocked_azure_provider())
+
+ network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ network.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
+
+ result = network._get_bastion_hosts()
+
+ mock_client.bastion_hosts.list_by_resource_group.assert_called_once_with(
+ resource_group_name=RESOURCE_GROUP
+ )
+ mock_client.bastion_hosts.list.assert_not_called()
+ assert AZURE_SUBSCRIPTION_ID in result
+
+ def test_get_bastion_hosts_empty_resource_group_for_subscription(self):
+ mock_client = MagicMock()
+ mock_client.bastion_hosts = MagicMock()
+
+ with (
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_security_groups",
+ new=mock_network_get_security_groups,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
+ new=mock_network_get_bastion_hosts,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
+ new=mock_network_get_network_watchers,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
+ new=mock_network_get_public_ip_addresses,
+ ),
+ ):
+ network = Network(set_mocked_azure_provider())
+
+ network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ network.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
+
+ result = network._get_bastion_hosts()
+
+ mock_client.bastion_hosts.list_by_resource_group.assert_not_called()
+ mock_client.bastion_hosts.list.assert_not_called()
+ assert result[AZURE_SUBSCRIPTION_ID] == []
+
+
+class Test_Network_get_public_ip_addresses:
+ def test_get_public_ip_addresses_no_resource_groups(self):
+ mock_client = MagicMock()
+ mock_client.public_ip_addresses = MagicMock()
+ mock_client.public_ip_addresses.list_all.return_value = []
+
+ with (
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_security_groups",
+ new=mock_network_get_security_groups,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
+ new=mock_network_get_bastion_hosts,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
+ new=mock_network_get_network_watchers,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
+ new=mock_network_get_public_ip_addresses,
+ ),
+ ):
+ network = Network(set_mocked_azure_provider())
+
+ network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ network.resource_groups = None
+
+ result = network._get_public_ip_addresses()
+
+ mock_client.public_ip_addresses.list_all.assert_called_once()
+ mock_client.public_ip_addresses.list.assert_not_called()
+ assert AZURE_SUBSCRIPTION_ID in result
+
+ def test_get_public_ip_addresses_with_resource_group(self):
+ mock_client = MagicMock()
+ mock_client.public_ip_addresses = MagicMock()
+ mock_client.public_ip_addresses.list.return_value = []
+
+ with (
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_security_groups",
+ new=mock_network_get_security_groups,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
+ new=mock_network_get_bastion_hosts,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
+ new=mock_network_get_network_watchers,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
+ new=mock_network_get_public_ip_addresses,
+ ),
+ ):
+ network = Network(set_mocked_azure_provider())
+
+ network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ network.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
+
+ result = network._get_public_ip_addresses()
+
+ mock_client.public_ip_addresses.list.assert_called_once_with(
+ resource_group_name=RESOURCE_GROUP
+ )
+ mock_client.public_ip_addresses.list_all.assert_not_called()
+ assert AZURE_SUBSCRIPTION_ID in result
+
+ def test_get_public_ip_addresses_empty_resource_group_for_subscription(self):
+ mock_client = MagicMock()
+ mock_client.public_ip_addresses = MagicMock()
+
+ with (
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_security_groups",
+ new=mock_network_get_security_groups,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
+ new=mock_network_get_bastion_hosts,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
+ new=mock_network_get_network_watchers,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
+ new=mock_network_get_public_ip_addresses,
+ ),
+ ):
+ network = Network(set_mocked_azure_provider())
+
+ network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ network.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
+
+ result = network._get_public_ip_addresses()
+
+ mock_client.public_ip_addresses.list.assert_not_called()
+ mock_client.public_ip_addresses.list_all.assert_not_called()
+ assert result[AZURE_SUBSCRIPTION_ID] == []
+
+ def test_get_security_groups_with_multiple_resource_groups(self):
+ mock_client = MagicMock()
+ mock_client.network_security_groups = MagicMock()
+ mock_client.network_security_groups.list.return_value = []
+
+ with (
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_security_groups",
+ new=mock_network_get_security_groups,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
+ new=mock_network_get_bastion_hosts,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
+ new=mock_network_get_network_watchers,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
+ new=mock_network_get_public_ip_addresses,
+ ),
+ ):
+ network = Network(set_mocked_azure_provider())
+
+ network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ network.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
+
+ result = network._get_security_groups()
+
+ assert mock_client.network_security_groups.list.call_count == 2
+ assert AZURE_SUBSCRIPTION_ID in result
+
+ def test_get_security_groups_with_mixed_case_resource_group(self):
+ mock_client = MagicMock()
+ mock_client.network_security_groups = MagicMock()
+ mock_client.network_security_groups.list.return_value = []
+
+ with (
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_security_groups",
+ new=mock_network_get_security_groups,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
+ new=mock_network_get_bastion_hosts,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
+ new=mock_network_get_network_watchers,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
+ new=mock_network_get_public_ip_addresses,
+ ),
+ ):
+ network = Network(set_mocked_azure_provider())
+
+ network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ network.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
+
+ network._get_security_groups()
+
+ mock_client.network_security_groups.list.assert_called_once_with(
+ resource_group_name="RG"
+ )
+
+
+class Test_Network_get_network_watchers_extra:
+ def test_get_network_watchers_with_multiple_resource_groups(self):
+ mock_client = MagicMock()
+ mock_client.network_watchers = MagicMock()
+ mock_client.network_watchers.list_all.return_value = []
+
+ with (
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_security_groups",
+ new=mock_network_get_security_groups,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
+ new=mock_network_get_bastion_hosts,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
+ new=mock_network_get_network_watchers,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
+ new=mock_network_get_public_ip_addresses,
+ ),
+ ):
+ network = Network(set_mocked_azure_provider())
+
+ network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ network.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
+
+ result = network._get_network_watchers()
+
+ mock_client.network_watchers.list_all.assert_called_once()
+ mock_client.network_watchers.list.assert_not_called()
+ assert AZURE_SUBSCRIPTION_ID in result
+
+ def test_get_network_watchers_with_mixed_case_resource_group(self):
+ mock_client = MagicMock()
+ mock_client.network_watchers = MagicMock()
+ mock_client.network_watchers.list_all.return_value = []
+
+ with (
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_security_groups",
+ new=mock_network_get_security_groups,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
+ new=mock_network_get_bastion_hosts,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
+ new=mock_network_get_network_watchers,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
+ new=mock_network_get_public_ip_addresses,
+ ),
+ ):
+ network = Network(set_mocked_azure_provider())
+
+ network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ network.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
+
+ network._get_network_watchers()
+
+ mock_client.network_watchers.list_all.assert_called_once()
+ mock_client.network_watchers.list.assert_not_called()
+
+
+class Test_Network_get_bastion_hosts_extra:
+ def test_get_bastion_hosts_with_multiple_resource_groups(self):
+ mock_client = MagicMock()
+ mock_client.bastion_hosts = MagicMock()
+ mock_client.bastion_hosts.list_by_resource_group.return_value = []
+
+ with (
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_security_groups",
+ new=mock_network_get_security_groups,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
+ new=mock_network_get_bastion_hosts,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
+ new=mock_network_get_network_watchers,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
+ new=mock_network_get_public_ip_addresses,
+ ),
+ ):
+ network = Network(set_mocked_azure_provider())
+
+ network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ network.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
+
+ result = network._get_bastion_hosts()
+
+ assert mock_client.bastion_hosts.list_by_resource_group.call_count == 2
+ assert AZURE_SUBSCRIPTION_ID in result
+
+ def test_get_bastion_hosts_with_mixed_case_resource_group(self):
+ mock_client = MagicMock()
+ mock_client.bastion_hosts = MagicMock()
+ mock_client.bastion_hosts.list_by_resource_group.return_value = []
+
+ with (
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_security_groups",
+ new=mock_network_get_security_groups,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
+ new=mock_network_get_bastion_hosts,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
+ new=mock_network_get_network_watchers,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
+ new=mock_network_get_public_ip_addresses,
+ ),
+ ):
+ network = Network(set_mocked_azure_provider())
+
+ network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
+ network.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
+
+ network._get_bastion_hosts()
+
+ mock_client.bastion_hosts.list_by_resource_group.assert_called_once_with(
+ resource_group_name="RG"
+ )
+
+
+class Test_Network_get_public_ip_addresses_extra:
+ def test_get_public_ip_addresses_with_multiple_resource_groups(self):
+ mock_client = MagicMock()
+ mock_client.public_ip_addresses = MagicMock()
+ mock_client.public_ip_addresses.list.return_value = []
+
+ with (
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_security_groups",
+ new=mock_network_get_security_groups,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
+ new=mock_network_get_bastion_hosts,
+ ),
+ patch(
+ "prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
+ new=mock_network_get_network_watchers,
+ ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses", + new=mock_network_get_public_ip_addresses, + ), + ): + network = Network(set_mocked_azure_provider()) + + network.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + network.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST} + + result = network._get_public_ip_addresses() + + assert mock_client.public_ip_addresses.list.call_count == 2 + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_public_ip_addresses_with_mixed_case_resource_group(self): + mock_client = MagicMock() + mock_client.public_ip_addresses = MagicMock() + mock_client.public_ip_addresses.list.return_value = [] + + with ( + patch( + "prowler.providers.azure.services.network.network_service.Network._get_security_groups", + new=mock_network_get_security_groups, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts", + new=mock_network_get_bastion_hosts, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_network_watchers", + new=mock_network_get_network_watchers, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses", + new=mock_network_get_public_ip_addresses, + ), + ): + network = Network(set_mocked_azure_provider()) + + network.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + network.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]} + + network._get_public_ip_addresses() + + mock_client.public_ip_addresses.list.assert_called_once_with( + resource_group_name="RG" + ) + + +class Test_Network_get_virtual_networks_extra: + def _ctx(self): + return ( + patch( + "prowler.providers.azure.services.network.network_service.Network._get_security_groups", + new=mock_network_get_security_groups, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts", + new=mock_network_get_bastion_hosts, + ), + patch( + 
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers", + new=mock_network_get_network_watchers, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses", + new=mock_network_get_public_ip_addresses, + ), + ) + + def test_get_virtual_networks_no_resource_groups(self): + mock_client = MagicMock() + mock_client.virtual_networks = MagicMock() + mock_client.virtual_networks.list_all.return_value = [] + + with ( + patch( + "prowler.providers.azure.services.network.network_service.Network._get_security_groups", + new=mock_network_get_security_groups, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts", + new=mock_network_get_bastion_hosts, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_network_watchers", + new=mock_network_get_network_watchers, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses", + new=mock_network_get_public_ip_addresses, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_virtual_networks", + new=mock_network_get_virtual_networks, + ), + ): + network = Network(set_mocked_azure_provider()) + + network.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + network.resource_groups = None + + result = network._get_virtual_networks() + + mock_client.virtual_networks.list_all.assert_called_once() + mock_client.virtual_networks.list.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_virtual_networks_with_resource_group(self): + mock_client = MagicMock() + mock_client.virtual_networks = MagicMock() + mock_client.virtual_networks.list.return_value = [] + + with ( + patch( + "prowler.providers.azure.services.network.network_service.Network._get_security_groups", + new=mock_network_get_security_groups, + ), + patch( + 
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts", + new=mock_network_get_bastion_hosts, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_network_watchers", + new=mock_network_get_network_watchers, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses", + new=mock_network_get_public_ip_addresses, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_virtual_networks", + new=mock_network_get_virtual_networks, + ), + ): + network = Network(set_mocked_azure_provider()) + + network.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + network.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + result = network._get_virtual_networks() + + mock_client.virtual_networks.list.assert_called_once_with( + resource_group_name=RESOURCE_GROUP + ) + mock_client.virtual_networks.list_all.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_virtual_networks_empty_resource_group_for_subscription(self): + mock_client = MagicMock() + mock_client.virtual_networks = MagicMock() + + with ( + patch( + "prowler.providers.azure.services.network.network_service.Network._get_security_groups", + new=mock_network_get_security_groups, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts", + new=mock_network_get_bastion_hosts, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_network_watchers", + new=mock_network_get_network_watchers, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses", + new=mock_network_get_public_ip_addresses, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_virtual_networks", + new=mock_network_get_virtual_networks, + ), + ): + network = Network(set_mocked_azure_provider()) + + network.clients = 
{AZURE_SUBSCRIPTION_ID: mock_client} + network.resource_groups = {AZURE_SUBSCRIPTION_ID: []} + + result = network._get_virtual_networks() + + mock_client.virtual_networks.list.assert_not_called() + mock_client.virtual_networks.list_all.assert_not_called() + assert result[AZURE_SUBSCRIPTION_ID] == [] + + def test_get_virtual_networks_with_multiple_resource_groups(self): + mock_client = MagicMock() + mock_client.virtual_networks = MagicMock() + mock_client.virtual_networks.list.return_value = [] + + with ( + patch( + "prowler.providers.azure.services.network.network_service.Network._get_security_groups", + new=mock_network_get_security_groups, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts", + new=mock_network_get_bastion_hosts, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_network_watchers", + new=mock_network_get_network_watchers, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses", + new=mock_network_get_public_ip_addresses, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_virtual_networks", + new=mock_network_get_virtual_networks, + ), + ): + network = Network(set_mocked_azure_provider()) + + network.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + network.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST} + + result = network._get_virtual_networks() + + assert mock_client.virtual_networks.list.call_count == 2 + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_virtual_networks_with_mixed_case_resource_group(self): + mock_client = MagicMock() + mock_client.virtual_networks = MagicMock() + mock_client.virtual_networks.list.return_value = [] + + with ( + patch( + "prowler.providers.azure.services.network.network_service.Network._get_security_groups", + new=mock_network_get_security_groups, + ), + patch( + 
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts", + new=mock_network_get_bastion_hosts, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_network_watchers", + new=mock_network_get_network_watchers, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses", + new=mock_network_get_public_ip_addresses, + ), + patch( + "prowler.providers.azure.services.network.network_service.Network._get_virtual_networks", + new=mock_network_get_virtual_networks, + ), + ): + network = Network(set_mocked_azure_provider()) + + network.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + network.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]} + + network._get_virtual_networks() + + mock_client.virtual_networks.list.assert_called_once_with( + resource_group_name="RG" + ) diff --git a/tests/providers/azure/services/policy/policy_service_test.py b/tests/providers/azure/services/policy/policy_service_test.py index 381ab82466..5a983d8610 100644 --- a/tests/providers/azure/services/policy/policy_service_test.py +++ b/tests/providers/azure/services/policy/policy_service_test.py @@ -1,4 +1,4 @@ -from unittest.mock import patch +from unittest.mock import MagicMock, patch from prowler.providers.azure.services.policy.policy_service import ( Policy, @@ -6,6 +6,8 @@ from prowler.providers.azure.services.policy.policy_service import ( ) from tests.providers.azure.azure_fixtures import ( AZURE_SUBSCRIPTION_ID, + RESOURCE_GROUP, + RESOURCE_GROUP_LIST, set_mocked_azure_provider, ) 
@@ -52,3 +54,99 @@ class Test_Policy_Service: policy.policy_assigments[AZURE_SUBSCRIPTION_ID]["policy-1"].enforcement_mode == "Default" ) + + +class Test_Policy_get_policy_assigments: + def test_get_policy_assigments_no_resource_groups(self): + mock_client = MagicMock() + mock_client.policy_assignments.list.return_value = [] + + with patch( + "prowler.providers.azure.services.policy.policy_service.Policy._get_policy_assigments", + return_value={}, + ): + policy = Policy(set_mocked_azure_provider()) + + policy.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + policy.resource_groups = None + + result = policy._get_policy_assigments() + + mock_client.policy_assignments.list.assert_called_once() + mock_client.policy_assignments.list_for_resource_group.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_policy_assigments_with_resource_group(self): + mock_client = MagicMock() + mock_client.policy_assignments.list.return_value = [] + + with patch( + "prowler.providers.azure.services.policy.policy_service.Policy._get_policy_assigments", + return_value={}, + ): + policy = Policy(set_mocked_azure_provider()) + + policy.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + policy.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + result = policy._get_policy_assigments() + + mock_client.policy_assignments.list.assert_called_once() + mock_client.policy_assignments.list_for_resource_group.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_policy_assigments_empty_resource_group_for_subscription(self): + mock_client = MagicMock() + mock_client.policy_assignments.list.return_value = [] + + with patch( + "prowler.providers.azure.services.policy.policy_service.Policy._get_policy_assigments", + return_value={}, + ): + policy = Policy(set_mocked_azure_provider()) + + policy.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + policy.resource_groups = {AZURE_SUBSCRIPTION_ID: []} + + result = policy._get_policy_assigments() + + 
mock_client.policy_assignments.list.assert_called_once() + mock_client.policy_assignments.list_for_resource_group.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_policy_assigments_with_multiple_resource_groups(self): + mock_client = MagicMock() + mock_client.policy_assignments.list.return_value = [] + + with patch( + "prowler.providers.azure.services.policy.policy_service.Policy._get_policy_assigments", + return_value={}, + ): + policy = Policy(set_mocked_azure_provider()) + + policy.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + policy.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST} + + result = policy._get_policy_assigments() + + mock_client.policy_assignments.list.assert_called_once() + mock_client.policy_assignments.list_for_resource_group.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_policy_assigments_with_mixed_case_resource_group(self): + mock_client = MagicMock() + mock_client.policy_assignments.list.return_value = [] + + with patch( + "prowler.providers.azure.services.policy.policy_service.Policy._get_policy_assigments", + return_value={}, + ): + policy = Policy(set_mocked_azure_provider()) + + policy.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + policy.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]} + + policy._get_policy_assigments() + + mock_client.policy_assignments.list.assert_called_once() + mock_client.policy_assignments.list_for_resource_group.assert_not_called() diff --git a/tests/providers/azure/services/postgresql/postgresql_service_test.py b/tests/providers/azure/services/postgresql/postgresql_service_test.py index f372de8844..c9fea2b307 100644 --- a/tests/providers/azure/services/postgresql/postgresql_service_test.py +++ b/tests/providers/azure/services/postgresql/postgresql_service_test.py 
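Review bot: The four filtered cases in `Test_Policy_get_policy_assigments` (single, empty, multiple and "mixed case" resource groups) assert exactly what the unfiltered case asserts, `policy_assignments.list` called once and `list_for_resource_group` never called, so they pin that the resource-group filter has no effect on policy collection without saying why. With `{AZURE_SUBSCRIPTION_ID: []}` the postgresql, sqlserver, storage and recovery tests in this patch expect no listing call and an empty result, while policy still lists the whole subscription. If that exemption is intended, I would state it on the class, e.g. `"""Policy assignments are collected at subscription scope; resource_groups must not narrow the listing."""`, and fold the four duplicates into one test that loops over the inputs. Without that, a reader of a scoped scan has no way to tell that these results cover more than the selected groups.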
@@ -11,6 +11,8 @@ from prowler.providers.azure.services.postgresql.postgresql_service import ( ) from tests.providers.azure.azure_fixtures import ( AZURE_SUBSCRIPTION_ID, + RESOURCE_GROUP, + RESOURCE_GROUP_LIST, set_mocked_azure_provider, ) 
@@ -243,6 +245,103 @@ class Test_SqlServer_Service: ) +class Test_PostgreSQL_get_flexible_servers: + def test_get_flexible_servers_no_resource_groups(self): + mock_client = MagicMock() + mock_client.servers.list.return_value = [] + + with patch( + "prowler.providers.azure.services.postgresql.postgresql_service.PostgreSQL._get_flexible_servers", + return_value={}, + ): + postgresql = PostgreSQL(set_mocked_azure_provider()) + + postgresql.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + postgresql.resource_groups = None + + result = postgresql._get_flexible_servers() + + mock_client.servers.list.assert_called_once() + mock_client.servers.list_by_resource_group.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_flexible_servers_with_resource_group(self): + mock_client = MagicMock() + mock_client.servers.list_by_resource_group.return_value = [] + + with patch( + "prowler.providers.azure.services.postgresql.postgresql_service.PostgreSQL._get_flexible_servers", + return_value={}, + ): + postgresql = PostgreSQL(set_mocked_azure_provider()) + + postgresql.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + postgresql.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + result = postgresql._get_flexible_servers() + + mock_client.servers.list_by_resource_group.assert_called_once_with( + resource_group_name=RESOURCE_GROUP + ) + mock_client.servers.list.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_flexible_servers_empty_resource_group_for_subscription(self): + mock_client = MagicMock() + + with patch( + "prowler.providers.azure.services.postgresql.postgresql_service.PostgreSQL._get_flexible_servers", + return_value={}, + ): + postgresql = PostgreSQL(set_mocked_azure_provider()) + + postgresql.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + postgresql.resource_groups = {AZURE_SUBSCRIPTION_ID: []} + + result = postgresql._get_flexible_servers() + + mock_client.servers.list_by_resource_group.assert_not_called() 
+ mock_client.servers.list.assert_not_called() + assert result[AZURE_SUBSCRIPTION_ID] == [] + + def test_get_flexible_servers_with_multiple_resource_groups(self): + mock_client = MagicMock() + mock_client.servers.list_by_resource_group.return_value = [] + + with patch( + "prowler.providers.azure.services.postgresql.postgresql_service.PostgreSQL._get_flexible_servers", + return_value={}, + ): + postgresql = PostgreSQL(set_mocked_azure_provider()) + + postgresql.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + postgresql.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST} + + result = postgresql._get_flexible_servers() + + assert mock_client.servers.list_by_resource_group.call_count == 2 + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_flexible_servers_with_mixed_case_resource_group(self): + mock_client = MagicMock() + mock_client.servers.list_by_resource_group.return_value = [] + + with patch( + "prowler.providers.azure.services.postgresql.postgresql_service.PostgreSQL._get_flexible_servers", + return_value={}, + ): + postgresql = PostgreSQL(set_mocked_azure_provider()) + + postgresql.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + postgresql.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]} + + postgresql._get_flexible_servers() + + mock_client.servers.list_by_resource_group.assert_called_once_with( + resource_group_name="RG" + ) + + def _make_server(name): server = MagicMock() server.id = ( diff --git a/tests/providers/azure/services/recovery/__init__.py b/tests/providers/azure/services/recovery/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/providers/azure/services/recovery/recovery_service_test.py b/tests/providers/azure/services/recovery/recovery_service_test.py index 93dcad1e38..96c358b7d2 100644 --- a/tests/providers/azure/services/recovery/recovery_service_test.py +++ b/tests/providers/azure/services/recovery/recovery_service_test.py 
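Review bot: `test_get_flexible_servers_with_multiple_resource_groups` checks only `list_by_resource_group.call_count == 2`, which still passes if the same group is queried twice or if a group outside the requested scope is queried. For a scan-scoping feature the arguments are the contract, so I would also assert them: `mock_client.servers.list_by_resource_group.assert_has_calls([call(resource_group_name=rg) for rg in RESOURCE_GROUP_LIST], any_order=True)`, with `call` imported from `unittest.mock`, keeping the count check so extra calls still fail. This assumes `RESOURCE_GROUP_LIST` holds two distinct names; the fixture is defined outside this hunk. The same count-only assertion appears in the multiple-resource-group tests of the recovery, sqlserver and storage hunks.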
@@ -1,11 +1,18 @@ from types import SimpleNamespace from unittest import mock +from unittest.mock import MagicMock, patch from prowler.providers.azure.services.recovery.recovery_service import ( BackupVault, + Recovery, RecoveryBackup, ) -from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION_ID +from tests.providers.azure.azure_fixtures import ( + AZURE_SUBSCRIPTION_ID, + RESOURCE_GROUP, + RESOURCE_GROUP_LIST, + set_mocked_azure_provider, +) VAULT_ID = ( f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/resourceGroups/rg1/" 
@@ -20,6 +27,139 @@ class BackupClientFake: self.backup_policies.list.return_value = policies +class Test_Recovery_get_vaults: + def test_get_vaults_no_resource_groups(self): + mock_client = MagicMock() + mock_client.vaults = MagicMock() + mock_client.vaults.list_by_subscription_id.return_value = [] + + with ( + patch( + "prowler.providers.azure.services.recovery.recovery_service.Recovery._get_vaults", + return_value={}, + ), + patch( + "prowler.providers.azure.services.recovery.recovery_service.RecoveryBackup", + ), + ): + recovery = Recovery(set_mocked_azure_provider()) + + recovery.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + recovery.resource_groups = None + + result = recovery._get_vaults() + + mock_client.vaults.list_by_subscription_id.assert_called_once() + mock_client.vaults.list_by_resource_group.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_vaults_with_resource_group(self): + mock_vault = MagicMock() + mock_vault.id = "vault-id-1" + mock_vault.name = "my-vault" + mock_vault.location = "eastus" + + mock_client = MagicMock() + mock_client.vaults = MagicMock() + mock_client.vaults.list_by_resource_group.return_value = [mock_vault] + + with ( + patch( + "prowler.providers.azure.services.recovery.recovery_service.Recovery._get_vaults", + return_value={}, + ), + patch( + "prowler.providers.azure.services.recovery.recovery_service.RecoveryBackup", + ), + ): + recovery = Recovery(set_mocked_azure_provider()) + + recovery.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + recovery.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + result = recovery._get_vaults() + + mock_client.vaults.list_by_resource_group.assert_called_once_with( + resource_group_name=RESOURCE_GROUP + ) + mock_client.vaults.list_by_subscription_id.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + assert "vault-id-1" in result[AZURE_SUBSCRIPTION_ID] + + def test_get_vaults_empty_resource_group_for_subscription(self): + mock_client = 
MagicMock() + mock_client.vaults = MagicMock() + + with ( + patch( + "prowler.providers.azure.services.recovery.recovery_service.Recovery._get_vaults", + return_value={}, + ), + patch( + "prowler.providers.azure.services.recovery.recovery_service.RecoveryBackup", + ), + ): + recovery = Recovery(set_mocked_azure_provider()) + + recovery.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + recovery.resource_groups = {AZURE_SUBSCRIPTION_ID: []} + + result = recovery._get_vaults() + + mock_client.vaults.list_by_resource_group.assert_not_called() + mock_client.vaults.list_by_subscription_id.assert_not_called() + assert result[AZURE_SUBSCRIPTION_ID] == {} + + def test_get_vaults_with_multiple_resource_groups(self): + mock_client = MagicMock() + mock_client.vaults = MagicMock() + mock_client.vaults.list_by_resource_group.return_value = [] + + with ( + patch( + "prowler.providers.azure.services.recovery.recovery_service.Recovery._get_vaults", + return_value={}, + ), + patch( + "prowler.providers.azure.services.recovery.recovery_service.RecoveryBackup", + ), + ): + recovery = Recovery(set_mocked_azure_provider()) + + recovery.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + recovery.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST} + + result = recovery._get_vaults() + + assert mock_client.vaults.list_by_resource_group.call_count == 2 + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_vaults_with_mixed_case_resource_group(self): + mock_client = MagicMock() + mock_client.vaults = MagicMock() + mock_client.vaults.list_by_resource_group.return_value = [] + + with ( + patch( + "prowler.providers.azure.services.recovery.recovery_service.Recovery._get_vaults", + return_value={}, + ), + patch( + "prowler.providers.azure.services.recovery.recovery_service.RecoveryBackup", + ), + ): + recovery = Recovery(set_mocked_azure_provider()) + + recovery.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + recovery.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]} + + 
recovery._get_vaults() + + mock_client.vaults.list_by_resource_group.assert_called_once_with( + resource_group_name="RG" + ) + + class Test_RecoveryBackup_Service: def test_get_backup_policies_lists_unprotected_vault_policies(self): policy = SimpleNamespace( diff --git a/tests/providers/azure/services/sqlserver/sqlserver_service_test.py b/tests/providers/azure/services/sqlserver/sqlserver_service_test.py index 4fc4f073fe..7da2fe8b58 100644 --- a/tests/providers/azure/services/sqlserver/sqlserver_service_test.py +++ b/tests/providers/azure/services/sqlserver/sqlserver_service_test.py @@ -1,4 +1,4 @@ -from unittest.mock import patch +from unittest.mock import MagicMock, patch from azure.mgmt.sql.models import ( EncryptionProtector, @@ -16,6 +16,8 @@ from prowler.providers.azure.services.sqlserver.sqlserver_service import ( ) from tests.providers.azure.azure_fixtures import ( AZURE_SUBSCRIPTION_ID, + RESOURCE_GROUP, + RESOURCE_GROUP_LIST, set_mocked_azure_provider, ) 
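Review bot: `test_get_vaults_empty_resource_group_for_subscription` pins that an empty group list makes `_get_vaults` skip both listing calls and return `{}`, but nothing checks that the skip is visible to the operator. In a posture scanner an empty inventory reads the same as "no vaults, nothing to report", so a subscription whose filter resolved to no groups can look clean when it was never inspected. Whether the service or provider logs this case is not visible from the hunk. If it does, I would capture the log output here and assert the warning; if it does not, add a comment on the test such as `# [] means the subscription is excluded from scope, not "list everything"`. The empty-list tests in the postgresql, sqlserver and storage hunks have the same gap.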
@@ -245,3 +247,100 @@ class Test_SqlServer_Service: ].security_alert_policies.state == "Disabled" ) + + +class Test_SQLServer_get_sql_servers: + def test_get_sql_servers_no_resource_groups(self): + mock_client = MagicMock() + mock_client.servers.list.return_value = [] + + with patch( + "prowler.providers.azure.services.sqlserver.sqlserver_service.SQLServer._get_sql_servers", + return_value={}, + ): + sql_server = SQLServer(set_mocked_azure_provider()) + + sql_server.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + sql_server.resource_groups = None + + result = sql_server._get_sql_servers() + + mock_client.servers.list.assert_called_once() + mock_client.servers.list_by_resource_group.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_sql_servers_with_resource_group(self): + mock_client = MagicMock() + mock_client.servers.list_by_resource_group.return_value = [] + + with patch( + "prowler.providers.azure.services.sqlserver.sqlserver_service.SQLServer._get_sql_servers", + return_value={}, + ): + sql_server = SQLServer(set_mocked_azure_provider()) + + sql_server.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + sql_server.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + result = sql_server._get_sql_servers() + + mock_client.servers.list_by_resource_group.assert_called_once_with( + resource_group_name=RESOURCE_GROUP + ) + mock_client.servers.list.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_sql_servers_empty_resource_group_for_subscription(self): + mock_client = MagicMock() + + with patch( + "prowler.providers.azure.services.sqlserver.sqlserver_service.SQLServer._get_sql_servers", + return_value={}, + ): + sql_server = SQLServer(set_mocked_azure_provider()) + + sql_server.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + sql_server.resource_groups = {AZURE_SUBSCRIPTION_ID: []} + + result = sql_server._get_sql_servers() + + mock_client.servers.list_by_resource_group.assert_not_called() + 
mock_client.servers.list.assert_not_called() + assert result[AZURE_SUBSCRIPTION_ID] == [] + + def test_get_sql_servers_with_multiple_resource_groups(self): + mock_client = MagicMock() + mock_client.servers.list_by_resource_group.return_value = [] + + with patch( + "prowler.providers.azure.services.sqlserver.sqlserver_service.SQLServer._get_sql_servers", + return_value={}, + ): + sql_server = SQLServer(set_mocked_azure_provider()) + + sql_server.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + sql_server.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST} + + result = sql_server._get_sql_servers() + + assert mock_client.servers.list_by_resource_group.call_count == 2 + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_sql_servers_with_mixed_case_resource_group(self): + mock_client = MagicMock() + mock_client.servers.list_by_resource_group.return_value = [] + + with patch( + "prowler.providers.azure.services.sqlserver.sqlserver_service.SQLServer._get_sql_servers", + return_value={}, + ): + sql_server = SQLServer(set_mocked_azure_provider()) + + sql_server.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + sql_server.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]} + + sql_server._get_sql_servers() + + mock_client.servers.list_by_resource_group.assert_called_once_with( + resource_group_name="RG" + ) diff --git a/tests/providers/azure/services/storage/storage_service_test.py b/tests/providers/azure/services/storage/storage_service_test.py index 67fba33877..563b1b6a21 100644 --- a/tests/providers/azure/services/storage/storage_service_test.py +++ b/tests/providers/azure/services/storage/storage_service_test.py @@ -1,4 +1,4 @@ -from unittest.mock import patch +from unittest.mock import MagicMock, patch from prowler.providers.azure.services.storage.storage_service import ( Account, 
@@ -11,6 +11,8 @@ from prowler.providers.azure.services.storage.storage_service import ( ) from tests.providers.azure.azure_fixtures import ( AZURE_SUBSCRIPTION_ID, + RESOURCE_GROUP, + RESOURCE_GROUP_LIST, set_mocked_azure_provider, ) 
@@ -387,3 +389,155 @@ class Test_Storage_Service_Retention_Policy_None_Handling: is False ) assert account.file_service_properties.share_delete_retention_policy.days == 0 + + +class Test_Storage_get_storage_accounts: + def test_get_storage_accounts_no_resource_groups(self): + mock_client = MagicMock() + mock_client.storage_accounts = MagicMock() + mock_client.storage_accounts.list.return_value = [] + + with ( + patch( + "prowler.providers.azure.services.storage.storage_service.Storage._get_storage_accounts", + return_value={}, + ), + patch( + "prowler.providers.azure.services.storage.storage_service.Storage._get_blob_properties", + return_value=None, + ), + patch( + "prowler.providers.azure.services.storage.storage_service.Storage._get_file_share_properties", + return_value=None, + ), + ): + storage = Storage(set_mocked_azure_provider()) + + storage.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + storage.resource_groups = None + + result = storage._get_storage_accounts() + + mock_client.storage_accounts.list.assert_called_once() + mock_client.storage_accounts.list_by_resource_group.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_storage_accounts_with_resource_group(self): + mock_client = MagicMock() + mock_client.storage_accounts = MagicMock() + mock_client.storage_accounts.list_by_resource_group.return_value = [] + + with ( + patch( + "prowler.providers.azure.services.storage.storage_service.Storage._get_storage_accounts", + return_value={}, + ), + patch( + "prowler.providers.azure.services.storage.storage_service.Storage._get_blob_properties", + return_value=None, + ), + patch( + "prowler.providers.azure.services.storage.storage_service.Storage._get_file_share_properties", + return_value=None, + ), + ): + storage = Storage(set_mocked_azure_provider()) + + storage.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + storage.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + result = storage._get_storage_accounts() + + 
mock_client.storage_accounts.list_by_resource_group.assert_called_once_with( + resource_group_name=RESOURCE_GROUP + ) + mock_client.storage_accounts.list.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_storage_accounts_empty_resource_group_for_subscription(self): + mock_client = MagicMock() + mock_client.storage_accounts = MagicMock() + + with ( + patch( + "prowler.providers.azure.services.storage.storage_service.Storage._get_storage_accounts", + return_value={}, + ), + patch( + "prowler.providers.azure.services.storage.storage_service.Storage._get_blob_properties", + return_value=None, + ), + patch( + "prowler.providers.azure.services.storage.storage_service.Storage._get_file_share_properties", + return_value=None, + ), + ): + storage = Storage(set_mocked_azure_provider()) + + storage.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + storage.resource_groups = {AZURE_SUBSCRIPTION_ID: []} + + result = storage._get_storage_accounts() + + mock_client.storage_accounts.list_by_resource_group.assert_not_called() + mock_client.storage_accounts.list.assert_not_called() + assert result[AZURE_SUBSCRIPTION_ID] == [] + + def test_get_storage_accounts_with_multiple_resource_groups(self): + mock_client = MagicMock() + mock_client.storage_accounts = MagicMock() + mock_client.storage_accounts.list_by_resource_group.return_value = [] + + with ( + patch( + "prowler.providers.azure.services.storage.storage_service.Storage._get_storage_accounts", + return_value={}, + ), + patch( + "prowler.providers.azure.services.storage.storage_service.Storage._get_blob_properties", + return_value=None, + ), + patch( + "prowler.providers.azure.services.storage.storage_service.Storage._get_file_share_properties", + return_value=None, + ), + ): + storage = Storage(set_mocked_azure_provider()) + + storage.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + storage.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST} + + result = storage._get_storage_accounts() + + 
assert mock_client.storage_accounts.list_by_resource_group.call_count == 2 + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_storage_accounts_with_mixed_case_resource_group(self): + mock_client = MagicMock() + mock_client.storage_accounts = MagicMock() + mock_client.storage_accounts.list_by_resource_group.return_value = [] + + with ( + patch( + "prowler.providers.azure.services.storage.storage_service.Storage._get_storage_accounts", + return_value={}, + ), + patch( + "prowler.providers.azure.services.storage.storage_service.Storage._get_blob_properties", + return_value=None, + ), + patch( + "prowler.providers.azure.services.storage.storage_service.Storage._get_file_share_properties", + return_value=None, + ), + ): + storage = Storage(set_mocked_azure_provider()) + + storage.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + storage.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]} + + storage._get_storage_accounts() + + mock_client.storage_accounts.list_by_resource_group.assert_called_once_with( + resource_group_name="RG" + ) diff --git a/tests/providers/azure/services/vm/vm_service_test.py b/tests/providers/azure/services/vm/vm_service_test.py index 49b8045cf8..e25c6ffce3 100644 --- a/tests/providers/azure/services/vm/vm_service_test.py +++ b/tests/providers/azure/services/vm/vm_service_test.py @@ -14,6 +14,8 @@ from prowler.providers.azure.services.vm.vm_service import ( ) from tests.providers.azure.azure_fixtures import ( AZURE_SUBSCRIPTION_ID, + RESOURCE_GROUP, + RESOURCE_GROUP_LIST, set_mocked_azure_provider, ) 
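Review bot: `test_get_storage_accounts_with_mixed_case_resource_group` passes `["RG"]`, which is all upper case rather than mixed case, and asserts only that the same string reaches `list_by_resource_group`. Azure treats resource group names case-insensitively, so the property worth pinning is what happens when the name the user typed differs in case from the canonical one, and this test cannot fail on that. I would use a genuinely mixed value such as `"My-Rg"` (constructed sample) and state the contract in a comment, e.g. `# the service forwards the name exactly as the provider resolved it; no case folding at this layer`, once the provider's validation code, which is outside this hunk, confirms that. The postgresql, recovery and sqlserver hunks use the same `"RG"` input under the same test name.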
@@ -465,3 +467,328 @@ class Test_VirtualMachine_SecurityProfile_Validation: assert isinstance(vm.security_profile.uefi_settings, UefiSettings) assert vm.security_profile.uefi_settings.secure_boot_enabled is True assert vm.security_profile.uefi_settings.v_tpm_enabled is True + + +class Test_VM_get_virtual_machines: + def test_get_virtual_machines_no_resource_groups(self): + mock_client = MagicMock() + mock_client.virtual_machines = MagicMock() + mock_client.virtual_machines.list_all.return_value = [] + + with ( + patch.object(VirtualMachines, "_get_virtual_machines", return_value={}), + patch.object(VirtualMachines, "_get_disks", return_value={}), + patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}), + ): + vm_service = VirtualMachines(set_mocked_azure_provider()) + + vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + vm_service.resource_groups = None + + result = vm_service._get_virtual_machines() + + mock_client.virtual_machines.list_all.assert_called_once() + mock_client.virtual_machines.list.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_virtual_machines_with_resource_group(self): + mock_client = MagicMock() + mock_client.virtual_machines = MagicMock() + mock_client.virtual_machines.list.return_value = [] + + with ( + patch.object(VirtualMachines, "_get_virtual_machines", return_value={}), + patch.object(VirtualMachines, "_get_disks", return_value={}), + patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}), + ): + vm_service = VirtualMachines(set_mocked_azure_provider()) + + vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + result = vm_service._get_virtual_machines() + + mock_client.virtual_machines.list.assert_called_once_with( + resource_group_name=RESOURCE_GROUP + ) + mock_client.virtual_machines.list_all.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def 
test_get_virtual_machines_empty_resource_group_for_subscription(self): + mock_client = MagicMock() + mock_client.virtual_machines = MagicMock() + + with ( + patch.object(VirtualMachines, "_get_virtual_machines", return_value={}), + patch.object(VirtualMachines, "_get_disks", return_value={}), + patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}), + ): + vm_service = VirtualMachines(set_mocked_azure_provider()) + + vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: []} + + result = vm_service._get_virtual_machines() + + mock_client.virtual_machines.list.assert_not_called() + mock_client.virtual_machines.list_all.assert_not_called() + assert result[AZURE_SUBSCRIPTION_ID] == {} + + +class Test_VM_get_disks: + def test_get_disks_no_resource_groups(self): + mock_client = MagicMock() + mock_client.disks = MagicMock() + mock_client.disks.list.return_value = [] + + with ( + patch.object(VirtualMachines, "_get_virtual_machines", return_value={}), + patch.object(VirtualMachines, "_get_disks", return_value={}), + patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}), + ): + vm_service = VirtualMachines(set_mocked_azure_provider()) + + vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + vm_service.resource_groups = None + + result = vm_service._get_disks() + + mock_client.disks.list.assert_called_once() + mock_client.disks.list_by_resource_group.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_disks_with_resource_group(self): + mock_client = MagicMock() + mock_client.disks = MagicMock() + mock_client.disks.list_by_resource_group.return_value = [] + + with ( + patch.object(VirtualMachines, "_get_virtual_machines", return_value={}), + patch.object(VirtualMachines, "_get_disks", return_value={}), + patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}), + ): + vm_service = VirtualMachines(set_mocked_azure_provider()) + + 
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + result = vm_service._get_disks() + + mock_client.disks.list_by_resource_group.assert_called_once_with( + resource_group_name=RESOURCE_GROUP + ) + mock_client.disks.list.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_disks_empty_resource_group_for_subscription(self): + mock_client = MagicMock() + mock_client.disks = MagicMock() + + with ( + patch.object(VirtualMachines, "_get_virtual_machines", return_value={}), + patch.object(VirtualMachines, "_get_disks", return_value={}), + patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}), + ): + vm_service = VirtualMachines(set_mocked_azure_provider()) + + vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: []} + + result = vm_service._get_disks() + + mock_client.disks.list_by_resource_group.assert_not_called() + mock_client.disks.list.assert_not_called() + assert result[AZURE_SUBSCRIPTION_ID] == {} + + +class Test_VM_get_vm_scale_sets: + def test_get_vm_scale_sets_no_resource_groups(self): + mock_client = MagicMock() + mock_client.virtual_machine_scale_sets = MagicMock() + mock_client.virtual_machine_scale_sets.list_all.return_value = [] + + with ( + patch.object(VirtualMachines, "_get_virtual_machines", return_value={}), + patch.object(VirtualMachines, "_get_disks", return_value={}), + patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}), + ): + vm_service = VirtualMachines(set_mocked_azure_provider()) + + vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + vm_service.resource_groups = None + + result = vm_service._get_vm_scale_sets() + + mock_client.virtual_machine_scale_sets.list_all.assert_called_once() + mock_client.virtual_machine_scale_sets.list.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def 
test_get_vm_scale_sets_with_resource_group(self): + mock_client = MagicMock() + mock_client.virtual_machine_scale_sets = MagicMock() + mock_client.virtual_machine_scale_sets.list.return_value = [] + + with ( + patch.object(VirtualMachines, "_get_virtual_machines", return_value={}), + patch.object(VirtualMachines, "_get_disks", return_value={}), + patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}), + ): + vm_service = VirtualMachines(set_mocked_azure_provider()) + + vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]} + + result = vm_service._get_vm_scale_sets() + + mock_client.virtual_machine_scale_sets.list.assert_called_once_with( + resource_group_name=RESOURCE_GROUP + ) + mock_client.virtual_machine_scale_sets.list_all.assert_not_called() + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_vm_scale_sets_empty_resource_group_for_subscription(self): + mock_client = MagicMock() + mock_client.virtual_machine_scale_sets = MagicMock() + + with ( + patch.object(VirtualMachines, "_get_virtual_machines", return_value={}), + patch.object(VirtualMachines, "_get_disks", return_value={}), + patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}), + ): + vm_service = VirtualMachines(set_mocked_azure_provider()) + + vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: []} + + result = vm_service._get_vm_scale_sets() + + mock_client.virtual_machine_scale_sets.list.assert_not_called() + mock_client.virtual_machine_scale_sets.list_all.assert_not_called() + assert result[AZURE_SUBSCRIPTION_ID] == {} + + def test_get_virtual_machines_with_multiple_resource_groups(self): + mock_client = MagicMock() + mock_client.virtual_machines = MagicMock() + mock_client.virtual_machines.list.return_value = [] + + with ( + patch.object(VirtualMachines, "_get_virtual_machines", return_value={}), + patch.object(VirtualMachines, 
"_get_disks", return_value={}), + patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}), + ): + vm_service = VirtualMachines(set_mocked_azure_provider()) + + vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST} + + result = vm_service._get_virtual_machines() + + assert mock_client.virtual_machines.list.call_count == 2 + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_virtual_machines_with_mixed_case_resource_group(self): + mock_client = MagicMock() + mock_client.virtual_machines = MagicMock() + mock_client.virtual_machines.list.return_value = [] + + with ( + patch.object(VirtualMachines, "_get_virtual_machines", return_value={}), + patch.object(VirtualMachines, "_get_disks", return_value={}), + patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}), + ): + vm_service = VirtualMachines(set_mocked_azure_provider()) + + vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]} + + vm_service._get_virtual_machines() + + mock_client.virtual_machines.list.assert_called_once_with( + resource_group_name="RG" + ) + + +class Test_VM_get_disks_extra: + def test_get_disks_with_multiple_resource_groups(self): + mock_client = MagicMock() + mock_client.disks = MagicMock() + mock_client.disks.list_by_resource_group.return_value = [] + + with ( + patch.object(VirtualMachines, "_get_virtual_machines", return_value={}), + patch.object(VirtualMachines, "_get_disks", return_value={}), + patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}), + ): + vm_service = VirtualMachines(set_mocked_azure_provider()) + + vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST} + + result = vm_service._get_disks() + + assert mock_client.disks.list_by_resource_group.call_count == 2 + assert AZURE_SUBSCRIPTION_ID in result + + def 
test_get_disks_with_mixed_case_resource_group(self): + mock_client = MagicMock() + mock_client.disks = MagicMock() + mock_client.disks.list_by_resource_group.return_value = [] + + with ( + patch.object(VirtualMachines, "_get_virtual_machines", return_value={}), + patch.object(VirtualMachines, "_get_disks", return_value={}), + patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}), + ): + vm_service = VirtualMachines(set_mocked_azure_provider()) + + vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]} + + vm_service._get_disks() + + mock_client.disks.list_by_resource_group.assert_called_once_with( + resource_group_name="RG" + ) + + +class Test_VM_get_vm_scale_sets_extra: + def test_get_vm_scale_sets_with_multiple_resource_groups(self): + mock_client = MagicMock() + mock_client.virtual_machine_scale_sets = MagicMock() + mock_client.virtual_machine_scale_sets.list.return_value = [] + + with ( + patch.object(VirtualMachines, "_get_virtual_machines", return_value={}), + patch.object(VirtualMachines, "_get_disks", return_value={}), + patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}), + ): + vm_service = VirtualMachines(set_mocked_azure_provider()) + + vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST} + + result = vm_service._get_vm_scale_sets() + + assert mock_client.virtual_machine_scale_sets.list.call_count == 2 + assert AZURE_SUBSCRIPTION_ID in result + + def test_get_vm_scale_sets_with_mixed_case_resource_group(self): + mock_client = MagicMock() + mock_client.virtual_machine_scale_sets = MagicMock() + mock_client.virtual_machine_scale_sets.list.return_value = [] + + with ( + patch.object(VirtualMachines, "_get_virtual_machines", return_value={}), + patch.object(VirtualMachines, "_get_disks", return_value={}), + patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}), + ): 
+ vm_service = VirtualMachines(set_mocked_azure_provider()) + + vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client} + vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]} + + vm_service._get_vm_scale_sets() + + mock_client.virtual_machine_scale_sets.list.assert_called_once_with( + resource_group_name="RG" + )
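Review bot: The `*_with_multiple_resource_groups` tests for `_get_virtual_machines`, `_get_disks` and `_get_vm_scale_sets` assert only `call_count == 2` against mocks that return `[]`, so they would still pass if the service queried the same group twice or kept only the last group's results, and for a scanner that is a silent coverage gap. I would pin the groups actually requested, e.g. `assert {c.kwargs["resource_group_name"] for c in mock_client.virtual_machines.list.call_args_list} == set(RESOURCE_GROUP_LIST)`, and give each call a distinct item through `side_effect` so the merged result can be asserted; this assumes `RESOURCE_GROUP_LIST` holds two distinct names, which the fixture outside this hunk defines. The `*_with_mixed_case_resource_group` tests pass the all-upper-case `"RG"` and check only that it is forwarded unchanged, so the name promises more than is verified; a one-line comment such as `# the resource group name is forwarded as given; no case normalisation at this layer` (if that is the intent) would make the contract explicit. The two `_get_virtual_machines` tests placed under `Test_VM_get_vm_scale_sets` look like they belong in `Test_VM_get_virtual_machines`.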