feat(azure): filtering scans at resource group level (#10657)

Signed-off-by: Legin-ML <leginml2004@gmail.com>
Legin
2026-07-02 14:57:53 +05:30
committed by GitHub
parent b6f74c7284
commit 537c3ea71e
91 changed files with 4461 additions and 99 deletions
+1
@@ -237,6 +237,7 @@
"user-guide/providers/azure/authentication", "user-guide/providers/azure/authentication",
"user-guide/providers/azure/use-non-default-cloud", "user-guide/providers/azure/use-non-default-cloud",
"user-guide/providers/azure/subscriptions", "user-guide/providers/azure/subscriptions",
"user-guide/providers/azure/resource-groups",
"user-guide/providers/azure/create-prowler-service-principal" "user-guide/providers/azure/create-prowler-service-principal"
] ]
}, },
@@ -0,0 +1,47 @@
---
title: 'Azure Resource Group Scope'
---
Prowler supports narrowing security scans to specific resource groups within Azure subscriptions. This is useful when you want to audit only a subset of resources rather than scanning an entire subscription.
By default, Prowler scans all resource groups it has permission to access. Passing `--azure-resource-group` limits the scan to only the specified resource groups across all accessible subscriptions.
## Configuring Resource Group Scoped Scans
To restrict a scan to one or more resource groups, pass them as arguments using the `--azure-resource-group` flag:
```console
prowler azure --az-cli-auth --azure-resource-group <resource-group-1> <resource-group-2> ... <resource-group-N>
```
For example, to scan only `rg-production` and `rg-staging`:
```console
prowler azure --az-cli-auth --azure-resource-group rg-prod1 rg-prod2
```
This works with all supported authentication methods:
```console
# Service Principal
prowler azure --sp-env-auth --azure-resource-group rg-production
# Browser
prowler azure --browser-auth --tenant-id <tenant-id> --azure-resource-group rg-production
# Managed Identity
prowler azure --managed-identity-auth --azure-resource-group rg-production
```
## How It Works
When `--azure-resource-group` is provided, Prowler validates each specified resource group against all accessible subscriptions. A resource group is included in the scan if it exists in **at least one** subscription.
- If a resource group is found in one or more subscriptions, it will be scanned in those subscriptions only.
- If a resource group is **not found in any** subscription, Prowler logs a warning and skips it.
- If **none** of the provided resource groups are found across any subscription, Prowler logs a warning and no resource group scoped checks will run.
- Resource group names are matched case-insensitively, so `MyGroup` and `mygroup` are treated as the same group, mirroring Azure's own behavior.
<Warning>
If `--azure-resource-group` is used, checks that apply to specific resources are limited to the relevant resource groups. But if checks that apply to tenant or subscription scope (identity, policy, or subscription-level configuration checks) are involved, then these checks will run in their natural scope.
</Warning>
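Review bot: The example under "Configuring Resource Group Scoped Scans" says it scans only `rg-production` and `rg-staging`, but the command passes `rg-prod1 rg-prod2`; use the same names in the sentence and the command. The "How It Works" list also omits the case handled in `validate_resource_groups` where listing resource groups fails for a subscription (a warning is logged and that subscription ends up with no resource groups), and the page never mentions the `--azure-resource-groups` alias that the parser registers. Both belong here, since a reader relies on this page to know which resources a scoped scan did not cover.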
+1 -1
@@ -26,6 +26,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- AWS Bedrock AgentCore privilege escalation paths in the IAM privilege escalation checks, covering Runtime, Harness, Code Interpreter and Custom Browser [(#11726)](https://github.com/prowler-cloud/prowler/pull/11726) - AWS Bedrock AgentCore privilege escalation paths in the IAM privilege escalation checks, covering Runtime, Harness, Code Interpreter and Custom Browser [(#11726)](https://github.com/prowler-cloud/prowler/pull/11726)
- `--scan-secrets-validate` flag and `aws.secrets_validate` configuration option to optionally validate the secrets discovered by the secret-scanning checks against the provider APIs; secrets confirmed to be live are reported as critical [(#11694)](https://github.com/prowler-cloud/prowler/pull/11694) - `--scan-secrets-validate` flag and `aws.secrets_validate` configuration option to optionally validate the secrets discovered by the secret-scanning checks against the provider APIs; secrets confirmed to be live are reported as critical [(#11694)](https://github.com/prowler-cloud/prowler/pull/11694)
- `apigateway_restapi_no_secrets_in_stage_variables` check for AWS provider, scanning API Gateway REST API stage variables for hardcoded secrets such as passwords, API keys, and tokens [(#11188)](https://github.com/prowler-cloud/prowler/pull/11188) - `apigateway_restapi_no_secrets_in_stage_variables` check for AWS provider, scanning API Gateway REST API stage variables for hardcoded secrets such as passwords, API keys, and tokens [(#11188)](https://github.com/prowler-cloud/prowler/pull/11188)
- Azure provider now supports `--azure-resource-group` to scope resource-level checks to specific resource groups across all accessible subscriptions [(#10657)](https://github.com/prowler-cloud/prowler/pull/10657)
### 🔄 Changed ### 🔄 Changed
@@ -324,7 +325,6 @@ All notable changes to the **Prowler SDK** are documented in this file.
- `bedrock_prompt_management_exists` check for AWS provider [(#10878)](https://github.com/prowler-cloud/prowler/pull/10878) - `bedrock_prompt_management_exists` check for AWS provider [(#10878)](https://github.com/prowler-cloud/prowler/pull/10878)
- 8 Gmail attachment safety and spoofing protection checks for Google Workspace provider using the Cloud Identity Policy API [(#10980)](https://github.com/prowler-cloud/prowler/pull/10980) - 8 Gmail attachment safety and spoofing protection checks for Google Workspace provider using the Cloud Identity Policy API [(#10980)](https://github.com/prowler-cloud/prowler/pull/10980)
- `bedrock_prompt_encrypted_with_cmk` check for AWS provider [(#10905)](https://github.com/prowler-cloud/prowler/pull/10905) - `bedrock_prompt_encrypted_with_cmk` check for AWS provider [(#10905)](https://github.com/prowler-cloud/prowler/pull/10905)
### 🔄 Changed ### 🔄 Changed
- Azure Network Watcher flow log checks now require workspace-backed Traffic Analytics for `network_flow_log_captured_sent` and align metadata with VNet-compatible flow log guidance [(#10645)](https://github.com/prowler-cloud/prowler/pull/10645) - Azure Network Watcher flow log checks now require workspace-backed Traffic Analytics for `network_flow_log_captured_sent` and align metadata with VNet-compatible flow log guidance [(#10645)](https://github.com/prowler-cloud/prowler/pull/10645)
+67 -2
@@ -16,6 +16,7 @@ from azure.identity import (
DefaultAzureCredential, DefaultAzureCredential,
InteractiveBrowserCredential, InteractiveBrowserCredential,
) )
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.subscription import SubscriptionClient from azure.mgmt.subscription import SubscriptionClient
from colorama import Fore, Style from colorama import Fore, Style
from msgraph import GraphServiceClient from msgraph import GraphServiceClient
@@ -104,6 +105,7 @@ class AzureProvider(Provider):
_region_config: AzureRegionConfig _region_config: AzureRegionConfig
_locations: dict _locations: dict
_mutelist: AzureMutelist _mutelist: AzureMutelist
_resource_groups: dict[str, list[str]]
# TODO: this is not optional, enforce for all providers # TODO: this is not optional, enforce for all providers
audit_metadata: Audit_Metadata audit_metadata: Audit_Metadata
@@ -123,6 +125,7 @@ class AzureProvider(Provider):
mutelist_content: dict = None, mutelist_content: dict = None,
client_id: str = None, client_id: str = None,
client_secret: str = None, client_secret: str = None,
resource_groups: list = [],
): ):
""" """
Initializes the Azure provider. Initializes the Azure provider.
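Review bot: `resource_groups: list = [],` in the `__init__` signature is a mutable default argument, so the same list object is shared by every call that omits it, while the neighbouring parameters default to `None`. Suggest `resource_groups: list[str] | None = None` and passing `resource_groups or []` to `validate_resource_groups`.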
@@ -142,6 +145,7 @@ class AzureProvider(Provider):
mutelist_content (dict): The mutelist content. mutelist_content (dict): The mutelist content.
client_id (str): The Azure client ID. client_id (str): The Azure client ID.
client_secret (str): The Azure client secret. client_secret (str): The Azure client secret.
resource_groups (list): List of resource group names.
Returns: Returns:
None None
@@ -206,7 +210,7 @@ class AzureProvider(Provider):
... managed_identity_auth=False, ... managed_identity_auth=False,
... region="AzureUSGovernment", ... region="AzureUSGovernment",
... ) ... )
- Subscriptions: rowler is multisubscription, which means that is going to scan all the subscriptions is able to list. If you only assign permissions to one subscription, it is going to scan a single one. - Subscriptions: Prowler is multisubscription, which means that is going to scan all the subscriptions is able to list. If you only assign permissions to one subscription, it is going to scan a single one.
Prowler also allows you to specify the subscriptions you want to scan by passing a list of subscription IDs. Prowler also allows you to specify the subscriptions you want to scan by passing a list of subscription IDs.
>>> AzureProvider( >>> AzureProvider(
... az_cli_auth=False, ... az_cli_auth=False,
@@ -215,6 +219,11 @@ class AzureProvider(Provider):
... managed_identity_auth=False, ... managed_identity_auth=False,
... subscription_ids=["XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"], ... subscription_ids=["XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"],
... ) ... )
- Resource Groups: Prowler allows you to narrow the scan to specific resource groups.
>>> AzureProvider(
... az_cli_auth=True,
... resource_groups=["rg-production", "rg-staging"],
... )
""" """
logger.info("Setting Azure provider ...") logger.info("Setting Azure provider ...")
@@ -272,6 +281,8 @@ class AzureProvider(Provider):
# TODO: should we keep this here or within the identity? # TODO: should we keep this here or within the identity?
self._locations = self.get_locations() self._locations = self.get_locations()
self._resource_groups = self.validate_resource_groups(resource_groups)
# Audit Config # Audit Config
if config_content: if config_content:
self._audit_config = config_content self._audit_config = config_content
@@ -337,6 +348,11 @@ class AzureProvider(Provider):
"""Mutelist object associated with this Azure provider.""" """Mutelist object associated with this Azure provider."""
return self._mutelist return self._mutelist
@property
def resource_groups(self) -> dict[str, list[str]]:
"""Mapping of subscription name to the list of resource groups to scan within it."""
return self._resource_groups
# TODO: this should be moved to the argparse, if not we need to enforce it from the Provider # TODO: this should be moved to the argparse, if not we need to enforce it from the Provider
# previously was using the AzureException # previously was using the AzureException
@staticmethod @staticmethod
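Review bot: The `resource_groups` property docstring says the mapping is keyed by subscription name, but `validate_resource_groups` builds `rg_map` from the keys of `self._identity.subscriptions`, which it unpacks as `subscription_id, display_name`. State the real key in the docstring and confirm it is the same key each service uses for `self.clients`, because `list_with_rg_scope` does `self.resource_groups.get(subscription_id, [])` and a key mismatch would silently return an empty list for every scoped listing.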
@@ -439,7 +455,7 @@ class AzureProvider(Provider):
"""Azure credentials information. """Azure credentials information.
This method prints the Azure Tenant Domain, Azure Tenant ID, Azure Region, This method prints the Azure Tenant Domain, Azure Tenant ID, Azure Region,
Azure Subscriptions, Azure Identity Type, and Azure Identity ID. Azure Subscriptions, Azure Resource Groups, Azure Identity Type, and Azure Identity ID.
Args: Args:
None None
@@ -455,6 +471,7 @@ class AzureProvider(Provider):
f"Azure Tenant Domain: {Fore.YELLOW}{self._identity.tenant_domain}{Style.RESET_ALL} Azure Tenant ID: {Fore.YELLOW}{self._identity.tenant_ids[0]}{Style.RESET_ALL}", f"Azure Tenant Domain: {Fore.YELLOW}{self._identity.tenant_domain}{Style.RESET_ALL} Azure Tenant ID: {Fore.YELLOW}{self._identity.tenant_ids[0]}{Style.RESET_ALL}",
f"Azure Region: {Fore.YELLOW}{self.region_config.name}{Style.RESET_ALL}", f"Azure Region: {Fore.YELLOW}{self.region_config.name}{Style.RESET_ALL}",
f"Azure Subscriptions: {Fore.YELLOW}{printed_subscriptions}{Style.RESET_ALL}", f"Azure Subscriptions: {Fore.YELLOW}{printed_subscriptions}{Style.RESET_ALL}",
f"Azure Resource Groups: {Fore.YELLOW}{sorted({rg for rgs in self._resource_groups.values() for rg in rgs}) if any(self._resource_groups.values()) else ('NONE (no matching resource groups found)' if self._resource_groups else 'ALL')}{Style.RESET_ALL}",
f"Azure Identity Type: {Fore.YELLOW}{self._identity.identity_type}{Style.RESET_ALL} Azure Identity ID: {Fore.YELLOW}{self._identity.identity_id}{Style.RESET_ALL}", f"Azure Identity Type: {Fore.YELLOW}{self._identity.identity_type}{Style.RESET_ALL} Azure Identity ID: {Fore.YELLOW}{self._identity.identity_id}{Style.RESET_ALL}",
] ]
report_title = ( report_title = (
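Review bot: The new "Azure Resource Groups" entry packs a set comprehension and a nested conditional into one f-string, which makes the three states (matched names, `NONE`, `ALL`) hard to verify by reading. Compute the value in a local variable above `report_lines`, next to `printed_subscriptions`, and interpolate that. The `ALL` branch depends on `_resource_groups` being an empty dict only when the flag was not passed, which deserves a short comment since it is the only indication an operator gets that the scan was not scoped.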
@@ -1102,6 +1119,54 @@ class AzureProvider(Provider):
return set(chain.from_iterable(locations.values())) return set(chain.from_iterable(locations.values()))
def validate_resource_groups(self, resource_groups: list) -> dict[str, list[str]]:
resource_groups = [r.strip() for r in resource_groups if r and r.strip()]
if not resource_groups:
return {}
rg_map = {
subscription_id: [] for subscription_id in self._identity.subscriptions
}
credentials = self.session
for subscription_id, display_name in self._identity.subscriptions.items():
try:
rg_client = ResourceManagementClient(
credentials,
subscription_id,
base_url=self._region_config.base_url,
credential_scopes=self._region_config.credential_scopes,
)
existing_rgs = {
rg.name.lower(): rg.name for rg in rg_client.resource_groups.list()
}
except Exception as e:
logger.warning(
f"Could not list resource groups for subscription '{display_name}' "
f"({subscription_id}): {e}. Skipping resource group filtering for this subscription."
)
continue
for rg in resource_groups:
real_name = existing_rgs.get(rg.lower())
if real_name:
rg_map[subscription_id].append(real_name)
for rg in resource_groups:
if not any(rg.lower() == r.lower() for rgs in rg_map.values() for r in rgs):
logger.warning(
f"Resource group '{rg}' was not found in any subscription. "
"Please check the resource group name and try again."
)
if not any(rgs for rgs in rg_map.values()):
logger.warning(
f"None of the provided resource groups {resource_groups} were found "
"in any subscription. Please check the resource group names and try again."
)
return rg_map
@staticmethod @staticmethod
def validate_static_credentials( def validate_static_credentials(
tenant_id: str = None, tenant_id: str = None,
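Review bot: In the `except Exception` branch of `validate_resource_groups`, the warning says "Skipping resource group filtering for this subscription", but `continue` leaves `rg_map[subscription_id]` as `[]`, and `list_with_rg_scope` returns `[]` for a subscription with no resource groups. The subscription is therefore dropped from resource-level checks, not scanned unfiltered. Reword the message to say the subscription will be excluded, or decide explicitly that a listing failure should abort a scoped scan, so a permissions error does not turn into an unnoticed coverage gap. The method also has no docstring describing the returned mapping and its keys.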
@@ -53,6 +53,16 @@ def init_parser(self):
type=validate_azure_region, type=validate_azure_region,
help="Azure region from `az cloud list --output table`, by default AzureCloud", help="Azure region from `az cloud list --output table`, by default AzureCloud",
) )
# Resource Groups
azure_rg_subparser = azure_parser.add_argument_group("Resource Groups")
azure_rg_subparser.add_argument(
"--azure-resource-group",
"--azure-resource-groups",
nargs="+",
default=[],
dest="resource_groups",
help="Azure Resource Group names to scope the scan to specific groups.",
)
def validate_azure_region(region): def validate_azure_region(region):
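Review bot: `--azure-resource-group` has no `type=` validator, unlike `--azure-region` directly above, which uses `type=validate_azure_region`; empty or whitespace-only values are only filtered later inside `validate_resource_groups`. Consider rejecting blank names at parse time so the error reaches the user before authentication. The help text should also say that tenant-level and subscription-level checks still run in their natural scope, as the new documentation page warns.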
@@ -26,6 +26,7 @@ class AzureService:
) )
self.subscriptions = provider.identity.subscriptions self.subscriptions = provider.identity.subscriptions
self.resource_groups = provider.resource_groups
self.locations = provider.locations self.locations = provider.locations
self.audit_config = provider.audit_config self.audit_config = provider.audit_config
self.fixer_config = provider.fixer_config self.fixer_config = provider.fixer_config
@@ -49,6 +50,26 @@ class AzureService:
return results return results
def list_with_rg_scope(self, subscription_id, list_all_fn, list_by_rg_fn):
if not self.resource_groups:
return list(list_all_fn())
resource_groups = self.resource_groups.get(subscription_id, [])
if not resource_groups:
logger.info(
f"No valid resource groups for subscription {subscription_id}, skipping."
)
return []
output = []
for resource_group in resource_groups:
try:
output += list(list_by_rg_fn(resource_group_name=resource_group))
except Exception as error:
logger.warning(
f"Subscription ID: {subscription_id} -- Resource Group: {resource_group} -- "
f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
return output
def __set_clients__(self, identity, session, service, region_config): def __set_clients__(self, identity, session, service, region_config):
clients = {} clients = {}
try: try:
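Review bot: Inside the `for resource_group in resource_groups` loop of `list_with_rg_scope`, a failed `list_by_rg_fn` call is logged with `logger.warning` and then swallowed, so the caller receives a partial list that looks the same as a complete one. The unscoped branch, `return list(list_all_fn())`, lets the exception reach the caller instead. Log the per-resource-group failure at error level, or return which resource groups failed, so that an incomplete scoped listing is visible. The method also needs a docstring stating that `list_by_rg_fn` must accept a `resource_group_name` keyword, since every caller passes a different SDK method.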
@@ -17,7 +17,11 @@ class AISearch(AzureService):
for subscription, client in self.clients.items(): for subscription, client in self.clients.items():
try: try:
aisearch_services.update({subscription: {}}) aisearch_services.update({subscription: {}})
aisearch_services_list = client.services.list_by_subscription() aisearch_services_list = self.list_with_rg_scope(
subscription,
client.services.list_by_subscription,
client.services.list_by_resource_group,
)
for aisearch_service in aisearch_services_list: for aisearch_service in aisearch_services_list:
aisearch_services[subscription].update( aisearch_services[subscription].update(
{ {
@@ -19,8 +19,12 @@ class AKS(AzureService):
for subscription_id, client in self.clients.items(): for subscription_id, client in self.clients.items():
try: try:
clusters_list = client.managed_clusters.list()
clusters.update({subscription_id: {}}) clusters.update({subscription_id: {}})
clusters_list = self.list_with_rg_scope(
subscription_id,
client.managed_clusters.list,
client.managed_clusters.list_by_resource_group,
)
for cluster in clusters_list: for cluster in clusters_list:
if getattr(cluster, "kubernetes_version", None): if getattr(cluster, "kubernetes_version", None):
@@ -131,7 +131,11 @@ class APIM(AzureService):
for subscription, client in self.clients.items(): for subscription, client in self.clients.items():
try: try:
instances.update({subscription: []}) instances.update({subscription: []})
apim_instances = client.api_management_service.list() apim_instances = self.list_with_rg_scope(
subscription,
client.api_management_service.list,
client.api_management_service.list_by_resource_group,
)
for instance in apim_instances: for instance in apim_instances:
workspace_id = self._get_log_analytics_workspace_id( workspace_id = self._get_log_analytics_workspace_id(
@@ -22,8 +22,12 @@ class App(AzureService):
for subscription_id, client in self.clients.items(): for subscription_id, client in self.clients.items():
try: try:
apps_list = client.web_apps.list()
apps.update({subscription_id: {}}) apps.update({subscription_id: {}})
apps_list = self.list_with_rg_scope(
subscription_id,
client.web_apps.list,
client.web_apps.list_by_resource_group,
)
for app in apps_list: for app in apps_list:
# Filter function apps # Filter function apps
@@ -117,8 +121,12 @@ class App(AzureService):
for subscription_id, client in self.clients.items(): for subscription_id, client in self.clients.items():
try: try:
functions_list = client.web_apps.list()
functions.update({subscription_id: {}}) functions.update({subscription_id: {}})
functions_list = self.list_with_rg_scope(
subscription_id,
client.web_apps.list,
client.web_apps.list_by_resource_group,
)
for function in functions_list: for function in functions_list:
# Filter function apps # Filter function apps
@@ -17,8 +17,12 @@ class AppInsights(AzureService):
for subscription_id, client in self.clients.items(): for subscription_id, client in self.clients.items():
try: try:
components_list = client.components.list()
components.update({subscription_id: {}}) components.update({subscription_id: {}})
components_list = self.list_with_rg_scope(
subscription_id,
client.components.list,
client.components.list_by_resource_group,
)
for component in components_list: for component in components_list:
components[subscription_id].update( components[subscription_id].update(
@@ -19,8 +19,12 @@ class ContainerRegistry(AzureService):
registries = {} registries = {}
for subscription, client in self.clients.items(): for subscription, client in self.clients.items():
try: try:
registries_list = client.registries.list()
registries.update({subscription: {}}) registries.update({subscription: {}})
registries_list = self.list_with_rg_scope(
subscription,
client.registries.list,
client.registries.list_by_resource_group,
)
for registry in registries_list: for registry in registries_list:
resource_group = self._get_resource_group(registry.id) resource_group = self._get_resource_group(registry.id)
@@ -18,8 +18,13 @@ class CosmosDB(AzureService):
accounts = {} accounts = {}
for subscription, client in self.clients.items(): for subscription, client in self.clients.items():
try: try:
accounts_list = client.database_accounts.list()
accounts.update({subscription: []}) accounts.update({subscription: []})
accounts_list = self.list_with_rg_scope(
subscription,
client.database_accounts.list,
client.database_accounts.list_by_resource_group,
)
for account in accounts_list: for account in accounts_list:
accounts[subscription].append( accounts[subscription].append(
Account( Account(
@@ -38,8 +38,13 @@ class Databricks(AzureService):
for subscription, client in self.clients.items(): for subscription, client in self.clients.items():
try: try:
workspaces[subscription] = {} workspaces[subscription] = {}
workspaces_list = self.list_with_rg_scope(
subscription,
client.workspaces.list_by_subscription,
client.workspaces.list_by_resource_group,
)
for workspace in client.workspaces.list_by_subscription(): for workspace in workspaces_list:
workspace_parameters = getattr(workspace, "parameters", None) workspace_parameters = getattr(workspace, "parameters", None)
workspace_managed_disk_encryption = getattr( workspace_managed_disk_encryption = getattr(
getattr( getattr(
@@ -230,8 +230,10 @@ class Defender(AzureService):
iot_security_solutions = {} iot_security_solutions = {}
for subscription_id, client in self.clients.items(): for subscription_id, client in self.clients.items():
try: try:
iot_security_solutions_list = ( iot_security_solutions_list = self.list_with_rg_scope(
client.iot_security_solution.list_by_subscription() subscription_id,
client.iot_security_solution.list_by_subscription,
client.iot_security_solution.list_by_resource_group,
) )
iot_security_solutions.update({subscription_id: {}}) iot_security_solutions.update({subscription_id: {}})
for iot_security_solution in iot_security_solutions_list: for iot_security_solution in iot_security_solutions_list:
@@ -267,8 +269,13 @@ class Defender(AzureService):
for subscription_id, client in self.clients.items(): for subscription_id, client in self.clients.items():
try: try:
jit_policies[subscription_id] = {} jit_policies[subscription_id] = {}
policies = client.jit_network_access_policies.list() policies_list = self.list_with_rg_scope(
for policy in policies: subscription_id,
client.jit_network_access_policies.list,
client.jit_network_access_policies.list_by_resource_group,
)
for policy in policies_list:
vm_ids = set() vm_ids = set()
for vm in getattr(policy, "virtual_machines", []): for vm in getattr(policy, "virtual_machines", []):
vm_ids.add(vm.id) vm_ids.add(vm.id)
@@ -35,7 +35,11 @@ class KeyVault(AzureService):
for subscription, client in self.clients.items(): for subscription, client in self.clients.items():
try: try:
key_vaults[subscription] = [] key_vaults[subscription] = []
vaults_list = list(client.vaults.list_by_subscription()) vaults_list = self.list_with_rg_scope(
subscription,
client.vaults.list_by_subscription,
client.vaults.list_by_resource_group,
)
if not vaults_list: if not vaults_list:
continue continue
@@ -19,8 +19,12 @@ class MySQL(AzureService):
servers = {} servers = {}
for subscription_id, client in self.clients.items(): for subscription_id, client in self.clients.items():
try: try:
servers_list = client.servers.list()
servers.update({subscription_id: {}}) servers.update({subscription_id: {}})
servers_list = self.list_with_rg_scope(
subscription_id,
client.servers.list,
client.servers.list_by_resource_group,
)
for server in servers_list: for server in servers_list:
backup = getattr(server, "backup", None) backup = getattr(server, "backup", None)
ha = getattr(server, "high_availability", None) ha = getattr(server, "high_availability", None)
@@ -24,8 +24,13 @@ class Network(AzureService):
security_groups = {} security_groups = {}
for subscription, client in self.clients.items(): for subscription, client in self.clients.items():
try: try:
security_groups_list = self.list_with_rg_scope(
subscription,
client.network_security_groups.list_all,
client.network_security_groups.list,
)
security_groups.update({subscription: []}) security_groups.update({subscription: []})
security_groups_list = client.network_security_groups.list_all()
for security_group in security_groups_list: for security_group in security_groups_list:
security_groups[subscription].append( security_groups[subscription].append(
SecurityGroup( SecurityGroup(
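Review bot: `self.list_with_rg_scope(...)` is now called before `security_groups.update({subscription: []})`. In the unscoped path the helper evaluates `list(list_all_fn())` eagerly and outside any try block, so a listing error reaches this method's `except` before the subscription key exists, and the result has no entry for that subscription instead of an empty list. The AKS, App and AppInsights hunks moved the `update` call above the listing; do the same here and in the bastion hosts, public IP, PostgreSQL, SQLServer, Storage and Defender IoT hunks, which have the same ordering.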
@@ -64,8 +69,8 @@ class Network(AzureService):
network_watchers = {} network_watchers = {}
for subscription, client in self.clients.items(): for subscription, client in self.clients.items():
try: try:
network_watchers.update({subscription: []})
network_watchers_list = client.network_watchers.list_all() network_watchers_list = client.network_watchers.list_all()
network_watchers.update({subscription: []})
for network_watcher in network_watchers_list: for network_watcher in network_watchers_list:
flow_logs = self._get_flow_logs( flow_logs = self._get_flow_logs(
subscription, network_watcher.name, network_watcher.id subscription, network_watcher.name, network_watcher.id
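Review bot: This hunk only swaps `network_watchers.update({subscription: []})` and the `client.network_watchers.list_all()` call, and leaves network watchers unscoped when `--azure-resource-group` is set. If watchers and their flow logs are meant to be evaluated for the whole subscription, add a comment saying so and mention it in the documentation Warning; otherwise route the listing through `list_with_rg_scope` like the other network resources. In either case the reorder is unrelated to the feature and can be dropped.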
@@ -164,8 +169,13 @@ class Network(AzureService):
bastion_hosts = {} bastion_hosts = {}
for subscription, client in self.clients.items(): for subscription, client in self.clients.items():
try: try:
bastion_hosts_list = self.list_with_rg_scope(
subscription,
client.bastion_hosts.list,
client.bastion_hosts.list_by_resource_group,
)
bastion_hosts.update({subscription: []}) bastion_hosts.update({subscription: []})
bastion_hosts_list = client.bastion_hosts.list()
for bastion_host in bastion_hosts_list: for bastion_host in bastion_hosts_list:
bastion_hosts[subscription].append( bastion_hosts[subscription].append(
BastionHost( BastionHost(
@@ -186,8 +196,13 @@ class Network(AzureService):
public_ip_addresses = {} public_ip_addresses = {}
for subscription, client in self.clients.items(): for subscription, client in self.clients.items():
try: try:
public_ip_addresses_list = self.list_with_rg_scope(
subscription,
client.public_ip_addresses.list_all,
client.public_ip_addresses.list,
)
public_ip_addresses.update({subscription: []}) public_ip_addresses.update({subscription: []})
public_ip_addresses_list = client.public_ip_addresses.list_all()
for public_ip_address in public_ip_addresses_list: for public_ip_address in public_ip_addresses_list:
public_ip_addresses[subscription].append( public_ip_addresses[subscription].append(
PublicIp( PublicIp(
@@ -207,13 +222,17 @@ class Network(AzureService):
def _get_virtual_networks(self): def _get_virtual_networks(self):
logger.info("Network - Getting Virtual Networks...") logger.info("Network - Getting Virtual Networks...")
virtual_networks = {} virtual_networks = {}
for subscription, client in self.clients.items(): for subscription_id, client in self.clients.items():
try: try:
virtual_networks[subscription] = [] virtual_networks[subscription_id] = []
vnet_list = client.virtual_networks.list_all() virtual_networks_list = self.list_with_rg_scope(
for vnet in vnet_list: subscription_id,
client.virtual_networks.list_all,
client.virtual_networks.list,
)
for virtual_network in virtual_networks_list:
subnets = [] subnets = []
for subnet in getattr(vnet, "subnets", []) or []: for subnet in getattr(virtual_network, "subnets", []) or []:
nsg = getattr(subnet, "network_security_group", None) nsg = getattr(subnet, "network_security_group", None)
subnets.append( subnets.append(
VNetSubnet( VNetSubnet(
@@ -222,20 +241,20 @@ class Network(AzureService):
nsg_id=getattr(nsg, "id", None) if nsg else None, nsg_id=getattr(nsg, "id", None) if nsg else None,
) )
) )
virtual_networks[subscription].append( virtual_networks[subscription_id].append(
VirtualNetwork( VirtualNetwork(
id=vnet.id, id=virtual_network.id,
name=vnet.name, name=virtual_network.name,
location=vnet.location, location=virtual_network.location,
enable_ddos_protection=getattr( enable_ddos_protection=getattr(
vnet, "enable_ddos_protection", False virtual_network, "enable_ddos_protection", False
), ),
subnets=subnets, subnets=subnets,
) )
) )
except Exception as error: except Exception as error:
logger.error( logger.error(
f"Subscription name: {subscription} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" f"Subscription ID: {subscription_id} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
) )
return virtual_networks return virtual_networks
@@ -18,8 +18,8 @@ class Policy(AzureService):
for subscription_id, client in self.clients.items(): for subscription_id, client in self.clients.items():
try: try:
policy_assigments_list = client.policy_assignments.list()
policy_assigments.update({subscription_id: {}}) policy_assigments.update({subscription_id: {}})
policy_assigments_list = client.policy_assignments.list()
for policy_assigment in policy_assigments_list: for policy_assigment in policy_assigments_list:
policy_assigments[subscription_id].update( policy_assigments[subscription_id].update(
@@ -19,8 +19,13 @@ class PostgreSQL(AzureService):
flexible_servers = {} flexible_servers = {}
for subscription, client in self.clients.items(): for subscription, client in self.clients.items():
try: try:
flexible_servers_list = self.list_with_rg_scope(
subscription,
client.servers.list,
client.servers.list_by_resource_group,
)
flexible_servers.update({subscription: []}) flexible_servers.update({subscription: []})
flexible_servers_list = client.servers.list()
for postgresql_server in flexible_servers_list: for postgresql_server in flexible_servers_list:
# Isolate each server: a failure collecting one server must # Isolate each server: a failure collecting one server must
# not abort collection of the remaining servers in the # not abort collection of the remaining servers in the
@@ -56,9 +56,14 @@ class Recovery(AzureService):
try: try:
vaults_dict: dict[str, dict[str, BackupVault]] = {} vaults_dict: dict[str, dict[str, BackupVault]] = {}
for subscription_id, client in self.clients.items(): for subscription_id, client in self.clients.items():
vaults = client.vaults.list_by_subscription_id() vaults_list = self.list_with_rg_scope(
subscription_id,
client.vaults.list_by_subscription_id,
client.vaults.list_by_resource_group,
)
vaults_dict[subscription_id] = {} vaults_dict[subscription_id] = {}
for vault in vaults: for vault in vaults_list:
vault_obj = BackupVault( vault_obj = BackupVault(
id=vault.id, id=vault.id,
name=vault.name, name=vault.name,
@@ -18,8 +18,13 @@ class SQLServer(AzureService):
sql_servers = {} sql_servers = {}
for subscription, client in self.clients.items(): for subscription, client in self.clients.items():
try: try:
sql_servers_list = self.list_with_rg_scope(
subscription,
client.servers.list,
client.servers.list_by_resource_group,
)
sql_servers.update({subscription: []}) sql_servers.update({subscription: []})
sql_servers_list = client.servers.list()
for sql_server in sql_servers_list: for sql_server in sql_servers_list:
resource_group = self._get_resource_group(sql_server.id) resource_group = self._get_resource_group(sql_server.id)
auditing_policies = self._get_server_blob_auditing_policies( auditing_policies = self._get_server_blob_auditing_policies(
@@ -20,8 +20,13 @@ class Storage(AzureService):
storage_accounts = {} storage_accounts = {}
for subscription, client in self.clients.items(): for subscription, client in self.clients.items():
try: try:
storage_accounts_list = self.list_with_rg_scope(
subscription,
client.storage_accounts.list,
client.storage_accounts.list_by_resource_group,
)
storage_accounts.update({subscription: []}) storage_accounts.update({subscription: []})
storage_accounts_list = client.storage_accounts.list()
for storage_account in storage_accounts_list: for storage_account in storage_accounts_list:
parts = storage_account.id.split("/") parts = storage_account.id.split("/")
if "resourceGroups" in parts: if "resourceGroups" in parts:
@@ -22,8 +22,12 @@ class VirtualMachines(AzureService):
for subscription_id, client in self.clients.items(): for subscription_id, client in self.clients.items():
try: try:
virtual_machines_list = client.virtual_machines.list_all()
virtual_machines.update({subscription_id: {}}) virtual_machines.update({subscription_id: {}})
virtual_machines_list = self.list_with_rg_scope(
subscription_id,
client.virtual_machines.list_all,
client.virtual_machines.list,
)
for vm in virtual_machines_list: for vm in virtual_machines_list:
storage_profile = getattr(vm, "storage_profile", None) storage_profile = getattr(vm, "storage_profile", None)
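Review bot: `client.virtual_machines.list` as the per-resource-group callable reads like a typo next to the `list_by_resource_group` passed for vaults, SQL servers, storage accounts and disks. In the compute SDK `list` is the resource-group operation and `list_all` the subscription-wide one, so the call is correct, but a one-line comment here and on the `virtual_machine_scale_sets.list` call would stop someone from "fixing" it later.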
@@ -155,8 +159,12 @@ class VirtualMachines(AzureService):
for subscription_id, client in self.clients.items(): for subscription_id, client in self.clients.items():
try: try:
disks_list = client.disks.list()
disks.update({subscription_id: {}}) disks.update({subscription_id: {}})
disks_list = self.list_with_rg_scope(
subscription_id,
client.disks.list,
client.disks.list_by_resource_group,
)
for disk in disks_list: for disk in disks_list:
vms_attached = [] vms_attached = []
@@ -202,9 +210,13 @@ class VirtualMachines(AzureService):
vm_scale_sets = {} vm_scale_sets = {}
for subscription_id, client in self.clients.items(): for subscription_id, client in self.clients.items():
try: try:
scale_sets = client.virtual_machine_scale_sets.list_all()
vm_scale_sets[subscription_id] = {} vm_scale_sets[subscription_id] = {}
for scale_set in scale_sets: scale_sets_list = self.list_with_rg_scope(
subscription_id,
client.virtual_machine_scale_sets.list_all,
client.virtual_machine_scale_sets.list,
)
for scale_set in scale_sets_list:
backend_pools = [] backend_pools = []
nic_configs = [] nic_configs = []
virtual_machine_profile = getattr( virtual_machine_profile = getattr(
+1
View File
@@ -407,6 +407,7 @@ class Provider(ABC):
tenant_id=arguments.tenant_id, tenant_id=arguments.tenant_id,
region=arguments.azure_region, region=arguments.azure_region,
subscription_ids=arguments.subscription_id, subscription_ids=arguments.subscription_id,
resource_groups=arguments.resource_groups,
config_path=arguments.config_file, config_path=arguments.config_file,
mutelist_path=arguments.mutelist_file, mutelist_path=arguments.mutelist_file,
fixer_config=fixer_config, fixer_config=fixer_config,
+4
View File
@@ -9,6 +9,8 @@ from prowler.providers.azure.models import AzureIdentityInfo, AzureRegionConfig
AZURE_SUBSCRIPTION_ID = str(uuid4()) AZURE_SUBSCRIPTION_ID = str(uuid4())
AZURE_SUBSCRIPTION_NAME = "Subscription Name" AZURE_SUBSCRIPTION_NAME = "Subscription Name"
AZURE_SUBSCRIPTION_DISPLAY = f"{AZURE_SUBSCRIPTION_NAME} ({AZURE_SUBSCRIPTION_ID})" AZURE_SUBSCRIPTION_DISPLAY = f"{AZURE_SUBSCRIPTION_NAME} ({AZURE_SUBSCRIPTION_ID})"
RESOURCE_GROUP = "rg"
RESOURCE_GROUP_LIST = [RESOURCE_GROUP, "rg2"]
# Azure Identity # Azure Identity
IDENTITY_ID = "00000000-0000-0000-0000-000000000000" IDENTITY_ID = "00000000-0000-0000-0000-000000000000"
@@ -30,6 +32,7 @@ def set_mocked_azure_provider(
audit_config: dict = None, audit_config: dict = None,
azure_region_config: AzureRegionConfig = AzureRegionConfig(), azure_region_config: AzureRegionConfig = AzureRegionConfig(),
locations: list = None, locations: list = None,
resource_groups: dict = None,
) -> AzureProvider: ) -> AzureProvider:
provider = MagicMock() provider = MagicMock()
@@ -39,5 +42,6 @@ def set_mocked_azure_provider(
provider.identity = identity provider.identity = identity
provider.audit_config = audit_config provider.audit_config = audit_config
provider.region_config = azure_region_config provider.region_config = azure_region_config
provider.resource_groups = resource_groups
return provider return provider
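Review bot: `provider.resource_groups` can now be set through `set_mocked_azure_provider(resource_groups=...)`, but the service tests in this commit build the service with `set_mocked_azure_provider()` and then assign `aisearch.resource_groups`, `aks.resource_groups` and so on directly. The hand-off from provider to service attribute is therefore never exercised; suggest passing the mapping through the fixture in at least one test per service.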
@@ -552,6 +552,102 @@ class TestAzureProvider:
assert regions == expected_regions assert regions == expected_regions
class TestAzureProviderValidateResourceGroups:
@patch(
"prowler.providers.azure.azure_provider.AzureProvider.__init__",
return_value=None,
)
def _make_provider(self, _mock_init, subscriptions=None):
provider = AzureProvider()
provider._identity = MagicMock()
provider._identity.subscriptions = subscriptions or {str(uuid4()): "Sub"}
provider._session = MagicMock()
provider._region_config = MagicMock()
return provider
@patch("prowler.providers.azure.azure_provider.ResourceManagementClient")
def test_validate_resource_groups_exact_match(self, mock_rm_client):
provider = self._make_provider()
sub_name = list(provider._identity.subscriptions.keys())[0]
mock_rg = MagicMock()
mock_rg.name = "mygroup"
mock_resource_groups = MagicMock()
mock_resource_groups.list.return_value = [mock_rg]
mock_rm_client.return_value.resource_groups = mock_resource_groups
result = provider.validate_resource_groups(["mygroup"])
assert result[sub_name] == ["mygroup"]
@patch("prowler.providers.azure.azure_provider.ResourceManagementClient")
def test_validate_resource_groups_mixed_case(self, mock_rm_client):
provider = self._make_provider()
sub_name = list(provider._identity.subscriptions.keys())[0]
mock_rg = MagicMock()
mock_rg.name = "MyGroup"
mock_resource_groups = MagicMock()
mock_resource_groups.list.return_value = [mock_rg]
mock_rm_client.return_value.resource_groups = mock_resource_groups
result = provider.validate_resource_groups(["mygroup"])
assert result[sub_name] == ["MyGroup"]
mock_resource_groups.list.assert_called_once()
@patch("prowler.providers.azure.azure_provider.ResourceManagementClient")
def test_validate_resource_groups_multiple_rgs(self, mock_rm_client):
provider = self._make_provider()
sub_name = list(provider._identity.subscriptions.keys())[0]
rg1, rg2 = MagicMock(), MagicMock()
rg1.name = "rg1"
rg2.name = "rg2"
mock_resource_groups = MagicMock()
mock_resource_groups.list.return_value = [rg1, rg2]
mock_rm_client.return_value.resource_groups = mock_resource_groups
result = provider.validate_resource_groups(["rg1", "rg2"])
assert set(result[sub_name]) == {"rg1", "rg2"}
@patch("prowler.providers.azure.azure_provider.ResourceManagementClient")
def test_validate_resource_groups_not_found(self, mock_rm_client):
provider = self._make_provider()
sub_name = list(provider._identity.subscriptions.keys())[0]
mock_rg = MagicMock()
mock_rg.name = "existing"
mock_resource_groups = MagicMock()
mock_resource_groups.list.return_value = [mock_rg]
mock_rm_client.return_value.resource_groups = mock_resource_groups
result = provider.validate_resource_groups(["nonexistent"])
assert result[sub_name] == []
def test_validate_resource_groups_empty_input(self):
provider = self._make_provider()
result = provider.validate_resource_groups([])
assert result == {}
@patch("prowler.providers.azure.azure_provider.ResourceManagementClient")
def test_validate_resource_groups_strips_whitespace(self, mock_rm_client):
provider = self._make_provider()
sub_name = list(provider._identity.subscriptions.keys())[0]
mock_rg = MagicMock()
mock_rg.name = "rg-prod"
mock_resource_groups = MagicMock()
mock_resource_groups.list.return_value = [mock_rg]
mock_rm_client.return_value.resource_groups = mock_resource_groups
result = provider.validate_resource_groups([" rg-prod "])
assert result[sub_name] == ["rg-prod"]
class TestAzureProviderSetupIdentitySubscriptions: class TestAzureProviderSetupIdentitySubscriptions:
"""Regression tests ensuring identity.subscriptions preserves every """Regression tests ensuring identity.subscriptions preserves every
subscription even when multiple Azure subscriptions share the same subscription even when multiple Azure subscriptions share the same
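Review bot: `test_validate_resource_groups_not_found` pins `result[sub_name] == []` for a name that matches nothing, and the service tests in this commit show that an empty list means neither list call is made. As far as these tests show, a mistyped `--azure-resource-group` value produces a scan with no resources and no findings, which reads like a clean result. Suggest adding a test that asserts a warning or a hard error when a requested group matches in no subscription.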
@@ -1,4 +1,4 @@
from unittest.mock import patch from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.aisearch.aisearch_service import ( from prowler.providers.azure.services.aisearch.aisearch_service import (
AISearch, AISearch,
@@ -6,9 +6,13 @@ from prowler.providers.azure.services.aisearch.aisearch_service import (
) )
from tests.providers.azure.azure_fixtures import ( from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID, AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider, set_mocked_azure_provider,
) )
AISEARCH_SERVICE_ID = f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}/providers/Microsoft.Search/searchServices/search1"
def mock_storage_get_aisearch_services(_): def mock_storage_get_aisearch_services(_):
return { return {
@@ -58,3 +62,121 @@ class Test_AISearch_Service:
assert aisearch.aisearch_services[AZURE_SUBSCRIPTION_ID][ assert aisearch.aisearch_services[AZURE_SUBSCRIPTION_ID][
"aisearch_service_id-1" "aisearch_service_id-1"
].public_network_access ].public_network_access
class Test_AISearch_Service_get_aisearch_services:
def test_get_aisearch_services_no_resource_groups(self):
mock_service = MagicMock()
mock_service.id = AISEARCH_SERVICE_ID
mock_service.name = "search1"
mock_service.location = "westeurope"
mock_service.public_network_access = "Enabled"
mock_client = MagicMock()
mock_client.services.list_by_subscription.return_value = [mock_service]
with patch(
"prowler.providers.azure.services.aisearch.aisearch_service.AISearch._get_aisearch_services",
return_value={},
):
aisearch = AISearch(set_mocked_azure_provider())
aisearch.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
aisearch.resource_groups = None
result = aisearch._get_aisearch_services()
mock_client.services.list_by_subscription.assert_called_once()
mock_client.services.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert (
result[AZURE_SUBSCRIPTION_ID][AISEARCH_SERVICE_ID].public_network_access
is True
)
def test_get_aisearch_services_with_resource_group(self):
mock_service = MagicMock()
mock_service.id = AISEARCH_SERVICE_ID
mock_service.name = "search1"
mock_service.location = "westeurope"
mock_service.public_network_access = "Disabled"
mock_client = MagicMock()
mock_client.services.list_by_resource_group.return_value = [mock_service]
with patch(
"prowler.providers.azure.services.aisearch.aisearch_service.AISearch._get_aisearch_services",
return_value={},
):
aisearch = AISearch(set_mocked_azure_provider())
aisearch.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
aisearch.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = aisearch._get_aisearch_services()
mock_client.services.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.services.list_by_subscription.assert_not_called()
assert (
result[AZURE_SUBSCRIPTION_ID][AISEARCH_SERVICE_ID].public_network_access
is False
)
def test_get_aisearch_services_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with patch(
"prowler.providers.azure.services.aisearch.aisearch_service.AISearch._get_aisearch_services",
return_value={},
):
aisearch = AISearch(set_mocked_azure_provider())
aisearch.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
aisearch.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = aisearch._get_aisearch_services()
mock_client.services.list_by_resource_group.assert_not_called()
mock_client.services.list_by_subscription.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
def test_get_aisearch_services_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.services = MagicMock()
mock_client.services.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.aisearch.aisearch_service.AISearch._get_aisearch_services",
return_value={},
):
aisearch = AISearch(set_mocked_azure_provider())
aisearch.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
aisearch.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = aisearch._get_aisearch_services()
assert mock_client.services.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_aisearch_services_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.services = MagicMock()
mock_client.services.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.aisearch.aisearch_service.AISearch._get_aisearch_services",
return_value={},
):
aisearch = AISearch(set_mocked_azure_provider())
aisearch.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
aisearch.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
aisearch._get_aisearch_services()
mock_client.services.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
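Review bot: `test_get_aisearch_services_with_multiple_resource_groups` only checks `call_count == 2` with both calls returning `[]`, so it would still pass if the second group's results overwrote the first or if the same group were queried twice. Suggest a `side_effect` that returns a distinct service per group, then assert that both IDs are in `result[AZURE_SUBSCRIPTION_ID]` and that each name in `RESOURCE_GROUP_LIST` was passed as `resource_group_name`.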
@@ -1,8 +1,10 @@
from unittest.mock import patch from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.aks.aks_service import AKS, Cluster from prowler.providers.azure.services.aks.aks_service import AKS, Cluster
from tests.providers.azure.azure_fixtures import ( from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID, AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider, set_mocked_azure_provider,
) )
@@ -66,3 +68,128 @@ class Test_AKS_Service:
aks.clusters[AZURE_SUBSCRIPTION_ID]["cluster_id-1"].location == "westeurope" aks.clusters[AZURE_SUBSCRIPTION_ID]["cluster_id-1"].location == "westeurope"
) )
assert aks.clusters[AZURE_SUBSCRIPTION_ID]["cluster_id-1"].rbac_enabled assert aks.clusters[AZURE_SUBSCRIPTION_ID]["cluster_id-1"].rbac_enabled
class Test_AKS_get_clusters:
def test_get_clusters_no_resource_groups(self):
mock_cluster = MagicMock()
mock_cluster.id = "cluster_id-1"
mock_cluster.name = "cluster_name"
mock_cluster.fqdn = "public_fqdn"
mock_cluster.private_fqdn = "private_fqdn"
mock_cluster.location = "westeurope"
mock_cluster.kubernetes_version = "1.28.0"
mock_cluster.network_profile = None
mock_cluster.agent_pool_profiles = []
mock_cluster.enable_rbac = False
mock_client = MagicMock()
mock_client.managed_clusters.list.return_value = [mock_cluster]
with patch(
"prowler.providers.azure.services.aks.aks_service.AKS._get_clusters",
return_value={},
):
aks = AKS(set_mocked_azure_provider())
aks.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
aks.resource_groups = None
result = aks._get_clusters()
mock_client.managed_clusters.list.assert_called_once()
mock_client.managed_clusters.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert "cluster_id-1" in result[AZURE_SUBSCRIPTION_ID]
def test_get_clusters_with_resource_group(self):
mock_cluster = MagicMock()
mock_cluster.id = "cluster_id-1"
mock_cluster.name = "cluster_name"
mock_cluster.fqdn = "public_fqdn"
mock_cluster.private_fqdn = "private_fqdn"
mock_cluster.location = "westeurope"
mock_cluster.kubernetes_version = "1.28.0"
mock_cluster.network_profile = None
mock_cluster.agent_pool_profiles = []
mock_cluster.enable_rbac = False
mock_client = MagicMock()
mock_client.managed_clusters.list_by_resource_group.return_value = [
mock_cluster
]
with patch(
"prowler.providers.azure.services.aks.aks_service.AKS._get_clusters",
return_value={},
):
aks = AKS(set_mocked_azure_provider())
aks.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
aks.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = aks._get_clusters()
mock_client.managed_clusters.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.managed_clusters.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert "cluster_id-1" in result[AZURE_SUBSCRIPTION_ID]
def test_get_clusters_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with patch(
"prowler.providers.azure.services.aks.aks_service.AKS._get_clusters",
return_value={},
):
aks = AKS(set_mocked_azure_provider())
aks.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
aks.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = aks._get_clusters()
mock_client.managed_clusters.list_by_resource_group.assert_not_called()
mock_client.managed_clusters.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
def test_get_clusters_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.managed_clusters = MagicMock()
mock_client.managed_clusters.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.aks.aks_service.AKS._get_clusters",
return_value={},
):
aks = AKS(set_mocked_azure_provider())
aks.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
aks.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = aks._get_clusters()
assert mock_client.managed_clusters.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_clusters_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.managed_clusters = MagicMock()
mock_client.managed_clusters.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.aks.aks_service.AKS._get_clusters",
return_value={},
):
aks = AKS(set_mocked_azure_provider())
aks.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
aks.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
aks._get_clusters()
mock_client.managed_clusters.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
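Review bot: `test_get_clusters_with_mixed_case_resource_group` sets `resource_groups` to `["RG"]` and asserts that `"RG"` is forwarded, which only shows the service passes the name through unchanged; no case handling is exercised. The case mapping is already covered by `test_validate_resource_groups_mixed_case` on the provider, so rename this test to describe pass-through of the validated name, here and in the sibling service test files.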
@@ -1,6 +1,6 @@
from datetime import timedelta from datetime import timedelta
from unittest import TestCase, mock from unittest import TestCase, mock
from unittest.mock import patch from unittest.mock import MagicMock, patch
from azure.mgmt.loganalytics.models import Workspace from azure.mgmt.loganalytics.models import Workspace
from azure.mgmt.monitor.models import DiagnosticSettingsResource from azure.mgmt.monitor.models import DiagnosticSettingsResource
@@ -9,6 +9,8 @@ from azure.monitor.query import LogsQueryResult
from tests.providers.azure.azure_fixtures import ( from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID, AZURE_SUBSCRIPTION_ID,
AZURE_SUBSCRIPTION_NAME, AZURE_SUBSCRIPTION_NAME,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider, set_mocked_azure_provider,
) )
@@ -16,7 +18,6 @@ from tests.providers.azure.azure_fixtures import (
APIM_INSTANCE_ID = f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/resourceGroups/rg/providers/Microsoft.ApiManagement/service/apim1" APIM_INSTANCE_ID = f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/resourceGroups/rg/providers/Microsoft.ApiManagement/service/apim1"
APIM_INSTANCE_NAME = "apim1" APIM_INSTANCE_NAME = "apim1"
LOCATION = "West US" LOCATION = "West US"
RESOURCE_GROUP = "rg"
WORKSPACE_ID = f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/resourcegroups/rg/providers/microsoft.operationalinsights/workspaces/loganalytics" WORKSPACE_ID = f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/resourcegroups/rg/providers/microsoft.operationalinsights/workspaces/loganalytics"
WORKSPACE_CUSTOMER_ID = "12345678-1234-1234-1234-1234567890ab" WORKSPACE_CUSTOMER_ID = "12345678-1234-1234-1234-1234567890ab"
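Review bot: the local `RESOURCE_GROUP = "rg"` is dropped in favour of the shared fixture, but `APIM_INSTANCE_ID` and `WORKSPACE_ID` on the neighbouring lines still hard-code `/resourceGroups/rg/` and `/resourcegroups/rg/`. If the fixture value changes, these IDs and the `resource_group_name=RESOURCE_GROUP` assertions drift apart; interpolate `{RESOURCE_GROUP}` as `AISEARCH_SERVICE_ID` does.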
@@ -323,3 +324,168 @@ class Test_APIM_Service(TestCase):
instance = apim.instances[AZURE_SUBSCRIPTION_ID][0] instance = apim.instances[AZURE_SUBSCRIPTION_ID][0]
result = apim.get_llm_operations_logs(AZURE_SUBSCRIPTION_ID, instance) result = apim.get_llm_operations_logs(AZURE_SUBSCRIPTION_ID, instance)
self.assertEqual(result, [{"log": "data"}]) self.assertEqual(result, [{"log": "data"}])
class Test_APIM_get_instances:
def test_get_instances_no_resource_groups(self):
mock_instance = MagicMock()
mock_instance.id = APIM_INSTANCE_ID
mock_instance.name = APIM_INSTANCE_NAME
mock_instance.location = LOCATION
mock_client = MagicMock()
mock_client.api_management_service.list.return_value = [mock_instance]
mock_provider = mock.MagicMock()
mock_provider.identity = mock.MagicMock()
with (
patch(
"prowler.providers.azure.azure_provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.apim.apim_service.APIM._get_instances",
return_value={},
),
):
from prowler.providers.azure.services.apim.apim_service import APIM
apim = APIM(set_mocked_azure_provider())
apim.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
apim.resource_groups = None
with patch.object(apim, "_get_log_analytics_workspace_id", return_value=None):
result = apim._get_instances()
mock_client.api_management_service.list.assert_called_once()
mock_client.api_management_service.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert len(result[AZURE_SUBSCRIPTION_ID]) == 1
assert result[AZURE_SUBSCRIPTION_ID][0].id == APIM_INSTANCE_ID
def test_get_instances_with_resource_group(self):
mock_instance = MagicMock()
mock_instance.id = APIM_INSTANCE_ID
mock_instance.name = APIM_INSTANCE_NAME
mock_instance.location = LOCATION
mock_client = MagicMock()
mock_client.api_management_service.list_by_resource_group.return_value = [
mock_instance
]
mock_provider = mock.MagicMock()
mock_provider.identity = mock.MagicMock()
with (
patch(
"prowler.providers.azure.azure_provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.apim.apim_service.APIM._get_instances",
return_value={},
),
):
from prowler.providers.azure.services.apim.apim_service import APIM
apim = APIM(set_mocked_azure_provider())
apim.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
apim.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
with patch.object(apim, "_get_log_analytics_workspace_id", return_value=None):
result = apim._get_instances()
mock_client.api_management_service.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.api_management_service.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert len(result[AZURE_SUBSCRIPTION_ID]) == 1
assert result[AZURE_SUBSCRIPTION_ID][0].name == APIM_INSTANCE_NAME
def test_get_instances_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_provider = mock.MagicMock()
mock_provider.identity = mock.MagicMock()
with (
patch(
"prowler.providers.azure.azure_provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.apim.apim_service.APIM._get_instances",
return_value={},
),
):
from prowler.providers.azure.services.apim.apim_service import APIM
apim = APIM(set_mocked_azure_provider())
apim.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
apim.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = apim._get_instances()
mock_client.api_management_service.list_by_resource_group.assert_not_called()
mock_client.api_management_service.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == []
def test_get_instances_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_provider = mock.MagicMock()
mock_provider.identity = mock.MagicMock()
with (
patch(
"prowler.providers.azure.azure_provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.apim.apim_service.APIM._get_instances",
return_value={},
),
):
from prowler.providers.azure.services.apim.apim_service import APIM
apim = APIM(set_mocked_azure_provider())
apim.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
apim.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
with patch.object(apim, "_get_log_analytics_workspace_id", return_value=None):
result = apim._get_instances()
assert mock_client.api_management_service.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_instances_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_provider = mock.MagicMock()
mock_provider.identity = mock.MagicMock()
with (
patch(
"prowler.providers.azure.azure_provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.apim.apim_service.APIM._get_instances",
return_value={},
),
):
from prowler.providers.azure.services.apim.apim_service import APIM
apim = APIM(set_mocked_azure_provider())
apim.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
apim.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
with patch.object(apim, "_get_log_analytics_workspace_id", return_value=None):
apim._get_instances()
mock_client.api_management_service.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
@@ -5,6 +5,8 @@ from azure.mgmt.web.models import ManagedServiceIdentity, SiteConfigResource
from tests.providers.azure.azure_fixtures import ( from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID, AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider, set_mocked_azure_provider,
) )
@@ -244,3 +246,279 @@ class Test_App_Service:
].name ].name
== "functionapp-1" == "functionapp-1"
) )
class Test_App_get_apps:
def test_get_apps_no_resource_groups(self):
mock_client = MagicMock()
mock_client.web_apps.list.return_value = []
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_azure_provider(),
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
):
from prowler.providers.azure.services.app.app_service import App
app = App(set_mocked_azure_provider())
app.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app.resource_groups = None
result = app._get_apps()
mock_client.web_apps.list.assert_called_once()
mock_client.web_apps.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_apps_with_resource_group(self):
mock_client = MagicMock()
mock_client.web_apps.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_azure_provider(),
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
):
from prowler.providers.azure.services.app.app_service import App
app = App(set_mocked_azure_provider())
app.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = app._get_apps()
mock_client.web_apps.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.web_apps.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_apps_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_azure_provider(),
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
):
from prowler.providers.azure.services.app.app_service import App
app = App(set_mocked_azure_provider())
app.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = app._get_apps()
mock_client.web_apps.list_by_resource_group.assert_not_called()
mock_client.web_apps.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
class Test_App_get_functions:
def test_get_functions_no_resource_groups(self):
mock_client = MagicMock()
mock_client.web_apps.list.return_value = []
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_azure_provider(),
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
):
from prowler.providers.azure.services.app.app_service import App
app = App(set_mocked_azure_provider())
app.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app.resource_groups = None
result = app._get_functions()
mock_client.web_apps.list.assert_called_once()
mock_client.web_apps.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_functions_with_resource_group(self):
mock_client = MagicMock()
mock_client.web_apps.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_azure_provider(),
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
):
from prowler.providers.azure.services.app.app_service import App
app = App(set_mocked_azure_provider())
app.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = app._get_functions()
mock_client.web_apps.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.web_apps.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_functions_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_azure_provider(),
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
):
from prowler.providers.azure.services.app.app_service import App
app = App(set_mocked_azure_provider())
app.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = app._get_functions()
mock_client.web_apps.list_by_resource_group.assert_not_called()
mock_client.web_apps.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
def test_get_apps_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.web_apps.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_azure_provider(),
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
):
from prowler.providers.azure.services.app.app_service import App
app = App(set_mocked_azure_provider())
app.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = app._get_apps()
assert mock_client.web_apps.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_apps_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.web_apps.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_azure_provider(),
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
):
from prowler.providers.azure.services.app.app_service import App
app = App(set_mocked_azure_provider())
app.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
app._get_apps()
mock_client.web_apps.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
class Test_App_get_functions_extra:
def test_get_functions_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.web_apps.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_azure_provider(),
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
):
from prowler.providers.azure.services.app.app_service import App
app = App(set_mocked_azure_provider())
app.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = app._get_functions()
assert mock_client.web_apps.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_functions_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.web_apps.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_azure_provider(),
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
):
from prowler.providers.azure.services.app.app_service import App
app = App(set_mocked_azure_provider())
app.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
app._get_functions()
mock_client.web_apps.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
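Review bot: `test_get_apps_with_multiple_resource_groups` and `test_get_apps_with_mixed_case_resource_group` are defined after the `_get_functions` tests, under `class Test_App_get_functions`, while the matching function tests sit in a separate `Test_App_get_functions_extra`. Move the two `_get_apps` tests into `Test_App_get_apps` and fold the `_extra` class into `Test_App_get_functions` so each class covers one method.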
@@ -1,4 +1,4 @@
from unittest.mock import patch from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.appinsights.appinsights_service import ( from prowler.providers.azure.services.appinsights.appinsights_service import (
AppInsights, AppInsights,
@@ -6,6 +6,8 @@ from prowler.providers.azure.services.appinsights.appinsights_service import (
) )
from tests.providers.azure.azure_fixtures import ( from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID, AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider, set_mocked_azure_provider,
) )
@@ -54,3 +56,121 @@ class Test_AppInsights_Service:
appinsights.components[AZURE_SUBSCRIPTION_ID]["app_id-1"].location appinsights.components[AZURE_SUBSCRIPTION_ID]["app_id-1"].location
== "westeurope" == "westeurope"
) )
class Test_AppInsights_get_components:
def test_get_components_no_resource_groups(self):
mock_component = MagicMock()
mock_component.app_id = "comp-app-id"
mock_component.id = "/subscriptions/sub/rg/appinsights"
mock_component.name = "ai-component"
mock_component.location = "westeurope"
mock_component.instrumentation_key = "ikey-123"
mock_client = MagicMock()
mock_client.components = MagicMock()
mock_client.components.list.return_value = [mock_component]
with patch(
"prowler.providers.azure.services.appinsights.appinsights_service.AppInsights._get_components",
return_value={},
):
app_insights = AppInsights(set_mocked_azure_provider())
app_insights.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app_insights.resource_groups = None
result = app_insights._get_components()
mock_client.components.list.assert_called_once()
mock_client.components.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert "comp-app-id" in result[AZURE_SUBSCRIPTION_ID]
def test_get_components_with_resource_group(self):
mock_component = MagicMock()
mock_component.app_id = "comp-app-id"
mock_component.id = "/subscriptions/sub/rg/appinsights"
mock_component.name = "ai-component"
mock_component.location = "westeurope"
mock_component.instrumentation_key = "ikey-123"
mock_client = MagicMock()
mock_client.components = MagicMock()
mock_client.components.list_by_resource_group.return_value = [mock_component]
with patch(
"prowler.providers.azure.services.appinsights.appinsights_service.AppInsights._get_components",
return_value={},
):
app_insights = AppInsights(set_mocked_azure_provider())
app_insights.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app_insights.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = app_insights._get_components()
mock_client.components.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.components.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert "comp-app-id" in result[AZURE_SUBSCRIPTION_ID]
def test_get_components_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.components = MagicMock()
with patch(
"prowler.providers.azure.services.appinsights.appinsights_service.AppInsights._get_components",
return_value={},
):
app_insights = AppInsights(set_mocked_azure_provider())
app_insights.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app_insights.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = app_insights._get_components()
mock_client.components.list_by_resource_group.assert_not_called()
mock_client.components.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
def test_get_components_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.components = MagicMock()
mock_client.components.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.appinsights.appinsights_service.AppInsights._get_components",
return_value={},
):
app_insights = AppInsights(set_mocked_azure_provider())
app_insights.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app_insights.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = app_insights._get_components()
assert mock_client.components.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_components_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.components = MagicMock()
mock_client.components.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.appinsights.appinsights_service.AppInsights._get_components",
return_value={},
):
app_insights = AppInsights(set_mocked_azure_provider())
app_insights.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
app_insights.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
app_insights._get_components()
mock_client.components.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
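Review bot: `test_get_components_with_multiple_resource_groups` only counts calls (`call_count == 2`) and returns `[]` for every group, so it would still pass if the same resource group were queried twice or if the second group's results overwrote the first. Give `list_by_resource_group` a `side_effect` that returns a distinct component per group, then assert that both `app_id` values are in `result[AZURE_SUBSCRIPTION_ID]`, that the calls carried the two expected `resource_group_name` values, and that `components.list` was not called.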
@@ -3,6 +3,8 @@ from uuid import uuid4
from tests.providers.azure.azure_fixtures import ( from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID, AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider, set_mocked_azure_provider,
) )
@@ -89,3 +91,208 @@ class TestContainerRegistryService:
assert monitor_setting["logs"][0]["enabled"] is True assert monitor_setting["logs"][0]["enabled"] is True
assert monitor_setting["logs"][1]["category"] == "AdminLogs" assert monitor_setting["logs"][1]["category"] == "AdminLogs"
assert monitor_setting["logs"][1]["enabled"] is False assert monitor_setting["logs"][1]["enabled"] is False
class Test_ContainerRegistry_get_registries:
def test_get_container_registries_no_resource_groups(self):
from unittest.mock import MagicMock, patch
mock_client = MagicMock()
mock_client.registries.list.return_value = []
mock_provider = MagicMock()
mock_provider.identity = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
patch(
"prowler.providers.azure.services.containerregistry.containerregistry_service.ContainerRegistry._get_container_registries",
return_value={},
),
):
from prowler.providers.azure.services.containerregistry.containerregistry_service import (
ContainerRegistry,
)
cr = ContainerRegistry(set_mocked_azure_provider())
cr.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
cr.resource_groups = None
with patch(
"prowler.providers.azure.services.containerregistry.containerregistry_service.monitor_client"
):
result = cr._get_container_registries()
mock_client.registries.list.assert_called_once()
mock_client.registries.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_container_registries_with_resource_group(self):
from unittest.mock import MagicMock, patch
mock_client = MagicMock()
mock_client.registries.list_by_resource_group.return_value = []
mock_provider = MagicMock()
mock_provider.identity = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
patch(
"prowler.providers.azure.services.containerregistry.containerregistry_service.ContainerRegistry._get_container_registries",
return_value={},
),
):
from prowler.providers.azure.services.containerregistry.containerregistry_service import (
ContainerRegistry,
)
cr = ContainerRegistry(set_mocked_azure_provider())
cr.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
cr.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
with patch(
"prowler.providers.azure.services.containerregistry.containerregistry_service.monitor_client"
):
result = cr._get_container_registries()
mock_client.registries.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.registries.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_container_registries_empty_resource_group_for_subscription(self):
from unittest.mock import MagicMock, patch
mock_client = MagicMock()
mock_provider = MagicMock()
mock_provider.identity = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
patch(
"prowler.providers.azure.services.containerregistry.containerregistry_service.ContainerRegistry._get_container_registries",
return_value={},
),
):
from prowler.providers.azure.services.containerregistry.containerregistry_service import (
ContainerRegistry,
)
cr = ContainerRegistry(set_mocked_azure_provider())
cr.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
cr.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
with patch(
"prowler.providers.azure.services.containerregistry.containerregistry_service.monitor_client"
):
result = cr._get_container_registries()
mock_client.registries.list_by_resource_group.assert_not_called()
mock_client.registries.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
def test_get_container_registries_with_multiple_resource_groups(self):
from unittest.mock import MagicMock, patch
mock_client = MagicMock()
mock_client.registries.list_by_resource_group.return_value = []
mock_provider = MagicMock()
mock_provider.identity = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
patch(
"prowler.providers.azure.services.containerregistry.containerregistry_service.ContainerRegistry._get_container_registries",
return_value={},
),
):
from prowler.providers.azure.services.containerregistry.containerregistry_service import (
ContainerRegistry,
)
cr = ContainerRegistry(set_mocked_azure_provider())
cr.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
cr.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
with patch(
"prowler.providers.azure.services.containerregistry.containerregistry_service.monitor_client"
):
result = cr._get_container_registries()
assert mock_client.registries.list_by_resource_group.call_count == len(
RESOURCE_GROUP_LIST
)
mock_client.registries.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_container_registries_with_mixed_case_resource_group(self):
from unittest.mock import MagicMock, patch
mock_client = MagicMock()
mock_client.registries.list_by_resource_group.return_value = []
mock_provider = MagicMock()
mock_provider.identity = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
patch(
"prowler.providers.azure.services.containerregistry.containerregistry_service.ContainerRegistry._get_container_registries",
return_value={},
),
):
from prowler.providers.azure.services.containerregistry.containerregistry_service import (
ContainerRegistry,
)
cr = ContainerRegistry(set_mocked_azure_provider())
cr.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
cr.resource_groups = {AZURE_SUBSCRIPTION_ID: ["MyRegistry-RG"]}
with patch(
"prowler.providers.azure.services.containerregistry.containerregistry_service.monitor_client"
):
cr._get_container_registries()
mock_client.registries.list_by_resource_group.assert_called_once_with(
resource_group_name="MyRegistry-RG"
)
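Review bot: all five tests in `Test_ContainerRegistry_get_registries` repeat the same three-patch `with` block, the in-function `from unittest.mock import MagicMock, patch`, and the nested `monitor_client` patch; only `resource_groups` and the assertions differ. Move the import to module level and build the `ContainerRegistry` instance in one helper or pytest fixture that takes `resource_groups` as a parameter. Separately, `get_global_provider` is patched to return `mock_provider` while the constructor receives `set_mocked_azure_provider()`; use one of the two so it is clear which provider the service under test actually sees.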
@@ -1,8 +1,10 @@
from unittest.mock import patch from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.cosmosdb.cosmosdb_service import Account, CosmosDB from prowler.providers.azure.services.cosmosdb.cosmosdb_service import Account, CosmosDB
from tests.providers.azure.azure_fixtures import ( from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID, AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider, set_mocked_azure_provider,
) )
@@ -133,3 +135,114 @@ class Test_CosmosDB_Service_None_Handling:
== "Microsoft.Network/privateEndpoints" == "Microsoft.Network/privateEndpoints"
) )
assert account.disable_local_auth is True assert account.disable_local_auth is True
class Test_CosmosDB_get_accounts:
def test_get_accounts_no_resource_groups(self):
mock_client = MagicMock()
mock_client.database_accounts.list.return_value = []
with patch(
"prowler.providers.azure.services.cosmosdb.cosmosdb_service.CosmosDB._get_accounts",
return_value={},
):
cosmosdb = CosmosDB(set_mocked_azure_provider())
cosmosdb.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
cosmosdb.resource_groups = None
result = cosmosdb._get_accounts()
mock_client.database_accounts.list.assert_called_once()
mock_client.database_accounts.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_accounts_with_resource_group(self):
mock_account = MagicMock()
mock_account.id = "account-id"
mock_account.name = "my-cosmos"
mock_account.kind = "GlobalDocumentDB"
mock_account.location = "eastus"
mock_account.type = "Microsoft.DocumentDB/databaseAccounts"
mock_account.tags = {}
mock_account.is_virtual_network_filter_enabled = False
mock_account.private_endpoint_connections = []
mock_account.disable_local_auth = False
mock_client = MagicMock()
mock_client.database_accounts.list_by_resource_group.return_value = [
mock_account
]
with patch(
"prowler.providers.azure.services.cosmosdb.cosmosdb_service.CosmosDB._get_accounts",
return_value={},
):
cosmosdb = CosmosDB(set_mocked_azure_provider())
cosmosdb.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
cosmosdb.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = cosmosdb._get_accounts()
mock_client.database_accounts.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.database_accounts.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert len(result[AZURE_SUBSCRIPTION_ID]) == 1
def test_get_accounts_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with patch(
"prowler.providers.azure.services.cosmosdb.cosmosdb_service.CosmosDB._get_accounts",
return_value={},
):
cosmosdb = CosmosDB(set_mocked_azure_provider())
cosmosdb.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
cosmosdb.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = cosmosdb._get_accounts()
mock_client.database_accounts.list_by_resource_group.assert_not_called()
mock_client.database_accounts.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == []
def test_get_accounts_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.database_accounts.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.cosmosdb.cosmosdb_service.CosmosDB._get_accounts",
return_value={},
):
cosmosdb = CosmosDB(set_mocked_azure_provider())
cosmosdb.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
cosmosdb.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = cosmosdb._get_accounts()
assert mock_client.database_accounts.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_accounts_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.database_accounts.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.cosmosdb.cosmosdb_service.CosmosDB._get_accounts",
return_value={},
):
cosmosdb = CosmosDB(set_mocked_azure_provider())
cosmosdb.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
cosmosdb.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
cosmosdb._get_accounts()
mock_client.database_accounts.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
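Review bot: `test_get_accounts_empty_resource_group_for_subscription` fixes the behaviour that `resource_groups = {AZURE_SUBSCRIPTION_ID: []}` makes no API call and returns `[]`, the opposite of `resource_groups = None`, which lists the whole subscription. For a security scanner that difference has to be visible to the operator: an empty scope yields zero findings, which reads the same as a clean result. Consider asserting here that a warning is logged for the skipped subscription, or add a comment pointing to where the empty-scope case is reported.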
@@ -1,4 +1,4 @@
from unittest.mock import patch from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.databricks.databricks_service import ( from prowler.providers.azure.services.databricks.databricks_service import (
Databricks, Databricks,
@@ -7,6 +7,8 @@ from prowler.providers.azure.services.databricks.databricks_service import (
) )
from tests.providers.azure.azure_fixtures import ( from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID, AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider, set_mocked_azure_provider,
) )
@@ -94,3 +96,123 @@ class Test_Databricks_Service_No_Encryption:
assert workspace.location == "eastus" assert workspace.location == "eastus"
assert workspace.custom_managed_vnet_id == "test-vnet-id" assert workspace.custom_managed_vnet_id == "test-vnet-id"
assert workspace.managed_disk_encryption is None assert workspace.managed_disk_encryption is None
class Test_Databricks_get_workspaces:
def test_get_workspaces_no_resource_groups(self):
mock_workspace = MagicMock()
mock_workspace.id = "ws-id-1"
mock_workspace.name = "my-workspace"
mock_workspace.location = "eastus"
mock_workspace.parameters = None
mock_workspace.encryption = None
mock_workspace.public_network_access = None
mock_client = MagicMock()
mock_client.workspaces = MagicMock()
mock_client.workspaces.list_by_subscription.return_value = [mock_workspace]
with patch(
"prowler.providers.azure.services.databricks.databricks_service.Databricks._get_workspaces",
return_value={},
):
databricks = Databricks(set_mocked_azure_provider())
databricks.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
databricks.resource_groups = None
result = databricks._get_workspaces()
mock_client.workspaces.list_by_subscription.assert_called_once()
mock_client.workspaces.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert "ws-id-1" in result[AZURE_SUBSCRIPTION_ID]
def test_get_workspaces_with_resource_group(self):
mock_workspace = MagicMock()
mock_workspace.id = "ws-id-1"
mock_workspace.name = "my-workspace"
mock_workspace.location = "eastus"
mock_workspace.parameters = None
mock_workspace.encryption = None
mock_workspace.public_network_access = None
mock_client = MagicMock()
mock_client.workspaces = MagicMock()
mock_client.workspaces.list_by_resource_group.return_value = [mock_workspace]
with patch(
"prowler.providers.azure.services.databricks.databricks_service.Databricks._get_workspaces",
return_value={},
):
databricks = Databricks(set_mocked_azure_provider())
databricks.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
databricks.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = databricks._get_workspaces()
mock_client.workspaces.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.workspaces.list_by_subscription.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert "ws-id-1" in result[AZURE_SUBSCRIPTION_ID]
def test_get_workspaces_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.workspaces = MagicMock()
with patch(
"prowler.providers.azure.services.databricks.databricks_service.Databricks._get_workspaces",
return_value={},
):
databricks = Databricks(set_mocked_azure_provider())
databricks.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
databricks.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = databricks._get_workspaces()
mock_client.workspaces.list_by_resource_group.assert_not_called()
mock_client.workspaces.list_by_subscription.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
def test_get_workspaces_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.workspaces = MagicMock()
mock_client.workspaces.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.databricks.databricks_service.Databricks._get_workspaces",
return_value={},
):
databricks = Databricks(set_mocked_azure_provider())
databricks.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
databricks.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = databricks._get_workspaces()
assert mock_client.workspaces.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_workspaces_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.workspaces = MagicMock()
mock_client.workspaces.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.databricks.databricks_service.Databricks._get_workspaces",
return_value={},
):
databricks = Databricks(set_mocked_azure_provider())
databricks.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
databricks.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
databricks._get_workspaces()
mock_client.workspaces.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
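Review bot: `assert mock_client.workspaces.list_by_resource_group.call_count == 2` in `test_get_workspaces_with_multiple_resource_groups` hard-codes the length of `RESOURCE_GROUP_LIST`, so the test breaks if the fixture changes. Compare against `len(RESOURCE_GROUP_LIST)` as the container registry test does, and add `mock_client.workspaces.list_by_subscription.assert_not_called()` so a fallback to the unscoped listing cannot slip through.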
@@ -16,6 +16,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_additional_email_configured_with_a_security_contact: class Test_defender_additional_email_configured_with_a_security_contact:
def test_defender_no_subscriptions(self): def test_defender_no_subscriptions(self):
defender_client = mock.MagicMock() defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {} defender_client.security_contact_configurations = {}
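Review bot: `defender_client.resource_groups = {}` introduces a third value for the scope attribute. The service tests in this commit use `None` for an unfiltered scan and `{AZURE_SUBSCRIPTION_ID: [...]}` for a filtered one; an empty dict is neither, and nothing in this hunk shows how the check interprets it. Set it to `None` if the intent is "no resource group filter", or add a short comment stating that `{}` is treated the same way.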
@@ -40,6 +41,7 @@ class Test_defender_additional_email_configured_with_a_security_contact:
def test_defender_no_additional_emails(self): def test_defender_no_additional_emails(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock() defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = { defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -87,6 +89,7 @@ class Test_defender_additional_email_configured_with_a_security_contact:
def test_defender_additional_email_configured(self): def test_defender_additional_email_configured(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock() defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = { defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_assessments_vm_endpoint_protection_installed: class Test_defender_assessments_vm_endpoint_protection_installed:
def test_defender_no_subscriptions(self): def test_defender_no_subscriptions(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {} defender_client.assessments = {}
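Review bot: `defender_client = mock.MagicMock` (no parentheses) binds the class, so the added `defender_client.resource_groups = {}` sets an attribute on `MagicMock` itself, and every mock created afterwards in the same test session inherits it. That can hide a missing `resource_groups` setup in unrelated tests. Instantiate the mock with `mock.MagicMock()`, as the `Test_defender_additional_email_configured_with_a_security_contact` tests do, before assigning attributes.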
@@ -36,6 +37,7 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
def test_defender_subscriptions_with_no_assessments(self): def test_defender_subscriptions_with_no_assessments(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {AZURE_SUBSCRIPTION_ID: {}} defender_client.assessments = {AZURE_SUBSCRIPTION_ID: {}}
@@ -59,6 +61,7 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
def test_defender_subscriptions_with_healthy_assessments(self): def test_defender_subscriptions_with_healthy_assessments(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client.assessments = { defender_client.assessments = {
@@ -98,6 +101,7 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
def test_defender_subscriptions_with_unhealthy_assessments(self): def test_defender_subscriptions_with_unhealthy_assessments(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client.assessments = { defender_client.assessments = {
@@ -16,6 +16,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_attack_path_notifications_properly_configured: class Test_defender_attack_path_notifications_properly_configured:
def test_no_subscriptions(self): def test_no_subscriptions(self):
defender_client = mock.MagicMock() defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {} defender_client.security_contact_configurations = {}
defender_client.audit_config = {} defender_client.audit_config = {}
@@ -41,6 +42,7 @@ class Test_defender_attack_path_notifications_properly_configured:
resource_id = str(uuid4()) resource_id = str(uuid4())
contact_name = "default" contact_name = "default"
defender_client = mock.MagicMock() defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = { defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -89,6 +91,7 @@ class Test_defender_attack_path_notifications_properly_configured:
resource_id = str(uuid4()) resource_id = str(uuid4())
contact_name = "default" contact_name = "default"
defender_client = mock.MagicMock() defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = { defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -139,6 +142,7 @@ class Test_defender_attack_path_notifications_properly_configured:
resource_id = str(uuid4()) resource_id = str(uuid4())
contact_name = "default" contact_name = "default"
defender_client = mock.MagicMock() defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = { defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -189,6 +193,7 @@ class Test_defender_attack_path_notifications_properly_configured:
resource_id = str(uuid4()) resource_id = str(uuid4())
contact_name = "default" contact_name = "default"
defender_client = mock.MagicMock() defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = { defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -237,6 +242,7 @@ class Test_defender_attack_path_notifications_properly_configured:
resource_id = str(uuid4()) resource_id = str(uuid4())
contact_name = "default" contact_name = "default"
defender_client = mock.MagicMock() defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = { defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -285,6 +291,7 @@ class Test_defender_attack_path_notifications_properly_configured:
resource_id = str(uuid4()) resource_id = str(uuid4())
contact_name = "default" contact_name = "default"
defender_client = mock.MagicMock() defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = { defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -333,6 +340,7 @@ class Test_defender_attack_path_notifications_properly_configured:
resource_id = str(uuid4()) resource_id = str(uuid4())
contact_name = "default" contact_name = "default"
defender_client = mock.MagicMock() defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = { defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -15,6 +15,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_auto_provisioning_log_analytics_agent_vms_on: class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
def test_defender_no_app_services(self): def test_defender_no_app_services(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.auto_provisioning_settings = {} defender_client.auto_provisioning_settings = {}
@@ -39,6 +40,7 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
def test_defender_auto_provisioning_log_analytics_off(self): def test_defender_auto_provisioning_log_analytics_off(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.auto_provisioning_settings = { defender_client.auto_provisioning_settings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -80,6 +82,7 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
def test_defender_auto_provisioning_log_analytics_on(self): def test_defender_auto_provisioning_log_analytics_on(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.auto_provisioning_settings = { defender_client.auto_provisioning_settings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -121,6 +124,7 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
def test_defender_auto_provisioning_log_analytics_on_and_off(self): def test_defender_auto_provisioning_log_analytics_on_and_off(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.auto_provisioning_settings = { defender_client.auto_provisioning_settings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
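Review bot: `defender_client.resource_groups = {}` is pasted by hand into each test of `Test_defender_auto_provisioning_log_analytics_agent_vms_on`, right after the `mock.MagicMock` line. Consider a shared helper or fixture that returns a client with `subscriptions` and `resource_groups` already set, so the next attribute a check starts reading is a one-line change instead of another edit to every test.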
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on: class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
def test_defender_no_app_services(self): def test_defender_no_app_services(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {} defender_client.assessments = {}
@@ -37,6 +38,7 @@ class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
def test_defender_machines_no_vulnerability_assessment_solution(self): def test_defender_machines_no_vulnerability_assessment_solution(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = { defender_client.assessments = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -77,6 +79,7 @@ class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
def test_defender_machines_vulnerability_assessment_solution(self): def test_defender_machines_vulnerability_assessment_solution(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = { defender_client.assessments = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_container_images_resolved_vulnerabilities: class Test_defender_container_images_resolved_vulnerabilities:
def test_defender_no_subscriptions(self): def test_defender_no_subscriptions(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {} defender_client.assessments = {}
@@ -36,6 +37,7 @@ class Test_defender_container_images_resolved_vulnerabilities:
def test_defender_subscription_empty(self): def test_defender_subscription_empty(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {AZURE_SUBSCRIPTION_ID: {}} defender_client.assessments = {AZURE_SUBSCRIPTION_ID: {}}
@@ -59,6 +61,7 @@ class Test_defender_container_images_resolved_vulnerabilities:
def test_defender_subscription_no_assesment(self): def test_defender_subscription_no_assesment(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = { defender_client.assessments = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -90,6 +93,7 @@ class Test_defender_container_images_resolved_vulnerabilities:
def test_defender_subscription_assesment_unhealthy(self): def test_defender_subscription_assesment_unhealthy(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = { defender_client.assessments = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -139,6 +143,7 @@ class Test_defender_container_images_resolved_vulnerabilities:
def test_defender_subscription_assesment_healthy(self): def test_defender_subscription_assesment_healthy(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = { defender_client.assessments = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -188,6 +193,7 @@ class Test_defender_container_images_resolved_vulnerabilities:
def test_defender_subscription_assesment_not_applicable(self): def test_defender_subscription_assesment_not_applicable(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = { defender_client.assessments = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
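Review bot: `resource_groups` is only ever `{}` in the tests of `Test_defender_container_images_resolved_vulnerabilities` shown here, so none of these hunks exercises the resource group filter for this check. Add at least one case with a non-empty `resource_groups` and an assessment that falls outside the selected group, and assert explicitly whether a finding is produced.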
@@ -14,6 +14,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_container_images_scan_enabled: class Test_defender_container_images_scan_enabled:
def test_defender_no_subscriptions(self): def test_defender_no_subscriptions(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {} defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_container_images_scan_enabled:
def test_defender_subscription_empty(self): def test_defender_subscription_empty(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {AZURE_SUBSCRIPTION_ID: {}} defender_client.pricings = {AZURE_SUBSCRIPTION_ID: {}}
@@ -60,6 +62,7 @@ class Test_defender_container_images_scan_enabled:
def test_defender_subscription_no_containers(self): def test_defender_subscription_no_containers(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -92,6 +95,7 @@ class Test_defender_container_images_scan_enabled:
def test_defender_subscription_containers_no_extensions(self): def test_defender_subscription_containers_no_extensions(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -137,6 +141,7 @@ class Test_defender_container_images_scan_enabled:
def test_defender_subscription_containers_container_images_scan_off(self): def test_defender_subscription_containers_container_images_scan_off(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -182,6 +187,7 @@ class Test_defender_container_images_scan_enabled:
def test_defender_subscription_containers_container_images_scan_on(self): def test_defender_subscription_containers_container_images_scan_on(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_app_services_is_on: class Test_defender_ensure_defender_for_app_services_is_on:
def test_defender_no_app_services(self): def test_defender_no_app_services(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {} defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_app_services_is_on:
def test_defender_app_services_pricing_tier_not_standard(self): def test_defender_app_services_pricing_tier_not_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_app_services_is_on:
def test_defender_app_services_pricing_tier_standard(self): def test_defender_app_services_pricing_tier_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
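Review bot: `defender_client.pricings` in `test_defender_app_services_pricing_tier_standard` is keyed by `AZURE_SUBSCRIPTION_ID` only, so the test does not say what a resource group scoped scan should report for a subscription-level Defender plan. State the intended behaviour in a comment or in the test name, and pin it with a case where `resource_groups` is non-empty.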
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_arm_is_on: class Test_defender_ensure_defender_for_arm_is_on:
def test_defender_no_arm(self): def test_defender_no_arm(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {} defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_arm_is_on:
def test_defender_arm_pricing_tier_not_standard(self): def test_defender_arm_pricing_tier_not_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_arm_is_on:
def test_defender_arm_pricing_tier_standard(self): def test_defender_arm_pricing_tier_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_azure_sql_databases_is_on: class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
def test_defender_no_sql_databases(self): def test_defender_no_sql_databases(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {} defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
def test_defender_sql_databases_pricing_tier_not_standard(self): def test_defender_sql_databases_pricing_tier_not_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
def test_defender_sql_databases_pricing_tier_standard(self): def test_defender_sql_databases_pricing_tier_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_containers_is_on: class Test_defender_ensure_defender_for_containers_is_on:
def test_defender_no_container_registries(self): def test_defender_no_container_registries(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {} defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_containers_is_on:
def test_defender_container_registries_pricing_tier_not_standard(self): def test_defender_container_registries_pricing_tier_not_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_containers_is_on:
def test_defender_container_registries_pricing_tier_standard(self): def test_defender_container_registries_pricing_tier_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_cosmosdb_is_on: class Test_defender_ensure_defender_for_cosmosdb_is_on:
def test_defender_no_cosmosdb(self): def test_defender_no_cosmosdb(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {} defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_cosmosdb_is_on:
def test_defender_cosmosdb_pricing_tier_not_standard(self): def test_defender_cosmosdb_pricing_tier_not_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_cosmosdb_is_on:
def test_defender_cosmosdb_pricing_tier_standard(self): def test_defender_cosmosdb_pricing_tier_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_databases_is_on: class Test_defender_ensure_defender_for_databases_is_on:
def test_defender_no_databases(self): def test_defender_no_databases(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {} defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
def test_defender_databases_sql_servers(self): def test_defender_databases_sql_servers(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -70,6 +72,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
def test_defender_databases_sql_server_virtual_machines(self): def test_defender_databases_sql_server_virtual_machines(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -103,6 +106,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
def test_defender_databases_open_source_relation_databases(self): def test_defender_databases_open_source_relation_databases(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -136,6 +140,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
def test_defender_databases_cosmosdbs(self): def test_defender_databases_cosmosdbs(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -169,6 +174,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
def test_defender_databases_all_standard(self): def test_defender_databases_all_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -228,6 +234,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
def test_defender_databases_cosmosdb_not_standard(self): def test_defender_databases_cosmosdb_not_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_dns_is_on: class Test_defender_ensure_defender_for_dns_is_on:
def test_defender_no_dns(self): def test_defender_no_dns(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {} defender_client.pricings = {}
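Review bot: the literal `{}` assigned to `resource_groups` in `test_defender_no_dns` gives no hint of the mapping's expected shape (what the keys and values are). Since this file already imports `AZURE_SUBSCRIPTION_ID` and `AZURE_SUBSCRIPTION_NAME` from `tests.providers.azure.azure_fixtures`, a named constant there for the empty and for a sample populated mapping would document the shape and keep the tests consistent.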
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_dns_is_on:
def test_defender_dns_pricing_tier_not_standard(self): def test_defender_dns_pricing_tier_not_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_dns_is_on:
def test_defender_dns_pricing_tier_standard(self): def test_defender_dns_pricing_tier_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_keyvault_is_on: class Test_defender_ensure_defender_for_keyvault_is_on:
def test_defender_no_keyvaults(self): def test_defender_no_keyvaults(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {} defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_keyvault_is_on:
def test_defender_keyvaults_pricing_tier_not_standard(self): def test_defender_keyvaults_pricing_tier_not_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_keyvault_is_on:
def test_defender_keyvaults_pricing_tier_standard(self): def test_defender_keyvaults_pricing_tier_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_os_relational_databases_is_on: class Test_defender_ensure_defender_for_os_relational_databases_is_on:
def test_defender_no_os_relational_databases(self): def test_defender_no_os_relational_databases(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {} defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_os_relational_databases_is_on:
def test_defender_os_relational_databases_pricing_tier_not_standard(self): def test_defender_os_relational_databases_pricing_tier_not_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -81,6 +83,7 @@ class Test_defender_ensure_defender_for_os_relational_databases_is_on:
def test_defender_os_relational_databases_pricing_tier_standard(self): def test_defender_os_relational_databases_pricing_tier_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_server_is_on: class Test_defender_ensure_defender_for_server_is_on:
def test_defender_no_server(self): def test_defender_no_server(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {} defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_server_is_on:
def test_defender_server_pricing_tier_not_standard(self): def test_defender_server_pricing_tier_not_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_server_is_on:
def test_defender_server_pricing_tier_standard(self): def test_defender_server_pricing_tier_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_sql_servers_is_on: class Test_defender_ensure_defender_for_sql_servers_is_on:
def test_defender_no_server(self): def test_defender_no_server(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {} defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_sql_servers_is_on:
def test_defender_server_pricing_tier_not_standard(self): def test_defender_server_pricing_tier_not_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_sql_servers_is_on:
def test_defender_server_pricing_tier_standard(self): def test_defender_server_pricing_tier_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_defender_for_storage_is_on: class Test_defender_ensure_defender_for_storage_is_on:
def test_defender_no_server(self): def test_defender_no_server(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = {} defender_client.pricings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_defender_for_storage_is_on:
def test_defender_server_pricing_tier_not_standard(self): def test_defender_server_pricing_tier_not_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -78,6 +80,7 @@ class Test_defender_ensure_defender_for_storage_is_on:
def test_defender_server_pricing_tier_standard(self): def test_defender_server_pricing_tier_standard(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.pricings = { defender_client.pricings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -15,6 +15,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_iot_hub_defender_is_on: class Test_defender_ensure_iot_hub_defender_is_on:
def test_defender_no_subscriptions(self): def test_defender_no_subscriptions(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.iot_security_solutions = {} defender_client.iot_security_solutions = {}
@@ -38,6 +39,7 @@ class Test_defender_ensure_iot_hub_defender_is_on:
def test_defender_no_iot_hub_solutions(self): def test_defender_no_iot_hub_solutions(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.iot_security_solutions = {AZURE_SUBSCRIPTION_ID: {}} defender_client.iot_security_solutions = {AZURE_SUBSCRIPTION_ID: {}}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
@@ -69,6 +71,7 @@ class Test_defender_ensure_iot_hub_defender_is_on:
def test_defender_iot_hub_solution_disabled(self): def test_defender_iot_hub_solution_disabled(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.iot_security_solutions = { defender_client.iot_security_solutions = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -106,6 +109,7 @@ class Test_defender_ensure_iot_hub_defender_is_on:
def test_defender_iot_hub_solution_enabled(self): def test_defender_iot_hub_solution_enabled(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.iot_security_solutions = { defender_client.iot_security_solutions = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -145,6 +149,7 @@ class Test_defender_ensure_iot_hub_defender_is_on:
resource_id_enabled = str(uuid4()) resource_id_enabled = str(uuid4())
resource_id_disabled = str(uuid4()) resource_id_disabled = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.iot_security_solutions = { defender_client.iot_security_solutions = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_mcas_is_enabled: class Test_defender_ensure_mcas_is_enabled:
def test_defender_no_settings(self): def test_defender_no_settings(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.settings = {} defender_client.settings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_mcas_is_enabled:
def test_defender_mcas_disabled(self): def test_defender_mcas_disabled(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.settings = { defender_client.settings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -79,6 +81,7 @@ class Test_defender_ensure_mcas_is_enabled:
def test_defender_mcas_enabled(self): def test_defender_mcas_enabled(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.settings = { defender_client.settings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -120,6 +123,7 @@ class Test_defender_ensure_mcas_is_enabled:
def test_defender_mcas_no_settings(self): def test_defender_mcas_no_settings(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.settings = {AZURE_SUBSCRIPTION_ID: {}} defender_client.settings = {AZURE_SUBSCRIPTION_ID: {}}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
@@ -16,6 +16,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_notify_alerts_severity_is_high: class Test_defender_ensure_notify_alerts_severity_is_high:
def test_defender_no_subscriptions(self): def test_defender_no_subscriptions(self):
defender_client = mock.MagicMock() defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {} defender_client.security_contact_configurations = {}
@@ -40,6 +41,7 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
def test_defender_severity_alerts_critical(self): def test_defender_severity_alerts_critical(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock() defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = { defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -87,6 +89,7 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
def test_defender_severity_alerts_high(self): def test_defender_severity_alerts_high(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock() defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = { defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -135,6 +138,7 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
def test_defender_severity_alerts_low(self): def test_defender_severity_alerts_low(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock() defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = { defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -182,6 +186,7 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
def test_defender_default_security_contact_not_found(self): def test_defender_default_security_contact_not_found(self):
defender_client = mock.MagicMock() defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = { defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -16,6 +16,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_notify_emails_to_owners: class Test_defender_ensure_notify_emails_to_owners:
def test_defender_no_subscriptions(self): def test_defender_no_subscriptions(self):
defender_client = mock.MagicMock() defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = {} defender_client.security_contact_configurations = {}
@@ -40,6 +41,7 @@ class Test_defender_ensure_notify_emails_to_owners:
def test_defender_no_notify_emails_to_owners(self): def test_defender_no_notify_emails_to_owners(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock() defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = { defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -80,6 +82,7 @@ class Test_defender_ensure_notify_emails_to_owners:
def test_defender_notify_emails_to_owners_off(self): def test_defender_notify_emails_to_owners_off(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock() defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = { defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -127,6 +130,7 @@ class Test_defender_ensure_notify_emails_to_owners:
def test_defender_notify_emails_to_owners(self): def test_defender_notify_emails_to_owners(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock() defender_client = mock.MagicMock()
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.security_contact_configurations = { defender_client.security_contact_configurations = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_system_updates_are_applied: class Test_defender_ensure_system_updates_are_applied:
def test_defender_no_app_services(self): def test_defender_no_app_services(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = {} defender_client.assessments = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_system_updates_are_applied:
def test_defender_machines_no_log_analytics_installed(self): def test_defender_machines_no_log_analytics_installed(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = { defender_client.assessments = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -89,6 +91,7 @@ class Test_defender_ensure_system_updates_are_applied:
): ):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = { defender_client.assessments = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -139,6 +142,7 @@ class Test_defender_ensure_system_updates_are_applied:
def test_defender_machines_no_system_updates_installed(self): def test_defender_machines_no_system_updates_installed(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = { defender_client.assessments = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -191,6 +195,7 @@ class Test_defender_ensure_system_updates_are_applied:
): ):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.assessments = { defender_client.assessments = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_defender_ensure_wdatp_is_enabled: class Test_defender_ensure_wdatp_is_enabled:
def test_defender_no_settings(self): def test_defender_no_settings(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.settings = {} defender_client.settings = {}
@@ -37,6 +38,7 @@ class Test_defender_ensure_wdatp_is_enabled:
def test_defender_wdatp_disabled(self): def test_defender_wdatp_disabled(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.settings = { defender_client.settings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -79,6 +81,7 @@ class Test_defender_ensure_wdatp_is_enabled:
def test_defender_wdatp_enabled(self): def test_defender_wdatp_enabled(self):
resource_id = str(uuid4()) resource_id = str(uuid4())
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.settings = { defender_client.settings = {
AZURE_SUBSCRIPTION_ID: { AZURE_SUBSCRIPTION_ID: {
@@ -120,6 +123,7 @@ class Test_defender_ensure_wdatp_is_enabled:
def test_defender_wdatp_no_settings(self): def test_defender_wdatp_no_settings(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.settings = {AZURE_SUBSCRIPTION_ID: {}} defender_client.settings = {AZURE_SUBSCRIPTION_ID: {}}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
@@ -1,5 +1,5 @@
from datetime import timedelta from datetime import timedelta
from unittest.mock import patch from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.defender.defender_service import ( from prowler.providers.azure.services.defender.defender_service import (
Assesment, Assesment,
@@ -13,6 +13,8 @@ from prowler.providers.azure.services.defender.defender_service import (
) )
from tests.providers.azure.azure_fixtures import ( from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID, AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider, set_mocked_azure_provider,
) )
@@ -358,3 +360,263 @@ class Test_Defender_Service_Assessments_None_Handling:
"Assessment Unhealthy" "Assessment Unhealthy"
] ]
assert assessment_unhealthy.status == "Unhealthy" assert assessment_unhealthy.status == "Unhealthy"
DEFENDER_INIT_PATCHES = [
"prowler.providers.azure.services.defender.defender_service.Defender._get_pricings",
"prowler.providers.azure.services.defender.defender_service.Defender._get_auto_provisioning_settings",
"prowler.providers.azure.services.defender.defender_service.Defender._get_assessments",
"prowler.providers.azure.services.defender.defender_service.Defender._get_settings",
"prowler.providers.azure.services.defender.defender_service.Defender._get_security_contacts",
"prowler.providers.azure.services.defender.defender_service.Defender._get_iot_security_solutions",
"prowler.providers.azure.services.defender.defender_service.Defender._get_jit_policies",
]
class Test_Defender_get_iot_security_solutions:
def test_get_iot_security_solutions_no_resource_groups(self):
mock_client = MagicMock()
mock_client.iot_security_solution.list_by_subscription.return_value = []
with (
patch(DEFENDER_INIT_PATCHES[0], return_value={}),
patch(DEFENDER_INIT_PATCHES[1], return_value={}),
patch(DEFENDER_INIT_PATCHES[2], return_value={}),
patch(DEFENDER_INIT_PATCHES[3], return_value={}),
patch(DEFENDER_INIT_PATCHES[4], return_value={}),
patch(DEFENDER_INIT_PATCHES[5], return_value={}),
patch(DEFENDER_INIT_PATCHES[6], return_value={}),
):
defender = Defender(set_mocked_azure_provider())
defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
defender.resource_groups = None
result = defender._get_iot_security_solutions()
mock_client.iot_security_solution.list_by_subscription.assert_called_once()
mock_client.iot_security_solution.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_iot_security_solutions_with_resource_group(self):
mock_client = MagicMock()
mock_client.iot_security_solution.list_by_resource_group.return_value = []
with (
patch(DEFENDER_INIT_PATCHES[0], return_value={}),
patch(DEFENDER_INIT_PATCHES[1], return_value={}),
patch(DEFENDER_INIT_PATCHES[2], return_value={}),
patch(DEFENDER_INIT_PATCHES[3], return_value={}),
patch(DEFENDER_INIT_PATCHES[4], return_value={}),
patch(DEFENDER_INIT_PATCHES[5], return_value={}),
patch(DEFENDER_INIT_PATCHES[6], return_value={}),
):
defender = Defender(set_mocked_azure_provider())
defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
defender.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = defender._get_iot_security_solutions()
mock_client.iot_security_solution.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.iot_security_solution.list_by_subscription.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_iot_security_solutions_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with (
patch(DEFENDER_INIT_PATCHES[0], return_value={}),
patch(DEFENDER_INIT_PATCHES[1], return_value={}),
patch(DEFENDER_INIT_PATCHES[2], return_value={}),
patch(DEFENDER_INIT_PATCHES[3], return_value={}),
patch(DEFENDER_INIT_PATCHES[4], return_value={}),
patch(DEFENDER_INIT_PATCHES[5], return_value={}),
patch(DEFENDER_INIT_PATCHES[6], return_value={}),
):
defender = Defender(set_mocked_azure_provider())
defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
defender.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = defender._get_iot_security_solutions()
mock_client.iot_security_solution.list_by_resource_group.assert_not_called()
mock_client.iot_security_solution.list_by_subscription.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
class Test_Defender_get_jit_policies:
def test_get_jit_policies_no_resource_groups(self):
mock_client = MagicMock()
mock_client.jit_network_access_policies.list.return_value = []
with (
patch(DEFENDER_INIT_PATCHES[0], return_value={}),
patch(DEFENDER_INIT_PATCHES[1], return_value={}),
patch(DEFENDER_INIT_PATCHES[2], return_value={}),
patch(DEFENDER_INIT_PATCHES[3], return_value={}),
patch(DEFENDER_INIT_PATCHES[4], return_value={}),
patch(DEFENDER_INIT_PATCHES[5], return_value={}),
patch(DEFENDER_INIT_PATCHES[6], return_value={}),
):
defender = Defender(set_mocked_azure_provider())
defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
defender.resource_groups = None
result = defender._get_jit_policies()
mock_client.jit_network_access_policies.list.assert_called_once()
mock_client.jit_network_access_policies.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_jit_policies_with_resource_group(self):
mock_client = MagicMock()
mock_client.jit_network_access_policies.list_by_resource_group.return_value = []
with (
patch(DEFENDER_INIT_PATCHES[0], return_value={}),
patch(DEFENDER_INIT_PATCHES[1], return_value={}),
patch(DEFENDER_INIT_PATCHES[2], return_value={}),
patch(DEFENDER_INIT_PATCHES[3], return_value={}),
patch(DEFENDER_INIT_PATCHES[4], return_value={}),
patch(DEFENDER_INIT_PATCHES[5], return_value={}),
patch(DEFENDER_INIT_PATCHES[6], return_value={}),
):
defender = Defender(set_mocked_azure_provider())
defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
defender.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = defender._get_jit_policies()
mock_client.jit_network_access_policies.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.jit_network_access_policies.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_jit_policies_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with (
patch(DEFENDER_INIT_PATCHES[0], return_value={}),
patch(DEFENDER_INIT_PATCHES[1], return_value={}),
patch(DEFENDER_INIT_PATCHES[2], return_value={}),
patch(DEFENDER_INIT_PATCHES[3], return_value={}),
patch(DEFENDER_INIT_PATCHES[4], return_value={}),
patch(DEFENDER_INIT_PATCHES[5], return_value={}),
patch(DEFENDER_INIT_PATCHES[6], return_value={}),
):
defender = Defender(set_mocked_azure_provider())
defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
defender.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = defender._get_jit_policies()
mock_client.jit_network_access_policies.list_by_resource_group.assert_not_called()
mock_client.jit_network_access_policies.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
def test_get_iot_security_solutions_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.iot_security_solution.list_by_resource_group.return_value = []
with (
patch(DEFENDER_INIT_PATCHES[0], return_value={}),
patch(DEFENDER_INIT_PATCHES[1], return_value={}),
patch(DEFENDER_INIT_PATCHES[2], return_value={}),
patch(DEFENDER_INIT_PATCHES[3], return_value={}),
patch(DEFENDER_INIT_PATCHES[4], return_value={}),
patch(DEFENDER_INIT_PATCHES[5], return_value={}),
patch(DEFENDER_INIT_PATCHES[6], return_value={}),
):
defender = Defender(set_mocked_azure_provider())
defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
defender.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = defender._get_iot_security_solutions()
assert mock_client.iot_security_solution.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_iot_security_solutions_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.iot_security_solution.list_by_resource_group.return_value = []
with (
patch(DEFENDER_INIT_PATCHES[0], return_value={}),
patch(DEFENDER_INIT_PATCHES[1], return_value={}),
patch(DEFENDER_INIT_PATCHES[2], return_value={}),
patch(DEFENDER_INIT_PATCHES[3], return_value={}),
patch(DEFENDER_INIT_PATCHES[4], return_value={}),
patch(DEFENDER_INIT_PATCHES[5], return_value={}),
patch(DEFENDER_INIT_PATCHES[6], return_value={}),
):
defender = Defender(set_mocked_azure_provider())
defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
defender.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
defender._get_iot_security_solutions()
mock_client.iot_security_solution.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
class Test_Defender_get_jit_policies_extra:
def test_get_jit_policies_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.jit_network_access_policies.list_by_resource_group.return_value = []
with (
patch(DEFENDER_INIT_PATCHES[0], return_value={}),
patch(DEFENDER_INIT_PATCHES[1], return_value={}),
patch(DEFENDER_INIT_PATCHES[2], return_value={}),
patch(DEFENDER_INIT_PATCHES[3], return_value={}),
patch(DEFENDER_INIT_PATCHES[4], return_value={}),
patch(DEFENDER_INIT_PATCHES[5], return_value={}),
patch(DEFENDER_INIT_PATCHES[6], return_value={}),
):
defender = Defender(set_mocked_azure_provider())
defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
defender.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = defender._get_jit_policies()
assert (
mock_client.jit_network_access_policies.list_by_resource_group.call_count
== 2
)
assert AZURE_SUBSCRIPTION_ID in result
def test_get_jit_policies_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.jit_network_access_policies.list_by_resource_group.return_value = []
with (
patch(DEFENDER_INIT_PATCHES[0], return_value={}),
patch(DEFENDER_INIT_PATCHES[1], return_value={}),
patch(DEFENDER_INIT_PATCHES[2], return_value={}),
patch(DEFENDER_INIT_PATCHES[3], return_value={}),
patch(DEFENDER_INIT_PATCHES[4], return_value={}),
patch(DEFENDER_INIT_PATCHES[5], return_value={}),
patch(DEFENDER_INIT_PATCHES[6], return_value={}),
):
defender = Defender(set_mocked_azure_provider())
defender.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
defender.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
defender._get_jit_policies()
mock_client.jit_network_access_policies.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
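Review bot: The new service tests cover `resource_groups = None`, a populated list and `{AZURE_SUBSCRIPTION_ID: []}`, but not the empty dict `{}` that the check tests in this commit assign to their mocked clients, so nothing here pins whether `{}` means "scan the whole subscription" or "scan nothing". Add a `defender.resource_groups = {}` case for both `_get_iot_security_solutions` and `_get_jit_policies`, with explicit assertions on `list_by_subscription` / `list` versus `list_by_resource_group`. Separately, the two `..._with_mixed_case_resource_group` tests pass "RG", which is all upper case, and only assert that the string is forwarded unchanged; use a genuinely mixed-case value such as "Rg-Prod" or rename the tests to say what they check. The two `test_get_iot_security_solutions_with_*` tests also appear after the `class Test_Defender_get_jit_policies:` header and belong with `Test_Defender_get_iot_security_solutions`.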
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_conditional_access_policy_require_mfa_for_admin_portals: class Test_entra_conditional_access_policy_require_mfa_for_admin_portals:
def test_entra_no_subscriptions(self): def test_entra_no_subscriptions(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -30,7 +30,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_admin_portals:
def test_entra_tenant_no_policies(self): def test_entra_tenant_no_policies(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -61,6 +61,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_admin_portals:
def test_entra_tenant_policy_no_mfa(self): def test_entra_tenant_policy_no_mfa(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
policy_id = str(uuid4()) policy_id = str(uuid4())
with ( with (
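Review bot: Nothing visible in `test_entra_tenant_policy_no_mfa` explains why the mocked Entra client needs `entra_client.resource_groups = {}`: the test name and `policy_id` setup concern a tenant-level conditional access policy, not a resource in a resource group. If the attribute exists only so a shared code path does not trip over a mock, set it once in a fixture and note that in a comment; if Entra checks are meant to be skipped, or to run unchanged, when `--azure-resource-group` is passed, add a test that pins that behaviour so a scoped scan cannot silently drop or include them.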
@@ -105,6 +106,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_admin_portals:
def test_entra_tenant_policy_mfa(self): def test_entra_tenant_policy_mfa(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
policy_id = str(uuid4()) policy_id = str(uuid4())
with ( with (
@@ -149,6 +151,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_admin_portals:
def test_entra_tenant_policy_mfa_disabled(self): def test_entra_tenant_policy_mfa_disabled(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
policy_id = str(uuid4()) policy_id = str(uuid4())
with ( with (
@@ -193,6 +196,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_admin_portals:
def test_entra_tenant_policy_mfa_no_target(self): def test_entra_tenant_policy_mfa_no_target(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
policy_id = str(uuid4()) policy_id = str(uuid4())
with ( with (
@@ -237,6 +241,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_admin_portals:
def test_entra_tenant_policy_mfa_no_users(self): def test_entra_tenant_policy_mfa_no_users(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
policy_id = str(uuid4()) policy_id = str(uuid4())
with ( with (
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_conditional_access_policy_require_mfa_for_management_api: class Test_entra_conditional_access_policy_require_mfa_for_management_api:
def test_entra_no_subscriptions(self): def test_entra_no_subscriptions(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -30,7 +30,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_management_api:
def test_entra_tenant_no_policies(self): def test_entra_tenant_no_policies(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -61,6 +61,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_management_api:
def test_entra_tenant_policy_no_mfa(self): def test_entra_tenant_policy_no_mfa(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
policy_id = str(uuid4()) policy_id = str(uuid4())
with ( with (
@@ -105,6 +106,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_management_api:
def test_entra_tenant_policy_mfa(self): def test_entra_tenant_policy_mfa(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
policy_id = str(uuid4()) policy_id = str(uuid4())
with ( with (
@@ -149,6 +151,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_management_api:
def test_entra_tenant_policy_mfa_disabled(self): def test_entra_tenant_policy_mfa_disabled(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
policy_id = str(uuid4()) policy_id = str(uuid4())
with ( with (
@@ -193,6 +196,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_management_api:
def test_entra_tenant_policy_mfa_no_target(self): def test_entra_tenant_policy_mfa_no_target(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
policy_id = str(uuid4()) policy_id = str(uuid4())
with ( with (
@@ -237,6 +241,7 @@ class Test_entra_conditional_access_policy_require_mfa_for_management_api:
def test_entra_tenant_policy_mfa_no_users(self): def test_entra_tenant_policy_mfa_no_users(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
policy_id = str(uuid4()) policy_id = str(uuid4())
with ( with (
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_global_admin_in_less_than_five_users: class Test_entra_global_admin_in_less_than_five_users:
def test_entra_no_tenants(self): def test_entra_no_tenants(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
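Review bot: the line `entra_client.resource_groups = {}` is added by hand right after `entra_client = mock.MagicMock` in `test_entra_no_tenants`, and the same line is repeated in every other Entra test in this patch. A small helper next to `set_mocked_azure_provider` in `tests.providers.azure.azure_fixtures` that returns a client mock with `resource_groups` already set would remove the repetition and keep the default in one place if its shape changes later.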
@@ -32,7 +32,7 @@ class Test_entra_global_admin_in_less_than_five_users:
def test_entra_tenant_empty(self): def test_entra_tenant_empty(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -57,7 +57,7 @@ class Test_entra_global_admin_in_less_than_five_users:
def test_entra_less_than_five_global_admins(self): def test_entra_less_than_five_global_admins(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -110,7 +110,7 @@ class Test_entra_global_admin_in_less_than_five_users:
def test_entra_more_than_five_global_admins(self): def test_entra_more_than_five_global_admins(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -178,7 +178,7 @@ class Test_entra_global_admin_in_less_than_five_users:
def test_entra_exactly_five_global_admins(self): def test_entra_exactly_five_global_admins(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_non_privileged_user_has_mfa: class Test_entra_non_privileged_user_has_mfa:
def test_entra_no_tenants(self): def test_entra_no_tenants(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -30,7 +30,7 @@ class Test_entra_non_privileged_user_has_mfa:
def test_entra_tenant_no_users(self): def test_entra_tenant_no_users(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -53,6 +53,7 @@ class Test_entra_non_privileged_user_has_mfa:
def test_entra_user_no_privileged_no_mfa(self): def test_entra_user_no_privileged_no_mfa(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
user_id = str(uuid4()) user_id = str(uuid4())
with ( with (
@@ -100,6 +101,7 @@ class Test_entra_non_privileged_user_has_mfa:
def test_entra_user_no_privileged_mfa(self): def test_entra_user_no_privileged_mfa(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
user_id = str(uuid4()) user_id = str(uuid4())
with ( with (
@@ -144,6 +146,7 @@ class Test_entra_non_privileged_user_has_mfa:
def test_entra_disabled_user_no_privileged_no_mfa(self): def test_entra_disabled_user_no_privileged_no_mfa(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
user_id = str(uuid4()) user_id = str(uuid4())
with ( with (
@@ -184,6 +187,7 @@ class Test_entra_non_privileged_user_has_mfa:
def test_entra_disabled_user_no_privileged_mfa(self): def test_entra_disabled_user_no_privileged_mfa(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
user_id = str(uuid4()) user_id = str(uuid4())
with ( with (
@@ -224,6 +228,7 @@ class Test_entra_non_privileged_user_has_mfa:
def test_entra_user_privileged_no_mfa(self): def test_entra_user_privileged_no_mfa(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
user_id = str(uuid4()) user_id = str(uuid4())
with ( with (
@@ -265,6 +270,7 @@ class Test_entra_non_privileged_user_has_mfa:
def test_entra_user_privileged_mfa(self): def test_entra_user_privileged_mfa(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
user_id = str(uuid4()) user_id = str(uuid4())
with ( with (
@@ -7,6 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_policy_default_users_cannot_create_security_groups: class Test_entra_policy_default_users_cannot_create_security_groups:
def test_entra_no_tenants(self): def test_entra_no_tenants(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
entra_client.authorization_policy = {} entra_client.authorization_policy = {}
with ( with (
@@ -29,6 +30,7 @@ class Test_entra_policy_default_users_cannot_create_security_groups:
def test_entra_tenant_empty(self): def test_entra_tenant_empty(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4()) id = str(uuid4())
with ( with (
@@ -75,6 +77,7 @@ class Test_entra_policy_default_users_cannot_create_security_groups:
self, self,
): ):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4()) id = str(uuid4())
with ( with (
@@ -124,6 +127,7 @@ class Test_entra_policy_default_users_cannot_create_security_groups:
self, self,
): ):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4()) id = str(uuid4())
with ( with (
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_policy_ensure_default_user_cannot_create_apps: class Test_entra_policy_ensure_default_user_cannot_create_apps:
def test_entra_no_tenants(self): def test_entra_no_tenants(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -30,6 +30,7 @@ class Test_entra_policy_ensure_default_user_cannot_create_apps:
def test_entra_tenant_empty(self): def test_entra_tenant_empty(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4()) id = str(uuid4())
with ( with (
@@ -75,7 +76,7 @@ class Test_entra_policy_ensure_default_user_cannot_create_apps:
def test_entra_default_user_role_permissions_not_allowed_to_create_apps(self): def test_entra_default_user_role_permissions_not_allowed_to_create_apps(self):
id = str(uuid4()) id = str(uuid4())
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -122,7 +123,7 @@ class Test_entra_policy_ensure_default_user_cannot_create_apps:
def test_entra_default_user_role_permissions_allowed_to_create_apps(self): def test_entra_default_user_role_permissions_allowed_to_create_apps(self):
id = str(uuid4()) id = str(uuid4())
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -7,6 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_policy_ensure_default_user_cannot_create_tenants: class Test_entra_policy_ensure_default_user_cannot_create_tenants:
def test_entra_no_tenants(self): def test_entra_no_tenants(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
entra_client.authorization_policy = {} entra_client.authorization_policy = {}
with ( with (
@@ -29,6 +30,7 @@ class Test_entra_policy_ensure_default_user_cannot_create_tenants:
def test_entra_empty_tenant(self): def test_entra_empty_tenant(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4()) id = str(uuid4())
with ( with (
@@ -74,7 +76,7 @@ class Test_entra_policy_ensure_default_user_cannot_create_tenants:
def test_entra_default_user_role_permissions_not_allowed_to_create_tenants(self): def test_entra_default_user_role_permissions_not_allowed_to_create_tenants(self):
id = str(uuid4()) id = str(uuid4())
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -121,7 +123,7 @@ class Test_entra_policy_ensure_default_user_cannot_create_tenants:
def test_entra_default_user_role_permissions_allowed_to_create_tenants(self): def test_entra_default_user_role_permissions_allowed_to_create_tenants(self):
id = str(uuid4()) id = str(uuid4())
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_policy_guest_invite_only_for_admin_roles: class Test_entra_policy_guest_invite_only_for_admin_roles:
def test_entra_no_tenants(self): def test_entra_no_tenants(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -30,6 +30,7 @@ class Test_entra_policy_guest_invite_only_for_admin_roles:
def test_entra_empty_tenant(self): def test_entra_empty_tenant(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4()) id = str(uuid4())
with ( with (
@@ -76,6 +77,7 @@ class Test_entra_policy_guest_invite_only_for_admin_roles:
def test_entra_tenant_policy_allow_invites_from_everyone(self): def test_entra_tenant_policy_allow_invites_from_everyone(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4()) id = str(uuid4())
with ( with (
@@ -120,6 +122,7 @@ class Test_entra_policy_guest_invite_only_for_admin_roles:
def test_entra_tenant_policy_allow_invites_from_admins(self): def test_entra_tenant_policy_allow_invites_from_admins(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4()) id = str(uuid4())
with ( with (
@@ -164,6 +167,7 @@ class Test_entra_policy_guest_invite_only_for_admin_roles:
def test_entra_tenant_policy_allow_invites_from_none(self): def test_entra_tenant_policy_allow_invites_from_none(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4()) id = str(uuid4())
with ( with (
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_policy_guest_users_access_restrictions: class Test_entra_policy_guest_users_access_restrictions:
def test_entra_no_tenants(self): def test_entra_no_tenants(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -30,6 +30,7 @@ class Test_entra_policy_guest_users_access_restrictions:
def test_entra_tenant_empty(self): def test_entra_tenant_empty(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4()) id = str(uuid4())
with ( with (
@@ -74,6 +75,7 @@ class Test_entra_policy_guest_users_access_restrictions:
def test_entra_tenant_policy_access_same_as_member(self): def test_entra_tenant_policy_access_same_as_member(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4()) id = str(uuid4())
with ( with (
@@ -117,6 +119,7 @@ class Test_entra_policy_guest_users_access_restrictions:
def test_entra_tenant_policy_limited_access(self): def test_entra_tenant_policy_limited_access(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4()) id = str(uuid4())
with ( with (
@@ -160,6 +163,7 @@ class Test_entra_policy_guest_users_access_restrictions:
def test_entra_tenant_policy_access_restricted(self): def test_entra_tenant_policy_access_restricted(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4()) id = str(uuid4())
with ( with (
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_policy_restricts_user_consent_for_apps: class Test_entra_policy_restricts_user_consent_for_apps:
def test_entra_no_tenants(self): def test_entra_no_tenants(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -30,6 +30,7 @@ class Test_entra_policy_restricts_user_consent_for_apps:
def test_entra_tenant_empty(self): def test_entra_tenant_empty(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
id = str(uuid4()) id = str(uuid4())
with ( with (
@@ -74,7 +75,7 @@ class Test_entra_policy_restricts_user_consent_for_apps:
def test_entra_tenant_no_default_user_role_permissions(self): def test_entra_tenant_no_default_user_role_permissions(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -116,7 +117,7 @@ class Test_entra_policy_restricts_user_consent_for_apps:
def test_entra_tenant_no_consent(self): def test_entra_tenant_no_consent(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -162,7 +163,7 @@ class Test_entra_policy_restricts_user_consent_for_apps:
def test_entra_tenant_legacy_consent(self): def test_entra_tenant_legacy_consent(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_policy_user_consent_for_verified_apps: class Test_entra_policy_user_consent_for_verified_apps:
def test_entra_no_subscriptions(self): def test_entra_no_subscriptions(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -30,7 +30,7 @@ class Test_entra_policy_user_consent_for_verified_apps:
def test_entra_tenant_no_consent(self): def test_entra_tenant_no_consent(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -76,7 +76,7 @@ class Test_entra_policy_user_consent_for_verified_apps:
def test_entra_tenant_legacy_consent(self): def test_entra_tenant_legacy_consent(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_privileged_user_has_mfa: class Test_entra_privileged_user_has_mfa:
def test_entra_no_tenants(self): def test_entra_no_tenants(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -30,7 +30,7 @@ class Test_entra_privileged_user_has_mfa:
def test_entra_tenant_no_users(self): def test_entra_tenant_no_users(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -53,6 +53,7 @@ class Test_entra_privileged_user_has_mfa:
def test_entra_user_no_privileged_no_mfa(self): def test_entra_user_no_privileged_no_mfa(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
user_id = str(uuid4()) user_id = str(uuid4())
with ( with (
@@ -92,6 +93,7 @@ class Test_entra_privileged_user_has_mfa:
def test_entra_user_no_privileged_mfa(self): def test_entra_user_no_privileged_mfa(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
user_id = str(uuid4()) user_id = str(uuid4())
with ( with (
@@ -131,6 +133,7 @@ class Test_entra_privileged_user_has_mfa:
def test_entra_user_privileged_no_mfa(self): def test_entra_user_privileged_no_mfa(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
user_id = str(uuid4()) user_id = str(uuid4())
with ( with (
@@ -177,6 +180,7 @@ class Test_entra_privileged_user_has_mfa:
def test_entra_user_privileged_mfa(self): def test_entra_user_privileged_mfa(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
user_id = str(uuid4()) user_id = str(uuid4())
with ( with (
@@ -7,7 +7,7 @@ from tests.providers.azure.azure_fixtures import DOMAIN, set_mocked_azure_provid
class Test_entra_security_defaults_enabled: class Test_entra_security_defaults_enabled:
def test_entra_no_tenants(self): def test_entra_no_tenants(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -30,7 +30,7 @@ class Test_entra_security_defaults_enabled:
def test_entra_tenant_empty(self): def test_entra_tenant_empty(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -58,7 +58,7 @@ class Test_entra_security_defaults_enabled:
def test_entra_security_default_enabled(self): def test_entra_security_default_enabled(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -93,7 +93,7 @@ class Test_entra_security_defaults_enabled:
def test_entra_security_default_disabled(self): def test_entra_security_default_disabled(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -10,7 +10,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_entra_trusted_named_locations_exists: class Test_entra_trusted_named_locations_exists:
def test_entra_no_tenants(self): def test_entra_no_tenants(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -34,7 +34,7 @@ class Test_entra_trusted_named_locations_exists:
def test_entra_tenant_empty(self): def test_entra_tenant_empty(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -67,7 +67,7 @@ class Test_entra_trusted_named_locations_exists:
def test_entra_named_location_with_ip_ranges(self): def test_entra_named_location_with_ip_ranges(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -111,7 +111,7 @@ class Test_entra_trusted_named_locations_exists:
def test_entra_named_location_without_ip_ranges(self): def test_entra_named_location_without_ip_ranges(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -156,7 +156,7 @@ class Test_entra_trusted_named_locations_exists:
def test_entra_new_named_location_with_ip_ranges_not_trusted(self): def test_entra_new_named_location_with_ip_ranges_not_trusted(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -14,10 +14,11 @@ from tests.providers.azure.azure_fixtures import (
class Test_iam_assignment_priviledge_access_vm_has_mfa: class Test_iam_assignment_priviledge_access_vm_has_mfa:
def test_iam_no_roles(self): def test_iam_no_roles(self):
iam_client = mock.MagicMock iam_client = mock.MagicMock
iam_client.resource_groups = {}
iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
entra_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} entra_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
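Review bot: in `test_iam_no_roles`, `iam_client` and `entra_client` are both bound to the same `mock.MagicMock` class, so `iam_client.resource_groups = {}` and `entra_client.resource_groups = {}` write to the same attribute, as the two `subscriptions` assignments already do. The second assignment is redundant, and the test cannot give the IAM and Entra clients different scopes. Use separate instances (`mock.MagicMock()`) for the two clients so that each carries its own `resource_groups` and `subscriptions`.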
@@ -41,9 +42,11 @@ class Test_iam_assignment_priviledge_access_vm_has_mfa:
def test_entra_user_with_vm_access_has_mfa(self): def test_entra_user_with_vm_access_has_mfa(self):
iam_client = mock.MagicMock iam_client = mock.MagicMock
iam_client.resource_groups = {}
iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
role_assigment_id = str(uuid4()) role_assigment_id = str(uuid4())
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
entra_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} entra_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
user_id = str(uuid4()) user_id = str(uuid4())
@@ -112,9 +115,11 @@ class Test_iam_assignment_priviledge_access_vm_has_mfa:
def test_entra_user_with_vm_access_has_mfa_no_mfa(self): def test_entra_user_with_vm_access_has_mfa_no_mfa(self):
iam_client = mock.MagicMock iam_client = mock.MagicMock
iam_client.resource_groups = {}
iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
role_assigment_id = str(uuid4()) role_assigment_id = str(uuid4())
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
entra_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} entra_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
user_id = str(uuid4()) user_id = str(uuid4())
@@ -183,9 +188,11 @@ class Test_iam_assignment_priviledge_access_vm_has_mfa:
def test_entra_user_with_vm_access_has_mfa_no_user(self): def test_entra_user_with_vm_access_has_mfa_no_user(self):
iam_client = mock.MagicMock iam_client = mock.MagicMock
iam_client.resource_groups = {}
iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
role_assigment_id = str(uuid4()) role_assigment_id = str(uuid4())
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
entra_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} entra_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
user_id = str(uuid4()) user_id = str(uuid4())
@@ -237,9 +244,11 @@ class Test_iam_assignment_priviledge_access_vm_has_mfa:
def test_entra_user_with_vm_access_has_mfa_no_role(self): def test_entra_user_with_vm_access_has_mfa_no_role(self):
iam_client = mock.MagicMock iam_client = mock.MagicMock
iam_client.resource_groups = {}
iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
role_assigment_id = str(uuid4()) role_assigment_id = str(uuid4())
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
entra_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} entra_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
user_id = str(uuid4()) user_id = str(uuid4())
@@ -11,7 +11,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_entra_users_cannot_create_microsoft_365_groups: class Test_entra_users_cannot_create_microsoft_365_groups:
def test_entra_no_tenant(self): def test_entra_no_tenant(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -35,7 +35,7 @@ class Test_entra_users_cannot_create_microsoft_365_groups:
def test_entra_tenant_empty(self): def test_entra_tenant_empty(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -65,7 +65,7 @@ class Test_entra_users_cannot_create_microsoft_365_groups:
def test_entra_users_cannot_create_microsoft_365_groups(self): def test_entra_users_cannot_create_microsoft_365_groups(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -114,7 +114,7 @@ class Test_entra_users_cannot_create_microsoft_365_groups:
def test_entra_users_can_create_microsoft_365_groups(self): def test_entra_users_can_create_microsoft_365_groups(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -161,7 +161,7 @@ class Test_entra_users_cannot_create_microsoft_365_groups:
def test_entra_users_can_create_microsoft_365_groups_no_setting(self): def test_entra_users_can_create_microsoft_365_groups_no_setting(self):
entra_client = mock.MagicMock entra_client = mock.MagicMock
entra_client.resource_groups = {}
with ( with (
mock.patch( mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider", "prowler.providers.common.provider.Provider.get_global_provider",
@@ -0,0 +1,162 @@
from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.iam.iam_service import IAM
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
set_mocked_azure_provider,
)
class Test_IAM_get_roles:
def test_get_roles_no_resource_groups(self):
mock_client = MagicMock()
mock_client.role_definitions.list.return_value = []
with (
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_roles",
return_value=({}, {}),
),
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_role_assignments",
return_value={},
),
):
iam = IAM(set_mocked_azure_provider())
iam.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
iam.resource_groups = None
builtin, custom = iam._get_roles()
mock_client.role_definitions.list.assert_called_once()
assert AZURE_SUBSCRIPTION_ID in builtin
assert AZURE_SUBSCRIPTION_ID in custom
def test_get_roles_with_resource_group(self):
mock_client = MagicMock()
mock_client.role_definitions.list.return_value = []
with (
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_roles",
return_value=({}, {}),
),
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_role_assignments",
return_value={},
),
):
iam = IAM(set_mocked_azure_provider())
iam.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
iam.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
builtin, custom = iam._get_roles()
mock_client.role_definitions.list.assert_called_once()
assert AZURE_SUBSCRIPTION_ID in builtin
assert AZURE_SUBSCRIPTION_ID in custom
def test_get_roles_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.role_definitions.list.return_value = []
with (
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_roles",
return_value=({}, {}),
),
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_role_assignments",
return_value={},
),
):
iam = IAM(set_mocked_azure_provider())
iam.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
iam.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
builtin, custom = iam._get_roles()
mock_client.role_definitions.list.assert_called_once()
assert AZURE_SUBSCRIPTION_ID in builtin
assert AZURE_SUBSCRIPTION_ID in custom
class Test_IAM_get_role_assignments:
def test_get_role_assignments_no_resource_groups(self):
mock_client = MagicMock()
mock_client.role_assignments = MagicMock()
mock_client.role_assignments.list_for_subscription.return_value = []
with (
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_roles",
return_value=({}, {}),
),
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_role_assignments",
return_value={},
),
):
iam = IAM(set_mocked_azure_provider())
iam.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
iam.resource_groups = None
result = iam._get_role_assignments()
mock_client.role_assignments.list_for_subscription.assert_called_once()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_role_assignments_with_resource_group(self):
mock_client = MagicMock()
mock_client.role_assignments = MagicMock()
mock_client.role_assignments.list_for_subscription.return_value = []
with (
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_roles",
return_value=({}, {}),
),
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_role_assignments",
return_value={},
),
):
iam = IAM(set_mocked_azure_provider())
iam.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
iam.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = iam._get_role_assignments()
mock_client.role_assignments.list_for_subscription.assert_called_once()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_role_assignments_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.role_assignments = MagicMock()
mock_client.role_assignments.list_for_subscription.return_value = []
with (
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_roles",
return_value=({}, {}),
),
patch(
"prowler.providers.azure.services.iam.iam_service.IAM._get_role_assignments",
return_value={},
),
):
iam = IAM(set_mocked_azure_provider())
iam.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
iam.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = iam._get_role_assignments()
mock_client.role_assignments.list_for_subscription.assert_called_once()
assert AZURE_SUBSCRIPTION_ID in result
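Review bot: the three cases in each class (`None`, `[RESOURCE_GROUP]`, `[]`) end in the same assertion, `role_definitions.list.assert_called_once()` or `role_assignments.list_for_subscription.assert_called_once()`, so the tests pin down that IAM ignores the resource group filter without ever saying so. If subscription-wide listing is intended for IAM, state that in a docstring or comment and collapse the cases into one parametrized test. The `AZURE_SUBSCRIPTION_ID in builtin` and `in custom` checks would also be stronger with a non-empty `return_value` that exercises the built-in/custom split.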
@@ -14,6 +14,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_iam_custom_role_has_permissions_to_administer_resource_locks: class Test_iam_custom_role_has_permissions_to_administer_resource_locks:
def test_iam_no_roles(self): def test_iam_no_roles(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.custom_roles = {} defender_client.custom_roles = {}
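Review bot: these check tests set `resource_groups = {}`, presumably as the unfiltered value, while the service tests added in this commit use `resource_groups = None` for that case and never exercise an empty dict. Settle on one sentinel for "no filter", or add a service-level case for `{}`, because code that tests `is None` and code that tests truthiness will disagree on an empty dict. The mock in an IAM test is also still named `defender_client`; renaming it to `iam_client` while touching these lines would make the fixture easier to follow.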
@@ -39,6 +40,7 @@ class Test_iam_custom_role_has_permissions_to_administer_resource_locks:
self, self,
): ):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
role_name = "test-role" role_name = "test-role"
defender_client.custom_roles = { defender_client.custom_roles = {
@@ -95,6 +97,7 @@ class Test_iam_custom_role_has_permissions_to_administer_resource_locks:
self, self,
): ):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
role_name = "test-role" role_name = "test-role"
defender_client.custom_roles = { defender_client.custom_roles = {
@@ -144,6 +147,7 @@ class Test_iam_custom_role_has_permissions_to_administer_resource_locks:
self, self,
): ):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
role_name = "test-role" role_name = "test-role"
role_name2 = "test-role2" role_name2 = "test-role2"
@@ -212,6 +216,7 @@ class Test_iam_custom_role_has_permissions_to_administer_resource_locks:
def test_iam_custom_roles_empty_list_but_with_key(self): def test_iam_custom_roles_empty_list_but_with_key(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.custom_roles = {AZURE_SUBSCRIPTION_ID: {}} defender_client.custom_roles = {AZURE_SUBSCRIPTION_ID: {}}
@@ -13,6 +13,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_iam_role_user_access_admin_restricted: class Test_iam_role_user_access_admin_restricted:
def test_iam_no_role_assignments(self): def test_iam_no_role_assignments(self):
iam_client = mock.MagicMock iam_client = mock.MagicMock
iam_client.resource_groups = {}
iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} iam_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
iam_client.role_assignments = {} iam_client.role_assignments = {}
iam_client.roles = {} iam_client.roles = {}
@@ -37,6 +38,7 @@ class Test_iam_role_user_access_admin_restricted:
def test_iam_user_access_administrator_role_assigned(self): def test_iam_user_access_administrator_role_assigned(self):
iam_client = mock.MagicMock iam_client = mock.MagicMock
iam_client.resource_groups = {}
role_id = str(uuid4()) role_id = str(uuid4())
role_assignment_id = str(uuid4()) role_assignment_id = str(uuid4())
agent_id = str(uuid4()) agent_id = str(uuid4())
@@ -97,6 +99,7 @@ class Test_iam_role_user_access_admin_restricted:
def test_iam_non_user_access_administrator_role_assigned(self): def test_iam_non_user_access_administrator_role_assigned(self):
iam_client = mock.MagicMock iam_client = mock.MagicMock
iam_client.resource_groups = {}
role_id = str(uuid4()) role_id = str(uuid4())
role_assignment_id = str(uuid4()) role_assignment_id = str(uuid4())
agent_id = str(uuid4()) agent_id = str(uuid4())
@@ -14,6 +14,7 @@ from tests.providers.azure.azure_fixtures import (
class Test_iam_subscription_roles_owner_custom_not_created: class Test_iam_subscription_roles_owner_custom_not_created:
def test_iam_no_roles(self): def test_iam_no_roles(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
defender_client.custom_roles = {} defender_client.custom_roles = {}
@@ -37,6 +38,7 @@ class Test_iam_subscription_roles_owner_custom_not_created:
def test_iam_custom_owner_role_created_with_all(self): def test_iam_custom_owner_role_created_with_all(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
role_name = "test-role" role_name = "test-role"
defender_client.custom_roles = { defender_client.custom_roles = {
@@ -84,6 +86,7 @@ class Test_iam_subscription_roles_owner_custom_not_created:
def test_iam_custom_owner_role_created_with_no_permissions(self): def test_iam_custom_owner_role_created_with_no_permissions(self):
defender_client = mock.MagicMock defender_client = mock.MagicMock
defender_client.resource_groups = {}
defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME} defender_client.subscriptions = {AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME}
role_name = "test-role" role_name = "test-role"
defender_client.custom_roles = { defender_client.custom_roles = {
@@ -3,6 +3,8 @@ from unittest.mock import MagicMock, patch
from tests.providers.azure.azure_fixtures import ( from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID, AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider, set_mocked_azure_provider,
) )
@@ -263,3 +265,208 @@ class Test_keyvault_service:
.storage_account_name .storage_account_name
== "storage_account_name" == "storage_account_name"
) )
class Test_KeyVault_get_key_vaults:
def test_get_key_vaults_no_resource_groups(self):
mock_client = MagicMock()
mock_client.vaults = MagicMock()
mock_client.vaults.list_by_subscription.return_value = []
mock_provider = MagicMock()
mock_provider.identity = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
patch(
"prowler.providers.azure.services.keyvault.keyvault_service.KeyVault._get_key_vaults",
return_value={},
),
):
from prowler.providers.azure.services.keyvault.keyvault_service import (
KeyVault,
)
keyvault = KeyVault(set_mocked_azure_provider())
keyvault.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
keyvault.resource_groups = None
provider = set_mocked_azure_provider()
with patch(
"prowler.providers.azure.services.keyvault.keyvault_service.monitor_client"
):
result = keyvault._get_key_vaults(provider)
mock_client.vaults.list_by_subscription.assert_called_once()
mock_client.vaults.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_key_vaults_with_resource_group(self):
mock_client = MagicMock()
mock_client.vaults = MagicMock()
mock_client.vaults.list_by_resource_group.return_value = []
mock_provider = MagicMock()
mock_provider.identity = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
patch(
"prowler.providers.azure.services.keyvault.keyvault_service.KeyVault._get_key_vaults",
return_value={},
),
):
from prowler.providers.azure.services.keyvault.keyvault_service import (
KeyVault,
)
keyvault = KeyVault(set_mocked_azure_provider())
keyvault.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
keyvault.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
provider = set_mocked_azure_provider()
with patch(
"prowler.providers.azure.services.keyvault.keyvault_service.monitor_client"
):
result = keyvault._get_key_vaults(provider)
mock_client.vaults.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.vaults.list_by_subscription.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_key_vaults_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.vaults = MagicMock()
mock_provider = MagicMock()
mock_provider.identity = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
patch(
"prowler.providers.azure.services.keyvault.keyvault_service.KeyVault._get_key_vaults",
return_value={},
),
):
from prowler.providers.azure.services.keyvault.keyvault_service import (
KeyVault,
)
keyvault = KeyVault(set_mocked_azure_provider())
keyvault.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
keyvault.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
provider = set_mocked_azure_provider()
with patch(
"prowler.providers.azure.services.keyvault.keyvault_service.monitor_client"
):
result = keyvault._get_key_vaults(provider)
mock_client.vaults.list_by_resource_group.assert_not_called()
mock_client.vaults.list_by_subscription.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == []
def test_get_key_vaults_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.vaults = MagicMock()
mock_client.vaults.list_by_resource_group.return_value = []
mock_provider = MagicMock()
mock_provider.identity = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
patch(
"prowler.providers.azure.services.keyvault.keyvault_service.KeyVault._get_key_vaults",
return_value={},
),
):
from prowler.providers.azure.services.keyvault.keyvault_service import (
KeyVault,
)
keyvault = KeyVault(set_mocked_azure_provider())
keyvault.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
keyvault.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
provider = set_mocked_azure_provider()
with patch(
"prowler.providers.azure.services.keyvault.keyvault_service.monitor_client"
):
result = keyvault._get_key_vaults(provider)
assert mock_client.vaults.list_by_resource_group.call_count == len(
RESOURCE_GROUP_LIST
)
mock_client.vaults.list_by_subscription.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_key_vaults_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.vaults = MagicMock()
mock_client.vaults.list_by_resource_group.return_value = []
mock_provider = MagicMock()
mock_provider.identity = MagicMock()
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mock_provider,
),
patch(
"prowler.providers.azure.services.monitor.monitor_service.Monitor",
new=MagicMock(),
),
patch(
"prowler.providers.azure.services.keyvault.keyvault_service.KeyVault._get_key_vaults",
return_value={},
),
):
from prowler.providers.azure.services.keyvault.keyvault_service import (
KeyVault,
)
keyvault = KeyVault(set_mocked_azure_provider())
keyvault.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
keyvault.resource_groups = {AZURE_SUBSCRIPTION_ID: ["MyRG"]}
provider = set_mocked_azure_provider()
with patch(
"prowler.providers.azure.services.keyvault.keyvault_service.monitor_client"
):
keyvault._get_key_vaults(provider)
mock_client.vaults.list_by_resource_group.assert_called_once_with(
resource_group_name="MyRG"
)
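Review bot: `test_get_key_vaults_with_mixed_case_resource_group` only asserts that `"MyRG"` is forwarded unchanged to `list_by_resource_group`, which the single-group test already covers with `RESOURCE_GROUP`. Azure resource group names are case-insensitive, so if the intent is to show that the casing a user supplies does not cause resources to be missed, the test needs a returned vault whose casing differs from the filter; otherwise rename it to say it checks pass-through. The five tests also repeat the same three-patch setup and the in-function import, which a shared fixture would remove.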
@@ -1,4 +1,4 @@
from unittest.mock import patch from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.mysql.mysql_service import ( from prowler.providers.azure.services.mysql.mysql_service import (
Configuration, Configuration,
@@ -7,6 +7,8 @@ from prowler.providers.azure.services.mysql.mysql_service import (
) )
from tests.providers.azure.azure_fixtures import ( from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID, AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider, set_mocked_azure_provider,
) )
@@ -117,3 +119,131 @@ class Test_MySQL_Service:
assert configurations["test"].resource_id == "/subscriptions/resource_id" assert configurations["test"].resource_id == "/subscriptions/resource_id"
assert configurations["test"].description == "description" assert configurations["test"].description == "description"
assert configurations["test"].value == "value" assert configurations["test"].value == "value"
class Test_MySQL_get_flexible_servers:
def test_get_flexible_servers_no_resource_groups(self):
mock_client = MagicMock()
mock_client.servers.list.return_value = []
with (
patch(
"prowler.providers.azure.services.mysql.mysql_service.MySQL._get_flexible_servers",
return_value={},
),
patch(
"prowler.providers.azure.services.mysql.mysql_service.MySQL._get_configurations",
return_value={},
),
):
mysql = MySQL(set_mocked_azure_provider())
mysql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
mysql.resource_groups = None
result = mysql._get_flexible_servers()
mock_client.servers.list.assert_called_once()
mock_client.servers.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_flexible_servers_with_resource_group(self):
mock_client = MagicMock()
mock_client.servers.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.mysql.mysql_service.MySQL._get_flexible_servers",
return_value={},
),
patch(
"prowler.providers.azure.services.mysql.mysql_service.MySQL._get_configurations",
return_value={},
),
):
mysql = MySQL(set_mocked_azure_provider())
mysql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
mysql.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = mysql._get_flexible_servers()
mock_client.servers.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.servers.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_flexible_servers_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with (
patch(
"prowler.providers.azure.services.mysql.mysql_service.MySQL._get_flexible_servers",
return_value={},
),
patch(
"prowler.providers.azure.services.mysql.mysql_service.MySQL._get_configurations",
return_value={},
),
):
mysql = MySQL(set_mocked_azure_provider())
mysql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
mysql.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = mysql._get_flexible_servers()
mock_client.servers.list_by_resource_group.assert_not_called()
mock_client.servers.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert result[AZURE_SUBSCRIPTION_ID] == {}
def test_get_flexible_servers_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.servers.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.mysql.mysql_service.MySQL._get_flexible_servers",
return_value={},
),
patch(
"prowler.providers.azure.services.mysql.mysql_service.MySQL._get_configurations",
return_value={},
),
):
mysql = MySQL(set_mocked_azure_provider())
mysql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
mysql.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = mysql._get_flexible_servers()
assert mock_client.servers.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_flexible_servers_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.servers.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.mysql.mysql_service.MySQL._get_flexible_servers",
return_value={},
),
patch(
"prowler.providers.azure.services.mysql.mysql_service.MySQL._get_configurations",
return_value={},
),
):
mysql = MySQL(set_mocked_azure_provider())
mysql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
mysql.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
mysql._get_flexible_servers()
mock_client.servers.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
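Review bot: in `test_get_flexible_servers_with_multiple_resource_groups` the expected count is hardcoded as `call_count == 2`, which ties the test to the current length of `RESOURCE_GROUP_LIST`; use `len(RESOURCE_GROUP_LIST)` as the KeyVault test does. That test and the mixed-case one should also assert `mock_client.servers.list.assert_not_called()`, so that a fallback to the subscription-wide listing while a filter is set is caught.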
@@ -1,4 +1,4 @@
from unittest.mock import patch from unittest.mock import MagicMock, patch
from azure.mgmt.network.models import FlowLog from azure.mgmt.network.models import FlowLog
@@ -8,9 +8,12 @@ from prowler.providers.azure.services.network.network_service import (
NetworkWatcher, NetworkWatcher,
PublicIp, PublicIp,
SecurityGroup, SecurityGroup,
VirtualNetwork,
) )
from tests.providers.azure.azure_fixtures import ( from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID, AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider, set_mocked_azure_provider,
) )
@@ -66,6 +69,20 @@ def mock_network_get_public_ip_addresses(_):
} }
def mock_network_get_virtual_networks(_):
return {
AZURE_SUBSCRIPTION_ID: [
VirtualNetwork(
id="id",
name="name",
location="location",
enable_ddos_protection=False,
subnets=[],
)
]
}
@patch( @patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups", "prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups, new=mock_network_get_security_groups,
@@ -82,6 +99,10 @@ def mock_network_get_public_ip_addresses(_):
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses", "prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses, new=mock_network_get_public_ip_addresses,
) )
@patch(
"prowler.providers.azure.services.network.network_service.Network._get_virtual_networks",
new=mock_network_get_virtual_networks,
)
class Test_Network_Service: class Test_Network_Service:
def test_get_client(self): def test_get_client(self):
network = Network(set_mocked_azure_provider()) network = Network(set_mocked_azure_provider())
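Review bot: the `_get_virtual_networks` patch is added only to the `Test_Network_Service` decorators; the `with` blocks in the new `Test_Network_get_*` classes below patch the other four getters but not this one. If `Network.__init__` calls `_get_virtual_networks`, those tests run the real method against the mocked provider during construction. Add the patch there as well, or move the five patches into a shared fixture so the lists cannot drift apart.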
@@ -162,3 +183,905 @@ class Test_Network_Service:
network.public_ip_addresses[AZURE_SUBSCRIPTION_ID][0].ip_address network.public_ip_addresses[AZURE_SUBSCRIPTION_ID][0].ip_address
== "ip_address" == "ip_address"
) )
class Test_Network_get_security_groups:
def test_get_security_groups_no_resource_groups(self):
mock_client = MagicMock()
mock_client.network_security_groups.list_all.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = None
result = network._get_security_groups()
mock_client.network_security_groups.list_all.assert_called_once()
mock_client.network_security_groups.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_security_groups_with_resource_group(self):
mock_client = MagicMock()
mock_client.network_security_groups.list.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = network._get_security_groups()
mock_client.network_security_groups.list.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.network_security_groups.list_all.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_security_groups_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = network._get_security_groups()
mock_client.network_security_groups.list.assert_not_called()
mock_client.network_security_groups.list_all.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == []
class Test_Network_get_network_watchers:
def test_get_network_watchers_no_resource_groups(self):
mock_client = MagicMock()
mock_client.network_watchers = MagicMock()
mock_client.network_watchers.list_all.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = None
result = network._get_network_watchers()
mock_client.network_watchers.list_all.assert_called_once()
mock_client.network_watchers.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_network_watchers_with_resource_group(self):
mock_client = MagicMock()
mock_client.network_watchers = MagicMock()
mock_client.network_watchers.list_all.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = network._get_network_watchers()
mock_client.network_watchers.list_all.assert_called_once()
mock_client.network_watchers.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_network_watchers_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.network_watchers = MagicMock()
mock_client.network_watchers.list_all.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = network._get_network_watchers()
mock_client.network_watchers.list_all.assert_called_once()
mock_client.network_watchers.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
class Test_Network_get_bastion_hosts:
def test_get_bastion_hosts_no_resource_groups(self):
mock_client = MagicMock()
mock_client.bastion_hosts = MagicMock()
mock_client.bastion_hosts.list.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = None
result = network._get_bastion_hosts()
mock_client.bastion_hosts.list.assert_called_once()
mock_client.bastion_hosts.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_bastion_hosts_with_resource_group(self):
mock_client = MagicMock()
mock_client.bastion_hosts = MagicMock()
mock_client.bastion_hosts.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = network._get_bastion_hosts()
mock_client.bastion_hosts.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.bastion_hosts.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_bastion_hosts_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.bastion_hosts = MagicMock()
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = network._get_bastion_hosts()
mock_client.bastion_hosts.list_by_resource_group.assert_not_called()
mock_client.bastion_hosts.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == []
class Test_Network_get_public_ip_addresses:
def test_get_public_ip_addresses_no_resource_groups(self):
mock_client = MagicMock()
mock_client.public_ip_addresses = MagicMock()
mock_client.public_ip_addresses.list_all.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = None
result = network._get_public_ip_addresses()
mock_client.public_ip_addresses.list_all.assert_called_once()
mock_client.public_ip_addresses.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_public_ip_addresses_with_resource_group(self):
mock_client = MagicMock()
mock_client.public_ip_addresses = MagicMock()
mock_client.public_ip_addresses.list.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = network._get_public_ip_addresses()
mock_client.public_ip_addresses.list.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.public_ip_addresses.list_all.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_public_ip_addresses_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.public_ip_addresses = MagicMock()
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = network._get_public_ip_addresses()
mock_client.public_ip_addresses.list.assert_not_called()
mock_client.public_ip_addresses.list_all.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == []
def test_get_security_groups_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.network_security_groups = MagicMock()
mock_client.network_security_groups.list.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = network._get_security_groups()
assert mock_client.network_security_groups.list.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_security_groups_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.network_security_groups = MagicMock()
mock_client.network_security_groups.list.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
network._get_security_groups()
mock_client.network_security_groups.list.assert_called_once_with(
resource_group_name="RG"
)
class Test_Network_get_network_watchers_extra:
def test_get_network_watchers_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.network_watchers = MagicMock()
mock_client.network_watchers.list_all.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = network._get_network_watchers()
mock_client.network_watchers.list_all.assert_called_once()
mock_client.network_watchers.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_network_watchers_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.network_watchers = MagicMock()
mock_client.network_watchers.list_all.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
network._get_network_watchers()
mock_client.network_watchers.list_all.assert_called_once()
mock_client.network_watchers.list.assert_not_called()
class Test_Network_get_bastion_hosts_extra:
def test_get_bastion_hosts_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.bastion_hosts = MagicMock()
mock_client.bastion_hosts.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = network._get_bastion_hosts()
assert mock_client.bastion_hosts.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_bastion_hosts_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.bastion_hosts = MagicMock()
mock_client.bastion_hosts.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
network._get_bastion_hosts()
mock_client.bastion_hosts.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
class Test_Network_get_public_ip_addresses_extra:
def test_get_public_ip_addresses_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.public_ip_addresses = MagicMock()
mock_client.public_ip_addresses.list.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = network._get_public_ip_addresses()
assert mock_client.public_ip_addresses.list.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_public_ip_addresses_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.public_ip_addresses = MagicMock()
mock_client.public_ip_addresses.list.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
network._get_public_ip_addresses()
mock_client.public_ip_addresses.list.assert_called_once_with(
resource_group_name="RG"
)
class Test_Network_get_virtual_networks_extra:
def _ctx(self):
return (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
)
def test_get_virtual_networks_no_resource_groups(self):
mock_client = MagicMock()
mock_client.virtual_networks = MagicMock()
mock_client.virtual_networks.list_all.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_virtual_networks",
new=mock_network_get_virtual_networks,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = None
result = network._get_virtual_networks()
mock_client.virtual_networks.list_all.assert_called_once()
mock_client.virtual_networks.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_virtual_networks_with_resource_group(self):
mock_client = MagicMock()
mock_client.virtual_networks = MagicMock()
mock_client.virtual_networks.list.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_virtual_networks",
new=mock_network_get_virtual_networks,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = network._get_virtual_networks()
mock_client.virtual_networks.list.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.virtual_networks.list_all.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_virtual_networks_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.virtual_networks = MagicMock()
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_virtual_networks",
new=mock_network_get_virtual_networks,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = network._get_virtual_networks()
mock_client.virtual_networks.list.assert_not_called()
mock_client.virtual_networks.list_all.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == []
def test_get_virtual_networks_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.virtual_networks = MagicMock()
mock_client.virtual_networks.list.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_virtual_networks",
new=mock_network_get_virtual_networks,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = network._get_virtual_networks()
assert mock_client.virtual_networks.list.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_virtual_networks_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.virtual_networks = MagicMock()
mock_client.virtual_networks.list.return_value = []
with (
patch(
"prowler.providers.azure.services.network.network_service.Network._get_security_groups",
new=mock_network_get_security_groups,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_bastion_hosts",
new=mock_network_get_bastion_hosts,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_network_watchers",
new=mock_network_get_network_watchers,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_public_ip_addresses",
new=mock_network_get_public_ip_addresses,
),
patch(
"prowler.providers.azure.services.network.network_service.Network._get_virtual_networks",
new=mock_network_get_virtual_networks,
),
):
network = Network(set_mocked_azure_provider())
network.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
network.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
network._get_virtual_networks()
mock_client.virtual_networks.list.assert_called_once_with(
resource_group_name="RG"
)
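Review bot: `test_get_security_groups_with_multiple_resource_groups` and `test_get_security_groups_with_mixed_case_resource_group` follow the last public-IP test with no class line of their own, so as shown they end up inside `Test_Network_get_public_ip_addresses`; give them their own class in the same style as the `Test_Network_get_..._extra` classes added below. In `Test_Network_get_virtual_networks_extra`, the `_ctx` helper is defined but none of the tests under it call it, and every test repeats the same patch list inline; either drop `_ctx` or turn the patch list into a shared fixture and use it throughout. The network-watcher tests assert `list_all` is called even when `resource_groups` is set, which means watchers stay subscription-wide during a resource-group scoped scan; a comment stating that this is intentional would help anyone relying on the scope as a boundary.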
@@ -1,4 +1,4 @@
from unittest.mock import patch from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.policy.policy_service import ( from prowler.providers.azure.services.policy.policy_service import (
Policy, Policy,
@@ -6,6 +6,8 @@ from prowler.providers.azure.services.policy.policy_service import (
) )
from tests.providers.azure.azure_fixtures import ( from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID, AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider, set_mocked_azure_provider,
) )
@@ -52,3 +54,99 @@ class Test_Policy_Service:
policy.policy_assigments[AZURE_SUBSCRIPTION_ID]["policy-1"].enforcement_mode policy.policy_assigments[AZURE_SUBSCRIPTION_ID]["policy-1"].enforcement_mode
== "Default" == "Default"
) )
class Test_Policy_get_policy_assigments:
def test_get_policy_assigments_no_resource_groups(self):
mock_client = MagicMock()
mock_client.policy_assignments.list.return_value = []
with patch(
"prowler.providers.azure.services.policy.policy_service.Policy._get_policy_assigments",
return_value={},
):
policy = Policy(set_mocked_azure_provider())
policy.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
policy.resource_groups = None
result = policy._get_policy_assigments()
mock_client.policy_assignments.list.assert_called_once()
mock_client.policy_assignments.list_for_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_policy_assigments_with_resource_group(self):
mock_client = MagicMock()
mock_client.policy_assignments.list.return_value = []
with patch(
"prowler.providers.azure.services.policy.policy_service.Policy._get_policy_assigments",
return_value={},
):
policy = Policy(set_mocked_azure_provider())
policy.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
policy.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = policy._get_policy_assigments()
mock_client.policy_assignments.list.assert_called_once()
mock_client.policy_assignments.list_for_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_policy_assigments_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.policy_assignments.list.return_value = []
with patch(
"prowler.providers.azure.services.policy.policy_service.Policy._get_policy_assigments",
return_value={},
):
policy = Policy(set_mocked_azure_provider())
policy.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
policy.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = policy._get_policy_assigments()
mock_client.policy_assignments.list.assert_called_once()
mock_client.policy_assignments.list_for_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_policy_assigments_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.policy_assignments.list.return_value = []
with patch(
"prowler.providers.azure.services.policy.policy_service.Policy._get_policy_assigments",
return_value={},
):
policy = Policy(set_mocked_azure_provider())
policy.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
policy.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = policy._get_policy_assigments()
mock_client.policy_assignments.list.assert_called_once()
mock_client.policy_assignments.list_for_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_policy_assigments_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.policy_assignments.list.return_value = []
with patch(
"prowler.providers.azure.services.policy.policy_service.Policy._get_policy_assigments",
return_value={},
):
policy = Policy(set_mocked_azure_provider())
policy.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
policy.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
policy._get_policy_assigments()
mock_client.policy_assignments.list.assert_called_once()
mock_client.policy_assignments.list_for_resource_group.assert_not_called()
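Review bot: all five tests in `Test_Policy_get_policy_assigments`, including the ones that set `policy.resource_groups` to `[RESOURCE_GROUP]`, `[]`, `RESOURCE_GROUP_LIST` and `["RG"]`, assert the same outcome: `policy_assignments.list` is called once and `list_for_resource_group` is never called. That pins policy assignments as subscription-wide regardless of the resource-group filter, and it differs from the network and PostgreSQL tests in this commit, where an empty list for a subscription results in no list call at all. If that is the intended behaviour, say so in a comment or docstring and collapse the four filtered cases into one parametrized test; if it is not, the filtered cases should expect `list_for_resource_group` instead.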
@@ -11,6 +11,8 @@ from prowler.providers.azure.services.postgresql.postgresql_service import (
) )
from tests.providers.azure.azure_fixtures import ( from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID, AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider, set_mocked_azure_provider,
) )
@@ -243,6 +245,103 @@ class Test_SqlServer_Service:
) )
class Test_PostgreSQL_get_flexible_servers:
def test_get_flexible_servers_no_resource_groups(self):
mock_client = MagicMock()
mock_client.servers.list.return_value = []
with patch(
"prowler.providers.azure.services.postgresql.postgresql_service.PostgreSQL._get_flexible_servers",
return_value={},
):
postgresql = PostgreSQL(set_mocked_azure_provider())
postgresql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
postgresql.resource_groups = None
result = postgresql._get_flexible_servers()
mock_client.servers.list.assert_called_once()
mock_client.servers.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_flexible_servers_with_resource_group(self):
mock_client = MagicMock()
mock_client.servers.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.postgresql.postgresql_service.PostgreSQL._get_flexible_servers",
return_value={},
):
postgresql = PostgreSQL(set_mocked_azure_provider())
postgresql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
postgresql.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = postgresql._get_flexible_servers()
mock_client.servers.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.servers.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_flexible_servers_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with patch(
"prowler.providers.azure.services.postgresql.postgresql_service.PostgreSQL._get_flexible_servers",
return_value={},
):
postgresql = PostgreSQL(set_mocked_azure_provider())
postgresql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
postgresql.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = postgresql._get_flexible_servers()
mock_client.servers.list_by_resource_group.assert_not_called()
mock_client.servers.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == []
def test_get_flexible_servers_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.servers.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.postgresql.postgresql_service.PostgreSQL._get_flexible_servers",
return_value={},
):
postgresql = PostgreSQL(set_mocked_azure_provider())
postgresql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
postgresql.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = postgresql._get_flexible_servers()
assert mock_client.servers.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_flexible_servers_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.servers.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.postgresql.postgresql_service.PostgreSQL._get_flexible_servers",
return_value={},
):
postgresql = PostgreSQL(set_mocked_azure_provider())
postgresql.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
postgresql.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
postgresql._get_flexible_servers()
mock_client.servers.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
def _make_server(name): def _make_server(name):
server = MagicMock() server = MagicMock()
server.id = ( server.id = (
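Review bot: `test_get_flexible_servers_with_multiple_resource_groups` only checks `list_by_resource_group.call_count == 2` against an empty return value, so it would still pass if the same group were queried twice or if the second group's servers replaced the first group's in the result. Assert the calls by name, for example with `assert_has_calls` and one `call(resource_group_name=...)` per entry of `RESOURCE_GROUP_LIST`, and return a distinct server per group so the merged result for `AZURE_SUBSCRIPTION_ID` can be checked.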
@@ -1,11 +1,18 @@
from types import SimpleNamespace from types import SimpleNamespace
from unittest import mock from unittest import mock
from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.recovery.recovery_service import ( from prowler.providers.azure.services.recovery.recovery_service import (
BackupVault, BackupVault,
Recovery,
RecoveryBackup, RecoveryBackup,
) )
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION_ID from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider,
)
VAULT_ID = ( VAULT_ID = (
f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/resourceGroups/rg1/" f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/resourceGroups/rg1/"
@@ -20,6 +27,139 @@ class BackupClientFake:
self.backup_policies.list.return_value = policies self.backup_policies.list.return_value = policies
class Test_Recovery_get_vaults:
def test_get_vaults_no_resource_groups(self):
mock_client = MagicMock()
mock_client.vaults = MagicMock()
mock_client.vaults.list_by_subscription_id.return_value = []
with (
patch(
"prowler.providers.azure.services.recovery.recovery_service.Recovery._get_vaults",
return_value={},
),
patch(
"prowler.providers.azure.services.recovery.recovery_service.RecoveryBackup",
),
):
recovery = Recovery(set_mocked_azure_provider())
recovery.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
recovery.resource_groups = None
result = recovery._get_vaults()
mock_client.vaults.list_by_subscription_id.assert_called_once()
mock_client.vaults.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_vaults_with_resource_group(self):
mock_vault = MagicMock()
mock_vault.id = "vault-id-1"
mock_vault.name = "my-vault"
mock_vault.location = "eastus"
mock_client = MagicMock()
mock_client.vaults = MagicMock()
mock_client.vaults.list_by_resource_group.return_value = [mock_vault]
with (
patch(
"prowler.providers.azure.services.recovery.recovery_service.Recovery._get_vaults",
return_value={},
),
patch(
"prowler.providers.azure.services.recovery.recovery_service.RecoveryBackup",
),
):
recovery = Recovery(set_mocked_azure_provider())
recovery.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
recovery.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = recovery._get_vaults()
mock_client.vaults.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.vaults.list_by_subscription_id.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
assert "vault-id-1" in result[AZURE_SUBSCRIPTION_ID]
def test_get_vaults_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.vaults = MagicMock()
with (
patch(
"prowler.providers.azure.services.recovery.recovery_service.Recovery._get_vaults",
return_value={},
),
patch(
"prowler.providers.azure.services.recovery.recovery_service.RecoveryBackup",
),
):
recovery = Recovery(set_mocked_azure_provider())
recovery.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
recovery.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = recovery._get_vaults()
mock_client.vaults.list_by_resource_group.assert_not_called()
mock_client.vaults.list_by_subscription_id.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
def test_get_vaults_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.vaults = MagicMock()
mock_client.vaults.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.recovery.recovery_service.Recovery._get_vaults",
return_value={},
),
patch(
"prowler.providers.azure.services.recovery.recovery_service.RecoveryBackup",
),
):
recovery = Recovery(set_mocked_azure_provider())
recovery.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
recovery.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = recovery._get_vaults()
assert mock_client.vaults.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_vaults_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.vaults = MagicMock()
mock_client.vaults.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.recovery.recovery_service.Recovery._get_vaults",
return_value={},
),
patch(
"prowler.providers.azure.services.recovery.recovery_service.RecoveryBackup",
),
):
recovery = Recovery(set_mocked_azure_provider())
recovery.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
recovery.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
recovery._get_vaults()
mock_client.vaults.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
class Test_RecoveryBackup_Service: class Test_RecoveryBackup_Service:
def test_get_backup_policies_lists_unprotected_vault_policies(self): def test_get_backup_policies_lists_unprotected_vault_policies(self):
policy = SimpleNamespace( policy = SimpleNamespace(
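Review bot: `test_get_vaults_with_mixed_case_resource_group` passes `["RG"]`, which is all upper-case rather than mixed-case, and asserts it is forwarded unchanged as `resource_group_name="RG"`; apart from the literal it repeats `test_get_vaults_with_resource_group`. Use a genuinely mixed-case name and have the test state the intended behaviour, that is, whether the name is passed to the SDK with its case preserved or normalized first. The same applies to the other `*_with_mixed_case_resource_group` tests in this commit. A short comment on the empty-list case would also help, since it expects `{}` here while the list-based services expect `[]`.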
@@ -1,4 +1,4 @@
from unittest.mock import patch from unittest.mock import MagicMock, patch
from azure.mgmt.sql.models import ( from azure.mgmt.sql.models import (
EncryptionProtector, EncryptionProtector,
@@ -16,6 +16,8 @@ from prowler.providers.azure.services.sqlserver.sqlserver_service import (
) )
from tests.providers.azure.azure_fixtures import ( from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID, AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider, set_mocked_azure_provider,
) )
@@ -245,3 +247,100 @@ class Test_SqlServer_Service:
].security_alert_policies.state ].security_alert_policies.state
== "Disabled" == "Disabled"
) )
class Test_SQLServer_get_sql_servers:
def test_get_sql_servers_no_resource_groups(self):
mock_client = MagicMock()
mock_client.servers.list.return_value = []
with patch(
"prowler.providers.azure.services.sqlserver.sqlserver_service.SQLServer._get_sql_servers",
return_value={},
):
sql_server = SQLServer(set_mocked_azure_provider())
sql_server.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
sql_server.resource_groups = None
result = sql_server._get_sql_servers()
mock_client.servers.list.assert_called_once()
mock_client.servers.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_sql_servers_with_resource_group(self):
mock_client = MagicMock()
mock_client.servers.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.sqlserver.sqlserver_service.SQLServer._get_sql_servers",
return_value={},
):
sql_server = SQLServer(set_mocked_azure_provider())
sql_server.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
sql_server.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = sql_server._get_sql_servers()
mock_client.servers.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.servers.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_sql_servers_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
with patch(
"prowler.providers.azure.services.sqlserver.sqlserver_service.SQLServer._get_sql_servers",
return_value={},
):
sql_server = SQLServer(set_mocked_azure_provider())
sql_server.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
sql_server.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = sql_server._get_sql_servers()
mock_client.servers.list_by_resource_group.assert_not_called()
mock_client.servers.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == []
def test_get_sql_servers_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.servers.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.sqlserver.sqlserver_service.SQLServer._get_sql_servers",
return_value={},
):
sql_server = SQLServer(set_mocked_azure_provider())
sql_server.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
sql_server.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = sql_server._get_sql_servers()
assert mock_client.servers.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_sql_servers_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.servers.list_by_resource_group.return_value = []
with patch(
"prowler.providers.azure.services.sqlserver.sqlserver_service.SQLServer._get_sql_servers",
return_value={},
):
sql_server = SQLServer(set_mocked_azure_provider())
sql_server.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
sql_server.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
sql_server._get_sql_servers()
mock_client.servers.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
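Review bot: the `Test_SQLServer_get_sql_servers` cases cover `resource_groups = None`, a single group, an empty list, two groups and `["RG"]`, but none covers a dict that has no entry for the subscription. For a scan-scoping feature that case decides whether an unmatched subscription is scanned in full or skipped, so it should be pinned by a test: set `sql_server.resource_groups = {}` and assert which of `servers.list` and `servers.list_by_resource_group` is called and what `result[AZURE_SUBSCRIPTION_ID]` holds.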
@@ -1,4 +1,4 @@
from unittest.mock import patch from unittest.mock import MagicMock, patch
from prowler.providers.azure.services.storage.storage_service import ( from prowler.providers.azure.services.storage.storage_service import (
Account, Account,
@@ -11,6 +11,8 @@ from prowler.providers.azure.services.storage.storage_service import (
) )
from tests.providers.azure.azure_fixtures import ( from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID, AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider, set_mocked_azure_provider,
) )
@@ -387,3 +389,155 @@ class Test_Storage_Service_Retention_Policy_None_Handling:
is False is False
) )
assert account.file_service_properties.share_delete_retention_policy.days == 0 assert account.file_service_properties.share_delete_retention_policy.days == 0
class Test_Storage_get_storage_accounts:
def test_get_storage_accounts_no_resource_groups(self):
mock_client = MagicMock()
mock_client.storage_accounts = MagicMock()
mock_client.storage_accounts.list.return_value = []
with (
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_storage_accounts",
return_value={},
),
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_blob_properties",
return_value=None,
),
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_file_share_properties",
return_value=None,
),
):
storage = Storage(set_mocked_azure_provider())
storage.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
storage.resource_groups = None
result = storage._get_storage_accounts()
mock_client.storage_accounts.list.assert_called_once()
mock_client.storage_accounts.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_storage_accounts_with_resource_group(self):
mock_client = MagicMock()
mock_client.storage_accounts = MagicMock()
mock_client.storage_accounts.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_storage_accounts",
return_value={},
),
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_blob_properties",
return_value=None,
),
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_file_share_properties",
return_value=None,
),
):
storage = Storage(set_mocked_azure_provider())
storage.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
storage.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = storage._get_storage_accounts()
mock_client.storage_accounts.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.storage_accounts.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_storage_accounts_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.storage_accounts = MagicMock()
with (
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_storage_accounts",
return_value={},
),
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_blob_properties",
return_value=None,
),
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_file_share_properties",
return_value=None,
),
):
storage = Storage(set_mocked_azure_provider())
storage.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
storage.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = storage._get_storage_accounts()
mock_client.storage_accounts.list_by_resource_group.assert_not_called()
mock_client.storage_accounts.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == []
def test_get_storage_accounts_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.storage_accounts = MagicMock()
mock_client.storage_accounts.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_storage_accounts",
return_value={},
),
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_blob_properties",
return_value=None,
),
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_file_share_properties",
return_value=None,
),
):
storage = Storage(set_mocked_azure_provider())
storage.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
storage.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = storage._get_storage_accounts()
assert mock_client.storage_accounts.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_storage_accounts_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.storage_accounts = MagicMock()
mock_client.storage_accounts.list_by_resource_group.return_value = []
with (
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_storage_accounts",
return_value={},
),
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_blob_properties",
return_value=None,
),
patch(
"prowler.providers.azure.services.storage.storage_service.Storage._get_file_share_properties",
return_value=None,
),
):
storage = Storage(set_mocked_azure_provider())
storage.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
storage.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
storage._get_storage_accounts()
mock_client.storage_accounts.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
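Review bot: every `list_by_resource_group` mock in `Test_Storage_get_storage_accounts` returns `[]`, so these tests prove which SDK method was called but not that accounts from a scoped listing reach the result. In `test_get_storage_accounts_with_multiple_resource_groups`, `assert AZURE_SUBSCRIPTION_ID in result` would still pass if the second group's accounts replaced the first group's instead of being appended. Return one distinct mocked account per resource group through `side_effect` and assert that both appear under `result[AZURE_SUBSCRIPTION_ID]`. The three-`patch` `with (...)` block is repeated in all five tests and would read better as a shared fixture or helper.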
@@ -14,6 +14,8 @@ from prowler.providers.azure.services.vm.vm_service import (
) )
from tests.providers.azure.azure_fixtures import ( from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID, AZURE_SUBSCRIPTION_ID,
RESOURCE_GROUP,
RESOURCE_GROUP_LIST,
set_mocked_azure_provider, set_mocked_azure_provider,
) )
@@ -465,3 +467,328 @@ class Test_VirtualMachine_SecurityProfile_Validation:
assert isinstance(vm.security_profile.uefi_settings, UefiSettings) assert isinstance(vm.security_profile.uefi_settings, UefiSettings)
assert vm.security_profile.uefi_settings.secure_boot_enabled is True assert vm.security_profile.uefi_settings.secure_boot_enabled is True
assert vm.security_profile.uefi_settings.v_tpm_enabled is True assert vm.security_profile.uefi_settings.v_tpm_enabled is True
class Test_VM_get_virtual_machines:
def test_get_virtual_machines_no_resource_groups(self):
mock_client = MagicMock()
mock_client.virtual_machines = MagicMock()
mock_client.virtual_machines.list_all.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = None
result = vm_service._get_virtual_machines()
mock_client.virtual_machines.list_all.assert_called_once()
mock_client.virtual_machines.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_virtual_machines_with_resource_group(self):
mock_client = MagicMock()
mock_client.virtual_machines = MagicMock()
mock_client.virtual_machines.list.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = vm_service._get_virtual_machines()
mock_client.virtual_machines.list.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.virtual_machines.list_all.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_virtual_machines_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.virtual_machines = MagicMock()
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = vm_service._get_virtual_machines()
mock_client.virtual_machines.list.assert_not_called()
mock_client.virtual_machines.list_all.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
class Test_VM_get_disks:
def test_get_disks_no_resource_groups(self):
mock_client = MagicMock()
mock_client.disks = MagicMock()
mock_client.disks.list.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = None
result = vm_service._get_disks()
mock_client.disks.list.assert_called_once()
mock_client.disks.list_by_resource_group.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_disks_with_resource_group(self):
mock_client = MagicMock()
mock_client.disks = MagicMock()
mock_client.disks.list_by_resource_group.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = vm_service._get_disks()
mock_client.disks.list_by_resource_group.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.disks.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_disks_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.disks = MagicMock()
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = vm_service._get_disks()
mock_client.disks.list_by_resource_group.assert_not_called()
mock_client.disks.list.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
class Test_VM_get_vm_scale_sets:
def test_get_vm_scale_sets_no_resource_groups(self):
mock_client = MagicMock()
mock_client.virtual_machine_scale_sets = MagicMock()
mock_client.virtual_machine_scale_sets.list_all.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = None
result = vm_service._get_vm_scale_sets()
mock_client.virtual_machine_scale_sets.list_all.assert_called_once()
mock_client.virtual_machine_scale_sets.list.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_vm_scale_sets_with_resource_group(self):
mock_client = MagicMock()
mock_client.virtual_machine_scale_sets = MagicMock()
mock_client.virtual_machine_scale_sets.list.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: [RESOURCE_GROUP]}
result = vm_service._get_vm_scale_sets()
mock_client.virtual_machine_scale_sets.list.assert_called_once_with(
resource_group_name=RESOURCE_GROUP
)
mock_client.virtual_machine_scale_sets.list_all.assert_not_called()
assert AZURE_SUBSCRIPTION_ID in result
def test_get_vm_scale_sets_empty_resource_group_for_subscription(self):
mock_client = MagicMock()
mock_client.virtual_machine_scale_sets = MagicMock()
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: []}
result = vm_service._get_vm_scale_sets()
mock_client.virtual_machine_scale_sets.list.assert_not_called()
mock_client.virtual_machine_scale_sets.list_all.assert_not_called()
assert result[AZURE_SUBSCRIPTION_ID] == {}
def test_get_virtual_machines_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.virtual_machines = MagicMock()
mock_client.virtual_machines.list.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = vm_service._get_virtual_machines()
assert mock_client.virtual_machines.list.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_virtual_machines_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.virtual_machines = MagicMock()
mock_client.virtual_machines.list.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
vm_service._get_virtual_machines()
mock_client.virtual_machines.list.assert_called_once_with(
resource_group_name="RG"
)
class Test_VM_get_disks_extra:
def test_get_disks_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.disks = MagicMock()
mock_client.disks.list_by_resource_group.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = vm_service._get_disks()
assert mock_client.disks.list_by_resource_group.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_disks_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.disks = MagicMock()
mock_client.disks.list_by_resource_group.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
vm_service._get_disks()
mock_client.disks.list_by_resource_group.assert_called_once_with(
resource_group_name="RG"
)
class Test_VM_get_vm_scale_sets_extra:
def test_get_vm_scale_sets_with_multiple_resource_groups(self):
mock_client = MagicMock()
mock_client.virtual_machine_scale_sets = MagicMock()
mock_client.virtual_machine_scale_sets.list.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: RESOURCE_GROUP_LIST}
result = vm_service._get_vm_scale_sets()
assert mock_client.virtual_machine_scale_sets.list.call_count == 2
assert AZURE_SUBSCRIPTION_ID in result
def test_get_vm_scale_sets_with_mixed_case_resource_group(self):
mock_client = MagicMock()
mock_client.virtual_machine_scale_sets = MagicMock()
mock_client.virtual_machine_scale_sets.list.return_value = []
with (
patch.object(VirtualMachines, "_get_virtual_machines", return_value={}),
patch.object(VirtualMachines, "_get_disks", return_value={}),
patch.object(VirtualMachines, "_get_vm_scale_sets", return_value={}),
):
vm_service = VirtualMachines(set_mocked_azure_provider())
vm_service.clients = {AZURE_SUBSCRIPTION_ID: mock_client}
vm_service.resource_groups = {AZURE_SUBSCRIPTION_ID: ["RG"]}
vm_service._get_vm_scale_sets()
mock_client.virtual_machine_scale_sets.list.assert_called_once_with(
resource_group_name="RG"
)
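Review bot: `test_get_virtual_machines_with_multiple_resource_groups` and `test_get_virtual_machines_with_mixed_case_resource_group` are added after the last test of `Test_VM_get_vm_scale_sets` with no class line before them, so as shown here they sit in the scale set class rather than in `Test_VM_get_virtual_machines`. Move them up, and fold `Test_VM_get_disks_extra` and `Test_VM_get_vm_scale_sets_extra` into `Test_VM_get_disks` and `Test_VM_get_vm_scale_sets`, so that the None, single, empty, multiple and mixed-case cases for each method live together. The multiple-group tests here also assert `call_count == 2` against `RESOURCE_GROUP_LIST`; use `len(RESOURCE_GROUP_LIST)` so the expectation follows the fixture.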