From d5bb5e9287c8cf9bd55236fe01f76ecc2d2eacb6 Mon Sep 17 00:00:00 2001
From: StylusFrost <43682773+StylusFrost@users.noreply.github.com>
Date: Fri, 29 Nov 2024 14:06:55 +0100
Subject: [PATCH] fix(azure): containerregistry_not_publicly_accesible is not accurate (#5938)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Rubén De la Torre Vico
Co-authored-by: Rubén De la Torre Vico
---
 .../containerregistry_not_publicly_accessible.py | 7 +------
 .../containerregistry/containerregistry_service.py | 11 ++++++++---
 .../containerregistry_not_publicly_accessible_test.py | 4 ++--
 .../containerregistry_service_test.py | 4 ++--
 4 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/prowler/providers/azure/services/containerregistry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible.py b/prowler/providers/azure/services/containerregistry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible.py
index d8a6a41da4..d63d1a5e28 100644
--- a/prowler/providers/azure/services/containerregistry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible.py
+++ b/prowler/providers/azure/services/containerregistry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible.py
@@ -18,12 +18,7 @@ class containerregistry_not_publicly_accessible(Check):
 report.status = "FAIL"
 report.status_extended = f"Container Registry {container_registry_info.name} from subscription {subscription} allows unrestricted network access."
- if (
- getattr(
- container_registry_info.network_rule_set, "default_action", ""
- ).lower()
- == "deny"
- ):
+ if not container_registry_info.public_network_access:
 report.status = "PASS"
 report.status_extended = f"Container Registry {container_registry_info.name} from subscription {subscription} does not allow unrestricted network access."
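Review bot: The PASS branch now hinges solely on `public_network_access`, so a registry whose public endpoint is Enabled but whose network rule set has `default_action` Deny — which reached PASS under the removed `== "deny"` condition — is now reported as FAIL, and nothing in the hunk records that this narrowing is deliberate. If it is intended (an Enabled endpoint gated by IP rules is still reachable from the allowed public ranges), add a comment above the `if`, e.g. `# PASS only when the public endpoint itself is Disabled; an Enabled endpoint restricted by network rules is still treated as publicly accessible.` The condition also assumes the field is a real bool rather than the former "Enabled"/"Disabled" string, which only holds once the service change in this commit is deployed together with it. The enclosing execute method starts before the hunk and its tail is not shown.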
diff --git a/prowler/providers/azure/services/containerregistry/containerregistry_service.py b/prowler/providers/azure/services/containerregistry/containerregistry_service.py
index 6c3840febc..189c89c642 100644
--- a/prowler/providers/azure/services/containerregistry/containerregistry_service.py
+++ b/prowler/providers/azure/services/containerregistry/containerregistry_service.py
@@ -37,8 +37,13 @@ class ContainerRegistry(AzureService):
 resource_group=resource_group,
 sku=getattr(registry.sku, "name", ""),
 login_server=getattr(registry, "login_server", ""),
- public_network_access=getattr(
- registry, "public_network_access", ""
+ public_network_access=(
+ False
+ if getattr(
+ registry, "public_network_access" "Enabled"
+ )
+ == "Disabled"
+ else True
 ),
 admin_user_enabled=getattr(
 registry, "admin_user_enabled", False
@@ -93,7 +98,7 @@ class ContainerRegistryInfo:
 resource_group: str
 sku: str
 login_server: str
- public_network_access: str
+ public_network_access: bool
 admin_user_enabled: bool
 network_rule_set: NetworkRuleSet
 monitor_diagnostic_settings: list[DiagnosticSetting]
diff --git a/tests/providers/azure/services/containerregistry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible_test.py b/tests/providers/azure/services/containerregistry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible_test.py
index 827c889b73..8239aa5b70 100644
--- a/tests/providers/azure/services/containerregistry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible_test.py
+++ b/tests/providers/azure/services/containerregistry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible_test.py
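Review bot: The `getattr` in the new `public_network_access` mapping is missing the comma between its two string arguments, so `"public_network_access" "Enabled"` is concatenated into the single attribute name `"public_network_accessEnabled"` and no default is supplied; on any registry object lacking that attribute the call raises `AttributeError` rather than falling back to "Enabled", and on an object that happens to have it the comparison with "Disabled" is made against the wrong attribute. Either way the field can never become False as intended, so a registry with public access disabled is misreported as FAIL or dropped from the results if an enclosing try/except (outside the hunk) swallows the error. The whole seven-line conditional collapses to one line: `public_network_access=(getattr(registry, "public_network_access", "Enabled") != "Disabled"),`. The fail-closed default of "Enabled" when the attribute is absent is the right choice for a security check and is worth a short comment, e.g. `# Missing attribute is treated as Enabled so the check fails closed.` The second hunk's `bool` annotation is consistent with the fixed mapping.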
@@ -57,7 +57,7 @@ class Test_containerregistry_not_publicly_accessible:
 resource_group="mock_resource_group",
 sku="Basic",
 login_server="mock_login_server.azurecr.io",
- public_network_access="Enabled",
+ public_network_access=True,
 admin_user_enabled=True,
 network_rule_set=NetworkRuleSet(default_action="Allow"),
 private_endpoint_connections=[],
@@ -131,7 +131,7 @@ class Test_containerregistry_not_publicly_accessible:
 resource_group="mock_resource_group",
 sku="Basic",
 login_server="mock_login_server.azurecr.io",
- public_network_access="Enabled",
+ public_network_access=False,
 admin_user_enabled=False,
 network_rule_set=NetworkRuleSet(default_action="Deny"),
 private_endpoint_connections=[],
diff --git a/tests/providers/azure/services/containerregistry/containerregistry_service_test.py b/tests/providers/azure/services/containerregistry/containerregistry_service_test.py
index 31ca7cea9a..b6ff17fb16 100644
--- a/tests/providers/azure/services/containerregistry/containerregistry_service_test.py
+++ b/tests/providers/azure/services/containerregistry/containerregistry_service_test.py
@@ -32,7 +32,7 @@ class TestContainerRegistryService:
 resource_group="mock_resource_group",
 sku="Basic",
 login_server="mock_login_server.azurecr.io",
- public_network_access="Enabled",
+ public_network_access=False,
 admin_user_enabled=True,
 network_rule_set=None,
 private_endpoint_connections=[],
@@ -71,7 +71,7 @@ class TestContainerRegistryService:
 assert registry_info.resource_group == "mock_resource_group"
 assert registry_info.sku == "Basic"
 assert registry_info.login_server == "mock_login_server.azurecr.io"
- assert registry_info.public_network_access == "Enabled"
+ assert not registry_info.public_network_access
 assert registry_info.admin_user_enabled is True
 assert isinstance(registry_info.monitor_diagnostic_settings, list)
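Review bot: Neither updated fixture covers the one combination whose outcome this commit changes — `public_network_access=True` together with `NetworkRuleSet(default_action="Deny")`: the first test pairs True with Allow and the second pairs False with Deny, so both produce the same status under the removed condition and the new one. Add a third case with `public_network_access=True` and `network_rule_set=NetworkRuleSet(default_action="Deny")` asserting `status == "FAIL"`, so the narrowed semantics are pinned rather than incidental. The test methods themselves start outside the hunk.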
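Review bot: The new assertion `assert not registry_info.public_network_access` only reads back the value the fixture placed in `ContainerRegistryInfo` (`public_network_access=False` in the first hunk), so the Enabled/Disabled-to-bool mapping added to `containerregistry_service.py` in this commit is never executed here, and a defect in that mapping — such as the missing comma in its `getattr` call — would not be caught. Consider a test that drives the service's mapping with a registry object whose `public_network_access` is "Disabled" and one whose value is "Enabled" (and one lacking the attribute, to confirm the fail-closed default) and asserts the resulting bool. That the fixture bypasses the SDK call entirely is inferred from the constructor call visible in the hunk; the fixture function starts outside it.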