ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2026-05-06 08:47:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(m365): add exchange_organization_delicensing_resiliency_enabled security check (#10608)

Browse Source
This commit is contained in:
Hugo Pereira Brito
2026-04-14 12:30:45 +01:00
committed by GitHub
parent bc3fd79457
commit e24e1ab771
10 changed files with 616 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/providers/m365/services/exchange/exchange_organization_delicensing_resiliency_enabled/exchange_organization_delicensing_resiliency_enabled_fixer_test.py
+61
View File
@@ -0,0 +1,61 @@
from unittest import mock
from tests.providers.m365.m365_fixtures import set_mocked_m365_provider
class Test_exchange_organization_delicensing_resiliency_enabled_fixer:
def test_creates_new_powershell_session(self):
created_session = mock.MagicMock()
created_session.connect_exchange_online.return_value = True
created_session.execute.return_value = ""
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_m365_provider(),
),
mock.patch(
"prowler.providers.m365.services.exchange.exchange_organization_delicensing_resiliency_enabled.exchange_organization_delicensing_resiliency_enabled_fixer.M365PowerShell",
return_value=created_session,
) as mocked_powershell,
):
from prowler.providers.m365.services.exchange.exchange_organization_delicensing_resiliency_enabled.exchange_organization_delicensing_resiliency_enabled_fixer import (
fixer,
)
assert fixer()
mocked_powershell.assert_called_once()
created_session.connect_exchange_online.assert_called_once()
created_session.execute.assert_any_call(
"Set-OrganizationConfig -DelayedDelicensingEnabled $true",
timeout=30,
)
created_session.close.assert_called_once()
def test_logs_power_shell_execution_error(self):
created_session = mock.MagicMock()
created_session.connect_exchange_online.return_value = True
created_session.execute.return_value = "Access is denied."
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_m365_provider(),
),
mock.patch(
"prowler.providers.m365.services.exchange.exchange_organization_delicensing_resiliency_enabled.exchange_organization_delicensing_resiliency_enabled_fixer.M365PowerShell",
return_value=created_session,
),
mock.patch(
"prowler.providers.m365.services.exchange.exchange_organization_delicensing_resiliency_enabled.exchange_organization_delicensing_resiliency_enabled_fixer.logger.error",
) as mocked_logger_error,
):
from prowler.providers.m365.services.exchange.exchange_organization_delicensing_resiliency_enabled.exchange_organization_delicensing_resiliency_enabled_fixer import (
fixer,
)
assert not fixer()
mocked_logger_error.assert_any_call(
'PowerShell execution failed while running "Set-OrganizationConfig -DelayedDelicensingEnabled $true": Access is denied.'
)
created_session.close.assert_called_once()
tests/providers/m365/services/exchange/exchange_organization_delicensing_resiliency_enabled/exchange_organization_delicensing_resiliency_enabled_test.py
+278
View File
@@ -0,0 +1,278 @@
from unittest import mock
from tests.providers.m365.m365_fixtures import DOMAIN, set_mocked_m365_provider
ORGANIZATION_KWARGS = dict(
name="test-org",
guid="org-guid",
audit_disabled=False,
oauth_enabled=True,
mailtips_enabled=True,
mailtips_external_recipient_enabled=False,
mailtips_group_metrics_enabled=True,
mailtips_large_audience_threshold=25,
)
class Test_exchange_organization_delicensing_resiliency_enabled:
def test_no_organization(self):
exchange_client = mock.MagicMock()
exchange_client.audited_tenant = "audited_tenant"
exchange_client.audited_domain = DOMAIN
exchange_client.organization_config = None
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_m365_provider(),
),
mock.patch(
"prowler.providers.m365.lib.powershell.m365_powershell.M365PowerShell.connect_exchange_online"
),
mock.patch(
"prowler.providers.m365.services.exchange.exchange_organization_delicensing_resiliency_enabled.exchange_organization_delicensing_resiliency_enabled.exchange_client",
new=exchange_client,
),
):
from prowler.providers.m365.services.exchange.exchange_organization_delicensing_resiliency_enabled.exchange_organization_delicensing_resiliency_enabled import (
exchange_organization_delicensing_resiliency_enabled,
)
check = exchange_organization_delicensing_resiliency_enabled()
result = check.execute()
assert len(result) == 0
def test_delicensing_resiliency_disabled_above_threshold(self):
"""Disabled + >= 5000 total licenses -> FAIL (fixer confirms eligibility)."""
exchange_client = mock.MagicMock()
exchange_client.audited_tenant = "audited_tenant"
exchange_client.audited_domain = DOMAIN
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_m365_provider(),
),
mock.patch(
"prowler.providers.m365.lib.powershell.m365_powershell.M365PowerShell.connect_exchange_online"
),
mock.patch(
"prowler.providers.m365.services.exchange.exchange_organization_delicensing_resiliency_enabled.exchange_organization_delicensing_resiliency_enabled.exchange_client",
new=exchange_client,
),
):
from prowler.providers.m365.services.exchange.exchange_organization_delicensing_resiliency_enabled.exchange_organization_delicensing_resiliency_enabled import (
exchange_organization_delicensing_resiliency_enabled,
)
from prowler.providers.m365.services.exchange.exchange_service import (
Organization,
)
exchange_client.organization_config = Organization(
**ORGANIZATION_KWARGS,
delayed_delicensing_enabled=False,
total_paid_licenses=6000,
)
check = exchange_organization_delicensing_resiliency_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert "preventive FAIL" in result[0].status_extended
assert result[0].resource_name == "test-org"
assert result[0].resource_id == "org-guid"
assert result[0].location == "global"
def test_delicensing_resiliency_disabled_at_threshold(self):
"""Disabled + exactly 5000 total licenses -> FAIL."""
exchange_client = mock.MagicMock()
exchange_client.audited_tenant = "audited_tenant"
exchange_client.audited_domain = DOMAIN
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_m365_provider(),
),
mock.patch(
"prowler.providers.m365.lib.powershell.m365_powershell.M365PowerShell.connect_exchange_online"
),
mock.patch(
"prowler.providers.m365.services.exchange.exchange_organization_delicensing_resiliency_enabled.exchange_organization_delicensing_resiliency_enabled.exchange_client",
new=exchange_client,
),
):
from prowler.providers.m365.services.exchange.exchange_organization_delicensing_resiliency_enabled.exchange_organization_delicensing_resiliency_enabled import (
exchange_organization_delicensing_resiliency_enabled,
)
from prowler.providers.m365.services.exchange.exchange_service import (
Organization,
)
exchange_client.organization_config = Organization(
**ORGANIZATION_KWARGS,
delayed_delicensing_enabled=False,
total_paid_licenses=5000,
)
check = exchange_organization_delicensing_resiliency_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
def test_delicensing_resiliency_disabled_below_threshold(self):
"""Disabled + < 5000 total licenses -> PASS (not applicable)."""
exchange_client = mock.MagicMock()
exchange_client.audited_tenant = "audited_tenant"
exchange_client.audited_domain = DOMAIN
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_m365_provider(),
),
mock.patch(
"prowler.providers.m365.lib.powershell.m365_powershell.M365PowerShell.connect_exchange_online"
),
mock.patch(
"prowler.providers.m365.services.exchange.exchange_organization_delicensing_resiliency_enabled.exchange_organization_delicensing_resiliency_enabled.exchange_client",
new=exchange_client,
),
):
from prowler.providers.m365.services.exchange.exchange_organization_delicensing_resiliency_enabled.exchange_organization_delicensing_resiliency_enabled import (
exchange_organization_delicensing_resiliency_enabled,
)
from prowler.providers.m365.services.exchange.exchange_service import (
Organization,
)
exchange_client.organization_config = Organization(
**ORGANIZATION_KWARGS,
delayed_delicensing_enabled=False,
total_paid_licenses=4999,
)
check = exchange_organization_delicensing_resiliency_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert "not applicable" in result[0].status_extended
assert "4999 total licenses" in result[0].status_extended
def test_delicensing_resiliency_disabled_licenses_unknown(self):
"""Disabled + unknown license count -> FAIL."""
exchange_client = mock.MagicMock()
exchange_client.audited_tenant = "audited_tenant"
exchange_client.audited_domain = DOMAIN
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_m365_provider(),
),
mock.patch(
"prowler.providers.m365.lib.powershell.m365_powershell.M365PowerShell.connect_exchange_online"
),
mock.patch(
"prowler.providers.m365.services.exchange.exchange_organization_delicensing_resiliency_enabled.exchange_organization_delicensing_resiliency_enabled.exchange_client",
new=exchange_client,
),
):
from prowler.providers.m365.services.exchange.exchange_organization_delicensing_resiliency_enabled.exchange_organization_delicensing_resiliency_enabled import (
exchange_organization_delicensing_resiliency_enabled,
)
from prowler.providers.m365.services.exchange.exchange_service import (
Organization,
)
exchange_client.organization_config = Organization(
**ORGANIZATION_KWARGS,
delayed_delicensing_enabled=False,
total_paid_licenses=None,
)
check = exchange_organization_delicensing_resiliency_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert "preventive FAIL" in result[0].status_extended
def test_delicensing_resiliency_enabled(self):
"""Enabled -> PASS regardless of license count."""
exchange_client = mock.MagicMock()
exchange_client.audited_tenant = "audited_tenant"
exchange_client.audited_domain = DOMAIN
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_m365_provider(),
),
mock.patch(
"prowler.providers.m365.lib.powershell.m365_powershell.M365PowerShell.connect_exchange_online"
),
mock.patch(
"prowler.providers.m365.services.exchange.exchange_organization_delicensing_resiliency_enabled.exchange_organization_delicensing_resiliency_enabled.exchange_client",
new=exchange_client,
),
):
from prowler.providers.m365.services.exchange.exchange_organization_delicensing_resiliency_enabled.exchange_organization_delicensing_resiliency_enabled import (
exchange_organization_delicensing_resiliency_enabled,
)
from prowler.providers.m365.services.exchange.exchange_service import (
Organization,
)
exchange_client.organization_config = Organization(
**ORGANIZATION_KWARGS,
delayed_delicensing_enabled=True,
total_paid_licenses=6000,
)
check = exchange_organization_delicensing_resiliency_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert "is enabled" in result[0].status_extended
assert result[0].resource == exchange_client.organization_config.dict()
assert result[0].resource_name == "test-org"
assert result[0].resource_id == "org-guid"
assert result[0].location == "global"
def test_delicensing_resiliency_enabled_below_threshold(self):
"""Enabled + below threshold -> still PASS (enabled always wins)."""
exchange_client = mock.MagicMock()
exchange_client.audited_tenant = "audited_tenant"
exchange_client.audited_domain = DOMAIN
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_m365_provider(),
),
mock.patch(
"prowler.providers.m365.lib.powershell.m365_powershell.M365PowerShell.connect_exchange_online"
),
mock.patch(
"prowler.providers.m365.services.exchange.exchange_organization_delicensing_resiliency_enabled.exchange_organization_delicensing_resiliency_enabled.exchange_client",
new=exchange_client,
),
):
from prowler.providers.m365.services.exchange.exchange_organization_delicensing_resiliency_enabled.exchange_organization_delicensing_resiliency_enabled import (
exchange_organization_delicensing_resiliency_enabled,
)
from prowler.providers.m365.services.exchange.exchange_service import (
Organization,
)
exchange_client.organization_config = Organization(
**ORGANIZATION_KWARGS,
delayed_delicensing_enabled=True,
total_paid_licenses=100,
)
check = exchange_organization_delicensing_resiliency_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert "is enabled" in result[0].status_extended
tests/providers/m365/services/exchange/exchange_service_test.py
+37
View File
@@ -161,6 +161,18 @@ def mock_exchange_get_shared_mailboxes(_):
]
async def mock_exchange_get_total_paid_licenses(_):
return 6000
async def mock_exchange_get_total_paid_licenses_none(_):
return None
@patch(
"prowler.providers.m365.services.exchange.exchange_service.Exchange._get_total_paid_licenses",
new=mock_exchange_get_total_paid_licenses,
)
class Test_Exchange_Service:
def test_get_client(self):
with (
@@ -201,6 +213,7 @@ class Test_Exchange_Service:
assert organization_config.mailtips_external_recipient_enabled is False
assert organization_config.mailtips_group_metrics_enabled is True
assert organization_config.mailtips_large_audience_threshold == 25
assert organization_config.total_paid_licenses == 6000
exchange_client.powershell.close()
@@ -481,3 +494,27 @@ class Test_Exchange_Service:
assert shared_mailboxes[1].identity == "info@contoso.com"
exchange_client.powershell.close()
def test_get_total_paid_licenses_none(self):
with (
mock.patch(
"prowler.providers.m365.lib.powershell.m365_powershell.M365PowerShell.connect_exchange_online"
),
mock.patch.object(
Exchange,
"_get_organization_config",
mock_exchange_get_organization_config,
),
mock.patch.object(
Exchange,
"_get_total_paid_licenses",
mock_exchange_get_total_paid_licenses_none,
),
):
exchange_client = Exchange(
set_mocked_m365_provider(
identity=M365IdentityInfo(tenant_domain=DOMAIN)
)
)
assert exchange_client.organization_config.total_paid_licenses is None
exchange_client.powershell.close()