merged master
fatima99s committed Jun 14, 2024
2 parents 49d7829 + a704fb7 commit 86851fe
Showing 32 changed files with 427 additions and 257 deletions.
2 changes: 1 addition & 1 deletion plugins/aws/lambda/lambdaOldRuntimes.spec.js
Expand Up @@ -5,7 +5,7 @@ const listFunctions = [
{
"FunctionName": "test-lambda",
"FunctionArn": "arn:aws:lambda:us-east-1:000011112222:function:test-lambda",
"Runtime": "nodejs16.x",
"Runtime": "nodejs18.x",
"Role": "arn:aws:iam::000011112222:role/lambda-role",
"Handler": "index.handler",
"TracingConfig": { "Mode": "PassThrough" }
17 changes: 12 additions & 5 deletions plugins/azure/appConfigurations/appConfigurationCmkEncrypted.js
Expand Up @@ -19,7 +19,7 @@ module.exports = {
var locations = helpers.locations(settings.govcloud);

async.each(locations.appConfigurations, function(location, rcb){
var appConfigurations = helpers.addSource(cache, source,
var appConfigurations = helpers.addSource(cache, source,
['appConfigurations', 'list', location]);

if (!appConfigurations) return rcb();
Expand All @@ -37,10 +37,17 @@ module.exports = {
for (let appConfiguration of appConfigurations.data) {
if (!appConfiguration.id) continue;

if (appConfiguration.encryption && appConfiguration.encryption.keyVaultProperties && appConfiguration.encryption.keyVaultProperties.keyIdentifier) {
helpers.addResult(results, 0, 'App Configuration is encrypted using CMK', location, appConfiguration.id);
if (appConfiguration.sku &&
appConfiguration.sku.name &&
appConfiguration.sku.name.toLowerCase() === 'free') {
helpers.addResult(results, 0, 'App Configuration tier is free', location, appConfiguration.id);
} else {
helpers.addResult(results, 2, 'App Configuration is not encrypted using CMK', location, appConfiguration.id);

if (appConfiguration.encryption && appConfiguration.encryption.keyVaultProperties && appConfiguration.encryption.keyVaultProperties.keyIdentifier) {
helpers.addResult(results, 0, 'App Configuration is encrypted using CMK', location, appConfiguration.id);
} else {
helpers.addResult(results, 2, 'App Configuration is not encrypted using CMK', location, appConfiguration.id);
}
}
}

Expand All @@ -49,4 +56,4 @@ module.exports = {
callback(null, results, source);
});
}
};
};
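Review bot: The new free-tier branch reports status 0 with the message 'App Configuration tier is free', which gives a reader of the results no indication that the store is in fact not CMK-encrypted, and it is indistinguishable in severity from a genuine CMK pass. If the intent is that the free SKU cannot be configured with a customer-managed key, say so where the exemption is made: `helpers.addResult(results, 0, 'App Configuration tier is free; customer-managed key encryption is not available on this tier', location, appConfiguration.id);` with a comment above the SKU check such as `// Free tier presumably cannot use a CMK, so the encryption check does not apply — confirm against the SKU docs`. The `else { if (...) }` nesting can be flattened to `} else if (appConfiguration.encryption && ...)` to keep the three outcomes at one level, matching the style of the original check. The enclosing run() callback starts outside the hunk.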
Expand Up @@ -9,15 +9,15 @@ const appConfigurations = [
"creationDate": "2023-12-27T09:26:54+00:00",
"endpoint": "https://dummy-test-rg.azconfig.io",
"encryption": {
"keyVaultProperties": {
"keyIdentifier": "https://dummy-test-key.vault.azure.net/keys/test-key",
"identityClientId": null
},
"privateEndpointConnections": null,
"publicNetworkAccess": "Disabled",
"disableLocalAuth": false,
"softDeleteRetentionInDays": 0,
"enablePurgeProtection": false
"keyVaultProperties": {
"keyIdentifier": "https://dummy-test-key.vault.azure.net/keys/test-key",
"identityClientId": null
},
"privateEndpointConnections": null,
"publicNetworkAccess": "Disabled",
"disableLocalAuth": false,
"softDeleteRetentionInDays": 0,
"enablePurgeProtection": false
},
"id": "/subscriptions/123/resourceGroups/meerab-rg/providers/Microsoft.AppConfiguration/configurationStores/meerab-test-rg",
"name": "meerab-test-rg",
Expand All @@ -30,7 +30,7 @@ const appConfigurations = [
"creationDate": "2023-12-27T09:26:54+00:00",
"endpoint": "https://dummy-test-rg.azconfig.io",
"encryption": {
"keyVaultProperties": null
"keyVaultProperties": null
},
"privateEndpointConnections": null,
"publicNetworkAccess": "Disabled",
Expand All @@ -45,13 +45,37 @@ const appConfigurations = [
"principalId": "12345",
"tenantId": "123456",
"userAssignedIdentities": {
"/subscriptions/123/resourcegroups/meerab-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmeerab": {
"PrincipalId": "1234567",
"ClientId": "123456789"
}
"/subscriptions/123/resourcegroups/meerab-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmeerab": {
"PrincipalId": "1234567",
"ClientId": "123456789"
}
}
}
}
},
{
"type": "Microsoft.AppConfiguration/configurationStores",
"location": "eastus",
"provisioningState": "Succeeded",
"creationDate": "2023-12-27T09:26:54+00:00",
"endpoint": "https://dummy-test-rg.azconfig.io",
"encryption": {
"keyVaultProperties": {
"keyIdentifier": "https://dummy-test-key.vault.azure.net/keys/test-key",
"identityClientId": null
},
"privateEndpointConnections": null,
"publicNetworkAccess": "Disabled",
"disableLocalAuth": false,
"softDeleteRetentionInDays": 0,
"enablePurgeProtection": false
},
"id": "/subscriptions/123/resourceGroups/meerab-rg/providers/Microsoft.AppConfiguration/configurationStores/meerab-test-rg",
"name": "meerab-test-rg",
"tags": {},
"sku": {
"name": "free"
}
},
];

const createCache = (appConfigurations,err) => {
Expand Down Expand Up @@ -103,6 +127,17 @@ describe('appConfigurationCmkEncrypted', function () {
});
});

it('should give passing result if App Configuration tier is free', function (done) {
const cache = createCache([appConfigurations[2]]);
appConfigurationCmkEncrypted.run(cache, {}, (err, results) => {
expect(results.length).to.equal(1);
expect(results[0].status).to.equal(0);
expect(results[0].message).to.include('App Configuration tier is free');
expect(results[0].region).to.equal('eastus');
done();
});
});

it('should give failing result if App Configuration is not encrypted using CMK', function (done) {
const cache = createCache([appConfigurations[1]]);
appConfigurationCmkEncrypted.run(cache, {}, (err, results) => {
Expand All @@ -114,4 +149,4 @@ describe('appConfigurationCmkEncrypted', function () {
});
});
});
});
});
2 changes: 1 addition & 1 deletion plugins/azure/applicationGateway/agHttpsListenerOnly.js
Expand Up @@ -39,7 +39,7 @@ module.exports = {

if (appGateway.httpListeners && appGateway.httpListeners.length) {
var httpListeners = appGateway.httpListeners
.filter(listener => listener.protocol && listener.protocol.toLowerCase() !== 'https')
.filter(listener => listener.properties.protocol && listener.properties.protocol.toLowerCase() !== 'https')
.map(listener => listener.name);

if (httpListeners && httpListeners.length) {
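Review bot: The new filter dereferences `listener.properties.protocol` without first checking that `properties` exists, so a listener object that lacks a `properties` block throws a TypeError inside the filter callback and aborts the plugin for that region instead of producing a result. The surrounding code guards nested fields with `&&` chains (the `appGateway.httpListeners && appGateway.httpListeners.length` check just above), so the same pattern applies here: `.filter(listener => listener.properties && listener.properties.protocol && listener.properties.protocol.toLowerCase() !== 'https')`. Note that, as before the change, a listener whose protocol is missing is dropped by the filter and therefore counts toward an HTTPS-only pass; if that is intended it deserves a comment, e.g. `// listeners with no protocol value are not reported — confirm this is the desired default`. The enclosing function starts and ends outside the hunk.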
70 changes: 39 additions & 31 deletions plugins/azure/applicationGateway/agHttpsListenerOnly.spec.js
Expand Up @@ -3,60 +3,68 @@ var agHttpsListenerOnly = require('./agHttpsListenerOnly');

const appGateway = [
{ "sku": {
"tier": "WAF_v2"
"tier": "WAF_v2"
},
"name": 'test-gateway',
"id": '/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Network/applicationGateways/test-gateway",',
"type": "Microsoft.Network/applicationGateways",
"httpListeners": [
{
"name": "listenerhttp",
"id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Network/applicationGateways/test-app-gateway/httpListeners/listenerhttp",
"etag": "W/\"9a09a0a2-7baa-44a2-b37b-88308429d799\"",
"protocol": "Http",
"hostNames": [],
"requireServerNameIndication": false,
"type": "Microsoft.Network/applicationGateways/httpListeners"
"name": "listenerhttp",
"id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Network/applicationGateways/test-app-gateway/httpListeners/listenerhttp",
"etag": "W/\"9a09a0a2-7baa-44a2-b37b-88308429d799\"",
"properties": {
"protocol": "Http",
"hostNames": [],
"requireServerNameIndication": false,
},
"type": "Microsoft.Network/applicationGateways/httpListeners"
},
{
"name": "listenerhttp2",
"id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Network/applicationGateways/test-app-gateway/httpListeners/listenerhttp",
"etag": "W/\"9a09a0a2-7baa-44a2-b37b-88308429d799\"",
"protocol": "Http",
"hostNames": [],
"requireServerNameIndication": false,
"properties": {
"protocol": "Http",
"hostNames": [],
"requireServerNameIndication": false,
},
"type": "Microsoft.Network/applicationGateways/httpListeners"
},
{
},
{
"name": "listenerhttp3",
"id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Network/applicationGateways/test-app-gateway/httpListeners/listenerhttp",
"etag": "W/\"9a09a0a2-7baa-44a2-b37b-88308429d799\"",
"protocol": "Https",
"hostNames": [],
"requireServerNameIndication": false,
"properties": {
"protocol": "Https",
"hostNames": [],
"requireServerNameIndication": false,
},
"type": "Microsoft.Network/applicationGateways/httpListeners"
}
],
}
],
},
{
{
"sku": {
"tier": "WAF_v2"
"tier": "WAF_v2"
},
"name": 'test-gateway',
"name": 'test-gateway',
"id": '/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Network/applicationGateways/test",',
"type": "Microsoft.Network/applicationGateways",
"location": "eastus",
"httpListeners": [
{
"name": "listenerhttp",
"id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Network/applicationGateways/test-app-gateway/httpListeners/listenerhttp",
"etag": "W/\"9a09a0a2-7baa-44a2-b37b-88308429d799\"",
"protocol": "Https",
"hostNames": [],
"requireServerNameIndication": false,
"type": "Microsoft.Network/applicationGateways/httpListeners"
"name": "listenerhttp",
"id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Network/applicationGateways/test-app-gateway/httpListeners/listenerhttp",
"etag": "W/\"9a09a0a2-7baa-44a2-b37b-88308429d799\"",
"properties": {
"protocol": "Https",
"hostNames": [],
"requireServerNameIndication": false,
},
"type": "Microsoft.Network/applicationGateways/httpListeners"
}
],
],
},
];

Expand Down Expand Up @@ -127,7 +135,7 @@ describe('agHttpsListenerOnly', function() {
done();
});
});

});
});
});

11 changes: 8 additions & 3 deletions plugins/azure/eventhub/eventHubManagedIdentity.js
Expand Up @@ -38,10 +38,15 @@ module.exports = {
for (let eventHub of eventHubs.data){
if (!eventHub.id) continue;

if (eventHub.identity) {
helpers.addResult(results, 0, 'Event Hubs namespace has managed identity enabled', location, eventHub.id);
if (eventHub.sku && eventHub.sku.tier && eventHub.sku.tier.toLowerCase() === 'basic') {
helpers.addResult(results, 0,
'Event Hubs namespace tier is basic', location, eventHub.id);
} else {
helpers.addResult(results, 2, 'Event Hubs namespace does not have managed identity enabled', location, eventHub.id);
if (eventHub.identity) {
helpers.addResult(results, 0, 'Event Hubs namespace has managed identity enabled', location, eventHub.id);
} else {
helpers.addResult(results, 2, 'Event Hubs namespace does not have managed identity enabled', location, eventHub.id);
}
}
}

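Review bot: The new Basic-tier branch wraps the original `if (eventHub.identity)` check in an `else { ... }` block, adding a level of nesting for no gain; `} else if (eventHub.identity) {` keeps the three outcomes at one level. The pass message 'Event Hubs namespace tier is basic' does not say why Basic is exempt, so in a report it reads like a managed-identity pass; if the exemption is because a Basic namespace presumably cannot be assigned an identity, record that in a comment above the SKU check, e.g. `// Basic tier is treated as not applicable for managed identity — confirm against the Event Hubs SKU docs`, and consider a message that states it. The same tier-exemption shape is added to appConfigurationCmkEncrypted.js and eventHubPublicAccess.js in this commit, so consistent wording across the three would help whoever consumes the results. The enclosing function starts and ends outside the hunk.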
39 changes: 37 additions & 2 deletions plugins/azure/eventhub/eventHubManagedIdentity.spec.js
@@ -1,5 +1,6 @@
var expect = require('chai').expect;
var eventHubManagedIdentity = require('./eventHubManagedIdentity');
const eventHubPublicAccess = require("./eventHubPublicAccess");

const eventHubs = [
{
Expand Down Expand Up @@ -40,7 +41,28 @@ const eventHubs = [
"isAutoInflateEnabled": false,
"maximumThroughputUnits": 0,
"kafkaEnabled": false,
}
},
{
"kind": "v12.0",
"location": "eastus",
"tags": {},
"id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/testHub'",
"name": "testHub2",
"type": 'Microsoft.EventHub/Namespaces',
"location": 'East US',
"tags": {},
"sku": {
"name": "Basic",
"tier": "Basic",
"capacity": 1
},
"minimumTlsVersion": '1.2',
"publicNetworkAccess": 'Enabled',
"disableLocalAuth": true,
"isAutoInflateEnabled": false,
"maximumThroughputUnits": 0,
"kafkaEnabled": false
},
];

const createCache = (hub) => {
Expand Down Expand Up @@ -96,6 +118,19 @@ describe('eventHubManagedIdentity', function() {
eventHubManagedIdentity.run(cache, {}, callback);
});

it('should give passing result if eventHub is of basic tier', function(done) {
const callback = (err, results) => {
expect(results.length).to.equal(1);
expect(results[0].status).to.equal(0);
expect(results[0].message).to.include('Event Hubs namespace tier is basic');
expect(results[0].region).to.equal('eastus');
done()
};

const cache = createCache([eventHubs[2]]);
eventHubManagedIdentity.run(cache, {}, callback);
});

it('should give unknown result if unable to query for event hubs', function(done) {
const callback = (err, results) => {
expect(results.length).to.equal(1);
Expand All @@ -109,4 +144,4 @@ describe('eventHubManagedIdentity', function() {
eventHubManagedIdentity.run(cache, {}, callback);
});
})
})
})
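Review bot: The added `const eventHubPublicAccess = require("./eventHubPublicAccess");` is never used in the visible tests, which all call `eventHubManagedIdentity.run`, so it should be dropped (it also uses double quotes where the rest of the file uses single). The new fixture declares `location` and `tags` twice (`"location": "eastus"` and later `"location": 'East US'`), which ESLint's no-dupe-keys rejects and where the last value silently wins; the test still passes only because the plugin takes the region from the cache key rather than from the fixture's `location` field, so remove the duplicate keys and keep one value. The fixture's `id` also ends with a stray quote, `...namespaces/testHub'"`, which looks like a paste error and should be `...namespaces/testHub2"` to match the `name`.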
15 changes: 10 additions & 5 deletions plugins/azure/eventhub/eventHubPublicAccess.js
Expand Up @@ -38,12 +38,17 @@ module.exports = {
for (let eventHub of eventHubs.data){
if (!eventHub.id) continue;

if (eventHub.publicNetworkAccess && eventHub.publicNetworkAccess.toLowerCase() === 'enabled') {
helpers.addResult(results, 2,
'Event Hubs namespace is publicly accessible',location, eventHub.id);
} else {
if (eventHub.sku && eventHub.sku.tier && eventHub.sku.tier.toLowerCase() === 'basic') {
helpers.addResult(results, 0,
'Event Hubs namespace is not publicly accessible', location, eventHub.id);
'Event Hubs namespace tier is basic', location, eventHub.id);
} else {
if (eventHub.publicNetworkAccess && eventHub.publicNetworkAccess.toLowerCase() === 'enabled') {
helpers.addResult(results, 2,
'Event Hubs namespace is publicly accessible',location, eventHub.id);
} else {
helpers.addResult(results, 0,
'Event Hubs namespace is not publicly accessible', location, eventHub.id);
}
}
}
rcb();
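Review bot: The new Basic-tier branch returns status 0 before `publicNetworkAccess` is examined, so a Basic namespace with `publicNetworkAccess: 'Enabled'` — exactly the shape of the new fixture added to eventHubManagedIdentity.spec.js in this commit — is reported as a pass even though its endpoint is reachable from the public internet. Whether a namespace is exposed does not depend on its SKU, so this hides a real exposure; if the reason for the exemption is that the Basic SKU cannot restrict network access, the result should say so rather than 'tier is basic', e.g. `'Event Hubs namespace tier is basic and cannot restrict public network access'`, so the exposure stays visible in the report, and otherwise the original `publicNetworkAccess` check should run for every tier. Flattening to `} else if (eventHub.publicNetworkAccess && eventHub.publicNetworkAccess.toLowerCase() === 'enabled') {` would also remove the extra nesting introduced here. The enclosing function starts outside the hunk.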