-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(arm): add CKV_AZURE_173 to ensure that API management uses at le…
…ast TLS 1.2 (#6478) added a new arm policy for resource: APIManagementMinTLS12 Co-authored-by: ChanochShayner <[email protected]> Co-authored-by: AdamDev <[email protected]>
- Loading branch information
3 people
authored
Jul 4, 2024
1 parent
50b60be
commit 3c46f43
Showing
4 changed files
with
307 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| from __future__ import annotations | ||
|
|
||
| from typing import Any | ||
|
|
||
| from checkov.common.models.enums import CheckCategories, CheckResult | ||
| from checkov.arm.base_resource_check import BaseResourceCheck | ||
|
|
||
|
|
||
| class APIManagementMinTLS12(BaseResourceCheck): | ||
| def __init__(self) -> None: | ||
| name = "Ensure API management uses at least TLS 1.2" | ||
| id = "CKV_AZURE_173" | ||
| supported_resources = ("Microsoft.ApiManagement/service",) | ||
| categories = (CheckCategories.ENCRYPTION,) | ||
| super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,) | ||
|
|
||
| def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: | ||
| properties = conf.get("properties") | ||
| if isinstance(properties, dict) and "customProperties" in properties: | ||
| customProperties = properties.get("customProperties") | ||
| if isinstance(customProperties, dict): | ||
| if customProperties.get("Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30"): | ||
| return CheckResult.FAILED | ||
| if customProperties.get("Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10"): | ||
| return CheckResult.FAILED | ||
| if customProperties.get("Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30"): | ||
| return CheckResult.FAILED | ||
| if customProperties.get("Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10"): | ||
| return CheckResult.FAILED | ||
| if customProperties.get("Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11"): | ||
| return CheckResult.FAILED | ||
| return CheckResult.PASSED | ||
|
|
||
|
|
||
| check = APIManagementMinTLS12() |
149 changes: 149 additions & 0 deletions
149
tests/arm/checks/resource/example_APIManagementMinTLS12/fail.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,149 @@ | ||
| { | ||
| "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | ||
| "contentVersion": "1.0.0.0", | ||
| "metadata": { | ||
| "_generator": { | ||
| "name": "bicep", | ||
| "version": "0.26.54.24096", | ||
| "templateHash": "15176578550391235821" | ||
| } | ||
| }, | ||
| "parameters": { | ||
| "publisherEmail": { | ||
| "type": "string", | ||
| "minLength": 1, | ||
| "metadata": { | ||
| "description": "The email address of the owner of the service" | ||
| } | ||
| }, | ||
| "publisherName": { | ||
| "type": "string", | ||
| "minLength": 1, | ||
| "metadata": { | ||
| "description": "The name of the owner of the service" | ||
| } | ||
| }, | ||
| "sku": { | ||
| "type": "string", | ||
| "defaultValue": "Developer", | ||
| "allowedValues": [ | ||
| "Consumption", | ||
| "Developer", | ||
| "Basic", | ||
| "Basicv2", | ||
| "Standard", | ||
| "Standardv2", | ||
| "Premium" | ||
| ], | ||
| "metadata": { | ||
| "description": "The pricing tier of this API Management service" | ||
| } | ||
| }, | ||
| "skuCount": { | ||
| "type": "int", | ||
| "defaultValue": 1, | ||
| "allowedValues": [ | ||
| 0, | ||
| 1, | ||
| 2 | ||
| ], | ||
| "metadata": { | ||
| "description": "The instance size of this API Management service." | ||
| } | ||
| }, | ||
| "location": { | ||
| "type": "string", | ||
| "defaultValue": "[resourceGroup().location]", | ||
| "metadata": { | ||
| "description": "Location for all resources." | ||
| } | ||
| } | ||
| }, | ||
| "resources": [ | ||
| { | ||
| "type": "Microsoft.ApiManagement/service", | ||
| "apiVersion":"2023-05-01-preview", | ||
| "name": "fail", | ||
| "location": "[parameters('location')]", | ||
| "sku": { | ||
| "name": "[parameters('sku')]", | ||
| "capacity": "[parameters('skuCount')]" | ||
| }, | ||
| "properties": { | ||
| "publisherEmail": "[parameters('publisherEmail')]", | ||
| "publisherName": "[parameters('publisherName')]", | ||
| "customProperties":{ | ||
| "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30": true | ||
| } | ||
| } | ||
| }, | ||
| { | ||
| "type": "Microsoft.ApiManagement/service", | ||
| "apiVersion": "2023-05-01-preview", | ||
| "name": "fail2", | ||
| "location": "[parameters('location')]", | ||
| "sku": { | ||
| "name": "[parameters('sku')]", | ||
| "capacity": "[parameters('skuCount')]" | ||
| }, | ||
| "properties": { | ||
| "publisherEmail": "[parameters('publisherEmail')]", | ||
| "publisherName": "[parameters('publisherName')]", | ||
| "customProperties":{ | ||
| "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10": true | ||
| } | ||
| } | ||
| }, | ||
| { | ||
| "type": "Microsoft.ApiManagement/service", | ||
| "apiVersion": "2023-05-01-preview", | ||
| "name": "fail3", | ||
| "location": "[parameters('location')]", | ||
| "sku": { | ||
| "name": "[parameters('sku')]", | ||
| "capacity": "[parameters('skuCount')]" | ||
| }, | ||
| "properties": { | ||
| "publisherEmail": "[parameters('publisherEmail')]", | ||
| "publisherName": "[parameters('publisherName')]", | ||
| "customProperties":{ | ||
| "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30": true | ||
| } | ||
| } | ||
| }, | ||
| { | ||
| "type": "Microsoft.ApiManagement/service", | ||
| "apiVersion": "2023-05-01-preview", | ||
| "name": "fail4", | ||
| "location": "[parameters('location')]", | ||
| "sku": { | ||
| "name": "[parameters('sku')]", | ||
| "capacity": "[parameters('skuCount')]" | ||
| }, | ||
| "properties": { | ||
| "publisherEmail": "[parameters('publisherEmail')]", | ||
| "publisherName": "[parameters('publisherName')]", | ||
| "customProperties":{ | ||
| "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": true | ||
| } | ||
| } | ||
| }, | ||
| { | ||
| "type": "Microsoft.ApiManagement/service", | ||
| "apiVersion": "2023-05-01-preview", | ||
| "name": "fail5", | ||
| "location": "[parameters('location')]", | ||
| "sku": { | ||
| "name": "[parameters('sku')]", | ||
| "capacity": "[parameters('skuCount')]" | ||
| }, | ||
| "properties": { | ||
| "publisherEmail": "[parameters('publisherEmail')]", | ||
| "publisherName": "[parameters('publisherName')]", | ||
| "customProperties":{ | ||
| "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11": true | ||
| } | ||
| } | ||
| } | ||
| ] | ||
| } |
78 changes: 78 additions & 0 deletions
78
tests/arm/checks/resource/example_APIManagementMinTLS12/pass.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| { | ||
| "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | ||
| "contentVersion": "1.0.0.0", | ||
| "metadata": { | ||
| "_generator": { | ||
| "name": "bicep", | ||
| "version": "0.26.54.24096", | ||
| "templateHash": "15176578550391235821" | ||
| } | ||
| }, | ||
| "parameters": { | ||
| "publisherEmail": { | ||
| "type": "string", | ||
| "minLength": 1, | ||
| "metadata": { | ||
| "description": "The email address of the owner of the service" | ||
| } | ||
| }, | ||
| "publisherName": { | ||
| "type": "string", | ||
| "minLength": 1, | ||
| "metadata": { | ||
| "description": "The name of the owner of the service" | ||
| } | ||
| }, | ||
| "sku": { | ||
| "type": "string", | ||
| "defaultValue": "Developer", | ||
| "allowedValues": [ | ||
| "Consumption", | ||
| "Developer", | ||
| "Basic", | ||
| "Basicv2", | ||
| "Standard", | ||
| "Standardv2", | ||
| "Premium" | ||
| ], | ||
| "metadata": { | ||
| "description": "The pricing tier of this API Management service" | ||
| } | ||
| }, | ||
| "skuCount": { | ||
| "type": "int", | ||
| "defaultValue": 1, | ||
| "allowedValues": [ | ||
| 0, | ||
| 1, | ||
| 2 | ||
| ], | ||
| "metadata": { | ||
| "description": "The instance size of this API Management service." | ||
| } | ||
| }, | ||
| "location": { | ||
| "type": "string", | ||
| "defaultValue": "[resourceGroup().location]", | ||
| "metadata": { | ||
| "description": "Location for all resources." | ||
| } | ||
| } | ||
| }, | ||
| "resources": [ | ||
| { | ||
| "type": "Microsoft.ApiManagement/service", | ||
| "apiVersion": "2023-05-01-preview", | ||
| "name": "pass", | ||
| "location": "[parameters('location')]", | ||
| "sku": { | ||
| "name": "[parameters('sku')]", | ||
| "capacity": "[parameters('skuCount')]" | ||
| }, | ||
| "properties": { | ||
| "publisherEmail": "[parameters('publisherEmail')]", | ||
| "publisherName": "[parameters('publisherName')]" | ||
| } | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| import unittest | ||
| from pathlib import Path | ||
|
|
||
| from checkov.runner_filter import RunnerFilter | ||
| from checkov.arm.checks.resource.APIManagementMinTLS12 import check | ||
| from checkov.arm.runner import Runner | ||
|
|
||
|
|
||
| class TestAPIManagementMinTLS12(unittest.TestCase): | ||
| def test(self): | ||
| # given | ||
| test_files_dir = Path(__file__).parent / "example_APIManagementMinTLS12" | ||
|
|
||
| # when | ||
| report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) | ||
|
|
||
| # then | ||
| summary = report.get_summary() | ||
|
|
||
| passing_resources = { | ||
| "Microsoft.ApiManagement/service.pass", | ||
| } | ||
|
|
||
| failing_resources = { | ||
| "Microsoft.ApiManagement/service.fail", | ||
| "Microsoft.ApiManagement/service.fail2", | ||
| "Microsoft.ApiManagement/service.fail3", | ||
| "Microsoft.ApiManagement/service.fail4", | ||
| "Microsoft.ApiManagement/service.fail5", | ||
| } | ||
|
|
||
| passed_check_resources = {c.resource for c in report.passed_checks} | ||
| failed_check_resources = {c.resource for c in report.failed_checks} | ||
|
|
||
| self.assertEqual(summary["passed"], len(passed_check_resources)) | ||
| self.assertEqual(summary["failed"], len(failed_check_resources)) | ||
| self.assertEqual(summary["skipped"], 0) | ||
| self.assertEqual(summary["parsing_errors"], 0) | ||
|
|
||
| self.assertEqual(passing_resources, passed_check_resources) | ||
| self.assertEqual(failing_resources, failed_check_resources) | ||
|
|
||
|
|
||
| if __name__ == "__main__": | ||
| unittest.main() |