-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(arm): add CKV_AZURE_70 to ensure that Function apps is only acce…
…ssible over HTTPS (#6457) added a new arm policy for resource: FunctionAppsAccessibleOverHttps Co-authored-by: ChanochShayner <[email protected]>
- Loading branch information
1 parent
872338b
commit 4454a21
Showing
8 changed files
with
501 additions
and
0 deletions.
There are no files selected for viewing
45 changes: 45 additions & 0 deletions
45
checkov/arm/checks/resource/FunctionAppsAccessibleOverHttps.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| from __future__ import annotations | ||
|
|
||
| from typing import Any | ||
|
|
||
| from checkov.common.models.enums import CheckResult, CheckCategories | ||
| from checkov.arm.base_resource_check import BaseResourceCheck | ||
|
|
||
|
|
||
| class FunctionAppsAccessibleOverHttps(BaseResourceCheck): | ||
| def __init__(self) -> None: | ||
| name = "Ensure that Function apps is only accessible over HTTPS" | ||
| id = "CKV_AZURE_70" | ||
| supported_resources = ( | ||
| "Microsoft.Web/sites/config", | ||
| "Microsoft.Web/sites", | ||
| "Microsoft.Web/sites/slots", | ||
| ) | ||
| categories = (CheckCategories.NETWORKING,) | ||
| super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,) | ||
|
|
||
| def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: | ||
| if "properties" in conf: | ||
| if self.entity_type == "Microsoft.Web/sites" or self.entity_type == "Microsoft.Web/sites/slots": | ||
| if "httpsOnly" not in conf["properties"]: | ||
| return CheckResult.FAILED | ||
|
|
||
| https_only = conf["properties"]["httpsOnly"] | ||
| if not https_only: | ||
| return CheckResult.FAILED | ||
|
|
||
| if "httpSettings" in conf["properties"]: | ||
| auth_settings_v2 = conf["properties"]["httpSettings"] | ||
|
|
||
| # default=true for require_https | ||
| if 'requireHttps' not in auth_settings_v2: | ||
| return CheckResult.PASSED | ||
|
|
||
| require_https = auth_settings_v2.get("requireHttps") | ||
| if not require_https: | ||
| return CheckResult.FAILED | ||
|
|
||
| return CheckResult.PASSED | ||
|
|
||
|
|
||
| check = FunctionAppsAccessibleOverHttps() |
57 changes: 57 additions & 0 deletions
57
tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_config_fail.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| { | ||
| "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | ||
| "contentVersion": "1.0.0.0", | ||
| "metadata": { | ||
| "_generator": { | ||
| "name": "bicep", | ||
| "version": "0.15.31.15270", | ||
| "templateHash": "11556880252039009077" | ||
| } | ||
| }, | ||
| "parameters": { | ||
| "hostingPlanName": { | ||
| "type": "string", | ||
| "minLength": 1, | ||
| "metadata": { | ||
| "description": "Name of the hosting plan to use in Azure." | ||
| } | ||
| }, | ||
| "webSiteName": { | ||
| "type": "string", | ||
| "minLength": 1, | ||
| "metadata": { | ||
| "description": "Name of the Azure Web app to create." | ||
| } | ||
| } | ||
| }, | ||
| "resources": [ | ||
|
|
||
|
|
||
| { | ||
| "type": "Microsoft.Web/sites/config", | ||
| "apiVersion": "2022-03-01", | ||
| "name": "sites_config_fail", | ||
| "properties": { | ||
| "globalValidation": { | ||
| "requireAuthentication": true, | ||
| "unauthenticatedClientAction": "Return401" | ||
| }, | ||
| "httpSettings": { | ||
| "forwardProxy": { | ||
| "convention": "NoProxy" | ||
| }, | ||
| "requireHttps": false, | ||
| "routes": { | ||
| "apiPrefix": "/.auth" | ||
| } | ||
| }, | ||
| "javaVersion": "1.8", | ||
| "javaContainer": "TOMCAT", | ||
| "javaContainerVersion": "9.0" | ||
| }, | ||
| "dependsOn": [ | ||
| "[resourceId('Microsoft.Web/sites', parameters('webSiteName'))]" | ||
| ] | ||
| } | ||
| ] | ||
| } |
57 changes: 57 additions & 0 deletions
57
tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_config_pass.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| { | ||
| "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | ||
| "contentVersion": "1.0.0.0", | ||
| "metadata": { | ||
| "_generator": { | ||
| "name": "bicep", | ||
| "version": "0.15.31.15270", | ||
| "templateHash": "11556880252039009077" | ||
| } | ||
| }, | ||
| "parameters": { | ||
| "hostingPlanName": { | ||
| "type": "string", | ||
| "minLength": 1, | ||
| "metadata": { | ||
| "description": "Name of the hosting plan to use in Azure." | ||
| } | ||
| }, | ||
| "webSiteName": { | ||
| "type": "string", | ||
| "minLength": 1, | ||
| "metadata": { | ||
| "description": "Name of the Azure Web app to create." | ||
| } | ||
| } | ||
| }, | ||
| "resources": [ | ||
|
|
||
|
|
||
| { | ||
| "type": "Microsoft.Web/sites/config", | ||
| "apiVersion": "2022-03-01", | ||
| "name": "sites_config_pass", | ||
| "properties": { | ||
| "globalValidation": { | ||
| "requireAuthentication": true, | ||
| "unauthenticatedClientAction": "Return401" | ||
| }, | ||
| "httpSettings": { | ||
| "forwardProxy": { | ||
| "convention": "NoProxy" | ||
| }, | ||
| "requireHttps": true, | ||
| "routes": { | ||
| "apiPrefix": "/.auth" | ||
| } | ||
| }, | ||
| "javaVersion": "1.8", | ||
| "javaContainer": "TOMCAT", | ||
| "javaContainerVersion": "9.0" | ||
| }, | ||
| "dependsOn": [ | ||
| "[resourceId('Microsoft.Web/sites', parameters('webSiteName'))]" | ||
| ] | ||
| } | ||
| ] | ||
| } |
56 changes: 56 additions & 0 deletions
56
tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_config_pass1.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| { | ||
| "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | ||
| "contentVersion": "1.0.0.0", | ||
| "metadata": { | ||
| "_generator": { | ||
| "name": "bicep", | ||
| "version": "0.15.31.15270", | ||
| "templateHash": "11556880252039009077" | ||
| } | ||
| }, | ||
| "parameters": { | ||
| "hostingPlanName": { | ||
| "type": "string", | ||
| "minLength": 1, | ||
| "metadata": { | ||
| "description": "Name of the hosting plan to use in Azure." | ||
| } | ||
| }, | ||
| "webSiteName": { | ||
| "type": "string", | ||
| "minLength": 1, | ||
| "metadata": { | ||
| "description": "Name of the Azure Web app to create." | ||
| } | ||
| } | ||
| }, | ||
| "resources": [ | ||
|
|
||
|
|
||
| { | ||
| "type": "Microsoft.Web/sites/config", | ||
| "apiVersion": "2022-03-01", | ||
| "name": "sites_config_pass1", | ||
| "properties": { | ||
| "globalValidation": { | ||
| "requireAuthentication": true, | ||
| "unauthenticatedClientAction": "Return401" | ||
| }, | ||
| "httpSettings": { | ||
| "forwardProxy": { | ||
| "convention": "NoProxy" | ||
| }, | ||
| "routes": { | ||
| "apiPrefix": "/.auth" | ||
| } | ||
| }, | ||
| "javaVersion": "1.8", | ||
| "javaContainer": "TOMCAT", | ||
| "javaContainerVersion": "9.0" | ||
| }, | ||
| "dependsOn": [ | ||
| "[resourceId('Microsoft.Web/sites', parameters('webSiteName'))]" | ||
| ] | ||
| } | ||
| ] | ||
| } |
76 changes: 76 additions & 0 deletions
76
tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_fail.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,76 @@ | ||
| { | ||
| "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | ||
| "contentVersion": "1.0.0.0", | ||
| "metadata": { | ||
| "_generator": { | ||
| "name": "bicep", | ||
| "version": "0.5.6.12127", | ||
| "templateHash": "10602523904429381366" | ||
| } | ||
| }, | ||
| "parameters": { | ||
|
|
||
| "location": { | ||
| "type": "string", | ||
| "defaultValue": "[resourceGroup().location]", | ||
| "metadata": { | ||
| "description": "Location for all resources." | ||
| } | ||
| }, | ||
| "linuxFxVersion": { | ||
| "type": "string", | ||
| "defaultValue": "DOTNETCORE|3.0", | ||
| "metadata": { | ||
| "description": "The Runtime stack of current web app" | ||
| } | ||
| } | ||
| }, | ||
| "variables": { | ||
| "appServicePlanPortalName": "[format('AppServicePlan-{0}', parameters('webAppName'))]" | ||
| }, | ||
| "resources": [ | ||
| { | ||
| "type": "Microsoft.Web/sites/slots", | ||
| "apiVersion": "2022-03-01", | ||
| "name": "sites_fail", | ||
| "location": "[parameters('location')]", | ||
| "kind": "app", | ||
| "properties": { | ||
| "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('serverFarmName'))]", | ||
| "httpsOnly": false, | ||
| "siteConfig": { | ||
| "detailedErrorLoggingEnabled": true, | ||
| "httpLoggingEnabled": true, | ||
| "requestTracingEnabled": true, | ||
| "ftpsState": "Disabled", | ||
| "minTlsVersion": "1.2" | ||
| } | ||
| }, | ||
| "dependsOn": [ | ||
| "[resourceId('Microsoft.Web/serverfarms', parameters('serverFarmName'))]", | ||
| "[resourceId('Microsoft.Web/sites', parameters('webAppNameBackend'))]" | ||
| ] | ||
| }, | ||
| { | ||
| "type": "Microsoft.Web/sites", | ||
| "apiVersion": "2021-02-01", | ||
| "name": "sites_fail", | ||
| "location": "[parameters('location')]", | ||
| "properties": { | ||
| "httpsOnly": false, | ||
| "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanPortalName'))]", | ||
| "siteConfig": { | ||
| "linuxFxVersion": "[parameters('linuxFxVersion')]", | ||
| "minTlsVersion": "1.2", | ||
| "ftpsState": "FtpsOnly" | ||
| } | ||
| }, | ||
| "identity": { | ||
| "type": "SystemAssigned" | ||
| }, | ||
| "dependsOn": [ | ||
| "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanPortalName'))]" | ||
| ] | ||
| } | ||
| ] | ||
| } |
74 changes: 74 additions & 0 deletions
74
tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_fail1.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,74 @@ | ||
| { | ||
| "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | ||
| "contentVersion": "1.0.0.0", | ||
| "metadata": { | ||
| "_generator": { | ||
| "name": "bicep", | ||
| "version": "0.5.6.12127", | ||
| "templateHash": "10602523904429381366" | ||
| } | ||
| }, | ||
| "parameters": { | ||
|
|
||
| "location": { | ||
| "type": "string", | ||
| "defaultValue": "[resourceGroup().location]", | ||
| "metadata": { | ||
| "description": "Location for all resources." | ||
| } | ||
| }, | ||
| "linuxFxVersion": { | ||
| "type": "string", | ||
| "defaultValue": "DOTNETCORE|3.0", | ||
| "metadata": { | ||
| "description": "The Runtime stack of current web app" | ||
| } | ||
| } | ||
| }, | ||
| "variables": { | ||
| "appServicePlanPortalName": "[format('AppServicePlan-{0}', parameters('webAppName'))]" | ||
| }, | ||
| "resources": [ | ||
| { | ||
| "type": "Microsoft.Web/sites/slots", | ||
| "apiVersion": "2022-03-01", | ||
| "name": "sites_fail1", | ||
| "location": "[parameters('location')]", | ||
| "kind": "app", | ||
| "properties": { | ||
| "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('serverFarmName'))]", | ||
| "siteConfig": { | ||
| "detailedErrorLoggingEnabled": true, | ||
| "httpLoggingEnabled": true, | ||
| "requestTracingEnabled": true, | ||
| "ftpsState": "Disabled", | ||
| "minTlsVersion": "1.2" | ||
| } | ||
| }, | ||
| "dependsOn": [ | ||
| "[resourceId('Microsoft.Web/serverfarms', parameters('serverFarmName'))]", | ||
| "[resourceId('Microsoft.Web/sites', parameters('webAppNameBackend'))]" | ||
| ] | ||
| }, | ||
| { | ||
| "type": "Microsoft.Web/sites", | ||
| "apiVersion": "2021-02-01", | ||
| "name": "sites_fail1", | ||
| "location": "[parameters('location')]", | ||
| "properties": { | ||
| "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanPortalName'))]", | ||
| "siteConfig": { | ||
| "linuxFxVersion": "[parameters('linuxFxVersion')]", | ||
| "minTlsVersion": "1.2", | ||
| "ftpsState": "FtpsOnly" | ||
| } | ||
| }, | ||
| "identity": { | ||
| "type": "SystemAssigned" | ||
| }, | ||
| "dependsOn": [ | ||
| "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanPortalName'))]" | ||
| ] | ||
| } | ||
| ] | ||
| } |
Oops, something went wrong.