-
Notifications
You must be signed in to change notification settings - Fork 531
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added new test for Azure Function App Authentication Enabled (#1058)
- Loading branch information
1 parent
e13983e
commit 9b913f8
Showing
4 changed files
with
119 additions
and
0 deletions.
There are no files selected for viewing
64 changes: 64 additions & 0 deletions
64
internal/app/tfsec/rules/azure/functionapp/authentication_enabled_rule.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
package functionapp | ||
|
||
import ( | ||
"github.com/aquasecurity/tfsec/internal/app/tfsec/block" | ||
"github.com/aquasecurity/tfsec/internal/app/tfsec/scanner" | ||
"github.com/aquasecurity/tfsec/pkg/provider" | ||
"github.com/aquasecurity/tfsec/pkg/result" | ||
"github.com/aquasecurity/tfsec/pkg/rule" | ||
"github.com/aquasecurity/tfsec/pkg/severity" | ||
) | ||
|
||
func init() { | ||
scanner.RegisterCheckRule(rule.Rule{ | ||
Provider: provider.AzureProvider, | ||
Service: "functionapp", | ||
ShortCode: "authentication-enabled", | ||
Documentation: rule.RuleDocumentation{ | ||
Summary: "Function App authentication is activated", | ||
Explanation: `Enabling authentication ensures that all communications in the application are authenticated. The auth_settings block needs to be filled out with the appropriate auth backend settings`, | ||
Impact: "Anonymous HTTP requests will be accepted", | ||
Resolution: "Enable authentication to prevent anonymous request being accepted", | ||
BadExample: []string{` | ||
resource "azurerm_function_app" "bad_example" { | ||
name = "example-function-app" | ||
location = azurerm_resource_group.example.location | ||
resource_group_name = azurerm_resource_group.example.name | ||
app_service_plan_id = azurerm_function_app_plan.example.id | ||
} | ||
`}, | ||
GoodExample: []string{` | ||
resource "azurerm_function_app" "good_example" { | ||
name = "example-function-app" | ||
location = azurerm_resource_group.example.location | ||
resource_group_name = azurerm_resource_group.example.name | ||
app_service_plan_id = azurerm_function_app_plan.example.id | ||
auth_settings { | ||
enabled = true | ||
} | ||
} | ||
`}, | ||
Links: []string{ | ||
"https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#enabled", | ||
}, | ||
}, | ||
RequiredTypes: []string{ | ||
"resource", | ||
}, | ||
RequiredLabels: []string{ | ||
"azurerm_function_app", | ||
}, | ||
DefaultSeverity: severity.Low, | ||
CheckFunc: func(set result.Set, resourceBlock block.Block, module block.Module) { | ||
if enabledAttr := resourceBlock.GetBlock("auth_settings").GetAttribute("enabled"); enabledAttr.IsNil() { // alert on use of default value | ||
set.AddResult(). | ||
WithDescription("Resource '%s' uses default value for auth_settings.enabled", resourceBlock.FullName()) | ||
} else if enabledAttr.IsFalse() { | ||
set.AddResult(). | ||
WithDescription("Resource '%s' has attribute auth_settings.enabled that is false", resourceBlock.FullName()). | ||
WithAttribute(enabledAttr) | ||
} | ||
}, | ||
}) | ||
} |
53 changes: 53 additions & 0 deletions
53
internal/app/tfsec/rules/azure/functionapp/authentication_enabled_rule_test.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
package functionapp | ||
|
||
import ( | ||
"strings" | ||
"testing" | ||
|
||
"github.com/aquasecurity/tfsec/internal/app/tfsec/scanner" | ||
"github.com/aquasecurity/tfsec/internal/app/tfsec/testutil" | ||
) | ||
|
||
func Test_AzureAuthenticationEnabled_FailureExamples(t *testing.T) { | ||
expectedCode := "azure-functionapp-authentication-enabled" | ||
|
||
rule, err := scanner.GetRuleById(expectedCode) | ||
if err != nil { | ||
t.Fatalf("Rule not found: %s", expectedCode) | ||
} | ||
for i, badExample := range rule.Documentation.BadExample { | ||
t.Logf("Running bad example for '%s' #%d", expectedCode, i+1) | ||
if strings.TrimSpace(badExample) == "" { | ||
t.Fatalf("bad example code not provided for %s", rule.ID()) | ||
} | ||
defer func() { | ||
if err := recover(); err != nil { | ||
t.Fatalf("Scan (bad) failed: %s", err) | ||
} | ||
}() | ||
results := testutil.ScanHCL(badExample, t) | ||
testutil.AssertCheckCode(t, rule.ID(), "", results) | ||
} | ||
} | ||
|
||
func Test_AzureAuthenticationEnabled_SuccessExamples(t *testing.T) { | ||
expectedCode := "azure-functionapp-authentication-enabled" | ||
|
||
rule, err := scanner.GetRuleById(expectedCode) | ||
if err != nil { | ||
t.Fatalf("Rule not found: %s", expectedCode) | ||
} | ||
for i, example := range rule.Documentation.GoodExample { | ||
t.Logf("Running good example for '%s' #%d", expectedCode, i+1) | ||
if strings.TrimSpace(example) == "" { | ||
t.Fatalf("good example code not provided for %s", rule.ID()) | ||
} | ||
defer func() { | ||
if err := recover(); err != nil { | ||
t.Fatalf("Scan (good) failed: %s", err) | ||
} | ||
}() | ||
results := testutil.ScanHCL(example, t) | ||
testutil.AssertCheckCode(t, "", rule.ID(), results) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters