Create rule S6380: add language AzureResourceManager (JSON) (#2274)

Specification ticket:
[APPSEC-775](https://sonarsource.atlassian.net/browse/APPSEC-775)
Implementation ticket:
[SONARIAC-899](https://sonarsource.atlassian.net/browse/SONARIAC-899)
[RSPEC
Preview](https://sonarsource.github.io/rspec/#/rspec/S6378/azureresourcemanager)

Bicep PR for S6380: #2298 
## Review

A dedicated reviewer checked the rule description successfully for:

- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the
guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)



[APPSEC-775]:
https://sonarsource.atlassian.net/browse/APPSEC-775?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
[SONARIAC-899]:
https://sonarsource.atlassian.net/browse/SONARIAC-899?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

---------

Co-authored-by: egon-okerman-sonarsource <[email protected]>
Co-authored-by: Egon Okerman <[email protected]>
Co-authored-by: Jamie Anderson <[email protected]>

rules/S6380/ask-yourself.adoc

@@ -0,0 +1,8 @@
+== Ask Yourself Whether
+
+* This Azure resource is essential for the information system infrastructure.
+* This Azure resource is essential for mission-critical functions.
+* This Azure resource stores or processes sensitive data.
+* Compliance policies require access to this resource to be authenticated.
+
+There is a risk if you answered yes to any of these questions.

rules/S6380/azureresourcemanager/metadata.json

@@ -0,0 +1,2 @@
+{
+}

rules/S6380/azureresourcemanager/rule.adoc

@@ -0,0 +1,337 @@
+include::../description.adoc[]
+
+include::../ask-yourself.adoc[]
+
+include::../recommended.adoc[]
+
+== Sensitive Code Example
+
+For https://azure.microsoft.com/en-us/services/app-service/[App Service]:
+
+[source,json,diff-id=1,diff-type=noncompliant]
+----
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "resources": [
+        {
+            "type": "Microsoft.Web/sites",
+            "apiVersion": "2022-03-01",
+            "name": "example"
+        }
+    ]
+}
+----
+
+For https://azure.microsoft.com/en-us/services/api-management/[API Management]:
+
+[source,json,diff-id=2,diff-type=noncompliant]
+----
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "resources": [
+        {
+            "type": "Microsoft.ApiManagement/service",
+            "apiVersion": "2022-09-01-preview",
+            "name": "example"
+        }
+    ]
+}
+----
+
+For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory] Linked Services:
+
+[source,json,diff-id=3,diff-type=noncompliant]
+----
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "resources": [
+        {
+            "type": "Microsoft.DataFactory/factories/linkedservices",
+            "apiVersion": "2018-06-01",
+            "name": "example",
+            "properties": {
+                "type": "Web",
+                "typeProperties": {
+                    "authenticationType": "Anonymous"
+                }
+            }
+        }
+    ]
+}
+----
+
+For https://azure.microsoft.com/en-us/product-categories/storage/[Storage Accounts and Storage Containers]:
+
+[source,json,diff-id=4,diff-type=noncompliant]
+----
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "resources": [
+        {
+            "type": "Microsoft.Storage/storageAccounts",
+            "apiVersion": "2022-09-01",
+            "name": "example",
+            "properties": {
+                "allowBlobPublicAccess": true
+            }
+        }
+    ]
+}
+----
+[source,json,diff-id=5,diff-type=noncompliant]
+----
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "resources": [
+        {
+            "type": "Microsoft.Storage/storageAccounts",
+            "apiVersion": "2022-09-01",
+            "name": "example",
+            "resources": [
+                {
+                    "type": "blobServices/containers",
+                    "apiVersion": "2022-09-01",
+                    "name": "blobContainerExample",
+                    "properties": {
+                        "publicAccess": "Blob"
+                    }
+                }
+            ]
+        }
+    ]
+}
+----
+
+For https://azure.microsoft.com/en-us/services/cache/[Redis Caches]:
+
+[source,json,diff-id=6,diff-type=noncompliant]
+----
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "resources": [
+        {
+            "type": "Microsoft.Cache/redis",
+            "apiVersion": "2022-06-01",
+            "name": "example",
+            "properties": {
+                "redisConfiguration": {
+                    "authnotrequired": "true"
+                }
+            }
+        }
+    ]
+}
+----
+
+== Compliant Solution
+
+For https://azure.microsoft.com/en-us/services/app-service/[App Services and equivalent]:
+
+[source,json,diff-id=1,diff-type=compliant]
+----
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "resources": [
+        {
+            "type": "Microsoft.Web/sites",
+            "apiVersion": "2022-03-01",
+            "name": "example",
+            "resources": [
+                {
+                    "type": "config",
+                    "apiVersion": "2022-03-01",
+                    "name": "authsettingsV2",
+                    "properties": {
+                        "globalValidation": {
+                            "requireAuthentication": true,
+                            "unauthenticatedClientAction": "RedirectToLoginPage"
+                        }
+                    }
+                }
+            ]
+        }
+    ]
+}
+----
+
+For https://azure.microsoft.com/en-us/services/api-management/[API Management]:
+
+[source,json,diff-id=2,diff-type=compliant]
+----
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "resources": [
+        {
+            "type": "Microsoft.ApiManagement/service",
+            "apiVersion": "2022-09-01-preview",
+            "name": "example",
+            "resources": [
+                {
+                    "type": "portalsettings",
+                    "apiVersion": "2022-09-01-preview",
+                    "name": "signin",
+                    "properties": {
+                        "enabled": true
+                    }
+                },
+                {
+                    "type": "apis",
+                    "apiVersion": "2022-09-01-preview",
+                    "name": "exampleApi",
+                    "properties": {
+                        "authenticationSettings": {
+                            "openid": {
+                                "bearerTokenSendingMethods": ["authorizationHeader"],
+                                "openidProviderId": "<an OpenID provider ID>"
+                            }
+                        }
+                    }
+                }
+            ]
+        }
+    ]
+}
+----
+
+For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory] Linked Services:
+
+[source,json,diff-id=3,diff-type=compliant]
+----
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "resources": [
+        {
+            "type": "Microsoft.DataFactory/factories/linkedservices",
+            "apiVersion": "2018-06-01",
+            "name": "example",
+            "properties": {
+                "type": "Web",
+                "typeProperties": {
+                    "authenticationType": "Basic"
+                }
+            }
+        }
+    ]
+}
+----
+
+For https://azure.microsoft.com/en-us/product-categories/storage/[Storage Accounts]:
+
+[source,json,diff-id=4,diff-type=compliant]
+----
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "resources": [
+        {
+            "type": "Microsoft.Storage/storageAccounts",
+            "apiVersion": "2022-09-01",
+            "name": "example",
+            "properties": {
+                "allowBlobPublicAccess": false
+            }
+        }
+    ]
+}
+----
+[source,json,diff-id=5,diff-type=compliant]
+----
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "resources": [
+        {
+            "type": "Microsoft.Storage/storageAccounts",
+            "apiVersion": "2022-09-01",
+            "name": "example",
+            "resources": [
+                {
+                    "type": "blobServices/containers",
+                    "apiVersion": "2022-09-01",
+                    "name": "blobContainerExample",
+                    "properties": {
+                        "publicAccess": "None"
+                    }
+                }
+            ]
+        }
+    ]
+}
+----
+
+For https://azure.microsoft.com/en-us/services/cache/[Redis Caches]:
+
+[source,json,diff-id=6,diff-type=compliant]
+----
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "resources": [
+        {
+            "type": "Microsoft.Cache/redis",
+            "apiVersion": "2022-06-01",
+            "name": "example",
+            "properties": {
+                "redisConfiguration": {}
+            }
+        }
+    ]
+}
+----
+
+include::../see.adoc[]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+
+* For ``Microsoft.Web/sites``:
+** If the resource is not found: Omitting ``authsettingsV2`` disables authentication. Make sure it is safe here.
+** If ``properties.platform.enabled == false`` or ``properties.globalValidation.requireAuthentication == false``: Make sure that disabling authentication is safe here.
+
+* For ``Microsoft.ApiManagement/service/portalsettings``:
+** If ``properties.enabled == false``: Make sure that giving anonymous access without enforcing sign-in is safe here.
+** If the resource is not found: Omitting ``sign_in`` authorizes anonymous access. Make sure it is safe here.
+* For ``Microsoft.ApiManagement/service/apis`` (if ``authenticationSettings`` is not set): Omitting ``authenticationSettings`` disables authentication. Make sure it is safe here.
+
+* For ``Microsoft.DataFactory/factories/linkedservices``: Make sure that authorizing anonymous access is safe here.
+
+* For ``Microsoft.Storage/storageAccounts``: Make sure that authorizing potential anonymous access is safe here.
+
+* For ``Microsoft.Storage/storageAccounts/blobServices/containers``: Make sure that authorizing potential anonymous access is safe here.
+
+* For ``Microsoft.Cache/redis``: Make sure that disabling authentication is safe here.
+
+=== Highlighting
+
+* For ``Microsoft.Web/sites``:
+** If ``authsettingsV2`` is not found: Highlight the ``Web/sites`` resource.
+** If ``properties.platform.enabled == false`` or ``properties.globalValidation.requireAuthentication == false``: Highlight the property.
+
+* For ``Microsoft.ApiManagement/service/portalsettings``:
+** If ``properties.enabled == false``: Highlight the property.
+** If the resource is not found: Highlight the ``ApiManagement/service`` resource.
+* For ``Microsoft.ApiManagement/service/apis`` (if ``authenticationSettings`` is not set): Highlight the ``ApiManagement/service/apis`` resource.
+
+* For ``Microsoft.DataFactory/factories/linkedservices``: Highlight the ``authenticationType`` property.
+
+* For ``Microsoft.Storage/storageAccounts``: Highlight the ``properties.allowBlobPublicAccess`` property.
+
+* For ``Microsoft.Storage/storageAccounts/blobServices/containers``: Highlight the ``properties.publicAccess`` property.
+
+* For ``Microsoft.Cache/redis``: Highlight the ``properties.redisConfiguration.authnotrequired`` property.
+
+endif::env-github,rspecator-view[]

rules/S6380/description.adoc

@@ -0,0 +1,7 @@
+Allowing anonymous access can reduce an organization's ability to protect itself against attacks on its Azure resources.
+
+Security incidents may include disrupting critical functions, data theft, and additional Azure subscription costs due to resource overload.
+
+Using authentication coupled with fine-grained authorizations helps bring defense-in-depth and bring traceability to investigators of security incidents.
+
+Depending on the affected Azure resource, multiple authentication choices are possible: Active Directory Authentication, OpenID implementations (Google, Microsoft, etc.) or native Azure mechanisms.

rules/S6380/metadata.json

@@ -1,2 +1,39 @@
 {
+  "title": "Authorizing anonymous access to Azure resources is security-sensitive",
+  "type": "SECURITY_HOTSPOT",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "45min"
+  },
+  "tags": [
+    "cwe",
+    "azure"
+  ],
+  "extra": {
+    "replacementRules": [
+
+    ],
+    "legacyKeys": [
+
+    ]
+  },
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-6380",
+  "sqKey": "S6380",
+  "scope": "Main",
+  "securityStandards": {
+    "CWE": [
+      668
+    ],
+    "PCI DSS 3.2": [
+      "6.5.8"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ]
 }