Skip to content

Commit

Permalink
fix(misconf): fix for Azure Storage Account network acls adaptation
Browse files Browse the repository at this point in the history
Signed-off-by: nikpivkin <[email protected]>
  • Loading branch information
nikpivkin committed Oct 17, 2024
1 parent c8c14d3 commit 00c86a5
Show file tree
Hide file tree
Showing 2 changed files with 32 additions and 17 deletions.
24 changes: 11 additions & 13 deletions pkg/iac/adapters/arm/storage/adapt.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,20 +18,18 @@ func adaptAccounts(deployment azure.Deployment) []storage.Account {
var accounts []storage.Account
for _, resource := range deployment.GetResourcesByType("Microsoft.Storage/storageAccounts") {

var networkRules []storage.NetworkRule
for _, acl := range resource.Properties.GetMapValue("networkAcls").AsList() {
acl := resource.Properties.GetMapValue("networkAcls")

var bypasses []types.StringValue
bypassProp := acl.GetMapValue("bypass")
for _, bypass := range strings.Split(bypassProp.AsString(), ",") {
bypasses = append(bypasses, types.String(bypass, bypassProp.GetMetadata()))
}
var bypasses []types.StringValue
bypassProp := acl.GetMapValue("bypass")
for _, bypass := range strings.Split(bypassProp.AsString(), ",") {
bypasses = append(bypasses, types.String(strings.TrimSpace(bypass), bypassProp.GetMetadata()))
}

networkRules = append(networkRules, storage.NetworkRule{
Metadata: acl.GetMetadata(),
Bypass: bypasses,
AllowByDefault: types.Bool(acl.GetMapValue("defaultAction").EqualTo("Allow"), acl.GetMetadata()),
})
networkRule := storage.NetworkRule{
Metadata: acl.GetMetadata(),
Bypass: bypasses,
AllowByDefault: types.Bool(acl.GetMapValue("defaultAction").EqualTo("Allow"), acl.GetMetadata()),
}

var queues []storage.Queue
Expand All @@ -52,7 +50,7 @@ func adaptAccounts(deployment azure.Deployment) []storage.Account {

account := storage.Account{
Metadata: resource.Metadata,
NetworkRules: networkRules,
NetworkRules: []storage.NetworkRule{networkRule},
EnforceHTTPS: resource.Properties.GetMapValue("supportsHttpsTrafficOnly").AsBoolValue(false, resource.Properties.GetMetadata()),
Containers: containers,
QueueProperties: storage.QueueProperties{
Expand Down
25 changes: 21 additions & 4 deletions pkg/iac/adapters/arm/storage/adapt_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,8 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"

"github.com/aquasecurity/trivy/internal/testutil"
"github.com/aquasecurity/trivy/pkg/iac/providers/azure/storage"
"github.com/aquasecurity/trivy/pkg/iac/scanners/azure"
"github.com/aquasecurity/trivy/pkg/iac/types"
)
Expand Down Expand Up @@ -43,6 +45,10 @@ func Test_AdaptStorage(t *testing.T) {
"minimumTlsVersion": azure.NewValue("TLS1_2", types.NewTestMetadata()),
"supportsHttpsTrafficOnly": azure.NewValue(true, types.NewTestMetadata()),
"publicNetworkAccess": azure.NewValue("Disabled", types.NewTestMetadata()),
"networkAcls": azure.NewValue(map[string]azure.Value{
"bypass": azure.NewValue("Logging, Metrics", types.NewTestMetadata()),
"defaultAction": azure.NewValue("Allow", types.NewTestMetadata()),
}, types.NewTestMetadata()),
}, types.NewTestMetadata()),
},
},
Expand All @@ -52,9 +58,20 @@ func Test_AdaptStorage(t *testing.T) {

require.Len(t, output.Accounts, 1)

account := output.Accounts[0]
assert.Equal(t, "TLS1_2", account.MinimumTLSVersion.Value())
assert.True(t, account.EnforceHTTPS.Value())
assert.False(t, account.PublicNetworkAccess.Value())
expected := storage.Storage{
Accounts: []storage.Account{{
MinimumTLSVersion: types.StringTest("TLS1_2"),
EnforceHTTPS: types.BoolTest(true),
PublicNetworkAccess: types.BoolTest(true),
NetworkRules: []storage.NetworkRule{{
Bypass: []types.StringValue{
types.StringTest("Logging"),
types.StringTest("Metrics"),
},
AllowByDefault: types.BoolTest(true),
}},
}},
}

testutil.AssertDefsecEqual(t, expected, output)
}

0 comments on commit 00c86a5

Please sign in to comment.