fix(azure): containerregistry_not_publicly_accesible is not accurate (#…

…5966) Co-authored-by: StylusFrost <[email protected]>
prowler-cloud · Nov 29, 2024 · c627a3e · c627a3e
1 parent 1c58644
commit c627a3e
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 13 deletions.
diff --git a/...ry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible.py b/...ry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible.py
@@ -18,12 +18,7 @@ def execute(self) -> list[Check_Report_Azure]:
                 report.status = "FAIL"
                 report.status_extended = f"Container Registry {container_registry_info.name} from subscription {subscription} allows unrestricted network access."
 
-                if (
-                    getattr(
-                        container_registry_info.network_rule_set, "default_action", ""
-                    ).lower()
-                    == "deny"
-                ):
+                if not container_registry_info.public_network_access:
                     report.status = "PASS"
                     report.status_extended = f"Container Registry {container_registry_info.name} from subscription {subscription} does not allow unrestricted network access."
 

diff --git a/prowler/providers/azure/services/containerregistry/containerregistry_service.py b/prowler/providers/azure/services/containerregistry/containerregistry_service.py
@@ -37,8 +37,13 @@ def _get_container_registries(self):
                                 resource_group=resource_group,
                                 sku=getattr(registry.sku, "name", ""),
                                 login_server=getattr(registry, "login_server", ""),
-                                public_network_access=getattr(
-                                    registry, "public_network_access", ""
+                                public_network_access=(
+                                    False
+                                    if getattr(
+                                        registry, "public_network_access" "Enabled"
+                                    )
+                                    == "Disabled"
+                                    else True
                                 ),
                                 admin_user_enabled=getattr(
                                     registry, "admin_user_enabled", False
@@ -93,7 +98,7 @@ class ContainerRegistryInfo:
     resource_group: str
     sku: str
     login_server: str
-    public_network_access: str
+    public_network_access: bool
     admin_user_enabled: bool
     network_rule_set: NetworkRuleSet
     monitor_diagnostic_settings: list[DiagnosticSetting]

diff --git a/...ntainerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible_test.py b/...ntainerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible_test.py
@@ -57,7 +57,7 @@ def test_container_registry_network_access_unrestricted(self):
                         resource_group="mock_resource_group",
                         sku="Basic",
                         login_server="mock_login_server.azurecr.io",
-                        public_network_access="Enabled",
+                        public_network_access=True,
                         admin_user_enabled=True,
                         network_rule_set=NetworkRuleSet(default_action="Allow"),
                         private_endpoint_connections=[],
@@ -131,7 +131,7 @@ def test_container_registry_network_access_restricted(self):
                         resource_group="mock_resource_group",
                         sku="Basic",
                         login_server="mock_login_server.azurecr.io",
-                        public_network_access="Enabled",
+                        public_network_access=False,
                         admin_user_enabled=False,
                         network_rule_set=NetworkRuleSet(default_action="Deny"),
                         private_endpoint_connections=[],

diff --git a/tests/providers/azure/services/containerregistry/containerregistry_service_test.py b/tests/providers/azure/services/containerregistry/containerregistry_service_test.py
@@ -32,7 +32,7 @@ def test_get_container_registry(self):
                         resource_group="mock_resource_group",
                         sku="Basic",
                         login_server="mock_login_server.azurecr.io",
-                        public_network_access="Enabled",
+                        public_network_access=False,
                         admin_user_enabled=True,
                         network_rule_set=None,
                         private_endpoint_connections=[],
@@ -71,7 +71,7 @@ def test_get_container_registry(self):
             assert registry_info.resource_group == "mock_resource_group"
             assert registry_info.sku == "Basic"
             assert registry_info.login_server == "mock_login_server.azurecr.io"
-            assert registry_info.public_network_access == "Enabled"
+            assert not registry_info.public_network_access
             assert registry_info.admin_user_enabled is True
             assert isinstance(registry_info.monitor_diagnostic_settings, list)