From 841d939abc6d2091a24bd8f3511c87c45e7f974e Mon Sep 17 00:00:00 2001
From: johannes-engler-mw <132657752+johannes-engler-mw@users.noreply.github.com>
Date: Tue, 14 Jan 2025 18:34:52 +0100
Subject: [PATCH 1/2] fix(Azure TDE): add filter for master DB (#6351)

(cherry picked from commit 1c4426ea4b0983004ac3a00db40ad2f3de7678ce)

# Conflicts:
# tests/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled_test.py
---
 .../sqlserver_tde_encryption_enabled.py | 2 +
 .../sqlserver_tde_encryption_enabled_test.py | 69 +++++++++++++++++++
 2 files changed, 71 insertions(+)

diff --git a/prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.py b/prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.py
index f65e3292c48..d37a659ff07 100644
--- a/prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.py
+++ b/prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.py
@@ -12,6 +12,8 @@ def execute(self) -> Check_Report_Azure:
 )
 if len(databases) > 0:
 for database in databases:
+ if database.name.lower() == "master":
+ continue
 report = Check_Report_Azure(self.metadata())
 report.subscription = subscription
 report.resource_name = database.name
diff --git a/tests/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled_test.py b/tests/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled_test.py
index 05308a8fc5a..f3874701e97 100644
--- a/tests/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled_test.py
+++ b/tests/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled_test.py
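Review bot: The new `continue` skips the master database without recording why, and that reason is the whole point of the change; a one-line comment above the `if` would stop a later reader from treating the skip as a coverage gap, e.g. `# Azure SQL does not support TDE on the master system database, so it is not a finding`. The filter matches only the exact reserved name `master` (case-insensitively); if the per-server database listing can return other system databases on this branch, that is worth confirming against the Azure API before relying on a single name. The body of `execute` starts and ends outside the hunk.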
@@ -157,3 +157,72 @@ def test_sql_servers_database_encryption_enabled(self):
 assert result[0].subscription == AZURE_SUBSCRIPTION
 assert result[0].resource_name == database_name
 assert result[0].resource_id == database_id
+<<<<<<< HEAD
+=======
+ assert result[0].location == "location"
+
+ def test_sql_servers_database_encryption_disabled_on_master_db(self):
+ sqlserver_client = mock.MagicMock
+ sql_server_name = "SQL Server Name"
+ sql_server_id = str(uuid4())
+ database_master_name = "MASTER"
+ database_master_id = str(uuid4())
+ database_master = Database(
+ id=database_master_id,
+ name=database_master_name,
+ type="type",
+ location="location",
+ managed_by="managed_by",
+ tde_encryption=TransparentDataEncryption(status="Disabled"),
+ )
+ database_name = "Database Name"
+ database_id = str(uuid4())
+ database = Database(
+ id=database_id,
+ name=database_name,
+ type="type",
+ location="location",
+ managed_by="managed_by",
+ tde_encryption=TransparentDataEncryption(status="Enabled"),
+ )
+ sqlserver_client.sql_servers = {
+ AZURE_SUBSCRIPTION_ID: [
+ Server(
+ id=sql_server_id,
+ name=sql_server_name,
+ public_network_access="",
+ minimal_tls_version="",
+ administrators=None,
+ auditing_policies=None,
+ firewall_rules=None,
+ databases=[database_master, database],
+ encryption_protector=None,
+ location="location",
+ )
+ ]
+ }
+
+ with mock.patch(
+ "prowler.providers.common.provider.Provider.get_global_provider",
+ return_value=set_mocked_azure_provider(),
+ ), mock.patch(
+ "prowler.providers.azure.services.sqlserver.sqlserver_tde_encryption_enabled.sqlserver_tde_encryption_enabled.sqlserver_client",
+ new=sqlserver_client,
+ ):
+ from prowler.providers.azure.services.sqlserver.sqlserver_tde_encryption_enabled.sqlserver_tde_encryption_enabled import (
+ sqlserver_tde_encryption_enabled,
+ )
+
+ check = sqlserver_tde_encryption_enabled()
+ result = check.execute()
+ assert len(result) == 1
+ assert result[0].status == "PASS"
+ assert (
+ result[0].status_extended
+ == f"Database {database_name} from SQL Server {sql_server_name} from subscription {AZURE_SUBSCRIPTION_ID} has TDE enabled"
+ )
+ assert result[0].subscription == AZURE_SUBSCRIPTION_ID
+ assert result[0].resource_name == database_name
+ assert result[0].resource_id == database_id
+ assert result[0].location == "location"
+>>>>>>> 1c4426ea4 (fix(Azure TDE): add filter for master DB (#6351))
From 3d85f7c921c467233aa80dd06056ca32283bec33 Mon Sep 17 00:00:00 2001
From: MrCloudSec
Date: Tue, 14 Jan 2025 17:20:09 -0500
Subject: [PATCH 2/2] fix: test

---
 .../sqlserver_tde_encryption_enabled_test.py | 15 +++------------
 1 file changed, 3 insertions(+), 12 deletions(-)

diff --git a/tests/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled_test.py b/tests/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled_test.py
index f3874701e97..e79f3fe6a8c 100644
--- a/tests/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled_test.py
+++ b/tests/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled_test.py
@@ -157,9 +157,6 @@ def test_sql_servers_database_encryption_enabled(self):
 assert result[0].subscription == AZURE_SUBSCRIPTION
 assert result[0].resource_name == database_name
 assert result[0].resource_id == database_id
-<<<<<<< HEAD
-=======
- assert result[0].location == "location"
 
 def test_sql_servers_database_encryption_disabled_on_master_db(self):
 sqlserver_client = mock.MagicMock
@@ -186,7 +183,7 @@ def test_sql_servers_database_encryption_disabled_on_master_db(self):
 tde_encryption=TransparentDataEncryption(status="Enabled"),
 )
 sqlserver_client.sql_servers = {
- AZURE_SUBSCRIPTION_ID: [
+ AZURE_SUBSCRIPTION: [
 Server(
 id=sql_server_id,
 name=sql_server_name,
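Review bot: The added block in the test file is wrapped in unresolved conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> 1c4426ea4 ...`), so as committed in patch 1/2 the test module is not valid Python and the whole file fails to import; patch 2/2 removes them, so the two commits should be squashed before merge rather than leaving a broken revision in history. Separately, `sqlserver_client = mock.MagicMock` binds the class rather than an instance, so the following `sqlserver_client.sql_servers = {...}` sets an attribute on `MagicMock` itself that leaks into any later test in the same process; `sqlserver_client = mock.MagicMock()` gives the test its own object, and if the sibling tests use the same pattern they should be changed together. The new test is complete within the hunk; the preceding `test_sql_servers_database_encryption_enabled` starts outside it.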
@@ -197,15 +194,11 @@ def test_sql_servers_database_encryption_disabled_on_master_db(self):
 firewall_rules=None,
 databases=[database_master, database],
 encryption_protector=None,
- location="location",
 )
 ]
 }
 
 with mock.patch(
- "prowler.providers.common.provider.Provider.get_global_provider",
- return_value=set_mocked_azure_provider(),
- ), mock.patch(
 "prowler.providers.azure.services.sqlserver.sqlserver_tde_encryption_enabled.sqlserver_tde_encryption_enabled.sqlserver_client",
 new=sqlserver_client,
 ):
@@ -219,10 +212,8 @@ def test_sql_servers_database_encryption_disabled_on_master_db(self):
 assert result[0].status == "PASS"
 assert (
 result[0].status_extended
- == f"Database {database_name} from SQL Server {sql_server_name} from subscription {AZURE_SUBSCRIPTION_ID} has TDE enabled"
+ == f"Database {database_name} from SQL Server {sql_server_name} from subscription {AZURE_SUBSCRIPTION} has TDE enabled"
 )
- assert result[0].subscription == AZURE_SUBSCRIPTION_ID
+ assert result[0].subscription == AZURE_SUBSCRIPTION
 assert result[0].resource_name == database_name
 assert result[0].resource_id == database_id
- assert result[0].location == "location"
->>>>>>> 1c4426ea4 (fix(Azure TDE): add filter for master DB (#6351))