

Merge pull request #2054 from AkhtarAmir/F/Azure-mysqlFlexibleServerP…
…ublicAccess

F/Azure-mysqlFlexibleServerPublicAccess
alphadev4 authored Jun 19, 2024
2 parents 93b8011 + 2577794 commit 6a3597d
Showing 3 changed files with 195 additions and 0 deletions.
1 change: 1 addition & 0 deletions exports.js
Expand Up @@ -864,6 +864,7 @@ module.exports = {
'mysqlFlexibleServersMinTls' : require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServersMinTls.js'),
'mysqlFlexibleServerVersion' : require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerVersion.js'),
'mysqlServerHasTags' : require(__dirname + '/plugins/azure/mysqlserver/mysqlServerHasTags.js'),
'mysqlFlexibleServerPublicAccess': require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js'),
'mysqlFlexibleServerDignosticLogs': require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerDignosticLogs.js'),
'mysqlFlexibleServerIdentity' : require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerIdentity.js'),

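--- a/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
+++ b/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
@@ -0,0 +1,56 @@
+const async = require('async');
+const helpers = require('../../../helpers/azure');
+
+module.exports = {
+title: 'MySQL Flexible Server Public Access',
+category: 'MySQL Server',
+domain: 'Databases',
+severity: 'High',
+description: 'Ensures that MySQL flexible servers are not publicly accessible.',
+more_info: 'Configuring public access for MySQL flexible server instance allows the server to be accessible through public endpoint. This can expose the server to unauthorized access and various cyber threats. Disabling public access enhances security by limiting access to authorized connections only.',
+recommended_action: 'Modify MySQL flexible server and disable public network access.',
+link: 'https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-networking-public',
+apis: ['servers:listMysqlFlexibleServer'],
+realtime_triggers: ['microsoftdbformysql:flexibleservers:write','microsoftdbformysql:flexibleservers:delete'],
+
+run: function(cache, settings, callback) {
+const results = [];
+const source = {};
+const locations = helpers.locations(settings.govcloud);
+
+async.each(locations.servers, (location, rcb) => {
+const servers = helpers.addSource(cache, source,
+['servers', 'listMysqlFlexibleServer', location]);
+
+if (!servers) return rcb();
+
+if (servers.err || !servers.data) {
+helpers.addResult(results, 3,
+'Unable to query for MySQL flexible servers: ' + helpers.addError(servers), location);
+return rcb();
+}
+
+if (!servers.data.length) {
+helpers.addResult(results, 0, 'No existing MySQL flexible servers found', location);
+return rcb();
+}
+
+for (var flexibleServer of servers.data) {
+if (!flexibleServer.id) continue;
+
+if (flexibleServer.properties &&
+flexibleServer.properties.network &&
+flexibleServer.properties.network.publicNetworkAccess &&
+flexibleServer.properties.network.publicNetworkAccess.toLowerCase() == 'enabled') {
+helpers.addResult(results, 2, 'MySQL flexible server is publicly accessible', location, flexibleServer.id);
+} else {
+helpers.addResult(results, 0, 'MySQL flexible server is not publicly accessible', location, flexibleServer.id);
+}
+}
+rcb();
+}, function() {
+// Global checking goes here
+callback(null, results, source);
+});
+}
+};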
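Review bot: The `flexibleServer.properties && ... publicNetworkAccess` chain in `run` treats a missing, null or empty `network.publicNetworkAccess` exactly like `'Disabled'` and emits a PASS, so a response that omits the field is fail-open for a High-severity check. Consider separating the absent case from the known-disabled case, for example `const network = flexibleServer.properties && flexibleServer.properties.network;` followed by `if (!network || !network.publicNetworkAccess) { helpers.addResult(results, 3, 'Unable to determine public network access for MySQL flexible server', location, flexibleServer.id); continue; }`, and then compare the lowercased value with `=== 'enabled'` rather than `==`. The loop variable should also be declared with `const` (`for (const flexibleServer of servers.data)`) to match the `const` declarations used for `results`, `source` and `locations` above it.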
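--- a/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.spec.js
+++ b/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.spec.js
@@ -0,0 +1,138 @@
+var assert = require('assert');
+var expect = require('chai').expect;
+var auth = require('./mysqlFlexibleServerPublicAccess');
+
+const createCache = (err, list) => {
+return {
+servers: {
+listMysqlFlexibleServer: {
+'eastus': {
+err: err,
+data: list
+}
+}
+}
+}
+};
+
+describe('mysqlFlexibleServerPublicAccess', function() {
+describe('run', function() {
+it('should PASS if no existing servers found', function(done) {
+const callback = (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(0);
+expect(results[0].message).to.include('No existing MySQL flexible servers found');
+expect(results[0].region).to.equal('eastus');
+done()
+};
+
+const cache = createCache(
+null,
+[],
+{}
+);
+
+auth.run(cache, {}, callback);
+});
+
+it('should FAIL if MySQL server is not publicly accessible', function(done) {
+const callback = (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(0);
+expect(results[0].message).to.include('MySQL flexible server is not publicly accessible');
+expect(results[0].region).to.equal('eastus');
+done()
+};
+
+const cache = createCache(
+null,
+[
+{
+"id": "/subscriptions/12345/resourceGroups/Default/providers/Microsoft.DBforMySQL/flexibleServers/test-server",
+"type": "Microsoft.DBforMySQL/flexibleServers",
+"properties": {
+"administratorLogin": "test",
+"storage": {
+"storageSizeGB": 20,
+"iops": 360,
+"autoGrow": "Enabled",
+"autoIoScaling": "Enabled",
+"storageSku": "Premium_LRS",
+"logOnDisk": "Disabled"
+},
+"version": "5.7",
+"state": "Ready",
+"fullyQualifiedDomainName": "test-flexibleserverr-mysql.mysql.database.azure.com",
+"availabilityZone": "3",
+"replicationRole": "None",
+"replicaCapacity": 10,
+"network": {
+"publicNetworkAccess": "Disabled"
+},
+}
+}
+]
+);
+
+auth.run(cache, {}, callback);
+});
+
+it('should FAIL if MySQL server is publicly accessible', function(done) {
+const callback = (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(2);
+expect(results[0].message).to.include('MySQL flexible server is publicly accessible');
+expect(results[0].region).to.equal('eastus');
+done()
+};
+
+const cache = createCache(
+null,
+[
+{
+"id": "/subscriptions/12345/resourceGroups/Default/providers/Microsoft.DBforMySQL/flexibleServers/test-server",
+"type": "Microsoft.DBforMySQL/flexibleServers",
+"properties": {
+"administratorLogin": "test",
+"storage": {
+"storageSizeGB": 20,
+"iops": 360,
+"autoGrow": "Enabled",
+"autoIoScaling": "Enabled",
+"storageSku": "Premium_LRS",
+"logOnDisk": "Disabled"
+},
+"version": "5.7",
+"state": "Ready",
+"fullyQualifiedDomainName": "test-flexibleserverr-mysql.mysql.database.azure.com",
+"availabilityZone": "3",
+"replicationRole": "None",
+"replicaCapacity": 10,
+"network": {
+"publicNetworkAccess": "Enabled"
+},
+}
+}
+],
+);
+
+auth.run(cache, {}, callback);
+});
+
+it('should UNKNOWN if unable to query for server', function(done) {
+const callback = (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(3);
+expect(results[0].message).to.include('Unable to query for MySQL flexible servers: ');
+expect(results[0].region).to.equal('eastus');
+done()
+};
+
+const cache = createCache(
+null, null
+);
+
+auth.run(cache, {}, callback);
+})
+})
+})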
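Review bot: The second test is titled `should FAIL if MySQL server is not publicly accessible` but asserts `status` 0 and the PASS message, so its name contradicts what it checks; rename it to `it('should PASS if MySQL server is not publicly accessible', function(done) {`. The first test passes a third argument `{}` to `createCache`, which only accepts `(err, list)`, and `assert` is required at the top but never used — both can be dropped. There is no case for a server whose `properties.network.publicNetworkAccess` is absent, which is the branch where the plugin's fail-open default matters most; a fixture without the `network` object, asserting whatever status the team decides is correct for that case, would pin that behavior.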

0 comments on commit 6a3597d
