TlsVersionCheck

exports.js

@@ -816,6 +816,7 @@ module.exports = {
         'postgresqlServerHasTags'       : require(__dirname + '/plugins/azure/postgresqlserver/postgresqlServerHasTags.js'),
         'postgresqlInfraDoubleEncryption': require(__dirname + '/plugins/azure/postgresqlserver/postgresqlInfraDoubleEncryption.js'),
         'azureServicesAccessDisabled'   : require(__dirname + '/plugins/azure/postgresqlserver/azureServicesAccessDisabled.js'),
+        'postgresqlTlsVersion'          : require(__dirname + '/plugins/azure/postgresqlserver/postgresqlTlsVersion.js'),
 
         'openOracleAutoDataWarehouse'   : require(__dirname + '/plugins/azure/networksecuritygroups/openOracleAutoDataWarehouse.js'),
         'networkWatcherEnabled'         : require(__dirname + '/plugins/azure/networksecuritygroups/networkWatcherEnabled.js'),

plugins/azure/postgresqlserver/postgresqlTlsVersion.js

@@ -0,0 +1,69 @@
+var async = require('async');
+const helpers = require('../../../helpers/azure');
+
+module.exports = {
+    title: 'PostgreSQL Minimum TLS Version',
+    category: 'PostgreSQL Server',
+    domain: 'Databases',
+    description: 'Ensures Microsoft Azure PostgreSQL Servers do not allow outdated TLS certificate versions.',
+    more_info: 'TLS 1.2 or higher should be used for all TLS connections to Microsoft Azure PostgreSQL server. This setting applies to all databases associated with the server.',
+    recommended_action: 'Modify PostgreSQL server to use TLS version 1.2 or higher.',
+    link: 'https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-tls-configurations',
+    apis: ['servers:listPostgres'],
+
+    run: function(cache, settings, callback) {
+        var results = [];
+        var source = {};
+        var locations = helpers.locations(settings.govcloud);
+
+        async.each(locations.servers, function(location, rcb) {
+            var servers = helpers.addSource(cache, source,
+                ['servers', 'listPostgres', location]);
+
+            if (!servers) return rcb();
+
+            if (servers.err || !servers.data) {
+                helpers.addResult(results, 3,
+                    'Unable to query for PostgreSQL servers: ' + helpers.addError(servers), location);
+                return rcb();
+            }
+
+            if (!servers.data.length) {
+                helpers.addResult(results, 0, 'No PostgreSQL servers found', location);
+                return rcb();
+            }
+
+            servers.data.forEach(function(server) {
+                if (!server.id) return;
+
+                if (server.minimalTlsVersion) {
+                    if (server.minimalTlsVersion === 'TLSEnforcementDisabled') {
+                        helpers.addResult(results, 2,
+                            'PostgreSQL server allows all TLS versions',
+                            location, server.id);
+                    } else {
+                        var numericTlsVersion = parseFloat(server.minimalTlsVersion.replace('TLS', '').replace('_', '.'));
+                        if (numericTlsVersion >= 1.2) {
+                            helpers.addResult(results, 0,
+                                `PostgreSQL server is using TLS version ${server.minimalTlsVersion} which is equal to or higher than 1.2`,
+                                location, server.id);
+                        } else {
+                            helpers.addResult(results, 2,
+                                `PostgreSQL server is using TLS version ${server.minimalTlsVersion} which is less than 1.2`,
+                                location, server.id);  
+                        }    
+
+                    }
+                } else {
+                    helpers.addResult(results, 2,
+                        'PostgreSQL server allows all TLS versions',
+                        location, server.id);
+                }
+            });
+
+            rcb();
+        }, function() {
+            callback(null, results, source);
+        });
+    }
+};

plugins/azure/postgresqlserver/postgresqlTlsVersion.spec.js

@@ -0,0 +1,172 @@
+var expect = require('chai').expect;
+var postgresqlTlsVersion = require('./postgresqlTlsVersion');
+
+const listPostgres = [
+    {
+        'sku': {
+            'name': 'B_Gen5_1',
+            'tier': 'Basic',
+            'family': 'Gen5',
+            'capacity': 1
+        },
+        'location': 'eastus',
+        'tags': { "key": "value" },
+        'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.DBforPostgreSQL/servers/server1',
+        'name': 'server1',
+        'type': 'Microsoft.DBforPostgreSQL/servers',
+        'administratorLogin': 'Aquaadmin',
+        'storageProfile': {
+            'storageMB': 5120,
+            'backupRetentionDays': 7,
+            'geoRedundantBackup': 'Disabled',
+            'storageAutogrow': 'Enabled'
+        },
+        'version': '11',
+        'sslEnforcement': 'Enabled',
+        'minimalTlsVersion': 'TLS1_0',
+        'userVisibleState': 'Ready',
+        'fullyQualifiedDomainName': 'server1.postgres.database.azure.com',
+        'earliestRestoreDate': '2021-03-10T12:45:13.233+00:00',
+        'replicationRole': '',
+        'masterServerId': '',
+        'byokEnforcement': 'Disabled',
+        'privateEndpointConnections': [],
+        'infrastructureEncryption': 'Disabled',
+        'publicNetworkAccess': 'Enabled'
+    },
+    {
+        'sku': {
+            'name': 'B_Gen5_1',
+            'tier': 'Basic',
+            'family': 'Gen5',
+            'capacity': 1
+        },
+        'location': 'eastus',
+        'tags': { "key": "value" },
+        'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.DBforPostgreSQL/servers/server1',
+        'name': 'server1',
+        'type': 'Microsoft.DBforPostgreSQL/servers',
+        'administratorLogin': 'Aquaadmin',
+        'storageProfile': {
+            'storageMB': 5120,
+            'backupRetentionDays': 7,
+            'geoRedundantBackup': 'Disabled',
+            'storageAutogrow': 'Enabled'
+        },
+        'version': '11',
+        'sslEnforcement': 'Enabled',
+        'minimalTlsVersion': 'TLS1_2',
+        'userVisibleState': 'Ready',
+        'fullyQualifiedDomainName': 'server1.postgres.database.azure.com',
+        'earliestRestoreDate': '2021-03-10T12:45:13.233+00:00',
+        'replicationRole': '',
+        'masterServerId': '',
+        'byokEnforcement': 'Disabled',
+        'privateEndpointConnections': [],
+        'infrastructureEncryption': 'Disabled',
+        'publicNetworkAccess': 'Enabled'
+    },
+    {
+        'sku': {
+            'name': 'B_Gen5_1',
+            'tier': 'Basic',
+            'family': 'Gen5',
+            'capacity': 1
+        },
+        'location': 'eastus',
+        'tags': {},
+        'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.DBforPostgreSQL/servers/server1',
+        'name': 'server1',
+        'type': 'Microsoft.DBforPostgreSQL/servers',
+        'administratorLogin': 'Aquaadmin',
+        'storageProfile': {
+            'storageMB': 5120,
+            'backupRetentionDays': 7,
+            'geoRedundantBackup': 'Disabled',
+            'storageAutogrow': 'Disabled'
+        },
+        'version': '11',
+        'sslEnforcement': 'Enabled',
+        'minimalTlsVersion': 'TLSEnforcementDisabled',
+        'userVisibleState': 'Ready',
+        'fullyQualifiedDomainName': 'server1.postgres.database.azure.com',
+        'earliestRestoreDate': '2021-03-10T12:45:13.233+00:00',
+        'replicationRole': '',
+        'masterServerId': '',
+        'byokEnforcement': 'Disabled',
+        'privateEndpointConnections': [],
+        'infrastructureEncryption': 'Disabled',
+        'publicNetworkAccess': 'Enabled'
+    }
+];
+
+const createCache = (listPostgres) => {
+    return {
+        servers: {
+            listPostgres: {
+                'eastus': {
+                    data: listPostgres
+                }
+            }
+        }
+    };
+};
+
+describe('postgresqlTlsVersion', function() {
+    describe('run', function() {
+        it('should give passing result if no servers', function(done) {
+            const cache = createCache({});
+            postgresqlTlsVersion.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('No PostgreSQL servers found');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give failing result if PostgreSQL Server is using TLS version less than desired TLS version', function(done) {
+            const cache = createCache([listPostgres[0]]);
+            postgresqlTlsVersion.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('which is less than 1.2');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give passing result if PostgreSQL Server is using TLS version equal to or higher than desired TLS version', function(done) {
+            const cache = createCache([listPostgres[1]]);
+            postgresqlTlsVersion.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('which is equal to or higher than 1.2');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+        it('should give failing result if PostgreSQL Server allows all TLS versions', function(done) {
+            const cache = createCache([listPostgres[2]]);
+            postgresqlTlsVersion.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('PostgreSQL server allows all TLS versions');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give UnKnown result if unable to query postgreSQL Server', function(done) {
+            const cache = createCache(null);
+            postgresqlTlsVersion.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].message).to.include('Unable to query for PostgreSQL servers: ');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+    })
+})