
Add allow_port_from_internet matcher to azurerm_network_security_group #248

Merged
merged 7 commits into from
Jun 4, 2020

Conversation

gsreynolds
Contributor

@gsreynolds gsreynolds commented Jun 3, 2020

Description

I need to write controls that match on arbitrary ports, not just SSH and RDP.

Additionally:

  • refactor the existing allow_ssh_from_internet and allow_rdp_from_internet matchers to use allow_port_from_internet underneath
  • fix handling of port range(s) (port range and port ranges in the Azure API are strings, but we need integers in matches_port? to create Ruby Ranges and call .cover? on them to check whether a port is included in a security rule)
  • add better integration tests for security rules.

Issues Resolved

Related: #243, #244

Check List

…tocol as this also allows TCP

Signed-off-by: Gavin Reynolds <gavin@chef.io>
Signed-off-by: Gavin Reynolds <gavin@chef.io>
Signed-off-by: Gavin Reynolds <gavin@chef.io>
…ationPortRange string properties as it modifies state. Use Array concatenation that does not modify the destinationPortRanges array and return that instead

Signed-off-by: Gavin Reynolds <gavin@chef.io>
…ential source of confusion

Signed-off-by: Gavin Reynolds <gavin@chef.io>
…llow_port_from_internet

Signed-off-by: Gavin Reynolds <gavin@chef.io>
…variety of source address prefix(es) and destination port range(s)

Signed-off-by: Gavin Reynolds <gavin@chef.io>
@gsreynolds gsreynolds requested a review from a team June 3, 2020 18:36
@gsreynolds
Contributor Author

Integration tests pass:

  ✔  azurerm_network_security_group: 'Inspec-NSG' Network Security Group
     ✔  'Inspec-NSG' Network Security Group is expected to exist
     ✔  'Inspec-NSG' Network Security Group is expected not to allow rdp from internet
     ✔  'Inspec-NSG' Network Security Group is expected not to allow ssh from internet
     ✔  'Inspec-NSG' Network Security Group is expected not to allow port from internet "1433"
     ✔  'Inspec-NSG' Network Security Group is expected not to allow port from internet "1521"
     ✔  'Inspec-NSG' Network Security Group is expected not to allow port from internet "4333"
     ✔  'Inspec-NSG' Network Security Group is expected not to allow port from internet "5432"
     ✔  'Inspec-NSG' Network Security Group is expected not to allow port from internet "139"
     ✔  'Inspec-NSG' Network Security Group is expected not to allow port from internet "1433"
     ✔  'Inspec-NSG' Network Security Group is expected not to allow port from internet "445"
     ✔  'Inspec-NSG' Network Security Group is expected not to allow port from internet "1433"
     ✔  'Inspec-NSG' Network Security Group is expected not to allow port from internet "21"
     ✔  'Inspec-NSG' Network Security Group is expected not to allow port from internet "69"
     ✔  'Inspec-NSG' Network Security Group id is expected to eq "/subscriptions/ab381f11-741d-4d18-a3a0-f0f9b37390c8/resourceGroups/Inspec-Azure-gavin/providers/Microsoft.Network/networkSecurityGroups/Inspec-NSG"
     ✔  'Inspec-NSG' Network Security Group name is expected to eq "Inspec-NSG"
     ✔  'Inspec-NSG' Network Security Group type is expected to eq "Microsoft.Network/networkSecurityGroups"
     ✔  'Inspec-NSG' Network Security Group security_rules is expected not to be empty
     ✔  'Inspec-NSG' Network Security Group default_security_rules is expected not to be empty
     ✔  'Inspec-NSG-Insecure' Network Security Group is expected to exist
     ✔  'Inspec-NSG-Insecure' Network Security Group is expected to allow rdp from internet
     ✔  'Inspec-NSG-Insecure' Network Security Group is expected to allow ssh from internet
     ✔  'Inspec-NSG-Insecure' Network Security Group is expected to allow port from internet "1433"
     ✔  'Inspec-NSG-Insecure' Network Security Group is expected to allow port from internet "1521"
     ✔  'Inspec-NSG-Insecure' Network Security Group is expected to allow port from internet "4333"
     ✔  'Inspec-NSG-Insecure' Network Security Group is expected to allow port from internet "5432"
     ✔  'Inspec-NSG-Insecure' Network Security Group is expected to allow port from internet "139"
     ✔  'Inspec-NSG-Insecure' Network Security Group is expected to allow port from internet "1433"
     ✔  'Inspec-NSG-Insecure' Network Security Group is expected to allow port from internet "445"
     ✔  'Inspec-NSG-Insecure' Network Security Group is expected to allow port from internet "1433"
     ✔  'Inspec-NSG-Insecure' Network Security Group is expected to allow port from internet "21"
     ✔  'Inspec-NSG-Insecure' Network Security Group is expected to allow port from internet "69"
     ✔  'Inspec-NSG-Open' Network Security Group is expected to exist
     ✔  'Inspec-NSG-Open' Network Security Group is expected to allow rdp from internet
     ✔  'Inspec-NSG-Open' Network Security Group is expected to allow ssh from internet
     ✔  '' Network Security Group is expected not to exist
     ✔  '' Network Security Group is expected not to exist

@skpaterson skpaterson added the Version: Bump Minor Used by github.minor_bump_labels to bump the Minor version number. label Jun 4, 2020

@skpaterson skpaterson left a comment


Thanks @gsreynolds !

@skpaterson skpaterson merged commit e4cc8e1 into inspec:master Jun 4, 2020
@gsreynolds gsreynolds deleted the nsg_rules branch June 4, 2020 16:53
@Sum123it

Sum123it commented Jun 7, 2020

Thanks @gsreynolds @skpaterson - This was a very important feature for Inspec users!
Can we go a step further with these features in Azure as well, like we have in AWS with ipv4_range, for azurerm_network_security_group?

describe aws_security_group(group_name: 'linux_servers') do
  it { should allow_in(port: 22, ipv4_range: '10.5.0.0/16') }
  it { should_not allow_in(port: 22, ipv4_range: '0.0.0.0/0') }
end

Also the features below:

inbound_rules
outbound_rules

@skpaterson

We can certainly explore that @Sum123it - #249
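The two threads above, the string port ranges that the PR description turns into integer Ranges for cover?, and the ipv4_range-style check Sum123it asks for, can be shown together in one piece of Ruby. This is an added example written for this page, not code from inspec-azure or from either commenter. The rule payload below is constructed to mirror the shape of the Azure securityRules API fields (priority, direction, access, protocol, sourceAddressPrefix/sourceAddressPrefixes, destinationPortRange/destinationPortRanges); the function names allow_in?, port_ranges, source_ranges, allow_port_from_internet?, allow_ssh_from_internet? and allow_rdp_from_internet? are assumptions, as is treating "*", "Internet" and "0.0.0.0/0" as equivalent and ignoring other service tags. It goes beyond the PR's matchers in that it evaluates rules in priority order, first match wins, which is how Azure itself processes an NSG.

```ruby
require 'ipaddr'

# Constructed sample: inbound rules in the shape of the Azure NSG securityRules
# payload (subset of fields). Not real data from the project or the thread.
SAMPLE_RULES = [
  { 'name' => 'deny-mssql-from-internet',
    'properties' => { 'priority' => 100, 'direction' => 'Inbound', 'access' => 'Deny',
                      'protocol' => 'Tcp', 'sourceAddressPrefix' => 'Internet',
                      'destinationPortRange' => '1433' } },
  { 'name' => 'allow-app-range-anywhere',
    'properties' => { 'priority' => 200, 'direction' => 'Inbound', 'access' => 'Allow',
                      'protocol' => '*', 'sourceAddressPrefix' => '*',
                      'destinationPortRanges' => ['1000-2000', '5432'] } },
  { 'name' => 'allow-ssh-corp',
    'properties' => { 'priority' => 300, 'direction' => 'Inbound', 'access' => 'Allow',
                      'protocol' => 'Tcp', 'sourceAddressPrefixes' => ['10.5.0.0/16', '192.0.2.10'],
                      'destinationPortRange' => '22' } },
  { 'name' => 'allow-udp-any',
    'properties' => { 'priority' => 400, 'direction' => 'Inbound', 'access' => 'Allow',
                      'protocol' => 'Udp', 'sourceAddressPrefix' => 'Internet',
                      'destinationPortRange' => '*' } },
].freeze

ANY_IPV4 = IPAddr.new('0.0.0.0/0').to_range
IPV4_OR_CIDR = %r{\A\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?\z}.freeze

# The API returns ports as strings ("22", "1000-2000", "*") and a rule may carry
# either destinationPortRange or destinationPortRanges. Build integer Ranges so
# Range#cover? can do the check. Array#+ leaves the API array untouched.
def port_ranges(props)
  raw = Array(props['destinationPortRanges']) + [props['destinationPortRange']].compact
  raw.map do |spec|
    next (0..65_535) if spec == '*'
    lo, hi = spec.split('-', 2).map { |n| Integer(n, 10) }
    lo..(hi || lo)
  end
end

# Source prefixes become IPAddr ranges. Assumption: "*", "Internet" and
# "0.0.0.0/0" all mean "anywhere". Other service tags (VirtualNetwork, ...)
# cannot be resolved offline, so they are dropped and never count as covering.
def source_ranges(props)
  raw = Array(props['sourceAddressPrefixes']) + [props['sourceAddressPrefix']].compact
  raw.map do |spec|
    next ANY_IPV4 if ['*', 'Internet', '0.0.0.0/0'].include?(spec)
    IPAddr.new(spec).to_range if spec.match?(IPV4_OR_CIDR)
  end.compact
end

def covers?(outer, inner)
  outer.begin <= inner.begin && inner.end <= outer.end
end

# Azure evaluates inbound rules in ascending priority and stops at the first
# match; with no match the default DenyAllInBound rule applies. Simplification:
# a rule matches only when its source prefix covers the whole queried range.
def allow_in?(rules, port:, ipv4_range: '0.0.0.0/0', protocol: 'Tcp')
  query = IPAddr.new(ipv4_range).to_range
  inbound = rules.map { |r| r['properties'] }
                 .select { |p| p['direction'] == 'Inbound' }
                 .sort_by { |p| p['priority'] }
  inbound.each do |p|
    next unless p['protocol'] == '*' || p['protocol'].casecmp?(protocol)
    next unless port_ranges(p).any? { |pr| pr.cover?(port) }
    next unless source_ranges(p).any? { |sr| covers?(sr, query) }
    return p['access'] == 'Allow'
  end
  false
end

# The SSH/RDP matchers are the generic port matcher with a fixed port.
def allow_port_from_internet?(rules, port, protocol: 'Tcp')
  allow_in?(rules, port: port, protocol: protocol)
end

def allow_ssh_from_internet?(rules)
  allow_port_from_internet?(rules, 22)
end

def allow_rdp_from_internet?(rules)
  allow_port_from_internet?(rules, 3389)
end

if __FILE__ == $PROGRAM_NAME
  puts "1433/tcp from internet: #{allow_port_from_internet?(SAMPLE_RULES, 1433)}"
  puts "1433/udp from internet: #{allow_port_from_internet?(SAMPLE_RULES, 1433, protocol: 'Udp')}"
  puts "22/tcp from 10.5.0.0/16: #{allow_in?(SAMPLE_RULES, port: 22, ipv4_range: '10.5.0.0/16')}"
  puts "ssh from internet: #{allow_ssh_from_internet?(SAMPLE_RULES)}"
end
```

Two things worth noticing when running it: the Deny rule at priority 100 only names Tcp, so 1433/udp is still reachable through the priority 200 rule with protocol "*", which is the kind of gap a port-only matcher misses if it ignores protocol; and the SSH rule scoped to 10.5.0.0/16 answers "allowed from that range" but not "allowed from the Internet", which is the distinction the requested ipv4_range argument is for.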

@omerdemirok omerdemirok mentioned this pull request Aug 6, 2020