🐛 azure: fail gracefully if unable to get security contacts
Closes #4997

Signed-off-by: Salim Afiune Maya <[email protected]>
afiune committed Feb 8, 2025
1 parent d11ff94 commit fb4477f
Showing 2 changed files with 31 additions and 29 deletions.
Binary file added cnquery
Binary file not shown.
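Review bot: The commit adds a binary named cnquery next to the source fix, which looks like a locally built artifact committed by accident; it cannot be reviewed line by line and would leave an unverifiable executable in the tree. Suggest dropping it from the commit and, if the repository's ignore rules do not already cover it, adding `cnquery` to the ignore file so the build output cannot be staged again.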
60 changes: 31 additions & 29 deletions providers/azure/resources/cloud_defender.go
Expand Up @@ -17,7 +17,7 @@ import (

"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity"
security "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity"
"github.com/rs/zerolog/log"
)

const (
Expand Down Expand Up @@ -61,7 +61,7 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForServers() (interfa
if err != nil {
return nil, err
}
vmPricing, err := clientFactory.NewPricingsClient().Get(ctx, fmt.Sprintf("subscriptions/%s", subId), "VirtualMachines", &security.PricingsClientGetOptions{})
vmPricing, err := clientFactory.NewPricingsClient().Get(ctx, fmt.Sprintf("subscriptions/%s", subId), "VirtualMachines", &armsecurity.PricingsClientGetOptions{})
if err != nil {
return nil, err
}
Expand All @@ -88,7 +88,7 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForServers() (interfa
if vmPricing.Properties.PricingTier != nil {
// According to the CIS implementation of checking if the defender for servers is on, we need to check if the pricing tier is standard
// https://learn.microsoft.com/en-us/rest/api/defenderforcloud/pricings/list?view=rest-defenderforcloud-2024-01-01&tabs=HTTP#pricingtier
resp.Enabled = *vmPricing.Properties.PricingTier == security.PricingTierStandard
resp.Enabled = *vmPricing.Properties.PricingTier == armsecurity.PricingTierStandard
}

for _, it := range list.PolicyAssignments {
Expand Down Expand Up @@ -118,7 +118,7 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForAppServices() (int
return nil, err
}

appServicePricing, err := clientFactory.NewPricingsClient().Get(ctx, fmt.Sprintf("subscriptions/%s", subId), "AppServices", &security.PricingsClientGetOptions{})
appServicePricing, err := clientFactory.NewPricingsClient().Get(ctx, fmt.Sprintf("subscriptions/%s", subId), "AppServices", &armsecurity.PricingsClientGetOptions{})
if err != nil {
return nil, err
}
Expand All @@ -130,7 +130,7 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForAppServices() (int
resp := defenderForAppServices{}
if appServicePricing.Properties.PricingTier != nil {
// Check if the pricing tier is set to 'Standard' which indicates that Defender for App Services is enabled
resp.Enabled = *appServicePricing.Properties.PricingTier == security.PricingTierStandard
resp.Enabled = *appServicePricing.Properties.PricingTier == armsecurity.PricingTierStandard
}

return convert.JsonToDict(resp)
Expand All @@ -147,7 +147,7 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForSqlServersOnMachin
return nil, err
}

sqlServerVmPricing, err := clientFactory.NewPricingsClient().Get(ctx, fmt.Sprintf("subscriptions/%s", subId), "SqlServerVirtualMachines", &security.PricingsClientGetOptions{})
sqlServerVmPricing, err := clientFactory.NewPricingsClient().Get(ctx, fmt.Sprintf("subscriptions/%s", subId), "SqlServerVirtualMachines", &armsecurity.PricingsClientGetOptions{})
if err != nil {
return nil, err
}
Expand All @@ -159,7 +159,7 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForSqlServersOnMachin
resp := defenderForSqlServersOnMachines{}
if sqlServerVmPricing.Properties.PricingTier != nil {
// Check if the pricing tier is set to 'Standard' which indicates that Defender for SQL Servers on Machines is enabled
resp.Enabled = *sqlServerVmPricing.Properties.PricingTier == security.PricingTierStandard
resp.Enabled = *sqlServerVmPricing.Properties.PricingTier == armsecurity.PricingTierStandard
}

return convert.JsonToDict(resp)
Expand All @@ -176,7 +176,7 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForSqlDatabases() (in
return nil, err
}

sqlDbPricing, err := clientFactory.NewPricingsClient().Get(ctx, fmt.Sprintf("subscriptions/%s", subId), "SqlServers", &security.PricingsClientGetOptions{})
sqlDbPricing, err := clientFactory.NewPricingsClient().Get(ctx, fmt.Sprintf("subscriptions/%s", subId), "SqlServers", &armsecurity.PricingsClientGetOptions{})
if err != nil {
return nil, err
}
Expand All @@ -188,7 +188,7 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForSqlDatabases() (in
resp := defenderForSqlDatabases{}
if sqlDbPricing.Properties.PricingTier != nil {
// Check if the pricing tier is set to 'Standard' which indicates that Defender for SQL Databases is enabled
resp.Enabled = *sqlDbPricing.Properties.PricingTier == security.PricingTierStandard
resp.Enabled = *sqlDbPricing.Properties.PricingTier == armsecurity.PricingTierStandard
}

return convert.JsonToDict(resp)
Expand All @@ -205,7 +205,7 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForOpenSourceDatabase
return nil, err
}

openSourceDbPricing, err := clientFactory.NewPricingsClient().Get(ctx, fmt.Sprintf("subscriptions/%s", subId), "OpenSourceRelationalDatabases", &security.PricingsClientGetOptions{})
openSourceDbPricing, err := clientFactory.NewPricingsClient().Get(ctx, fmt.Sprintf("subscriptions/%s", subId), "OpenSourceRelationalDatabases", &armsecurity.PricingsClientGetOptions{})
if err != nil {
return nil, err
}
Expand All @@ -217,7 +217,7 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForOpenSourceDatabase
resp := defenderForOpenSourceDatabases{}
if openSourceDbPricing.Properties.PricingTier != nil {
// Check if the pricing tier is set to 'Standard' which indicates that Defender for Open-source Relational Databases is enabled
resp.Enabled = *openSourceDbPricing.Properties.PricingTier == security.PricingTierStandard
resp.Enabled = *openSourceDbPricing.Properties.PricingTier == armsecurity.PricingTierStandard
}

return convert.JsonToDict(resp)
Expand All @@ -234,7 +234,7 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForCosmosDb() (interf
return nil, err
}

cosmosDbPricing, err := clientFactory.NewPricingsClient().Get(ctx, fmt.Sprintf("subscriptions/%s", subId), "CosmosDbs", &security.PricingsClientGetOptions{})
cosmosDbPricing, err := clientFactory.NewPricingsClient().Get(ctx, fmt.Sprintf("subscriptions/%s", subId), "CosmosDbs", &armsecurity.PricingsClientGetOptions{})
if err != nil {
return nil, err
}
Expand All @@ -246,7 +246,7 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForCosmosDb() (interf
resp := defenderForCosmosDb{}
if cosmosDbPricing.Properties.PricingTier != nil {
// Check if the pricing tier is set to 'Standard' which indicates that Defender for Cosmos DB is enabled
resp.Enabled = *cosmosDbPricing.Properties.PricingTier == security.PricingTierStandard
resp.Enabled = *cosmosDbPricing.Properties.PricingTier == armsecurity.PricingTierStandard
}

return convert.JsonToDict(resp)
Expand All @@ -263,7 +263,7 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForStorageAccounts()
return nil, err
}

storageAccountsPricing, err := clientFactory.NewPricingsClient().Get(ctx, fmt.Sprintf("subscriptions/%s", subId), "StorageAccounts", &security.PricingsClientGetOptions{})
storageAccountsPricing, err := clientFactory.NewPricingsClient().Get(ctx, fmt.Sprintf("subscriptions/%s", subId), "StorageAccounts", &armsecurity.PricingsClientGetOptions{})
if err != nil {
return nil, err
}
Expand All @@ -275,7 +275,7 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForStorageAccounts()
resp := defenderForStorageAccounts{}
if storageAccountsPricing.Properties.PricingTier != nil {
// Check if the pricing tier is set to 'Standard' which indicates that Defender for Storage Accounts is enabled
resp.Enabled = *storageAccountsPricing.Properties.PricingTier == security.PricingTierStandard
resp.Enabled = *storageAccountsPricing.Properties.PricingTier == armsecurity.PricingTierStandard
}

return convert.JsonToDict(resp)
Expand All @@ -292,7 +292,7 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForKeyVaults() (inter
return nil, err
}

keyVaultsPricing, err := clientFactory.NewPricingsClient().Get(ctx, fmt.Sprintf("subscriptions/%s", subId), "KeyVaults", &security.PricingsClientGetOptions{})
keyVaultsPricing, err := clientFactory.NewPricingsClient().Get(ctx, fmt.Sprintf("subscriptions/%s", subId), "KeyVaults", &armsecurity.PricingsClientGetOptions{})
if err != nil {
return nil, err
}
Expand All @@ -304,7 +304,7 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForKeyVaults() (inter
resp := defenderForKeyVaults{}
if keyVaultsPricing.Properties.PricingTier != nil {
// Check if the pricing tier is set to 'Standard' which indicates that Defender for Key Vaults is enabled
resp.Enabled = *keyVaultsPricing.Properties.PricingTier == security.PricingTierStandard
resp.Enabled = *keyVaultsPricing.Properties.PricingTier == armsecurity.PricingTierStandard
}

return convert.JsonToDict(resp)
Expand All @@ -321,7 +321,7 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForResourceManager()
return nil, err
}

resourceManagerPricing, err := clientFactory.NewPricingsClient().Get(ctx, fmt.Sprintf("subscriptions/%s", subId), "Arm", &security.PricingsClientGetOptions{})
resourceManagerPricing, err := clientFactory.NewPricingsClient().Get(ctx, fmt.Sprintf("subscriptions/%s", subId), "Arm", &armsecurity.PricingsClientGetOptions{})
if err != nil {
return nil, err
}
Expand All @@ -333,7 +333,7 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForResourceManager()
resp := defenderForResourceManager{}
if resourceManagerPricing.Properties.PricingTier != nil {
// Check if the pricing tier is set to 'Standard' which indicates that Defender for Resource Manager is enabled
resp.Enabled = *resourceManagerPricing.Properties.PricingTier == security.PricingTierStandard
resp.Enabled = *resourceManagerPricing.Properties.PricingTier == armsecurity.PricingTierStandard
}

return convert.JsonToDict(resp)
Expand All @@ -345,19 +345,19 @@ func (a *mqlAzureSubscriptionCloudDefenderService) monitoringAgentAutoProvision(
token := conn.Token()
subId := a.SubscriptionId.Data

client, err := security.NewAutoProvisioningSettingsClient(subId, token, &arm.ClientOptions{
client, err := armsecurity.NewAutoProvisioningSettingsClient(subId, token, &arm.ClientOptions{
ClientOptions: conn.ClientOptions(),
})
if err != nil {
return false, err
}

setting, err := client.Get(ctx, "default", &security.AutoProvisioningSettingsClientGetOptions{})
setting, err := client.Get(ctx, "default", &armsecurity.AutoProvisioningSettingsClientGetOptions{})
if err != nil {
return false, err
}
autoProvision := *setting.Properties.AutoProvision
return autoProvision == security.AutoProvisionOn, nil
return autoProvision == armsecurity.AutoProvisionOn, nil
}

func (a *mqlAzureSubscriptionCloudDefenderService) defenderForContainers() (interface{}, error) {
Expand Down Expand Up @@ -415,22 +415,22 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForContainers() (inte
return nil, err
}

containersPricing, err := clientFactory.NewPricingsClient().Get(ctx, fmt.Sprintf("subscriptions/%s", subId), "Containers", &security.PricingsClientGetOptions{})
containersPricing, err := clientFactory.NewPricingsClient().Get(ctx, fmt.Sprintf("subscriptions/%s", subId), "Containers", &armsecurity.PricingsClientGetOptions{})
if err != nil {
return nil, err
}

enabled := false
if containersPricing.Properties.PricingTier != nil {
enabled = *containersPricing.Properties.PricingTier == security.PricingTierStandard
enabled = *containersPricing.Properties.PricingTier == armsecurity.PricingTierStandard
}
extensions := []extension{}
for _, ext := range containersPricing.Properties.Extensions {
if ext.IsEnabled == nil || ext.Name == nil {
continue
}
e := false
if *ext.IsEnabled == security.IsEnabledTrue {
if *ext.IsEnabled == armsecurity.IsEnabledTrue {
e = true
}
extensions = append(extensions, extension{Name: *ext.Name, IsEnabled: e})
Expand All @@ -454,19 +454,21 @@ func (a *mqlAzureSubscriptionCloudDefenderService) securityContacts() ([]interfa
if err != nil {
return nil, err
}
res := []interface{}{}
list, err := getSecurityContacts(ctx, armConn)
if err != nil {
return nil, err
// https: //github.com/mondoohq/cnquery/issues/4997
log.Warn().Err(err).Msg("fail gracefully")
return res, nil
}
res := []interface{}{}
for _, contact := range list {
alertNotifications, err := convert.JsonToDict(contact.Properties.AlertNotifications)
if err != nil {
return nil, err
log.Debug().Err(err).Msg("unable to convert armsecurity.Contact.Properties.AlertNotifications to dict")
}
notificationsByRole, err := convert.JsonToDict(contact.Properties.NotificationsByRole)
if err != nil {
return nil, err
log.Debug().Err(err).Msg("unable to convert armsecurity.Contact.Properties.NotificationsByRole to dict")
}
mails := ""
if contact.Properties.Emails != nil {
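Review bot: The warning logged when getSecurityContacts fails (`log.Warn().Err(err).Msg("fail gracefully")`) gives an operator nothing to act on, and because the function then returns an empty list, a permission or transport error becomes indistinguishable from a subscription that really has no security contacts, which silently changes the outcome of any check built on this field. Suggest a message that names the operation and the consequence, e.g. `log.Warn().Err(err).Msg("unable to list azure security contacts, returning an empty list")`, and, if the failure behind #4997 is one specific error, narrowing the graceful path to that case with errors.Is/errors.As instead of swallowing every error. The comment above it also has a stray space in the URL: `// https://github.com/mondoohq/cnquery/issues/4997`. The two JsonToDict failures in the loop are now logged at Debug and the loop continues with whatever JsonToDict returned on error; that appears intended, but a one-line comment saying the field is left empty when conversion fails would make the contract explicit. securityContacts begins and ends outside this hunk.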
