FS-Azure/mysqlCmk #2074

Merged
merged 4 commits into from
Sep 18, 2024
Merged
1 change: 1 addition & 0 deletions exports.js
Expand Up @@ -867,6 +867,7 @@ module.exports = {
'mysqlFlexibleServersMinTls' : require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServersMinTls.js'),
'mysqlFlexibleServerVersion' : require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerVersion.js'),
'mysqlServerHasTags' : require(__dirname + '/plugins/azure/mysqlserver/mysqlServerHasTags.js'),
'mysqlFlexibleServerCMKEncrypted': require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js'),
'mysqlFlexibleServerPublicAccess': require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js'),
'mysqlFlexibleServerDignosticLogs': require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerDignosticLogs.js'),
'mysqlFlexibleServerIdentity' : require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerIdentity.js'),
2 changes: 1 addition & 1 deletion plugins/aws/eks/eksKubernetesVersion.spec.js
Expand Up @@ -82,7 +82,7 @@ describe('eksKubernetesVersion', function () {
"cluster": {
"name": "mycluster",
"arn": "arn:aws:eks:us-east-1:012345678911:cluster/mycluster",
"version": "1.27",
"version": "1.29",
}
}
);
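--- a/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js
+++ b/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js
@@ -0,0 +1,53 @@
+const async = require('async');
+const helpers = require('../../../helpers/azure');
+
+module.exports = {
+title: 'MySQL Flexible Server Data CMK Encrypted',
+category: 'MySQL Server',
+domain: 'Databases',
+severity: 'High',
+description: 'Ensures that MySQL flexible servers data is encrypted using CMK.',
+more_info: 'MySQL flexible server allows you to encrypt data using customer-managed keys (CMK) instead of using platform-managed keys, which are enabled by default. Using CMK encryption offers enhanced security and compliance, allowing centralized management and control of encryption keys through Azure Key Vault. It adds an extra layer of protection against unauthorized access to sensitive data stored in the database.',
+recommended_action: 'Ensure that MySQL flexible server have CMK encryption enabled.',
+link: 'https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-customer-managed-key',
+apis: ['servers:listMysqlFlexibleServer'],
+realtime_triggers: ['microsoftdbformysql:flexibleservers:write','microsoftdbformysql:flexibleservers:delete'],
+
+run: function(cache, settings, callback) {
+const results = [];
+const source = {};
+const locations = helpers.locations(settings.govcloud);
+
+async.each(locations.servers, (location, rcb) => {
+const servers = helpers.addSource(cache, source,
+['servers', 'listMysqlFlexibleServer', location]);
+
+if (!servers) return rcb();
+
+if (servers.err || !servers.data) {
+helpers.addResult(results, 3,
+'Unable to query for MySQL flexible servers: ' + helpers.addError(servers), location);
+return rcb();
+}
+
+if (!servers.data.length) {
+helpers.addResult(results, 0, 'No existing MySQL flexible servers found', location);
+return rcb();
+}
+
+for (var flexibleServer of servers.data) {
+if (!flexibleServer.id) continue;
+
+if (flexibleServer.dataEncryption && flexibleServer.dataEncryption.primaryKeyURI) {
+helpers.addResult(results, 0, 'MySQL flexible server data is encrypted using CMK', location, flexibleServer.id);
+} else {
+helpers.addResult(results, 2, 'MySQL flexible server data is not encrypted using CMK', location, flexibleServer.id);
+}
+}
+rcb();
+}, function() {
+// Global checking goes here
+callback(null, results, source);
+});
+}
+};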
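Review bot: The pass branch at `if (flexibleServer.dataEncryption && flexibleServer.dataEncryption.primaryKeyURI)` treats the mere presence of a key URI as proof of customer-managed encryption, without looking at the encryption mode itself. The flexible-server API also reports `dataEncryption.type` (`AzureKeyVault` versus `SystemManaged`), so a tighter pass condition would be `if (flexibleServer.dataEncryption && flexibleServer.dataEncryption.type === 'AzureKeyVault' && flexibleServer.dataEncryption.primaryKeyURI)`; confirm the exact field against the SDK response shape used by `listMysqlFlexibleServer` before relying on it. As a style point, `for (var flexibleServer of servers.data)` should declare with `const`, and the `// Global checking goes here` placeholder comment in the final callback says nothing and can be dropped.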
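--- a/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.spec.js
+++ b/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.spec.js
@@ -0,0 +1,103 @@
+var assert = require('assert');
+var expect = require('chai').expect;
+var auth = require('./mysqlFlexibleServerCMKEncrypted');
+
+const createCache = (err, list) => {
+return {
+servers: {
+listMysqlFlexibleServer: {
+'eastus': {
+err: err,
+data: list
+}
+}
+}
+}
+};
+
+describe('mysqlFlexibleServerManagedIdentity', function() {
+describe('run', function() {
+it('should PASS if no existing servers found', function(done) {
+const callback = (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(0);
+expect(results[0].message).to.include('No existing MySQL flexible servers found');
+expect(results[0].region).to.equal('eastus');
+done()
+};
+
+const cache = createCache(
+null,
+[],
+{}
+);
+
+auth.run(cache, {}, callback);
+});
+
+it('should FAIL if MySQL server is not CMK encrypted', function(done) {
+const callback = (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(2);
+expect(results[0].message).to.include('MySQL flexible server data is not encrypted using CMK');
+expect(results[0].region).to.equal('eastus');
+done()
+};
+
+const cache = createCache(
+null,
+[
+{
+"id": "/subscriptions/12345/resourceGroups/Default/providers/Microsoft.DBforMySQL/flexibleServers/test-server",
+"type": "Microsoft.DBforMySQL/flexibleServers",
+"version": '5.8'
+}
+],
+);
+
+auth.run(cache, {}, callback);
+});
+
+it('should PASS if MySQL server is CMK encrypted', function(done) {
+const callback = (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(0);
+expect(results[0].message).to.include('MySQL flexible server data is encrypted using CMK');
+expect(results[0].region).to.equal('eastus');
+done()
+};
+
+const cache = createCache(
+null,
+[
+{
+"id": "/subscriptions/12345/resourceGroups/Default/providers/Microsoft.DBforMySQL/flexibleServers/test-server",
+"type": "Microsoft.DBforMySQL/flexibleServers",
+"version": "8.0",
+"dataEncryption": {
+"primaryKeyURI" : "https://test.vault.azure.net/keys/test2/9e0e3453676456e"
+}
+}
+]
+);
+
+auth.run(cache, {}, callback);
+});
+
+it('should UNKNOWN if unable to query for server', function(done) {
+const callback = (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(3);
+expect(results[0].message).to.include('Unable to query for MySQL flexible servers: ');
+expect(results[0].region).to.equal('eastus');
+done()
+};
+
+const cache = createCache(
+null, null
+);
+
+auth.run(cache, {}, callback);
+});
+})
+})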
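Review bot: The outer `describe('mysqlFlexibleServerManagedIdentity', function() {` names a different plugin than the one required on the third line, so failures would be reported against the wrong check; it should read `describe('mysqlFlexibleServerCMKEncrypted', function() {`. The first test passes a third argument `{}` to `createCache`, which only declares `(err, list)` and silently ignores it, and `assert` is required but never used. The suite also lacks the case most likely to regress in the plugin's pass condition: a server whose `dataEncryption` object is present but carries no `primaryKeyURI`, which should yield status 2.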