TlsVersionCheck #1735

Merged
merged 7 commits into from
Dec 5, 2023
Merged
1 change: 1 addition & 0 deletions exports.js
Expand Up @@ -824,6 +824,7 @@ module.exports = {
'postgresqlInfraDoubleEncryption': require(__dirname + '/plugins/azure/postgresqlserver/postgresqlInfraDoubleEncryption.js'),
'postgresqlPrivateEndpoints' : require(__dirname + '/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.js'),
'azureServicesAccessDisabled' : require(__dirname + '/plugins/azure/postgresqlserver/azureServicesAccessDisabled.js'),
'postgresqlTlsVersion' : require(__dirname + '/plugins/azure/postgresqlserver/postgresqlTlsVersion.js'),
'flexibleServerPrivateAccess' : require(__dirname + '/plugins/azure/postgresqlserver/flexibleServerPrivateAccess'),
'diagnosticLoggingEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/diagnosticLoggingEnabled.js'),
'flexibleServerSCRAMEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/flexibleServerSCRAMEnabled.js'),
68 changes: 68 additions & 0 deletions plugins/azure/postgresqlserver/postgresqlTlsVersion.js
@@ -0,0 +1,68 @@
var async = require('async');
const helpers = require('../../../helpers/azure');

module.exports = {
title: 'PostgreSQL Minimum TLS Version',
category: 'PostgreSQL Server',
domain: 'Databases',
description: 'Ensures Microsoft Azure PostgreSQL Servers do not allow outdated TLS certificate versions.',
more_info: 'TLS 1.2 or higher should be used for all TLS connections to Microsoft Azure PostgreSQL server. This setting applies to all databases associated with the server.',
recommended_action: 'Modify PostgreSQL server to use TLS version 1.2 or higher.',
link: 'https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-tls-configurations',
apis: ['servers:listPostgres'],

run: function(cache, settings, callback) {
var results = [];
var source = {};
var locations = helpers.locations(settings.govcloud);

async.each(locations.servers, function(location, rcb) {
var servers = helpers.addSource(cache, source,
['servers', 'listPostgres', location]);

if (!servers) return rcb();

if (servers.err || !servers.data) {
helpers.addResult(results, 3,
'Unable to query for PostgreSQL servers: ' + helpers.addError(servers), location);
return rcb();
}

if (!servers.data.length) {
helpers.addResult(results, 0, 'No PostgreSQL servers found', location);
return rcb();
}

servers.data.forEach(function(server) {
if (!server.id) return;

if (server.minimalTlsVersion && server.minimalTlsVersion !== 'TLSEnforcementDisabled') {
const tlsVersionRegex = /^TLS\d+_\d+$/;
if (!tlsVersionRegex.test(server.minimalTlsVersion)) {
helpers.addResult(results, 2, 'Postgresql server TLS version cannot be parsed', location, server.id);
} else {
var numericTlsVersion = parseFloat(server.minimalTlsVersion.replace('TLS', '').replace('_', '.'));
if (numericTlsVersion >= 1.2) {
helpers.addResult(results, 0,
'PostgreSQL server is using TLS version 1.2 or higher',
location, server.id);
} else {
helpers.addResult(results, 2,
'PostgreSQL server is not using TLS version 1.2',
location, server.id);
}
}
} else {
helpers.addResult(results, 2,
'PostgreSQL server allows all TLS versions',
location, server.id);
}

});

rcb();
}, function() {
callback(null, results, source);
});
}
};
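Review bot: The version comparison at `parseFloat(server.minimalTlsVersion.replace('TLS', '').replace('_', '.'))` treats the minor part as a decimal fraction, so a value the regex accepts such as `TLS1_10` becomes 1.1 and is reported as below 1.2; this is latent with today's `TLS1_0`/`TLS1_1`/`TLS1_2` values but it is the wrong ordering for version strings. Comparing major and minor as integers avoids it: `const [major, minor] = server.minimalTlsVersion.slice(3).split('_').map(Number);` and `if (major > 1 || (major === 1 && minor >= 2)) {` in place of the `numericTlsVersion` lines. The description says "outdated TLS certificate versions" but the setting governs the TLS protocol version, so `description: 'Ensures Microsoft Azure PostgreSQL Servers do not allow outdated TLS protocol versions.'` is the accurate wording. The spec fixture also carries an `sslEnforcement` field that this plugin never reads; if that is `Disabled` the minimum-version setting presumably constrains nothing, so it is worth confirming another plugin covers it or noting the dependency in `more_info`.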
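--- a/plugins/azure/postgresqlserver/postgresqlTlsVersion.spec.js
+++ b/plugins/azure/postgresqlserver/postgresqlTlsVersion.spec.js
@@ -0,0 +1,172 @@
+var expect = require('chai').expect;
+var postgresqlTlsVersion = require('./postgresqlTlsVersion');
+
+const listPostgres = [
+{
+'sku': {
+'name': 'B_Gen5_1',
+'tier': 'Basic',
+'family': 'Gen5',
+'capacity': 1
+},
+'location': 'eastus',
+'tags': { "key": "value" },
+'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.DBforPostgreSQL/servers/server1',
+'name': 'server1',
+'type': 'Microsoft.DBforPostgreSQL/servers',
+'administratorLogin': 'Aquaadmin',
+'storageProfile': {
+'storageMB': 5120,
+'backupRetentionDays': 7,
+'geoRedundantBackup': 'Disabled',
+'storageAutogrow': 'Enabled'
+},
+'version': '11',
+'sslEnforcement': 'Enabled',
+'minimalTlsVersion': 'TLS1_0',
+'userVisibleState': 'Ready',
+'fullyQualifiedDomainName': 'server1.postgres.database.azure.com',
+'earliestRestoreDate': '2021-03-10T12:45:13.233+00:00',
+'replicationRole': '',
+'masterServerId': '',
+'byokEnforcement': 'Disabled',
+'privateEndpointConnections': [],
+'infrastructureEncryption': 'Disabled',
+'publicNetworkAccess': 'Enabled'
+},
+{
+'sku': {
+'name': 'B_Gen5_1',
+'tier': 'Basic',
+'family': 'Gen5',
+'capacity': 1
+},
+'location': 'eastus',
+'tags': { "key": "value" },
+'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.DBforPostgreSQL/servers/server1',
+'name': 'server1',
+'type': 'Microsoft.DBforPostgreSQL/servers',
+'administratorLogin': 'Aquaadmin',
+'storageProfile': {
+'storageMB': 5120,
+'backupRetentionDays': 7,
+'geoRedundantBackup': 'Disabled',
+'storageAutogrow': 'Enabled'
+},
+'version': '11',
+'sslEnforcement': 'Enabled',
+'minimalTlsVersion': 'TLS1_2',
+'userVisibleState': 'Ready',
+'fullyQualifiedDomainName': 'server1.postgres.database.azure.com',
+'earliestRestoreDate': '2021-03-10T12:45:13.233+00:00',
+'replicationRole': '',
+'masterServerId': '',
+'byokEnforcement': 'Disabled',
+'privateEndpointConnections': [],
+'infrastructureEncryption': 'Disabled',
+'publicNetworkAccess': 'Enabled'
+},
+{
+'sku': {
+'name': 'B_Gen5_1',
+'tier': 'Basic',
+'family': 'Gen5',
+'capacity': 1
+},
+'location': 'eastus',
+'tags': {},
+'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.DBforPostgreSQL/servers/server1',
+'name': 'server1',
+'type': 'Microsoft.DBforPostgreSQL/servers',
+'administratorLogin': 'Aquaadmin',
+'storageProfile': {
+'storageMB': 5120,
+'backupRetentionDays': 7,
+'geoRedundantBackup': 'Disabled',
+'storageAutogrow': 'Disabled'
+},
+'version': '11',
+'sslEnforcement': 'Enabled',
+'minimalTlsVersion': 'TLSEnforcementDisabled',
+'userVisibleState': 'Ready',
+'fullyQualifiedDomainName': 'server1.postgres.database.azure.com',
+'earliestRestoreDate': '2021-03-10T12:45:13.233+00:00',
+'replicationRole': '',
+'masterServerId': '',
+'byokEnforcement': 'Disabled',
+'privateEndpointConnections': [],
+'infrastructureEncryption': 'Disabled',
+'publicNetworkAccess': 'Enabled'
+}
+];
+
+const createCache = (listPostgres) => {
+return {
+servers: {
+listPostgres: {
+'eastus': {
+data: listPostgres
+}
+}
+}
+};
+};
+
+describe('postgresqlTlsVersion', function() {
+describe('run', function() {
+it('should give passing result if no servers', function(done) {
+const cache = createCache({});
+postgresqlTlsVersion.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(0);
+expect(results[0].message).to.include('No PostgreSQL servers found');
+expect(results[0].region).to.equal('eastus');
+done();
+});
+});
+
+it('should give failing result if PostgreSQL Server is using TLS version less than desired TLS version', function(done) {
+const cache = createCache([listPostgres[0]]);
+postgresqlTlsVersion.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(2);
+expect(results[0].message).to.include('PostgreSQL server is not using TLS version 1.2');
+expect(results[0].region).to.equal('eastus');
+done();
+});
+});
+
+it('should give passing result if PostgreSQL Server is using TLS version equal to or higher than desired TLS version', function(done) {
+const cache = createCache([listPostgres[1]]);
+postgresqlTlsVersion.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(0);
+expect(results[0].message).to.include('PostgreSQL server is using TLS version 1.2 or higher');
+expect(results[0].region).to.equal('eastus');
+done();
+});
+});
+it('should give failing result if PostgreSQL Server allows all TLS versions', function(done) {
+const cache = createCache([listPostgres[2]]);
+postgresqlTlsVersion.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(2);
+expect(results[0].message).to.include('PostgreSQL server allows all TLS versions');
+expect(results[0].region).to.equal('eastus');
+done();
+});
+});
+
+it('should give UnKnown result if unable to query postgreSQL Server', function(done) {
+const cache = createCache(null);
+postgresqlTlsVersion.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(3);
+expect(results[0].message).to.include('Unable to query for PostgreSQL servers: ');
+expect(results[0].region).to.equal('eastus');
+done();
+});
+});
+
+})
+})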
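Review bot: The "no servers" case builds its cache with `createCache({})`, so the plugin's `!servers.data.length` guard is satisfied by `undefined` rather than by an empty list; `const cache = createCache([]);` exercises the shape the API actually returns. No fixture reaches the `'Postgresql server TLS version cannot be parsed'` branch or a server with `minimalTlsVersion` absent, so the regex guard and the fail-closed "allows all TLS versions" default for a missing field are untested; a fourth fixture with `'minimalTlsVersion': 'TLS1.2'` and a fifth with the field removed would cover both. All three fixtures share the same `id` and `name` ('server1'), which makes a mismatched result harder to attribute when an assertion fails.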