Fixed AppServiceScanner Managed Identity rules #211

Azure · Apr 23, 2024 · c906411 · c906411
1 parent 6d9b0ca
commit c906411
Show file tree

Hide file tree

Showing 2 changed files with 99 additions and 18 deletions.
diff --git a/internal/scanners/asp/rules.go b/internal/scanners/asp/rules.go
@@ -247,8 +247,11 @@ func (a *AppServiceScanner) getAppRules() map[string]scanners.AzureRule {
 			Recommendation: "App Service should use Managed Identities",
 			Impact:         scanners.ImpactMedium,
 			Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) {
-				c := target.(*armappservice.Site)
-				return c.Identity == nil || c.Identity.Type == nil || *c.Identity.Type == armappservice.ManagedServiceIdentityTypeNone, ""
+				// c := target.(*armappservice.Site)
+				// c.Identity == nil || c.Identity.Type == nil || *c.Identity.Type == armappservice.ManagedServiceIdentityTypeNone
+				// not working because SDK set's Identity to nil even when configured.
+				ok := scanContext.SiteConfig.Properties.ManagedServiceIdentityID != nil || scanContext.SiteConfig.Properties.XManagedServiceIdentityID != nil
+				return !ok, ""
 			},
 			Url: "https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
 		},
@@ -377,8 +380,11 @@ func (a *AppServiceScanner) getFunctionRules() map[string]scanners.AzureRule {
 			Recommendation: "Function should use Managed Identities",
 			Impact:         scanners.ImpactMedium,
 			Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) {
-				c := target.(*armappservice.Site)
-				return c.Identity == nil || c.Identity.Type == nil || *c.Identity.Type == armappservice.ManagedServiceIdentityTypeNone, ""
+				// c := target.(*armappservice.Site)
+				// c.Identity == nil || c.Identity.Type == nil || *c.Identity.Type == armappservice.ManagedServiceIdentityTypeNone
+				// not working because SDK set's Identity to nil even when configured.
+				ok := scanContext.SiteConfig.Properties.ManagedServiceIdentityID != nil || scanContext.SiteConfig.Properties.XManagedServiceIdentityID != nil
+				return !ok, ""
 			},
 			Url: "https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
 		},
@@ -507,8 +513,11 @@ func (a *AppServiceScanner) getLogicRules() map[string]scanners.AzureRule {
 			Recommendation: "Logic App should use Managed Identities",
 			Impact:         scanners.ImpactMedium,
 			Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) {
-				c := target.(*armappservice.Site)
-				return c.Identity == nil || c.Identity.Type == nil || *c.Identity.Type == armappservice.ManagedServiceIdentityTypeNone, ""
+				// c := target.(*armappservice.Site)
+				// c.Identity == nil || c.Identity.Type == nil || *c.Identity.Type == armappservice.ManagedServiceIdentityTypeNone
+				// not working because SDK set's Identity to nil even when configured.
+				ok := scanContext.SiteConfig.Properties.ManagedServiceIdentityID != nil || scanContext.SiteConfig.Properties.XManagedServiceIdentityID != nil
+				return !ok, ""
 			},
 			Url: "https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
 		},

diff --git a/internal/scanners/asp/rules_test.go b/internal/scanners/asp/rules_test.go
@@ -401,18 +401,42 @@ func TestAppServiceScanner_AppRules(t *testing.T) {
 			name: "AppServiceScanner Managed Identity None",
 			fields: fields{
 				rule: "app-016",
-				target: &armappservice.Site{
-					Identity: &armappservice.ManagedServiceIdentity{
-						Type: to.Ptr(armappservice.ManagedServiceIdentityTypeNone),
+				target: &armappservice.Site{},
+				scanContext: &scanners.ScanContext{
+					SiteConfig: &armappservice.WebAppsClientGetConfigurationResponse{
+						SiteConfigResource: armappservice.SiteConfigResource{
+							Properties: &armappservice.SiteConfig{
+								ManagedServiceIdentityID: nil,
+							},
+						},
 					},
 				},
-				scanContext: &scanners.ScanContext{},
 			},
 			want: want{
 				broken: true,
 				result: "",
 			},
 		},
+		{
+			name: "AppServiceScanner Managed Identity",
+			fields: fields{
+				rule: "app-016",
+				target: &armappservice.Site{},
+				scanContext: &scanners.ScanContext{
+					SiteConfig: &armappservice.WebAppsClientGetConfigurationResponse{
+						SiteConfigResource: armappservice.SiteConfigResource{
+							Properties: &armappservice.SiteConfig{
+								ManagedServiceIdentityID: to.Ptr(int32(1)),
+							},
+						},
+					},
+				},
+			},
+			want: want{
+				broken: false,
+				result: "",
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -651,18 +675,42 @@ func TestAppServiceScanner_FunctionRules(t *testing.T) {
 			name: "AppServiceScanner Managed Identity None",
 			fields: fields{
 				rule: "func-014",
-				target: &armappservice.Site{
-					Identity: &armappservice.ManagedServiceIdentity{
-						Type: to.Ptr(armappservice.ManagedServiceIdentityTypeNone),
+				target: &armappservice.Site{},
+				scanContext: &scanners.ScanContext{
+					SiteConfig: &armappservice.WebAppsClientGetConfigurationResponse{
+						SiteConfigResource: armappservice.SiteConfigResource{
+							Properties: &armappservice.SiteConfig{
+								ManagedServiceIdentityID: nil,
+							},
+						},
 					},
 				},
-				scanContext: &scanners.ScanContext{},
 			},
 			want: want{
 				broken: true,
 				result: "",
 			},
 		},
+		{
+			name: "AppServiceScanner Managed Identity",
+			fields: fields{
+				rule: "func-014",
+				target: &armappservice.Site{},
+				scanContext: &scanners.ScanContext{
+					SiteConfig: &armappservice.WebAppsClientGetConfigurationResponse{
+						SiteConfigResource: armappservice.SiteConfigResource{
+							Properties: &armappservice.SiteConfig{
+								ManagedServiceIdentityID: to.Ptr(int32(1)),
+							},
+						},
+					},
+				},
+			},
+			want: want{
+				broken: false,
+				result: "",
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -901,18 +949,42 @@ func TestAppServiceScanner_LogicRules(t *testing.T) {
 			name: "AppServiceScanner Managed Identity None",
 			fields: fields{
 				rule: "logics-014",
-				target: &armappservice.Site{
-					Identity: &armappservice.ManagedServiceIdentity{
-						Type: to.Ptr(armappservice.ManagedServiceIdentityTypeNone),
+				target: &armappservice.Site{},
+				scanContext: &scanners.ScanContext{
+					SiteConfig: &armappservice.WebAppsClientGetConfigurationResponse{
+						SiteConfigResource: armappservice.SiteConfigResource{
+							Properties: &armappservice.SiteConfig{
+								ManagedServiceIdentityID: nil,
+							},
+						},
 					},
 				},
-				scanContext: &scanners.ScanContext{},
 			},
 			want: want{
 				broken: true,
 				result: "",
 			},
 		},
+		{
+			name: "AppServiceScanner Managed Identity",
+			fields: fields{
+				rule: "logics-014",
+				target: &armappservice.Site{},
+				scanContext: &scanners.ScanContext{
+					SiteConfig: &armappservice.WebAppsClientGetConfigurationResponse{
+						SiteConfigResource: armappservice.SiteConfigResource{
+							Properties: &armappservice.SiteConfig{
+								ManagedServiceIdentityID: to.Ptr(int32(1)),
+							},
+						},
+					},
+				},
+			},
+			want: want{
+				broken: false,
+				result: "",
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {