fix(gcp): check cloudsql sslMode (#4635)
pedrooot authored and MrCloudSec committed Aug 5, 2024
1 parent 9addf86 commit 8adc72a
Showing 25 changed files with 218 additions and 83 deletions.
Expand Up @@ -15,7 +15,7 @@ def execute(self) -> Check_Report_GCP:
report.status_extended = (
f"Database Instance {instance.name} requires SSL connections."
)
if not instance.ssl:
if not instance.require_ssl or instance.ssl_mode != "ENCRYPTED_ONLY":
report.status = "FAIL"
report.status_extended = f"Database Instance {instance.name} does not require SSL connections."
findings.append(report)
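Review bot: The new condition on the `if` line fails any instance whose sslMode is TRUSTED_CLIENT_CERTIFICATE_REQUIRED, the strictest of the three Cloud SQL values, because it accepts only ENCRYPTED_ONLY; and, as far as I recall the API, ENCRYPTED_ONLY is reported together with requireSsl=false, so the `not instance.require_ssl` half then fails the ENCRYPTED_ONLY instances as well, leaving only the fixture's requireSsl=True/ENCRYPTED_ONLY combination passing. Since sslMode supersedes requireSsl, the check should key on the mode alone: `if instance.ssl_mode not in ("ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"):`. The gcp_fixtures.py hunks pair requireSsl True with ENCRYPTED_ONLY, which is worth re-checking against a real API response before the test is taken as proof. execute() starts and ends outside this hunk.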
8 changes: 6 additions & 2 deletions prowler/providers/gcp/services/cloudsql/cloudsql_service.py
Expand Up @@ -31,9 +31,12 @@ def __get_instances__(self):
region=instance["region"],
ip_addresses=instance.get("ipAddresses", []),
public_ip=public_ip,
ssl=instance["settings"]["ipConfiguration"].get(
require_ssl=instance["settings"]["ipConfiguration"].get(
"requireSsl", False
),
ssl_mode=instance["settings"]["ipConfiguration"].get(
"sslMode", "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
),
automated_backups=instance["settings"][
"backupConfiguration"
]["enabled"],
Expand Down Expand Up @@ -61,7 +64,8 @@ class Instance(BaseModel):
region: str
public_ip: bool
authorized_networks: list
ssl: bool
require_ssl: bool
ssl_mode: str
automated_backups: bool
flags: list
project_id: str
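Review bot: `ssl_mode: str` on the Instance model carries no hint of which values the checks compare against, and the default chosen in __get_instances__ (`"ALLOW_UNENCRYPTED_AND_ENCRYPTED"` when the API omits sslMode) is only visible in the service method. A comment on the field would help the next check author: `ssl_mode: str  # ipConfiguration.sslMode; ALLOW_UNENCRYPTED_AND_ENCRYPTED when the API omits it`. Defaulting a missing mode to the permissive value is the fail-safe direction for a check, so that part reads right. Both __get_instances__ and the Instance class extend outside these hunks.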
2 changes: 2 additions & 0 deletions tests/providers/gcp/gcp_fixtures.py
Expand Up @@ -583,6 +583,7 @@ def mock_api_instances_calls(client: MagicMock, service: str):
"settings": {
"ipConfiguration": {
"requireSsl": True,
"sslMode": "ENCRYPTED_ONLY",
"authorizedNetworks": [{"value": "test"}],
},
"backupConfiguration": {"enabled": True},
Expand All @@ -597,6 +598,7 @@ def mock_api_instances_calls(client: MagicMock, service: str):
"settings": {
"ipConfiguration": {
"requireSsl": False,
"sslMode": "ALLOW_UNENCRYPTED_AND_ENCRYPTED",
"authorizedNetworks": [{"value": "test"}],
},
"backupConfiguration": {"enabled": False},
Expand Up @@ -52,7 +52,8 @@ def test_cloudsql_instance_with_automated_backups(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[],
Expand Down Expand Up @@ -97,7 +98,8 @@ def test_cloudsql_instance_without_automated_backups(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=False,
authorized_networks=[],
flags=[],
Expand Up @@ -52,7 +52,8 @@ def test_cloudsql_postgres_instance(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[],
Expand Down Expand Up @@ -88,7 +89,8 @@ def test_cloudsql_instance_with_no_flags(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[],
Expand Down Expand Up @@ -133,7 +135,8 @@ def test_cloudsql_instance_with_local_infile_flag_off(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[{"name": "local_infile", "value": "off"}],
Expand Down Expand Up @@ -178,7 +181,8 @@ def test_cloudsql_instance_with_local_infile_flag_on(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[{"name": "local_infile", "value": "on"}],
Expand Up @@ -52,7 +52,8 @@ def test_cloudsql_postgres_instance(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[],
Expand Down Expand Up @@ -88,7 +89,8 @@ def test_cloudsql_instance_no_flags(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[],
Expand Down Expand Up @@ -133,7 +135,8 @@ def test_cloudsql_instance_with_skip_show_databases_off(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[{"name": "skip_show_database", "value": "off"}],
Expand Down Expand Up @@ -178,7 +181,8 @@ def test_cloudsql_instance_with_skip_show_databases_on(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[{"name": "skip_show_database", "value": "on"}],
Expand Up @@ -52,7 +52,8 @@ def test_cloudsql_mysql_instance(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[],
Expand Down Expand Up @@ -88,7 +89,8 @@ def test_cloudsql_instance_no_flags(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[],
Expand Down Expand Up @@ -133,7 +135,8 @@ def test_cloudsql_instance_pgaudit_flag_off(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[{"name": "cloudsql.enable_pgaudit", "value": "off"}],
Expand Down Expand Up @@ -178,7 +181,8 @@ def test_cloudsql_instance_pgaudit_flag_on(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[{"name": "cloudsql.enable_pgaudit", "value": "on"}],
Expand Up @@ -52,7 +52,8 @@ def test_cloudsql_mysql_instance(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[],
Expand Down Expand Up @@ -88,7 +89,8 @@ def test_cloudsql_instance_no_flags(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[],
Expand Down Expand Up @@ -133,7 +135,8 @@ def test_cloudsql_instance_log_connections_flag_off(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[{"name": "log_connections", "value": "off"}],
Expand Down Expand Up @@ -178,7 +181,8 @@ def test_cloudsql_instance_log_connections_flag_on(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[{"name": "log_connections", "value": "on"}],
Expand Up @@ -52,7 +52,8 @@ def test_cloudsql_mysql_instance(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[],
Expand Down Expand Up @@ -88,7 +89,8 @@ def test_cloudsql_instance_no_flags(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[],
Expand Down Expand Up @@ -133,7 +135,8 @@ def test_cloudsql_instance_log_disconnections_flag_off(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[{"name": "log_disconnections", "value": "off"}],
Expand Down Expand Up @@ -178,7 +181,8 @@ def test_cloudsql_instance_log_disconnections_flag_on(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[{"name": "log_disconnections", "value": "on"}],
Expand Up @@ -52,7 +52,8 @@ def test_cloudsql_mysql_instance(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[],
Expand Down Expand Up @@ -88,7 +89,8 @@ def test_cloudsql_instance_no_flags(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[],
Expand Down Expand Up @@ -133,7 +135,8 @@ def test_cloudsql_instance_log_error_verbosity_flag_off(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[{"name": "log_error_verbosity", "value": "off"}],
Expand Down Expand Up @@ -178,7 +181,8 @@ def test_cloudsql_instance_log_error_verbosity_flag_on(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[{"name": "log_error_verbosity", "value": "default"}],
Expand Up @@ -52,7 +52,8 @@ def test_cloudsql_mysql_instance(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[],
Expand Down Expand Up @@ -88,7 +89,8 @@ def test_cloudsql_instance_no_flags(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[],
Expand Down Expand Up @@ -133,7 +135,8 @@ def test_cloudsql_instance_log_min_duration_statement_flag_off(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[{"name": "log_min_duration_statement", "value": "0"}],
Expand Down Expand Up @@ -178,7 +181,8 @@ def test_cloudsql_instance_log_min_duration_statement_flag_on(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[{"name": "log_min_duration_statement", "value": "-1"}],
Expand Up @@ -52,7 +52,8 @@ def test_cloudsql_mysql_instance(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[],
Expand Down Expand Up @@ -88,7 +89,8 @@ def test_cloudsql_instance_no_flags(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[],
Expand Down Expand Up @@ -133,7 +135,8 @@ def test_cloudsql_instance_log_min_error_statement_flag_off(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[{"name": "log_min_error_statement", "value": "warning"}],
Expand Down Expand Up @@ -178,7 +181,8 @@ def test_cloudsql_instance_log_min_error_statement_flag_on(self):
ip_addresses=[],
region=GCP_EU1_LOCATION,
public_ip=False,
ssl=False,
require_ssl=False,
ssl_mode="ENCRYPTED_ONLY",
automated_backups=True,
authorized_networks=[],
flags=[{"name": "log_min_error_statement", "value": "error"}],