From 4a66f67e328a26092178a8737addd8f03ebb9adb Mon Sep 17 00:00:00 2001
From: Preslav Gerchev
Date: Tue, 23 Jan 2024 19:27:34 +0200
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20Add=20direction=20to=20network=20se?=
 =?UTF-8?q?curity=20rules.=20Ensure=20destination=20port=20ranges=20are=20?=
 =?UTF-8?q?always=20populated=20(#3086)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* ✨ Add direction to network security rules. Ensure destination port ranges are always populated.

Signed-off-by: Preslav

* Update network test.

Signed-off-by: Preslav

---------

Signed-off-by: Preslav
---
 providers/azure/resources/azure.lr               |  2 ++
 providers/azure/resources/azure.lr.go            | 12 ++++++++++++
 providers/azure/resources/azure.lr.manifest.yaml |  1 +
 providers/azure/resources/network.go             | 13 +++++++++++++
 providers/azure/resources/network_test.go        | 14 ++++++++------
 5 files changed, 36 insertions(+), 6 deletions(-)

diff --git a/providers/azure/resources/azure.lr b/providers/azure/resources/azure.lr
index f1fb9c48c7..f99c51ad74 100644
--- a/providers/azure/resources/azure.lr
+++ b/providers/azure/resources/azure.lr
@@ -757,6 +757,8 @@ private azure.subscription.networkService.securityrule @defaults("id name") {
   properties dict
   // Security rule destination port range
   destinationPortRange []dict
+  // Security rule direction (outbound or inbound)
+  direction string
 }
 
 // Azure Network Watcher
diff --git a/providers/azure/resources/azure.lr.go b/providers/azure/resources/azure.lr.go
index 55726c8a17..8289f78dca 100644
--- a/providers/azure/resources/azure.lr.go
+++ b/providers/azure/resources/azure.lr.go
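Review bot: The doc comment `// Security rule direction (outbound or inbound)` on the new `direction` field understates what policy authors have to match: network.go fills it with `(*string)(secRule.Properties.Direction)`, i.e. the Azure SDK enum string passed through verbatim, so the exact casing is whatever the API returns (the SDK constants are, as far as I recall, `Inbound` and `Outbound`, capitalized) and a lowercase comparison in a policy would silently never match. I would make the comment state the pass-through and the expected spellings, e.g. `// Security rule direction as reported by Azure ("Inbound" or "Outbound"); empty when the rule has no properties`. If the intent is a normalized value, the normalization belongs in network.go rather than in this schema comment.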
@@ -1383,6 +1383,9 @@ var getDataFields = map[string]func(r plugin.Resource) *plugin.DataRes{
 	"azure.subscription.networkService.securityrule.destinationPortRange": func(r plugin.Resource) *plugin.DataRes {
 		return (r.(*mqlAzureSubscriptionNetworkServiceSecurityrule).GetDestinationPortRange()).ToDataRes(types.Array(types.Dict))
 	},
+	"azure.subscription.networkService.securityrule.direction": func(r plugin.Resource) *plugin.DataRes {
+		return (r.(*mqlAzureSubscriptionNetworkServiceSecurityrule).GetDirection()).ToDataRes(types.String)
+	},
 	"azure.subscription.networkService.watcher.id": func(r plugin.Resource) *plugin.DataRes {
 		return (r.(*mqlAzureSubscriptionNetworkServiceWatcher).GetId()).ToDataRes(types.String)
 	},
@@ -4042,6 +4045,10 @@ var setDataFields = map[string]func(r plugin.Resource, v *llx.RawData) bool {
 		r.(*mqlAzureSubscriptionNetworkServiceSecurityrule).DestinationPortRange, ok = plugin.RawToTValue[[]interface{}](v.Value, v.Error)
 		return
 	},
+	"azure.subscription.networkService.securityrule.direction": func(r plugin.Resource, v *llx.RawData) (ok bool) {
+		r.(*mqlAzureSubscriptionNetworkServiceSecurityrule).Direction, ok = plugin.RawToTValue[string](v.Value, v.Error)
+		return
+	},
 	"azure.subscription.networkService.watcher.__id": func(r plugin.Resource, v *llx.RawData) (ok bool) {
 		r.(*mqlAzureSubscriptionNetworkServiceWatcher).__id, ok = v.Value.(string)
 		return
@@ -9681,6 +9688,7 @@ type mqlAzureSubscriptionNetworkServiceSecurityrule struct {
 	Etag plugin.TValue[string]
 	Properties plugin.TValue[interface{}]
 	DestinationPortRange plugin.TValue[[]interface{}]
+	Direction plugin.TValue[string]
 }
 
 // createAzureSubscriptionNetworkServiceSecurityrule creates a new instance of this resource
@@ -9740,6 +9748,10 @@ func (c *mqlAzureSubscriptionNetworkServiceSecurityrule) GetDestinationPortRange
 	return &c.DestinationPortRange
 }
 
+func (c *mqlAzureSubscriptionNetworkServiceSecurityrule) GetDirection() *plugin.TValue[string] {
+	return &c.Direction
+}
+
 // mqlAzureSubscriptionNetworkServiceWatcher for the azure.subscription.networkService.watcher resource
 type mqlAzureSubscriptionNetworkServiceWatcher struct {
 	MqlRuntime *plugin.Runtime
diff --git a/providers/azure/resources/azure.lr.manifest.yaml b/providers/azure/resources/azure.lr.manifest.yaml
index 33eb96f31b..8993d970b9 100644
--- a/providers/azure/resources/azure.lr.manifest.yaml
+++ b/providers/azure/resources/azure.lr.manifest.yaml
@@ -1433,6 +1433,7 @@ resources:
   azure.subscription.networkService.securityrule:
     fields:
       destinationPortRange: {}
+      direction: {}
       etag: {}
       id: {}
       name: {}
diff --git a/providers/azure/resources/network.go b/providers/azure/resources/network.go
index 8dcff0ba0d..575571d21d 100644
--- a/providers/azure/resources/network.go
+++ b/providers/azure/resources/network.go
@@ -2050,11 +2050,24 @@ func azureSecurityRuleToMql(runtime *plugin.Runtime, secRule network.SecurityRul
 		}
 	}
 
+	if secRule.Properties != nil && secRule.Properties.DestinationPortRanges != nil {
+		for _, r := range secRule.Properties.DestinationPortRanges {
+			dPortRange := parseAzureSecurityRulePortRange(*r)
+			for i := range dPortRange {
+				destinationPortRange = append(destinationPortRange, map[string]interface{}{
+					"fromPort": dPortRange[i].FromPort,
+					"toPort":   dPortRange[i].ToPort,
+				})
+			}
+		}
+	}
+
 	res, err := CreateResource(runtime, "azure.subscription.networkService.securityrule", map[string]*llx.RawData{
 		"id":                   llx.StringData(convert.ToString(secRule.ID)),
 		"name":                 llx.StringData(convert.ToString(secRule.Name)),
 		"etag":                 llx.StringData(convert.ToString(secRule.Etag)),
+		"direction":            llx.StringDataPtr((*string)(secRule.Properties.Direction)),
 		"properties":           llx.DictData(properties),
 		"destinationPortRange": llx.ArrayData(destinationPortRange, types.String),
 	})
diff --git a/providers/azure/resources/network_test.go b/providers/azure/resources/network_test.go
index fec3425333..0c00eea793 100644
--- a/providers/azure/resources/network_test.go
+++ b/providers/azure/resources/network_test.go
@@ -10,11 +10,13 @@ import (
 )
 
 func TestParseAzurePortRange(t *testing.T) {
-	entry := "80,1024-65535"
+	entry := "*,80,1024-65535"
 	ranges := parseAzureSecurityRulePortRange(entry)
-	assert.Equal(t, 2, len(ranges))
-	assert.Equal(t, "80", ranges[0].FromPort)
-	assert.Equal(t, "80", ranges[0].ToPort)
-	assert.Equal(t, "1024", ranges[1].FromPort)
-	assert.Equal(t, "65535", ranges[1].ToPort)
+	assert.Equal(t, 3, len(ranges))
+	assert.Equal(t, "*", ranges[0].FromPort)
+	assert.Equal(t, "*", ranges[0].ToPort)
+	assert.Equal(t, "80", ranges[1].FromPort)
+	assert.Equal(t, "80", ranges[1].ToPort)
+	assert.Equal(t, "1024", ranges[2].FromPort)
+	assert.Equal(t, "65535", ranges[2].ToPort)
 }
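Review bot: The new `"direction": llx.StringDataPtr((*string)(secRule.Properties.Direction))` line dereferences `secRule.Properties` unconditionally, while the block added a few lines above explicitly guards on `secRule.Properties != nil`; the guard tells us a rule without properties is a case this code expects, and for such a rule this line panics with a nil-pointer dereference and aborts the whole security-group listing instead of yielding an empty direction. Read the direction behind the same nil check into a `*string` and hand that to `llx.StringDataPtr`, as below. Separately, the new loop copies the literal `*` wildcard straight through as both `fromPort` and `toPort` (the test hunk pins exactly this for `parseAzureSecurityRulePortRange`), so any policy that compares these values numerically has to special-case `*`; a one-line comment on the append saying so would save the next reader a surprise. azureSecurityRuleToMql starts before this hunk and, judging by the hunk header's old-line count, one trailing context line after `})` appears to be missing from this excerpt.

```go
	// … unchanged: destinationPortRanges loop …

	// Properties is optional (the loop above already guards on it); never dereference it bare.
	var direction *string
	if secRule.Properties != nil {
		direction = (*string)(secRule.Properties.Direction)
	}

	res, err := CreateResource(runtime, "azure.subscription.networkService.securityrule", map[string]*llx.RawData{
		// … unchanged: id, name, etag …
		"direction":            llx.StringDataPtr(direction),
		// … unchanged: properties, destinationPortRange …
	})
```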