PLA-38601 - Fixed azure security port jobs (#128)
* PLA-38601 - Fixed azure remediation jobs to wait for the poller result

* PLA-38601 - Add all the required source checks for azure security group port rules
kshrutik authored May 13, 2022
1 parent 966d98d commit 52daae6
Showing 3 changed files with 72 additions and 49 deletions.
Expand Up @@ -23,6 +23,7 @@

logging.basicConfig(level=logging.INFO)

source_address_list = ["*", "Internet", "0.0.0.0/0", "0.0.0.0", "/0", "::/0"]

class NetworkSecurityGroupClosePort22(object):
def parse(self, payload):
Expand Down Expand Up @@ -91,26 +92,32 @@ def remediate(self, client, resource_group_name, security_group_name):

for rule in security_rules:
if (
rule.access != "Allow"
or rule.direction != "Inbound"
or rule.source_address_prefix != "*"
rule.protocol in ["*", "TCP"]
and rule.direction == "Inbound"
and rule.access == "Allow"
and (
rule.source_address_prefix in source_address_list
or any(
item in rule.source_address_prefixes
for item in source_address_list
)
)
):
continue
if rule.destination_port_range is not None:
port_range = rule.destination_port_range
if "-" in port_range:
new_ranges = self._find_and_remove_port([port_range], port)
if len(new_ranges) == 1:
rule.destination_port_range = new_ranges[0]
else:
rule.destination_port_range = None
rule.destination_port_ranges = new_ranges
elif int(rule.destination_port_range) == port:
security_rules.remove(rule)
else:
port_ranges = rule.destination_port_ranges
new_ranges = self._find_and_remove_port(port_ranges, port)
rule.destination_port_ranges = new_ranges
if rule.destination_port_range is not None:
port_range = rule.destination_port_range
if "-" in port_range:
new_ranges = self._find_and_remove_port([port_range], port)
if len(new_ranges) == 1:
rule.destination_port_range = new_ranges[0]
else:
rule.destination_port_range = None
rule.destination_port_ranges = new_ranges
elif int(rule.destination_port_range) == port:
security_rules.remove(rule)
else:
port_ranges = rule.destination_port_ranges
new_ranges = self._find_and_remove_port(port_ranges, port)
rule.destination_port_ranges = new_ranges

network_security_group.security_rules = security_rules

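Review bot: The new match condition is case-sensitive on the `rule.protocol in ["*", "TCP"]` line, while the protocol values the Azure network SDK hands back are normally in the `"Tcp"` form (its `SecurityRuleProtocol.TCP` constant is the string `"Tcp"`), so such rules would fail the check and be left open; `rule.protocol.lower() in ("*", "tcp")` removes the dependence on how the rule was originally written. In the same condition, `item in rule.source_address_prefixes` raises TypeError if that attribute comes back as `None` for a rule that only sets `source_address_prefix`, which `(rule.source_address_prefixes or [])` avoids. The re-indented body also keeps two pre-existing problems the commit does not address: `security_rules.remove(rule)` mutates the list being iterated, so the rule after each removed one is never examined, and `int(rule.destination_port_range)` raises ValueError for a wildcard `"*"` destination, which is the most permissive rule this job should be catching — iterate over `list(security_rules)` and handle `"*"` explicitly before the `int()` conversion. The same condition and body are repeated in the other two files of this commit, where the same points apply. remediate's signature sits on the hunk header line and its body continues past the hunk.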
Expand Up @@ -23,6 +23,8 @@

logging.basicConfig(level=logging.INFO)

source_address_list = ["*", "Internet", "0.0.0.0/0", "0.0.0.0", "/0", "::/0"]


class NetworkSecurityGroupClosePort3389(object):
def parse(self, payload):
Expand Down Expand Up @@ -88,26 +90,32 @@ def remediate(self, client, resource_group_name, security_group_name):

for rule in security_rules:
if (
rule.access != "Allow"
or rule.direction != "Inbound"
or rule.source_address_prefix != "*"
rule.protocol in ["*", "TCP"]
and rule.direction == "Inbound"
and rule.access == "Allow"
and (
rule.source_address_prefix in source_address_list
or any(
item in rule.source_address_prefixes
for item in source_address_list
)
)
):
continue
if rule.destination_port_range is not None:
port_range = rule.destination_port_range
if "-" in port_range:
new_ranges = self._find_and_remove_port([port_range], port)
if len(new_ranges) == 1:
rule.destination_port_range = new_ranges[0]
else:
rule.destination_port_range = None
rule.destination_port_ranges = new_ranges
elif int(rule.destination_port_range) == port:
security_rules.remove(rule)
else:
port_ranges = rule.destination_port_ranges
new_ranges = self._find_and_remove_port(port_ranges, port)
rule.destination_port_ranges = new_ranges
if rule.destination_port_range is not None:
port_range = rule.destination_port_range
if "-" in port_range:
new_ranges = self._find_and_remove_port([port_range], port)
if len(new_ranges) == 1:
rule.destination_port_range = new_ranges[0]
else:
rule.destination_port_range = None
rule.destination_port_ranges = new_ranges
elif int(rule.destination_port_range) == port:
security_rules.remove(rule)
else:
port_ranges = rule.destination_port_ranges
new_ranges = self._find_and_remove_port(port_ranges, port)
rule.destination_port_ranges = new_ranges

network_security_group.security_rules = security_rules

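Review bot: The ten-line open-to-Internet condition and the `source_address_list` constant added in this file are verbatim copies of the ones added to the other two files in this commit, so any future correction to what counts as an Internet-exposed source has to be made in three places. A single shared predicate, e.g. `def is_open_inbound_rule(rule) -> bool:` in a module the three jobs import, would reduce each `remediate` loop to `if is_open_inbound_rule(rule):` and keep the jobs in sync. The list itself is never mutated and would read more clearly as a module constant in upper case, e.g. `OPEN_SOURCE_PREFIXES = ("*", "Internet", "0.0.0.0/0", "0.0.0.0", "/0", "::/0")`. remediate's body continues beyond the end of the hunk.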
Expand Up @@ -24,6 +24,8 @@

logging.basicConfig(level=logging.INFO)

source_address_list = ["*", "Internet", "0.0.0.0/0", "0.0.0.0", "/0", "::/0"]


class VMSecurityGroupClosePort22(object):
def parse(self, payload):
Expand Down Expand Up @@ -101,18 +103,24 @@ def remediate(self, compute_client, network_client, resource_group_name, vm_name

for rule in security_rules:
if (
rule.access != "Allow"
or rule.direction != "Inbound"
or rule.source_address_prefix != "*"
rule.protocol in ["*", "TCP"]
and rule.direction == "Inbound"
and rule.access == "Allow"
and (
rule.source_address_prefix in source_address_list
or any(
item in rule.source_address_prefixes
for item in source_address_list
)
)
):
continue
if rule.destination_port_range is not None:
if int(rule.destination_port_range) == port:
security_rules.remove(rule)
else:
port_ranges = rule.destination_port_ranges
new_ranges = self._find_and_remove_port(port_ranges, port)
rule.destination_port_ranges = new_ranges
if rule.destination_port_range is not None:
if int(rule.destination_port_range) == port:
security_rules.remove(rule)
else:
port_ranges = rule.destination_port_ranges
new_ranges = self._find_and_remove_port(port_ranges, port)
rule.destination_port_ranges = new_ranges

network_security_group.security_rules = security_rules

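Review bot: In the re-indented body, `int(rule.destination_port_range)` is reached for every non-`None` single-value destination, so a rule whose destination is a range such as `"20-30"` raises ValueError and aborts the whole VM remediation instead of being narrowed; the other two files in this commit branch on `"-" in port_range` before converting, and this file should mirror that branch so the three jobs behave the same on the same rule. The rewrite below adds that branch around the existing `int()` comparison and leaves the `destination_port_ranges` path untouched. remediate's signature is on the hunk header line and its body continues past the hunk.
```python
            if rule.destination_port_range is not None:
                port_range = rule.destination_port_range
                if "-" in port_range:
                    # Narrow a "lo-hi" range the same way the NSG jobs do.
                    new_ranges = self._find_and_remove_port([port_range], port)
                    if len(new_ranges) == 1:
                        rule.destination_port_range = new_ranges[0]
                    else:
                        rule.destination_port_range = None
                        rule.destination_port_ranges = new_ranges
                elif int(rule.destination_port_range) == port:
                    security_rules.remove(rule)
            # … unchanged: destination_port_ranges branch …
```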
