fix(azure): properly check ports in AVD-AZU-0058 and AVD-AZU-0050

Signed-off-by: Nikita Pivkin <[email protected]>

checks/cloud/azure/network/disable_rdp_from_internet.rego

@@ -49,4 +49,7 @@ deny contains res if {
 	)
 }
 
-port_range_includes(from, to, port) if from <= port <= to
+port_range_includes(from, to, port) if {
+	from.value <= port
+	port <= to.value
+}

checks/cloud/azure/network/disable_rdp_from_internet_test.rego

@@ -12,8 +12,8 @@ test_deny_inbound_rule_allows_rdp_access_from_internet if {
 		"protocol": {"value": "Tcp"},
 		"sourceaddresses": [{"value": "*"}],
 		"destinationports": [{
-			"start": 3310,
-			"end": 3390,
+			"start": {"value": 3310},
+			"end": {"value": 3390},
 		}],
 	}]}]}}}
 
@@ -28,8 +28,8 @@ test_allow_inbound_rule_allow_rdp_access_from_specific_address if {
 		"protocol": {"value": "Tcp"},
 		"sourceaddresses": [{"value": "237.84.2.178"}],
 		"destinationports": [{
-			"start": 3310,
-			"end": 3390,
+			"start": {"value": 3310},
+			"end": {"value": 3390},
 		}],
 	}]}]}}}
 
@@ -44,8 +44,24 @@ test_allow_inbound_rule_allow_access_for_icmp if {
 		"protocol": {"value": "Icmp"},
 		"sourceaddresses": [{"value": "*"}],
 		"destinationports": [{
-			"start": 3310,
-			"end": 3390,
+			"start": {"value": 3310},
+			"end": {"value": 3390},
+		}],
+	}]}]}}}
+
+	res := check.deny with input as inp
+	res == set()
+}
+
+test_allow_inbound_rule_allow_access_for_non_rdp_port if {
+	inp := {"azure": {"network": {"securitygroups": [{"rules": [{
+		"outbound": {"value": false},
+		"allow": {"value": true},
+		"protocol": {"value": "Icmp"},
+		"sourceaddresses": [{"value": "*"}],
+		"destinationports": [{
+			"start": {"value": 8080},
+			"end": {"value": 8080},
 		}],
 	}]}]}}}
 

checks/cloud/azure/network/ssh_blocked_from_internet.rego

@@ -47,4 +47,7 @@ deny contains res if {
 	)
 }
 
-port_range_includes(from, to, port) if from <= port <= to
+port_range_includes(from, to, port) if {
+	from.value <= port
+	port <= to.value
+}

checks/cloud/azure/network/ssh_blocked_from_internet_test.rego

@@ -12,8 +12,8 @@ test_deny_inbound_rule_allows_rdp_access_from_internet if {
 		"protocol": {"value": "Tcp"},
 		"sourceaddresses": [{"value": "*"}],
 		"destinationports": [{
-			"start": 22,
-			"end": 22,
+			"start": {"value": 22},
+			"end": {"value": 22},
 		}],
 	}]}]}}}
 
@@ -28,8 +28,8 @@ test_allow_inbound_rule_allow_rdp_access_from_specific_address if {
 		"protocol": {"value": "Tcp"},
 		"sourceaddresses": [{"value": "237.84.2.178"}],
 		"destinationports": [{
-			"start": 22,
-			"end": 22,
+			"start": {"value": 22},
+			"end": {"value": 22},
 		}],
 	}]}]}}}
 
@@ -44,8 +44,24 @@ test_allow_inbound_rule_allow_access_for_icmp if {
 		"protocol": {"value": "Icmp"},
 		"sourceaddresses": [{"value": "*"}],
 		"destinationports": [{
-			"start": 22,
-			"end": 22,
+			"start": {"value": 22},
+			"end": {"value": 22},
+		}],
+	}]}]}}}
+
+	res := check.deny with input as inp
+	res == set()
+}
+
+test_allow_inbound_rule_allow_access_for_non_ssh_port if {
+	inp := {"azure": {"network": {"securitygroups": [{"rules": [{
+		"outbound": {"value": false},
+		"allow": {"value": true},
+		"protocol": {"value": "Tcp"},
+		"sourceaddresses": [{"value": "*"}],
+		"destinationports": [{
+			"start": {"value": 8080},
+			"end": {"value": 8080},
 		}],
 	}]}]}}}
 

test/rego/azure_network_test.go

@@ -104,6 +104,37 @@ var azureNetworkTestCases = testCases{
 			}}},
 			expected: false,
 		},
+		{
+			name: "Security group inbound rule allowing non RDP access from public internet",
+			input: state.State{Azure: azure.Azure{Network: network.Network{
+				SecurityGroups: []network.SecurityGroup{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						Rules: []network.SecurityGroupRule{
+							{
+								Metadata: trivyTypes.NewTestMetadata(),
+								Outbound: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+								Allow:    trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+								SourceAddresses: []trivyTypes.StringValue{
+									trivyTypes.String("*", trivyTypes.NewTestMetadata()),
+								},
+								SourcePorts:          nil,
+								DestinationAddresses: nil,
+								DestinationPorts: []network.PortRange{
+									{
+										Metadata: trivyTypes.NewTestMetadata(),
+										Start:    trivyTypes.IntTest(8080),
+										End:      trivyTypes.IntTest(8080),
+									},
+								},
+								Protocol: trivyTypes.String("Tcp", trivyTypes.NewTestMetadata()),
+							},
+						},
+					},
+				},
+			}}},
+			expected: false,
+		},
 	},
 	"AVD-AZU-0051": {
 		{
@@ -302,6 +333,35 @@ var azureNetworkTestCases = testCases{
 			}}},
 			expected: false,
 		},
+		{
+			name: "Security group rule allowing non SSH access from the public internet",
+			input: state.State{Azure: azure.Azure{Network: network.Network{
+				SecurityGroups: []network.SecurityGroup{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						Rules: []network.SecurityGroupRule{
+							{
+								Metadata: trivyTypes.NewTestMetadata(),
+								Allow:    trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+								Outbound: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+								DestinationPorts: []network.PortRange{
+									{
+										Metadata: trivyTypes.NewTestMetadata(),
+										Start:    trivyTypes.IntTest(8080),
+										End:      trivyTypes.IntTest(8080),
+									},
+								},
+								SourceAddresses: []trivyTypes.StringValue{
+									trivyTypes.String("82.102.23.23", trivyTypes.NewTestMetadata()),
+								},
+								Protocol: trivyTypes.String("Tcp", trivyTypes.NewTestMetadata()),
+							},
+						},
+					},
+				},
+			}}},
+			expected: false,
+		},
 		{
 			name: "Security group rule allowing SSH access from a specific address",
 			input: state.State{Azure: azure.Azure{Network: network.Network{