
webapp

Sample rules

A few rules that use objects from this package:

non_car_authentication_enabled_in_function_app
from typing import List, Dict

from cloudrail.knowledge.context.azure.azure_environment_context import AzureEnvironmentContext
from cloudrail.knowledge.rules.azure.azure_base_rule import AzureBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class FunctionAppAuthenticationEnableRule(AzureBaseRule):
    """Flag Function Apps whose App Service authentication is switched off.

    Only Function Apps that carry an ``app_service_config`` with an
    ``auth_settings`` block are inspected; a Function App where either is
    ``None`` produces no issue.
    """

    def get_id(self) -> str:
        """Return the rule identifier this rule is reported under."""
        return 'non_car_authentication_enabled_in_function_app'

    def execute(self, env_context: AzureEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        """Return one Issue per Function App whose ``auth_settings.enabled`` is false.

        Args:
            env_context: Azure context; its ``function_apps`` are iterated.
            parameters: Rule parameters (not used by this rule).

        Returns:
            Issues in the order the Function Apps were visited.
        """
        issues: List[Issue] = []
        for func_app in env_context.function_apps:
            config = func_app.app_service_config
            if config is None:
                continue
            auth = config.auth_settings
            # NOTE(review): a missing auth_settings block is skipped rather than
            # flagged; whether "absent" means "authentication disabled" in the
            # source model is not visible here — confirm before relying on it.
            if auth is None or auth.enabled:
                continue
            name = func_app.get_friendly_name()
            issues.append(Issue(
                f'The Function App `{name}` does not have authentication enabled.',
                func_app,
                func_app,
            ))
        return issues

    def should_run_rule(self, environment_context: AzureEnvironmentContext) -> bool:
        """Run only when the context contains at least one Function App."""
        return bool(environment_context.function_apps)
non_car_diagnostic_logs_enabled_in_app_services
from typing import List, Dict

from cloudrail.knowledge.context.azure.azure_environment_context import AzureEnvironmentContext
from cloudrail.knowledge.rules.azure.azure_base_rule import AzureBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class AppServiceDiagnosticLogsRule(AzureBaseRule):
    """Flag App Services whose diagnostic logging is absent or incomplete.

    An App Service without a ``logs`` block gets a single "no logging" issue;
    one with a ``logs`` block gets one issue listing every disabled log type
    (HTTP logging, request tracing, detailed error logging). App Services
    without an ``app_service_config`` are skipped.
    """

    def get_id(self) -> str:
        """Return the rule identifier this rule is reported under."""
        return 'non_car_diagnostic_logs_enabled_in_app_services'

    def execute(self, env_context: AzureEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        """Return at most one Issue per App Service describing its logging gaps.

        Args:
            env_context: Azure context; its ``app_services`` are iterated.
            parameters: Rule parameters (not used by this rule).

        Returns:
            Issues in the order the App Services were visited.
        """
        issues: List[Issue] = []
        for app_service in env_context.app_services:
            config = app_service.app_service_config
            if config is None:
                continue
            name = app_service.get_friendly_name()
            logs = config.logs
            if logs is None:
                issues.append(Issue(f'The web app `{name}` does not have logging enabled', app_service, app_service))
                continue
            # Each entry pairs a log-type flag with the evidence text emitted when it is off.
            checks = (
                (logs.http_logging_enabled, f'The web app `{name}` does not have HTTP logging enabled'),
                (logs.request_tracing_enabled, f'The web app `{name}` does not have request tracing enabled'),
                (logs.detailed_error_logging_enabled, f'The web app `{name}` does not have detailed error logging enabled'),
            )
            evidence: List[str] = [message for enabled, message in checks if not enabled]
            if evidence:
                # All gaps for one App Service are folded into a single issue.
                issues.append(Issue('. '.join(evidence), app_service, app_service))
        return issues

    def should_run_rule(self, environment_context: AzureEnvironmentContext) -> bool:
        """Run only when the context contains at least one App Service."""
        return bool(environment_context.app_services)
non_car_client_certificates_required_in_web_app
from typing import List, Dict
from cloudrail.knowledge.context.azure.azure_environment_context import AzureEnvironmentContext
from cloudrail.knowledge.rules.azure.azure_base_rule import AzureBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class AppServiceClientCertificatesRequiredRule(AzureBaseRule):
    """Flag App Services that do not require client certificates.

    Every App Service in the context is checked; the decision rests solely
    on the truthiness of ``client_cert_required``.
    """

    def get_id(self) -> str:
        """Return the rule identifier this rule is reported under."""
        return 'non_car_client_certificates_required_in_web_app'

    def execute(self, env_context: AzureEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        """Return one Issue per App Service whose ``client_cert_required`` is falsy.

        Args:
            env_context: Azure context; its ``app_services`` are iterated.
            parameters: Rule parameters (not used by this rule).

        Returns:
            Issues in the order the App Services were visited.
        """
        issues: List[Issue] = []
        for app_service in env_context.app_services:
            if app_service.client_cert_required:
                continue
            issues.append(Issue(
                f'The {app_service.get_type()} `{app_service.get_friendly_name()}` does not have client certificates enabled.',
                app_service,
                app_service,
            ))
        return issues

    def should_run_rule(self, environment_context: AzureEnvironmentContext) -> bool:
        """Run only when the context contains at least one App Service."""
        return bool(environment_context.app_services)

AzureFunctionApp (AzureResource, IManagedIdentityResource)

Attributes:

Name Type Description
name

Function app resource name.

app_service_config AzureAppServiceConfig

App service configuration.

client_cert_mode FieldMode

The mode of the Function App's client certificates requirement for incoming requests.

https_only

Indicates if the Function App can only be accessed via HTTPS.

identities_ids List[str]

The managed identities associated with the function app.

managed_identities List[AzureManagedIdentity]

All managed identities associated with the function app.

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process

AzureAppService (AzureResource, IManagedIdentityResource)

Attributes:

Name Type Description
name str

The name of this AppService.

app_service_config AzureAppServiceConfig

App service configuration.

https_only bool

Indicates if the App Service can only be accessed via HTTPS.

client_cert_required bool

Indicates if client certificates are required for the Web App.

identities_ids List[str]

The managed identities associated with the app service.

managed_identities List[AzureManagedIdentity]

All managed identities associated with the app service.

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process

AuthSettings dataclass

AuthSettings(enabled: bool)

AzureAppServiceConfig (AzureResource)

Attributes:

Name Type Description
name str

The name of the AppService to which this config belongs.

ftps_state FtpsState

The FTPS state defined in this config. Either AllAllowed, FTPSOnly or Disabled.

auth_settings AuthSettings

App service authentication settings.

minimum_tls_version str

The minimum supported TLS version for the function app.

http2_enabled bool

Indicates whether the HTTP/2 protocol should be enabled.

logs DiagnosticLogs

The DiagnosticLogs indicate whether the logs (detailed error messages, HTTP logging, and failed request tracing) are enabled or not.

linux_fx_version str

Linux App Framework and version for the AppService.

java_version str

Java version hosted by the function app in Azure.

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process

DiagnosticLogs dataclass

Attributes:

Name Type Description
detailed_error_logging_enabled bool

Indicates if detailed error logging is enabled.

http_logging_enabled bool

Indicates if HTTP logging is enabled.

request_tracing_enabled bool

Indicates if request tracing logging is enabled.