Framework/Core/SVT/Services/ServiceBus.ps1
#using namespace Microsoft.Azure.Commands.ServiceBus.Models Set-StrictMode -Version Latest class ServiceBus: SVTBase { hidden [PSObject[]] $NameSpacePolicies; hidden [PSObject[]] $Queues; hidden [PSObject[]] $Topics; ServiceBus([string] $subscriptionId, [string] $resourceGroupName, [string] $resourceName): Base($subscriptionId, $resourceGroupName, $resourceName) { } ServiceBus([string] $subscriptionId, [SVTResource] $svtResource): Base($subscriptionId, $svtResource) { $this.GetServiceBusDetails(); } hidden [void] GetServiceBusDetails() { if (-not $this.NameSpacePolicies) { $this.NameSpacePolicies = Get-AzureRmServiceBusNamespaceAuthorizationRule -ResourceGroup $this.ResourceContext.ResourceGroupName ` -NamespaceName $this.ResourceContext.ResourceName } # Get All Queues if (-not $this.Queues) { $this.Queues = Get-AzureRmServiceBusQueue -ResourceGroup $this.ResourceContext.ResourceGroupName -NamespaceName $this.ResourceContext.ResourceName } if (-not $this.Topics) { $this.Topics = Get-AzureRmServiceBusTopic -ResourceGroup $this.ResourceContext.ResourceGroupName -NamespaceName $this.ResourceContext.ResourceName } } hidden [ControlResult[]] CheckServiceBusRootPolicy([ControlResult] $controlResult) { [ControlResult[]] $resultControlResultList = @() #region "NameSpace" [ControlResult] $childControlResult = [ControlResult]@{ #ChildResourceName = $this.ResourceContext.ResourceName; }; $childControlResult.SetStateData("Authorization rules for Namespace", $this.NameSpacePolicies); $childControlResult.AddMessage([VerificationResult]::Verify, [MessageData]::new("Authorization rules for Namespace - ["+ $this.ResourceContext.ResourceName +"]. Validate that these rules must not be used at Queue/Topic level to send and receive messages.", $this.NameSpacePolicies)); $resultControlResultList += $childControlResult #endregion #region "Queue" if(($this.Queues|Measure-Object).count -gt 0) { foreach ($queue in $this.Queues) { [ControlResult] $childControlResult = [ControlResult]@{ ChildResourceName = $queue.Name; }; $queuePolicies = Get-AzureRmServiceBusQueueAuthorizationRule -ResourceGroup $this.ResourceContext.ResourceGroupName ` -NamespaceName $this.ResourceContext.ResourceName -QueueName $queue.Name if(($queuePolicies|Measure-Object).count -gt 0) { $childControlResult.AddMessage([VerificationResult]::Verify, [MessageData]::new("Validate that Queue - ["+ $queue.Name +"] must not use access policies defined at Service Bus namespace level.")); } else { $childControlResult.AddMessage([VerificationResult]::Failed, [MessageData]::new("No Authorization rules defined for Queue - ["+ $queue.Name +"]. Applications (senders/receivers) must not use access policies defined at Service Bus namespace level.")); } $resultControlResultList += $childControlResult } } else { $controlResult.AddMessage([MessageData]::new("Queue not available in Namespace - ["+ $this.ResourceContext.ResourceName +"]")); } #endregion #region "Topic" if(($this.Topics|Measure-Object).count -gt 0) { foreach ($topic in $this.Topics) { [ControlResult] $childControlResult = [ControlResult]@{ ChildResourceName = $topic.Name; }; $topicPolicies = Get-AzureRmServiceBusTopicAuthorizationRule -ResourceGroup $this.ResourceContext.ResourceGroupName ` -NamespaceName $this.ResourceContext.ResourceName -TopicName $topic.Name if(($topicPolicies|Measure-Object).count -gt 0) { $childControlResult.AddMessage([VerificationResult]::Verify, [MessageData]::new("Validate that Topic - ["+ $topic.Name +"] must not use access policies defined at Service Bus namespace level.")); } else { $childControlResult.AddMessage([VerificationResult]::Failed, [MessageData]::new("No Authorization rules defined for Topic - ["+ $topic.Name +"]. Applications (senders/receivers) must not use access policies defined at Service Bus namespace level.")); } $resultControlResultList += $childControlResult } } else { $controlResult.AddMessage([MessageData]::new("Topics not available in Namespace - ["+ $this.ResourceContext.ResourceName +"]")); } #endregion return $resultControlResultList; } hidden [ControlResult[]] CheckServiceBusAuthorizationRule([ControlResult] $controlResult) { [ControlResult[]] $resultControlResultList = @() #region "NameSpace" [ControlResult] $childControlResult = [ControlResult]@{ #ChildResourceName = $this.ResourceContext.ResourceName; }; $childControlResult.SetStateData("Authorization rules for Namespace", $this.NameSpacePolicies); $childControlResult.AddMessage([VerificationResult]::Verify, [MessageData]::new("Authorization rules for Namespace - ["+ $this.ResourceContext.ResourceName +"]. Validate that these rules are defined at correct entity level and with more limited permissions.", $this.NameSpacePolicies)); $resultControlResultList += $childControlResult #endregion #region "Queue" if(($this.Queues|Measure-Object).count -gt 0) { foreach ($queue in $this.Queues) { [ControlResult] $childControlResult = [ControlResult]@{ ChildResourceName = $queue.Name; }; $queuePolicies = Get-AzureRmServiceBusQueueAuthorizationRule -ResourceGroup $this.ResourceContext.ResourceGroupName ` -NamespaceName $this.ResourceContext.ResourceName -QueueName $queue.Name if(($queuePolicies|Measure-Object).count -gt 0) { $childControlResult.SetStateData("Authorization rules for Queue:" + $queue.Name , $queuePolicies); $childControlResult.AddMessage([VerificationResult]::Verify, [MessageData]::new("Authorization rules for Queue - ["+ $queue.Name +"]. Validate that these rules are defined at correct entity level and with more limited permissions.", $queuePolicies)); } else { $childControlResult.AddMessage([VerificationResult]::Passed, [MessageData]::new("No Authorization rules defined for Queue - ["+ $queue.Name +"].")); } $resultControlResultList += $childControlResult } } else { $controlResult.AddMessage([MessageData]::new("Queue not available in Namespace - ["+ $this.ResourceContext.ResourceName +"]")); } #endregion #region "Topic" if(($this.Topics|Measure-Object).count -gt 0) { foreach ($topic in $this.Topics) { [ControlResult] $childControlResult = [ControlResult]@{ ChildResourceName = $topic.Name; }; $topicPolicies = Get-AzureRmServiceBusTopicAuthorizationRule -ResourceGroup $this.ResourceContext.ResourceGroupName ` -NamespaceName $this.ResourceContext.ResourceName -TopicName $topic.Name if(($topicPolicies|Measure-Object).count -gt 0) { $childControlResult.SetStateData("Authorization rules for Topic:" + $topic.Name , $topicPolicies); $childControlResult.AddMessage([VerificationResult]::Verify, [MessageData]::new("Authorization rules for Topic - ["+ $topic.Name +"]. Validate that these rules are defined at correct entity level and with more limited permissions.", $topicPolicies)); } else { $childControlResult.AddMessage([VerificationResult]::Passed, [MessageData]::new("No Authorization rules defined for Topic - ["+ $topic.Name +"].")); } $resultControlResultList += $childControlResult } } else { $controlResult.AddMessage([MessageData]::new("Topics not available in Namespace - ["+ $this.ResourceContext.ResourceName +"]")); } #endregion return $resultControlResultList; } } |