Framework/Core/SVT/Services/DataLakeStore.ps1
|
Set-StrictMode -Version Latest class DataLakeStore: AzSVTBase { hidden [PSObject] $ResourceObject; DataLakeStore([string] $subscriptionId, [SVTResource] $svtResource): Base($subscriptionId, $svtResource) { $this.GetResourceObject(); } hidden [PSObject] GetResourceObject() { if (-not $this.ResourceObject) { $this.ResourceObject = Get-AzDataLakeStoreAccount -Name $this.ResourceContext.ResourceName ` -ResourceGroupName $this.ResourceContext.ResourceGroupName if(-not $this.ResourceObject) { throw ([SuppressedException]::new(("Resource '{0}' not found under Resource Group '{1}'" -f ($this.ResourceContext.ResourceName), ($this.ResourceContext.ResourceGroupName)), [SuppressedExceptionType]::InvalidOperation)) } } return $this.ResourceObject; } hidden [ControlResult] CheckFirewall([ControlResult] $controlResult) { $firewallSetting = New-Object PSObject Add-Member -InputObject $firewallSetting -MemberType NoteProperty -Name FirewallState -Value $this.ResourceObject.FirewallState Add-Member -InputObject $firewallSetting -MemberType NoteProperty -Name FirewallRules -Value $this.ResourceObject.FirewallRules #Check for any to any rule (0.0.0.0-255.255.255.255) $anyToAnyRuleCount = 0 if(($firewallSetting.FirewallRules|Measure-Object).Count -gt 0) { $anyToAnyRuleCount = (($firewallSetting.FirewallRules | Where-Object{ $_.StartIpAddress -eq $this.ControlSettings.IPRangeStartIP -and $_.EndIpAddress -eq $this.ControlSettings.IPRangeEndIP}) | Measure-Object).count } if($firewallSetting.FirewallState -eq "Disabled") { $controlResult.AddMessage([VerificationResult]::Failed, "Firewall status : ", $firewallSetting.FirewallState) } elseif($anyToAnyRuleCount -gt 0) { $controlResult.AddMessage("Firewall rules - [$this.ResourceContext.ResourceName]", $firewallSetting.FirewallRules) $controlResult.AddMessage([VerificationResult]::Failed,"Any to Any firewall rule ` (Start IP address: $($this.ControlSettings.IPRangeStartIP) To End IP Address :$($this.ControlSettings.IPRangeEndIP)) ` is defined which must be removed.") $controlResult.SetStateData("Firewall rules", $firewallSetting.FirewallRules); } elseif(($firewallSetting.FirewallRules | Measure-Object).Count -gt 0) { $controlResult.AddMessage([VerificationResult]::Verify, "Please verify Firewall rules", $firewallSetting.FirewallRules) $controlResult.SetStateData("Firewall rules", $firewallSetting.FirewallRules) } else { $controlResult.VerificationResult = [VerificationResult]::Passed } return $controlResult; } hidden [ControlResult] CheckACLAccess([ControlResult] $controlResult) { $rootAcl= $null $otherACLDetails = $null try { $rootAcl=Get-AzDataLakeStoreItemAclEntry -Account $this.ResourceContext.ResourceName -Path "/" -ErrorAction Stop } catch { if([Helpers]::CheckMember($_.Exception, "HttpStatus") -and ($_.Exception).HttpStatus -eq [System.Net.HttpStatusCode]::Forbidden) { $controlResult.AddMessage("Access denied: The user does not have the permission to perform this operation. Please check firewall and ACL settings."); return $controlResult } else { throw $_ } } $displayAclObj = $rootAcl | Select-Object Scope,Type,Id,Permission $controlResult.AddMessage("Current ACL setting for root folder of data lake store:", $displayAclObj) #check if ACL access is enabled for "Other" users (Public access) $otherACLDetails= $rootAcl | where-object { $_.Type -eq "Other" -and ($_.Scope -eq "Access" -or $_.Scope -eq "Default") } | Where-Object {$_.Permission -ne "---"} $isCompliant = $null -eq $otherACLDetails if($isCompliant) { $controlResult.VerificationResult = [VerificationResult]::Passed; } else { $displayOtherPermission = $otherACLDetails | Select-Object Scope,Type,Id,Permission $controlResult.AddMessage( [VerificationResult]::Failed, "Other have access to root folder of data lake store:", $displayOtherPermission) $controlResult.SetStateData("Root folder ACL", $displayOtherPermission); } return $controlResult; } hidden [ControlResult] CheckEncryptionAtRest([ControlResult] $controlResult) { $encryptionSettings = $this.ResourceObject | Select-Object -Property EncryptionConfig, EncryptionState, EncryptionProvisioningState if($this.ResourceObject.EncryptionState -eq [Microsoft.Azure.Management.DataLake.Store.Models.EncryptionState]::Enabled) { $controlResult.VerificationResult = [VerificationResult]::Passed; } else { $controlResult.VerificationResult = [VerificationResult]::Failed; } $controlResult.AddMessage("Encryption settings of Data Lake Store account", $encryptionSettings); return $controlResult; } } |