Framework/Core/SVT/Services/APIManagement.ps1
|
Set-StrictMode -Version Latest class APIManagement: SVTBase { hidden [PSObject] $APIMContext = $null; hidden [PSObject] $APIMInstance = $null; hidden [PSObject] $APIMAPIs = $null; hidden [PSObject] $APIMProducts = $null; hidden [PSObject] $ResourceObject; APIManagement([string] $subscriptionId, [string] $resourceGroupName, [string] $resourceName): Base($subscriptionId, $resourceGroupName, $resourceName) { $this.GetResourceObject(); } APIManagement([string] $subscriptionId, [SVTResource] $svtResource): Base($subscriptionId, $svtResource) { $this.GetResourceObject(); } hidden [PSObject] GetResourceObject() { if (-not $this.ResourceObject) { $this.ResourceObject = Get-AzureRmResource -ResourceName $this.ResourceContext.ResourceName -ResourceGroupName $this.ResourceContext.ResourceGroupName if(-not $this.ResourceObject) { throw ([SuppressedException]::new(("Resource '{0}' not found under Resource Group '{1}'" -f ($this.ResourceContext.ResourceName), ($this.ResourceContext.ResourceGroupName)), [SuppressedExceptionType]::InvalidOperation)) } elseif($this.ResourceObject) { $this.APIMContext = New-AzureRmApiManagementContext -ResourceGroupName $this.ResourceContext.ResourceGroupName -ServiceName $this.ResourceContext.ResourceName $this.APIMInstance = Get-AzureRmApiManagement -ResourceGroupName $this.ResourceContext.ResourceGroupName -Name $this.ResourceContext.ResourceName $this.APIMAPIs = Get-AzureRmApiManagementApi -Context $this.APIMContext $this.APIMProducts = Get-AzureRmApiManagementProduct -Context $this.APIMContext } } return $this.ResourceObject; } [ControlItem[]] ApplyServiceFilters([ControlItem[]] $controls) { $result = @(); if($this.ResourceObject) { $result += $controls; if(-not $this.APIMAPIs) { $result = $result | Where-Object {$_.Tags -notcontains "APIMAPIs" } } if(-not $this.APIMProducts) { $result = $result | Where-Object {$_.Tags -notcontains "APIMProducts" } } } return $result; } hidden [ControlResult] CheckAPIMMetricAlert([ControlResult] $controlResult) { $this.CheckMetricAlertConfiguration($this.ControlSettings.MetricAlert.APIManagement, $controlResult, ""); return $controlResult; } hidden [ControlResult] CheckAPIMURLScheme([ControlResult] $controlResult) { if( $null -ne $this.APIMAPIs) { $noncompliantAPIs = $this.APIMAPIs | where-object{$_.Protocols.count -gt 1 -or $_.Protocols[0] -ne 'https' } if(($noncompliantAPIs|Measure-Object).Count -gt 0) { $controlResult.AddMessage([VerificationResult]::Failed, "Below API(s) are configured to use non-secure HTTP access to the backend via API Management.", $noncompliantAPIs) } else { $controlResult.AddMessage([VerificationResult]::Passed,"") } } return $controlResult; } hidden [ControlResult] CheckSecretNamedValues([ControlResult] $controlResult) { if( $null -ne $this.APIMContext) { $allNamedValues = @() $allNamedValues += Get-AzureRmApiManagementProperty -Context $this.APIMContext if($allNamedValues.count -eq 0) { $controlResult.AddMessage([VerificationResult]::Passed, "Named Values are not added.") } else { $nonsecretNamedValues = $allNamedValues | where-object {$_.Secret -eq $false} if(($nonsecretNamedValues|Measure-Object).Count -gt 0) { $controlResult.AddMessage([VerificationResult]::Verify, "Below Named Values are not marked as secret values. Please mark it as secret if it contains critical data.", $nonsecretNamedValues) } else { $controlResult.AddMessage([VerificationResult]::Passed, "") } } } return $controlResult; } hidden [ControlResult] CheckRequiresSubscription([ControlResult] $controlResult) { if($null -ne $this.APIMProducts) { $Product = $this.APIMProducts | Where-Object { $_.State -eq 'Published' } if(($null -ne $Product) -and ($Product.SubscriptionRequired -contains $false)) { $Product = $Product | Where-Object { $_.SubscriptionRequired -eq $false} $controlResult.AddMessage([VerificationResult]::Failed, "'Requires Subscription' option is turned OFF for below Products in '$($this.ResourceContext.ResourceName)' API Management instance.", $Product ) } else { $controlResult.AddMessage([VerificationResult]::Passed,"") } } return $controlResult; } hidden [ControlResult] CheckRequiresApproval([ControlResult] $controlResult) { if( $null -ne $this.APIMProducts) { $Product = $this.APIMProducts | Where-Object { $_.State -eq 'Published' } if(($null -ne $Product) -and ($Product.ApprovalRequired -contains $false)) { $Product = $Product | Where-Object { $_.ApprovalRequired -eq $false} $controlResult.AddMessage([VerificationResult]::Verify, "'Requires Approval' option is turned OFF for below Products in '$($this.ResourceContext.ResourceName)' API Management instance.", $Product) } else { $controlResult.AddMessage([VerificationResult]::Passed,"") } } return $controlResult; } hidden [ControlResult] CheckManagementAPIDisabled([ControlResult] $controlResult) { if( $null -ne $this.APIMContext) { $tenantAccess = Get-AzureRmApiManagementTenantAccess -Context $this.APIMContext if(($null -ne $tenantAccess) -and ($tenantAccess.Enabled -eq $true)) { $controlResult.AddMessage([VerificationResult]::Failed, "'Enable API Management REST API' option is turned ON.") } else { $controlResult.AddMessage([VerificationResult]::Passed,"") } } return $controlResult; } hidden [ControlResult] CheckGitHubIsUsedInAPIM([ControlResult] $controlResult) { if( $null -ne $this.APIMContext) { $tenantSyncState = Get-AzureRmApiManagementTenantSyncState -Context $this.APIMContext if(($tenantSyncState.IsGitEnabled -eq $true) -and ($tenantSyncState.CommitId -ne $null)) { $controlResult.AddMessage([VerificationResult]::Verify, "Verify that constant string values, including secrets, across all API configuration and policies are not checked in Git repository.") } else { $controlResult.AddMessage([VerificationResult]::Passed,"") } } return $controlResult; } hidden [ControlResult] CheckAADIdentityProviderEnabled([ControlResult] $controlResult) { if( $null -ne $this.APIMContext) { $identityProvider = Get-AzureRmApiManagementIdentityProvider -Context $this.APIMContext if($null -ne $identityProvider) { if($null -ne ($identityProvider | Where-Object {$_.Type -ne "Aad"})) { $controlResult.AddMessage([VerificationResult]::Verify, "Below listed Identity provider(s) are enabled in '$($this.ResourceContext.ResourceName)' API management instance. Enterprise applications using APIM must authenticate developers/applications using Azure Active Directory backed credentials.", $identityProvider) } else { $controlResult.AddMessage([VerificationResult]::Passed,"") } } else { $controlResult.AddMessage([VerificationResult]::Passed,"") } } return $controlResult; } hidden [ControlResult] CheckAPIMDeployedInVNet([ControlResult] $controlResult) { if( $null -ne $this.APIMInstance) { if($this.APIMInstance.VpnType -eq 'None') { $controlResult.AddMessage([VerificationResult]::Verify, "'$($this.ResourceContext.ResourceName)' API management instance is not deployed inside a virtual network. Consider hosting APIM within a virtual network for improved isolation.") } else { $controlResult.AddMessage([VerificationResult]::Manual,"'$($this.ResourceContext.ResourceName)' API management instance is deployed in $($this.APIMInstance.VpnType) mode inside a virtual network.") } } return $controlResult; } hidden [ControlResult] CheckDefaultProductsExist([ControlResult] $controlResult) { if( $null -ne $this.APIMProducts) { $Product = $this.APIMProducts if(($null -ne $Product) -and ($Product.ProductId -contains 'starter' -or $Product.ProductId -contains 'unlimited')) { $controlResult.AddMessage([VerificationResult]::Failed, "APIM contains sample products. Delete the two sample products: Starter and Unlimited.") } else { $controlResult.AddMessage([VerificationResult]::Passed,"") } } return $controlResult; } hidden [ControlResult] CheckClientCertAuthDisabled([ControlResult] $controlResult) { if(($null -ne $this.APIMContext) -and ($null -ne $this.APIMAPIs)) { $ClientCertAuthDisabledInAPIs = ($this.APIMAPIs).ApiId | ForEach-Object { $apiPolicy = Get-AzureRmApiManagementPolicy -Context $this.APIMContext -ApiId $_ $certThumbprint = $apiPolicy | Select-Xml -XPath "//inbound//authentication-certificate" | foreach { $_.Node.thumbprint } if($certThumbprint -eq $null) { $_ } } if($null -ne $ClientCertAuthDisabledInAPIs) { $controlResult.AddMessage([VerificationResult]::Failed, "Client Certificate is not enabled in below APIs.", $ClientCertAuthDisabledInAPIs) } else { $controlResult.AddMessage([VerificationResult]::Passed,"") } } return $controlResult; } hidden [ControlResult] CheckAPIManagementCORSAllowed([ControlResult] $controlResult) { if(($null -ne $this.APIMContext) -and ($null -ne $this.APIMAPIs)) { $Result = @() $this.APIMAPIs | Select-Object ApiId, Name | ForEach-Object { #Policy Scope: API $APIPolicy = Get-AzureRmApiManagementPolicy -Context $this.APIMContext -ApiId $_.ApiId $AllowedOrigins = "" $AllowedOrigins = $APIPolicy | Select-Xml -XPath "//inbound//cors//origin" | foreach { $_.Node.InnerXML } if($null -ne $AllowedOrigins) { $Policy = "" | Select-Object Scope, Name, Id, AllowedOrigins $Policy.Scope = "API" $Policy.Name = $_.Name $Policy.Id = $_.ApiId $Policy.AllowedOrigins = $($AllowedOrigins -join ",") $Result += $Policy } #Policy Scope: Operation Get-AzureRmApiManagementOperation -Context $this.APIMContext -ApiId $_.ApiId | ForEach-Object { $OperationPolicy = Get-AzureRmApiManagementPolicy -Context $this.APIMContext -ApiId $_.ApiId -OperationId $_.OperationId $AllowedOrigins = "" $AllowedOrigins = $OperationPolicy | Select-Xml -XPath "//inbound//cors//origin" | foreach { $_.Node.InnerXML } if($null -ne $AllowedOrigins) { $Policy = "" | Select-Object Scope, ScopeName, ScopeId, AllowedOrigins $Policy.Scope = "Operation" $Policy.ScopeName = $_.Name $Policy.ScopeId = $_.OperationId $Policy.AllowedOrigins = $($AllowedOrigins -join ",") $Result += $Policy } } } $FailedResult = $Result | Where-Object { $_.AllowedOrigins.Split(",") -contains "*" } if(($FailedResult | Measure-Object).Count -gt 0) { $controlResult.AddMessage([VerificationResult]::Failed , [MessageData]::new("CORS is enabled in APIM with access from all domains ('*') " + $this.ResourceContext.ResourceName, $FailedResult)); } elseif(($Result | Measure-Object).Count -gt 0) { $controlResult.AddMessage([VerificationResult]::Verify, [MessageData]::new("CORS is enabled in APIM with access from below custom domains."),$Result); } else { $controlResult.AddMessage([VerificationResult]::Manual, [MessageData]::new("No CORS settings found for "+$this.ResourceContext.ResourceName)); } } return $controlResult; } hidden [ControlResult] CheckRestrictedCallerIPs([ControlResult] $controlResult) { if( $null -ne $this.APIMContext) { $Result = @() #Policy Scope: Gobal $GlobalPolicy = Get-AzureRmApiManagementPolicy -Context $this.APIMContext $RestrictedIPs = "" $RestrictedIPs = $GlobalPolicy | Select-Xml -XPath "//inbound//ip-filter" | foreach { $_.Node } $Policy = "" | Select Scope, ScopeName, ScopeId, Action, AllowedIPs, Status $Policy.Scope = "Global" $Policy.ScopeName = "NA" $Policy.ScopeId = "NA" $Policy.Action = "" $Policy.AllowedIPs = "" if($null -ne $RestrictedIPs) { $Policy.Action = $RestrictedIPs.Action $Policy.AllowedIPs = $RestrictedIPs.InnerXML $Policy.Status = 'Enabled' } else { $Policy.Status = 'Not Enabled' } $Result += $Policy #Policy Scope: Product if($null -ne $this.APIMProducts) { $this.APIMProducts | ForEach-Object { $ProductPolicy = Get-AzureRmApiManagementPolicy -Context $this.APIMContext -ProductId $_.ProductId $RestrictedIPs = "" $RestrictedIPs = $ProductPolicy | Select-Xml -XPath "//inbound//ip-filter" | foreach { $_.Node } $Policy = "" | Select Scope, ScopeName, ScopeId, Action, AllowedIPs, Status $Policy.Scope = "Product" $Policy.ScopeName = $_.Title $Policy.ScopeId = $_.ProductId $Policy.Action = "" $Policy.AllowedIPs = "" if($null -ne $RestrictedIPs) { $Policy.Action = $RestrictedIPs.Action $Policy.AllowedIPs = $RestrictedIPs.InnerXML $Policy.Status = 'Enabled' } else { $Policy.Status = 'Not Enabled' } $Result += $Policy } } #Policy Scope: API #Policy Scope: Operation if($null -ne $this.APIMAPIs) { $this.APIMAPIs | Select-Object ApiId, Name | ForEach-Object { #Policy Scope: API $APIPolicy = Get-AzureRmApiManagementPolicy -Context $this.APIMContext -ApiId $_.ApiId $RestrictedIPs = "" $RestrictedIPs = $APIPolicy | Select-Xml -XPath "//inbound//ip-filter" | foreach { $_.Node } $Policy = "" | Select Scope, ScopeName, ScopeId, Action, AllowedIPs, Status $Policy.Scope = "API" $Policy.ScopeName = $_.Name $Policy.ScopeId = $_.ApiId $Policy.Action = "" $Policy.AllowedIPs = "" if($null -ne $RestrictedIPs) { $Policy.Action = $RestrictedIPs.Action $Policy.AllowedIPs = $RestrictedIPs.InnerXML $Policy.Status = 'Enabled' } else { $Policy.Status = 'Not Enabled' } $Result += $Policy #Policy Scope: Operation Get-AzureRmApiManagementOperation -Context $this.APIMContext -ApiId $_.ApiId | ForEach-Object { $OperationPolicy = Get-AzureRmApiManagementPolicy -Context $this.APIMContext -ApiId $_.ApiId -OperationId $_.OperationId $RestrictedIPs = "" $RestrictedIPs = $APIPolicy | Select-Xml -XPath "//inbound//ip-filter" | foreach { $_.Node } $Policy = "" | Select Scope, ScopeName, ScopeId, Action, AllowedIPs, Status $Policy.Scope = "Operation" $Policy.ScopeName = $_.Name $Policy.ScopeId = $_.OperationId $Policy.Action = "" $Policy.AllowedIPs = "" if($null -ne $RestrictedIPs) { $Policy.Action = $RestrictedIPs.Action $Policy.AllowedIPs = $RestrictedIPs.InnerXML $Policy.Status = 'Enabled' } else { $Policy.Status = 'Not Enabled' } $Result += $Policy } } } if($null -ne $Result) { $controlResult.AddMessage([VerificationResult]::Verify, "Below IP restriction(s) are configured in $($this.ResourceContext.ResourceName) API management instance.", $Result) } else { $controlResult.AddMessage([VerificationResult]::Verify,"Unable to validate control.Please verify from portal, IP restirction is enabled for APIs.") } } return $controlResult; } hidden [ControlResult] CheckApplicationInsightsEnabled([ControlResult] $controlResult) { if( $null -ne $this.APIMContext) { $apimLogger = Get-AzureRmApiManagementLogger -Context $this.APIMContext | Where-Object { $_.Type -eq 'ApplicationInsights' } if($null -ne $apimLogger) { $controlResult.AddMessage([VerificationResult]::Verify, "Application Insights logger is enabled for" + $this.ResourceContext.ResourceName, $apimLogger) } else { $controlResult.AddMessage([VerificationResult]::Passed,"") } } return $controlResult; } hidden [ControlResult] CheckGuestGroupUsedInProduct([ControlResult] $controlResult) { if(($null -ne $this.APIMContext) -and ($null -ne $this.APIMProducts)) { $GuestGroupUsedInProductList = $this.APIMProducts | ForEach-Object { if((Get-AzureRmApiManagementGroup -Context $this.APIMContext -ProductId $_.ProductId).GroupId -contains 'guests') { $_ } } if($null -ne $GuestGroupUsedInProductList) { $controlResult.AddMessage([VerificationResult]::Verify, "Guest groups is added to below products access control.", $GuestGroupUsedInProductList) } else { $controlResult.AddMessage([VerificationResult]::Passed,"") } } return $controlResult; } hidden [ControlResult] CheckDelegatedAuthNEnabled([ControlResult] $controlResult) { $ResourceAppIdURI = [WebRequestHelper]::GetResourceManagerUrl() $uri=[system.string]::Format($ResourceAppIdURI+"subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.ApiManagement/service/{2}/portalsettings/delegation?api-version=2018-06-01-preview",$this.SubscriptionContext.SubscriptionId,$this.ResourceContext.ResourceGroupName,$this.ResourceContext.ResourceName) $json=$null; try { $json=[WebRequestHelper]::InvokeGetWebRequest($uri); } catch { $json=$null; } if(($null -ne $json) -and (($json | Measure-Object).Count -gt 0)) { if(([Helpers]::CheckMember($json[0],"properties")) -and (($json[0].properties.subscriptions.enabled -eq $true) -or ($json[0].properties.userRegistration.enabled -eq $true))) { $controlResult.AddMessage([VerificationResult]::Verify, [MessageData]::new("Delegated authentication is enabled for $($this.ResourceContext.ResourceName). Please ensure that it is implemented securely.")); } else { $controlResult.AddMessage([VerificationResult]::Passed, [MessageData]::new("")); } } else { $controlResult.AddMessage([VerificationResult]::Verify, [MessageData]::new("Unable to validate control.Please verify from portal, Delegated authentication is On or Off.")); } return $controlResult; } hidden [ControlResult] CheckAPIManagementMsiEnabled([ControlResult] $controlResult) { if($null -ne $this.APIMInstance) { if(([Helpers]::CheckMember($this.APIMInstance,"Identity.Type")) -and ($this.APIMInstance.Identity.type -eq "SystemAssigned")) { $controlResult.AddMessage([VerificationResult]::Passed, [MessageData]::new("Your APIM instance is using Managed Service Identity(MSI). It is specifically turned On.")); } else { $controlResult.AddMessage([VerificationResult]::Failed, [MessageData]::new("Your APIM instance is not using Managed Service Identity(MSI). It is specifically turned Off.")); } } return $controlResult; } hidden [ControlResult] CheckUserAuthorizationSettingInAPI([ControlResult] $controlResult) { $UserAuthDisabledApi = $this.CheckUserAuthorizationSettingEnabledinAPI(); if($UserAuthDisabledApi -ne 'ResourceNotFound') { if($null -ne $UserAuthDisabledApi) { $controlResult.AddMessage([VerificationResult]::Failed, "User Authorization : OAuth 2.0 or OpenID connect is not enabled in below APIs.", $UserAuthDisabledApi) } else { $controlResult.AddMessage([VerificationResult]::Passed,"") } } return $controlResult; } hidden [ControlResult] CheckJWTValidatePolicyInAPI([ControlResult] $controlResult) { $UserAuthDisabledApi = $this.CheckUserAuthorizationSettingEnabledinAPI(); if(($UserAuthDisabledApi -ne 'ResourceNotFound') -and ($null -ne $this.APIMContext) -and ($null -ne $this.APIMAPIs)) { $JWTValidatePolicyNotFound = $this.APIMAPIs | ForEach-Object { $apiPolicy = Get-AzureRmApiManagementPolicy -Context $this.APIMContext -ApiId $_.ApiId $IsPolicyEnabled = $apiPolicy | Select-Xml -XPath "//inbound//validate-jwt" if($null -eq $IsPolicyEnabled) { $_ } } $Temp = Compare-Object -ReferenceObject $UserAuthDisabledApi.ApiID -DifferenceObject $JWTValidatePolicyNotFound.ApiId -IncludeEqual | Where-Object { $_.SideIndicator -eq "==" } if(($null -ne $JWTValidatePolicyNotFound) -and ($null -ne $UserAuthDisabledApi) -and ($null -ne $Temp)) { $controlResult.AddMessage([VerificationResult]::Failed, "The 'validate-jwt' policy is not configured in below APIs.", $JWTValidatePolicyNotFound) } elseif($null -ne $JWTValidatePolicyNotFound) { $controlResult.AddMessage([VerificationResult]::Verify,"The 'validate-jwt' policy is not configured in below APIs.", $JWTValidatePolicyNotFound) } else { $controlResult.AddMessage([VerificationResult]::Passed,"") } } return $controlResult; } hidden [PSObject] CheckUserAuthorizationSettingEnabledinAPI() { if( $null -ne $this.APIMContext -and ($null -ne $this.APIMAPIs)) { $ResourceAppIdURI = [WebRequestHelper]::GetResourceManagerUrl() $UserAuthDisabledApi = @() $this.APIMAPIs | ForEach-Object { $uri=[system.string]::Format($ResourceAppIdURI+"subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.ApiManagement/service/{2}/apis/{3}?api-version=2018-06-01-preview",$this.SubscriptionContext.SubscriptionId,$this.ResourceContext.ResourceGroupName,$this.ResourceContext.ResourceName,$_.ApiId) $json=$null; try { $json=[WebRequestHelper]::InvokeGetWebRequest($uri); } catch { $json=$null; } if(($null -ne $json) -and (($json | Measure-Object).Count -gt 0)) { if(([Helpers]::CheckMember($json[0],"properties.authenticationSettings")) -and (-not ([Helpers]::CheckMember($json, "properties.authenticationSettings.oAuth2") -or [Helpers]::CheckMember($json, "properties.authenticationSettings.openid")))) { $UserAuthDisabledApi += $_ } } } return $UserAuthDisabledApi; } else { return "ResourceNotFound"; } } } |