Framework/Core/SVT/Services/DataLakeStore.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
Set-StrictMode -Version Latest 
class DataLakeStore: SVTBase
{       
    hidden [PSObject] $ResourceObject;

    DataLakeStore([string] $subscriptionId, [string] $resourceGroupName, [string] $resourceName): 
        Base($subscriptionId, $resourceGroupName, $resourceName) 
    { 
        $this.GetResourceObject();
    }

    DataLakeStore([string] $subscriptionId, [SVTResource] $svtResource): 
        Base($subscriptionId, $svtResource) 
    { 
        $this.GetResourceObject();
    }

    hidden [PSObject] GetResourceObject()
    {
        if (-not $this.ResourceObject) {
            $this.ResourceObject = Get-AzureRmDataLakeStoreAccount -Name $this.ResourceContext.ResourceName `
                                            -ResourceGroupName $this.ResourceContext.ResourceGroupName
            if(-not $this.ResourceObject)
            {
                throw ([SuppressedException]::new(("Resource '{0}' not found under Resource Group '{1}'" -f ($this.ResourceContext.ResourceName), ($this.ResourceContext.ResourceGroupName)), [SuppressedExceptionType]::InvalidOperation))
            }
        }
        return $this.ResourceObject;
    }
    
    hidden [ControlResult] CheckFirewall([ControlResult] $controlResult)
    {   
        $firewallSetting = New-Object PSObject
        Add-Member -InputObject $firewallSetting -MemberType NoteProperty -Name FirewallState -Value $this.ResourceObject.FirewallState   
        Add-Member -InputObject $firewallSetting -MemberType NoteProperty  -Name FirewallRules -Value $this.ResourceObject.FirewallRules

        #Check for any to any rule (0.0.0.0-255.255.255.255)
        $anyToAnyRuleCount = 0
        if(($firewallSetting.FirewallRules|Measure-Object).Count -gt 0)
        {
            $anyToAnyRuleCount = (($firewallSetting.FirewallRules | Where-Object{ 
            $_.StartIpAddress -eq $this.ControlSettings.IPRangeStartIP -and $_.EndIpAddress -eq  $this.ControlSettings.IPRangeEndIP}) | Measure-Object).count        
        }

        if($firewallSetting.FirewallState -eq "Disabled") 
        {  
           $controlResult.AddMessage([VerificationResult]::Failed, "Firewall status : ", $firewallSetting.FirewallState)
        } 
        elseif($anyToAnyRuleCount -gt 0)
        {
            $controlResult.AddMessage("Firewall rules - [$this.ResourceContext.ResourceName]", $firewallSetting.FirewallRules)
            $controlResult.AddMessage([VerificationResult]::Failed,"Any to Any firewall rule `
            (Start IP address: $this.ControlSettings.IPRangeStartIP To End IP Address :$this.ControlSettings.IPRangeEndIP) `
            is defined which must be removed."
)
            $controlResult.SetStateData("Firewall rules", $firewallSetting.FirewallRules);                      
        }
        elseif(($firewallSetting.FirewallRules | Measure-Object).Count -gt 0)
        {
            $controlResult.AddMessage([VerificationResult]::Verify, "Please verify Firewall rules", $firewallSetting.FirewallRules)
            $controlResult.SetStateData("Firewall rules", $firewallSetting.FirewallRules)  
        }
        else
        {
            $controlResult.VerificationResult = [VerificationResult]::Passed
        }
       
        return $controlResult;
    }
        
    hidden [ControlResult] CheckACLAccess([ControlResult] $controlResult)
    {  
            $rootAcl= $null 
            $otherACLDetails = $null 
            try
            {
                $rootAcl=Get-AzureRmDataLakeStoreItemAclEntry -Account $this.ResourceContext.ResourceName -Path "/" -ErrorAction Stop
            }
            catch
            {
                if([Helpers]::CheckMember($_.Exception, "HttpStatus") -and ($_.Exception).HttpStatus -eq [System.Net.HttpStatusCode]::Forbidden)
                {
                    $controlResult.AddMessage("Access denied: The user does not have the permission to perform this operation. Please check firewall and ACL settings.");
                    return $controlResult
                }
                else
                {
                    throw $_
                }
            }
        
            $displayAclObj =  $rootAcl | Select-Object Scope,Type,Id,Permission
            $controlResult.AddMessage("Current ACL setting for root folder of data lake store:", $displayAclObj)        
            
            #check if ACL access is enabled for "Other" users (Public access)
            $otherACLDetails= $rootAcl | where-object { $_.Type -eq "Other" -and ($_.Scope -eq "Access" -or $_.Scope -eq "Default") } | Where-Object {$_.Permission -ne "---"} 
            $isCompliant =  $null -eq $otherACLDetails 
            if($isCompliant)
            {
                $controlResult.VerificationResult = [VerificationResult]::Passed; 
            }
            else
            {
                $displayOtherPermission = $otherACLDetails |  Select-Object Scope,Type,Id,Permission
                $controlResult.AddMessage( [VerificationResult]::Failed, "Other have access to root folder of data lake store:", $displayOtherPermission)    
                $controlResult.SetStateData("Root folder ACL", $displayOtherPermission); 
            }    
         
        return $controlResult;
    }

    hidden [ControlResult] CheckEncryptionAtRest([ControlResult] $controlResult)
    {   
        $encryptionSettings = $this.ResourceObject | Select-Object -Property EncryptionConfig, EncryptionState, EncryptionProvisioningState
        if($this.ResourceObject.EncryptionState -eq [Microsoft.Azure.Management.DataLake.Store.Models.EncryptionState]::Enabled)
        {
            $controlResult.VerificationResult = [VerificationResult]::Passed;
        }
        else
        {
            $controlResult.VerificationResult = [VerificationResult]::Failed;
        }

        $controlResult.AddMessage("Encryption settings of Data Lake Store account", $encryptionSettings);    
        return $controlResult;
    }
   
}