Fixed symbolic references with Azure.Deployment.AdminUsername Azure#3146 (Azure#3160)

BernieWhite · web-flow · commit 390793526d1e · 2024-11-02T13:08:26.000+10:00
diff --git a/docs/CHANGELOG-v1.md b/docs/CHANGELOG-v1.md
@@ -32,6 +32,8 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
 - Bug fixes:
   - Fixed evaluation of `Azure.NSG.LateralTraversal` with empty string properties by @BernieWhite.
     [#3130](https://github.com/Azure/PSRule.Rules.Azure/issues/3130)
+  - Fixed evaluation of `Azure.Deployment.AdminUsername` with symbolic references by @BernieWhite.
+    [#3146](https://github.com/Azure/PSRule.Rules.Azure/issues/3146)
 
 ## v1.40.0-B0029 (pre-release)
 
diff --git a/src/PSRule.Rules.Azure/Runtime/Helper.cs b/src/PSRule.Rules.Azure/Runtime/Helper.cs
@@ -55,8 +55,10 @@ public static string CompressExpression(string expression)
     /// </summary>
     public static bool HasLiteralValue(string expression)
     {
-        return !IsTemplateExpression(expression) ||
-            TokenStreamValidator.HasLiteralValue(ExpressionParser.Parse(expression));
+        return !string.IsNullOrEmpty(expression) && (
+            !IsTemplateExpression(expression) ||
+            TokenStreamValidator.HasLiteralValue(ExpressionParser.Parse(expression))
+        );
     }
 
     /// <summary>
diff --git a/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1
@@ -123,8 +123,17 @@ function global:RecurseDeploymentSensitive {
         [PSObject]$Deployment
     )
     process {
+        Write-Debug "Deployment is: $($Deployment.name)";
         $propertyNames = $Configuration.GetStringValues('AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES');
+
+        # Resources could be an object or an array. Check if it is an object and enumerate properties instead.
         $resources = @($Deployment.properties.template.resources);
+        if ($Deployment.properties.template.resources -is [System.Management.Automation.PSObject]) {
+            $resources = @($Deployment.properties.template.resources.PSObject.Properties.GetEnumerator() | ForEach-Object {
+                $_.Value
+            });
+        }
+
         if ($resources.Length -eq 0) {
             return $Assert.Pass();
         }
@@ -140,7 +149,7 @@ function global:RecurseDeploymentSensitive {
                         $Assert.Pass();
                     }
                     else {
-                        Write-Debug "Found property name: $propertyName";
+                        Write-Debug "Found property name: $propertyName, value: $found";
                         foreach ($value in $found) {
                             $Assert.Create(![PSRule.Rules.Azure.Runtime.Helper]::HasLiteralValue($value), $LocalizedData.LiteralSensitiveProperty, $propertyName);
                         }
@@ -167,9 +176,9 @@ function global:RecursivePropertiesSecretEvaluation {
         [Bool]$ShouldUseSecret = $True
     )
     process {
-        $PropertyName = $Property.psObject.properties.Name 
-        foreach ($NestedProperty in $Property.PSObject.Properties.Value.PSObject.Properties ) {
-            if($NestedProperty.MemberType -eq 'NoteProperty'){
+        $PropertyName = $Property.PSObject.properties.Name
+        foreach ($NestedProperty in $Property.PSObject.Properties.Value.PSObject.Properties) {
+            if($NestedProperty.MemberType -eq 'NoteProperty') {
                 RecursivePropertiesSecretEvaluation -Resource $Resource -SecureParameters $SecureParameters -Property $NestedProperty -ShouldUseSecret $ShouldUseSecret
             } else {
                 CheckPropertyUsesSecureParameter -Resource $Resource -SecureParameters $SecureParameters -PropertyPath "properties.$($PropertyName)" -ShouldUseSecret $ShouldUseSecret
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.Deployment.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.Deployment.Tests.ps1
@@ -76,6 +76,28 @@ Describe 'Azure.Deployment' -Tag 'Deployment' {
             $targetNames | Should -BeIn 'secret_good', 'streaming_jobs_good', 'reference_good';
         }
     }
+
+    Context 'With Template' {
+        BeforeAll {
+            $templatePath = Join-Path -Path $here -ChildPath 'deployment.tests.json';
+            $outputFile = Join-Path -Path $rootPath -ChildPath out/tests/Resources.Deployment.json;
+            Export-AzRuleTemplateData -TemplateFile $templatePath -OutputPath $outputFile;
+            $result = Invoke-PSRule -Module PSRule.Rules.Azure -InputPath $outputFile -Outcome All -WarningAction Ignore -ErrorAction Stop;
+        }
+
+        It 'Azure.Deployment.Name' {
+            $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Deployment.Name' };
+
+            # Fail
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+            $ruleResult | Should -BeNullOrEmpty;
+
+            # Pass
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+            $ruleResult | Should -Not -BeNullOrEmpty;
+            $ruleResult.Length | Should -Be 2;
+        }
+    }
 }
 
 Describe 'Azure.Deployment' -Tag 'Deployment' {
@@ -162,9 +184,18 @@ Describe 'Azure.Deployment.AdminUsername' -Tag 'Deployment' {
             $ruleResult | Should -Not -BeNullOrEmpty;
             $ruleResult.Length | Should -Be 3;
         }
+    }
 
-        It 'Azure.Deployment.Name' {
-            $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Deployment.Name' };
+    Context 'With Bicep with symbolic names' {
+        BeforeAll {
+            $templatePath = Join-Path -Path $here -ChildPath 'Bicep/SymbolicNameTestCases/Tests.Bicep.5.json';
+            $outputFile = Join-Path -Path $rootPath -ChildPath out/tests/Resources.Deployment.json;
+            Export-AzRuleTemplateData -TemplateFile $templatePath -OutputPath $outputFile;
+            $result = Invoke-PSRule -Module PSRule.Rules.Azure -InputPath $outputFile -Outcome All -WarningAction Ignore -ErrorAction Stop;
+        }
+
+        It 'Azure.Deployment.AdminUsername' {
+            $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Deployment.AdminUsername' };
 
             # Fail
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
@@ -173,7 +204,7 @@ Describe 'Azure.Deployment.AdminUsername' -Tag 'Deployment' {
             # Pass
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
             $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 2;
+            $ruleResult.Length | Should -Be 10;
         }
     }
 }
diff --git a/tests/PSRule.Rules.Azure.Tests/Bicep/SymbolicNameTestCases/Tests.Bicep.5.bicep b/tests/PSRule.Rules.Azure.Tests/Bicep/SymbolicNameTestCases/Tests.Bicep.5.bicep
@@ -0,0 +1,73 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+// Test case for https://github.com/Azure/PSRule.Rules.Azure/issues/3146
+// Contributed by @riosengineer
+
+param rgName string = 'rg-test'
+param location string = 'eastus'
+param sqlServerName string = 's1'
+param sqlAdministrators object = {
+  azureADOnlyAuthentication: true
+  login: 'group1'
+  sid: 'sid'
+  principalType: 'Group'
+}
+param sqlDatabase object = {
+  name: 'sqldb'
+  tier: 'Basic'
+  sku: 'Basic'
+  maxSizeBytes: 2147483648
+  collation: 'SQL_Latin1_General_CP1_CI_AS'
+}
+
+// Azure SQL DB
+module sqlDb 'br/public:avm/res/sql/server:0.8.0' = {
+  name: 'abc'
+  scope: resourceGroup(rgName)
+  params: {
+    name: sqlServerName
+    location: location
+    minimalTlsVersion: '1.2'
+    managedIdentities: {
+      systemAssigned: true
+    }
+    privateEndpoints: [
+      {
+        name: 'pe'
+        customNetworkInterfaceName: 'pe-sql-nic'
+        subnetResourceId: ''
+        privateDnsZoneGroup: {
+          privateDnsZoneGroupConfigs: [
+            {
+              privateDnsZoneResourceId: ''
+            }
+          ]
+        }
+      }
+    ]
+    publicNetworkAccess: 'Disabled'
+    securityAlertPolicies: [
+      {
+        name: 'Default'
+        state: 'Enabled'
+        emailAccountAdmins: true
+      }
+    ]
+    administrators: {
+      azureADOnlyAuthentication: sqlAdministrators.azureADOnlyAuthentication
+      login: sqlAdministrators.login
+      sid: sqlAdministrators.sid
+      principalType: sqlAdministrators.principalType
+    }
+    databases: [
+      {
+        name: sqlDatabase.name
+        collation: sqlDatabase.collation
+        maxSizeBytes: sqlDatabase.maxSizeBytes
+        skuTier: sqlDatabase.tier
+        skuName: sqlDatabase.sku
+      }
+    ]
+  }
+}
diff --git a/tests/PSRule.Rules.Azure.Tests/Bicep/SymbolicNameTestCases/Tests.Bicep.5.json b/tests/PSRule.Rules.Azure.Tests/Bicep/SymbolicNameTestCases/Tests.Bicep.5.json
diff --git a/tests/PSRule.Rules.Azure.Tests/TokenStreamValidatorTests.cs b/tests/PSRule.Rules.Azure.Tests/TokenStreamValidatorTests.cs

Original file line number	Diff line number	Diff line change
`@@ -55,8 +55,10 @@ public static string CompressExpression(string expression)`
`55`	`55`	`/// </summary>`
`56`	`56`	`public static bool HasLiteralValue(string expression)`
`57`	`57`	`{`
`58`		`- return !IsTemplateExpression(expression) \|\|`
`59`		`- TokenStreamValidator.HasLiteralValue(ExpressionParser.Parse(expression));`
	`58`	`+ return !string.IsNullOrEmpty(expression) && (`
	`59`	`+ !IsTemplateExpression(expression) \|\|`
	`60`	`+ TokenStreamValidator.HasLiteralValue(ExpressionParser.Parse(expression))`
	`61`	`+ );`
`60`	`62`	`}`
`61`	`63`
`62`	`64`	`/// <summary>`