feat(tests): Add test cases for Azure Web App security configurations including Always On, public network access, client certificate requirements, and HTTPS-only settings

Author: GeekMasher

ql/test/queries-tests/reliability/WebAppAlwaysOnDisabled/WebAppAlwaysOnDisabled.expected

@@ -0,0 +1,2 @@
+| webapp-without-alwayson | Azure Web App doesn't have Always On enabled, which can lead to poor reliability and potential security issues due to cold starts. |
+| webapp-with-alwayson-disabled | Azure Web App doesn't have Always On enabled, which can lead to poor reliability and potential security issues due to cold starts. |

ql/test/queries-tests/reliability/WebAppAlwaysOnDisabled/WebAppAlwaysOnDisabled.qlref

@@ -0,0 +1 @@
+security/reliability/WebAppAlwaysOnDisabled.ql

ql/test/queries-tests/reliability/WebAppAlwaysOnDisabled/app.bicep

@@ -0,0 +1,66 @@
+// This is a test file for the WebAppAlwaysOnDisabled query
+// It contains examples of secure and insecure configurations
+
+param location string = resourceGroup().location
+
+// App Service Plan
+resource appServicePlan 'Microsoft.Web/serverfarms@2022-03-01' = {
+  name: 'app-plan-test'
+  location: location
+  sku: {
+    name: 'S1'
+    tier: 'Standard'
+  }
+}
+
+// Insecure: Web App without Always On enabled (Default)
+resource webAppWithoutAlwaysOn 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'webapp-without-alwayson'
+  location: location
+  kind: 'app' // Specifies it's a regular web app
+  properties: {
+    serverFarmId: appServicePlan.id
+    siteConfig: {
+      // Always On is not explicitly set, defaults to false
+    }
+  }
+}
+
+// Insecure: Web App with Always On explicitly disabled
+resource webAppWithAlwaysOnDisabled 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'webapp-with-alwayson-disabled'
+  location: location
+  kind: 'app' // Specifies it's a regular web app
+  properties: {
+    serverFarmId: appServicePlan.id
+    siteConfig: {
+      alwaysOn: false // Explicitly disabled
+    }
+  }
+}
+
+// Secure: Web App with Always On enabled
+resource webAppWithAlwaysOn 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'webapp-with-alwayson'
+  location: location
+  kind: 'app' // Specifies it's a regular web app
+  properties: {
+    serverFarmId: appServicePlan.id
+    siteConfig: {
+      alwaysOn: true // Explicitly enabled
+    }
+  }
+}
+
+// Function App without Always On (should not be flagged)
+resource functionApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'function-app-without-alwayson'
+  location: location
+  kind: 'functionapp' // Specifies it's a function app
+  properties: {
+    serverFarmId: appServicePlan.id
+    siteConfig: {
+      // Always On not set for function app is acceptable
+    }
+  }
+}

ql/test/queries-tests/security/CWE-284/WebAppPublicNetworkAccess/WebAppPublicNetworkAccess.expected

@@ -0,0 +1,2 @@
+| app.bicep:46:1:54:1 | AppService[insecureWebApp] | Azure Web App has unrestricted public network access without VNet integration, potentially increasing attack surface. |
+| app.bicep:57:1:65:1 | AppService[explicitlyInsecureWebApp] | Azure Web App has unrestricted public network access without VNet integration, potentially increasing attack surface. |

ql/test/queries-tests/security/CWE-284/WebAppPublicNetworkAccess/WebAppPublicNetworkAccess.qlref

@@ -0,0 +1 @@
+security/CWE-284/WebAppPublicNetworkAccess.ql

ql/test/queries-tests/security/CWE-284/WebAppPublicNetworkAccess/app.bicep

@@ -0,0 +1,96 @@
+// This is a test file for the WebAppPublicNetworkAccess query
+// It contains examples of secure and insecure configurations
+
+param location string = resourceGroup().location
+
+// App Service Plan
+resource appServicePlan 'Microsoft.Web/serverfarms@2022-03-01' = {
+  name: 'app-plan-test'
+  location: location
+  sku: {
+    name: 'S1'
+    tier: 'Standard'
+  }
+}
+
+// VNet resource
+resource vnet 'Microsoft.Network/virtualNetworks@2021-02-01' = {
+  name: 'test-vnet'
+  location: location
+  properties: {
+    addressSpace: {
+      addressPrefixes: [
+        '10.0.0.0/16'
+      ]
+    }
+    subnets: [
+      {
+        name: 'app-subnet'
+        properties: {
+          addressPrefix: '10.0.1.0/24'
+          delegations: [
+            {
+              name: 'delegation'
+              properties: {
+                serviceName: 'Microsoft.Web/serverfarms'
+              }
+            }
+          ]
+        }
+      }
+    ]
+  }
+}
+
+// Insecure: Web App with default public network access (enabled) and no VNet integration
+resource insecureWebApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'insecure-public-webapp'
+  location: location
+  properties: {
+    serverFarmId: appServicePlan.id
+    // No public network access restrictions
+    // No VNet integration
+  }
+}
+
+// Insecure: Web App with explicitly enabled public network access and no VNet integration
+resource explicitlyInsecureWebApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'explicitly-insecure-webapp'
+  location: location
+  properties: {
+    serverFarmId: appServicePlan.id
+    publicNetworkAccess: 'Enabled' // Explicitly allowing public access
+    // No VNet integration
+  }
+}
+
+// Secure: Web App with VNet integration
+resource secureWithVNetWebApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'secure-vnet-webapp'
+  location: location
+  properties: {
+    serverFarmId: appServicePlan.id
+    // Public network access not explicitly disabled, but has VNet integration
+    virtualNetworkSubnetId: '${vnet.id}/subnets/app-subnet'
+  }
+}
+
+// Secure: Web App with disabled public network access
+resource secureNoPublicWebApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'secure-no-public-webapp'
+  location: location
+  properties: {
+    serverFarmId: appServicePlan.id
+    publicNetworkAccess: 'Disabled' // Explicitly disabling public access
+  }
+}
+
+// Secure: Web App with VNet integration at the properties level
+resource secureWithPropsVNetWebApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'secure-props-vnet-webapp'
+  location: location
+  properties: {
+    serverFarmId: appServicePlan.id
+    virtualNetworkSubnetId: '${vnet.id}/subnets/app-subnet'
+  }
+}

ql/test/queries-tests/security/CWE-295/WebAppMissingClientCert/WebAppMissingClientCert.expected

@@ -0,0 +1,4 @@
+| app.bicep:18:1:26:1 | AppService[insecureWebApp] | Azure Web App with HTTPS enabled doesn't require client certificates for mutual TLS authentication. |
+| app.bicep:30:1:39:1 | AppService[partiallySecureWebApp] | Azure Web App with HTTPS enabled doesn't require client certificates for mutual TLS authentication. |
+| app.bicep:43:1:52:1 | AppService[explicitlyOptionalWebApp] | Azure Web App with HTTPS enabled doesn't require client certificates for mutual TLS authentication. |
+| app.bicep:56:1:65:1 | AppService[secureWebApp] | Azure Web App with HTTPS enabled doesn't require client certificates for mutual TLS authentication. |

ql/test/queries-tests/security/CWE-295/WebAppMissingClientCert/WebAppMissingClientCert.qlref

@@ -0,0 +1 @@
+security/CWE-295/WebAppMissingClientCert.ql

ql/test/queries-tests/security/CWE-295/WebAppMissingClientCert/app.bicep

@@ -0,0 +1,77 @@
+// This is a test file for the WebAppMissingClientCert query
+// It contains examples of secure and insecure configurations
+
+param location string = resourceGroup().location
+
+// App Service Plan
+resource appServicePlan 'Microsoft.Web/serverfarms@2022-03-01' = {
+  name: 'app-plan-test'
+  location: location
+  sku: {
+    name: 'S1'
+    tier: 'Standard'
+  }
+}
+
+// Insecure: Web App with HTTPS-Only but no client cert configuration
+// This should be flagged by the query
+resource insecureWebApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'insecure-webapp-no-clientcert'
+  location: location
+  properties: {
+    serverFarmId: appServicePlan.id
+    httpsOnly: true // HTTPS is enabled but no client cert
+    // No client cert configuration
+  }
+}
+
+// Insecure: Web App with HTTPS-Only and client cert enabled but not required
+// This should be flagged by the query
+resource partiallySecureWebApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'partially-secure-webapp'
+  location: location
+  properties: {
+    serverFarmId: appServicePlan.id
+    clientCertEnabled: true
+    httpsOnly: true
+    // clientCertMode not set to Required
+  }
+}
+
+// Insecure: Web App with explicit non-Required client cert mode
+// This should be flagged by the query
+resource explicitlyOptionalWebApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'explicitly-optional-webapp'
+  location: location
+  properties: {
+    serverFarmId: appServicePlan.id
+    clientCertEnabled: true
+    clientCertMode: 'Optional' // Explicitly not required
+    httpsOnly: true
+  }
+}
+
+// Secure: Web App with HTTPS-Only and required client cert
+// This should NOT be flagged by the query
+resource secureWebApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'secure-webapp'
+  location: location
+  properties: {
+    serverFarmId: appServicePlan.id
+    clientCertEnabled: true
+    clientCertMode: 'Required' // Client cert is required
+    httpsOnly: true
+  }
+}
+
+// Web App without HTTPS-Only
+// This should NOT be flagged by the query (since we only check apps with HTTPS enabled)
+resource httpWebApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'http-webapp'
+  location: location
+  properties: {
+    serverFarmId: appServicePlan.id
+    // No client cert configuration
+  }
+  // No httpsOnly setting
+}

ql/test/queries-tests/security/CWE-319/SitesWithoutHttpsOnly/SitesWithoutHttpsOnly.expected

@@ -0,0 +1,2 @@
+| app.bicep:17:1:27:1 | AppService[insecureWebApp] | Azure Web App is not configured with HTTPS-only mode, potentially allowing insecure HTTP connections. |
+| app.bicep:30:1:37:1 | AppService[explicitlyInsecureWebApp] | Azure Web App is not configured with HTTPS-only mode, potentially allowing insecure HTTP connections. |