feat(tests): Add Grafana query tests

Author: GeekMasher

ql/test/queries-tests/security/CWE-200/GrafanaExternalSnapshotsEnabled/GrafanaExternalSnapshotsEnabled.expected

@@ -0,0 +1 @@
+| app.bicep:11:18:13:7 | Snapshots | External snapshots are enabled in Grafana configuration, which could lead to unintended sharing of dashboard data with external services. |

ql/test/queries-tests/security/CWE-200/GrafanaExternalSnapshotsEnabled/GrafanaExternalSnapshotsEnabled.qlref

@@ -0,0 +1 @@
+security/CWE-200/GrafanaExternalSnapshotsEnabled.ql

ql/test/queries-tests/security/CWE-200/GrafanaExternalSnapshotsEnabled/app.bicep

@@ -0,0 +1,51 @@
+// Test file for GrafanaExternalSnapshotsEnabled.ql
+// Contains examples of secure and insecure configurations
+
+// TEST CASE: Insecure - Grafana with external snapshots enabled
+// This should be detected by the query
+resource insecureGrafanaSnapshots 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'insecure-grafana-snapshots'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      snapshots: {
+        externalEnabled: true  // ALERT: External snapshots are enabled
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// TEST CASE: Secure - Grafana with external snapshots disabled
+// This should NOT be detected by the query
+resource secureGrafanaSnapshots 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'secure-grafana-snapshots'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      snapshots: {
+        externalEnabled: false  // Secure: External snapshots are disabled
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// TEST CASE: Secure - Grafana with default snapshot settings (property omitted)
+// This should NOT be detected by the query (assuming default is false)
+resource defaultGrafanaSnapshots 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'default-grafana-snapshots'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      // snapshots property omitted
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}

ql/test/queries-tests/security/CWE-272/GrafanaExcessiveEditorPermissions/GrafanaExcessiveEditorPermissions.expected

@@ -0,0 +1,2 @@
+| app.bicep:11:14:13:7 | Users | Excessive permissions granted to Grafana editors (editorsCanAdmin=true). This allows editors to administrate dashboards, folders and teams they create. |
+| app.bicep:62:14:65:7 | Users | Excessive permissions granted to Grafana editors (editorsCanAdmin=true). This allows editors to administrate dashboards, folders and teams they create. |

ql/test/queries-tests/security/CWE-272/GrafanaExcessiveEditorPermissions/GrafanaExcessiveEditorPermissions.qlref

@@ -0,0 +1 @@
+security/CWE-272/GrafanaExcessiveEditorPermissions.ql

ql/test/queries-tests/security/CWE-272/GrafanaExcessiveEditorPermissions/app.bicep

@@ -0,0 +1,71 @@
+// Test file for GrafanaExcessiveEditorPermissions.ql
+// Contains examples of secure and insecure configurations
+
+// TEST CASE: Insecure - Grafana with excessive editor permissions
+// This should be detected by the query
+resource insecureGrafanaEditors 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'insecure-grafana-editors'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      users: {
+        editorsCanAdmin: true  // ALERT: Excessive permissions for editors
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// TEST CASE: Secure - Grafana with proper editor permissions (explicitly set to false)
+// This should NOT be detected by the query
+resource secureGrafanaEditors 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'secure-grafana-editors'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      users: {
+        editorsCanAdmin: false  // Secure: Editors cannot administrate
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// TEST CASE: Secure - Grafana with default editor permissions (property omitted)
+// This should NOT be detected by the query (assuming default is false)
+resource defaultGrafanaEditors 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'default-grafana-editors'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      users: {
+        // editorsCanAdmin property is omitted, should default to false
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// TEST CASE: Complex - Grafana with both viewer and editor permission settings
+// The editorsCanAdmin=true should be detected by the query
+resource complexGrafana 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'complex-grafana-permissions'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      users: {
+        editorsCanAdmin: true   // ALERT: Excessive permissions for editors
+        viewersCanEdit: false   // This is secure, but the resource should still be flagged
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}

ql/test/queries-tests/security/CWE-272/GrafanaExcessiveViewerPermissions/GrafanaExcessiveViewerPermissions.expected

@@ -0,0 +1 @@
+| app.bicep:11:14:13:7 | Users | Excessive permissions granted to Grafana viewers (viewersCanEdit=true). This allows viewers to make temporary edits to dashboards they have access to. |

ql/test/queries-tests/security/CWE-272/GrafanaExcessiveViewerPermissions/GrafanaExcessiveViewerPermissions.qlref

@@ -0,0 +1 @@
+security/CWE-272/GrafanaExcessiveViewerPermissions.ql

ql/test/queries-tests/security/CWE-272/GrafanaExcessiveViewerPermissions/app.bicep

@@ -0,0 +1,53 @@
+// Test file for GrafanaExcessiveViewerPermissions.ql
+// Contains examples of secure and insecure configurations
+
+// TEST CASE: Insecure - Grafana with excessive viewer permissions
+// This should be detected by the query
+resource insecureGrafanaViewers 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'insecure-grafana-viewers'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      users: {
+        viewersCanEdit: true  // ALERT: Excessive permissions for viewers
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// TEST CASE: Secure - Grafana with proper viewer permissions (explicitly set to false)
+// This should NOT be detected by the query
+resource secureGrafanaViewers 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'secure-grafana-viewers'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      users: {
+        viewersCanEdit: false  // Secure: Viewers cannot edit dashboards
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// TEST CASE: Secure - Grafana with default viewer permissions (property omitted)
+// This should NOT be detected by the query (assuming default is false)
+resource defaultGrafanaViewers 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'default-grafana-viewers'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      users: {
+        // viewersCanEdit property is omitted, should default to false
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}

ql/test/queries-tests/security/CWE-295/GrafanaSmtpSslVerificationDisabled/GrafanaSmtpSslVerificationDisabled.expected

@@ -0,0 +1 @@
+| app.bicep:18:21:18:24 | true | Grafana SMTP configuration has SSL verification disabled (skipVerify=true), which can lead to man-in-the-middle attacks. |

ql/test/queries-tests/security/CWE-295/GrafanaSmtpSslVerificationDisabled/GrafanaSmtpSslVerificationDisabled.qlref

@@ -0,0 +1 @@
+security/CWE-295/GrafanaSmtpSslVerificationDisabled.ql

ql/test/queries-tests/security/CWE-295/GrafanaSmtpSslVerificationDisabled/app.bicep

@@ -0,0 +1,92 @@
+// Test file for GrafanaSmtpSslVerificationDisabled.ql
+// Contains examples of secure and insecure configurations
+
+// TEST CASE: Insecure - Grafana with SMTP SSL verification disabled
+// This should be detected by the query
+resource insecureGrafanaSmtp 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'insecure-grafana-smtp'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      smtp: {
+        enabled: true
+        host: 'smtp.example.com:587'
+        user: 'grafanauser'
+        password: 'password123'
+        fromAddress: 'grafana@example.com'
+        fromName: 'Grafana Alerts'
+        skipVerify: true  // ALERT: SSL verification is disabled
+        startTLSPolicy: 'MandatoryStartTLS'
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// TEST CASE: Secure - Grafana with SMTP SSL verification enabled
+// This should NOT be detected by the query
+resource secureGrafanaSmtp 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'secure-grafana-smtp'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      smtp: {
+        enabled: true
+        host: 'smtp.example.com:587'
+        user: 'grafanauser'
+        password: 'password123'
+        fromAddress: 'grafana@example.com'
+        fromName: 'Grafana Alerts'
+        skipVerify: false  // Secure: SSL verification is enabled
+        startTLSPolicy: 'MandatoryStartTLS'
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// TEST CASE: Secure - Grafana with SMTP but no skipVerify setting (should default to false)
+// This should NOT be detected by the query
+resource defaultSecureGrafanaSmtp 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'default-grafana-smtp'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      smtp: {
+        enabled: true
+        host: 'smtp.example.com:587'
+        user: 'grafanauser'
+        password: 'password123'
+        fromAddress: 'grafana@example.com'
+        fromName: 'Grafana Alerts'
+        // skipVerify not set, defaults to false
+        startTLSPolicy: 'MandatoryStartTLS'
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// TEST CASE: Edge case - Grafana with SMTP disabled
+// This should NOT be detected by the query even though skipVerify is true
+resource disabledSmtpGrafana 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'disabled-smtp-grafana'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      smtp: {
+        enabled: false
+        skipVerify: true  // This shouldn't trigger the alert because SMTP is disabled
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}

ql/test/queries-tests/security/CWE-306/GrafanaApiKeyEnabled/GrafanaApiKeyEnabled.expected

@@ -0,0 +1 @@
+| app.bicep:10:13:10:21 | String | Grafana API key feature is enabled, which can increase the attack surface. Consider disabling API keys if not strictly necessary. |

ql/test/queries-tests/security/CWE-306/GrafanaApiKeyEnabled/GrafanaApiKeyEnabled.qlref

@@ -0,0 +1 @@
+security/CWE-306/GrafanaApiKeyEnabled.ql

ql/test/queries-tests/security/CWE-306/GrafanaApiKeyEnabled/app.bicep

@@ -0,0 +1,41 @@
+// Test file for GrafanaApiKeyEnabled.ql
+// Contains examples of secure and insecure configurations
+
+// TEST CASE: Insecure - Grafana with API key feature enabled
+// This should be detected by the query
+resource insecureGrafanaApiKey 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'insecure-grafana-apikey'
+  location: 'eastus'
+  properties: {
+    apiKey: 'Enabled'  // ALERT: API key feature is enabled
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// TEST CASE: Secure - Grafana with API key feature disabled
+// This should NOT be detected by the query
+resource secureGrafanaApiKey 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'secure-grafana-apikey'
+  location: 'westeurope'
+  properties: {
+    apiKey: 'Disabled'  // Secure: API key feature is disabled
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// TEST CASE: Secure - Grafana without explicit API key setting
+// This should NOT be detected by the query (assuming default is secure)
+resource defaultGrafanaApiKey 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'default-grafana-apikey'
+  location: 'centralus'
+  properties: {
+    // No explicit API key setting
+  }
+  sku: {
+    name: 'Standard'
+  }
+}

ql/test/queries-tests/security/CWE-319/GrafanaInsecureStartTLSPolicy/GrafanaInsecureStartTLSPolicy.expected

@@ -0,0 +1,2 @@
+| app.bicep:13:25:13:36 | String | Insecure StartTLS policy 'NoStartTLS' configured in Grafana SMTP settings. This may allow email communications to be sent unencrypted. Use 'MandatoryStartTLS' instead. |
+| app.bicep:33:25:33:47 | String | Insecure StartTLS policy 'OpportunisticStartTLS' configured in Grafana SMTP settings. This may allow email communications to be sent unencrypted. Use 'MandatoryStartTLS' instead. |

ql/test/queries-tests/security/CWE-319/GrafanaInsecureStartTLSPolicy/GrafanaInsecureStartTLSPolicy.qlref

@@ -0,0 +1 @@
+security/CWE-319/GrafanaInsecureStartTLSPolicy.ql