feat(test): Add tests

GeekMasher · GeekMasher · commit c65571edab48 · 2025-07-07T12:10:13.000+01:00
diff --git a/ql/test/library-tests/frameworks/web/Web.expected b/ql/test/library-tests/frameworks/web/Web.expected
@@ -0,0 +1,21 @@
+webApps
+| app.bicep:7:1:25:1 | (no string representation) |
+| app.bicep:28:1:45:1 | AppService[${appServiceName}-insecure] |
+| app.bicep:48:1:70:1 | AppService[${appServiceName}-secure] |
+| app.bicep:73:1:84:1 | DeploymentSlot[${MemberExpression}/staging] |
+| app.bicep:87:1:100:1 | (no string representation) |
+| app.bicep:103:1:115:1 | AppService[${appServiceName}-function] |
+| test-sites.bicep:9:1:16:1 | (no string representation) |
+| test-sites.bicep:19:1:72:1 | (no string representation) |
+| test-sites.bicep:75:1:107:1 | (no string representation) |
+webSites
+| app.bicep:28:1:45:1 | AppService[${appServiceName}-insecure] |
+| app.bicep:48:1:70:1 | AppService[${appServiceName}-secure] |
+| app.bicep:103:1:115:1 | AppService[${appServiceName}-function] |
+| test-sites.bicep:19:1:72:1 | (no string representation) |
+| test-sites.bicep:75:1:107:1 | (no string representation) |
+webSlots
+| app.bicep:73:1:84:1 | DeploymentSlot[${MemberExpression}/staging] |
+webServerFarms
+| app.bicep:7:1:25:1 | (no string representation) |
+| test-sites.bicep:9:1:16:1 | (no string representation) |
diff --git a/ql/test/library-tests/frameworks/web/Web.ql b/ql/test/library-tests/frameworks/web/Web.ql
@@ -0,0 +1,10 @@
+private import bicep
+import codeql.bicep.frameworks.Microsoft.Web
+
+query predicate webApps(Web::WebResource web) { any() }
+
+query predicate webSites(Web::SitesResource sites) { any() }
+
+query predicate webSlots(Web::SlotResource slots) { any() }
+
+query predicate webServerFarms(Web::ServerFarmsResource serverFarm) { any() }
diff --git a/ql/test/library-tests/frameworks/web/app.bicep b/ql/test/library-tests/frameworks/web/app.bicep
@@ -0,0 +1,115 @@
+param location string = resourceGroup().location
+param appServicePlanName string = 'myAppServicePlan'
+param appServiceName string = 'myAppService'
+param staticSiteName string = 'myStaticSite'
+
+// App Service Plan
+resource appServicePlan 'Microsoft.Web/serverfarms@2022-09-01' = {
+  name: appServicePlanName
+  location: location
+  sku: {
+    name: 'S1'
+    tier: 'Standard'
+  }
+  properties: {
+    reserved: true // For Linux
+    computeMode: 'Dedicated'
+    workerSize: 'Small'
+    workerSizeId: 1
+    numberOfWorkers: 2
+    perSiteScaling: false
+    elasticScaleEnabled: true
+    zoneRedundant: true
+    maximumElasticWorkerCount: 10
+  }
+}
+
+// App Service with insecure configuration (for testing queries)
+resource insecureAppService 'Microsoft.Web/sites@2022-09-01' = {
+  name: '${appServiceName}-insecure'
+  location: location
+  kind: 'app'
+  properties: {
+    serverFarmId: appServicePlan.id
+    httpsOnly: false // Insecure setting
+    publicNetworkAccess: 'Enabled'
+    clientCertEnabled: false
+    siteConfig: {
+      minTlsVersion: '1.0' // Weak TLS
+      remoteDebuggingEnabled: true // Insecure
+      ftpsState: 'AllAllowed'
+      http20Enabled: false
+      alwaysOn: true
+    }
+  }
+}
+
+// App Service with secure configuration
+resource secureAppService 'Microsoft.Web/sites@2022-09-01' = {
+  name: '${appServiceName}-secure'
+  location: location
+  kind: 'app'
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    serverFarmId: appServicePlan.id
+    httpsOnly: true
+    publicNetworkAccess: 'Disabled'
+    clientCertEnabled: true
+    clientCertMode: 'Required'
+    siteConfig: {
+      minTlsVersion: '1.2'
+      remoteDebuggingEnabled: false
+      ftpsState: 'Disabled'
+      http20Enabled: true
+      alwaysOn: true
+    }
+    virtualNetworkSubnetId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/virtualNetworks/myVNet/subnets/mySubnet'
+  }
+}
+
+// Deployment slot for testing
+resource testSlot 'Microsoft.Web/sites/slots@2022-09-01' = {
+  name: '${secureAppService.name}/staging'
+  location: location
+  kind: 'app'
+  properties: {
+    httpsOnly: true
+    siteConfig: {
+      minTlsVersion: '1.2'
+      alwaysOn: true
+    }
+  }
+}
+
+// Static Web App
+resource staticSite 'Microsoft.Web/staticSites@2022-09-01' = {
+  name: staticSiteName
+  location: location
+  sku: {
+    name: 'Standard'
+    tier: 'Standard'
+  }
+  properties: {
+    repositoryUrl: 'https://github.com/example/repo'
+    repositoryToken: 'your-token-here'
+    allowConfigFileUpdates: true
+    allowPrivateEndpoints: false
+  }
+}
+
+// Function App (another kind of site)
+resource functionApp 'Microsoft.Web/sites@2022-09-01' = {
+  name: '${appServiceName}-function'
+  location: location
+  kind: 'functionapp'
+  properties: {
+    serverFarmId: appServicePlan.id
+    httpsOnly: true
+    siteConfig: {
+      minTlsVersion: '1.2'
+      alwaysOn: true
+    }
+  }
+}
diff --git a/ql/test/library-tests/frameworks/web/test-sites.bicep b/ql/test/library-tests/frameworks/web/test-sites.bicep
@@ -0,0 +1,107 @@
+// This is a test file for Microsoft.Web/sites resources
+
+param location string = 'eastus'
+param appServicePlanName string = 'test-asp'
+param webAppName string = 'test-webapp'
+param functionAppName string = 'test-function-app'
+
+// App Service Plan
+resource appServicePlan 'Microsoft.Web/serverfarms@2022-03-01' = {
+  name: appServicePlanName
+  location: location
+  sku: {
+    name: 'B1'
+    tier: 'Basic'
+  }
+}
+
+// Web App (App Service)
+resource webApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: webAppName
+  location: location
+  kind: 'app'
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    serverFarmId: appServicePlan.id
+    httpsOnly: true
+    clientCertEnabled: true
+    clientCertMode: 'Required'
+    virtualNetworkSubnetId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/MyVnet/subnets/MySubnet'
+    siteConfig: {
+      alwaysOn: true
+      http20Enabled: true
+      minTlsVersion: '1.2'
+      ftpsState: 'FtpsOnly'
+      ipSecurityRestrictions: [
+        {
+          ipAddress: '192.168.1.0/24'
+          action: 'Allow'
+          priority: 100
+          name: 'Allow internal network'
+        }
+        {
+          ipAddress: '10.0.0.0/16'
+          action: 'Deny'
+          priority: 200
+          name: 'Block private network'
+        }
+      ]
+      ipSecurityRestrictionsDefaultAction: 'Deny'
+      appSettings: [
+        {
+          name: 'WEBSITE_NODE_DEFAULT_VERSION'
+          value: '~16'
+        }
+        {
+          name: 'APPINSIGHTS_INSTRUMENTATIONKEY'
+          value: '00000000-0000-0000-0000-000000000000'
+        }
+      ]
+      connectionStrings: [
+        {
+          name: 'MyDbConnection'
+          connectionString: 'Data Source=myserver;Initial Catalog=mydb;User ID=myuser;Password=mypassword;'
+          type: 'SQLAzure'
+        }
+      ]
+      linuxFxVersion: 'NODE|16-lts'
+    }
+  }
+}
+
+// Function App
+resource functionApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: functionAppName
+  location: location
+  kind: 'functionapp'
+  identity: {
+    type: 'SystemAssigned,UserAssigned'
+    userAssignedIdentities: {
+      '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity': {}
+    }
+  }
+  properties: {
+    serverFarmId: appServicePlan.id
+    httpsOnly: true
+    siteConfig: {
+      alwaysOn: true
+      use32BitWorkerProcess: false
+      appSettings: [
+        {
+          name: 'AzureWebJobsStorage'
+          value: 'DefaultEndpointsProtocol=https;AccountName=mystorageaccount;EndpointSuffix=core.windows.net;AccountKey=mykey=='
+        }
+        {
+          name: 'FUNCTIONS_EXTENSION_VERSION'
+          value: '~4'
+        }
+        {
+          name: 'FUNCTIONS_WORKER_RUNTIME'
+          value: 'node'
+        }
+      ]
+    }
+  }
+}
