feat(tests): Add Grafana query tests

Author: GeekMasher

ql/test/queries-tests/security/CWE-200/GrafanaExternalSnapshotsEnabled/GrafanaExternalSnapshotsEnabled.expected

@@ -0,0 +1 @@
+| app.bicep:11:18:13:7 | Snapshots | External snapshots are enabled in Grafana configuration, which could lead to unintended sharing of dashboard data with external services. |

ql/test/queries-tests/security/CWE-200/GrafanaExternalSnapshotsEnabled/GrafanaExternalSnapshotsEnabled.qlref

@@ -0,0 +1 @@
+security/CWE-200/GrafanaExternalSnapshotsEnabled.ql

ql/test/queries-tests/security/CWE-200/GrafanaExternalSnapshotsEnabled/app.bicep

@@ -0,0 +1,51 @@
+// Test file for GrafanaExternalSnapshotsEnabled.ql
+// Contains examples of secure and insecure configurations
+
+// TEST CASE: Insecure - Grafana with external snapshots enabled
+// This should be detected by the query
+resource insecureGrafanaSnapshots 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'insecure-grafana-snapshots'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      snapshots: {
+        externalEnabled: true  // ALERT: External snapshots are enabled
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// TEST CASE: Secure - Grafana with external snapshots disabled
+// This should NOT be detected by the query
+resource secureGrafanaSnapshots 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'secure-grafana-snapshots'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      snapshots: {
+        externalEnabled: false  // Secure: External snapshots are disabled
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// TEST CASE: Secure - Grafana with default snapshot settings (property omitted)
+// This should NOT be detected by the query (assuming default is false)
+resource defaultGrafanaSnapshots 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'default-grafana-snapshots'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      // snapshots property omitted
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}

ql/test/queries-tests/security/CWE-272/GrafanaExcessiveEditorPermissions/GrafanaExcessiveEditorPermissions.expected

@@ -0,0 +1,2 @@
+| app.bicep:11:14:13:7 | Users | Excessive permissions granted to Grafana editors (editorsCanAdmin=true). This allows editors to administrate dashboards, folders and teams they create. |
+| app.bicep:62:14:65:7 | Users | Excessive permissions granted to Grafana editors (editorsCanAdmin=true). This allows editors to administrate dashboards, folders and teams they create. |

ql/test/queries-tests/security/CWE-272/GrafanaExcessiveEditorPermissions/GrafanaExcessiveEditorPermissions.qlref

@@ -0,0 +1 @@
+security/CWE-272/GrafanaExcessiveEditorPermissions.ql

ql/test/queries-tests/security/CWE-272/GrafanaExcessiveEditorPermissions/app.bicep

@@ -0,0 +1,71 @@
+// Test file for GrafanaExcessiveEditorPermissions.ql
+// Contains examples of secure and insecure configurations
+
+// TEST CASE: Insecure - Grafana with excessive editor permissions
+// This should be detected by the query
+resource insecureGrafanaEditors 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'insecure-grafana-editors'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      users: {
+        editorsCanAdmin: true  // ALERT: Excessive permissions for editors
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// TEST CASE: Secure - Grafana with proper editor permissions (explicitly set to false)
+// This should NOT be detected by the query
+resource secureGrafanaEditors 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'secure-grafana-editors'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      users: {
+        editorsCanAdmin: false  // Secure: Editors cannot administrate
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// TEST CASE: Secure - Grafana with default editor permissions (property omitted)
+// This should NOT be detected by the query (assuming default is false)
+resource defaultGrafanaEditors 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'default-grafana-editors'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      users: {
+        // editorsCanAdmin property is omitted, should default to false
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// TEST CASE: Complex - Grafana with both viewer and editor permission settings
+// The editorsCanAdmin=true should be detected by the query
+resource complexGrafana 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'complex-grafana-permissions'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      users: {
+        editorsCanAdmin: true   // ALERT: Excessive permissions for editors
+        viewersCanEdit: false   // This is secure, but the resource should still be flagged
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}

ql/test/queries-tests/security/CWE-272/GrafanaExcessiveViewerPermissions/GrafanaExcessiveViewerPermissions.expected

@@ -0,0 +1 @@
+| app.bicep:11:14:13:7 | Users | Excessive permissions granted to Grafana viewers (viewersCanEdit=true). This allows viewers to make temporary edits to dashboards they have access to. |

ql/test/queries-tests/security/CWE-272/GrafanaExcessiveViewerPermissions/GrafanaExcessiveViewerPermissions.qlref

@@ -0,0 +1 @@
+security/CWE-272/GrafanaExcessiveViewerPermissions.ql

ql/test/queries-tests/security/CWE-272/GrafanaExcessiveViewerPermissions/app.bicep

@@ -0,0 +1,53 @@
+// Test file for GrafanaExcessiveViewerPermissions.ql
+// Contains examples of secure and insecure configurations
+
+// TEST CASE: Insecure - Grafana with excessive viewer permissions
+// This should be detected by the query
+resource insecureGrafanaViewers 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'insecure-grafana-viewers'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      users: {
+        viewersCanEdit: true  // ALERT: Excessive permissions for viewers
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// TEST CASE: Secure - Grafana with proper viewer permissions (explicitly set to false)
+// This should NOT be detected by the query
+resource secureGrafanaViewers 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'secure-grafana-viewers'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      users: {
+        viewersCanEdit: false  // Secure: Viewers cannot edit dashboards
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// TEST CASE: Secure - Grafana with default viewer permissions (property omitted)
+// This should NOT be detected by the query (assuming default is false)
+resource defaultGrafanaViewers 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'default-grafana-viewers'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      users: {
+        // viewersCanEdit property is omitted, should default to false
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}

ql/test/queries-tests/security/CWE-295/GrafanaSmtpSslVerificationDisabled/GrafanaSmtpSslVerificationDisabled.expected

@@ -0,0 +1 @@
+| app.bicep:18:21:18:24 | true | Grafana SMTP configuration has SSL verification disabled (skipVerify=true), which can lead to man-in-the-middle attacks. |