---
# Compliance check for an Azure SQL Server's firewall rules. Each entry in
# `conditions` is a status plus a `check`; `otherwise` is the result when
# none of the listed conditions matches.
inputType: "CA10__CaAzureSqlServer__c"

testData:
  - file: "test-data.json"

importExtracts:
  - file: "/types/CA10__CaAzureSqlServer__c/object.extracts.yaml"

conditions:
  # Condition 1: a rule literally named AllowAllWindowsAzureIps is present.
  # NOTE(review): Azure uses this name for the 0.0.0.0-0.0.0.0 "allow Azure
  # services and resources" setting; this policy treats it as unrestricted
  # ingress, which is what the message below states.
  - status: "INCOMPLIANT"
    currentStateMessage: "SQL server firewall rules allow ingress from 0.0.0.0/0 (ANY IP) via the AllowAllWindowsAzureIps rule."
    remediationMessage: "Remove or disable the overly permissive rule."
    check:
      IS_EQUAL:
        left:
          # Selects the name of the first matching rule; presumably null when
          # no rule matches, which then falls under `undeterminedIf`.
          JSON_QUERY_TEXT:
            arg:
              EXTRACT: "caJsonFrom__firewallRulesJson__c"
            expression: "[? name == 'AllowAllWindowsAzureIps'].name | [0]"
            undeterminedIf:
              evaluationError: "The JSON query has failed."
              resultTypeMismatch: "The JSON query did not return text type."
        right:
          TEXT: "AllowAllWindowsAzureIps"

  # Condition 2: at least one rule, whatever its name, spans
  # 0.0.0.0-0.0.0.0 or 0.0.0.0-255.255.255.255.
  # The expression compares IP strings exactly, so near-full ranges such as
  # 0.0.0.1-255.255.255.255 or 0.0.0.0-255.255.255.254 are not counted.
  - status: "INCOMPLIANT"
    currentStateMessage: "SQL server firewall rules allow ingress from 0.0.0.0/0 (ANY IP)."
    remediationMessage: "Remove or disable the overly permissive rule."
    check:
      GREATER_THAN:
        left:
          JSON_QUERY_NUMBER:
            arg:
              EXTRACT: "caJsonFrom__firewallRulesJson__c"
            expression: "length([? properties.startIpAddress == '0.0.0.0' && (properties.endIpAddress == '0.0.0.0' || properties.endIpAddress == '255.255.255.255')])"
            undeterminedIf:
              evaluationError: "The JSON query has failed."
              resultTypeMismatch: "The JSON query did not return number type."
        right:
          NUMBER: 0.0

  # Condition 3: the server has no firewall rules at all.
  # NOTE(review): this entry comes after the two JSON queries above. If an
  # empty extract makes those queries fail with `evaluationError`, the result
  # would be undetermined before this condition is reached — confirm the
  # engine's evaluation order and consider listing this condition first.
  - status: "COMPLIANT"
    currentStateMessage: "SQL server firewall rules are not defined."
    check:
      IS_EMPTY:
        arg:
          EXTRACT: "CA10__firewallRulesJson__c"

otherwise:
  status: "COMPLIANT"
  currentStateMessage: "SQL server firewall rules do not allow ingress from 0.0.0.0/0 (ANY IP)."