adjust logic

bridgecrewio · Sep 25, 2023 · d6d045e · d6d045e
1 parent 4bf4000
commit d6d045e
Showing 1 changed file with 32 additions and 17 deletions.
diff --git a/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py b/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py
@@ -1,3 +1,6 @@
+from __future__ import annotations
+
+from typing import Any
 
 from checkov.common.models.enums import CheckCategories, CheckResult
 from checkov.arm.base_resource_check import BaseResourceCheck
@@ -7,27 +10,39 @@ class VMDisablePasswordAuthentication(BaseResourceCheck):
     def __init__(self) -> None:
         name = "Ensure that Virtual machine does not enable password authentication"
         id = "CKV_AZURE_149"
-        supported_resources = ['Microsoft.Compute/virtualMachineScaleSets', 'Microsoft.Compute/virtualMachines']
-        categories = [CheckCategories.ENCRYPTION]
+        supported_resources = (
+            "Microsoft.Compute/virtualMachineScaleSets",
+            "Microsoft.Compute/virtualMachines",
+        )
+        categories = (CheckCategories.ENCRYPTION,)
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
-    def scan_resource_conf(self, conf) -> CheckResult:
-        osprofile = None
-        if conf.get('properties') and isinstance(conf.get('properties'), dict):
-            properties = conf.get('properties')
-            if properties.get("virtualMachineProfile") and isinstance(properties.get("virtualMachineProfile"), dict):
-                profile = properties.get("virtualMachineProfile")
-                if profile.get("osProfile") and isinstance(profile.get("osProfile"), dict):
-                    osprofile = profile.get("osProfile")
-            if properties.get("osProfile") and isinstance(properties.get("osProfile"), dict):
-                osprofile = properties.get("osProfile")
-            if osprofile is None:
+    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
+        os_profile = None
+
+        properties = conf.get("properties")
+        if properties and isinstance(properties, dict):
+            if self.entity_type == "Microsoft.Compute/virtualMachines":
+                tmp_os_profile = properties.get("osProfile")
+                if tmp_os_profile and isinstance(tmp_os_profile, dict):
+                    os_profile = tmp_os_profile
+            elif self.entity_type == "Microsoft.Compute/virtualMachineScaleSets":
+                vm_profile = properties.get("virtualMachineProfile")
+                if vm_profile and isinstance(vm_profile, dict):
+                    tmp_os_profile = vm_profile.get("osProfile")
+                    if tmp_os_profile and isinstance(tmp_os_profile, dict):
+                        os_profile = tmp_os_profile
+
+            if os_profile is None:
                 return CheckResult.UNKNOWN
-            if osprofile.get("linuxConfiguration") and isinstance(osprofile.get("linuxConfiguration"), dict):
-                config = osprofile.get("linuxConfiguration")
-                if config.get("disablePasswordAuthentication") and isinstance(config.get("disablePasswordAuthentication"), bool):
-                    return CheckResult.PASSED
+
+            linux_config = os_profile.get("linuxConfiguration")
+            if linux_config and isinstance(linux_config, dict):
+                pass_auth = linux_config.get("disablePasswordAuthentication")
+                if pass_auth and isinstance(pass_auth, bool):
+                    return CheckResult.PASSED if pass_auth and isinstance(pass_auth, bool) else CheckResult.FAILED
                 return CheckResult.FAILED
+
             return CheckResult.UNKNOWN
 
         return CheckResult.FAILED