feat: implement NetworkDefaultSecurityRule adapter (#4216)

<img width="1474" height="1002" alt="image"
src="https://github.com/user-attachments/assets/8b62255e-97f6-4f78-94d7-2a62b1553c48"
/>

<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Medium Risk**
> Adds a new Azure discovery adapter and client wiring that will
increase API calls and linked-query generation for NSG scans. Risk is
moderate because it touches adapter initialization/registration and
paging logic, but is isolated to a new resource type.
>
> **Overview**
> Adds support for discovering Azure NSG *default* security rules by
introducing a new `NetworkDefaultSecurityRule` searchable adapter,
including `Get`, `Search`, and streaming search, and wiring it into the
Azure manual adapter registry.
>
> Introduces a thin `DefaultSecurityRulesClient` wrapper (with generated
GoMock) and updates resource-ID path extraction to understand
`azure-network-default-security-rule`; includes a dedicated unit test
suite covering paging, validation, and error cases.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
83470e2e2e56c5effbd6bbf5b777f1b1fc789bb9. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: 3fb0c7bdbef4b58a368deeffa2e726c9a2aaa793

Author: Lionel-Wilson

sources/azure/clients/default-security-rules-client.go

@@ -0,0 +1,35 @@
+package clients
+
+import (
+	"context"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v9"
+)
+
+//go:generate mockgen -destination=../shared/mocks/mock_default_security_rules_client.go -package=mocks -source=default-security-rules-client.go
+
+// DefaultSecurityRulesPager is a type alias for the generic Pager interface with default security rules list response type.
+type DefaultSecurityRulesPager = Pager[armnetwork.DefaultSecurityRulesClientListResponse]
+
+// DefaultSecurityRulesClient is an interface for interacting with Azure NSG default security rules (child of network security group).
+type DefaultSecurityRulesClient interface {
+	Get(ctx context.Context, resourceGroupName string, networkSecurityGroupName string, defaultSecurityRuleName string, options *armnetwork.DefaultSecurityRulesClientGetOptions) (armnetwork.DefaultSecurityRulesClientGetResponse, error)
+	NewListPager(resourceGroupName string, networkSecurityGroupName string, options *armnetwork.DefaultSecurityRulesClientListOptions) DefaultSecurityRulesPager
+}
+
+type defaultSecurityRulesClient struct {
+	client *armnetwork.DefaultSecurityRulesClient
+}
+
+func (c *defaultSecurityRulesClient) Get(ctx context.Context, resourceGroupName string, networkSecurityGroupName string, defaultSecurityRuleName string, options *armnetwork.DefaultSecurityRulesClientGetOptions) (armnetwork.DefaultSecurityRulesClientGetResponse, error) {
+	return c.client.Get(ctx, resourceGroupName, networkSecurityGroupName, defaultSecurityRuleName, options)
+}
+
+func (c *defaultSecurityRulesClient) NewListPager(resourceGroupName string, networkSecurityGroupName string, options *armnetwork.DefaultSecurityRulesClientListOptions) DefaultSecurityRulesPager {
+	return c.client.NewListPager(resourceGroupName, networkSecurityGroupName, options)
+}
+
+// NewDefaultSecurityRulesClient creates a new DefaultSecurityRulesClient from the Azure SDK client.
+func NewDefaultSecurityRulesClient(client *armnetwork.DefaultSecurityRulesClient) DefaultSecurityRulesClient {
+	return &defaultSecurityRulesClient{client: client}
+}

sources/azure/manual/adapters.go

@@ -237,6 +237,11 @@ func Adapters(ctx context.Context, subscriptionID string, regions []string, cred
 			return nil, fmt.Errorf("failed to create security rules client: %w", err)
 		}
 
+		defaultSecurityRulesClient, err := armnetwork.NewDefaultSecurityRulesClient(subscriptionID, cred, nil)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create default security rules client: %w", err)
+		}
+
 		applicationGatewaysClient, err := armnetwork.NewApplicationGatewaysClient(subscriptionID, cred, nil)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create application gateways client: %w", err)
@@ -594,6 +599,10 @@ func Adapters(ctx context.Context, subscriptionID string, regions []string, cred
 					clients.NewSecurityRulesClient(securityRulesClient),
 					resourceGroupScopes,
 				), cache),
+				sources.WrapperToAdapter(NewNetworkDefaultSecurityRule(
+					clients.NewDefaultSecurityRulesClient(defaultSecurityRulesClient),
+					resourceGroupScopes,
+				), cache),
 				sources.WrapperToAdapter(NewNetworkApplicationGateway(
 					clients.NewApplicationGatewaysClient(applicationGatewaysClient),
 					resourceGroupScopes,
@@ -763,6 +772,7 @@ func Adapters(ctx context.Context, subscriptionID string, regions []string, cred
 			sources.WrapperToAdapter(NewNetworkNetworkSecurityGroup(nil, placeholderResourceGroupScopes), noOpCache),
 			sources.WrapperToAdapter(NewNetworkApplicationSecurityGroup(nil, placeholderResourceGroupScopes), noOpCache),
 			sources.WrapperToAdapter(NewNetworkSecurityRule(nil, placeholderResourceGroupScopes), noOpCache),
+			sources.WrapperToAdapter(NewNetworkDefaultSecurityRule(nil, placeholderResourceGroupScopes), noOpCache),
 			sources.WrapperToAdapter(NewNetworkRouteTable(nil, placeholderResourceGroupScopes), noOpCache),
 			sources.WrapperToAdapter(NewNetworkApplicationGateway(nil, placeholderResourceGroupScopes), noOpCache),
 			sources.WrapperToAdapter(NewNetworkVirtualNetworkGateway(nil, placeholderResourceGroupScopes), noOpCache),

sources/azure/manual/network-default-security-rule.go

@@ -0,0 +1,262 @@
+package manual
+
+import (
+	"context"
+	"errors"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v9"
+	"github.com/overmindtech/cli/go/discovery"
+	"github.com/overmindtech/cli/go/sdp-go"
+	"github.com/overmindtech/cli/go/sdpcache"
+	"github.com/overmindtech/cli/sources"
+	"github.com/overmindtech/cli/sources/azure/clients"
+	azureshared "github.com/overmindtech/cli/sources/azure/shared"
+	"github.com/overmindtech/cli/sources/shared"
+	"github.com/overmindtech/cli/sources/stdlib"
+)
+
+var NetworkDefaultSecurityRuleLookupByUniqueAttr = shared.NewItemTypeLookup("uniqueAttr", azureshared.NetworkDefaultSecurityRule)
+
+type networkDefaultSecurityRuleWrapper struct {
+	client clients.DefaultSecurityRulesClient
+	*azureshared.MultiResourceGroupBase
+}
+
+// NewNetworkDefaultSecurityRule creates a new networkDefaultSecurityRuleWrapper instance (SearchableWrapper: child of network security group).
+func NewNetworkDefaultSecurityRule(client clients.DefaultSecurityRulesClient, resourceGroupScopes []azureshared.ResourceGroupScope) sources.SearchableWrapper {
+	return &networkDefaultSecurityRuleWrapper{
+		client: client,
+		MultiResourceGroupBase: azureshared.NewMultiResourceGroupBase(
+			resourceGroupScopes,
+			sdp.AdapterCategory_ADAPTER_CATEGORY_NETWORK,
+			azureshared.NetworkDefaultSecurityRule,
+		),
+	}
+}
+
+func (n networkDefaultSecurityRuleWrapper) Get(ctx context.Context, scope string, queryParts ...string) (*sdp.Item, *sdp.QueryError) {
+	if len(queryParts) < 2 {
+		return nil, &sdp.QueryError{
+			ErrorType:   sdp.QueryError_OTHER,
+			ErrorString: "Get requires 2 query parts: networkSecurityGroupName and defaultSecurityRuleName",
+			Scope:       scope,
+			ItemType:    n.Type(),
+		}
+	}
+	nsgName := queryParts[0]
+	ruleName := queryParts[1]
+	if ruleName == "" {
+		return nil, azureshared.QueryError(errors.New("default security rule name cannot be empty"), scope, n.Type())
+	}
+
+	rgScope, err := n.ResourceGroupScopeFromScope(scope)
+	if err != nil {
+		return nil, azureshared.QueryError(err, scope, n.Type())
+	}
+	resp, err := n.client.Get(ctx, rgScope.ResourceGroup, nsgName, ruleName, nil)
+	if err != nil {
+		return nil, azureshared.QueryError(err, scope, n.Type())
+	}
+
+	return n.azureDefaultSecurityRuleToSDPItem(&resp.SecurityRule, nsgName, ruleName, scope)
+}
+
+func (n networkDefaultSecurityRuleWrapper) GetLookups() sources.ItemTypeLookups {
+	return sources.ItemTypeLookups{
+		NetworkNetworkSecurityGroupLookupByName,
+		NetworkDefaultSecurityRuleLookupByUniqueAttr,
+	}
+}
+
+func (n networkDefaultSecurityRuleWrapper) Search(ctx context.Context, scope string, queryParts ...string) ([]*sdp.Item, *sdp.QueryError) {
+	if len(queryParts) < 1 {
+		return nil, &sdp.QueryError{
+			ErrorType:   sdp.QueryError_OTHER,
+			ErrorString: "Search requires 1 query part: networkSecurityGroupName",
+			Scope:       scope,
+			ItemType:    n.Type(),
+		}
+	}
+	nsgName := queryParts[0]
+
+	rgScope, err := n.ResourceGroupScopeFromScope(scope)
+	if err != nil {
+		return nil, azureshared.QueryError(err, scope, n.Type())
+	}
+	pager := n.client.NewListPager(rgScope.ResourceGroup, nsgName, nil)
+
+	var items []*sdp.Item
+	for pager.More() {
+		page, err := pager.NextPage(ctx)
+		if err != nil {
+			return nil, azureshared.QueryError(err, scope, n.Type())
+		}
+		for _, rule := range page.Value {
+			if rule == nil || rule.Name == nil {
+				continue
+			}
+			item, sdpErr := n.azureDefaultSecurityRuleToSDPItem(rule, nsgName, *rule.Name, scope)
+			if sdpErr != nil {
+				return nil, sdpErr
+			}
+			items = append(items, item)
+		}
+	}
+	return items, nil
+}
+
+func (n networkDefaultSecurityRuleWrapper) SearchStream(ctx context.Context, stream discovery.QueryResultStream, cache sdpcache.Cache, cacheKey sdpcache.CacheKey, scope string, queryParts ...string) {
+	if len(queryParts) < 1 {
+		stream.SendError(azureshared.QueryError(errors.New("Search requires 1 query part: networkSecurityGroupName"), scope, n.Type()))
+		return
+	}
+	nsgName := queryParts[0]
+
+	rgScope, err := n.ResourceGroupScopeFromScope(scope)
+	if err != nil {
+		stream.SendError(azureshared.QueryError(err, scope, n.Type()))
+		return
+	}
+	pager := n.client.NewListPager(rgScope.ResourceGroup, nsgName, nil)
+	for pager.More() {
+		page, err := pager.NextPage(ctx)
+		if err != nil {
+			stream.SendError(azureshared.QueryError(err, scope, n.Type()))
+			return
+		}
+		for _, rule := range page.Value {
+			if rule == nil || rule.Name == nil {
+				continue
+			}
+			item, sdpErr := n.azureDefaultSecurityRuleToSDPItem(rule, nsgName, *rule.Name, scope)
+			if sdpErr != nil {
+				stream.SendError(sdpErr)
+				continue
+			}
+			cache.StoreItem(ctx, item, shared.DefaultCacheDuration, cacheKey)
+			stream.SendItem(item)
+		}
+	}
+}
+
+func (n networkDefaultSecurityRuleWrapper) SearchLookups() []sources.ItemTypeLookups {
+	return []sources.ItemTypeLookups{
+		{NetworkNetworkSecurityGroupLookupByName},
+	}
+}
+
+func (n networkDefaultSecurityRuleWrapper) azureDefaultSecurityRuleToSDPItem(rule *armnetwork.SecurityRule, nsgName, ruleName, scope string) (*sdp.Item, *sdp.QueryError) {
+	attributes, err := shared.ToAttributesWithExclude(rule, "tags")
+	if err != nil {
+		return nil, azureshared.QueryError(err, scope, n.Type())
+	}
+
+	err = attributes.Set("uniqueAttr", shared.CompositeLookupKey(nsgName, ruleName))
+	if err != nil {
+		return nil, azureshared.QueryError(err, scope, n.Type())
+	}
+
+	sdpItem := &sdp.Item{
+		Type:            azureshared.NetworkDefaultSecurityRule.String(),
+		UniqueAttribute: "uniqueAttr",
+		Attributes:      attributes,
+		Scope:           scope,
+	}
+
+	// Link to parent Network Security Group
+	sdpItem.LinkedItemQueries = append(sdpItem.LinkedItemQueries, &sdp.LinkedItemQuery{
+		Query: &sdp.Query{
+			Type:   azureshared.NetworkNetworkSecurityGroup.String(),
+			Method: sdp.QueryMethod_GET,
+			Query:  nsgName,
+			Scope:  scope,
+		},
+	})
+
+	if rule.Properties != nil {
+		// Link to SourceApplicationSecurityGroups
+		if rule.Properties.SourceApplicationSecurityGroups != nil {
+			for _, asgRef := range rule.Properties.SourceApplicationSecurityGroups {
+				if asgRef != nil && asgRef.ID != nil {
+					asgName := azureshared.ExtractResourceName(*asgRef.ID)
+					if asgName != "" {
+						linkScope := scope
+						if extractedScope := azureshared.ExtractScopeFromResourceID(*asgRef.ID); extractedScope != "" {
+							linkScope = extractedScope
+						}
+						sdpItem.LinkedItemQueries = append(sdpItem.LinkedItemQueries, &sdp.LinkedItemQuery{
+							Query: &sdp.Query{
+								Type:   azureshared.NetworkApplicationSecurityGroup.String(),
+								Method: sdp.QueryMethod_GET,
+								Query:  asgName,
+								Scope:  linkScope,
+							},
+						})
+					}
+				}
+			}
+		}
+
+		// Link to DestinationApplicationSecurityGroups
+		if rule.Properties.DestinationApplicationSecurityGroups != nil {
+			for _, asgRef := range rule.Properties.DestinationApplicationSecurityGroups {
+				if asgRef != nil && asgRef.ID != nil {
+					asgName := azureshared.ExtractResourceName(*asgRef.ID)
+					if asgName != "" {
+						linkScope := scope
+						if extractedScope := azureshared.ExtractScopeFromResourceID(*asgRef.ID); extractedScope != "" {
+							linkScope = extractedScope
+						}
+						sdpItem.LinkedItemQueries = append(sdpItem.LinkedItemQueries, &sdp.LinkedItemQuery{
+							Query: &sdp.Query{
+								Type:   azureshared.NetworkApplicationSecurityGroup.String(),
+								Method: sdp.QueryMethod_GET,
+								Query:  asgName,
+								Scope:  linkScope,
+							},
+						})
+					}
+				}
+			}
+		}
+
+		// Link to stdlib.NetworkIP for source/destination address prefixes when they are IPs or CIDRs
+		if rule.Properties.SourceAddressPrefix != nil {
+			appendIPOrCIDRLinkIfValid(&sdpItem.LinkedItemQueries, *rule.Properties.SourceAddressPrefix)
+		}
+		for _, p := range rule.Properties.SourceAddressPrefixes {
+			if p != nil {
+				appendIPOrCIDRLinkIfValid(&sdpItem.LinkedItemQueries, *p)
+			}
+		}
+		if rule.Properties.DestinationAddressPrefix != nil {
+			appendIPOrCIDRLinkIfValid(&sdpItem.LinkedItemQueries, *rule.Properties.DestinationAddressPrefix)
+		}
+		for _, p := range rule.Properties.DestinationAddressPrefixes {
+			if p != nil {
+				appendIPOrCIDRLinkIfValid(&sdpItem.LinkedItemQueries, *p)
+			}
+		}
+	}
+
+	return sdpItem, nil
+}
+
+func (n networkDefaultSecurityRuleWrapper) PotentialLinks() map[shared.ItemType]bool {
+	return shared.NewItemTypesSet(
+		azureshared.NetworkNetworkSecurityGroup,
+		azureshared.NetworkApplicationSecurityGroup,
+		stdlib.NetworkIP,
+	)
+}
+
+// ref: https://learn.microsoft.com/en-us/rest/api/virtualnetwork/network-security-groups/get#defaultsecurityrules
+func (n networkDefaultSecurityRuleWrapper) IAMPermissions() []string {
+	return []string{
+		"Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
+	}
+}
+
+func (n networkDefaultSecurityRuleWrapper) PredefinedRole() string {
+	return "Reader"
+}