package iam

import (
	"testing"

	"github.com/aquasecurity/defsec/pkg/providers/aws/iam"
	defsecTypes "github.com/aquasecurity/defsec/pkg/types"

	"github.com/aquasecurity/trivy-iac/internal/adapters/terraform/tftestutil"
	"github.com/aquasecurity/trivy-iac/test/testutil"
)

// Test_adaptUsers checks that adaptUsers maps aws_iam_user resources, their
// inline policies (aws_iam_user_policy), policies attached through
// aws_iam_user_policy_attachment, and access keys (aws_iam_access_key) onto
// iam.User values. Every expected value carries test metadata, so the
// comparison done by testutil.AssertDefsecEqual is about user names, policy
// names and documents, and key status rather than source positions.
func Test_adaptUsers(t *testing.T) {
	// expectedUser builds one iam.User. Every case expects an unresolvable
	// LastAccess, so it is fixed here rather than repeated per case.
	expectedUser := func(name string, policies []iam.Policy, keys []iam.AccessKey) iam.User {
		return iam.User{
			Metadata:   defsecTypes.NewTestMetadata(),
			Name:       defsecTypes.String(name, defsecTypes.NewTestMetadata()),
			LastAccess: defsecTypes.TimeUnresolvable(defsecTypes.NewTestMetadata()),
			Policies:   policies,
			AccessKeys: keys,
		}
	}

	// expectedPolicy builds a non-builtin policy whose document is the
	// package's shared default policy fixture.
	expectedPolicy := func(name string) iam.Policy {
		return iam.Policy{
			Metadata: defsecTypes.NewTestMetadata(),
			Name:     defsecTypes.String(name, defsecTypes.NewTestMetadata()),
			Document: defaultPolicyDocuemnt(false), // helper name as spelled where it is defined in this package
			Builtin:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
		}
	}

	// expectedAccessKey builds an active access key. explicit is true when the
	// Terraform source sets status itself; when it is false the expectation
	// uses BoolDefault, recording that the value comes from a default rather
	// than from the source.
	expectedAccessKey := func(explicit bool) iam.AccessKey {
		if explicit {
			return iam.AccessKey{
				Metadata: defsecTypes.NewTestMetadata(),
				Active:   defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
			}
		}
		return iam.AccessKey{
			Metadata: defsecTypes.NewTestMetadata(),
			Active:   defsecTypes.BoolDefault(true, defsecTypes.NewTestMetadata()),
		}
	}

	cases := []struct {
		name string
		src  string
		want []iam.User
	}{
		{
			// Inline policy declared with aws_iam_user_policy.
			name: "policy",
			src: `
resource "aws_iam_user" "lb" {
  name = "loadbalancer"
  path = "/system/"
}

resource "aws_iam_user_policy" "policy" {
  name = "test"
  user = aws_iam_user.lb.name


  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:Describe*",
        ]
        Effect = "Allow"
        Resource = "*"
      },
    ]
  })
}
`,
			want: []iam.User{
				expectedUser("loadbalancer", []iam.Policy{expectedPolicy("test")}, nil),
			},
		},
		{
			// Standalone aws_iam_policy bound to the user via its ARN through
			// aws_iam_user_policy_attachment; the expected policy carries the
			// aws_iam_policy name, not the attachment's.
			name: "policy attachment",
			src: `
resource "aws_iam_user" "user" {
  name = "test-user"
}

resource "aws_iam_policy" "policy" {
  name        = "test-policy"
  description = "A test policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:Describe*",
        ]
        Effect = "Allow"
        Resource = "*"
      },
    ]
  })
}

resource "aws_iam_user_policy_attachment" "test-attach" {
  user       = aws_iam_user.user.name
  policy_arn = aws_iam_policy.policy.arn
}
`,
			want: []iam.User{
				expectedUser("test-user", []iam.Policy{expectedPolicy("test-policy")}, nil),
			},
		},
		{
			// Access key with an explicit status, declared before the user it
			// references.
			name: "access key",
			src: `
resource "aws_iam_access_key" "lb" {
  user    = aws_iam_user.lb.name
  pgp_key = "keybase:some_person_that_exists"
  status  = "Active"
}

resource "aws_iam_user" "lb" {
  name = "loadbalafncer"
  path = "/system/"
}
`,
			want: []iam.User{
				expectedUser("loadbalafncer", nil, []iam.AccessKey{expectedAccessKey(true)}),
			},
		},
		{
			// Same as above without a status attribute: the key is still
			// expected to be active, but flagged as a default value.
			name: "access key with default status",
			src: `
resource "aws_iam_access_key" "lb" {
  user    = aws_iam_user.lb.name
  pgp_key = "keybase:some_person_that_exists"
}

resource "aws_iam_user" "lb" {
  name = "loadbalafncer"
  path = "/system/"
}
`,
			want: []iam.User{
				expectedUser("loadbalafncer", nil, []iam.AccessKey{expectedAccessKey(false)}),
			},
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, tc.src, ".tf")
			got := adaptUsers(modules)
			testutil.AssertDefsecEqual(t, tc.want, got)
		})
	}
}