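package iam

import (
	"testing"

	defsecTypes "github.com/aquasecurity/defsec/pkg/types"

	"github.com/aquasecurity/defsec/pkg/providers/google/iam"
	"github.com/aquasecurity/trivy-iac/internal/adapters/terraform/tftestutil"
	"github.com/aquasecurity/trivy-iac/test/testutil"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// Test_Adapt runs a small Terraform configuration through Adapt and compares
// the resulting iam.IAM tree (organization, project, folder, members, bindings
// and workload identity pool provider) field by field with an expected value.
//
// Every principal in the fixture is a plain "user:" member, so the adapter's
// DefaultServiceAccount / IncludesDefaultServiceAccount outputs are only ever
// asserted as false here. NOTE(review): the true branch of that detection is
// not covered by this file — confirm it is exercised elsewhere.
func Test_Adapt(t *testing.T) {
	tests := []struct {
		name      string
		terraform string
		expected  iam.IAM
	}{
		{
			name: "basic",
			terraform: `
data "google_organization" "org" {
  domain = "example.com"
}

resource "google_project" "my_project" {
  name                = "My Project"
  project_id          = "your-project-id"
  org_id              = data.google_organization.org.id
  auto_create_network = true
}

resource "google_folder" "department1" {
  display_name = "Department 1"
  parent       = data.google_organization.org.id
}

resource "google_folder_iam_member" "admin" {
  folder = google_folder.department1.name
  role   = "roles/editor"
  member = "user:alice@gmail.com"
}

resource "google_folder_iam_binding" "folder-123" {
  folder = google_folder.department1.name
  role   = "roles/nothing"
  members = [
    "user:not-alice@gmail.com",
  ]
}

resource "google_organization_iam_member" "org-123" {
  org_id = data.google_organization.org.id
  role   = "roles/whatever"
  member = "user:member@gmail.com"
}

resource "google_organization_iam_binding" "binding" {
  org_id = data.google_organization.org.id
  role   = "roles/browser"

  members = [
    "user:member_2@gmail.com",
  ]
}

resource "google_iam_workload_identity_pool_provider" "example" {
  workload_identity_pool_id          = "example-pool"
  workload_identity_pool_provider_id = "example-provider"
  attribute_condition                = "assertion.repository_owner=='your-github-organization'"
}
`,
			expected: iam.IAM{
				Organizations: []iam.Organization{
					{
						Metadata: defsecTypes.NewTestMetadata(),

						Projects: []iam.Project{
							{
								Metadata:          defsecTypes.NewTestMetadata(),
								AutoCreateNetwork: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
							},
						},

						Folders: []iam.Folder{
							{
								Metadata: defsecTypes.NewTestMetadata(),
								Members: []iam.Member{
									{
										Metadata:              defsecTypes.NewTestMetadata(),
										Member:                defsecTypes.String("user:alice@gmail.com", defsecTypes.NewTestMetadata()),
										Role:                  defsecTypes.String("roles/editor", defsecTypes.NewTestMetadata()),
										DefaultServiceAccount: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
									},
								},
								Bindings: []iam.Binding{
									{
										Metadata: defsecTypes.NewTestMetadata(),
										Members: []defsecTypes.StringValue{
											defsecTypes.String("user:not-alice@gmail.com", defsecTypes.NewTestMetadata()),
										},
										Role:                          defsecTypes.String("roles/nothing", defsecTypes.NewTestMetadata()),
										IncludesDefaultServiceAccount: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
									},
								},
							},
						},

						Members: []iam.Member{
							{
								Metadata:              defsecTypes.NewTestMetadata(),
								Member:                defsecTypes.String("user:member@gmail.com", defsecTypes.NewTestMetadata()),
								Role:                  defsecTypes.String("roles/whatever", defsecTypes.NewTestMetadata()),
								DefaultServiceAccount: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
							},
						},

						Bindings: []iam.Binding{
							{
								Metadata: defsecTypes.NewTestMetadata(),
								Members: []defsecTypes.StringValue{
									defsecTypes.String("user:member_2@gmail.com", defsecTypes.NewTestMetadata()),
								},
								Role:                          defsecTypes.String("roles/browser", defsecTypes.NewTestMetadata()),
								IncludesDefaultServiceAccount: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
							},
						},
					},
				},
				WorkloadIdentityPoolProviders: []iam.WorkloadIdentityPoolProvider{
					{
						Metadata: defsecTypes.NewTestMetadata(),

						WorkloadIdentityPoolId:         defsecTypes.String("example-pool", defsecTypes.NewTestMetadata()),
						WorkloadIdentityPoolProviderId: defsecTypes.String("example-provider", defsecTypes.NewTestMetadata()),
						AttributeCondition:             defsecTypes.String("assertion.repository_owner=='your-github-organization'", defsecTypes.NewTestMetadata()),
					},
				},
			},
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf")
			adapted := Adapt(modules)
			// AssertDefsecEqual compares values while tolerating the test
			// metadata placeholders used in `expected`.
			testutil.AssertDefsecEqual(t, test.expected, adapted)
		})
	}
}

// TestLines checks that Adapt attaches accurate source ranges to every
// adapted object and attribute, so that findings from policy checks can be
// traced back to the exact Terraform lines that produced them.
//
// Line numbers below are 1-based positions inside the raw string literal.
// The literal opens with a newline, so the first HCL line ("data ...") is
// line 2; keep that in mind when editing the fixture.
func TestLines(t *testing.T) {
	src := `
data "google_organization" "org" {
  domain = "example.com"
}

resource "google_project" "my_project" {
  name                = "My Project"
  project_id          = "your-project-id"
  org_id              = data.google_organization.org.id
  auto_create_network = true
}

resource "google_folder" "department1" {
  display_name = "Department 1"
  parent       = data.google_organization.org.id
}

resource "google_folder_iam_binding" "folder-123" {
  folder = google_folder.department1.name
  role   = "roles/nothing"
  members = [
    "user:not-alice@gmail.com",
  ]
}

resource "google_folder_iam_member" "admin" {
  folder = google_folder.department1.name
  role   = "roles/editor"
  member = "user:alice@gmail.com"
}

resource "google_organization_iam_member" "org-123" {
  org_id = data.google_organization.org.id
  role   = "roles/whatever"
  member = "user:member@gmail.com"
}

resource "google_organization_iam_binding" "binding" {
  org_id = data.google_organization.org.id
  role   = "roles/browser"

  members = [
    "user:member_2@gmail.com",
  ]
}

resource "google_iam_workload_identity_pool_provider" "example" {
  workload_identity_pool_id          = "example-pool"
  workload_identity_pool_provider_id = "example-provider"
  attribute_condition                = "assertion.repository_owner=='your-github-organization'"
}`

	modules := tftestutil.CreateModulesFromSource(t, src, ".tf")
	adapted := Adapt(modules)

	// Fail fast on shape before indexing into the slices below.
	require.Len(t, adapted.Organizations, 1)
	require.Len(t, adapted.Organizations[0].Projects, 1)
	require.Len(t, adapted.Organizations[0].Folders, 1)
	require.Len(t, adapted.Organizations[0].Bindings, 1)
	require.Len(t, adapted.Organizations[0].Members, 1)
	require.Len(t, adapted.WorkloadIdentityPoolProviders, 1)

	org := adapted.Organizations[0]
	project := org.Projects[0]
	folder := org.Folders[0]
	binding := org.Bindings[0]
	member := org.Members[0]
	pool := adapted.WorkloadIdentityPoolProviders[0]

	// google_project: block spans the resource line through its closing brace.
	assert.Equal(t, 6, project.Metadata.Range().GetStartLine())
	assert.Equal(t, 11, project.Metadata.Range().GetEndLine())

	assert.Equal(t, 10, project.AutoCreateNetwork.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 10, project.AutoCreateNetwork.GetMetadata().Range().GetEndLine())

	// google_folder
	assert.Equal(t, 13, folder.Metadata.Range().GetStartLine())
	assert.Equal(t, 16, folder.Metadata.Range().GetEndLine())

	// google_folder_iam_binding: a multi-line members list keeps its full range.
	assert.Equal(t, 18, folder.Bindings[0].Metadata.Range().GetStartLine())
	assert.Equal(t, 24, folder.Bindings[0].Metadata.Range().GetEndLine())

	assert.Equal(t, 20, folder.Bindings[0].Role.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 20, folder.Bindings[0].Role.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 21, folder.Bindings[0].Members[0].GetMetadata().Range().GetStartLine())
	assert.Equal(t, 23, folder.Bindings[0].Members[0].GetMetadata().Range().GetEndLine())

	// google_folder_iam_member
	assert.Equal(t, 26, folder.Members[0].Metadata.Range().GetStartLine())
	assert.Equal(t, 30, folder.Members[0].Metadata.Range().GetEndLine())

	assert.Equal(t, 29, folder.Members[0].Member.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 29, folder.Members[0].Member.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 28, folder.Members[0].Role.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 28, folder.Members[0].Role.GetMetadata().Range().GetEndLine())

	// google_organization_iam_member
	assert.Equal(t, 32, member.Metadata.Range().GetStartLine())
	assert.Equal(t, 36, member.Metadata.Range().GetEndLine())

	assert.Equal(t, 34, member.Role.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 34, member.Role.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 35, member.Member.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 35, member.Member.GetMetadata().Range().GetEndLine())

	// google_organization_iam_binding
	assert.Equal(t, 38, binding.Metadata.Range().GetStartLine())
	assert.Equal(t, 45, binding.Metadata.Range().GetEndLine())

	assert.Equal(t, 40, binding.Role.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 40, binding.Role.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 42, binding.Members[0].GetMetadata().Range().GetStartLine())
	assert.Equal(t, 44, binding.Members[0].GetMetadata().Range().GetEndLine())

	// google_iam_workload_identity_pool_provider: previously only the end line
	// was checked; the start line and the attribute_condition range are what
	// a finding about an overly broad trust condition would point at.
	assert.Equal(t, 47, pool.Metadata.Range().GetStartLine())
	assert.Equal(t, 51, pool.Metadata.Range().GetEndLine())

	assert.Equal(t, 50, pool.AttributeCondition.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 50, pool.AttributeCondition.GetMetadata().Range().GetEndLine())
}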