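package ecr

import (
	"testing"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/ecr"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"

	"github.com/khulnasoft-lab/defsec/internal/adapters/terraform/tftestutil"

	"github.com/khulnasoft-lab/defsec/test/testutil"
	"github.com/liamg/iamgo"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// configuredRepositoryHCL is the fixture shared by Test_adaptRepository and
// TestLines: a KMS-encrypted, scan-on-push, tag-mutable repository plus a
// repository policy whose single statement allows the listed ecr:* actions
// to every principal ("Principal": "*").
//
// TestLines asserts source positions against this exact text (the KMS key
// occupies lines 2-4, the repository 6-18, the policy resource 20-51 and the
// policy heredoc 23-50), so the line layout must not change without updating
// those expectations.
const configuredRepositoryHCL = `
resource "aws_kms_key" "ecr_kms" {
	enable_key_rotation = true
}

resource "aws_ecr_repository" "foo" {
	name                 = "bar"
	image_tag_mutability = "MUTABLE"

	image_scanning_configuration {
		scan_on_push = true
	}

	encryption_configuration {
		encryption_type = "KMS"
		kms_key         = aws_kms_key.ecr_kms.key_id
	}
}

resource "aws_ecr_repository_policy" "foopolicy" {
	repository = aws_ecr_repository.foo.name

	policy = <<EOF
{
	"Version": "2008-10-17",
	"Statement": [
		{
			"Sid": "new policy",
			"Effect": "Allow",
			"Principal": "*",
			"Action": [
				"ecr:GetDownloadUrlForLayer",
				"ecr:BatchGetImage",
				"ecr:BatchCheckLayerAvailability",
				"ecr:PutImage",
				"ecr:InitiateLayerUpload",
				"ecr:UploadLayerPart",
				"ecr:CompleteLayerUpload",
				"ecr:DescribeRepositories",
				"ecr:GetRepositoryPolicy",
				"ecr:ListImages",
				"ecr:DeleteRepository",
				"ecr:BatchDeleteImage",
				"ecr:SetRepositoryPolicy",
				"ecr:DeleteRepositoryPolicy"
			]
		}
	]
}
EOF
}
`

// Test_adaptRepository checks that adaptRepository maps a single
// aws_ecr_repository block (and any aws_ecr_repository_policy attached to
// it) onto the ecr.Repository model, both for a fully configured resource
// and for a bare resource where every value falls back to its default.
func Test_adaptRepository(t *testing.T) {
	tests := []struct {
		name      string
		terraform string
		expected  ecr.Repository
	}{
		{
			name:      "configured",
			terraform: configuredRepositoryHCL,
			expected: ecr.Repository{
				Metadata: defsecTypes.NewTestMetadata(),
				// image_tag_mutability = "MUTABLE" is modelled as "not immutable".
				ImageTagsImmutable: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
				ImageScanning: ecr.ImageScanning{
					Metadata:   defsecTypes.NewTestMetadata(),
					ScanOnPush: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
				},
				Encryption: ecr.Encryption{
					Metadata: defsecTypes.NewTestMetadata(),
					Type:     defsecTypes.String("KMS", defsecTypes.NewTestMetadata()),
					// The kms_key reference resolves to the referenced resource's ID.
					KMSKeyID: defsecTypes.String("aws_kms_key.ecr_kms", defsecTypes.NewTestMetadata()),
				},
				Policies: []iam.Policy{
					{
						Metadata: defsecTypes.NewTestMetadata(),
						Name:     defsecTypes.StringDefault("", defsecTypes.NewTestMetadata()),
						// Mirrors the heredoc policy in the fixture; the wildcard
						// principal is expected to surface as WithAllPrincipals(true).
						Document: func() iam.Document {
							builder := iamgo.NewPolicyBuilder()
							builder.WithVersion("2008-10-17")

							sb := iamgo.NewStatementBuilder()
							sb.WithSid("new policy")
							sb.WithEffect(iamgo.EffectAllow)
							sb.WithActions([]string{
								"ecr:GetDownloadUrlForLayer",
								"ecr:BatchGetImage",
								"ecr:BatchCheckLayerAvailability",
								"ecr:PutImage",
								"ecr:InitiateLayerUpload",
								"ecr:UploadLayerPart",
								"ecr:CompleteLayerUpload",
								"ecr:DescribeRepositories",
								"ecr:GetRepositoryPolicy",
								"ecr:ListImages",
								"ecr:DeleteRepository",
								"ecr:BatchDeleteImage",
								"ecr:SetRepositoryPolicy",
								"ecr:DeleteRepositoryPolicy",
							})
							sb.WithAllPrincipals(true)
							builder.WithStatement(sb.Build())

							return iam.Document{
								Parsed:   builder.Build(),
								Metadata: defsecTypes.NewTestMetadata(),
							}
						}(),
						Builtin: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					},
				},
			},
		},
		{
			name: "defaults",
			terraform: `
resource "aws_ecr_repository" "foo" {
}
`,
			expected: ecr.Repository{
				Metadata:           defsecTypes.NewTestMetadata(),
				ImageTagsImmutable: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
				ImageScanning: ecr.ImageScanning{
					Metadata:   defsecTypes.NewTestMetadata(),
					ScanOnPush: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
				},
				Encryption: ecr.Encryption{
					Metadata: defsecTypes.NewTestMetadata(),
					// Absent encryption_configuration is expected to adapt to AES256
					// with no key ID.
					Type:     defsecTypes.String("AES256", defsecTypes.NewTestMetadata()),
					KMSKeyID: defsecTypes.String("", defsecTypes.NewTestMetadata()),
				},
			},
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf")

			// Pick the repository resource by type instead of GetBlocks()[0]:
			// the "configured" fixture declares aws_kms_key before the
			// repository, so positional selection depends on block ordering.
			repoBlocks := modules.GetResourcesByType("aws_ecr_repository")
			require.Len(t, repoBlocks, 1)

			adapted := adaptRepository(repoBlocks[0], modules[0], modules)
			testutil.AssertDefsecEqual(t, test.expected, adapted)
		})
	}
}

// TestLines checks that every adapted value carries the source range of the
// HCL that produced it, so findings can be reported against the right lines
// of configuredRepositoryHCL.
func TestLines(t *testing.T) {
	modules := tftestutil.CreateModulesFromSource(t, configuredRepositoryHCL, ".tf")
	adapted := Adapt(modules)

	require.Len(t, adapted.Repositories, 1)
	repo := adapted.Repositories[0]

	assert.Equal(t, 6, repo.Metadata.Range().GetStartLine())
	assert.Equal(t, 18, repo.Metadata.Range().GetEndLine())

	assert.Equal(t, 8, repo.ImageTagsImmutable.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 8, repo.ImageTagsImmutable.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 10, repo.ImageScanning.Metadata.Range().GetStartLine())
	assert.Equal(t, 12, repo.ImageScanning.Metadata.Range().GetEndLine())

	assert.Equal(t, 11, repo.ImageScanning.ScanOnPush.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 11, repo.ImageScanning.ScanOnPush.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 14, repo.Encryption.Metadata.Range().GetStartLine())
	assert.Equal(t, 17, repo.Encryption.Metadata.Range().GetEndLine())

	assert.Equal(t, 15, repo.Encryption.Type.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 15, repo.Encryption.Type.GetMetadata().Range().GetEndLine())

	// The key ID is attributed to the referenced aws_kms_key block, not to
	// the kms_key attribute inside the repository.
	assert.Equal(t, 2, repo.Encryption.KMSKeyID.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 4, repo.Encryption.KMSKeyID.GetMetadata().Range().GetEndLine())

	// Guard the index so a missing policy fails the assertion instead of panicking.
	require.Len(t, repo.Policies, 1)
	policy := repo.Policies[0]

	assert.Equal(t, 20, policy.Metadata.Range().GetStartLine())
	assert.Equal(t, 51, policy.Metadata.Range().GetEndLine())

	assert.Equal(t, 23, policy.Document.Metadata.Range().GetStartLine())
	assert.Equal(t, 50, policy.Document.Metadata.Range().GetEndLine())
}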