
     1  package iam
     2  
     3  import (
     4  	"testing"
     5  
     6  	"github.com/khulnasoft-lab/defsec/internal/adapters/terraform/tftestutil"
     7  
     8  	"github.com/stretchr/testify/assert"
     9  	"github.com/stretchr/testify/require"
    10  )
    11  
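// Test_adaptRoles checks that adaptRoles turns an aws_iam_role plus its
// attached aws_iam_role_policy into exactly one role whose inline policy
// document is parsed, and that every piece of metadata points back at the
// correct lines of the Terraform source.
//
// All expected line numbers below refer to lines of the src fixture, where
// line 1 is the aws_iam_role_policy block. The fixture's policy document
// grants "s3:*" on "*" to a principal in another account; that breadth is
// deliberate so the parsed actions, resources and principals are unambiguous
// to assert on. This test exercises adaptation only and does not evaluate
// how permissive the policy is.
func Test_adaptRoles(t *testing.T) {
	src := `resource "aws_iam_role_policy" "test_policy" {
 	name = "test_policy"
 	role = aws_iam_role.test_role.id
 
 	policy = data.aws_iam_policy_document.s3_policy.json
 }
 
 resource "aws_iam_role" "test_role" {
 	name = "test_role"
 	assume_role_policy = jsonencode({
 		Version = "2012-10-17"
 		Statement = [
 		{
 			Action = "sts:AssumeRole"
 			Effect = "Allow"
 			Sid    = ""
 			Principal = {
 			Service = "s3.amazonaws.com"
 			}
 		},
 		]
 	})
 }
 
 data "aws_iam_policy_document" "s3_policy" {
   statement {
     principals {
       type        = "AWS"
       identifiers = ["arn:aws:iam::123:root"]
     }
   actions   = ["s3:*"]
   resources = ["*"]
   }
 }`

	modules := tftestutil.CreateModulesFromSource(t, src, ".tf")
	roles := adaptRoles(modules)
	require.Len(t, roles, 1)
	role := roles[0]

	// testify's Equal takes (t, expected, actual); expected is kept first
	// throughout so failure output labels the two values correctly.
	assert.True(t, role.Name.EqualTo("test_role"))
	assert.Equal(t, 9, role.Name.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 9, role.Name.GetMetadata().Range().GetEndLine())

	// The aws_iam_role_policy block (fixture lines 1-6) must be attached to
	// the role it references through its `role` attribute.
	require.Len(t, role.Policies, 1)
	policy := role.Policies[0]
	assert.Equal(t, 1, policy.Metadata.Range().GetStartLine())
	assert.Equal(t, 6, policy.Metadata.Range().GetEndLine())
	assert.True(t, policy.Name.EqualTo("test_policy"))
	assert.Equal(t, 2, policy.Name.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 2, policy.Name.GetMetadata().Range().GetEndLine())

	// The policy attribute points at the aws_iam_policy_document data source,
	// so the document's metadata should resolve to that block (lines 25-34),
	// not to the `policy = ...` line inside the role policy.
	doc := policy.Document
	assert.Equal(t, 25, doc.Metadata.Range().GetStartLine())
	assert.Equal(t, 34, doc.Metadata.Range().GetEndLine())

	statements, r := doc.Parsed.Statements()
	require.Len(t, statements, 1)
	assert.Equal(t, 26, r.StartLine)
	assert.Equal(t, 33, r.EndLine)

	statement := statements[0]
	assert.Equal(t, 26, statement.Range().StartLine)
	assert.Equal(t, 33, statement.Range().EndLine)

	actions, r := statement.Actions()
	assert.Equal(t, 31, r.StartLine)
	assert.Equal(t, 31, r.EndLine)
	require.Len(t, actions, 1)
	action := actions[0]
	assert.Equal(t, "s3:*", action)

	resources, r := statement.Resources()
	assert.Equal(t, 32, r.StartLine)
	assert.Equal(t, 32, r.EndLine)
	require.Len(t, resources, 1)
	resource := resources[0]
	assert.Equal(t, "*", resource)

	principals, r := statement.Principals()
	assert.Equal(t, 27, r.StartLine)
	assert.Equal(t, 30, r.EndLine)

	aws, r := principals.AWS()
	assert.Equal(t, 27, r.StartLine)
	assert.Equal(t, 30, r.EndLine)
	require.Len(t, aws, 1)
	assert.Equal(t, "arn:aws:iam::123:root", aws[0])

	// Round-trip: the range reported by the parsed document for the AWS
	// principals must convert back into defsec metadata covering the same
	// fixture lines.
	rerange := doc.MetadataFromIamGo(r).Range()
	assert.Equal(t, 27, rerange.GetStartLine())
	assert.Equal(t, 30, rerange.GetEndLine())
}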