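package iam

import (
	"testing"

	"github.com/khulnasoft-lab/defsec/internal/adapters/terraform/tftestutil"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// Test_adaptRoles checks that adaptRoles turns an aws_iam_role plus its
// attached aws_iam_role_policy (backed by an aws_iam_policy_document data
// source) into exactly one role whose name, inline policy and parsed policy
// document all carry metadata that points back at the right lines of the
// Terraform source.
//
// Every line number asserted below is a 1-indexed line of the `src` literal,
// not of this Go file. The ranges matter because they are what a finding
// raised against this role is ultimately reported on; a mapping that drifts
// makes the finding point at the wrong line.
//
// The fixture is intentionally permissive-looking (s3:* on "*", granted to the
// root principal of another account) so that a non-trivial statement is
// present to parse. This test only verifies adaptation and source mapping; it
// does not evaluate the policy. The role's assume_role_policy (trust policy)
// is not asserted here, so whether adaptRoles surfaces it is not covered.
func Test_adaptRoles(t *testing.T) {
	src := `resource "aws_iam_role_policy" "test_policy" {
	name = "test_policy"
	role = aws_iam_role.test_role.id

	policy = data.aws_iam_policy_document.s3_policy.json
}

resource "aws_iam_role" "test_role" {
	name = "test_role"
	assume_role_policy = jsonencode({
		Version = "2012-10-17"
		Statement = [
			{
				Action = "sts:AssumeRole"
				Effect = "Allow"
				Sid = ""
				Principal = {
					Service = "s3.amazonaws.com"
				}
			},
		]
	})
}

data "aws_iam_policy_document" "s3_policy" {
	statement {
		principals {
			type = "AWS"
			identifiers = ["arn:aws:iam::123:root"]
		}
		actions = ["s3:*"]
		resources = ["*"]
	}
}`

	modules := tftestutil.CreateModulesFromSource(t, src, ".tf")
	roles := adaptRoles(modules)
	require.Len(t, roles, 1)
	role := roles[0]

	// Role name lives on line 9 of src. Expected value comes first in every
	// assert.Equal below so that failure messages read correctly.
	assert.True(t, role.Name.EqualTo("test_role"))
	assert.Equal(t, 9, role.Name.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 9, role.Name.GetMetadata().Range().GetEndLine())

	// The aws_iam_role_policy block occupies lines 1-6; its name is on line 2.
	require.Len(t, role.Policies, 1)
	policy := role.Policies[0]
	assert.Equal(t, 1, policy.Metadata.Range().GetStartLine())
	assert.Equal(t, 6, policy.Metadata.Range().GetEndLine())
	assert.True(t, policy.Name.EqualTo("test_policy"))
	assert.Equal(t, 2, policy.Name.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 2, policy.Name.GetMetadata().Range().GetEndLine())

	// The policy document's metadata must point at the data source block
	// (lines 25-34), not at the aws_iam_role_policy that references it.
	doc := policy.Document
	assert.Equal(t, 25, doc.Metadata.Range().GetStartLine())
	assert.Equal(t, 34, doc.Metadata.Range().GetEndLine())

	// The parsed (iam-go) document carries its own ranges; the single
	// statement block spans lines 26-33.
	statements, r := doc.Parsed.Statements()
	require.Len(t, statements, 1)
	assert.Equal(t, 26, r.StartLine)
	assert.Equal(t, 33, r.EndLine)

	statement := statements[0]
	assert.Equal(t, 26, statement.Range().StartLine)
	assert.Equal(t, 33, statement.Range().EndLine)

	// actions = ["s3:*"] is on line 31.
	actions, r := statement.Actions()
	assert.Equal(t, 31, r.StartLine)
	assert.Equal(t, 31, r.EndLine)
	require.Len(t, actions, 1)
	assert.Equal(t, "s3:*", actions[0])

	// resources = ["*"] is on line 32.
	resources, r := statement.Resources()
	assert.Equal(t, 32, r.StartLine)
	assert.Equal(t, 32, r.EndLine)
	require.Len(t, resources, 1)
	assert.Equal(t, "*", resources[0])

	// The principals block spans lines 27-30; the AWS principal list inside it
	// is reported with the same range.
	principals, r := statement.Principals()
	assert.Equal(t, 27, r.StartLine)
	assert.Equal(t, 30, r.EndLine)

	aws, r := principals.AWS()
	assert.Equal(t, 27, r.StartLine)
	assert.Equal(t, 30, r.EndLine)
	require.Len(t, aws, 1)
	assert.Equal(t, "arn:aws:iam::123:root", aws[0])

	// Converting an iam-go range back into defsec metadata must preserve the
	// line numbers, since that is the path findings use for reporting.
	rerange := doc.MetadataFromIamGo(r).Range()
	assert.Equal(t, 27, rerange.GetStartLine())
	assert.Equal(t, 30, rerange.GetEndLine())
}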