github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/internal/adapters/terraform/azure/compute/adapt_test.go (about) 1 package compute 2 3 import ( 4 "testing" 5 6 defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types" 7 8 "github.com/khulnasoft-lab/defsec/pkg/providers/azure/compute" 9 10 "github.com/khulnasoft-lab/defsec/internal/adapters/terraform/tftestutil" 11 12 "github.com/khulnasoft-lab/defsec/test/testutil" 13 "github.com/stretchr/testify/assert" 14 "github.com/stretchr/testify/require" 15 ) 16 17 func Test_adaptManagedDisk(t *testing.T) { 18 tests := []struct { 19 name string 20 terraform string 21 expected compute.ManagedDisk 22 }{ 23 { 24 name: "encryption explicitly disabled", 25 terraform: ` 26 resource "azurerm_managed_disk" "example" { 27 encryption_settings { 28 enabled = false 29 } 30 }`, 31 expected: compute.ManagedDisk{ 32 Metadata: defsecTypes.NewTestMetadata(), 33 Encryption: compute.Encryption{ 34 Metadata: defsecTypes.NewTestMetadata(), 35 Enabled: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()), 36 }, 37 }, 38 }, 39 { 40 name: "encryption enabled by default", 41 terraform: ` 42 resource "azurerm_managed_disk" "example" { 43 }`, 44 expected: compute.ManagedDisk{ 45 Metadata: defsecTypes.NewTestMetadata(), 46 Encryption: compute.Encryption{ 47 Metadata: defsecTypes.NewTestMetadata(), 48 Enabled: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()), 49 }, 50 }, 51 }, 52 } 53 54 for _, test := range tests { 55 t.Run(test.name, func(t *testing.T) { 56 modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf") 57 adapted := adaptManagedDisk(modules.GetBlocks()[0]) 58 testutil.AssertDefsecEqual(t, test.expected, adapted) 59 }) 60 } 61 } 62 63 func Test_adaptLinuxVM(t *testing.T) { 64 tests := []struct { 65 name string 66 terraform string 67 expected compute.LinuxVirtualMachine 68 }{ 69 { 70 name: "no custom data", 71 terraform: ` 72 resource "azurerm_virtual_machine" "example" { 73 name = "linux-machine" 74 resource_group_name = azurerm_resource_group.example.name 75 location = azurerm_resource_group.example.location 76 size = "Standard_F2" 77 admin_username = "adminuser" 78 79 os_profile_linux_config { 80 ssh_keys = [{ 81 key_data = file("~/.ssh/id_rsa.pub") 82 path = "~/.ssh/id_rsa.pub" 83 }] 84 disable_password_authentication = true 85 } 86 } 87 `, 88 expected: compute.LinuxVirtualMachine{ 89 Metadata: defsecTypes.NewTestMetadata(), 90 VirtualMachine: compute.VirtualMachine{ 91 Metadata: defsecTypes.NewTestMetadata(), 92 CustomData: defsecTypes.String("", defsecTypes.NewTestMetadata()), 93 }, 94 OSProfileLinuxConfig: compute.OSProfileLinuxConfig{ 95 Metadata: defsecTypes.NewTestMetadata(), 96 DisablePasswordAuthentication: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()), 97 }, 98 }, 99 }, 100 { 101 name: "custom data", 102 terraform: ` 103 resource "azurerm_virtual_machine" "example" { 104 name = "example" 105 os_profile_linux_config { 106 disable_password_authentication = false 107 } 108 os_profile { 109 custom_data =<<EOF 110 export DATABASE_PASSWORD=\"SomeSortOfPassword\" 111 EOF 112 } 113 }`, 114 expected: compute.LinuxVirtualMachine{ 115 Metadata: defsecTypes.NewTestMetadata(), 116 VirtualMachine: compute.VirtualMachine{ 117 Metadata: defsecTypes.NewTestMetadata(), 118 CustomData: defsecTypes.String( 119 `export DATABASE_PASSWORD=\"SomeSortOfPassword\" 120 `, defsecTypes.NewTestMetadata()), 121 }, 122 OSProfileLinuxConfig: compute.OSProfileLinuxConfig{ 123 Metadata: defsecTypes.NewTestMetadata(), 124 DisablePasswordAuthentication: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()), 125 }, 126 }, 127 }, 128 } 129 130 for _, test := range tests { 131 t.Run(test.name, func(t *testing.T) { 132 modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf") 133 adapted := adaptLinuxVM(modules.GetBlocks()[0]) 134 testutil.AssertDefsecEqual(t, test.expected, adapted) 135 }) 136 } 137 } 138 139 func Test_adaptWindowsVM(t *testing.T) { 140 tests := []struct { 141 name string 142 terraform string 143 expected compute.WindowsVirtualMachine 144 }{ 145 { 146 name: "old resource", 147 terraform: ` 148 resource "azurerm_virtual_machine" "example" { 149 name = "example" 150 os_profile_windows_config { 151 } 152 os_profile { 153 custom_data =<<EOF 154 export DATABASE_PASSWORD=\"SomeSortOfPassword\" 155 EOF 156 } 157 }`, 158 expected: compute.WindowsVirtualMachine{ 159 Metadata: defsecTypes.NewTestMetadata(), 160 VirtualMachine: compute.VirtualMachine{ 161 Metadata: defsecTypes.NewTestMetadata(), 162 CustomData: defsecTypes.String(`export DATABASE_PASSWORD=\"SomeSortOfPassword\" 163 `, defsecTypes.NewTestMetadata()), 164 }, 165 }, 166 }, 167 { 168 name: "new resource", 169 terraform: ` 170 resource "azurerm_windows_virtual_machine" "example" { 171 name = "example-machine" 172 custom_data =<<EOF 173 export GREETING="Hello there" 174 EOF 175 }`, 176 expected: compute.WindowsVirtualMachine{ 177 Metadata: defsecTypes.NewTestMetadata(), 178 VirtualMachine: compute.VirtualMachine{ 179 Metadata: defsecTypes.NewTestMetadata(), 180 CustomData: defsecTypes.String(`export GREETING="Hello there" 181 `, defsecTypes.NewTestMetadata()), 182 }, 183 }, 184 }, 185 } 186 187 for _, test := range tests { 188 t.Run(test.name, func(t *testing.T) { 189 modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf") 190 adapted := adaptWindowsVM(modules.GetBlocks()[0]) 191 testutil.AssertDefsecEqual(t, test.expected, adapted) 192 }) 193 } 194 } 195 196 func TestLines(t *testing.T) { 197 src := ` 198 resource "azurerm_managed_disk" "good_example" { 199 encryption_settings { 200 enabled = false 201 } 202 } 203 204 resource "azurerm_virtual_machine" "example" { 205 name = "linux-machine" 206 207 os_profile_linux_config { 208 ssh_keys = [{ 209 key_data = file("~/.ssh/id_rsa.pub") 210 path = "~/.ssh/id_rsa.pub" 211 }] 212 disable_password_authentication = true 213 } 214 os_profile { 215 custom_data =<<EOF 216 export DATABASE_PASSWORD=\"SomeSortOfPassword\" 217 EOF 218 } 219 }` 220 221 modules := tftestutil.CreateModulesFromSource(t, src, ".tf") 222 adapted := Adapt(modules) 223 224 require.Len(t, adapted.ManagedDisks, 1) 225 require.Len(t, adapted.LinuxVirtualMachines, 1) 226 227 managedDisk := adapted.ManagedDisks[0] 228 linuxVM := adapted.LinuxVirtualMachines[0] 229 230 assert.Equal(t, 4, managedDisk.Encryption.Enabled.GetMetadata().Range().GetStartLine()) 231 assert.Equal(t, 4, managedDisk.Encryption.Enabled.GetMetadata().Range().GetEndLine()) 232 233 assert.Equal(t, 16, linuxVM.OSProfileLinuxConfig.DisablePasswordAuthentication.GetMetadata().Range().GetStartLine()) 234 assert.Equal(t, 16, linuxVM.OSProfileLinuxConfig.DisablePasswordAuthentication.GetMetadata().Range().GetEndLine()) 235 236 assert.Equal(t, 19, linuxVM.VirtualMachine.CustomData.GetMetadata().Range().GetStartLine()) 237 assert.Equal(t, 21, linuxVM.VirtualMachine.CustomData.GetMetadata().Range().GetEndLine()) 238 }