package database

import (
	"testing"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/internal/adapters/terraform/tftestutil"
	"github.com/khulnasoft-lab/defsec/pkg/providers/azure/database"
	"github.com/khulnasoft-lab/defsec/test/testutil"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// Test_Adapt runs one Terraform snippet per Azure database flavour
// (PostgreSQL, MariaDB, MySQL, MS SQL) through Adapt and compares the result
// with a hand-built database.Database. The fields pinned here are the
// security-relevant settings the adapter is expected to surface: SSL
// enforcement, minimum TLS version, public network access, firewall IP
// ranges and, for MS SQL, the auditing retention and security-alert policy.
// Attributes a snippet does not set are expected as the adapter's default
// (e.g. an empty MinimumTLSVersion for MariaDB, EnableSSLEnforcement false
// for MS SQL).
func Test_Adapt(t *testing.T) {
	// Shorthands for the expected values. Each call still produces fresh test
	// metadata, exactly as the long-hand defsecTypes.X(v, NewTestMetadata())
	// form does, so the expectations are unchanged in substance.
	md := defsecTypes.NewTestMetadata
	boolVal := func(v bool) defsecTypes.BoolValue { return defsecTypes.Bool(v, md()) }
	strVal := func(v string) defsecTypes.StringValue { return defsecTypes.String(v, md()) }
	rule := func(start, end string) database.FirewallRule {
		return database.FirewallRule{
			Metadata: md(),
			StartIP:  strVal(start),
			EndIP:    strVal(end),
		}
	}

	cases := []struct {
		name      string
		terraform string
		expected  database.Database
	}{
		{
			name: "postgresql",
			terraform: `
resource "azurerm_postgresql_server" "example" {
  name = "example"

  public_network_access_enabled    = true
  ssl_enforcement_enabled          = true
  ssl_minimal_tls_version_enforced = "TLS1_2"
}

resource "azurerm_postgresql_configuration" "example" {
  name                = "log_connections"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_postgresql_server.example.name
  value               = "on"
}

resource "azurerm_postgresql_configuration" "example" {
  name                = "log_checkpoints"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_postgresql_server.example.name
  value               = "on"
}

resource "azurerm_postgresql_configuration" "example" {
  name                = "connection_throttling"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_postgresql_server.example.name
  value               = "on"
}

resource "azurerm_postgresql_firewall_rule" "example" {
  name                = "office"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_postgresql_server.example.name
  start_ip_address    = "40.112.8.12"
  end_ip_address      = "40.112.8.12"
}
`,
			expected: database.Database{
				PostgreSQLServers: []database.PostgreSQLServer{
					{
						Metadata: md(),
						Server: database.Server{
							Metadata:                  md(),
							EnableSSLEnforcement:      boolVal(true),
							MinimumTLSVersion:         strVal("TLS1_2"),
							EnablePublicNetworkAccess: boolVal(true),
							FirewallRules: []database.FirewallRule{
								rule("40.112.8.12", "40.112.8.12"),
							},
						},
						// The three azurerm_postgresql_configuration blocks
						// above are folded into one Config.
						Config: database.PostgresSQLConfig{
							Metadata:             md(),
							LogConnections:       boolVal(true),
							LogCheckpoints:       boolVal(true),
							ConnectionThrottling: boolVal(true),
						},
					},
				},
			},
		},
		{
			name: "mariadb",
			terraform: `
resource "azurerm_mariadb_server" "example" {
  name                = "example-mariadb-server"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  public_network_access_enabled = false
  ssl_enforcement_enabled       = true
}

resource "azurerm_mariadb_firewall_rule" "example" {
  name             = "test-rule"
  server_name      = azurerm_mariadb_server.example.name
  start_ip_address = "40.112.0.0"
  end_ip_address   = "40.112.255.255"
}
`,
			expected: database.Database{
				MariaDBServers: []database.MariaDBServer{
					{
						Metadata: md(),
						Server: database.Server{
							Metadata:                  md(),
							EnableSSLEnforcement:      boolVal(true),
							MinimumTLSVersion:         strVal(""),
							EnablePublicNetworkAccess: boolVal(false),
							FirewallRules: []database.FirewallRule{
								rule("40.112.0.0", "40.112.255.255"),
							},
						},
					},
				},
			},
		},
		{
			name: "mysql",
			terraform: `
resource "azurerm_mysql_server" "example" {
  public_network_access_enabled    = true
  ssl_enforcement_enabled          = true
  ssl_minimal_tls_version_enforced = "TLS1_2"
}

resource "azurerm_mysql_firewall_rule" "example" {
  server_name      = azurerm_mysql_server.example.name
  start_ip_address = "40.112.8.12"
  end_ip_address   = "40.112.8.12"
}
`,
			expected: database.Database{
				MySQLServers: []database.MySQLServer{
					{
						Metadata: md(),
						Server: database.Server{
							Metadata:                  md(),
							EnableSSLEnforcement:      boolVal(true),
							MinimumTLSVersion:         strVal("TLS1_2"),
							EnablePublicNetworkAccess: boolVal(true),
							FirewallRules: []database.FirewallRule{
								rule("40.112.8.12", "40.112.8.12"),
							},
						},
					},
				},
			},
		},
		{
			name: "ms sql",
			terraform: `
resource "azurerm_mssql_server" "example" {
  name                          = "mssqlserver"
  minimum_tls_version           = "1.2"
  public_network_access_enabled = false
}

resource "azurerm_mssql_firewall_rule" "example" {
  name             = "FirewallRule1"
  server_id        = azurerm_mssql_server.example.id
  start_ip_address = "10.0.17.62"
  end_ip_address   = "10.0.17.62"
}

resource "azurerm_mssql_server_security_alert_policy" "example" {
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_mssql_server.example.name
  disabled_alerts = [
    "Sql_Injection",
    "Data_Exfiltration"
  ]
  email_account_admins = true
  email_addresses = [
    "example@example.com"
  ]
}

resource "azurerm_mssql_server_extended_auditing_policy" "example" {
  server_id         = azurerm_mssql_server.example.id
  retention_in_days = 6
}
`,
			expected: database.Database{
				MSSQLServers: []database.MSSQLServer{
					{
						Metadata: md(),
						Server: database.Server{
							Metadata:                  md(),
							MinimumTLSVersion:         strVal("1.2"),
							EnablePublicNetworkAccess: boolVal(false),
							EnableSSLEnforcement:      boolVal(false),
							FirewallRules: []database.FirewallRule{
								rule("10.0.17.62", "10.0.17.62"),
							},
						},
						ExtendedAuditingPolicies: []database.ExtendedAuditingPolicy{
							{
								Metadata:        md(),
								RetentionInDays: defsecTypes.Int(6, md()),
							},
						},
						SecurityAlertPolicies: []database.SecurityAlertPolicy{
							{
								Metadata: md(),
								EmailAddresses: []defsecTypes.StringValue{
									strVal("example@example.com"),
								},
								DisabledAlerts: []defsecTypes.StringValue{
									strVal("Sql_Injection"),
									strVal("Data_Exfiltration"),
								},
								EmailAccountAdmins: boolVal(true),
							},
						},
					},
				},
			},
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, tc.terraform, ".tf")
			testutil.AssertDefsecEqual(t, tc.expected, Adapt(modules))
		})
	}
}

// lineRange is the part of a source range these tests inspect.
type lineRange interface {
	GetStartLine() int
	GetEndLine() int
}

// assertLines asserts that rng starts on line start and ends on line end.
func assertLines(t *testing.T, rng lineRange, start, end int) {
	t.Helper()
	assert.Equal(t, start, rng.GetStartLine())
	assert.Equal(t, end, rng.GetEndLine())
}

// TestLines checks that Adapt keeps source positions intact: every adapted
// server, firewall rule, policy and attribute must report the start and end
// line of the Terraform block or attribute it was read from. Line numbers
// refer to src, whose line 1 is the blank line after the opening backtick;
// list-valued attributes (disabled_alerts, email_addresses) span from the
// opening "[" to the closing "]".
func TestLines(t *testing.T) {
	src := `
resource "azurerm_postgresql_server" "example" {
  public_network_access_enabled    = true
  ssl_enforcement_enabled          = true
  ssl_minimal_tls_version_enforced = "TLS1_2"
}

resource "azurerm_postgresql_configuration" "example" {
  name        = "log_connections"
  server_name = azurerm_postgresql_server.example.name
  value       = "on"
}

resource "azurerm_postgresql_configuration" "example" {
  name        = "log_checkpoints"
  server_name = azurerm_postgresql_server.example.name
  value       = "on"
}

resource "azurerm_postgresql_configuration" "example" {
  name        = "connection_throttling"
  server_name = azurerm_postgresql_server.example.name
  value       = "on"
}

resource "azurerm_postgresql_firewall_rule" "example" {
  name             = "office"
  server_name      = azurerm_postgresql_server.example.name
  start_ip_address = "40.112.8.12"
  end_ip_address   = "40.112.8.12"
}

resource "azurerm_mariadb_server" "example" {
  public_network_access_enabled = false
  ssl_enforcement_enabled       = true
}

resource "azurerm_mariadb_firewall_rule" "example" {
  name             = "test-rule"
  server_name      = azurerm_mariadb_server.example.name
  start_ip_address = "40.112.0.0"
  end_ip_address   = "40.112.255.255"
}

resource "azurerm_mysql_server" "example" {
  public_network_access_enabled    = true
  ssl_enforcement_enabled          = true
  ssl_minimal_tls_version_enforced = "TLS1_2"
}

resource "azurerm_mysql_firewall_rule" "example" {
  server_name      = azurerm_mysql_server.example.name
  start_ip_address = "40.112.8.12"
  end_ip_address   = "40.112.8.12"
}

resource "azurerm_mssql_server" "example" {
  name                          = "mssqlserver"
  public_network_access_enabled = false
  minimum_tls_version           = "1.2"
}

resource "azurerm_mssql_firewall_rule" "example" {
  name             = "FirewallRule1"
  server_id        = azurerm_mssql_server.example.id
  start_ip_address = "10.0.17.62"
  end_ip_address   = "10.0.17.62"
}

resource "azurerm_mssql_server_security_alert_policy" "example" {
  server_name = azurerm_mssql_server.example.name
  disabled_alerts = [
    "Sql_Injection",
    "Data_Exfiltration"
  ]
  email_account_admins = true
  email_addresses = [
    "example@example.com"
  ]
}

resource "azurerm_mssql_server_extended_auditing_policy" "example" {
  server_id         = azurerm_mssql_server.example.id
  retention_in_days = 6
}
`

	adapted := Adapt(tftestutil.CreateModulesFromSource(t, src, ".tf"))

	// Exactly one server of each flavour; the index accesses below rely on it.
	require.Len(t, adapted.PostgreSQLServers, 1)
	require.Len(t, adapted.MariaDBServers, 1)
	require.Len(t, adapted.MySQLServers, 1)
	require.Len(t, adapted.MSSQLServers, 1)

	// PostgreSQL: server block, its three configuration values, firewall rule.
	postgres := adapted.PostgreSQLServers[0]
	assertLines(t, postgres.Metadata.Range(), 2, 6)
	assertLines(t, postgres.EnablePublicNetworkAccess.GetMetadata().Range(), 3, 3)
	assertLines(t, postgres.EnableSSLEnforcement.GetMetadata().Range(), 4, 4)
	assertLines(t, postgres.MinimumTLSVersion.GetMetadata().Range(), 5, 5)
	// Config values point at the "value" attribute of each configuration block.
	assertLines(t, postgres.Config.LogConnections.GetMetadata().Range(), 11, 11)
	assertLines(t, postgres.Config.LogCheckpoints.GetMetadata().Range(), 17, 17)
	assertLines(t, postgres.Config.ConnectionThrottling.GetMetadata().Range(), 23, 23)
	pgRule := postgres.FirewallRules[0]
	assertLines(t, pgRule.Metadata.Range(), 26, 31)
	assertLines(t, pgRule.StartIP.GetMetadata().Range(), 29, 29)
	assertLines(t, pgRule.EndIP.GetMetadata().Range(), 30, 30)

	// MariaDB: server block and firewall rule.
	mariadb := adapted.MariaDBServers[0]
	assertLines(t, mariadb.Metadata.Range(), 33, 36)
	assertLines(t, mariadb.EnablePublicNetworkAccess.GetMetadata().Range(), 34, 34)
	assertLines(t, mariadb.EnableSSLEnforcement.GetMetadata().Range(), 35, 35)
	mariaRule := mariadb.FirewallRules[0]
	assertLines(t, mariaRule.Metadata.Range(), 38, 43)
	assertLines(t, mariaRule.StartIP.GetMetadata().Range(), 41, 41)
	assertLines(t, mariaRule.EndIP.GetMetadata().Range(), 42, 42)

	// MySQL: server block and firewall rule.
	mysql := adapted.MySQLServers[0]
	assertLines(t, mysql.Metadata.Range(), 45, 49)
	assertLines(t, mysql.EnablePublicNetworkAccess.GetMetadata().Range(), 46, 46)
	assertLines(t, mysql.EnableSSLEnforcement.GetMetadata().Range(), 47, 47)
	assertLines(t, mysql.MinimumTLSVersion.GetMetadata().Range(), 48, 48)
	mysqlRule := mysql.FirewallRules[0]
	assertLines(t, mysqlRule.Metadata.Range(), 51, 55)
	assertLines(t, mysqlRule.StartIP.GetMetadata().Range(), 53, 53)
	assertLines(t, mysqlRule.EndIP.GetMetadata().Range(), 54, 54)

	// MS SQL: server block, firewall rule, security alert policy, auditing policy.
	mssql := adapted.MSSQLServers[0]
	assertLines(t, mssql.Metadata.Range(), 57, 61)
	assertLines(t, mssql.EnablePublicNetworkAccess.GetMetadata().Range(), 59, 59)
	assertLines(t, mssql.MinimumTLSVersion.GetMetadata().Range(), 60, 60)
	mssqlRule := mssql.FirewallRules[0]
	assertLines(t, mssqlRule.Metadata.Range(), 63, 68)
	assertLines(t, mssqlRule.StartIP.GetMetadata().Range(), 66, 66)
	assertLines(t, mssqlRule.EndIP.GetMetadata().Range(), 67, 67)

	alert := mssql.SecurityAlertPolicies[0]
	assertLines(t, alert.Metadata.Range(), 70, 80)
	assertLines(t, alert.DisabledAlerts[0].GetMetadata().Range(), 72, 75)
	assertLines(t, alert.EmailAccountAdmins.GetMetadata().Range(), 76, 76)
	assertLines(t, alert.EmailAddresses[0].GetMetadata().Range(), 77, 79)

	audit := mssql.ExtendedAuditingPolicies[0]
	assertLines(t, audit.Metadata.Range(), 82, 85)
	assertLines(t, audit.RetentionInDays.GetMetadata().Range(), 84, 84)
}