github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/internal/adapters/terraform/azure/keyvault/adapt_test.go (about) 1 package keyvault 2 3 import ( 4 "testing" 5 "time" 6 7 defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types" 8 9 "github.com/khulnasoft-lab/defsec/pkg/providers/azure/keyvault" 10 11 "github.com/khulnasoft-lab/defsec/internal/adapters/terraform/tftestutil" 12 13 "github.com/khulnasoft-lab/defsec/test/testutil" 14 "github.com/stretchr/testify/assert" 15 "github.com/stretchr/testify/require" 16 ) 17 18 func Test_Adapt(t *testing.T) { 19 tests := []struct { 20 name string 21 terraform string 22 expected keyvault.KeyVault 23 }{ 24 { 25 name: "defined", 26 terraform: ` 27 resource "azurerm_key_vault" "example" { 28 name = "examplekeyvault" 29 enabled_for_disk_encryption = true 30 soft_delete_retention_days = 7 31 purge_protection_enabled = true 32 33 network_acls { 34 bypass = "AzureServices" 35 default_action = "Deny" 36 } 37 } 38 `, 39 expected: keyvault.KeyVault{ 40 Vaults: []keyvault.Vault{ 41 { 42 Metadata: defsecTypes.NewTestMetadata(), 43 EnablePurgeProtection: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()), 44 SoftDeleteRetentionDays: defsecTypes.Int(7, defsecTypes.NewTestMetadata()), 45 NetworkACLs: keyvault.NetworkACLs{ 46 Metadata: defsecTypes.NewTestMetadata(), 47 DefaultAction: defsecTypes.String("Deny", defsecTypes.NewTestMetadata()), 48 }, 49 }, 50 }, 51 }, 52 }, 53 { 54 name: "defaults", 55 terraform: ` 56 resource "azurerm_key_vault" "example" { 57 } 58 `, 59 expected: keyvault.KeyVault{ 60 Vaults: []keyvault.Vault{ 61 { 62 Metadata: defsecTypes.NewTestMetadata(), 63 EnablePurgeProtection: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()), 64 SoftDeleteRetentionDays: defsecTypes.Int(0, defsecTypes.NewTestMetadata()), 65 NetworkACLs: keyvault.NetworkACLs{ 66 Metadata: defsecTypes.NewTestMetadata(), 67 DefaultAction: defsecTypes.String("", defsecTypes.NewTestMetadata()), 68 }, 69 }, 70 }, 71 }, 72 }, 73 } 74 75 for _, test := range tests { 76 t.Run(test.name, func(t *testing.T) { 77 modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf") 78 adapted := Adapt(modules) 79 testutil.AssertDefsecEqual(t, test.expected, adapted) 80 }) 81 } 82 } 83 84 func Test_adaptSecret(t *testing.T) { 85 tests := []struct { 86 name string 87 terraform string 88 expected keyvault.Secret 89 }{ 90 { 91 name: "defaults", 92 terraform: ` 93 resource "azurerm_key_vault_secret" "example" { 94 } 95 `, 96 expected: keyvault.Secret{ 97 Metadata: defsecTypes.NewTestMetadata(), 98 ContentType: defsecTypes.String("", defsecTypes.NewTestMetadata()), 99 ExpiryDate: defsecTypes.Time(time.Time{}, defsecTypes.NewTestMetadata()), 100 }, 101 }, 102 { 103 name: "defined", 104 terraform: ` 105 resource "azurerm_key_vault_secret" "example" { 106 content_type = "password" 107 expiration_date = "1982-12-31T00:00:00Z" 108 } 109 `, 110 expected: keyvault.Secret{ 111 Metadata: defsecTypes.NewTestMetadata(), 112 ContentType: defsecTypes.String("password", defsecTypes.NewTestMetadata()), 113 ExpiryDate: defsecTypes.Time(func(timeVal string) time.Time { 114 parsed, _ := time.Parse(time.RFC3339, timeVal) 115 return parsed 116 }("1982-12-31T00:00:00Z"), defsecTypes.NewTestMetadata())}, 117 }, 118 } 119 120 for _, test := range tests { 121 t.Run(test.name, func(t *testing.T) { 122 modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf") 123 adapted := adaptSecret(modules.GetBlocks()[0]) 124 testutil.AssertDefsecEqual(t, test.expected, adapted) 125 }) 126 } 127 } 128 129 func Test_adaptKey(t *testing.T) { 130 tests := []struct { 131 name string 132 terraform string 133 expected keyvault.Key 134 }{ 135 { 136 name: "defined", 137 terraform: ` 138 resource "azurerm_key_vault_key" "example" { 139 name = "generated-certificate" 140 expiration_date = "1982-12-31T00:00:00Z" 141 } 142 `, 143 expected: keyvault.Key{ 144 Metadata: defsecTypes.NewTestMetadata(), 145 ExpiryDate: defsecTypes.Time(func(timeVal string) time.Time { 146 parsed, _ := time.Parse(time.RFC3339, timeVal) 147 return parsed 148 }("1982-12-31T00:00:00Z"), defsecTypes.NewTestMetadata()), 149 }, 150 }, 151 { 152 name: "defaults", 153 terraform: ` 154 resource "azurerm_key_vault_key" "example" { 155 } 156 `, 157 expected: keyvault.Key{ 158 Metadata: defsecTypes.NewTestMetadata(), 159 ExpiryDate: defsecTypes.Time(time.Time{}, defsecTypes.NewTestMetadata()), 160 }, 161 }, 162 { 163 name: "expiration date refers to the resource", 164 terraform: ` 165 terraform { 166 required_version = ">=1.3.0" 167 required_providers { 168 azurerm = { 169 source = "hashicorp/azurerm" 170 version = ">=3.0.0" 171 } 172 time = { 173 source = "hashicorp/time" 174 version = ">=0.9.0" 175 } 176 } 177 } 178 179 resource "azurerm_key_vault" "this" { 180 name = "keyvault" 181 location = "us-west" 182 resource_group_name = "resource-group" 183 tenant_id = "tenant-id" 184 sku_name = "Standard" 185 } 186 187 resource "time_offset" "expiry" { 188 offset_years = 1 189 base_rfc3339 = "YYYY-MM-DDTHH:MM:SSZ" 190 } 191 192 resource "azurerm_key_vault_key" "this" { 193 name = "key" 194 key_vault_id = azurerm_key_vault.this.id 195 key_type = "RSA" 196 key_size = 2048 197 key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"] 198 expiration_date = time_offset.expiry.rfc3339 199 } 200 `, 201 expected: keyvault.Key{ 202 Metadata: defsecTypes.NewTestMetadata(), 203 ExpiryDate: defsecTypes.TimeUnresolvable(defsecTypes.NewTestMetadata()), 204 }, 205 }, 206 } 207 208 for _, test := range tests { 209 t.Run(test.name, func(t *testing.T) { 210 modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf") 211 adapted := adaptKey(modules.GetBlocks()[0]) 212 testutil.AssertDefsecEqual(t, test.expected, adapted) 213 }) 214 } 215 } 216 217 func TestLines(t *testing.T) { 218 src := ` 219 resource "azurerm_key_vault" "example" { 220 name = "examplekeyvault" 221 enabled_for_disk_encryption = true 222 soft_delete_retention_days = 7 223 purge_protection_enabled = true 224 225 network_acls { 226 bypass = "AzureServices" 227 default_action = "Deny" 228 } 229 } 230 231 resource "azurerm_key_vault_key" "example" { 232 key_vault_id = azurerm_key_vault.example.id 233 name = "generated-certificate" 234 expiration_date = "1982-12-31T00:00:00Z" 235 } 236 237 resource "azurerm_key_vault_secret" "example" { 238 key_vault_id = azurerm_key_vault.example.id 239 content_type = "password" 240 expiration_date = "1982-12-31T00:00:00Z" 241 }` 242 243 modules := tftestutil.CreateModulesFromSource(t, src, ".tf") 244 adapted := Adapt(modules) 245 246 require.Len(t, adapted.Vaults, 1) 247 require.Len(t, adapted.Vaults[0].Keys, 1) 248 require.Len(t, adapted.Vaults[0].Secrets, 1) 249 250 vault := adapted.Vaults[0] 251 key := vault.Keys[0] 252 secret := vault.Secrets[0] 253 254 assert.Equal(t, 5, vault.SoftDeleteRetentionDays.GetMetadata().Range().GetStartLine()) 255 assert.Equal(t, 5, vault.SoftDeleteRetentionDays.GetMetadata().Range().GetEndLine()) 256 257 assert.Equal(t, 6, vault.EnablePurgeProtection.GetMetadata().Range().GetStartLine()) 258 assert.Equal(t, 6, vault.EnablePurgeProtection.GetMetadata().Range().GetEndLine()) 259 260 assert.Equal(t, 10, vault.NetworkACLs.DefaultAction.GetMetadata().Range().GetStartLine()) 261 assert.Equal(t, 10, vault.NetworkACLs.DefaultAction.GetMetadata().Range().GetEndLine()) 262 263 assert.Equal(t, 17, key.ExpiryDate.GetMetadata().Range().GetStartLine()) 264 assert.Equal(t, 17, key.ExpiryDate.GetMetadata().Range().GetEndLine()) 265 266 assert.Equal(t, 22, secret.ContentType.GetMetadata().Range().GetStartLine()) 267 assert.Equal(t, 22, secret.ContentType.GetMetadata().Range().GetEndLine()) 268 269 assert.Equal(t, 23, secret.ExpiryDate.GetMetadata().Range().GetStartLine()) 270 assert.Equal(t, 23, secret.ExpiryDate.GetMetadata().Range().GetEndLine()) 271 }