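package network

import (
	"testing"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/providers/azure/network"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/khulnasoft-lab/defsec/internal/adapters/terraform/tftestutil"
	"github.com/khulnasoft-lab/defsec/test/testutil"
)

// Test_Adapt checks that Adapt turns Terraform azurerm network resources into
// the provider-neutral network.Network model that the downstream checks
// evaluate. The "defined" case covers a security group with an explicit
// inbound TCP allow rule on destination port 3389 from a single source prefix,
// plus a network watcher flow log with retention enabled; the "defaults" case
// covers an empty inline security_rule block.
func Test_Adapt(t *testing.T) {
	tests := []struct {
		name      string
		terraform string
		expected  network.Network
	}{
		{
			name: "defined",
			terraform: `
resource "azurerm_network_security_rule" "example" {
	name                        = "example_security_rule"
	network_security_group_name = azurerm_network_security_group.example.name
	direction                   = "Inbound"
	access                      = "Allow"
	protocol                    = "TCP"
	source_port_range           = "*"
	destination_port_ranges     = ["3389"]
	source_address_prefix       = "4.53.160.75"
	destination_address_prefix  = "*"
}

resource "azurerm_network_security_group" "example" {
	name = "tf-appsecuritygroup"
}

resource "azurerm_network_watcher_flow_log" "example" {
	resource_group_name = azurerm_resource_group.example.name
	name                = "example-log"

	retention_policy {
		enabled = true
		days    = 7
	}
}
`,
			expected: network.Network{
				SecurityGroups: []network.SecurityGroup{
					{
						Metadata: defsecTypes.NewTestMetadata(),
						Rules: []network.SecurityGroupRule{
							{
								Metadata: defsecTypes.NewTestMetadata(),
								// direction = "Inbound" is modelled as Outbound == false.
								Outbound: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
								Allow:    defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
								SourceAddresses: []defsecTypes.StringValue{
									defsecTypes.String("4.53.160.75", defsecTypes.NewTestMetadata()),
								},
								DestinationAddresses: []defsecTypes.StringValue{
									defsecTypes.String("*", defsecTypes.NewTestMetadata()),
								},
								// source_port_range = "*" is expected to widen to the full port range.
								SourcePorts: []network.PortRange{
									{
										Metadata: defsecTypes.NewTestMetadata(),
										Start:    0,
										End:      65535,
									},
								},
								// A single-port entry yields a range whose start and end are equal.
								DestinationPorts: []network.PortRange{
									{
										Metadata: defsecTypes.NewTestMetadata(),
										Start:    3389,
										End:      3389,
									},
								},
								Protocol: defsecTypes.String("TCP", defsecTypes.NewTestMetadata()),
							},
						},
					},
				},
				NetworkWatcherFlowLogs: []network.NetworkWatcherFlowLog{
					{
						Metadata: defsecTypes.NewTestMetadata(),
						RetentionPolicy: network.RetentionPolicy{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
							Days:     defsecTypes.Int(7, defsecTypes.NewTestMetadata()),
						},
					},
				},
			},
		},
		{
			name: "defaults",
			terraform: `
resource "azurerm_network_security_group" "example" {
	name = "tf-appsecuritygroup"
	security_rule {
	}
}
`,
			expected: network.Network{
				SecurityGroups: []network.SecurityGroup{
					{
						Metadata: defsecTypes.NewTestMetadata(),
						Rules: []network.SecurityGroupRule{
							{
								Metadata: defsecTypes.NewTestMetadata(),
								// An empty security_rule block is expected to adapt to an
								// inbound allow rule with an empty protocol and no
								// address or port entries.
								Outbound: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
								Allow:    defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
								Protocol: defsecTypes.String("", defsecTypes.NewTestMetadata()),
							},
						},
					},
				},
			},
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf")
			adapted := Adapt(modules)
			testutil.AssertDefsecEqual(t, test.expected, adapted)
		})
	}
}

// Test_adaptWatcherLog checks adaptWatcherLog on a single
// azurerm_network_watcher_flow_log block: an explicit retention_policy with
// enabled = true and days = 90, and an empty retention_policy block, which is
// expected to adapt to Enabled == false and Days == 0.
func Test_adaptWatcherLog(t *testing.T) {
	tests := []struct {
		name      string
		terraform string
		expected  network.NetworkWatcherFlowLog
	}{
		{
			name: "defined",
			terraform: `
resource "azurerm_network_watcher_flow_log" "watcher" {
	retention_policy {
		enabled = true
		days    = 90
	}
}
`,
			expected: network.NetworkWatcherFlowLog{
				Metadata: defsecTypes.NewTestMetadata(),
				RetentionPolicy: network.RetentionPolicy{
					Metadata: defsecTypes.NewTestMetadata(),
					Enabled:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					Days:     defsecTypes.Int(90, defsecTypes.NewTestMetadata()),
				},
			},
		},
		{
			name: "defaults",
			terraform: `
resource "azurerm_network_watcher_flow_log" "watcher" {
	retention_policy {
	}
}
`,
			expected: network.NetworkWatcherFlowLog{
				Metadata: defsecTypes.NewTestMetadata(),
				RetentionPolicy: network.RetentionPolicy{
					Metadata: defsecTypes.NewTestMetadata(),
					Enabled:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					Days:     defsecTypes.Int(0, defsecTypes.NewTestMetadata()),
				},
			},
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf")
			blocks := modules.GetBlocks()
			// Guard the index so a parse problem reports a failure instead of
			// an index-out-of-range panic.
			require.NotEmpty(t, blocks)
			adapted := adaptWatcherLog(blocks[0])
			testutil.AssertDefsecEqual(t, test.expected, adapted)
		})
	}
}

// TestLines checks that the metadata attached to each adapted value points
// back at the correct source lines, so that findings can be reported against
// the right line of the Terraform file. The line numbers asserted below are
// those of the raw string src (line 1 is the empty line after the opening
// backtick), so the layout of src must not be changed without updating them.
func TestLines(t *testing.T) {
	src := `
resource "azurerm_network_security_group" "example" {
	name = "tf-appsecuritygroup"
}

resource "azurerm_network_security_rule" "example" {
	name                        = "example_security_rule"
	network_security_group_name = azurerm_network_security_group.example.name
	direction                   = "Inbound"
	access                      = "Allow"
	protocol                    = "TCP"
	source_port_range           = "*"
	destination_port_ranges     = ["3389"]
	source_address_prefix       = "4.53.160.75"
	destination_address_prefix  = "*"
}

resource "azurerm_network_watcher_flow_log" "example" {
	resource_group_name = azurerm_resource_group.example.name
	name                = "example-log"

	retention_policy {
		enabled = true
		days    = 7
	}
}`

	modules := tftestutil.CreateModulesFromSource(t, src, ".tf")
	adapted := Adapt(modules)

	require.Len(t, adapted.SecurityGroups, 1)
	require.Len(t, adapted.NetworkWatcherFlowLogs, 1)

	securityGroup := adapted.SecurityGroups[0]
	require.Len(t, securityGroup.Rules, 1)
	rule := securityGroup.Rules[0]
	watcher := adapted.NetworkWatcherFlowLogs[0]

	// Each indexed slice is length-checked first so a missing element reports
	// a failure rather than an index-out-of-range panic.
	require.Len(t, rule.SourcePorts, 1)
	require.Len(t, rule.DestinationPorts, 1)
	require.Len(t, rule.SourceAddresses, 1)
	require.Len(t, rule.DestinationAddresses, 1)

	assert.Equal(t, 2, securityGroup.Metadata.Range().GetStartLine())
	assert.Equal(t, 4, securityGroup.Metadata.Range().GetEndLine())

	assert.Equal(t, 6, rule.Metadata.Range().GetStartLine())
	assert.Equal(t, 16, rule.Metadata.Range().GetEndLine())

	// Outbound is derived from the direction attribute, so it carries that line.
	assert.Equal(t, 9, rule.Outbound.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 9, rule.Outbound.GetMetadata().Range().GetEndLine())

	// Allow is derived from the access attribute.
	assert.Equal(t, 10, rule.Allow.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 10, rule.Allow.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 11, rule.Protocol.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 11, rule.Protocol.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 12, rule.SourcePorts[0].Metadata.Range().GetStartLine())
	assert.Equal(t, 12, rule.SourcePorts[0].Metadata.Range().GetEndLine())

	assert.Equal(t, 13, rule.DestinationPorts[0].Metadata.Range().GetStartLine())
	assert.Equal(t, 13, rule.DestinationPorts[0].Metadata.Range().GetEndLine())

	assert.Equal(t, 14, rule.SourceAddresses[0].GetMetadata().Range().GetStartLine())
	assert.Equal(t, 14, rule.SourceAddresses[0].GetMetadata().Range().GetEndLine())

	assert.Equal(t, 15, rule.DestinationAddresses[0].GetMetadata().Range().GetStartLine())
	assert.Equal(t, 15, rule.DestinationAddresses[0].GetMetadata().Range().GetEndLine())

	assert.Equal(t, 18, watcher.Metadata.Range().GetStartLine())
	assert.Equal(t, 26, watcher.Metadata.Range().GetEndLine())

	assert.Equal(t, 22, watcher.RetentionPolicy.Metadata.Range().GetStartLine())
	assert.Equal(t, 25, watcher.RetentionPolicy.Metadata.Range().GetEndLine())

	assert.Equal(t, 23, watcher.RetentionPolicy.Enabled.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 23, watcher.RetentionPolicy.Enabled.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 24, watcher.RetentionPolicy.Days.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 24, watcher.RetentionPolicy.Days.GetMetadata().Range().GetEndLine())
}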