package storage

import (
	"testing"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/providers/azure/storage"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/khulnasoft-lab/defsec/internal/adapters/terraform/tftestutil"
	"github.com/khulnasoft-lab/defsec/test/testutil"
)

// Test_Adapt feeds Terraform HCL through Adapt and compares the resulting
// storage.Storage model with testutil.AssertDefsecEqual.
//
// Two shapes are covered:
//   - "defined": a storage account with an inline network_rules block, a
//     separate azurerm_storage_account_network_rules resource pointing at
//     it, queue logging and a container. Both rule sources are kept as
//     separate NetworkRule entries on the account (inline block first), so
//     a check evaluating network exposure must look at every entry — the
//     standalone resource in this fixture sets default_action back to
//     "Allow" even though the inline block says "Deny".
//   - "orphans": network rules and a container that name no storage
//     account. Adapt collects them on an extra, unmanaged "orphans holder"
//     account whose own attributes are all defaults (HTTPS not enforced,
//     empty minimum TLS version, queue logging off).
//
// NOTE(review): neither case has a managed account that omits
// network_rules or min_tls_version, so the adapter's defaults for a bare
// account are not pinned here — worth a third case once the intended
// defaults are confirmed.
func Test_Adapt(t *testing.T) {
	managed := defsecTypes.NewTestMetadata
	unmanaged := defsecTypes.NewUnmanagedMetadata

	// Constructors for values carrying test (managed) metadata.
	strVal := func(v string) defsecTypes.StringValue { return defsecTypes.String(v, managed()) }
	boolVal := func(v bool) defsecTypes.BoolValue { return defsecTypes.Bool(v, managed()) }
	strVals := func(values ...string) []defsecTypes.StringValue {
		out := make([]defsecTypes.StringValue, 0, len(values))
		for _, v := range values {
			out = append(out, strVal(v))
		}
		return out
	}
	rule := func(allowByDefault bool, bypass ...string) storage.NetworkRule {
		return storage.NetworkRule{
			Metadata:       managed(),
			AllowByDefault: boolVal(allowByDefault),
			Bypass:         strVals(bypass...),
		}
	}
	container := func(publicAccess string) storage.Container {
		return storage.Container{
			Metadata:     managed(),
			PublicAccess: strVal(publicAccess),
		}
	}

	// orphanHolder is the synthetic account Adapt attaches child resources
	// to when they reference no azurerm_storage_account. All of its own
	// attributes are unmanaged defaults; only the given rules/containers
	// are populated (nil when the fixture has no orphans).
	orphanHolder := func(rules []storage.NetworkRule, containers []storage.Container) storage.Account {
		return storage.Account{
			Metadata:          unmanaged(),
			EnforceHTTPS:      defsecTypes.BoolDefault(false, unmanaged()),
			MinimumTLSVersion: defsecTypes.StringDefault("", unmanaged()),
			NetworkRules:      rules,
			QueueProperties: storage.QueueProperties{
				Metadata:      unmanaged(),
				EnableLogging: defsecTypes.BoolDefault(false, unmanaged()),
			},
			Containers: containers,
		}
	}

	cases := []struct {
		name      string
		terraform string
		expected  storage.Storage
	}{
		{
			name: "defined",
			terraform: `
resource "azurerm_resource_group" "example" {
	name = "example"
}

resource "azurerm_storage_account" "example" {
	name = "storageaccountname"
	resource_group_name = azurerm_resource_group.example.name

	network_rules {
		default_action = "Deny"
		bypass = ["Metrics", "AzureServices"]
	}

	enable_https_traffic_only = true
	queue_properties {
		logging {
			delete = true
			read = true
			write = true
			version = "1.0"
			retention_policy_days = 10
		}
	}
	min_tls_version = "TLS1_2"
}

resource "azurerm_storage_account_network_rules" "test" {
	resource_group_name = azurerm_resource_group.example.name
	storage_account_name = azurerm_storage_account.example.name

	default_action = "Allow"
	bypass = ["Metrics"]
}

resource "azurerm_storage_container" "example" {
	storage_account_name = azurerm_storage_account.example.name
	resource_group_name = azurerm_resource_group.example.name
	container_access_type = "blob"
}
`,
			expected: storage.Storage{
				Accounts: []storage.Account{
					{
						Metadata:          managed(),
						EnforceHTTPS:      boolVal(true),
						MinimumTLSVersion: strVal("TLS1_2"),
						NetworkRules: []storage.NetworkRule{
							// inline network_rules block: default_action = "Deny"
							rule(false, "Metrics", "AzureServices"),
							// standalone azurerm_storage_account_network_rules: default_action = "Allow"
							rule(true, "Metrics"),
						},
						QueueProperties: storage.QueueProperties{
							Metadata:      managed(),
							EnableLogging: boolVal(true),
						},
						Containers: []storage.Container{container("blob")},
					},
					// Always present, even when nothing is orphaned.
					orphanHolder(nil, nil),
				},
			},
		},
		{
			name: "orphans",
			terraform: `
resource "azurerm_storage_account_network_rules" "test" {
	default_action = "Allow"
	bypass = ["Metrics"]
}

resource "azurerm_storage_container" "example" {
	container_access_type = "blob"
}
`,
			expected: storage.Storage{
				Accounts: []storage.Account{
					orphanHolder(
						[]storage.NetworkRule{rule(true, "Metrics")},
						[]storage.Container{container("blob")},
					),
				},
			},
		},
	}

	for _, tc := range cases {
		tc := tc
		t.Run(tc.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, tc.terraform, ".tf")
			testutil.AssertDefsecEqual(t, tc.expected, Adapt(modules))
		})
	}
}

// TestLines pins the source ranges Adapt records on each adapted value, so
// that findings point at the right HCL lines. All numbers are 1-based lines
// of src, whose first line is the empty line right after the opening
// backtick; editing src means re-counting every expectation below.
func TestLines(t *testing.T) {
	src := `
resource "azurerm_resource_group" "example" {
	name = "example"
	location = "West Europe"
}

resource "azurerm_storage_account" "example" {
	resource_group_name = azurerm_resource_group.example.name

	enable_https_traffic_only = true
	min_tls_version = "TLS1_2"

	queue_properties {
		logging {
			delete = true
			read = true
			write = true
			version = "1.0"
			retention_policy_days = 10
		}
	}

	network_rules {
		default_action = "Deny"
		bypass = ["Metrics", "AzureServices"]
	}
}

resource "azurerm_storage_account_network_rules" "test" {
	resource_group_name = azurerm_resource_group.example.name
	storage_account_name = azurerm_storage_account.example.name

	default_action = "Allow"
	bypass = ["Metrics"]
}

resource "azurerm_storage_container" "example" {
	storage_account_name = azurerm_storage_account.example.name
	resource_group_name = azurerm_resource_group.example.name
	container_access_type = "blob"
}`

	modules := tftestutil.CreateModulesFromSource(t, src, ".tf")
	adapted := Adapt(modules)

	// The real account plus the unmanaged holder for orphaned resources.
	require.Len(t, adapted.Accounts, 2)
	account := adapted.Accounts[0]

	// expectLines asserts that r spans exactly start..end in src.
	expectLines := func(what string, r defsecTypes.Range, start, end int) {
		t.Helper()
		assert.Equal(t, start, r.GetStartLine(), what)
		assert.Equal(t, end, r.GetEndLine(), what)
	}

	expectLines("storage account", account.Metadata.Range(), 7, 27)
	expectLines("enable_https_traffic_only", account.EnforceHTTPS.GetMetadata().Range(), 10, 10)
	expectLines("min_tls_version", account.MinimumTLSVersion.GetMetadata().Range(), 11, 11)

	expectLines("queue_properties", account.QueueProperties.Metadata.Range(), 13, 21)
	// EnableLogging is attributed to the whole logging block rather than to
	// a single attribute inside it.
	expectLines("queue_properties.logging", account.QueueProperties.EnableLogging.GetMetadata().Range(), 14, 20)

	// Rule 0 is the inline network_rules block.
	inline := account.NetworkRules[0]
	expectLines("inline network_rules", inline.Metadata.Range(), 23, 26)
	expectLines("inline default_action", inline.AllowByDefault.GetMetadata().Range(), 24, 24)
	expectLines("inline bypass[0]", inline.Bypass[0].GetMetadata().Range(), 25, 25)

	// Rule 1 is the standalone azurerm_storage_account_network_rules resource.
	standalone := account.NetworkRules[1]
	expectLines("standalone network rules", standalone.Metadata.Range(), 29, 35)
	expectLines("standalone default_action", standalone.AllowByDefault.GetMetadata().Range(), 33, 33)
	expectLines("standalone bypass[0]", standalone.Bypass[0].GetMetadata().Range(), 34, 34)

	expectLines("container", account.Containers[0].Metadata.Range(), 37, 41)
	expectLines("container_access_type", account.Containers[0].PublicAccess.GetMetadata().Range(), 40, 40)
}