github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/internal/adapters/terraform/digitalocean/compute/adapt_test.go (about) 1 package compute 2 3 import ( 4 "testing" 5 6 defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types" 7 8 "github.com/khulnasoft-lab/defsec/pkg/providers/digitalocean/compute" 9 "github.com/stretchr/testify/assert" 10 "github.com/stretchr/testify/require" 11 12 "github.com/khulnasoft-lab/defsec/internal/adapters/terraform/tftestutil" 13 "github.com/khulnasoft-lab/defsec/test/testutil" 14 ) 15 16 func Test_adaptDroplets(t *testing.T) { 17 tests := []struct { 18 name string 19 terraform string 20 expected []compute.Droplet 21 }{ 22 { 23 name: "key as data reference", 24 terraform: ` 25 data "digitalocean_ssh_key" "terraform" { 26 name = "myKey" 27 } 28 29 resource "digitalocean_droplet" "example" { 30 ssh_keys = [ data.digitalocean_ssh_key.myKey.id ] 31 } 32 `, 33 expected: []compute.Droplet{ 34 { 35 Metadata: defsecTypes.NewTestMetadata(), 36 SSHKeys: []defsecTypes.StringValue{ 37 defsecTypes.String("", defsecTypes.NewTestMetadata()), 38 }, 39 }, 40 }, 41 }, 42 { 43 name: "key as string", 44 terraform: ` 45 data "digitalocean_ssh_key" "terraform" { 46 name = "myKey" 47 } 48 49 resource "digitalocean_droplet" "example" { 50 ssh_keys = [ "my-ssh-key" ] 51 } 52 `, 53 expected: []compute.Droplet{ 54 { 55 Metadata: defsecTypes.NewTestMetadata(), 56 SSHKeys: []defsecTypes.StringValue{ 57 defsecTypes.String("my-ssh-key", defsecTypes.NewTestMetadata()), 58 }, 59 }, 60 }, 61 }, 62 { 63 name: "defaults", 64 terraform: ` 65 resource "digitalocean_droplet" "example" { 66 } 67 `, 68 expected: []compute.Droplet{ 69 { 70 Metadata: defsecTypes.NewTestMetadata(), 71 }, 72 }, 73 }, 74 } 75 76 for _, test := range tests { 77 t.Run(test.name, func(t *testing.T) { 78 modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf") 79 adapted := adaptDroplets(modules) 80 testutil.AssertDefsecEqual(t, test.expected, adapted) 81 }) 82 } 83 } 84 85 func Test_adaptFirewalls(t *testing.T) { 86 tests := []struct { 87 name string 88 terraform string 89 expected []compute.Firewall 90 }{ 91 { 92 name: "basic", 93 terraform: ` 94 resource "digitalocean_firewall" "example" { 95 droplet_ids = [digitalocean_droplet.web.id] 96 97 outbound_rule { 98 protocol = "tcp" 99 port_range = "22" 100 destination_addresses = ["192.168.1.0/24"] 101 } 102 103 inbound_rule { 104 protocol = "tcp" 105 port_range = "22" 106 source_addresses = ["192.168.1.0/24", "fc00::/7"] 107 } 108 } 109 `, 110 expected: []compute.Firewall{ 111 { 112 Metadata: defsecTypes.NewTestMetadata(), 113 OutboundRules: []compute.OutboundFirewallRule{ 114 { 115 Metadata: defsecTypes.NewTestMetadata(), 116 DestinationAddresses: []defsecTypes.StringValue{ 117 defsecTypes.String("192.168.1.0/24", defsecTypes.NewTestMetadata()), 118 }, 119 }, 120 }, 121 InboundRules: []compute.InboundFirewallRule{ 122 { 123 Metadata: defsecTypes.NewTestMetadata(), 124 SourceAddresses: []defsecTypes.StringValue{ 125 defsecTypes.String("192.168.1.0/24", defsecTypes.NewTestMetadata()), 126 defsecTypes.String("fc00::/7", defsecTypes.NewTestMetadata()), 127 }, 128 }, 129 }, 130 }, 131 }, 132 }, 133 { 134 name: "defaults", 135 terraform: ` 136 resource "digitalocean_firewall" "example" { 137 } 138 `, 139 expected: []compute.Firewall{ 140 { 141 Metadata: defsecTypes.NewTestMetadata(), 142 OutboundRules: []compute.OutboundFirewallRule{}, 143 InboundRules: []compute.InboundFirewallRule{}, 144 }, 145 }, 146 }, 147 } 148 149 for _, test := range tests { 150 t.Run(test.name, func(t *testing.T) { 151 modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf") 152 adapted := adaptFirewalls(modules) 153 testutil.AssertDefsecEqual(t, test.expected, adapted) 154 }) 155 } 156 } 157 158 func Test_adaptLoadBalancers(t *testing.T) { 159 tests := []struct { 160 name string 161 terraform string 162 expected []compute.LoadBalancer 163 }{ 164 { 165 name: "basic", 166 terraform: ` 167 resource "digitalocean_loadbalancer" "example" { 168 169 forwarding_rule { 170 entry_port = 443 171 entry_protocol = "https" 172 173 target_port = 443 174 target_protocol = "https" 175 } 176 } 177 `, 178 expected: []compute.LoadBalancer{ 179 { 180 Metadata: defsecTypes.NewTestMetadata(), 181 ForwardingRules: []compute.ForwardingRule{ 182 { 183 Metadata: defsecTypes.NewTestMetadata(), 184 EntryProtocol: defsecTypes.String("https", defsecTypes.NewTestMetadata()), 185 }, 186 }, 187 }, 188 }, 189 }, 190 { 191 name: "defaults", 192 terraform: ` 193 resource "digitalocean_loadbalancer" "example" { 194 } 195 `, 196 expected: []compute.LoadBalancer{ 197 { 198 Metadata: defsecTypes.NewTestMetadata(), 199 ForwardingRules: nil, 200 }, 201 }, 202 }, 203 } 204 205 for _, test := range tests { 206 t.Run(test.name, func(t *testing.T) { 207 modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf") 208 adapted := adaptLoadBalancers(modules) 209 testutil.AssertDefsecEqual(t, test.expected, adapted) 210 }) 211 } 212 } 213 214 func Test_adaptKubernetesClusters(t *testing.T) { 215 tests := []struct { 216 name string 217 terraform string 218 expected []compute.KubernetesCluster 219 }{ 220 { 221 name: "basic", 222 terraform: ` 223 resource "digitalocean_kubernetes_cluster" "example" { 224 name = "foo" 225 region = "nyc1" 226 version = "1.20.2-do.0" 227 surge_upgrade = true 228 auto_upgrade = true 229 } 230 `, 231 expected: []compute.KubernetesCluster{ 232 { 233 Metadata: defsecTypes.NewTestMetadata(), 234 SurgeUpgrade: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()), 235 AutoUpgrade: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()), 236 }, 237 }, 238 }, 239 { 240 name: "defaults", 241 terraform: ` 242 resource "digitalocean_kubernetes_cluster" "example" { 243 } 244 `, 245 expected: []compute.KubernetesCluster{ 246 { 247 Metadata: defsecTypes.NewTestMetadata(), 248 SurgeUpgrade: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()), 249 AutoUpgrade: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()), 250 }, 251 }, 252 }, 253 } 254 255 for _, test := range tests { 256 t.Run(test.name, func(t *testing.T) { 257 modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf") 258 adapted := adaptKubernetesClusters(modules) 259 testutil.AssertDefsecEqual(t, test.expected, adapted) 260 }) 261 } 262 } 263 264 func TestLines(t *testing.T) { 265 src := ` 266 data "digitalocean_ssh_key" "terraform" { 267 name = "myKey" 268 } 269 270 resource "digitalocean_droplet" "example" { 271 ssh_keys = [ data.digitalocean_ssh_key.myKey.id ] 272 } 273 274 resource "digitalocean_firewall" "example" { 275 276 outbound_rule { 277 destination_addresses = ["192.168.1.0/24"] 278 } 279 280 inbound_rule { 281 source_addresses = ["192.168.1.0/24", "fc00::/7"] 282 } 283 } 284 285 resource "digitalocean_loadbalancer" "example" { 286 287 forwarding_rule { 288 entry_port = 443 289 entry_protocol = "https" 290 } 291 } 292 293 resource "digitalocean_kubernetes_cluster" "example" { 294 name = "foo" 295 surge_upgrade = true 296 auto_upgrade = true 297 }` 298 299 modules := tftestutil.CreateModulesFromSource(t, src, ".tf") 300 adapted := Adapt(modules) 301 302 require.Len(t, adapted.Droplets, 1) 303 require.Len(t, adapted.Firewalls, 1) 304 require.Len(t, adapted.KubernetesClusters, 1) 305 require.Len(t, adapted.LoadBalancers, 1) 306 307 droplet := adapted.Droplets[0] 308 firewall := adapted.Firewalls[0] 309 cluster := adapted.KubernetesClusters[0] 310 loadBalancer := adapted.LoadBalancers[0] 311 312 assert.Equal(t, 6, droplet.Metadata.Range().GetStartLine()) 313 assert.Equal(t, 8, droplet.Metadata.Range().GetEndLine()) 314 315 assert.Equal(t, 7, droplet.SSHKeys[0].GetMetadata().Range().GetStartLine()) 316 assert.Equal(t, 7, droplet.SSHKeys[0].GetMetadata().Range().GetEndLine()) 317 318 assert.Equal(t, 10, firewall.Metadata.Range().GetStartLine()) 319 assert.Equal(t, 19, firewall.Metadata.Range().GetEndLine()) 320 321 assert.Equal(t, 12, firewall.OutboundRules[0].Metadata.Range().GetStartLine()) 322 assert.Equal(t, 14, firewall.OutboundRules[0].Metadata.Range().GetEndLine()) 323 324 assert.Equal(t, 13, firewall.OutboundRules[0].DestinationAddresses[0].GetMetadata().Range().GetStartLine()) 325 assert.Equal(t, 13, firewall.OutboundRules[0].DestinationAddresses[0].GetMetadata().Range().GetEndLine()) 326 327 assert.Equal(t, 16, firewall.InboundRules[0].Metadata.Range().GetStartLine()) 328 assert.Equal(t, 18, firewall.InboundRules[0].Metadata.Range().GetEndLine()) 329 330 assert.Equal(t, 17, firewall.InboundRules[0].SourceAddresses[0].GetMetadata().Range().GetStartLine()) 331 assert.Equal(t, 17, firewall.InboundRules[0].SourceAddresses[0].GetMetadata().Range().GetEndLine()) 332 333 assert.Equal(t, 21, loadBalancer.Metadata.Range().GetStartLine()) 334 assert.Equal(t, 27, loadBalancer.Metadata.Range().GetEndLine()) 335 336 assert.Equal(t, 23, loadBalancer.ForwardingRules[0].Metadata.Range().GetStartLine()) 337 assert.Equal(t, 26, loadBalancer.ForwardingRules[0].Metadata.Range().GetEndLine()) 338 339 assert.Equal(t, 25, loadBalancer.ForwardingRules[0].EntryProtocol.GetMetadata().Range().GetStartLine()) 340 assert.Equal(t, 25, loadBalancer.ForwardingRules[0].EntryProtocol.GetMetadata().Range().GetEndLine()) 341 342 assert.Equal(t, 29, cluster.Metadata.Range().GetStartLine()) 343 assert.Equal(t, 33, cluster.Metadata.Range().GetEndLine()) 344 345 assert.Equal(t, 31, cluster.SurgeUpgrade.GetMetadata().Range().GetStartLine()) 346 assert.Equal(t, 31, cluster.SurgeUpgrade.GetMetadata().Range().GetEndLine()) 347 348 assert.Equal(t, 32, cluster.AutoUpgrade.GetMetadata().Range().GetStartLine()) 349 assert.Equal(t, 32, cluster.AutoUpgrade.GetMetadata().Range().GetEndLine()) 350 }