github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/apigateway/enable_access_logging_test.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/apigateway/enable_access_logging_test.go (about)

     1  package apigateway
     2  
     3  import (
     4  	"testing"
     5  
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	v1 "github.com/khulnasoft-lab/defsec/pkg/providers/aws/apigateway/v1"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/state"
    11  
    12  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    13  
    14  	"github.com/stretchr/testify/assert"
    15  )
    16  
    17  func TestCheckEnableAccessLogging(t *testing.T) {
    18  	tests := []struct {
    19  		name     string
    20  		input    v1.APIGateway
    21  		expected bool
    22  	}{
    23  		{
    24  			name: "API Gateway stage with no log group ARN",
    25  			input: v1.APIGateway{
    26  				APIs: []v1.API{
    27  					{
    28  						Metadata: defsecTypes.NewTestMetadata(),
    29  						Stages: []v1.Stage{
    30  							{
    31  								Metadata: defsecTypes.NewTestMetadata(),
    32  								AccessLogging: v1.AccessLogging{
    33  									Metadata:              defsecTypes.NewTestMetadata(),
    34  									CloudwatchLogGroupARN: defsecTypes.String("", defsecTypes.NewTestMetadata()),
    35  								},
    36  							},
    37  						},
    38  					},
    39  				},
    40  			},
    41  			expected: true,
    42  		},
    43  		{
    44  			name: "API Gateway stage with log group ARN",
    45  			input: v1.APIGateway{
    46  				APIs: []v1.API{
    47  					{
    48  						Metadata: defsecTypes.NewTestMetadata(),
    49  						Stages: []v1.Stage{
    50  							{
    51  								Metadata: defsecTypes.NewTestMetadata(),
    52  								AccessLogging: v1.AccessLogging{
    53  									Metadata:              defsecTypes.NewTestMetadata(),
    54  									CloudwatchLogGroupARN: defsecTypes.String("log-group-arn", defsecTypes.NewTestMetadata()),
    55  								},
    56  							},
    57  						},
    58  					},
    59  				},
    60  			},
    61  			expected: false,
    62  		},
    63  	}
    64  	for _, test := range tests {
    65  		t.Run(test.name, func(t *testing.T) {
    66  			var testState state.State
    67  			testState.AWS.APIGateway.V1 = test.input
    68  			results := CheckEnableAccessLogging.Evaluate(&testState)
    69  			var found bool
    70  			for _, result := range results {
    71  				if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckEnableAccessLogging.Rule().LongID() {
    72  					found = true
    73  				}
    74  			}
    75  			if test.expected {
    76  				assert.True(t, found, "Rule should have been found")
    77  			} else {
    78  				assert.False(t, found, "Rule should not have been found")
    79  			}
    80  		})
    81  	}
    82  }