github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/apigateway/no_public_access_test.go (about)

     1  package apigateway
     2  
     3  import (
     4  	"testing"
     5  
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	v1 "github.com/khulnasoft-lab/defsec/pkg/providers/aws/apigateway/v1"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/state"
    11  
    12  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    13  
    14  	"github.com/stretchr/testify/assert"
    15  )
    16  
// TestCheckNoPublicAccess drives CheckNoPublicAccess against a minimal
// API Gateway (v1) state holding one API, one resource and one method, and
// checks whether the rule reports a failed result for that method.
//
// Every case varies the three method attributes the rule is given: the HTTP
// verb, whether an API key is required, and the authorization type.
// `expected` is true when the method should be flagged (a failed result for
// this rule's long ID is present) and false when it should not be.
func TestCheckNoPublicAccess(t *testing.T) {
	// gateway builds a v1 API Gateway state containing exactly one method
	// with the given verb, API-key requirement and authorization type. Each
	// field gets its own fresh test metadata, as the inline literals did.
	gateway := func(verb string, apiKeyRequired bool, authType string) v1.APIGateway {
		method := v1.Method{
			Metadata:          defsecTypes.NewTestMetadata(),
			HTTPMethod:        defsecTypes.String(verb, defsecTypes.NewTestMetadata()),
			APIKeyRequired:    defsecTypes.Bool(apiKeyRequired, defsecTypes.NewTestMetadata()),
			AuthorizationType: defsecTypes.String(authType, defsecTypes.NewTestMetadata()),
		}
		return v1.APIGateway{
			APIs: []v1.API{{
				Metadata:  defsecTypes.NewTestMetadata(),
				Resources: []v1.Resource{{Methods: []v1.Method{method}}},
			}},
		}
	}

	cases := []struct {
		name     string
		input    v1.APIGateway
		expected bool
	}{
		{
			// Unauthenticated GET with no API key requirement: must be reported.
			name:     "API GET method without authorization",
			input:    gateway("GET", false, v1.AuthorizationNone),
			expected: true,
		},
		{
			// NOTE(review): relative to the GET case this changes two inputs at
			// once (the verb and APIKeyRequired), so a pass here cannot tell
			// which of the two the rule honoured; a regression in either one
			// would be masked by the other. The HTTP verb is spelled "OPTIONS";
			// the literal "OPTION" must match whatever the rule compares
			// against, so confirm against the rule before changing it.
			name:     "API OPTION method without authorization",
			input:    gateway("OPTION", true, v1.AuthorizationNone),
			expected: false,
		},
		{
			// IAM-authorized GET: not reported even without an API key.
			name:     "API GET method with IAM authorization",
			input:    gateway("GET", false, v1.AuthorizationIAM),
			expected: false,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			var s state.State
			s.AWS.APIGateway.V1 = tc.input

			// The case counts as flagged only if a result with failed status
			// carries this rule's long ID; anything else is ignored.
			flagged := false
			for _, result := range CheckNoPublicAccess.Evaluate(&s) {
				if result.Status() != scan.StatusFailed {
					continue
				}
				if result.Rule().LongID() == CheckNoPublicAccess.Rule().LongID() {
					flagged = true
					break
				}
			}

			if tc.expected {
				assert.True(t, flagged, "Rule should have been found")
			} else {
				assert.False(t, flagged, "Rule should not have been found")
			}
		})
	}
}