github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/cloudfront/enforce_https_test.go (about)

     1  package cloudfront
     2  
     3  import (
     4  	"testing"
     5  
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudfront"
    11  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    12  
    13  	"github.com/stretchr/testify/assert"
    14  )
    15  
    16  func TestCheckEnforceHttps(t *testing.T) {
    17  	tests := []struct {
    18  		name     string
    19  		input    cloudfront.Cloudfront
    20  		expected bool
    21  	}{
    22  		{
    23  			name: "CloudFront distribution default cache behaviour with allow all policy",
    24  			input: cloudfront.Cloudfront{
    25  				Distributions: []cloudfront.Distribution{
    26  					{
    27  						Metadata: defsecTypes.NewTestMetadata(),
    28  						DefaultCacheBehaviour: cloudfront.CacheBehaviour{
    29  							Metadata:             defsecTypes.NewTestMetadata(),
    30  							ViewerProtocolPolicy: defsecTypes.String(cloudfront.ViewerPolicyProtocolAllowAll, defsecTypes.NewTestMetadata()),
    31  						},
    32  					},
    33  				},
    34  			},
    35  			expected: true,
    36  		},
    37  		{
    38  			name: "CloudFront distribution ordered cache behaviour with allow all policy",
    39  			input: cloudfront.Cloudfront{
    40  				Distributions: []cloudfront.Distribution{
    41  					{
    42  						Metadata: defsecTypes.NewTestMetadata(),
    43  						DefaultCacheBehaviour: cloudfront.CacheBehaviour{
    44  							Metadata:             defsecTypes.NewTestMetadata(),
    45  							ViewerProtocolPolicy: defsecTypes.String(cloudfront.ViewerPolicyProtocolHTTPSOnly, defsecTypes.NewTestMetadata()),
    46  						},
    47  						OrdererCacheBehaviours: []cloudfront.CacheBehaviour{
    48  							{
    49  								Metadata:             defsecTypes.NewTestMetadata(),
    50  								ViewerProtocolPolicy: defsecTypes.String(cloudfront.ViewerPolicyProtocolAllowAll, defsecTypes.NewTestMetadata()),
    51  							},
    52  						},
    53  					},
    54  				},
    55  			},
    56  			expected: true,
    57  		},
    58  		{
    59  			name: "CloudFront distribution cache behaviours allowing HTTPS only",
    60  			input: cloudfront.Cloudfront{
    61  				Distributions: []cloudfront.Distribution{
    62  					{
    63  						Metadata: defsecTypes.NewTestMetadata(),
    64  						DefaultCacheBehaviour: cloudfront.CacheBehaviour{
    65  							Metadata:             defsecTypes.NewTestMetadata(),
    66  							ViewerProtocolPolicy: defsecTypes.String(cloudfront.ViewerPolicyProtocolHTTPSOnly, defsecTypes.NewTestMetadata()),
    67  						},
    68  						OrdererCacheBehaviours: []cloudfront.CacheBehaviour{
    69  							{
    70  								Metadata:             defsecTypes.NewTestMetadata(),
    71  								ViewerProtocolPolicy: defsecTypes.String(cloudfront.ViewerPolicyProtocolHTTPSOnly, defsecTypes.NewTestMetadata()),
    72  							},
    73  						},
    74  					},
    75  				},
    76  			},
    77  			expected: false,
    78  		},
    79  	}
    80  	for _, test := range tests {
    81  		t.Run(test.name, func(t *testing.T) {
    82  			var testState state.State
    83  			testState.AWS.Cloudfront = test.input
    84  			results := CheckEnforceHttps.Evaluate(&testState)
    85  			var found bool
    86  			for _, result := range results {
    87  				if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckEnforceHttps.Rule().LongID() {
    88  					found = true
    89  				}
    90  			}
    91  			if test.expected {
    92  				assert.True(t, found, "Rule should have been found")
    93  			} else {
    94  				assert.False(t, found, "Rule should not have been found")
    95  			}
    96  		})
    97  	}
    98  }