package cloudtrail

import (
	"testing"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudtrail"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/s3"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/state"
	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
	"github.com/stretchr/testify/assert"
)

// TestCheckBucketAccessLoggingRequired drives checkBucketAccessLoggingRequired
// against a minimal AWS state holding one CloudTrail trail and one S3 bucket,
// and checks whether a Failed result carrying this rule's long ID is produced.
//
// Scenarios covered:
//   - the trail's bucket has server access logging enabled  -> no failure expected
//   - the trail's bucket has server access logging disabled -> a failure expected
//
// NOTE(review): the "no failure" branch only asserts the absence of a Failed
// result for this rule; it would also pass if the rule produced no result at
// all (e.g. if the bucket were never resolved). If the rule emits Passed
// results, asserting on one would make the negative case stronger — confirm
// against the rule implementation before changing the assertion.
// NOTE(review): there is no case for a trail whose bucket is absent from the
// S3 state; the expected outcome cannot be inferred from this file, so confirm
// with the rule before adding one.
func TestCheckBucketAccessLoggingRequired(t *testing.T) {
	// trailLoggingTo builds a CloudTrail state with a single trail that writes
	// its logs to the named bucket.
	trailLoggingTo := func(bucket string) cloudtrail.CloudTrail {
		return cloudtrail.CloudTrail{
			Trails: []cloudtrail.Trail{{
				Metadata:   defsecTypes.NewTestMetadata(),
				BucketName: defsecTypes.String(bucket, defsecTypes.NewTestMetadata()),
			}},
		}
	}

	// bucketWithLogging builds an S3 state with a single bucket whose server
	// access logging flag is set to enabled.
	bucketWithLogging := func(name string, enabled bool) s3.S3 {
		return s3.S3{
			Buckets: []s3.Bucket{{
				Metadata: defsecTypes.NewTestMetadata(),
				Name:     defsecTypes.String(name, defsecTypes.NewTestMetadata()),
				Logging: s3.Logging{
					Metadata: defsecTypes.NewTestMetadata(),
					Enabled:  defsecTypes.Bool(enabled, defsecTypes.NewTestMetadata()),
				},
			}},
		}
	}

	cases := []struct {
		name     string
		inputCT  cloudtrail.CloudTrail
		inputS3  s3.S3
		expected bool // true when a Failed result for this rule is expected
	}{
		{
			name:     "Trail has bucket with logging enabled",
			inputCT:  trailLoggingTo("my-bucket"),
			inputS3:  bucketWithLogging("my-bucket", true),
			expected: false,
		},
		{
			name:     "Trail has bucket without logging enabled",
			inputCT:  trailLoggingTo("my-bucket"),
			inputS3:  bucketWithLogging("my-bucket", false),
			expected: true,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			st := state.State{}
			st.AWS.CloudTrail = tc.inputCT
			st.AWS.S3 = tc.inputS3

			// A case counts as flagged only when a Failed result is attributed
			// to this exact rule (matched on the long ID), not merely any failure.
			var flagged bool
			for _, res := range checkBucketAccessLoggingRequired.Evaluate(&st) {
				if res.Status() != scan.StatusFailed {
					continue
				}
				if res.Rule().LongID() == checkBucketAccessLoggingRequired.Rule().LongID() {
					flagged = true
					break
				}
			}

			msg := "Rule should not have been found"
			if tc.expected {
				msg = "Rule should have been found"
			}
			assert.Equal(t, tc.expected, flagged, msg)
		})
	}
}