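package cloudwatch

import (
	"testing"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudtrail"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudwatch"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/state"
	"github.com/stretchr/testify/assert"
)

// TestCheckRequireRootUserUsageAlarm drives requireRootUserUsageAlarm over a
// synthetic AWS state and checks whether the rule emits a failed result.
//
// Every case wires a logging, multi-region CloudTrail trail to a CloudWatch
// log group through a shared ARN; the cases differ only in whether that log
// group carries a metric filter for root user activity. "expected" is true
// when the rule is expected to report scan.StatusFailed under its own LongID.
//
// Fixes relative to the earlier version of this test:
//   - both cases carried the same (and wrong) name, which made `go test -run`
//     and failure output ambiguous; they are now distinct and describe the
//     root-user scenario rather than the Non-MFA one.
//   - the passing fixture's filter pattern used `&.eventType`, which is not a
//     valid CloudWatch Logs JSON selector (selectors are `$.`-prefixed). The
//     fixture now uses `$.eventType` so it reflects a pattern an operator
//     would actually deploy.
func TestCheckRequireRootUserUsageAlarm(t *testing.T) {
	// ARN shared by the trail and the log group so the rule can correlate them.
	const logGroupArn = "arn:aws:cloudwatch:us-east-1:123456789012:log-group:cloudtrail-logging"

	// Metric filter pattern for console/API activity by the account root user.
	const rootUsagePattern = `$.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent"`

	// newTrail builds a logging, multi-region trail delivering to logGroupArn.
	newTrail := func() cloudtrail.CloudTrail {
		return cloudtrail.CloudTrail{
			Trails: []cloudtrail.Trail{
				{
					Metadata:                  defsecTypes.NewTestMetadata(),
					CloudWatchLogsLogGroupArn: defsecTypes.String(logGroupArn, defsecTypes.NewTestMetadata()),
					IsLogging:                 defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					IsMultiRegion:             defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
				},
			},
		}
	}

	// newAlarms builds the single RootUserUsage alarm used by both cases.
	newAlarms := func() []cloudwatch.Alarm {
		return []cloudwatch.Alarm{
			{
				Metadata:   defsecTypes.NewTestMetadata(),
				AlarmName:  defsecTypes.String("RootUserUsage", defsecTypes.NewTestMetadata()),
				MetricName: defsecTypes.String("RootUserUsage", defsecTypes.NewTestMetadata()),
				Metrics: []cloudwatch.MetricDataQuery{
					{
						Metadata: defsecTypes.NewTestMetadata(),
						ID:       defsecTypes.String("RootUserUsage", defsecTypes.NewTestMetadata()),
					},
				},
			},
		}
	}

	// newLogGroup builds the log group the trail points at, with the given filters.
	newLogGroup := func(filters []cloudwatch.MetricFilter) []cloudwatch.LogGroup {
		return []cloudwatch.LogGroup{
			{
				Metadata:      defsecTypes.NewTestMetadata(),
				Arn:           defsecTypes.String(logGroupArn, defsecTypes.NewTestMetadata()),
				MetricFilters: filters,
			},
		}
	}

	tests := []struct {
		name       string
		cloudtrail cloudtrail.CloudTrail
		cloudwatch cloudwatch.CloudWatch
		expected   bool
	}{
		{
			name:       "Multi-region CloudTrail log group has root user usage metric filter and alarm",
			cloudtrail: newTrail(),
			cloudwatch: cloudwatch.CloudWatch{
				LogGroups: newLogGroup([]cloudwatch.MetricFilter{
					{
						Metadata:      defsecTypes.NewTestMetadata(),
						FilterName:    defsecTypes.String("RootUserUsage", defsecTypes.NewTestMetadata()),
						FilterPattern: defsecTypes.String(rootUsagePattern, defsecTypes.NewTestMetadata()),
					},
				}),
				Alarms: newAlarms(),
			},
			expected: false,
		},
		{
			name:       "Multi-region CloudTrail log group has alarm but no root user usage metric filter",
			cloudtrail: newTrail(),
			cloudwatch: cloudwatch.CloudWatch{
				// An alarm alone is not enough: without a metric filter nothing feeds it.
				LogGroups: newLogGroup([]cloudwatch.MetricFilter{}),
				Alarms:    newAlarms(),
			},
			expected: true,
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			var testState state.State
			testState.AWS.CloudWatch = test.cloudwatch
			testState.AWS.CloudTrail = test.cloudtrail

			results := requireRootUserUsageAlarm.Evaluate(&testState)

			// Only a failed result attributed to this rule counts as "found".
			var found bool
			for _, result := range results {
				if result.Status() == scan.StatusFailed &&
					result.Rule().LongID() == requireRootUserUsageAlarm.Rule().LongID() {
					found = true
					break
				}
			}

			if test.expected {
				assert.True(t, found, "Rule should have been found")
			} else {
				assert.False(t, found, "Rule should not have been found")
			}
		})
	}
}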