github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/ec2/enforce_http_token_imds_test.go (about) 1 package ec2 2 3 import ( 4 "testing" 5 6 defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types" 7 8 "github.com/khulnasoft-lab/defsec/pkg/state" 9 10 "github.com/khulnasoft-lab/defsec/pkg/providers/aws/ec2" 11 "github.com/khulnasoft-lab/defsec/pkg/scan" 12 13 "github.com/stretchr/testify/assert" 14 ) 15 16 func TestCheckIMDSAccessRequiresToken(t *testing.T) { 17 tests := []struct { 18 name string 19 input ec2.EC2 20 expected bool 21 }{ 22 { 23 name: "positive result", 24 input: ec2.EC2{ 25 Instances: []ec2.Instance{ 26 { 27 Metadata: defsecTypes.NewTestMetadata(), 28 MetadataOptions: ec2.MetadataOptions{ 29 Metadata: defsecTypes.NewTestMetadata(), 30 HttpTokens: defsecTypes.String("optional", defsecTypes.NewTestMetadata()), 31 HttpEndpoint: defsecTypes.String("enabled", defsecTypes.NewTestMetadata()), 32 }, 33 }, 34 }, 35 }, 36 expected: true, 37 }, 38 { 39 name: "negative result", 40 input: ec2.EC2{ 41 Instances: []ec2.Instance{ 42 { 43 Metadata: defsecTypes.NewTestMetadata(), 44 MetadataOptions: ec2.MetadataOptions{ 45 Metadata: defsecTypes.NewTestMetadata(), 46 HttpTokens: defsecTypes.String("required", defsecTypes.NewTestMetadata()), 47 HttpEndpoint: defsecTypes.String("disabled", defsecTypes.NewTestMetadata()), 48 }, 49 }, 50 }, 51 }, 52 expected: false, 53 }, 54 } 55 for _, test := range tests { 56 t.Run(test.name, func(t *testing.T) { 57 var testState state.State 58 testState.AWS.EC2 = test.input 59 results := CheckIMDSAccessRequiresToken.Evaluate(&testState) 60 var found bool 61 for _, result := range results { 62 if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckIMDSAccessRequiresToken.Rule().LongID() { 63 found = true 64 } 65 } 66 if test.expected { 67 assert.True(t, found, "Rule should have been found") 68 } else { 69 assert.False(t, found, "Rule should not have been found") 70 } 71 }) 72 } 73 }