github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/ec2/no_excessive_port_access_test.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/ec2/no_excessive_port_access_test.go (about)

     1  package ec2
     2  
     3  import (
     4  	"testing"
     5  
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/ec2"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/state"
    11  
    12  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    13  
    14  	"github.com/stretchr/testify/assert"
    15  )
    16  
    17  func TestCheckNoExcessivePortAccess(t *testing.T) {
    18  	tests := []struct {
    19  		name     string
    20  		input    ec2.EC2
    21  		expected bool
    22  	}{
    23  		{
    24  			name: "AWS VPC network ACL rule with protocol set to all",
    25  			input: ec2.EC2{
    26  				NetworkACLs: []ec2.NetworkACL{
    27  					{
    28  						Metadata: defsecTypes.NewTestMetadata(),
    29  						Rules: []ec2.NetworkACLRule{
    30  							{
    31  								Metadata: defsecTypes.NewTestMetadata(),
    32  								Protocol: defsecTypes.String("-1", defsecTypes.NewTestMetadata()),
    33  								Action:   defsecTypes.String("allow", defsecTypes.NewTestMetadata()),
    34  							},
    35  						},
    36  					},
    37  				},
    38  			},
    39  			expected: true,
    40  		},
    41  		{
    42  			name: "AWS VPC network ACL rule with protocol set to all",
    43  			input: ec2.EC2{
    44  				NetworkACLs: []ec2.NetworkACL{
    45  					{
    46  						Metadata: defsecTypes.NewTestMetadata(),
    47  						Rules: []ec2.NetworkACLRule{
    48  							{
    49  								Metadata: defsecTypes.NewTestMetadata(),
    50  								Protocol: defsecTypes.String("all", defsecTypes.NewTestMetadata()),
    51  								Action:   defsecTypes.String("allow", defsecTypes.NewTestMetadata()),
    52  							},
    53  						},
    54  					},
    55  				},
    56  			},
    57  			expected: true,
    58  		},
    59  		{
    60  			name: "AWS VPC network ACL rule with tcp protocol",
    61  			input: ec2.EC2{
    62  				NetworkACLs: []ec2.NetworkACL{
    63  					{
    64  						Metadata: defsecTypes.NewTestMetadata(),
    65  						Rules: []ec2.NetworkACLRule{
    66  							{
    67  								Metadata: defsecTypes.NewTestMetadata(),
    68  								Protocol: defsecTypes.String("tcp", defsecTypes.NewTestMetadata()),
    69  								Type:     defsecTypes.String("egress", defsecTypes.NewTestMetadata()),
    70  								Action:   defsecTypes.String("allow", defsecTypes.NewTestMetadata()),
    71  							},
    72  						},
    73  					},
    74  				},
    75  			},
    76  			expected: false,
    77  		},
    78  	}
    79  	for _, test := range tests {
    80  		t.Run(test.name, func(t *testing.T) {
    81  			var testState state.State
    82  			testState.AWS.EC2 = test.input
    83  			results := CheckNoExcessivePortAccess.Evaluate(&testState)
    84  			var found bool
    85  			for _, result := range results {
    86  				if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckNoExcessivePortAccess.Rule().LongID() {
    87  					found = true
    88  				}
    89  			}
    90  			if test.expected {
    91  				assert.True(t, found, "Rule should have been found")
    92  			} else {
    93  				assert.False(t, found, "Rule should not have been found")
    94  			}
    95  		})
    96  	}
    97  }