package ec2

import (
	"testing"

	"github.com/stretchr/testify/assert"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/ec2"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/state"
	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
)

// singleIngressAllowACL builds an EC2 state containing one network ACL whose
// only rule is an ingress ALLOW covering the given CIDR blocks. Each value is
// wrapped with fresh test metadata, as the inline fixtures in this package do.
func singleIngressAllowACL(cidrs ...string) ec2.EC2 {
	blocks := make([]defsecTypes.StringValue, 0, len(cidrs))
	for _, block := range cidrs {
		blocks = append(blocks, defsecTypes.String(block, defsecTypes.NewTestMetadata()))
	}
	rule := ec2.NetworkACLRule{
		Metadata: defsecTypes.NewTestMetadata(),
		Type:     defsecTypes.String(ec2.TypeIngress, defsecTypes.NewTestMetadata()),
		Action:   defsecTypes.String(ec2.ActionAllow, defsecTypes.NewTestMetadata()),
		CIDRs:    blocks,
	}
	return ec2.EC2{
		NetworkACLs: []ec2.NetworkACL{
			{
				Metadata: defsecTypes.NewTestMetadata(),
				Rules:    []ec2.NetworkACLRule{rule},
			},
		},
	}
}

// hasFailedResultFor reports whether results holds at least one result with
// status scan.StatusFailed that was raised by the rule whose long ID is ruleID.
func hasFailedResultFor(results []scan.Result, ruleID string) bool {
	for _, r := range results {
		if r.Status() != scan.StatusFailed {
			continue
		}
		if r.Rule().LongID() == ruleID {
			return true
		}
	}
	return false
}

// TestCheckNoPublicIngress evaluates CheckNoPublicIngress against a network ACL
// whose single ingress ALLOW rule targets either the 0.0.0.0/0 wildcard or an
// RFC 1918 range, and expects a failed finding only for the wildcard case.
func TestCheckNoPublicIngress(t *testing.T) {
	cases := []struct {
		name     string
		input    ec2.EC2
		wantFail bool
	}{
		{
			name:     "AWS VPC network ACL rule with wildcard address",
			input:    singleIngressAllowACL("0.0.0.0/0"),
			wantFail: true,
		},
		{
			name:     "AWS VPC network ACL rule with private address",
			input:    singleIngressAllowACL("10.0.0.0/16"),
			wantFail: false,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			var s state.State
			s.AWS.EC2 = tc.input

			results := CheckNoPublicIngress.Evaluate(&s)
			failed := hasFailedResultFor(results, CheckNoPublicIngress.Rule().LongID())

			if tc.wantFail {
				assert.True(t, failed, "Rule should have been found")
			} else {
				assert.False(t, failed, "Rule should not have been found")
			}
		})
	}
}