github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/ec2/no_public_ingress_sgr_test.go (about) 1 package ec2 2 3 import ( 4 "testing" 5 6 defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types" 7 8 "github.com/khulnasoft-lab/defsec/pkg/providers/aws/ec2" 9 "github.com/khulnasoft-lab/defsec/pkg/scan" 10 11 "github.com/khulnasoft-lab/defsec/pkg/state" 12 13 "github.com/stretchr/testify/assert" 14 ) 15 16 func TestCheckNoPublicIngressSgr(t *testing.T) { 17 tests := []struct { 18 name string 19 input ec2.EC2 20 expected bool 21 }{ 22 { 23 name: "AWS VPC ingress security group rule with wildcard address", 24 input: ec2.EC2{ 25 SecurityGroups: []ec2.SecurityGroup{ 26 { 27 Metadata: defsecTypes.NewTestMetadata(), 28 IngressRules: []ec2.SecurityGroupRule{ 29 { 30 Metadata: defsecTypes.NewTestMetadata(), 31 CIDRs: []defsecTypes.StringValue{ 32 defsecTypes.String("0.0.0.0/0", defsecTypes.NewTestMetadata()), 33 }, 34 }, 35 }, 36 }, 37 }, 38 }, 39 expected: true, 40 }, 41 { 42 name: "AWS VPC ingress security group rule with private address", 43 input: ec2.EC2{ 44 SecurityGroups: []ec2.SecurityGroup{ 45 { 46 Metadata: defsecTypes.NewTestMetadata(), 47 IngressRules: []ec2.SecurityGroupRule{ 48 { 49 Metadata: defsecTypes.NewTestMetadata(), 50 CIDRs: []defsecTypes.StringValue{ 51 defsecTypes.String("10.0.0.0/16", defsecTypes.NewTestMetadata()), 52 }, 53 }, 54 }, 55 }, 56 }, 57 }, 58 expected: false, 59 }, 60 } 61 for _, test := range tests { 62 t.Run(test.name, func(t *testing.T) { 63 var testState state.State 64 testState.AWS.EC2 = test.input 65 results := CheckNoPublicIngressSgr.Evaluate(&testState) 66 var found bool 67 for _, result := range results { 68 if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckNoPublicIngressSgr.Rule().LongID() { 69 found = true 70 } 71 } 72 if test.expected { 73 assert.True(t, found, "Rule should have been found") 74 } else { 75 assert.False(t, found, "Rule should not have been found") 76 } 77 }) 78 } 79 }