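package ecr

import (
	"testing"

	"github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/state"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/ecr"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
	"github.com/khulnasoft-lab/defsec/pkg/scan"

	"github.com/liamg/iamgo"

	"github.com/stretchr/testify/assert"
)

// fixtureECRActions is the action set shared by every policy fixture in this
// file. It spans pull, push and repository-administration actions, so the only
// thing that varies between the cases below is the statement's principal.
var fixtureECRActions = []string{
	"ecr:GetDownloadUrlForLayer",
	"ecr:BatchGetImage",
	"ecr:BatchCheckLayerAvailability",
	"ecr:PutImage",
	"ecr:InitiateLayerUpload",
	"ecr:UploadLayerPart",
	"ecr:CompleteLayerUpload",
	"ecr:DescribeRepositories",
	"ecr:GetRepositoryPolicy",
	"ecr:ListImages",
	"ecr:DeleteRepository",
	"ecr:BatchDeleteImage",
	"ecr:SetRepositoryPolicy",
	"ecr:DeleteRepositoryPolicy",
}

// fixtureRepositoryPolicy builds a single-statement "Allow" repository policy
// over fixtureECRActions. setPrincipal configures the statement's principal,
// which is the property CheckNoPublicAccess is exercised on.
func fixtureRepositoryPolicy(setPrincipal func(sb *iamgo.StatementBuilder)) []iam.Policy {
	sb := iamgo.NewStatementBuilder()
	sb.WithSid("new policy")
	sb.WithEffect("Allow")
	setPrincipal(sb)
	sb.WithActions(fixtureECRActions)

	builder := iamgo.NewPolicyBuilder()
	// Version string kept from the original fixture. It is not one of IAM's
	// documented policy-language versions (2008-10-17 / 2012-10-17), so do not
	// copy it into real policies.
	builder.WithVersion("2021-10-07")
	builder.WithStatement(sb.Build())

	return []iam.Policy{
		{
			Document: iam.Document{
				Metadata: types.NewTestMetadata(),
				Parsed:   builder.Build(),
			},
		},
	}
}

// fixtureECR wraps policies in a single repository carrying test metadata.
func fixtureECR(policies []iam.Policy) ecr.ECR {
	return ecr.ECR{
		Repositories: []ecr.Repository{
			{
				Metadata: types.NewTestMetadata(),
				Policies: policies,
			},
		},
	}
}

// TestCheckNoPublicAccess verifies that CheckNoPublicAccess fails a repository
// whose policy grants access to all principals and does not fail one scoped to
// a specific AWS principal. Only the presence of a failed result for this rule
// is asserted; passed results are not inspected.
func TestCheckNoPublicAccess(t *testing.T) {
	tests := []struct {
		name     string
		input    ecr.ECR
		expected bool
	}{
		{
			name: "ECR repository policy with wildcard principal",
			input: fixtureECR(fixtureRepositoryPolicy(func(sb *iamgo.StatementBuilder) {
				sb.WithAllPrincipals(true)
			})),
			expected: true,
		},
		{
			name: "ECR repository policy with specific principal",
			input: fixtureECR(fixtureRepositoryPolicy(func(sb *iamgo.StatementBuilder) {
				// The Terraform interpolation is not resolved here; the check
				// only needs a principal that is not a wildcard.
				sb.WithAWSPrincipals([]string{"arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"})
			})),
			expected: false,
		},
	}
	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			var testState state.State
			testState.AWS.ECR = test.input
			results := CheckNoPublicAccess.Evaluate(&testState)
			var found bool
			for _, result := range results {
				if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckNoPublicAccess.Rule().LongID() {
					found = true
					break
				}
			}
			if test.expected {
				assert.True(t, found, "Rule should have been found")
			} else {
				assert.False(t, found, "Rule should not have been found")
			}
		})
	}
}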