github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/eks/encrypt_secrets_test.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/eks/encrypt_secrets_test.go (about)

     1  package eks
     2  
     3  import (
     4  	"testing"
     5  
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/eks"
    11  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    12  
    13  	"github.com/stretchr/testify/assert"
    14  )
    15  
    16  func TestCheckEncryptSecrets(t *testing.T) {
    17  	tests := []struct {
    18  		name     string
    19  		input    eks.EKS
    20  		expected bool
    21  	}{
    22  		{
    23  			name: "EKS Cluster with no secrets in the resources attribute",
    24  			input: eks.EKS{
    25  				Clusters: []eks.Cluster{
    26  					{
    27  						Metadata: defsecTypes.NewTestMetadata(),
    28  						Encryption: eks.Encryption{
    29  							Metadata: defsecTypes.NewTestMetadata(),
    30  							Secrets:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
    31  							KMSKeyID: defsecTypes.String("", defsecTypes.NewTestMetadata()),
    32  						},
    33  					},
    34  				},
    35  			},
    36  			expected: true,
    37  		},
    38  		{
    39  			name: "EKS Cluster with secrets in the resources attribute but no KMS key",
    40  			input: eks.EKS{
    41  				Clusters: []eks.Cluster{
    42  					{
    43  						Metadata: defsecTypes.NewTestMetadata(),
    44  						Encryption: eks.Encryption{
    45  							Metadata: defsecTypes.NewTestMetadata(),
    46  							Secrets:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
    47  							KMSKeyID: defsecTypes.String("", defsecTypes.NewTestMetadata()),
    48  						},
    49  					},
    50  				},
    51  			},
    52  			expected: true,
    53  		},
    54  		{
    55  			name: "EKS Cluster with secrets in the resources attribute and a KMS key",
    56  			input: eks.EKS{
    57  				Clusters: []eks.Cluster{
    58  					{
    59  						Metadata: defsecTypes.NewTestMetadata(),
    60  						Encryption: eks.Encryption{
    61  							Metadata: defsecTypes.NewTestMetadata(),
    62  							Secrets:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
    63  							KMSKeyID: defsecTypes.String("some-arn", defsecTypes.NewTestMetadata()),
    64  						},
    65  					},
    66  				},
    67  			},
    68  			expected: false,
    69  		},
    70  	}
    71  	for _, test := range tests {
    72  		t.Run(test.name, func(t *testing.T) {
    73  			var testState state.State
    74  			testState.AWS.EKS = test.input
    75  			results := CheckEncryptSecrets.Evaluate(&testState)
    76  			var found bool
    77  			for _, result := range results {
    78  				if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckEncryptSecrets.Rule().LongID() {
    79  					found = true
    80  				}
    81  			}
    82  			if test.expected {
    83  				assert.True(t, found, "Rule should have been found")
    84  			} else {
    85  				assert.False(t, found, "Rule should not have been found")
    86  			}
    87  		})
    88  	}
    89  }