// Source: github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/emr/enable_in_transit_encryption_test.go

package emr

import (
	"testing"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/emr"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/state"
	"github.com/stretchr/testify/assert"
)

// TestEnableInTransitEncryption feeds CheckEnableInTransitEncryption an EMR
// state holding one security configuration and asserts whether the rule
// reports a failed result carrying its own long ID.
//
// NOTE(review): both fixtures flip EnableInTransitEncryption and
// EnableAtRestEncryption together, so this test alone cannot show which of
// the two flags the rule reads. A mixed fixture (in-transit false, at-rest
// true, and the reverse) would pin that down.
//
// NOTE(review): the "enabled" fixture has no InTransitEncryptionConfiguration
// block, so only the boolean is exercised. There is also no case for an empty
// or malformed Configuration string; confirm whether the rule reports such
// input or silently skips it.
func TestEnableInTransitEncryption(t *testing.T) {
	// Security configuration JSON with in-transit (and at-rest) encryption off.
	const encryptionOff = `{
		"EncryptionConfiguration": {
			"AtRestEncryptionConfiguration": {
				"S3EncryptionConfiguration": {
					"EncryptionMode": "SSE-S3"
				},
				"LocalDiskEncryptionConfiguration": {
					"EncryptionKeyProviderType": "AwsKms",
					"AwsKmsKey": "arn:aws:kms:us-west-2:187416307283:alias/tf_emr_test_key"
				}
			},
			"EnableInTransitEncryption": false,
			"EnableAtRestEncryption": false
		}
	}`

	// Security configuration JSON with in-transit (and at-rest) encryption on.
	const encryptionOn = `{
		"EncryptionConfiguration": {
			"AtRestEncryptionConfiguration": {
				"S3EncryptionConfiguration": {
					"EncryptionMode": "SSE-S3"
				},
				"LocalDiskEncryptionConfiguration": {
					"EncryptionKeyProviderType": "AwsKms",
					"AwsKmsKey": "arn:aws:kms:us-west-2:187416307283:alias/tf_emr_test_key"
				}
			},
			"EnableInTransitEncryption": true,
			"EnableAtRestEncryption": true
		}
	}`

	// clusterWith wraps a raw configuration document in the EMR state shape
	// that the rule evaluates.
	clusterWith := func(rawConfig string) emr.EMR {
		return emr.EMR{
			SecurityConfiguration: []emr.SecurityConfiguration{
				{
					Name:          defsecTypes.String("test", defsecTypes.NewTestMetadata()),
					Configuration: defsecTypes.String(rawConfig, defsecTypes.NewTestMetadata()),
				},
			},
		}
	}

	cases := []struct {
		name     string
		input    emr.EMR
		expected bool // true when the rule is expected to report a failure
	}{
		{
			name:     "EMR cluster with in-transit encryption disabled",
			input:    clusterWith(encryptionOff),
			expected: true,
		},
		{
			name:     "EMR cluster with in-transit encryption enabled",
			input:    clusterWith(encryptionOn),
			expected: false,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			var st state.State
			st.AWS.EMR = tc.input

			wantID := CheckEnableInTransitEncryption.Rule().LongID()

			// Only a failed result attributed to this rule counts.
			flagged := false
			for _, res := range CheckEnableInTransitEncryption.Evaluate(&st) {
				if res.Status() != scan.StatusFailed {
					continue
				}
				if res.Rule().LongID() == wantID {
					flagged = true
				}
			}

			if !tc.expected {
				assert.False(t, flagged, "Rule should not have been found")
				return
			}
			assert.True(t, flagged, "Rule should have been found")
		})
	}
}