
     1  package iam
     2  
     3  import (
     4  	"testing"
     5  	"time"
     6  
     7  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     8  
     9  	"github.com/khulnasoft-lab/defsec/pkg/state"
    10  
    11  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
    12  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    13  
    14  	"github.com/stretchr/testify/assert"
    15  )
    16  
// TestCheckUnusedCredentialsDisabled drives CheckUnusedCredentialsDisabled
// over a table of single-user IAM states and checks whether the rule emits a
// failed result for each one.
//
// Two activity signals are exercised: console activity (User.LastAccess) and
// programmatic activity (AccessKey.LastAccess), with 100-day-old activity as
// the "stale" example. The staleness threshold itself lives in the rule, not
// in this test (presumably the CIS 90-day window — confirm against the rule),
// so no exact-boundary case is asserted here. Note that an inactive key that
// was last used 100 days ago must NOT be reported: a key that is already
// disabled is not a live credential.
func TestCheckUnusedCredentialsDisabled(t *testing.T) {
	// A single reference instant so every offset in the table is measured
	// from the same moment rather than from separate time.Now() reads.
	now := time.Now()
	daysAgo := func(days int) time.Time {
		return now.Add(-time.Duration(days) * 24 * time.Hour)
	}
	meta := defsecTypes.NewTestMetadata

	// accessKey builds one IAM access key carrying the AWS documentation
	// example key id used throughout this table.
	accessKey := func(active bool, created, lastUsed time.Time) iam.AccessKey {
		return iam.AccessKey{
			Metadata:     meta(),
			AccessKeyId:  defsecTypes.String("AKIACKCEVSQ6C2EXAMPLE", meta()),
			Active:       defsecTypes.Bool(active, meta()),
			CreationDate: defsecTypes.Time(created, meta()),
			LastAccess:   defsecTypes.Time(lastUsed, meta()),
		}
	}

	// consoleUser is a user with a known last console login and no keys.
	consoleUser := func(lastLogin time.Time) iam.User {
		return iam.User{
			Metadata:   meta(),
			Name:       defsecTypes.String("user", meta()),
			LastAccess: defsecTypes.Time(lastLogin, meta()),
		}
	}

	// keyOnlyUser has never logged in to the console (LastAccess is
	// unresolvable) and owns exactly the given access keys.
	keyOnlyUser := func(keys ...iam.AccessKey) iam.User {
		return iam.User{
			Metadata:   meta(),
			Name:       defsecTypes.String("user", meta()),
			LastAccess: defsecTypes.TimeUnresolvable(meta()),
			AccessKeys: keys,
		}
	}

	cases := []struct {
		name     string
		users    []iam.User
		wantFail bool // true when the rule must report this user
	}{
		{
			name:     "User logged in today",
			users:    []iam.User{consoleUser(now)},
			wantFail: false,
		},
		{
			name:     "User never logged in, but used access key today",
			users:    []iam.User{keyOnlyUser(accessKey(true, daysAgo(30), now))},
			wantFail: false,
		},
		{
			name:     "User logged in 100 days ago",
			users:    []iam.User{consoleUser(daysAgo(100))},
			wantFail: true,
		},
		{
			name:     "User last used access key 100 days ago but it is no longer active",
			users:    []iam.User{keyOnlyUser(accessKey(false, daysAgo(120), daysAgo(100)))},
			wantFail: false,
		},
		{
			name:     "User last used access key 100 days ago and it is active",
			users:    []iam.User{keyOnlyUser(accessKey(true, daysAgo(120), daysAgo(100)))},
			wantFail: true,
		},
	}

	wantID := CheckUnusedCredentialsDisabled.Rule().LongID()

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			var st state.State
			st.AWS.IAM = iam.IAM{Users: tc.users}

			// A "hit" is a failed result attributed to this rule's long ID;
			// results from other statuses or rules are ignored.
			failed := false
			for _, r := range CheckUnusedCredentialsDisabled.Evaluate(&st) {
				if r.Status() != scan.StatusFailed || r.Rule().LongID() != wantID {
					continue
				}
				failed = true
				break
			}

			if tc.wantFail {
				assert.True(t, failed, "Rule should have been found")
			} else {
				assert.False(t, failed, "Rule should not have been found")
			}
		})
	}
}