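package iam

import (
	"testing"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/state"
	"github.com/khulnasoft-lab/defsec/pkg/types"
	"github.com/liamg/iamgo"
	"github.com/stretchr/testify/assert"
)

// groupWithEC2Policy builds an IAM state holding a single group with one inline
// policy whose only statement allows "ec2:*".
//
// When mfaRequired is true the statement additionally carries the condition
// Bool aws:MultiFactorAuthPresent == "true"; otherwise it has no condition at
// all. Both fixtures are otherwise identical so that the only thing the test
// varies is the presence of the MFA condition.
func groupWithEC2Policy(mfaRequired bool) iam.IAM {
	statement := iamgo.NewStatementBuilder()
	statement.WithEffect(iamgo.EffectAllow)
	statement.WithActions([]string{"ec2:*"})
	if mfaRequired {
		statement.WithCondition("Bool", "aws:MultiFactorAuthPresent", []string{"true"})
	}

	policy := iamgo.NewPolicyBuilder()
	policy.WithVersion("2012-10-17")
	policy.WithStatement(statement.Build())

	return iam.IAM{
		Groups: []iam.Group{
			{
				Metadata: types.NewTestMetadata(),
				Policies: []iam.Policy{
					{
						Metadata: types.NewTestMetadata(),
						Document: iam.Document{Parsed: policy.Build()},
					},
				},
			},
		},
	}
}

// TestCheckEnforceGroupMFA verifies that CheckEnforceGroupMFA emits a FAILED
// result for a group whose policy grants access with no MFA condition, and emits
// none when the same statement is conditioned on aws:MultiFactorAuthPresent.
//
// NOTE(review): only the Allow + Bool form is exercised. The AWS-documented
// pattern of a Deny statement guarded by BoolIfExists
// aws:MultiFactorAuthPresent=false (the key is absent, not "false", when no MFA
// was used, so a plain Bool check on a Deny does not fire) is not covered here;
// confirm how the rule treats that shape before relying on this test for it.
func TestCheckEnforceGroupMFA(t *testing.T) {
	tests := []struct {
		name     string
		input    iam.IAM
		expected bool // true when a FAILED result for this rule is expected
	}{
		{
			name:     "IAM policy with no MFA required",
			input:    groupWithEC2Policy(false),
			expected: true,
		},
		{
			name:     "IAM policy with MFA required",
			input:    groupWithEC2Policy(true),
			expected: false,
		},
	}
	for _, test := range tests {
		test := test // pin the loop variable for the subtest closure (pre-Go 1.22 semantics)
		t.Run(test.name, func(t *testing.T) {
			var testState state.State
			testState.AWS.IAM = test.input

			results := CheckEnforceGroupMFA.Evaluate(&testState)

			// Only a FAILED result attributed to this exact rule counts as a
			// finding; passes and results from other rules are ignored.
			wantID := CheckEnforceGroupMFA.Rule().LongID()
			var found bool
			for _, result := range results {
				if result.Status() == scan.StatusFailed && result.Rule().LongID() == wantID {
					found = true
					break
				}
			}

			if test.expected {
				assert.True(t, found, "Rule should have been found")
			} else {
				assert.False(t, found, "Rule should not have been found")
			}
		})
	}
}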