github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/iam/enforce_root_hardware_mfa_test.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/iam/enforce_root_hardware_mfa_test.go (about)

     1  package iam
     2  
     3  import (
     4  	"testing"
     5  
     6  	"github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
    11  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    12  
    13  	"github.com/stretchr/testify/assert"
    14  )
    15  
    16  func TestCheckRootHardwareMFAEnabled(t *testing.T) {
    17  	tests := []struct {
    18  		name     string
    19  		input    iam.IAM
    20  		expected bool
    21  	}{
    22  		{
    23  			name: "root user without mfa",
    24  			input: iam.IAM{
    25  				Users: []iam.User{
    26  					{
    27  						Metadata: types.NewTestMetadata(),
    28  						Name:     types.String("root", types.NewTestMetadata()),
    29  					},
    30  				},
    31  			},
    32  			expected: true,
    33  		},
    34  		{
    35  			name: "root user with virtual MFA mfa",
    36  			input: iam.IAM{
    37  				Users: []iam.User{
    38  					{
    39  						Metadata: types.NewTestMetadata(),
    40  						Name:     types.String("root", types.NewTestMetadata()),
    41  						MFADevices: []iam.MFADevice{
    42  							{
    43  								Metadata:  types.NewTestMetadata(),
    44  								IsVirtual: types.Bool(true, types.NewTestMetadata()),
    45  							},
    46  						},
    47  					},
    48  				},
    49  			},
    50  			expected: true,
    51  		},
    52  		{
    53  			name: "other user without mfa",
    54  			input: iam.IAM{
    55  				Users: []iam.User{
    56  					{
    57  						Metadata: types.NewTestMetadata(),
    58  						Name:     types.String("other", types.NewTestMetadata()),
    59  					},
    60  				},
    61  			},
    62  			expected: false,
    63  		},
    64  		{
    65  			name: "root user with hardware mfa",
    66  			input: iam.IAM{
    67  				Users: []iam.User{
    68  					{
    69  						Metadata: types.NewTestMetadata(),
    70  						Name:     types.String("root", types.NewTestMetadata()),
    71  						MFADevices: []iam.MFADevice{
    72  							{
    73  								Metadata:  types.NewTestMetadata(),
    74  								IsVirtual: types.Bool(false, types.NewTestMetadata()),
    75  							},
    76  						},
    77  					},
    78  				},
    79  			},
    80  			expected: false,
    81  		},
    82  	}
    83  	for _, test := range tests {
    84  		t.Run(test.name, func(t *testing.T) {
    85  			var testState state.State
    86  			testState.AWS.IAM = test.input
    87  			results := checkRootHardwareMFAEnabled.Evaluate(&testState)
    88  			var found bool
    89  			for _, result := range results {
    90  				if result.Status() == scan.StatusFailed && result.Rule().LongID() == checkRootHardwareMFAEnabled.Rule().LongID() {
    91  					found = true
    92  				}
    93  			}
    94  			if test.expected {
    95  				assert.True(t, found, "Rule should have been found")
    96  			} else {
    97  				assert.False(t, found, "Rule should not have been found")
    98  			}
    99  		})
   100  	}
   101  }