github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/iam/enforce_root_mfa_test.go (about) 1 package iam 2 3 import ( 4 "testing" 5 6 defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types" 7 8 "github.com/khulnasoft-lab/defsec/pkg/state" 9 10 "github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam" 11 "github.com/khulnasoft-lab/defsec/pkg/scan" 12 13 "github.com/stretchr/testify/assert" 14 ) 15 16 func TestCheckRootMFAEnabled(t *testing.T) { 17 tests := []struct { 18 name string 19 input iam.IAM 20 expected bool 21 }{ 22 { 23 name: "root user without mfa", 24 input: iam.IAM{ 25 Users: []iam.User{ 26 { 27 Metadata: defsecTypes.NewTestMetadata(), 28 Name: defsecTypes.String("root", defsecTypes.NewTestMetadata()), 29 }, 30 }, 31 }, 32 expected: true, 33 }, 34 { 35 name: "other user without mfa", 36 input: iam.IAM{ 37 Users: []iam.User{ 38 { 39 Metadata: defsecTypes.NewTestMetadata(), 40 Name: defsecTypes.String("other", defsecTypes.NewTestMetadata()), 41 }, 42 }, 43 }, 44 expected: false, 45 }, 46 { 47 name: "root user with mfa", 48 input: iam.IAM{ 49 Users: []iam.User{ 50 { 51 Metadata: defsecTypes.NewTestMetadata(), 52 Name: defsecTypes.String("root", defsecTypes.NewTestMetadata()), 53 MFADevices: []iam.MFADevice{ 54 { 55 Metadata: defsecTypes.NewTestMetadata(), 56 IsVirtual: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()), 57 }, 58 }, 59 }, 60 }, 61 }, 62 expected: false, 63 }, 64 } 65 for _, test := range tests { 66 t.Run(test.name, func(t *testing.T) { 67 var testState state.State 68 testState.AWS.IAM = test.input 69 results := checkRootMFAEnabled.Evaluate(&testState) 70 var found bool 71 for _, result := range results { 72 if result.Status() == scan.StatusFailed && result.Rule().LongID() == checkRootMFAEnabled.Rule().LongID() { 73 found = true 74 } 75 } 76 if test.expected { 77 assert.True(t, found, "Rule should have been found") 78 } else { 79 assert.False(t, found, "Rule should not have been found") 80 } 81 }) 82 } 83 }