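package iam

import (
	"testing"
	"time"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/state"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
	"github.com/khulnasoft-lab/defsec/pkg/scan"

	"github.com/stretchr/testify/assert"
)

// TestCheckLimitRootAccountUsage drives checkLimitRootAccountUsage with a
// state holding a single IAM user and asserts whether the rule reports a
// failed result for that state.
//
// The cases cover the "root" user never having logged in, having logged in
// long ago, and having logged in within the last hour, plus a recently active
// non-root user as a control. Only the recent root login is expected to fail.
func TestCheckLimitRootAccountUsage(t *testing.T) {
	tests := []struct {
		name     string
		input    iam.IAM
		expected bool
	}{
		{
			name: "root user, never logged in",
			input: iam.IAM{
				Users: []iam.User{
					{
						Metadata: defsecTypes.NewTestMetadata(),
						Name:     defsecTypes.String("root", defsecTypes.NewTestMetadata()),
						// An unresolvable last-access time models a root user
						// that has no recorded login at all.
						LastAccess: defsecTypes.TimeUnresolvable(defsecTypes.NewTestMetadata()),
					},
				},
			},
			expected: false,
		},
		{
			// This case previously used the name "other", so it never reached
			// the root-user path of the rule and merely duplicated the non-root
			// control case below with an older timestamp. It now exercises the
			// root user with a last access well in the past. The rule's exact
			// look-back window is not visible from this file; the case assumes
			// 90 days is outside it, as the case name implies.
			name: "root user, logged in months ago",
			input: iam.IAM{
				Users: []iam.User{
					{
						Metadata:   defsecTypes.NewTestMetadata(),
						Name:       defsecTypes.String("root", defsecTypes.NewTestMetadata()),
						LastAccess: defsecTypes.Time(time.Now().Add(-time.Hour*24*90), defsecTypes.NewTestMetadata()),
					},
				},
			},
			expected: false,
		},
		{
			name: "root user, logged in today",
			input: iam.IAM{
				Users: []iam.User{
					{
						Metadata:   defsecTypes.NewTestMetadata(),
						Name:       defsecTypes.String("root", defsecTypes.NewTestMetadata()),
						LastAccess: defsecTypes.Time(time.Now().Add(-time.Hour), defsecTypes.NewTestMetadata()),
					},
				},
			},
			expected: true,
		},
		{
			// Control: a recently active user that is not "root" must not
			// trigger the rule regardless of how recent the login is.
			name: "other user, logged in today",
			input: iam.IAM{
				Users: []iam.User{
					{
						Metadata:   defsecTypes.NewTestMetadata(),
						Name:       defsecTypes.String("other", defsecTypes.NewTestMetadata()),
						LastAccess: defsecTypes.Time(time.Now().Add(-time.Hour), defsecTypes.NewTestMetadata()),
					},
				},
			},
			expected: false,
		},
	}
	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			var testState state.State
			testState.AWS.IAM = test.input
			results := checkLimitRootAccountUsage.Evaluate(&testState)

			// A failed result attributed to this rule's ID is what counts as
			// the rule having fired; other rules or passed results are ignored.
			wantID := checkLimitRootAccountUsage.Rule().LongID()
			var found bool
			for _, result := range results {
				if result.Status() == scan.StatusFailed && result.Rule().LongID() == wantID {
					found = true
					break
				}
			}
			if test.expected {
				assert.True(t, found, "Rule should have been found")
			} else {
				assert.False(t, found, "Rule should not have been found")
			}
		})
	}
}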