package iam

import (
	"testing"
	"time"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/state"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
	"github.com/khulnasoft-lab/defsec/pkg/scan"

	"github.com/stretchr/testify/assert"
)

// limitTestAccessKey builds one access-key fixture for the user-access-key
// limit rule. Only the Active flag varies between fixtures: every key uses
// the same example key ID, was created 30 days before the test runs and was
// last used at test time.
func limitTestAccessKey(active bool) iam.AccessKey {
	return iam.AccessKey{
		Metadata:     defsecTypes.NewTestMetadata(),
		AccessKeyId:  defsecTypes.String("AKIACKCEVSQ6C2EXAMPLE", defsecTypes.NewTestMetadata()),
		Active:       defsecTypes.Bool(active, defsecTypes.NewTestMetadata()),
		CreationDate: defsecTypes.Time(time.Now().Add(-time.Hour*24*30), defsecTypes.NewTestMetadata()),
		LastAccess:   defsecTypes.Time(time.Now(), defsecTypes.NewTestMetadata()),
	}
}

// limitTestIAM wraps the given keys in a single IAM user named "user" whose
// own LastAccess is unresolvable, and returns an otherwise empty iam.IAM
// holding just that user.
func limitTestIAM(keys ...iam.AccessKey) iam.IAM {
	return iam.IAM{
		Users: []iam.User{
			{
				Metadata:   defsecTypes.NewTestMetadata(),
				Name:       defsecTypes.String("user", defsecTypes.NewTestMetadata()),
				LastAccess: defsecTypes.TimeUnresolvable(defsecTypes.NewTestMetadata()),
				AccessKeys: keys,
			},
		},
	}
}

// TestCheckLimitUserAccessKeys drives CheckLimitUserAccessKeys with a single
// user holding one or two access keys. The table expects a failed result only
// when two keys are active; inactive keys are not counted toward the limit.
//
// NOTE(review): every case uses one user and identical key IDs, so per-user
// isolation (two users with one active key each) is not exercised here.
func TestCheckLimitUserAccessKeys(t *testing.T) {
	tests := []struct {
		name     string
		input    iam.IAM
		expected bool
	}{
		{
			name:     "Single active access key",
			input:    limitTestIAM(limitTestAccessKey(true)),
			expected: false,
		},
		{
			name:     "One active, one inactive access key",
			input:    limitTestIAM(limitTestAccessKey(true), limitTestAccessKey(false)),
			expected: false,
		},
		{
			name:     "Two inactive keys",
			input:    limitTestIAM(limitTestAccessKey(false), limitTestAccessKey(false)),
			expected: false,
		},
		{
			name:     "Two active keys",
			input:    limitTestIAM(limitTestAccessKey(true), limitTestAccessKey(true)),
			expected: true,
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			var st state.State
			st.AWS.IAM = tc.input
			results := CheckLimitUserAccessKeys.Evaluate(&st)

			// A case "fails" when any result for this rule's LongID has
			// StatusFailed; results for other rules or statuses are ignored.
			found := false
			for _, r := range results {
				if r.Status() != scan.StatusFailed {
					continue
				}
				if r.Rule().LongID() != CheckLimitUserAccessKeys.Rule().LongID() {
					continue
				}
				found = true
			}

			if !tc.expected {
				assert.False(t, found, "Rule should not have been found")
				return
			}
			assert.True(t, found, "Rule should have been found")
		})
	}
}