github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/iam/no_policy_wildcards_test.go (about) 1 package iam 2 3 import ( 4 "testing" 5 6 defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types" 7 8 "github.com/khulnasoft-lab/defsec/pkg/state" 9 10 "github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam" 11 "github.com/khulnasoft-lab/defsec/pkg/scan" 12 13 "github.com/liamg/iamgo" 14 15 "github.com/stretchr/testify/assert" 16 ) 17 18 func TestCheckNoPolicyWildcards(t *testing.T) { 19 tests := []struct { 20 name string 21 input iam.IAM 22 expected bool 23 }{ 24 { 25 name: "IAM policy with wildcard resource", 26 input: iam.IAM{ 27 Roles: []iam.Role{ 28 { 29 Metadata: defsecTypes.NewTestMetadata(), 30 Policies: []iam.Policy{ 31 { 32 Metadata: defsecTypes.NewTestMetadata(), 33 Document: func() iam.Document { 34 35 builder := iamgo.NewPolicyBuilder() 36 builder.WithVersion("2012-10-17") 37 38 sb := iamgo.NewStatementBuilder() 39 sb.WithSid("ListYourObjects") 40 sb.WithEffect(iamgo.EffectAllow) 41 sb.WithActions([]string{"s3:ListBucket"}) 42 sb.WithResources([]string{"arn:aws:s3:::*"}) 43 sb.WithAWSPrincipals([]string{"arn:aws:iam::1234567890:root"}) 44 45 builder.WithStatement(sb.Build()) 46 47 return iam.Document{ 48 Parsed: builder.Build(), 49 Metadata: defsecTypes.NewTestMetadata(), 50 } 51 }(), 52 Builtin: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()), 53 }, 54 }, 55 }, 56 }, 57 }, 58 expected: true, 59 }, 60 { 61 name: "Builtin IAM policy with wildcard resource", 62 input: iam.IAM{ 63 Roles: []iam.Role{ 64 { 65 Metadata: defsecTypes.NewTestMetadata(), 66 Policies: []iam.Policy{ 67 { 68 Metadata: defsecTypes.NewTestMetadata(), 69 Document: func() iam.Document { 70 71 builder := iamgo.NewPolicyBuilder() 72 builder.WithVersion("2012-10-17") 73 74 sb := iamgo.NewStatementBuilder() 75 sb.WithSid("ListYourObjects") 76 sb.WithEffect(iamgo.EffectAllow) 77 sb.WithActions([]string{"s3:ListBucket"}) 78 sb.WithResources([]string{"arn:aws:s3:::*"}) 79 sb.WithAWSPrincipals([]string{"arn:aws:iam::1234567890:root"}) 80 81 builder.WithStatement(sb.Build()) 82 83 return iam.Document{ 84 Parsed: builder.Build(), 85 Metadata: defsecTypes.NewTestMetadata(), 86 } 87 }(), 88 Builtin: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()), 89 }, 90 }, 91 }, 92 }, 93 }, 94 expected: false, 95 }, 96 { 97 name: "IAM policy with wildcard action", 98 input: iam.IAM{ 99 Policies: []iam.Policy{ 100 { 101 Metadata: defsecTypes.NewTestMetadata(), 102 Document: func() iam.Document { 103 104 builder := iamgo.NewPolicyBuilder() 105 builder.WithVersion("2012-10-17") 106 107 sb := iamgo.NewStatementBuilder() 108 sb.WithSid("ListYourObjects") 109 sb.WithEffect(iamgo.EffectAllow) 110 sb.WithActions([]string{"s3:*"}) 111 sb.WithResources([]string{"arn:aws:s3:::bucket-name"}) 112 sb.WithAWSPrincipals([]string{"arn:aws:iam::1234567890:root"}) 113 114 builder.WithStatement(sb.Build()) 115 116 return iam.Document{ 117 Parsed: builder.Build(), 118 Metadata: defsecTypes.NewTestMetadata(), 119 } 120 }(), 121 Builtin: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()), 122 }, 123 }, 124 }, 125 expected: true, 126 }, 127 { 128 name: "IAM policies without wildcards", 129 input: iam.IAM{ 130 Policies: []iam.Policy{ 131 { 132 Metadata: defsecTypes.NewTestMetadata(), 133 Document: func() iam.Document { 134 135 builder := iamgo.NewPolicyBuilder() 136 builder.WithVersion("2012-10-17") 137 138 sb := iamgo.NewStatementBuilder() 139 sb.WithEffect(iamgo.EffectAllow) 140 sb.WithActions([]string{"s3:GetObject"}) 141 sb.WithResources([]string{"arn:aws:s3:::bucket-name"}) 142 sb.WithAWSPrincipals([]string{"arn:aws:iam::1234567890:root"}) 143 144 builder.WithStatement(sb.Build()) 145 146 return iam.Document{ 147 Parsed: builder.Build(), 148 Metadata: defsecTypes.NewTestMetadata(), 149 } 150 }(), 151 Builtin: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()), 152 }, 153 }, 154 Roles: []iam.Role{ 155 { 156 Metadata: defsecTypes.NewTestMetadata(), 157 Policies: []iam.Policy{ 158 { 159 Metadata: defsecTypes.NewTestMetadata(), 160 Document: func() iam.Document { 161 162 builder := iamgo.NewPolicyBuilder() 163 builder.WithVersion("2012-10-17") 164 165 sb := iamgo.NewStatementBuilder() 166 sb.WithEffect(iamgo.EffectAllow) 167 sb.WithActions([]string{"sts:AssumeRole"}) 168 sb.WithServicePrincipals([]string{"s3.amazonaws.com"}) 169 170 builder.WithStatement(sb.Build()) 171 172 return iam.Document{ 173 Parsed: builder.Build(), 174 Metadata: defsecTypes.NewTestMetadata(), 175 } 176 }(), 177 Builtin: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()), 178 }, 179 }, 180 }, 181 }, 182 }, 183 expected: false, 184 }, 185 } 186 for _, test := range tests { 187 t.Run(test.name, func(t *testing.T) { 188 var testState state.State 189 testState.AWS.IAM = test.input 190 results := CheckNoPolicyWildcards.Evaluate(&testState) 191 var found bool 192 for _, result := range results { 193 if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckNoPolicyWildcards.Rule().LongID() { 194 found = true 195 } 196 } 197 if test.expected { 198 assert.True(t, found, "Rule should have been found") 199 } else { 200 assert.False(t, found, "Rule should not have been found") 201 } 202 }) 203 } 204 }