
     1  package iam
     2  
     3  import (
     4  	"testing"
     5  
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
    11  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    12  
    13  	"github.com/stretchr/testify/assert"
    14  )
    15  
// TestCheckNoRootAccessKeys drives checkNoRootAccessKeys through a small table
// of IAM states. Of the cases below, only an *active* access key attached to
// the user named "root" is expected to yield a failed result for this rule;
// inactive root keys and keys on other users must not trigger it.
func TestCheckNoRootAccessKeys(t *testing.T) {
	// meta hands out fresh test metadata per field, matching the per-field
	// NewTestMetadata() calls the fixtures were originally written with.
	meta := defsecTypes.NewTestMetadata

	// accessKey builds an access-key fixture whose only varying attribute is
	// whether it is active; the key id is a fixed dummy and both timestamps
	// are left unresolvable.
	accessKey := func(active bool) iam.AccessKey {
		return iam.AccessKey{
			Metadata:     meta(),
			AccessKeyId:  defsecTypes.String("BLAH", meta()),
			Active:       defsecTypes.Bool(active, meta()),
			CreationDate: defsecTypes.TimeUnresolvable(meta()),
			LastAccess:   defsecTypes.TimeUnresolvable(meta()),
		}
	}

	// user builds a user fixture with the given name and zero or more keys.
	// Called with no keys, AccessKeys stays nil, exactly as in the "without
	// access key" cases.
	user := func(name string, keys ...iam.AccessKey) iam.User {
		return iam.User{
			Metadata:   meta(),
			Name:       defsecTypes.String(name, meta()),
			AccessKeys: keys,
		}
	}

	cases := []struct {
		name     string
		input    iam.IAM
		expected bool
	}{
		{
			name:     "root user without access key",
			input:    iam.IAM{Users: []iam.User{user("root")}},
			expected: false,
		},
		{
			name:     "other user without access key",
			input:    iam.IAM{Users: []iam.User{user("other")}},
			expected: false,
		},
		{
			name:     "other user with access key",
			input:    iam.IAM{Users: []iam.User{user("other", accessKey(true))}},
			expected: false,
		},
		{
			name:     "root user with inactive access key",
			input:    iam.IAM{Users: []iam.User{user("root", accessKey(false))}},
			expected: false,
		},
		{
			name:     "root user with active access key",
			input:    iam.IAM{Users: []iam.User{user("root", accessKey(true))}},
			expected: true,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			var s state.State
			s.AWS.IAM = tc.input

			// A result counts only if it is a failure for this exact rule;
			// stop scanning as soon as one is seen.
			wantID := checkNoRootAccessKeys.Rule().LongID()
			triggered := false
			for _, r := range checkNoRootAccessKeys.Evaluate(&s) {
				if r.Status() == scan.StatusFailed && r.Rule().LongID() == wantID {
					triggered = true
					break
				}
			}

			if !tc.expected {
				assert.False(t, triggered, "Rule should not have been found")
				return
			}
			assert.True(t, triggered, "Rule should have been found")
		})
	}
}