package iam

import (
	"testing"
	"time"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/state"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
	"github.com/khulnasoft-lab/defsec/pkg/scan"

	"github.com/stretchr/testify/assert"
)

// iamWithActiveKeyAged builds an IAM fixture holding one user whose single
// access key is active, was created keyAge before now and was last used now.
// Every fixture in the test is built this way, so the only thing that varies
// between cases is the key's age.
//
// The key ID is a placeholder in the documented "...EXAMPLE" form, not a
// real credential. The user's own LastAccess is left unresolvable so that
// the key's timestamps, not the user's, are what the rule sees.
func iamWithActiveKeyAged(keyAge time.Duration) iam.IAM {
	now := time.Now()
	key := iam.AccessKey{
		Metadata:     defsecTypes.NewTestMetadata(),
		AccessKeyId:  defsecTypes.String("AKIACKCEVSQ6C2EXAMPLE", defsecTypes.NewTestMetadata()),
		Active:       defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
		CreationDate: defsecTypes.Time(now.Add(-keyAge), defsecTypes.NewTestMetadata()),
		LastAccess:   defsecTypes.Time(now, defsecTypes.NewTestMetadata()),
	}
	user := iam.User{
		Metadata:   defsecTypes.NewTestMetadata(),
		Name:       defsecTypes.String("user", defsecTypes.NewTestMetadata()),
		LastAccess: defsecTypes.TimeUnresolvable(defsecTypes.NewTestMetadata()),
		AccessKeys: []iam.AccessKey{key},
	}
	return iam.IAM{Users: []iam.User{user}}
}

// TestCheckAccessKeysRotated pins the rotation check's behaviour at two key
// ages: a key created 30 days ago must not produce a failed result, a key
// created 120 days ago must. The exact threshold between those two ages is
// owned by the rule, not by this test.
//
// NOTE(review): only active keys with a resolvable creation date are
// exercised here; inactive keys and keys whose creation date is unresolvable
// are not covered by these cases.
func TestCheckAccessKeysRotated(t *testing.T) {
	const day = 24 * time.Hour

	cases := []struct {
		name     string
		keyAge   time.Duration
		wantFail bool
	}{
		{name: "Access key created a month ago", keyAge: 30 * day, wantFail: false},
		{name: "Access key created 4 months ago", keyAge: 4 * 30 * day, wantFail: true},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			var st state.State
			st.AWS.IAM = iamWithActiveKeyAged(tc.keyAge)

			// Only a FAILED result attributed to this rule counts as a hit;
			// results of any other status, or from any other rule, are ignored.
			wantID := CheckAccessKeysRotated.Rule().LongID()
			var failed bool
			for _, r := range CheckAccessKeysRotated.Evaluate(&st) {
				if r.Status() == scan.StatusFailed && r.Rule().LongID() == wantID {
					failed = true
				}
			}

			if tc.wantFail {
				assert.True(t, failed, "Rule should have been found")
				return
			}
			assert.False(t, failed, "Rule should not have been found")
		})
	}
}