github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/msk/enable_in_transit_encryption_test.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/msk/enable_in_transit_encryption_test.go (about)

     1  package msk
     2  
     3  import (
     4  	"testing"
     5  
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/msk"
    11  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    12  
    13  	"github.com/stretchr/testify/assert"
    14  )
    15  
    16  func TestCheckEnableInTransitEncryption(t *testing.T) {
    17  	tests := []struct {
    18  		name     string
    19  		input    msk.MSK
    20  		expected bool
    21  	}{
    22  		{
    23  			name: "Cluster client broker with plaintext encryption",
    24  			input: msk.MSK{
    25  				Clusters: []msk.Cluster{
    26  					{
    27  						Metadata: defsecTypes.NewTestMetadata(),
    28  						EncryptionInTransit: msk.EncryptionInTransit{
    29  							Metadata:     defsecTypes.NewTestMetadata(),
    30  							ClientBroker: defsecTypes.String(msk.ClientBrokerEncryptionPlaintext, defsecTypes.NewTestMetadata()),
    31  						},
    32  					},
    33  				},
    34  			},
    35  			expected: true,
    36  		},
    37  		{
    38  			name: "Cluster client broker with plaintext or TLS encryption",
    39  			input: msk.MSK{
    40  				Clusters: []msk.Cluster{
    41  					{
    42  						Metadata: defsecTypes.NewTestMetadata(),
    43  						EncryptionInTransit: msk.EncryptionInTransit{
    44  							Metadata:     defsecTypes.NewTestMetadata(),
    45  							ClientBroker: defsecTypes.String(msk.ClientBrokerEncryptionTLSOrPlaintext, defsecTypes.NewTestMetadata()),
    46  						},
    47  					},
    48  				},
    49  			},
    50  			expected: true,
    51  		},
    52  		{
    53  			name: "Cluster client broker with TLS encryption",
    54  			input: msk.MSK{
    55  				Clusters: []msk.Cluster{
    56  					{
    57  						Metadata: defsecTypes.NewTestMetadata(),
    58  						EncryptionInTransit: msk.EncryptionInTransit{
    59  							Metadata:     defsecTypes.NewTestMetadata(),
    60  							ClientBroker: defsecTypes.String(msk.ClientBrokerEncryptionTLS, defsecTypes.NewTestMetadata()),
    61  						},
    62  					},
    63  				},
    64  			},
    65  			expected: false,
    66  		},
    67  	}
    68  	for _, test := range tests {
    69  		t.Run(test.name, func(t *testing.T) {
    70  			var testState state.State
    71  			testState.AWS.MSK = test.input
    72  			results := CheckEnableInTransitEncryption.Evaluate(&testState)
    73  			var found bool
    74  			for _, result := range results {
    75  				if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckEnableInTransitEncryption.Rule().LongID() {
    76  					found = true
    77  				}
    78  			}
    79  			if test.expected {
    80  				assert.True(t, found, "Rule should have been found")
    81  			} else {
    82  				assert.False(t, found, "Rule should not have been found")
    83  			}
    84  		})
    85  	}
    86  }