package s3

import (
	"testing"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/state"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudtrail"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/s3"
	"github.com/khulnasoft-lab/defsec/pkg/scan"

	"github.com/stretchr/testify/assert"
)

// TestCheckEnableObjectReadLogging drives CheckEnableObjectReadLogging over a
// single bucket named "test-bucket" combined with different CloudTrail data
// event configurations, and checks whether the rule reports a failure.
//
// The table encodes the coverage the rule is expected to require: a trail
// whose S3 object event selector is ReadOnly or All, scoped either to all of
// S3 ("arn:aws:s3") or to this bucket with a trailing slash
// ("arn:aws:s3:::test-bucket/"), satisfies it. No trail, a WriteOnly
// selector, a selector for a different bucket, or a bucket ARN without the
// trailing slash are all expected to produce a failure.
func TestCheckEnableObjectReadLogging(t *testing.T) {
	const bucketName = "test-bucket"

	// newBucketState builds the S3 state every case evaluates against: one
	// bucket called "test-bucket" with test metadata.
	newBucketState := func() s3.S3 {
		return s3.S3{
			Buckets: []s3.Bucket{
				{
					Metadata: defsecTypes.NewTestMetadata(),
					Name:     defsecTypes.String(bucketName, defsecTypes.NewTestMetadata()),
				},
			},
		}
	}

	// newTrailState builds a CloudTrail state with a single trail whose only
	// event selector records AWS::S3::Object data events of the given
	// read/write type for the given resource ARN.
	newTrailState := func(readWriteType, resourceARN string) cloudtrail.CloudTrail {
		selector := cloudtrail.EventSelector{
			Metadata:      defsecTypes.NewTestMetadata(),
			ReadWriteType: defsecTypes.String(readWriteType, defsecTypes.NewTestMetadata()),
			DataResources: []cloudtrail.DataResource{
				{
					Metadata: defsecTypes.NewTestMetadata(),
					Type:     defsecTypes.String("AWS::S3::Object", defsecTypes.NewTestMetadata()),
					Values: []defsecTypes.StringValue{
						defsecTypes.String(resourceARN, defsecTypes.NewTestMetadata()),
					},
				},
			},
		}
		return cloudtrail.CloudTrail{
			Trails: []cloudtrail.Trail{
				{
					Metadata:       defsecTypes.NewTestMetadata(),
					EventSelectors: []cloudtrail.EventSelector{selector},
				},
			},
		}
	}

	cases := []struct {
		name        string
		buckets     s3.S3
		trails      cloudtrail.CloudTrail
		wantFailure bool
	}{
		{
			name:        "S3 bucket with no cloudtrail logging",
			buckets:     newBucketState(),
			wantFailure: true,
		},
		{
			name:        "S3 bucket with WriteOnly cloudtrail logging (all of s3)",
			buckets:     newBucketState(),
			trails:      newTrailState("WriteOnly", "arn:aws:s3"),
			wantFailure: true,
		},
		{
			name:        "S3 bucket with ReadOnly cloudtrail logging (all of s3)",
			buckets:     newBucketState(),
			trails:      newTrailState("ReadOnly", "arn:aws:s3"),
			wantFailure: false,
		},
		{
			name:        "S3 bucket with 'All' cloudtrail logging (all of s3)",
			buckets:     newBucketState(),
			trails:      newTrailState("All", "arn:aws:s3"),
			wantFailure: false,
		},
		{
			name:        "S3 bucket with 'All' cloudtrail logging (only this bucket)",
			buckets:     newBucketState(),
			trails:      newTrailState("All", "arn:aws:s3:::test-bucket/"),
			wantFailure: false,
		},
		{
			name:        "S3 bucket with 'All' cloudtrail logging (only another bucket)",
			buckets:     newBucketState(),
			trails:      newTrailState("All", "arn:aws:s3:::test-bucket2/"),
			wantFailure: true,
		},
		{
			// The ARN names the right bucket but lacks the trailing slash; the
			// table expects the rule not to treat that as covering the bucket.
			name:        "S3 bucket with 'All' cloudtrail logging (this bucket, missing slash)",
			buckets:     newBucketState(),
			trails:      newTrailState("All", "arn:aws:s3:::test-bucket"),
			wantFailure: true,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			var st state.State
			st.AWS.S3 = tc.buckets
			st.AWS.CloudTrail = tc.trails

			// The rule is considered to have fired when at least one failed
			// result carries this rule's long ID.
			ruleID := CheckEnableObjectReadLogging.Rule().LongID()
			fired := false
			for _, res := range CheckEnableObjectReadLogging.Evaluate(&st) {
				if res.Status() != scan.StatusFailed {
					continue
				}
				if res.Rule().LongID() == ruleID {
					fired = true
					break
				}
			}

			if tc.wantFailure {
				assert.True(t, fired, "Rule should have been found")
				return
			}
			assert.False(t, fired, "Rule should not have been found")
		})
	}
}