github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/sqs/no_wildcards_in_policy_documents_test.go (about)

     1  package sqs
     2  
     3  import (
     4  	"testing"
     5  
     6  	"github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
    11  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/sqs"
    12  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    13  
    14  	"github.com/liamg/iamgo"
    15  
    16  	"github.com/stretchr/testify/assert"
    17  )
    18  
func TestCheckNoWildcardsInPolicyDocuments(t *testing.T) {
	// buildPolicies returns one queue policy whose single "Allow" statement grants
	// the given actions on the test queue ARN. An AWS principal list is attached
	// only when one is supplied, so the two fixtures below differ exactly in
	// their actions and in whether a principal is set.
	buildPolicies := func(actions []string, awsPrincipals []string) []iam.Policy {
		sb := iamgo.NewStatementBuilder()
		sb.WithSid("new policy")
		sb.WithEffect("Allow")
		sb.WithActions(actions)
		sb.WithResources([]string{"arn:aws:sqs:::my-queue"})
		if awsPrincipals != nil {
			sb.WithAWSPrincipals(awsPrincipals)
		}

		pb := iamgo.NewPolicyBuilder()
		pb.WithVersion("2012-10-17")
		pb.WithStatement(sb.Build())

		return []iam.Policy{{
			Document: iam.Document{
				Metadata: types.NewTestMetadata(),
				Parsed:   pb.Build(),
			},
		}}
	}

	// queueWith wraps a single queue carrying the built policy into an SQS state.
	queueWith := func(actions []string, awsPrincipals []string) sqs.SQS {
		return sqs.SQS{
			Queues: []sqs.Queue{{
				Metadata: types.NewTestMetadata(),
				Policies: buildPolicies(actions, awsPrincipals),
			}},
		}
	}

	cases := []struct {
		name     string
		input    sqs.SQS
		expected bool
	}{
		{
			name:     "AWS SQS policy document with wildcard action statement",
			input:    queueWith([]string{"sqs:*"}, nil),
			expected: true,
		},
		{
			// NOTE(review): the wildcard in this fixture is on the principal, not
			// the action; the case records that this check does not report it —
			// confirm the principal case is covered by a separate rule.
			name:     "AWS SQS policy document with action statement list",
			input:    queueWith([]string{"sqs:SendMessage", "sqs:ReceiveMessage"}, []string{"*"}),
			expected: false,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			var st state.State
			st.AWS.SQS = tc.input

			// A failed result attributed to this rule's long ID counts as a finding.
			wantID := CheckNoWildcardsInPolicyDocuments.Rule().LongID()
			found := false
			for _, r := range CheckNoWildcardsInPolicyDocuments.Evaluate(&st) {
				if r.Status() == scan.StatusFailed && r.Rule().LongID() == wantID {
					found = true
				}
			}

			if tc.expected {
				assert.True(t, found, "Rule should have been found")
				return
			}
			assert.False(t, found, "Rule should not have been found")
		})
	}
}