github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/ssm/secret_use_customer_key_test.go (about) 1 package ssm 2 3 import ( 4 "testing" 5 6 defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types" 7 8 "github.com/khulnasoft-lab/defsec/pkg/state" 9 10 "github.com/khulnasoft-lab/defsec/pkg/providers/aws/ssm" 11 "github.com/khulnasoft-lab/defsec/pkg/scan" 12 13 "github.com/stretchr/testify/assert" 14 ) 15 16 func TestCheckSecretUseCustomerKey(t *testing.T) { 17 tests := []struct { 18 name string 19 input ssm.SSM 20 expected bool 21 }{ 22 { 23 name: "AWS SSM missing KMS key", 24 input: ssm.SSM{ 25 Secrets: []ssm.Secret{ 26 { 27 Metadata: defsecTypes.NewTestMetadata(), 28 KMSKeyID: defsecTypes.String("", defsecTypes.NewTestMetadata()), 29 }, 30 }, 31 }, 32 expected: true, 33 }, 34 { 35 name: "AWS SSM with default KMS key", 36 input: ssm.SSM{ 37 Secrets: []ssm.Secret{ 38 { 39 Metadata: defsecTypes.NewTestMetadata(), 40 KMSKeyID: defsecTypes.String(ssm.DefaultKMSKeyID, defsecTypes.NewTestMetadata()), 41 }, 42 }, 43 }, 44 expected: true, 45 }, 46 { 47 name: "AWS SSM with proper KMS key", 48 input: ssm.SSM{ 49 Secrets: []ssm.Secret{ 50 { 51 Metadata: defsecTypes.NewTestMetadata(), 52 KMSKeyID: defsecTypes.String("some-ok-key", defsecTypes.NewTestMetadata()), 53 }, 54 }, 55 }, 56 expected: false, 57 }, 58 } 59 for _, test := range tests { 60 t.Run(test.name, func(t *testing.T) { 61 var testState state.State 62 testState.AWS.SSM = test.input 63 results := CheckSecretUseCustomerKey.Evaluate(&testState) 64 var found bool 65 for _, result := range results { 66 if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckSecretUseCustomerKey.Rule().LongID() { 67 found = true 68 } 69 } 70 if test.expected { 71 assert.True(t, found, "Rule should have been found") 72 } else { 73 assert.False(t, found, "Rule should not have been found") 74 } 75 }) 76 } 77 }