github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/azure/authorization/limit_role_actions_test.go (about)

     1  package authorization
     2  
     3  import (
     4  	"testing"
     5  
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/providers/azure/authorization"
    11  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    12  
    13  	"github.com/stretchr/testify/assert"
    14  )
    15  
    16  func TestCheckLimitRoleActions(t *testing.T) {
    17  	tests := []struct {
    18  		name     string
    19  		input    authorization.Authorization
    20  		expected bool
    21  	}{
    22  		{
    23  			name: "Wildcard action with all scopes",
    24  			input: authorization.Authorization{
    25  				RoleDefinitions: []authorization.RoleDefinition{
    26  					{
    27  						Metadata: defsecTypes.NewTestMetadata(),
    28  						Permissions: []authorization.Permission{
    29  							{
    30  								Metadata: defsecTypes.NewTestMetadata(),
    31  								Actions: []defsecTypes.StringValue{
    32  									defsecTypes.String("*", defsecTypes.NewTestMetadata()),
    33  								},
    34  							},
    35  						},
    36  						AssignableScopes: []defsecTypes.StringValue{
    37  							defsecTypes.String("/", defsecTypes.NewTestMetadata()),
    38  						},
    39  					},
    40  				},
    41  			},
    42  			expected: true,
    43  		},
    44  		{
    45  			name: "Wildcard action with specific scope",
    46  			input: authorization.Authorization{
    47  				RoleDefinitions: []authorization.RoleDefinition{
    48  					{
    49  						Metadata: defsecTypes.NewTestMetadata(),
    50  						Permissions: []authorization.Permission{
    51  							{
    52  								Metadata: defsecTypes.NewTestMetadata(),
    53  								Actions: []defsecTypes.StringValue{
    54  									defsecTypes.String("*", defsecTypes.NewTestMetadata()),
    55  								},
    56  							},
    57  						},
    58  						AssignableScopes: []defsecTypes.StringValue{
    59  							defsecTypes.String("proper-scope", defsecTypes.NewTestMetadata()),
    60  						},
    61  					},
    62  				},
    63  			},
    64  			expected: false,
    65  		},
    66  	}
    67  	for _, test := range tests {
    68  		t.Run(test.name, func(t *testing.T) {
    69  			var testState state.State
    70  			testState.Azure.Authorization = test.input
    71  			results := CheckLimitRoleActions.Evaluate(&testState)
    72  			var found bool
    73  			for _, result := range results {
    74  				if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckLimitRoleActions.Rule().LongID() {
    75  					found = true
    76  				}
    77  			}
    78  			if test.expected {
    79  				assert.True(t, found, "Rule should have been found")
    80  			} else {
    81  				assert.False(t, found, "Rule should not have been found")
    82  			}
    83  		})
    84  	}
    85  }