package authorization

import (
	"testing"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/state"

	"github.com/khulnasoft-lab/defsec/pkg/providers/azure/authorization"
	"github.com/khulnasoft-lab/defsec/pkg/scan"

	"github.com/stretchr/testify/assert"
)

// wildcardRoleAuthorization builds an Authorization containing a single role
// definition whose only permission grants the "*" action, assignable at the
// given scopes. Every value carries fresh test metadata.
func wildcardRoleAuthorization(scopes ...string) authorization.Authorization {
	assignable := make([]defsecTypes.StringValue, 0, len(scopes))
	for _, scope := range scopes {
		assignable = append(assignable, defsecTypes.String(scope, defsecTypes.NewTestMetadata()))
	}

	return authorization.Authorization{
		RoleDefinitions: []authorization.RoleDefinition{
			{
				Metadata: defsecTypes.NewTestMetadata(),
				Permissions: []authorization.Permission{
					{
						Metadata: defsecTypes.NewTestMetadata(),
						Actions: []defsecTypes.StringValue{
							defsecTypes.String("*", defsecTypes.NewTestMetadata()),
						},
					},
				},
				AssignableScopes: assignable,
			},
		},
	}
}

// TestCheckLimitRoleActions exercises CheckLimitRoleActions against an Azure
// authorization state: a role granting the "*" action assignable at the root
// scope "/" must produce a failed result for this rule, while the same role
// assignable only at "proper-scope" must not.
func TestCheckLimitRoleActions(t *testing.T) {
	cases := []struct {
		name     string
		input    authorization.Authorization
		expected bool
	}{
		{
			name:     "Wildcard action with all scopes",
			input:    wildcardRoleAuthorization("/"),
			expected: true,
		},
		{
			name:     "Wildcard action with specific scope",
			input:    wildcardRoleAuthorization("proper-scope"),
			expected: false,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			var st state.State
			st.Azure.Authorization = tc.input

			// A result counts only if it is a failure attributed to this rule.
			wantID := CheckLimitRoleActions.Rule().LongID()
			failed := false
			for _, r := range CheckLimitRoleActions.Evaluate(&st) {
				if r.Status() != scan.StatusFailed || r.Rule().LongID() != wantID {
					continue
				}
				failed = true
				break
			}

			if tc.expected {
				assert.True(t, failed, "Rule should have been found")
				return
			}
			assert.False(t, failed, "Rule should not have been found")
		})
	}
}