package network

import (
	"testing"

	"github.com/stretchr/testify/assert"

	"github.com/khulnasoft-lab/defsec/pkg/providers/azure/network"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/state"
	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
)

// rdpInboundAllowRule builds an inbound "allow" security group rule whose
// destination ports span 3310-3390 (which contains 3389, the RDP port the
// check is concerned with), permitting traffic from the given source
// address over the given protocol.
func rdpInboundAllowRule(source, protocol string) network.SecurityGroupRule {
	return network.SecurityGroupRule{
		Metadata: defsecTypes.NewTestMetadata(),
		Outbound: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
		Allow:    defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
		SourceAddresses: []defsecTypes.StringValue{
			defsecTypes.String(source, defsecTypes.NewTestMetadata()),
		},
		DestinationPorts: []network.PortRange{
			{
				Metadata: defsecTypes.NewTestMetadata(),
				Start:    3310,
				End:      3390,
			},
		},
		Protocol: defsecTypes.String(protocol, defsecTypes.NewTestMetadata()),
	}
}

// rdpNetworkWith wraps a single rule in a single security group so the
// check has a minimal Azure network to evaluate.
func rdpNetworkWith(rule network.SecurityGroupRule) network.Network {
	return network.Network{
		SecurityGroups: []network.SecurityGroup{
			{
				Metadata: defsecTypes.NewTestMetadata(),
				Rules:    []network.SecurityGroupRule{rule},
			},
		},
	}
}

// TestCheckDisableRdpFromInternet evaluates CheckDisableRdpFromInternet
// against a few one-rule networks and asserts whether a failed result for
// that rule's long ID is reported: an allow-from-"*" TCP rule on the RDP
// port range must fail, while the same rule restricted to one source
// address, or switched to ICMP, must not.
func TestCheckDisableRdpFromInternet(t *testing.T) {
	cases := []struct {
		name     string
		input    network.Network
		expected bool
	}{
		{
			name:     "Security group inbound rule allowing RDP access from the Internet",
			input:    rdpNetworkWith(rdpInboundAllowRule("*", "Tcp")),
			expected: true,
		},
		{
			name:     "Security group inbound rule allowing RDP access from a specific address",
			input:    rdpNetworkWith(rdpInboundAllowRule("4.53.160.75", "Tcp")),
			expected: false,
		},
		{
			name:     "Security group inbound rule allowing only ICMP",
			input:    rdpNetworkWith(rdpInboundAllowRule("*", "Icmp")),
			expected: false,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			var st state.State
			st.Azure.Network = tc.input

			// found is set when any result is a failure attributed to this
			// check; results for other rules or other statuses are ignored.
			found := false
			for _, res := range CheckDisableRdpFromInternet.Evaluate(&st) {
				if res.Status() != scan.StatusFailed {
					continue
				}
				if res.Rule().LongID() != CheckDisableRdpFromInternet.Rule().LongID() {
					continue
				}
				found = true
			}

			if tc.expected {
				assert.True(t, found, "Rule should have been found")
			} else {
				assert.False(t, found, "Rule should not have been found")
			}
		})
	}
}