github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/azure/network/no_public_egress_test.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/azure/network/no_public_egress_test.go (about)

     1  package network
     2  
     3  import (
     4  	"testing"
     5  
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/providers/azure/network"
    11  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    12  
    13  	"github.com/stretchr/testify/assert"
    14  )
    15  
    16  func TestCheckNoPublicEgress(t *testing.T) {
    17  	tests := []struct {
    18  		name     string
    19  		input    network.Network
    20  		expected bool
    21  	}{
    22  		{
    23  			name: "Security group outbound rule with wildcard destination address",
    24  			input: network.Network{
    25  				SecurityGroups: []network.SecurityGroup{
    26  					{
    27  						Metadata: defsecTypes.NewTestMetadata(),
    28  						Rules: []network.SecurityGroupRule{
    29  							{
    30  								Metadata: defsecTypes.NewTestMetadata(),
    31  								Allow:    defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
    32  								Outbound: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
    33  								DestinationAddresses: []defsecTypes.StringValue{
    34  									defsecTypes.String("*", defsecTypes.NewTestMetadata()),
    35  								},
    36  							},
    37  						},
    38  					},
    39  				},
    40  			},
    41  			expected: true,
    42  		},
    43  		{
    44  			name: "Security group outbound rule with private destination address",
    45  			input: network.Network{
    46  				SecurityGroups: []network.SecurityGroup{
    47  					{
    48  						Metadata: defsecTypes.NewTestMetadata(),
    49  						Rules: []network.SecurityGroupRule{
    50  							{
    51  								Metadata: defsecTypes.NewTestMetadata(),
    52  								Allow:    defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
    53  								Outbound: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
    54  								DestinationAddresses: []defsecTypes.StringValue{
    55  									defsecTypes.String("10.0.0.0/16", defsecTypes.NewTestMetadata()),
    56  								},
    57  							},
    58  						},
    59  					},
    60  				},
    61  			},
    62  			expected: false,
    63  		},
    64  	}
    65  	for _, test := range tests {
    66  		t.Run(test.name, func(t *testing.T) {
    67  			var testState state.State
    68  			testState.Azure.Network = test.input
    69  			results := CheckNoPublicEgress.Evaluate(&testState)
    70  			var found bool
    71  			for _, result := range results {
    72  				if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckNoPublicEgress.Rule().LongID() {
    73  					found = true
    74  				}
    75  			}
    76  			if test.expected {
    77  				assert.True(t, found, "Rule should have been found")
    78  			} else {
    79  				assert.False(t, found, "Rule should not have been found")
    80  			}
    81  		})
    82  	}
    83  }