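package network

import (
	"testing"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/state"

	"github.com/khulnasoft-lab/defsec/pkg/providers/azure/network"
	"github.com/khulnasoft-lab/defsec/pkg/scan"

	"github.com/stretchr/testify/assert"
)

// sshInboundNetwork builds a Network holding one security group with a single
// inbound "Allow" rule for destination port 22 from the given source address
// using the given protocol. Every case in the table below differs only in the
// source and protocol, so the shared structure lives here.
func sshInboundNetwork(source, protocol string) network.Network {
	rule := network.SecurityGroupRule{
		Metadata: defsecTypes.NewTestMetadata(),
		Allow:    defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
		Outbound: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
		DestinationPorts: []network.PortRange{
			{
				Metadata: defsecTypes.NewTestMetadata(),
				Start:    22,
				End:      22,
			},
		},
		SourceAddresses: []defsecTypes.StringValue{
			defsecTypes.String(source, defsecTypes.NewTestMetadata()),
		},
		Protocol: defsecTypes.String(protocol, defsecTypes.NewTestMetadata()),
	}
	return network.Network{
		SecurityGroups: []network.SecurityGroup{
			{
				Metadata: defsecTypes.NewTestMetadata(),
				Rules:    []network.SecurityGroupRule{rule},
			},
		},
	}
}

// TestCheckSshBlockedFromInternet runs CheckSshBlockedFromInternet against a
// table of single-rule networks and asserts whether a failed result carrying
// the check's long ID is produced.
//
// NOTE(review): only the "*" wildcard source and an exact 22-22 port range are
// exercised; other internet-wide source spellings and port ranges that merely
// contain 22 are not covered here — confirm the check's handling of those
// before adding cases.
func TestCheckSshBlockedFromInternet(t *testing.T) {
	tests := []struct {
		name     string
		input    network.Network
		expected bool // true when the check is expected to report a failure
	}{
		{
			name:     "Security group rule allowing SSH access from the public internet",
			input:    sshInboundNetwork("*", "Tcp"),
			expected: true,
		},
		{
			// Same wildcard source, but the protocol is not TCP, so port 22
			// does not mean SSH here.
			name:     "Security group rule allowing SSH only ICMP",
			input:    sshInboundNetwork("*", "Icmp"),
			expected: false,
		},
		{
			name:     "Security group rule allowing SSH access from a specific address",
			input:    sshInboundNetwork("82.102.23.23", "Tcp"),
			expected: false,
		},
	}
	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			var testState state.State
			testState.Azure.Network = test.input
			results := CheckSshBlockedFromInternet.Evaluate(&testState)

			// A hit is a failed result attributed to this check's rule; other
			// rules' results and passing results are ignored.
			wantID := CheckSshBlockedFromInternet.Rule().LongID()
			var found bool
			for _, result := range results {
				if result.Status() == scan.StatusFailed && result.Rule().LongID() == wantID {
					found = true
					break
				}
			}

			if test.expected {
				assert.True(t, found, "Rule should have been found")
			} else {
				assert.False(t, found, "Rule should not have been found")
			}
		})
	}
}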