github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/azure/storage/no_public_access_test.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/azure/storage/no_public_access_test.go (about)

     1  package storage
     2  
     3  import (
     4  	"testing"
     5  
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/providers/azure/storage"
    11  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    12  
    13  	"github.com/stretchr/testify/assert"
    14  )
    15  
    16  func TestCheckNoPublicAccess(t *testing.T) {
    17  	tests := []struct {
    18  		name     string
    19  		input    storage.Storage
    20  		expected bool
    21  	}{
    22  		{
    23  			name: "Storage account container public access set to blob",
    24  			input: storage.Storage{
    25  				Accounts: []storage.Account{
    26  					{
    27  						Metadata: defsecTypes.NewTestMetadata(),
    28  						Containers: []storage.Container{
    29  							{
    30  								Metadata:     defsecTypes.NewTestMetadata(),
    31  								PublicAccess: defsecTypes.String(storage.PublicAccessBlob, defsecTypes.NewTestMetadata()),
    32  							},
    33  						},
    34  					},
    35  				},
    36  			},
    37  			expected: true,
    38  		},
    39  		{
    40  			name: "Storage account container public access set to container",
    41  			input: storage.Storage{
    42  				Accounts: []storage.Account{
    43  					{
    44  						Metadata: defsecTypes.NewTestMetadata(),
    45  						Containers: []storage.Container{
    46  							{
    47  								Metadata:     defsecTypes.NewTestMetadata(),
    48  								PublicAccess: defsecTypes.String(storage.PublicAccessContainer, defsecTypes.NewTestMetadata()),
    49  							},
    50  						},
    51  					},
    52  				},
    53  			},
    54  			expected: true,
    55  		},
    56  		{
    57  			name: "Storage account container public access set to off",
    58  			input: storage.Storage{
    59  				Accounts: []storage.Account{
    60  					{
    61  						Metadata: defsecTypes.NewTestMetadata(),
    62  						Containers: []storage.Container{
    63  							{
    64  								Metadata:     defsecTypes.NewTestMetadata(),
    65  								PublicAccess: defsecTypes.String(storage.PublicAccessOff, defsecTypes.NewTestMetadata()),
    66  							},
    67  						},
    68  					},
    69  				},
    70  			},
    71  			expected: false,
    72  		},
    73  	}
    74  	for _, test := range tests {
    75  		t.Run(test.name, func(t *testing.T) {
    76  			var testState state.State
    77  			testState.Azure.Storage = test.input
    78  			results := CheckNoPublicAccess.Evaluate(&testState)
    79  			var found bool
    80  			for _, result := range results {
    81  				if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckNoPublicAccess.Rule().LongID() {
    82  					found = true
    83  				}
    84  			}
    85  			if test.expected {
    86  				assert.True(t, found, "Rule should have been found")
    87  			} else {
    88  				assert.False(t, found, "Rule should not have been found")
    89  			}
    90  		})
    91  	}
    92  }