package compute

import (
	"testing"

	"github.com/khulnasoft-lab/defsec/pkg/providers/google/compute"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/state"
	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/stretchr/testify/assert"
)

// TestCheckNoPublicEgress drives CheckNoPublicEgress with a single VPC network
// carrying one enforced, allowing egress rule, and asserts whether the rule
// reports a failed result for the rule's destination ranges.
//
// NOTE(review): both cases set IsAllow and Enforced to true, so the gating on
// deny rules or unenforced rules holding 0.0.0.0/0 is not exercised here.
func TestCheckNoPublicEgress(t *testing.T) {
	// egressNetwork builds a Compute state with one network whose firewall has a
	// single enforced allow rule towards the given destination CIDRs.
	egressNetwork := func(destinations ...string) compute.Compute {
		ranges := make([]defsecTypes.StringValue, 0, len(destinations))
		for _, cidr := range destinations {
			ranges = append(ranges, defsecTypes.String(cidr, defsecTypes.NewTestMetadata()))
		}
		return compute.Compute{
			Networks: []compute.Network{{
				Metadata: defsecTypes.NewTestMetadata(),
				Firewall: &compute.Firewall{
					Metadata: defsecTypes.NewTestMetadata(),
					EgressRules: []compute.EgressRule{{
						Metadata: defsecTypes.NewTestMetadata(),
						FirewallRule: compute.FirewallRule{
							Metadata: defsecTypes.NewTestMetadata(),
							IsAllow:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
							Enforced: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						},
						DestinationRanges: ranges,
					}},
				},
			}},
		}
	}

	cases := []struct {
		name       string
		input      compute.Compute
		wantFailed bool // true when a StatusFailed result for this rule is expected
	}{
		{
			// 0.0.0.0/0 among the destinations must be flagged even when a
			// narrower range sits next to it.
			name:       "Firewall egress rule with multiple public destination addresses",
			input:      egressNetwork("0.0.0.0/0", "1.2.3.4/32"),
			wantFailed: true,
		},
		{
			// A single public host (/32) is expected to pass; presumably the
			// rule targets broad ranges rather than any public address —
			// confirm against the rule implementation.
			name:       "Firewall egress rule with public destination address",
			input:      egressNetwork("1.2.3.4/32"),
			wantFailed: false,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			var st state.State
			st.Google.Compute = tc.input

			// Only a failed result carrying this rule's own ID counts; results
			// from other rules or with other statuses are ignored.
			wantID := CheckNoPublicEgress.Rule().LongID()
			failed := false
			for _, r := range CheckNoPublicEgress.Evaluate(&st) {
				if r.Status() == scan.StatusFailed && r.Rule().LongID() == wantID {
					failed = true
					break
				}
			}

			if tc.wantFailed {
				assert.True(t, failed, "Rule should have been found")
			} else {
				assert.False(t, failed, "Rule should not have been found")
			}
		})
	}
}