package gke

import (
	"testing"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/state"

	"github.com/khulnasoft-lab/defsec/pkg/providers/google/gke"
	"github.com/khulnasoft-lab/defsec/pkg/scan"

	"github.com/stretchr/testify/assert"
)

// TestCheckNodeMetadataSecurity runs CheckNodeMetadataSecurity against three
// GKE fixtures: a cluster whose workload metadata config is left at
// UNSPECIFIED, a cluster whose default node config is SECURE but whose node
// pool overrides it with EXPOSE, and a cluster whose node config is SECURE.
// A failed result carrying the rule's long ID is expected for the first two
// fixtures and must be absent for the last.
func TestCheckNodeMetadataSecurity(t *testing.T) {
	// nodeConfig builds a NodeConfig whose workload metadata mode is set to
	// the given string; every fixture field carries placeholder test metadata.
	nodeConfig := func(mode string) gke.NodeConfig {
		return gke.NodeConfig{
			Metadata: defsecTypes.NewTestMetadata(),
			WorkloadMetadataConfig: gke.WorkloadMetadataConfig{
				Metadata:     defsecTypes.NewTestMetadata(),
				NodeMetadata: defsecTypes.String(mode, defsecTypes.NewTestMetadata()),
			},
		}
	}

	cases := []struct {
		name      string
		input     gke.GKE
		wantFound bool
	}{
		{
			// UNSPECIFIED stands in for a cluster that never chose a node
			// metadata mode; the rule is expected to flag it.
			name: "Cluster node pools metadata exposed by default",
			input: gke.GKE{
				Clusters: []gke.Cluster{
					{
						Metadata:   defsecTypes.NewTestMetadata(),
						NodeConfig: nodeConfig("UNSPECIFIED"),
					},
				},
			},
			wantFound: true,
		},
		{
			// The cluster default is SECURE, but the node pool's own config
			// sets EXPOSE; the rule is expected to flag the pool.
			name: "Node pool metadata exposed",
			input: gke.GKE{
				Clusters: []gke.Cluster{
					{
						Metadata:   defsecTypes.NewTestMetadata(),
						NodeConfig: nodeConfig("SECURE"),
						NodePools: []gke.NodePool{
							{
								Metadata:   defsecTypes.NewTestMetadata(),
								NodeConfig: nodeConfig("EXPOSE"),
							},
						},
					},
				},
			},
			wantFound: true,
		},
		{
			// SECURE with no node pools: the rule must not produce a failure.
			name: "Cluster node pools metadata secured",
			input: gke.GKE{
				Clusters: []gke.Cluster{
					{
						Metadata:   defsecTypes.NewTestMetadata(),
						NodeConfig: nodeConfig("SECURE"),
					},
				},
			},
			wantFound: false,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			var s state.State
			s.Google.GKE = tc.input

			// Only a failed result attributed to this rule counts as a hit;
			// results from other rules or with other statuses are ignored.
			wantID := CheckNodeMetadataSecurity.Rule().LongID()
			flagged := false
			for _, res := range CheckNodeMetadataSecurity.Evaluate(&s) {
				if res.Status() != scan.StatusFailed || res.Rule().LongID() != wantID {
					continue
				}
				flagged = true
				break
			}

			if tc.wantFound {
				assert.True(t, flagged, "Rule should have been found")
				return
			}
			assert.False(t, flagged, "Rule should not have been found")
		})
	}
}