github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/google/iam/no_privileged_service_accounts_test.go (about)

     1  package iam
     2  
     3  import (
     4  	"testing"
     5  
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/providers/google/iam"
    11  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    12  
    13  	"github.com/stretchr/testify/assert"
    14  )
    15  
// TestCheckNoPrivilegedServiceAccounts drives CheckNoPrivilegedServiceAccounts
// through a table of Google IAM fixtures. Each fixture is placed in
// state.State.Google.IAM, the rule is evaluated, and the test asserts whether
// a failed result carrying this rule's long ID is present.
//
// The two failing fixtures grant roles/owner to a service account as an
// organization member and roles/editor to a service account through a
// project binding. The passing fixture grants roles/owner only to a
// non-service-account member and limits the service account to
// roles/logging.logWriter.
func TestCheckNoPrivilegedServiceAccounts(t *testing.T) {
	// Small helpers keep the fixtures readable; each call still produces a
	// fresh test metadata value, exactly as the expanded form would.
	md := defsecTypes.NewTestMetadata
	str := func(v string) defsecTypes.StringValue {
		return defsecTypes.String(v, md())
	}
	const sa = "serviceAccount:${google_service_account.test.email}"

	cases := []struct {
		name        string
		input       iam.IAM
		wantFailure bool // true when the rule is expected to report a failed result
	}{
		{
			name: "Service account granted owner role",
			input: iam.IAM{
				Organizations: []iam.Organization{{
					Metadata: md(),
					Members: []iam.Member{{
						Metadata: md(),
						Role:     str("roles/owner"),
						Member:   str(sa),
					}},
				}},
			},
			wantFailure: true,
		},
		{
			name: "Service account granted editor role",
			input: iam.IAM{
				Organizations: []iam.Organization{{
					Metadata: md(),
					Folders: []iam.Folder{{
						Metadata: md(),
						Projects: []iam.Project{{
							Metadata: md(),
							Bindings: []iam.Binding{{
								Metadata: md(),
								Role:     str("roles/editor"),
								Members:  []defsecTypes.StringValue{str(sa)},
							}},
						}},
					}},
				}},
			},
			wantFailure: true,
		},
		{
			name: "No service account with excessive privileges",
			input: iam.IAM{
				Organizations: []iam.Organization{{
					Metadata: md(),
					Folders: []iam.Folder{{
						Metadata: md(),
						Projects: []iam.Project{{
							Metadata: md(),
							// roles/owner goes to a plain user, not a service account.
							Members: []iam.Member{{
								Metadata: md(),
								Role:     str("roles/owner"),
								Member:   str("proper@email.com"),
							}},
							// The service account only receives a narrow logging role.
							Bindings: []iam.Binding{{
								Metadata: md(),
								Role:     str("roles/logging.logWriter"),
								Members:  []defsecTypes.StringValue{str(sa)},
							}},
						}},
					}},
				}},
			},
			wantFailure: false,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			var st state.State
			st.Google.IAM = tc.input

			wantID := CheckNoPrivilegedServiceAccounts.Rule().LongID()
			found := false
			for _, r := range CheckNoPrivilegedServiceAccounts.Evaluate(&st) {
				if r.Status() != scan.StatusFailed || r.Rule().LongID() != wantID {
					continue
				}
				found = true
				break
			}

			if !tc.wantFailure {
				assert.False(t, found, "Rule should not have been found")
				return
			}
			assert.True(t, found, "Rule should have been found")
		})
	}
}