package iam

import (
	"testing"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/state"

	"github.com/khulnasoft-lab/defsec/pkg/providers/google/iam"
	"github.com/khulnasoft-lab/defsec/pkg/scan"

	"github.com/stretchr/testify/assert"
)

// TestCheckNoUserGrantedPermissions runs CheckNoUserGrantedPermissions over a
// table of Google IAM states and checks whether the rule reports a failure.
//
// Each case places one principal (a "user:" or a "group:" member) at one of
// the levels the IAM model exposes here — organization, folder or project —
// either as a direct Member or inside a Binding. The positive cases use a
// "user:" principal; the single negative case uses only "group:" principals.
//
// NOTE(review): no case covers an organization-level Binding on its own, a
// project-level Binding without a sibling Member, or a "serviceAccount:"
// principal; adding those would pin the rule's behaviour on each path.
func TestCheckNoUserGrantedPermissions(t *testing.T) {
	cases := []struct {
		name     string
		input    iam.IAM
		expected bool
	}{
		{
			// User principal at project level, both as a Member and in a Binding.
			name: "Permissions granted to users",
			input: iam.IAM{
				Organizations: []iam.Organization{
					{
						Metadata: defsecTypes.NewTestMetadata(),
						Projects: []iam.Project{
							{
								Metadata: defsecTypes.NewTestMetadata(),
								Members: []iam.Member{
									{
										Metadata: defsecTypes.NewTestMetadata(),
										Member:   defsecTypes.String("user:test@example.com", defsecTypes.NewTestMetadata()),
										Role:     defsecTypes.String("some-role", defsecTypes.NewTestMetadata()),
									},
								},
								Bindings: []iam.Binding{
									{
										Metadata: defsecTypes.NewTestMetadata(),
										Members: []defsecTypes.StringValue{
											defsecTypes.String("user:test@example.com", defsecTypes.NewTestMetadata()),
										},
										Role: defsecTypes.String("some-role", defsecTypes.NewTestMetadata()),
									},
								},
							},
						},
					},
				},
			},
			expected: true,
		},
		{
			// User principal as a direct organization Member.
			name: "Permissions granted to users #2",
			input: iam.IAM{
				Organizations: []iam.Organization{
					{
						Metadata: defsecTypes.NewTestMetadata(),
						Members: []iam.Member{
							{
								Metadata: defsecTypes.NewTestMetadata(),
								Member:   defsecTypes.String("user:test@example.com", defsecTypes.NewTestMetadata()),
								Role:     defsecTypes.String("some-role", defsecTypes.NewTestMetadata()),
							},
						},
					},
				},
			},
			expected: true,
		},
		{
			// User principal as a direct folder Member.
			name: "Permissions granted to users #3",
			input: iam.IAM{
				Organizations: []iam.Organization{
					{
						Metadata: defsecTypes.NewTestMetadata(),
						Folders: []iam.Folder{
							{
								Metadata: defsecTypes.NewTestMetadata(),
								Members: []iam.Member{
									{
										Metadata: defsecTypes.NewTestMetadata(),
										Member:   defsecTypes.String("user:test@example.com", defsecTypes.NewTestMetadata()),
										Role:     defsecTypes.String("some-role", defsecTypes.NewTestMetadata()),
									},
								},
							},
						},
					},
				},
			},
			expected: true,
		},
		{
			// User principal inside a folder-level Binding.
			name: "Permissions granted to users #4",
			input: iam.IAM{
				Organizations: []iam.Organization{
					{
						Metadata: defsecTypes.NewTestMetadata(),
						Folders: []iam.Folder{
							{
								Metadata: defsecTypes.NewTestMetadata(),
								Bindings: []iam.Binding{
									{
										Metadata: defsecTypes.NewTestMetadata(),
										Members: []defsecTypes.StringValue{
											defsecTypes.String("user:test@example.com", defsecTypes.NewTestMetadata()),
										},
										Role: defsecTypes.String("some-role", defsecTypes.NewTestMetadata()),
									},
								},
							},
						},
					},
				},
			},
			expected: true,
		},
		{
			// Only group principals, at organization and folder level; the
			// rule must not fire.
			name: "Permissions granted on groups",
			input: iam.IAM{
				Organizations: []iam.Organization{
					{
						Metadata: defsecTypes.NewTestMetadata(),
						Members: []iam.Member{
							{
								Metadata: defsecTypes.NewTestMetadata(),
								Member:   defsecTypes.String("group:test@example.com", defsecTypes.NewTestMetadata()),
								Role:     defsecTypes.String("some-role", defsecTypes.NewTestMetadata()),
							},
						},
						Bindings: []iam.Binding{
							{
								Metadata: defsecTypes.NewTestMetadata(),
								Members: []defsecTypes.StringValue{
									defsecTypes.String("group:test@example.com", defsecTypes.NewTestMetadata()),
								},
								Role: defsecTypes.String("some-role", defsecTypes.NewTestMetadata()),
							},
						},
						Folders: []iam.Folder{
							{
								Metadata: defsecTypes.NewTestMetadata(),
								Bindings: []iam.Binding{
									{
										Metadata: defsecTypes.NewTestMetadata(),
										Members: []defsecTypes.StringValue{
											defsecTypes.String("group:test@example.com", defsecTypes.NewTestMetadata()),
										},
										Role: defsecTypes.String("some-role", defsecTypes.NewTestMetadata()),
									},
								},
							},
						},
					},
				},
			},
			expected: false,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			var s state.State
			s.Google.IAM = tc.input

			results := CheckNoUserGrantedPermissions.Evaluate(&s)
			wantID := CheckNoUserGrantedPermissions.Rule().LongID()

			// Only a failed result attributed to this very rule counts as a
			// hit; passing results and other rules' findings are ignored.
			found := false
			for _, r := range results {
				if r.Status() != scan.StatusFailed {
					continue
				}
				if r.Rule().LongID() == wantID {
					found = true
					break
				}
			}

			switch {
			case tc.expected:
				assert.True(t, found, "Rule should have been found")
			default:
				assert.False(t, found, "Rule should not have been found")
			}
		})
	}
}