github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/openstack/compute/no_public_access_test.go (about) 1 package compute 2 3 import ( 4 "testing" 5 6 defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types" 7 8 "github.com/khulnasoft-lab/defsec/pkg/state" 9 10 "github.com/khulnasoft-lab/defsec/pkg/providers/openstack" 11 "github.com/khulnasoft-lab/defsec/pkg/scan" 12 13 "github.com/stretchr/testify/assert" 14 ) 15 16 func TestCheckNoPublicAccess(t *testing.T) { 17 tests := []struct { 18 name string 19 input openstack.Compute 20 expected bool 21 }{ 22 { 23 name: "Firewall rule missing destination address", 24 input: openstack.Compute{ 25 Firewall: openstack.Firewall{ 26 AllowRules: []openstack.FirewallRule{ 27 { 28 Metadata: defsecTypes.NewTestMetadata(), 29 Enabled: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()), 30 Destination: defsecTypes.String("", defsecTypes.NewTestMetadata()), 31 Source: defsecTypes.String("10.10.10.1", defsecTypes.NewTestMetadata()), 32 }, 33 }, 34 }, 35 }, 36 expected: true, 37 }, 38 { 39 name: "Firewall rule missing source address", 40 input: openstack.Compute{ 41 Firewall: openstack.Firewall{ 42 AllowRules: []openstack.FirewallRule{ 43 { 44 Metadata: defsecTypes.NewTestMetadata(), 45 Enabled: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()), 46 Destination: defsecTypes.String("10.10.10.2", defsecTypes.NewTestMetadata()), 47 Source: defsecTypes.String("", defsecTypes.NewTestMetadata()), 48 }, 49 }, 50 }, 51 }, 52 expected: true, 53 }, 54 { 55 name: "Firewall rule with public destination and source addresses", 56 input: openstack.Compute{ 57 Firewall: openstack.Firewall{ 58 AllowRules: []openstack.FirewallRule{ 59 { 60 Metadata: defsecTypes.NewTestMetadata(), 61 Enabled: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()), 62 Destination: defsecTypes.String("0.0.0.0", defsecTypes.NewTestMetadata()), 63 Source: defsecTypes.String("0.0.0.0", defsecTypes.NewTestMetadata()), 64 }, 65 }, 66 }, 67 }, 68 expected: true, 69 }, 70 { 71 name: "Firewall rule with private destination and source addresses", 72 input: openstack.Compute{ 73 Firewall: openstack.Firewall{ 74 AllowRules: []openstack.FirewallRule{ 75 { 76 Metadata: defsecTypes.NewTestMetadata(), 77 Enabled: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()), 78 Destination: defsecTypes.String("10.10.10.1", defsecTypes.NewTestMetadata()), 79 Source: defsecTypes.String("10.10.10.2", defsecTypes.NewTestMetadata()), 80 }, 81 }, 82 }, 83 }, 84 expected: false, 85 }, 86 } 87 for _, test := range tests { 88 t.Run(test.name, func(t *testing.T) { 89 var testState state.State 90 testState.OpenStack.Compute = test.input 91 results := CheckNoPublicAccess.Evaluate(&testState) 92 var found bool 93 for _, result := range results { 94 if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckNoPublicAccess.Rule().LongID() { 95 found = true 96 } 97 } 98 if test.expected { 99 assert.True(t, found, "Rule should have been found") 100 } else { 101 assert.False(t, found, "Rule should not have been found") 102 } 103 }) 104 } 105 }