
     1  package compute
     2  
     3  import (
     4  	"testing"
     5  
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/providers/openstack"
    11  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    12  
    13  	"github.com/stretchr/testify/assert"
    14  )
    15  
// TestCheckNoPublicEgress feeds CheckNoPublicEgress a networking state holding
// a single egress security group rule and checks whether the rule reports a
// failed result for it. Per the expectations below, an empty CIDR, a private
// address and a single public host address are not expected to be flagged,
// while a large public block is.
func TestCheckNoPublicEgress(t *testing.T) {
	// egressRule builds a Networking state whose only security group holds one
	// egress (IsIngress=false) rule targeting cidr.
	egressRule := func(cidr string) openstack.Networking {
		return openstack.Networking{
			SecurityGroups: []openstack.SecurityGroup{
				{
					Metadata: defsecTypes.NewTestMetadata(),
					Rules: []openstack.SecurityGroupRule{
						{
							Metadata:  defsecTypes.NewTestMetadata(),
							IsIngress: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
							CIDR:      defsecTypes.String(cidr, defsecTypes.NewTestMetadata()),
						},
					},
				},
			},
		}
	}

	cases := []struct {
		name     string
		input    openstack.Networking
		expected bool
	}{
		{name: "Security group rule missing address", input: egressRule(""), expected: false},
		{name: "Security group rule with private address", input: egressRule("10.10.0.1"), expected: false},
		{name: "Security group rule with single public address", input: egressRule("8.8.8.8"), expected: false},
		{name: "Security group rule with large public cidr", input: egressRule("80.0.0.0/8"), expected: true},
	}

	// The rule identity is the same for every case; resolve it once.
	wantID := CheckNoPublicEgress.Rule().LongID()

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			var s state.State
			s.OpenStack.Networking = tc.input

			// A case "fails" when the evaluated results contain a failed
			// result attributed to this rule's long ID.
			failed := false
			for _, r := range CheckNoPublicEgress.Evaluate(&s) {
				if r.Status() == scan.StatusFailed && r.Rule().LongID() == wantID {
					failed = true
					break
				}
			}

			if tc.expected {
				assert.True(t, failed, "Rule should have been found")
				return
			}
			assert.False(t, failed, "Rule should not have been found")
		})
	}
}