fix runtime unit tests

tenable · Aug 14, 2020 · 71e2854 · 71e2854
1 parent c6bf4ce
commit 71e2854
Show file tree

Hide file tree

Showing 7 changed files with 163 additions and 11 deletions.
diff --git a/pkg/runtime/executor_test.go b/pkg/runtime/executor_test.go
@@ -26,11 +26,13 @@ import (
 	tfv12 "github.com/accurics/terrascan/pkg/iac-providers/terraform/v12"
 	"github.com/accurics/terrascan/pkg/notifications"
 	"github.com/accurics/terrascan/pkg/notifications/webhook"
+	"github.com/accurics/terrascan/pkg/policy"
 )
 
 var (
-	errMockLoadIacDir  = fmt.Errorf("mock LoadIacDir")
-	errMockLoadIacFile = fmt.Errorf("mock LoadIacFile")
+	errMockLoadIacDir   = fmt.Errorf("mock LoadIacDir")
+	errMockLoadIacFile  = fmt.Errorf("mock LoadIacFile")
+	errMockPolicyEngine = fmt.Errorf("mock PolicyEngine")
 )
 
 // MockIacProvider mocks IacProvider interface
@@ -47,6 +49,31 @@ func (m MockIacProvider) LoadIacFile(file string) (output.AllResourceConfigs, er
 	return m.output, m.err
 }
 
+// mock policy engine
+type MockPolicyEngine struct {
+	err error
+}
+
+func (m MockPolicyEngine) Init(input string) error {
+	return m.err
+}
+
+func (m MockPolicyEngine) Configure() error {
+	return m.err
+}
+
+func (m MockPolicyEngine) Evaluate(input policy.EngineInput) (out policy.EngineOutput, err error) {
+	return out, m.err
+}
+
+func (m MockPolicyEngine) GetResults() (out policy.EngineOutput) {
+	return out
+}
+
+func (m MockPolicyEngine) Release() error {
+	return m.err
+}
+
 func TestExecute(t *testing.T) {
 
 	// TODO: add tests to validate output of Execute()
@@ -66,8 +93,9 @@ func TestExecute(t *testing.T) {
 		{
 			name: "test LoadIacDir no error",
 			executor: Executor{
-				dirPath:     "./testdata/testdir",
-				iacProvider: MockIacProvider{err: nil},
+				dirPath:      "./testdata/testdir",
+				iacProvider:  MockIacProvider{err: nil},
+				policyEngine: MockPolicyEngine{err: nil},
 			},
 			wantErr: nil,
 		},
@@ -82,27 +110,48 @@ func TestExecute(t *testing.T) {
 		{
 			name: "test LoadIacFile no error",
 			executor: Executor{
-				filePath:    "./testdata/testfile",
-				iacProvider: MockIacProvider{err: nil},
+				filePath:     "./testdata/testfile",
+				iacProvider:  MockIacProvider{err: nil},
+				policyEngine: MockPolicyEngine{err: nil},
 			},
 			wantErr: nil,
 		},
 		{
 			name: "test SendNofitications no error",
 			executor: Executor{
-				iacProvider: MockIacProvider{err: nil},
-				notifiers:   []notifications.Notifier{&MockNotifier{err: nil}},
+				iacProvider:  MockIacProvider{err: nil},
+				notifiers:    []notifications.Notifier{&MockNotifier{err: nil}},
+				policyEngine: MockPolicyEngine{err: nil},
 			},
 			wantErr: nil,
 		},
 		{
-			name: "test SendNofitications no error",
+			name: "test SendNofitications mock error",
 			executor: Executor{
-				iacProvider: MockIacProvider{err: nil},
-				notifiers:   []notifications.Notifier{&MockNotifier{err: errMockNotifier}},
+				iacProvider:  MockIacProvider{err: nil},
+				notifiers:    []notifications.Notifier{&MockNotifier{err: errMockNotifier}},
+				policyEngine: MockPolicyEngine{err: nil},
 			},
 			wantErr: errMockNotifier,
 		},
+		{
+			name: "test policy enginer no error",
+			executor: Executor{
+				iacProvider:  MockIacProvider{err: nil},
+				notifiers:    []notifications.Notifier{&MockNotifier{err: nil}},
+				policyEngine: MockPolicyEngine{err: nil},
+			},
+			wantErr: nil,
+		},
+		{
+			name: "test policy engine error",
+			executor: Executor{
+				iacProvider:  MockIacProvider{err: nil},
+				notifiers:    []notifications.Notifier{&MockNotifier{err: nil}},
+				policyEngine: MockPolicyEngine{err: errMockPolicyEngine},
+			},
+			wantErr: errMockPolicyEngine,
+		},
 	}
 
 	for _, tt := range table {
@@ -132,6 +181,7 @@ func TestInit(t *testing.T) {
 				cloudType:  "aws",
 				iacType:    "terraform",
 				iacVersion: "v12",
+				policyPath: "./testdata/testpolicies",
 			},
 			wantErr:         nil,
 			wantIacProvider: &tfv12.TfV12{},
@@ -146,6 +196,7 @@ func TestInit(t *testing.T) {
 				iacType:    "terraform",
 				iacVersion: "v12",
 				configFile: "./testdata/webhook.toml",
+				policyPath: "./testdata/testpolicies",
 			},
 			wantErr:         nil,
 			wantIacProvider: &tfv12.TfV12{},
@@ -178,6 +229,21 @@ func TestInit(t *testing.T) {
 			wantErr:         fmt.Errorf("config file not present"),
 			wantIacProvider: &tfv12.TfV12{},
 		},
+		{
+			name: "invalid policy path",
+			executor: Executor{
+				filePath:   "./testdata/testfile",
+				dirPath:    "",
+				cloudType:  "aws",
+				iacType:    "terraform",
+				iacVersion: "v12",
+				configFile: "./testdata/webhook.toml",
+				policyPath: "./testdata/notthere",
+			},
+			wantErr:         fmt.Errorf("failed to initialize OPA policy engine"),
+			wantIacProvider: &tfv12.TfV12{},
+			wantNotifiers:   []notifications.Notifier{&webhook.Webhook{}},
+		},
 	}
 
 	for _, tt := range table {

diff --git a/...cies/aws_cloudfront_distribution/AWS.CloudFront.EncryptionandKeyManagement.High.0407.json b/...cies/aws_cloudfront_distribution/AWS.CloudFront.EncryptionandKeyManagement.High.0407.json
@@ -0,0 +1,12 @@
+{
+    "name": "cloudfrontNoHTTPSTraffic",
+    "file": "cloudfrontNoHTTPSTraffic.rego",
+    "templateArgs": {
+        "prefix": ""
+    },
+    "severity": "HIGH",
+    "description": "Use encrypted connection between CloudFront and origin server",
+    "referenceId": "AWS.CloudFront.EncryptionandKeyManagement.High.0407",
+    "category": "Encryption and Key Management",
+    "version": 2
+}
diff --git a/...cies/aws_cloudfront_distribution/AWS.CloudFront.EncryptionandKeyManagement.High.0408.json b/...cies/aws_cloudfront_distribution/AWS.CloudFront.EncryptionandKeyManagement.High.0408.json
@@ -0,0 +1,12 @@
+{
+    "name": "cloudfrontNoSecureCiphers",
+    "file": "cloudfrontNoSecureCiphers.rego",
+    "templateArgs": {
+        "prefix": ""
+    },
+    "severity": "HIGH",
+    "description": "Secure ciphers are not used in CloudFront distribution",
+    "referenceId": "AWS.CloudFront.EncryptionandKeyManagement.High.0408",
+    "category": "Encryption and Key Management",
+    "version": 2
+}
diff --git a/...testdata/testpolicies/aws_cloudfront_distribution/AWS.CloudFront.Logging.Medium.0567.json b/...testdata/testpolicies/aws_cloudfront_distribution/AWS.CloudFront.Logging.Medium.0567.json
@@ -0,0 +1,12 @@
+{
+    "name": "cloudfrontNoLogging",
+    "file": "cloudfrontNoLogging.rego",
+    "templateArgs": {
+        "prefix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure that your AWS Cloudfront distributions have the Logging feature enabled in order to track all viewer requests for the content delivered through the Content Delivery Network (CDN).",
+    "referenceId": "AWS.CloudFront.Logging.Medium.0567",
+    "category": "Logging",
+    "version": 2
+}
diff --git a/pkg/runtime/testdata/testpolicies/aws_cloudfront_distribution/cloudfrontNoHTTPSTraffic.rego b/pkg/runtime/testdata/testpolicies/aws_cloudfront_distribution/cloudfrontNoHTTPSTraffic.rego
@@ -0,0 +1,10 @@
+package accurics
+
+{{.prefix}}cloudfrontNoHTTPSTraffic[retVal]{
+    cloudfront = input.aws_cloudfront_distribution[_]
+    some i
+    orderedcachebehaviour = cloudfront.config.ordered_cache_behavior[i]
+    orderedcachebehaviour.viewer_protocol_policy == "allow-all"
+	traverse := sprintf("ordered_cache_behavior[%d].viewer_protocol_policy", [i])
+    retVal := { "Id": cloudfront.id, "ReplaceType": "edit", "CodeType": "attribute", "Traverse": traverse, "Attribute": "ordered_cache_behavior.viewer_protocol_policy", "AttributeDataType": "string", "Expected": "redirect-to-https", "Actual": orderedcachebehaviour.viewer_protocol_policy }
+}
diff --git a/pkg/runtime/testdata/testpolicies/aws_cloudfront_distribution/cloudfrontNoLogging.rego b/pkg/runtime/testdata/testpolicies/aws_cloudfront_distribution/cloudfrontNoLogging.rego
@@ -0,0 +1,21 @@
+package accurics
+
+{{.prefix}}cloudfrontNoLogging[retVal]{
+    cloudfront = input.aws_cloudfront_distribution[_]
+    not cloudfront.config.logging_config
+
+    rc = "ewogICJsb2dnaW5nX2NvbmZpZyI6IHsKICAgICJpbmNsdWRlX2Nvb2tpZXMiOiBmYWxzZSwKICAgICJidWNrZXQiOiAiPGJ1Y2tldD4iLAogICAgInByZWZpeCI6ICI8cHJlZml4PiIKICB9Cn0="
+
+    traverse = ""
+    retVal := { "Id": cloudfront.id, "ReplaceType": "add", "CodeType": "block", "Traverse": traverse, "Attribute": "logging_config", "AttributeDataType": "base64", "Expected": rc, "Actual": null }
+}
+
+{{.prefix}}cloudfrontNoLogging[retVal]{
+    cloudfront = input.aws_cloudfront_distribution[_]
+    cloudfront.config.logging_config == []
+
+    rc = "ewogICJsb2dnaW5nX2NvbmZpZyI6IHsKICAgICJpbmNsdWRlX2Nvb2tpZXMiOiBmYWxzZSwKICAgICJidWNrZXQiOiAiPGJ1Y2tldD4iLAogICAgInByZWZpeCI6ICI8cHJlZml4PiIKICB9Cn0="
+
+    traverse = ""
+    retVal := { "Id": cloudfront.id, "ReplaceType": "add", "CodeType": "block", "Traverse": traverse, "Attribute": "logging_config", "AttributeDataType": "base64", "Expected": rc, "Actual": null }
+}
diff --git a/pkg/runtime/testdata/testpolicies/aws_cloudfront_distribution/cloudfrontNoSecureCiphers.rego b/pkg/runtime/testdata/testpolicies/aws_cloudfront_distribution/cloudfrontNoSecureCiphers.rego
@@ -0,0 +1,19 @@
+package accurics 
+
+{{.prefix}}cloudfrontNoSecureCiphers[retVal]{
+    cloudfront = input.aws_cloudfront_distribution[_]
+    some i
+    certificate = cloudfront.config.viewer_certificate[i]
+    certificate.cloudfront_default_certificate = false
+    not minimumAllowedProtocolVersion(certificate.minimum_protocol_version)
+    traverse := sprintf("viewer_certificate[%d].minimum_protocol_version", [i])
+    retVal := { "Id": cloudfront.id, "ReplaceType": "edit", "CodeType": "attribute", "Traverse": traverse, "Attribute": "viewer_certificate.minimum_protocol_version", "AttributeDataType": "string", "Expected": "TLSv1.2", "Actual": certificate.minimum_protocol_version }
+}
+
+minimumAllowedProtocolVersion(currentVersion) {
+    currentVersion == "TLSv1.1"
+}
+
+minimumAllowedProtocolVersion(currentVersion) {
+    currentVersion == "TLSv1.2"
+}