securityhub test cases

Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com>
kyverno · Apr 24, 2024 · 62572d1 · 62572d1
1 parent 39fc42a
commit 62572d1
Show file tree

Hide file tree

Showing 3 changed files with 197 additions and 17 deletions.
diff --git a/pkg/cache/utils.go b/pkg/cache/utils.go
diff --git a/pkg/target/securityhub/securityhub.go b/pkg/target/securityhub/securityhub.go
@@ -13,11 +13,16 @@ import (
 	"github.com/kyverno/policy-reporter/pkg/target"
 )
 
+type HubClient interface {
+	BatchImportFindings(ctx context.Context, params *hub.BatchImportFindingsInput, optFns ...func(*hub.Options)) (*hub.BatchImportFindingsOutput, error)
+	GetFindings(ctx context.Context, params *hub.GetFindingsInput, optFns ...func(*hub.Options)) (*hub.GetFindingsOutput, error)
+}
+
 // Options to configure the S3 target
 type Options struct {
 	target.ClientOptions
 	CustomFields map[string]string
-	Client       *hub.Client
+	Client       HubClient
 	AccountID    string
 	Region       string
 	ProductName  string
@@ -28,7 +33,7 @@ type Options struct {
 type client struct {
 	target.BaseClient
 	customFields map[string]string
-	hub          *hub.Client
+	hub          HubClient
 	accountID    string
 	region       string
 	productName  string
@@ -66,7 +71,7 @@ func (c *client) Send(result v1alpha2.PolicyReportResult) {
 				CreatedAt:     toPointer(t.Format("2006-01-02T15:04:05.999999999Z07:00")),
 				UpdatedAt:     toPointer(t.Format("2006-01-02T15:04:05.999999999Z07:00")),
 				Severity: &types.Severity{
-					Label: mapSeverity(result.Severity),
+					Label: MapSeverity(result.Severity),
 				},
 				Title:       &title,
 				Description: &result.Message,
@@ -242,7 +247,7 @@ func toPointer[T any](value T) *T {
 	return &value
 }
 
-func mapSeverity(s v1alpha2.PolicySeverity) types.SeverityLabel {
+func MapSeverity(s v1alpha2.PolicySeverity) types.SeverityLabel {
 	switch s {
 	case v1alpha2.SeverityInfo:
 		return types.SeverityLabelInformational

diff --git a/pkg/target/securityhub/securityhub_test.go b/pkg/target/securityhub/securityhub_test.go
@@ -0,0 +1,188 @@
+package securityhub_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	hub "github.com/aws/aws-sdk-go-v2/service/securityhub"
+	"github.com/aws/aws-sdk-go-v2/service/securityhub/types"
+	"github.com/kyverno/policy-reporter/pkg/crd/api/policyreport/v1alpha2"
+	"github.com/kyverno/policy-reporter/pkg/fixtures"
+	"github.com/kyverno/policy-reporter/pkg/target/securityhub"
+)
+
+type client struct {
+	batched bool
+	fetched bool
+
+	send     func(findings []types.AwsSecurityFinding)
+	findings []types.AwsSecurityFinding
+}
+
+func (c *client) BatchImportFindings(ctx context.Context, params *hub.BatchImportFindingsInput, optFns ...func(*hub.Options)) (*hub.BatchImportFindingsOutput, error) {
+	c.batched = true
+
+	if c.send != nil {
+		c.send(params.Findings)
+	}
+
+	return &hub.BatchImportFindingsOutput{
+		SuccessCount: aws.Int32(1),
+		FailedCount:  aws.Int32(0),
+	}, nil
+}
+
+func (c *client) GetFindings(ctx context.Context, params *hub.GetFindingsInput, optFns ...func(*hub.Options)) (*hub.GetFindingsOutput, error) {
+	c.fetched = true
+	return &hub.GetFindingsOutput{
+		Findings: c.findings,
+	}, nil
+}
+
+func TestSecurityHub(t *testing.T) {
+	t.Run("send result", func(t *testing.T) {
+		c := securityhub.NewClient(securityhub.Options{
+			AccountID:   "accountID",
+			Region:      "eu-central-1",
+			ProductName: "Policy Reporter",
+			Client: &client{
+				send: func(findings []types.AwsSecurityFinding) {
+					if len(findings) != 1 {
+						t.Error("expected to get one finding")
+						return
+					}
+
+					finding := findings[0]
+
+					if *finding.AwsAccountId != "accountID" {
+						t.Errorf("unexpected accountID: %s", *finding.AwsAccountId)
+					}
+					if *finding.Id != fixtures.CompleteTargetSendResult.GetID() {
+						t.Errorf("unexpected id: %s", *finding.Id)
+					}
+					if *finding.ProductArn != "arn:aws:securityhub:eu-central-1:accountID:product/accountID/default" {
+						t.Errorf("unexpected product arn: %s", *finding.ProductArn)
+					}
+					if finding.ProductFields["Product Name"] != "Policy Reporter" {
+						t.Errorf("unexpected product name arn: %s", finding.ProductFields["Product Name"])
+					}
+				},
+			},
+		})
+
+		c.Send(fixtures.CompleteTargetSendResult)
+	})
+	t.Run("clean up disabled", func(t *testing.T) {
+		h := &client{}
+
+		c := securityhub.NewClient(securityhub.Options{
+			AccountID:   "accountID",
+			Region:      "eu-central-1",
+			ProductName: "Policy Reporter",
+			Client:      h,
+			Cleanup:     false,
+		})
+
+		c.CleanUp(context.TODO(), fixtures.DefaultPolicyReport)
+
+		if h.fetched {
+			t.Error("expected fetch was not called")
+		}
+		if h.batched {
+			t.Error("expected batch was not called")
+		}
+	})
+	t.Run("findings without results", func(t *testing.T) {
+		h := &client{}
+
+		c := securityhub.NewClient(securityhub.Options{
+			AccountID:   "accountID",
+			Region:      "eu-central-1",
+			ProductName: "Policy Reporter",
+			Client:      h,
+			Cleanup:     true,
+		})
+
+		c.CleanUp(context.TODO(), fixtures.DefaultPolicyReport)
+
+		if !h.fetched {
+			t.Error("expected fetch was called")
+		}
+		if h.batched {
+			t.Error("expected batch was not called")
+		}
+	})
+	t.Run("findings with existing result", func(t *testing.T) {
+		h := &client{
+			findings: []types.AwsSecurityFinding{
+				{
+					Id: aws.String(fixtures.DefaultPolicyReport.GetResults()[0].GetID()),
+				},
+			},
+		}
+
+		c := securityhub.NewClient(securityhub.Options{
+			AccountID:   "accountID",
+			Region:      "eu-central-1",
+			ProductName: "Policy Reporter",
+			Client:      h,
+			Cleanup:     true,
+		})
+
+		c.CleanUp(context.TODO(), fixtures.DefaultPolicyReport)
+
+		if !h.fetched {
+			t.Error("expected fetch was called")
+		}
+		if h.batched {
+			t.Error("expected batch was not called")
+		}
+	})
+	t.Run("findings with not existing result", func(t *testing.T) {
+		h := &client{
+			findings: []types.AwsSecurityFinding{
+				{
+					Id: aws.String("not-existing-result"),
+				},
+			},
+		}
+
+		c := securityhub.NewClient(securityhub.Options{
+			AccountID:   "accountID",
+			Region:      "eu-central-1",
+			ProductName: "Policy Reporter",
+			Client:      h,
+			Cleanup:     true,
+		})
+
+		c.CleanUp(context.TODO(), fixtures.DefaultPolicyReport)
+
+		if !h.fetched {
+			t.Error("expected fetch was called")
+		}
+		if !h.batched {
+			t.Error("expected batch was called")
+		}
+	})
+	t.Run("MapSeverity", func(t *testing.T) {
+		if securityhub.MapSeverity(v1alpha2.SeverityInfo) != types.SeverityLabelInformational {
+			t.Error("unexpected severity mapping")
+		}
+		if securityhub.MapSeverity(v1alpha2.SeverityLow) != types.SeverityLabelLow {
+			t.Error("unexpected severity mapping")
+		}
+		if securityhub.MapSeverity(v1alpha2.SeverityMedium) != types.SeverityLabelMedium {
+			t.Error("unexpected severity mapping")
+		}
+		if securityhub.MapSeverity(v1alpha2.SeverityHigh) != types.SeverityLabelHigh {
+			t.Error("unexpected severity mapping")
+		}
+		if securityhub.MapSeverity(v1alpha2.SeverityCritical) != types.SeverityLabelCritical {
+			t.Error("unexpected severity mapping")
+		}
+		if securityhub.MapSeverity("") != types.SeverityLabelInformational {
+			t.Error("unexpected severity mapping")
+		}
+	})
+}