feat(cognito): add cognito check for self-registration

padok-team · Feb 10, 2023 · 7334bed · 7334bed
1 parent 610606f
commit 7334bed
Show file tree

Hide file tree

Showing 7 changed files with 253 additions and 0 deletions.
diff --git a/aws/cognito/cognito.go b/aws/cognito/cognito.go
@@ -13,8 +13,11 @@ func RunChecks(wa *sync.WaitGroup, s aws.Config, c *commons.Config, queue chan [
 	var checks []commons.Check
 	cognitoPools := GetCognitoPools(s)
 	cognitoPoolsDetailed := GetDetailedCognitoPool(s, cognitoPools)
+	cognitoUserPools := GetCognitoUserPools(s)
+	cognitoUserPoolsDetailed := GetDetailedCognitoUserPool(s, cognitoUserPools)
 
 	go commons.CheckTest(checkConfig.Wg, c, "AWS_COG_001", CheckIfCognitoAllowsUnauthenticated)(checkConfig, cognitoPoolsDetailed, "AWS_COG_001")
+	go commons.CheckTest(checkConfig.Wg, c, "AWS_COG_002", CheckIfCognitoSelfRegistration)(checkConfig, cognitoUserPoolsDetailed, "AWS_COG_002")
 
 	go func() {
 		for t := range checkConfig.Queue {

diff --git a/aws/cognito/cognitoPoolSelfRegistration.go b/aws/cognito/cognitoPoolSelfRegistration.go
@@ -0,0 +1,23 @@
+package cognito
+
+import (
+	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
+	"github.com/padok-team/yatas/plugins/commons"
+)
+
+func CheckIfCognitoSelfRegistration(checkConfig commons.CheckConfig, cognitoUserPools []cognitoidentityprovider.DescribeUserPoolOutput, testName string) {
+	var check commons.Check
+	check.InitCheck("Cognito allows self-registration", "Check if Cognito allows self-registration", testName, []string{"Security", "Good Practice"})
+	for _, c := range cognitoUserPools {
+		if !c.UserPool.AdminCreateUserConfig.AllowAdminCreateUserOnly {
+			Message := "Cognito allows self-registration on " + *c.UserPool.Name
+			result := commons.Result{Status: "FAIL", Message: Message, ResourceID: *c.UserPool.Arn}
+			check.AddResult(result)
+		} else {
+			Message := "Cognito does not allow self-registration on " + *c.UserPool.Name
+			result := commons.Result{Status: "OK", Message: Message, ResourceID: *c.UserPool.Arn}
+			check.AddResult(result)
+		}
+	}
+	checkConfig.Queue <- check
+}
diff --git a/aws/cognito/cognitoPoolSelfRegistration_test.go b/aws/cognito/cognitoPoolSelfRegistration_test.go
@@ -0,0 +1,99 @@
+package cognito
+
+import (
+	"sync"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
+	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types"
+	"github.com/padok-team/yatas/plugins/commons"
+)
+
+func TestCheckIfCognitoSelfRegistration(t *testing.T) {
+	type args struct {
+		checkConfig      commons.CheckConfig
+		cognitoUserPools []cognitoidentityprovider.DescribeUserPoolOutput
+		testName         string
+	}
+	tests := []struct {
+		name string
+		args args
+	}{
+		{
+			name: "TestCheckIfCognitoSelfRegistration",
+			args: args{
+				checkConfig: commons.CheckConfig{Queue: make(chan commons.Check, 1), Wg: &sync.WaitGroup{}},
+				cognitoUserPools: []cognitoidentityprovider.DescribeUserPoolOutput{
+					{
+						UserPool: &types.UserPoolType{
+							Name:                  aws.String("test"),
+							Arn:                   aws.String("arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_test"),
+							AdminCreateUserConfig: &types.AdminCreateUserConfigType{AllowAdminCreateUserOnly: true},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			CheckIfCognitoSelfRegistration(tt.args.checkConfig, tt.args.cognitoUserPools, tt.args.testName)
+			tt.args.checkConfig.Wg.Add(1)
+			go func() {
+				for check := range tt.args.checkConfig.Queue {
+					if check.Status != "OK" {
+						t.Errorf("CheckIfCognitoSelfRegistration() = %v, want %v", check.Status, "OK")
+					}
+					tt.args.checkConfig.Wg.Done()
+				}
+			}()
+			tt.args.checkConfig.Wg.Wait()
+		})
+	}
+}
+
+func TestCheckIfCognitoSelfRegistrationFail(t *testing.T) {
+	type args struct {
+		checkConfig      commons.CheckConfig
+		cognitoUserPools []cognitoidentityprovider.DescribeUserPoolOutput
+		testName         string
+	}
+	tests := []struct {
+		name string
+		args args
+	}{
+		{
+			name: "TestCheckIfCognitoSelfRegistration",
+			args: args{
+				checkConfig: commons.CheckConfig{Queue: make(chan commons.Check, 1), Wg: &sync.WaitGroup{}},
+				cognitoUserPools: []cognitoidentityprovider.DescribeUserPoolOutput{
+					{
+						UserPool: &types.UserPoolType{
+							Name:                  aws.String("test"),
+							Arn:                   aws.String("arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_test"),
+							AdminCreateUserConfig: &types.AdminCreateUserConfigType{AllowAdminCreateUserOnly: false},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			CheckIfCognitoSelfRegistration(tt.args.checkConfig, tt.args.cognitoUserPools, tt.args.testName)
+			tt.args.checkConfig.Wg.Add(1)
+			go func() {
+				for check := range tt.args.checkConfig.Queue {
+					if check.Status != "FAIL" {
+						t.Errorf("CheckIfCognitoSelfRegistration() = %v, want %v", check.Status, "FAIL")
+					}
+					tt.args.checkConfig.Wg.Done()
+				}
+			}()
+			tt.args.checkConfig.Wg.Wait()
+		})
+	}
+}
diff --git a/aws/cognito/cognitoPoolUnauthenticated_test.go b/aws/cognito/cognitoPoolUnauthenticated_test.go
@@ -0,0 +1,94 @@
+package cognito
+
+import (
+	"sync"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/cognitoidentity"
+	"github.com/padok-team/yatas/plugins/commons"
+)
+
+func TestCheckIfCognitoAllowsUnauthenticated(t *testing.T) {
+	type args struct {
+		checkConfig  commons.CheckConfig
+		cognitoPools []cognitoidentity.DescribeIdentityPoolOutput
+		testName     string
+	}
+	tests := []struct {
+		name string
+		args args
+	}{
+		{
+			name: "TestCheckIfCognitoAllowsUnauthenticated",
+			args: args{
+				checkConfig: commons.CheckConfig{Queue: make(chan commons.Check, 1), Wg: &sync.WaitGroup{}},
+				cognitoPools: []cognitoidentity.DescribeIdentityPoolOutput{
+					{
+						IdentityPoolName:               aws.String("test"),
+						IdentityPoolId:                 aws.String("us-east-1:cb21213c-a931-11ed-afa1-0242ac120002"),
+						AllowUnauthenticatedIdentities: false,
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			CheckIfCognitoAllowsUnauthenticated(tt.args.checkConfig, tt.args.cognitoPools, tt.args.testName)
+			tt.args.checkConfig.Wg.Add(1)
+			go func() {
+				for check := range tt.args.checkConfig.Queue {
+					if check.Status != "OK" {
+						t.Errorf("CheckIfCognitoAllowsUnauthenticated() = %v, want %v", check.Status, "OK")
+					}
+					tt.args.checkConfig.Wg.Done()
+				}
+			}()
+			tt.args.checkConfig.Wg.Wait()
+		})
+	}
+}
+
+func TestCheckIfCognitoAllowsUnauthenticatedFail(t *testing.T) {
+	type args struct {
+		checkConfig  commons.CheckConfig
+		cognitoPools []cognitoidentity.DescribeIdentityPoolOutput
+		testName     string
+	}
+	tests := []struct {
+		name string
+		args args
+	}{
+		{
+			name: "TestCheckIfCognitoAllowsUnauthenticated",
+			args: args{
+				checkConfig: commons.CheckConfig{Queue: make(chan commons.Check, 1), Wg: &sync.WaitGroup{}},
+				cognitoPools: []cognitoidentity.DescribeIdentityPoolOutput{
+					{
+						IdentityPoolName:               aws.String("test"),
+						IdentityPoolId:                 aws.String("us-east-1:cb21213c-a931-11ed-afa1-0242ac120002"),
+						AllowUnauthenticatedIdentities: true,
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			CheckIfCognitoAllowsUnauthenticated(tt.args.checkConfig, tt.args.cognitoPools, tt.args.testName)
+			tt.args.checkConfig.Wg.Add(1)
+			go func() {
+				for check := range tt.args.checkConfig.Queue {
+					if check.Status != "FAIL" {
+						t.Errorf("CheckIfCognitoAllowsUnauthenticated() = %v, want %v", check.Status, "FAIL")
+					}
+					tt.args.checkConfig.Wg.Done()
+				}
+			}()
+			tt.args.checkConfig.Wg.Wait()
+		})
+	}
+}
diff --git a/aws/cognito/getter.go b/aws/cognito/getter.go
@@ -7,6 +7,8 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/cognitoidentity"
 	"github.com/aws/aws-sdk-go-v2/service/cognitoidentity/types"
+	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
+	ciptypes "github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types"
 )
 
 func GetCognitoPools(s aws.Config) []types.IdentityPoolShortDescription {
@@ -37,3 +39,32 @@ func GetDetailedCognitoPool(s aws.Config, pools []types.IdentityPoolShortDescrip
 	}
 	return detailedPools
 }
+
+func GetCognitoUserPools(s aws.Config) []ciptypes.UserPoolDescriptionType {
+	svc := cognitoidentityprovider.NewFromConfig(s)
+	fmt.Print(svc)
+	cognitoInput := &cognitoidentityprovider.ListUserPoolsInput{
+		MaxResults: 50,
+	}
+	result, err := svc.ListUserPools(context.TODO(), cognitoInput)
+	if err != nil {
+		fmt.Println(err)
+	}
+	return result.UserPools
+}
+
+func GetDetailedCognitoUserPool(s aws.Config, userPools []ciptypes.UserPoolDescriptionType) []cognitoidentityprovider.DescribeUserPoolOutput {
+	svc := cognitoidentityprovider.NewFromConfig(s)
+	var detailedUserPools []cognitoidentityprovider.DescribeUserPoolOutput
+	for _, userPool := range userPools {
+		cognitoInput := &cognitoidentityprovider.DescribeUserPoolInput{
+			UserPoolId: userPool.Id,
+		}
+		result, err := svc.DescribeUserPool(context.TODO(), cognitoInput)
+		if err != nil {
+			fmt.Println(err)
+		}
+		detailedUserPools = append(detailedUserPools, *result)
+	}
+	return detailedUserPools
+}
diff --git a/go.mod b/go.mod
@@ -37,6 +37,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.22 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.29 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.19 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.22.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.11 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.23 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.22 // indirect

diff --git a/go.sum b/go.sum
@@ -28,6 +28,8 @@ github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.23.1 h1:ZCqj9nmTDVRL8Gi/+zlmL
 github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.23.1/go.mod h1:/hrojmxacYhf62vrgsh4P9Xll7ThI5SCWbCkN+ilvcg=
 github.com/aws/aws-sdk-go-v2/service/cognitoidentity v1.15.1 h1:lEmZ2KrVLoSCZqugJXxc8ckenLtLp0J72RUx50Fg/Sc=
 github.com/aws/aws-sdk-go-v2/service/cognitoidentity v1.15.1/go.mod h1:JIHsygiDiivhB2Rr077N1uso4l9FVwzzM3lcscS8hUQ=
+github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.22.1 h1:pGTNqXTEJUkxzWZOFtMCyiaSFdWP3V+Dozk1m52PhuQ=
+github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.22.1/go.mod h1:SbWXSrT+zM2C8uZzZ8fLEsE3VNar9rg77PdgbGspyHQ=
 github.com/aws/aws-sdk-go-v2/service/dynamodb v1.18.2 h1:Catad2gQSpfOHMje2A5fO8gjaO/5eonhp44PCiAnxcE=
 github.com/aws/aws-sdk-go-v2/service/dynamodb v1.18.2/go.mod h1:nkpC9xkh+3vdxmhqN8Ac10pgV14DsJDLzUsV2CcS+44=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.84.1 h1:sJ4Fuz498wBjmL5WQrkYoXHn5JroMVQYqAkLbtYKZcY=