2021-10-01 09:02:46 +00:00
|
|
|
package remote
|
|
|
|
|
|
|
|
import (
|
|
|
|
"testing"
|
|
|
|
|
2022-06-28 07:23:29 +00:00
|
|
|
"github.com/snyk/driftctl/enumeration"
|
|
|
|
"github.com/snyk/driftctl/enumeration/remote/alerts"
|
2022-07-06 08:44:42 +00:00
|
|
|
"github.com/snyk/driftctl/enumeration/remote/common"
|
2022-06-28 07:23:29 +00:00
|
|
|
remoteerr "github.com/snyk/driftctl/enumeration/remote/error"
|
|
|
|
"github.com/snyk/driftctl/enumeration/remote/google"
|
|
|
|
"github.com/snyk/driftctl/enumeration/remote/google/repository"
|
|
|
|
terraform3 "github.com/snyk/driftctl/enumeration/terraform"
|
|
|
|
|
2021-10-01 09:02:46 +00:00
|
|
|
"github.com/pkg/errors"
|
2022-06-28 07:23:29 +00:00
|
|
|
"github.com/snyk/driftctl/enumeration/resource"
|
|
|
|
googleresource "github.com/snyk/driftctl/enumeration/resource/google"
|
2021-12-06 13:29:39 +00:00
|
|
|
"github.com/snyk/driftctl/mocks"
|
2022-06-28 07:23:29 +00:00
|
|
|
|
2021-12-06 13:29:39 +00:00
|
|
|
"github.com/snyk/driftctl/test"
|
|
|
|
"github.com/snyk/driftctl/test/goldenfile"
|
|
|
|
testresource "github.com/snyk/driftctl/test/resource"
|
|
|
|
terraform2 "github.com/snyk/driftctl/test/terraform"
|
2021-10-01 09:02:46 +00:00
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
"github.com/stretchr/testify/mock"
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestGoogleProjectIAMMember(t *testing.T) {
|
|
|
|
|
|
|
|
cases := []struct {
|
|
|
|
test string
|
|
|
|
dirName string
|
|
|
|
repositoryMock func(repository *repository.MockCloudResourceManagerRepository)
|
|
|
|
responseErr error
|
|
|
|
setupAlerterMock func(alerter *mocks.AlerterInterface)
|
|
|
|
wantErr error
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
test: "no bindings",
|
|
|
|
dirName: "google_project_member_empty",
|
|
|
|
repositoryMock: func(repository *repository.MockCloudResourceManagerRepository) {
|
|
|
|
repository.On("ListProjectsBindings").Return(map[string]map[string][]string{}, nil)
|
|
|
|
},
|
|
|
|
wantErr: nil,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
test: "Cannot list bindings",
|
|
|
|
dirName: "google_project_member_listing_error",
|
|
|
|
repositoryMock: func(repository *repository.MockCloudResourceManagerRepository) {
|
|
|
|
repository.On("ListProjectsBindings").Return(
|
|
|
|
map[string]map[string][]string{},
|
|
|
|
errors.New("googleapi: Error 403: driftctl-acc-circle@driftctl-qa-1.iam.gserviceaccount.com does not have project.getIamPolicy access., forbidden"))
|
|
|
|
},
|
|
|
|
setupAlerterMock: func(alerter *mocks.AlerterInterface) {
|
|
|
|
alerter.On(
|
|
|
|
"SendAlert",
|
|
|
|
"google_project_iam_member",
|
|
|
|
alerts.NewRemoteAccessDeniedAlert(
|
2022-07-06 08:44:42 +00:00
|
|
|
common.RemoteGoogleTerraform,
|
2021-10-01 09:02:46 +00:00
|
|
|
remoteerr.NewResourceListingError(
|
|
|
|
errors.New("googleapi: Error 403: driftctl-acc-circle@driftctl-qa-1.iam.gserviceaccount.com does not have project.getIamPolicy access., forbidden"),
|
|
|
|
"google_project_iam_member",
|
|
|
|
),
|
|
|
|
alerts.EnumerationPhase,
|
|
|
|
),
|
|
|
|
).Once()
|
|
|
|
},
|
|
|
|
wantErr: nil,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
test: "multiples storage buckets, multiple bindings",
|
|
|
|
dirName: "google_project_member_listing_multiple",
|
|
|
|
repositoryMock: func(repository *repository.MockCloudResourceManagerRepository) {
|
|
|
|
repository.On("ListProjectsBindings").Return(map[string]map[string][]string{
|
|
|
|
"": {
|
|
|
|
"roles/editor": {
|
|
|
|
"user:martin.guibert@cloudskiff.com",
|
|
|
|
"serviceAccount:drifctl-admin@cloudskiff-dev-martin.iam.gserviceaccount.com",
|
|
|
|
},
|
|
|
|
"roles/storage.admin": {"user:martin.guibert@cloudskiff.com"},
|
|
|
|
"roles/viewer": {"serviceAccount:driftctl@cloudskiff-dev-martin.iam.gserviceaccount.com"},
|
|
|
|
"roles/cloudasset.viewer": {"serviceAccount:driftctl@cloudskiff-dev-martin.iam.gserviceaccount.com"},
|
|
|
|
"roles/iam.securityReviewer": {"serviceAccount:driftctl@cloudskiff-dev-martin.iam.gserviceaccount.com"},
|
|
|
|
},
|
|
|
|
}, nil)
|
|
|
|
},
|
|
|
|
wantErr: nil,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
providerVersion := "3.78.0"
|
|
|
|
resType := resource.ResourceType(googleresource.GoogleProjectIamMemberResourceType)
|
|
|
|
schemaRepository := testresource.InitFakeSchemaRepository("google", providerVersion)
|
|
|
|
googleresource.InitResourcesMetadata(schemaRepository)
|
2022-06-28 07:23:29 +00:00
|
|
|
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
|
2021-10-01 09:02:46 +00:00
|
|
|
deserializer := resource.NewDeserializer(factory)
|
|
|
|
|
|
|
|
for _, c := range cases {
|
|
|
|
t.Run(c.test, func(tt *testing.T) {
|
|
|
|
|
|
|
|
shouldUpdate := c.dirName == *goldenfile.Update
|
|
|
|
|
|
|
|
scanOptions := ScannerOptions{Deep: true}
|
2022-06-28 07:23:29 +00:00
|
|
|
providerLibrary := terraform3.NewProviderLibrary()
|
2022-07-06 08:44:42 +00:00
|
|
|
remoteLibrary := common.NewRemoteLibrary()
|
2021-10-01 09:02:46 +00:00
|
|
|
|
|
|
|
// Initialize mocks
|
|
|
|
alerter := &mocks.AlerterInterface{}
|
|
|
|
if c.setupAlerterMock != nil {
|
|
|
|
c.setupAlerterMock(alerter)
|
|
|
|
}
|
|
|
|
|
|
|
|
realProvider, err := terraform2.InitTestGoogleProvider(providerLibrary, providerVersion)
|
|
|
|
if err != nil {
|
|
|
|
tt.Fatal(err)
|
|
|
|
}
|
|
|
|
provider := terraform2.NewFakeTerraformProvider(realProvider)
|
|
|
|
provider.WithResponse(c.dirName)
|
|
|
|
|
|
|
|
managerRepository := &repository.MockCloudResourceManagerRepository{}
|
|
|
|
if c.repositoryMock != nil {
|
|
|
|
c.repositoryMock(managerRepository)
|
|
|
|
}
|
|
|
|
|
|
|
|
remoteLibrary.AddEnumerator(google.NewGoogleProjectIamMemberEnumerator(managerRepository, factory))
|
|
|
|
|
2022-06-28 07:23:29 +00:00
|
|
|
testFilter := &enumeration.MockFilter{}
|
2021-10-01 09:02:46 +00:00
|
|
|
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
|
|
|
|
|
|
|
|
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
|
|
|
|
got, err := s.Resources()
|
|
|
|
assert.Equal(tt, c.wantErr, err)
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
alerter.AssertExpectations(tt)
|
|
|
|
testFilter.AssertExpectations(tt)
|
|
|
|
test.TestAgainstGoldenFile(got, resType.String(), c.dirName, provider, deserializer, shouldUpdate, tt)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|