316 lines
9.7 KiB
Go
316 lines
9.7 KiB
Go
package middlewares
|
|
|
|
import (
|
|
"reflect"
|
|
"testing"
|
|
|
|
"github.com/snyk/driftctl/enumeration/resource"
|
|
"github.com/snyk/driftctl/enumeration/resource/aws"
|
|
)
|
|
|
|
func TestAwsDefaultSecurityGroupRule_Execute(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
remoteResources *[]*resource.Resource
|
|
resourcesFromState *[]*resource.Resource
|
|
expected *[]*resource.Resource
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "Should ignore default rules if not managed",
|
|
remoteResources: &[]*resource.Resource{
|
|
{
|
|
Id: "default-sg",
|
|
Type: aws.AwsDefaultSecurityGroupResourceType,
|
|
Attrs: &resource.Attributes{},
|
|
},
|
|
&resource.Resource{
|
|
Id: "default-ingress",
|
|
Type: aws.AwsSecurityGroupRuleResourceType,
|
|
Attrs: &resource.Attributes{
|
|
"type": "ingress",
|
|
"from_port": float64(0),
|
|
"to_port": float64(0),
|
|
"protocol": "-1",
|
|
"security_group_id": "default-sg",
|
|
"source_security_group_id": "default-sg",
|
|
"self": true,
|
|
},
|
|
},
|
|
&resource.Resource{
|
|
Id: "default-egress",
|
|
Type: aws.AwsSecurityGroupRuleResourceType,
|
|
Attrs: &resource.Attributes{
|
|
"type": "egress",
|
|
"from_port": float64(0),
|
|
"to_port": float64(0),
|
|
"protocol": "-1",
|
|
"security_group_id": "default-sg",
|
|
"self": false,
|
|
"cidr_blocks": []interface{}{"0.0.0.0/0"},
|
|
},
|
|
},
|
|
&resource.Resource{
|
|
Id: "dummy-ingress",
|
|
Type: aws.AwsSecurityGroupRuleResourceType,
|
|
Attrs: &resource.Attributes{
|
|
"type": "ingress",
|
|
"from_port": float64(22),
|
|
"to_port": float64(22),
|
|
"protocol": "tcp",
|
|
"security_group_id": "default-sg",
|
|
"cidr_blocks": []interface{}{"1.2.3.4/32"},
|
|
},
|
|
},
|
|
&resource.Resource{
|
|
Id: "dummy-egress",
|
|
Type: aws.AwsSecurityGroupRuleResourceType,
|
|
Attrs: &resource.Attributes{
|
|
"type": "egress",
|
|
"from_port": float64(0),
|
|
"to_port": float64(0),
|
|
"protocol": "-1",
|
|
"security_group_id": "default-sg",
|
|
"self": false,
|
|
"ipv6_cidr_blocks": []interface{}{"::/0"},
|
|
},
|
|
},
|
|
},
|
|
resourcesFromState: &[]*resource.Resource{},
|
|
expected: &[]*resource.Resource{
|
|
&resource.Resource{
|
|
Id: "default-sg",
|
|
Type: aws.AwsDefaultSecurityGroupResourceType,
|
|
Attrs: &resource.Attributes{},
|
|
},
|
|
&resource.Resource{
|
|
Id: "dummy-ingress",
|
|
Type: aws.AwsSecurityGroupRuleResourceType,
|
|
Attrs: &resource.Attributes{
|
|
"type": "ingress",
|
|
"from_port": float64(22),
|
|
"to_port": float64(22),
|
|
"protocol": "tcp",
|
|
"security_group_id": "default-sg",
|
|
"cidr_blocks": []interface{}{"1.2.3.4/32"},
|
|
},
|
|
},
|
|
&resource.Resource{
|
|
Id: "dummy-egress",
|
|
Type: aws.AwsSecurityGroupRuleResourceType,
|
|
Attrs: &resource.Attributes{
|
|
"type": "egress",
|
|
"from_port": float64(0),
|
|
"to_port": float64(0),
|
|
"protocol": "-1",
|
|
"security_group_id": "default-sg",
|
|
"self": false,
|
|
"ipv6_cidr_blocks": []interface{}{"::/0"},
|
|
},
|
|
},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "Should not ignore default rules if managed",
|
|
remoteResources: &[]*resource.Resource{
|
|
&resource.Resource{
|
|
Id: "default-sg",
|
|
Type: aws.AwsDefaultSecurityGroupResourceType,
|
|
Attrs: &resource.Attributes{},
|
|
},
|
|
&resource.Resource{
|
|
Id: "dummy-sg",
|
|
Type: aws.AwsSecurityGroupResourceType,
|
|
Attrs: &resource.Attributes{},
|
|
},
|
|
&resource.Resource{
|
|
Id: "default-ingress",
|
|
Type: aws.AwsSecurityGroupRuleResourceType,
|
|
Attrs: &resource.Attributes{
|
|
"type": "ingress",
|
|
"from_port": float64(0),
|
|
"to_port": float64(0),
|
|
"protocol": "-1",
|
|
"security_group_id": "default-sg",
|
|
"source_security_group_id": "default-sg",
|
|
"self": true,
|
|
},
|
|
},
|
|
&resource.Resource{
|
|
Id: "default-egress",
|
|
Type: aws.AwsSecurityGroupRuleResourceType,
|
|
Attrs: &resource.Attributes{
|
|
"type": "egress",
|
|
"from_port": float64(0),
|
|
"to_port": float64(0),
|
|
"protocol": "-1",
|
|
"security_group_id": "default-sg",
|
|
"self": false,
|
|
"cidr_blocks": []interface{}{"0.0.0.0/0"},
|
|
},
|
|
},
|
|
&resource.Resource{
|
|
Id: "dummy-ingress",
|
|
Type: aws.AwsSecurityGroupRuleResourceType,
|
|
Attrs: &resource.Attributes{
|
|
"type": "ingress",
|
|
"from_port": float64(22),
|
|
"to_port": float64(22),
|
|
"protocol": "tcp",
|
|
"security_group_id": "dummy-sg",
|
|
"cidr_blocks": []interface{}{"1.2.3.4/32"},
|
|
},
|
|
},
|
|
&resource.Resource{
|
|
Id: "dummy-egress",
|
|
Type: aws.AwsSecurityGroupRuleResourceType,
|
|
Attrs: &resource.Attributes{
|
|
"type": "egress",
|
|
"from_port": float64(0),
|
|
"to_port": float64(0),
|
|
"protocol": "-1",
|
|
"security_group_id": "dummy-sg",
|
|
"self": false,
|
|
"ipv6_cidr_blocks": []interface{}{"::/0"},
|
|
},
|
|
},
|
|
&resource.Resource{
|
|
Id: "default-egress-2",
|
|
Type: aws.AwsSecurityGroupRuleResourceType,
|
|
Attrs: &resource.Attributes{
|
|
"type": "egress",
|
|
"from_port": float64(0),
|
|
"to_port": float64(0),
|
|
"protocol": "-1",
|
|
"security_group_id": "dummy-sg",
|
|
"self": false,
|
|
"cidr_blocks": []interface{}{"0.0.0.0/0"},
|
|
},
|
|
},
|
|
},
|
|
resourcesFromState: &[]*resource.Resource{
|
|
&resource.Resource{
|
|
Id: "default-sg",
|
|
Type: aws.AwsDefaultSecurityGroupResourceType,
|
|
Attrs: &resource.Attributes{},
|
|
},
|
|
&resource.Resource{
|
|
Id: "default-ingress",
|
|
Type: aws.AwsSecurityGroupRuleResourceType,
|
|
Attrs: &resource.Attributes{
|
|
"type": "ingress",
|
|
"from_port": float64(0),
|
|
"to_port": float64(0),
|
|
"protocol": "-1",
|
|
"security_group_id": "default-sg",
|
|
"source_security_group_id": "default-sg",
|
|
"self": true,
|
|
},
|
|
},
|
|
&resource.Resource{
|
|
Id: "default-egress",
|
|
Type: aws.AwsSecurityGroupRuleResourceType,
|
|
Attrs: &resource.Attributes{
|
|
"type": "egress",
|
|
"from_port": float64(0),
|
|
"to_port": float64(0),
|
|
"protocol": "-1",
|
|
"security_group_id": "default-sg",
|
|
"self": false,
|
|
"cidr_blocks": []interface{}{"0.0.0.0/0"},
|
|
},
|
|
},
|
|
},
|
|
expected: &[]*resource.Resource{
|
|
&resource.Resource{
|
|
Id: "default-sg",
|
|
Type: aws.AwsDefaultSecurityGroupResourceType,
|
|
Attrs: &resource.Attributes{},
|
|
},
|
|
&resource.Resource{
|
|
Id: "dummy-sg",
|
|
Type: aws.AwsSecurityGroupResourceType,
|
|
Attrs: &resource.Attributes{},
|
|
},
|
|
&resource.Resource{
|
|
Id: "default-ingress",
|
|
Type: aws.AwsSecurityGroupRuleResourceType,
|
|
Attrs: &resource.Attributes{
|
|
"type": "ingress",
|
|
"from_port": float64(0),
|
|
"to_port": float64(0),
|
|
"protocol": "-1",
|
|
"security_group_id": "default-sg",
|
|
"source_security_group_id": "default-sg",
|
|
"self": true,
|
|
},
|
|
},
|
|
&resource.Resource{
|
|
Id: "default-egress",
|
|
Type: aws.AwsSecurityGroupRuleResourceType,
|
|
Attrs: &resource.Attributes{
|
|
"type": "egress",
|
|
"from_port": float64(0),
|
|
"to_port": float64(0),
|
|
"protocol": "-1",
|
|
"security_group_id": "default-sg",
|
|
"self": false,
|
|
"cidr_blocks": []interface{}{"0.0.0.0/0"},
|
|
},
|
|
},
|
|
&resource.Resource{
|
|
Id: "dummy-ingress",
|
|
Type: aws.AwsSecurityGroupRuleResourceType,
|
|
Attrs: &resource.Attributes{
|
|
"type": "ingress",
|
|
"from_port": float64(22),
|
|
"to_port": float64(22),
|
|
"protocol": "tcp",
|
|
"security_group_id": "dummy-sg",
|
|
"cidr_blocks": []interface{}{"1.2.3.4/32"},
|
|
},
|
|
},
|
|
&resource.Resource{
|
|
Id: "dummy-egress",
|
|
Type: aws.AwsSecurityGroupRuleResourceType,
|
|
Attrs: &resource.Attributes{
|
|
"type": "egress",
|
|
"from_port": float64(0),
|
|
"to_port": float64(0),
|
|
"protocol": "-1",
|
|
"security_group_id": "dummy-sg",
|
|
"self": false,
|
|
"ipv6_cidr_blocks": []interface{}{"::/0"},
|
|
},
|
|
},
|
|
&resource.Resource{
|
|
Id: "default-egress-2",
|
|
Type: aws.AwsSecurityGroupRuleResourceType,
|
|
Attrs: &resource.Attributes{
|
|
"type": "egress",
|
|
"from_port": float64(0),
|
|
"to_port": float64(0),
|
|
"protocol": "-1",
|
|
"security_group_id": "dummy-sg",
|
|
"self": false,
|
|
"cidr_blocks": []interface{}{"0.0.0.0/0"},
|
|
},
|
|
},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
m := AwsDefaultSecurityGroupRule{}
|
|
if err := m.Execute(tt.remoteResources, tt.resourcesFromState); (err != nil) != tt.wantErr {
|
|
t.Errorf("Execute() error = %v, wantErr %v", err, tt.wantErr)
|
|
}
|
|
if !reflect.DeepEqual(tt.remoteResources, tt.expected) {
|
|
t.Fatalf("Expected results mismatch")
|
|
}
|
|
})
|
|
}
|
|
}
|