test(cloudformation): add CF tests (aquasecurity#6315)
nikpivkin authored and fl0pp5 committed May 6, 2024
1 parent 7246eaf commit c9a2e1a
Showing 68 changed files with 2,660 additions and 349 deletions.
@@ -0,0 +1,54 @@
package accessanalyzer

import (
"testing"

"github.com/aquasecurity/trivy/pkg/iac/adapters/cloudformation/testutil"
"github.com/aquasecurity/trivy/pkg/iac/providers/aws/accessanalyzer"
"github.com/aquasecurity/trivy/pkg/iac/types"
)

func TestAdapt(t *testing.T) {
tests := []struct {
name string
source string
expected accessanalyzer.AccessAnalyzer
}{
{
name: "complete",
source: `AWSTemplateFormatVersion: 2010-09-09
Resources:
Analyzer:
Type: 'AWS::AccessAnalyzer::Analyzer'
Properties:
AnalyzerName: MyAccountAnalyzer
`,
expected: accessanalyzer.AccessAnalyzer{
Analyzers: []accessanalyzer.Analyzer{
{
Name: types.StringTest("MyAccountAnalyzer"),
},
},
},
},
{
name: "empty",
source: `AWSTemplateFormatVersion: 2010-09-09
Resources:
Analyzer:
Type: 'AWS::AccessAnalyzer::Analyzer'
`,
expected: accessanalyzer.AccessAnalyzer{
Analyzers: []accessanalyzer.Analyzer{
{},
},
},
},
}

for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
testutil.AdaptAndCompare(t, tt.source, tt.expected, Adapt)
})
}
}
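--- /dev/null
+++ b/pkg/iac/adapters/cloudformation/aws/apigateway/apigateway_test.go
@@ -0,0 +1,84 @@
+package apigateway
+
+import (
+"testing"
+
+"github.com/aquasecurity/trivy/pkg/iac/adapters/cloudformation/testutil"
+"github.com/aquasecurity/trivy/pkg/iac/providers/aws/apigateway"
+v2 "github.com/aquasecurity/trivy/pkg/iac/providers/aws/apigateway/v2"
+"github.com/aquasecurity/trivy/pkg/iac/types"
+)
+
+func TestAdapt(t *testing.T) {
+tests := []struct {
+name string
+source string
+expected apigateway.APIGateway
+}{
+{
+name: "complete",
+source: `AWSTemplateFormatVersion: 2010-09-09
+Resources:
+MyApi:
+Type: 'AWS::ApiGatewayV2::Api'
+Properties:
+Name: MyApi
+ProtocolType: WEBSOCKET
+MyStage:
+Type: 'AWS::ApiGatewayV2::Stage'
+Properties:
+StageName: Prod
+ApiId: !Ref MyApi
+AccessLogSettings:
+DestinationArn: some-arn
+`,
+expected: apigateway.APIGateway{
+V2: v2.APIGateway{
+APIs: []v2.API{
+{
+Name: types.StringTest("MyApi"),
+ProtocolType: types.StringTest("WEBSOCKET"),
+Stages: []v2.Stage{
+{
+Name: types.StringTest("Prod"),
+AccessLogging: v2.AccessLogging{
+CloudwatchLogGroupARN: types.StringTest("some-arn"),
+},
+},
+},
+},
+},
+},
+},
+},
+{
+name: "empty",
+source: `AWSTemplateFormatVersion: 2010-09-09
+Resources:
+MyApi:
+Type: 'AWS::ApiGatewayV2::Api'
+MyStage:
+Type: 'AWS::ApiGatewayV2::Stage'
+MyStage2:
+Type: 'AWS::ApiGatewayV2::Stage'
+Properties:
+ApiId: !Ref MyApi
+`,
+expected: apigateway.APIGateway{
+V2: v2.APIGateway{
+APIs: []v2.API{
+{
+Stages: []v2.Stage{{}},
+},
+},
+},
+},
+},
+}
+
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+testutil.AdaptAndCompare(t, tt.source, tt.expected, Adapt)
+})
+}
+}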
12 changes: 6 additions & 6 deletions pkg/iac/adapters/cloudformation/aws/apigateway/stage.go
Expand Up @@ -2,18 +2,18 @@ package apigateway

import (
v2 "github.com/aquasecurity/trivy/pkg/iac/providers/aws/apigateway/v2"
parser2 "github.com/aquasecurity/trivy/pkg/iac/scanners/cloudformation/parser"
"github.com/aquasecurity/trivy/pkg/iac/scanners/cloudformation/parser"
"github.com/aquasecurity/trivy/pkg/iac/types"
)

func getApis(cfFile parser2.FileContext) (apis []v2.API) {
func getApis(cfFile parser.FileContext) (apis []v2.API) {

apiResources := cfFile.GetResourcesByType("AWS::ApiGatewayV2::Api")
for _, apiRes := range apiResources {
api := v2.API{
Metadata: apiRes.Metadata(),
Name: types.StringDefault("", apiRes.Metadata()),
ProtocolType: types.StringDefault("", apiRes.Metadata()),
Name: apiRes.GetStringProperty("Name"),
ProtocolType: apiRes.GetStringProperty("ProtocolType"),
Stages: getStages(apiRes.ID(), cfFile),
}
apis = append(apis, api)
Expand All @@ -22,7 +22,7 @@ func getApis(cfFile parser2.FileContext) (apis []v2.API) {
return apis
}

func getStages(apiId string, cfFile parser2.FileContext) []v2.Stage {
func getStages(apiId string, cfFile parser.FileContext) []v2.Stage {
var apiStages []v2.Stage

stageResources := cfFile.GetResourcesByType("AWS::ApiGatewayV2::Stage")
Expand All @@ -43,7 +43,7 @@ func getStages(apiId string, cfFile parser2.FileContext) []v2.Stage {
return apiStages
}

func getAccessLogging(r *parser2.Resource) v2.AccessLogging {
func getAccessLogging(r *parser.Resource) v2.AccessLogging {

loggingProp := r.GetProperty("AccessLogSettings")
if loggingProp.IsNil() {
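Review bot: getApis now reads `Name` and `ProtocolType` straight from the resource (the two added lines in the first hunk), but none of the three helpers in this file carries a doc comment saying what it pairs together. A comment such as `// getApis adapts every AWS::ApiGatewayV2::Api resource in cfFile, attaching the stages whose ApiId refers to that API.` on getApis, and `// getStages returns the AWS::ApiGatewayV2::Stage resources whose ApiId refers to apiId.` on getStages, would spare the next reader a trip into getStages, whose matching logic sits outside these hunks (the pairing is inferred from the getStages(apiRes.ID(), cfFile) call and the new apigateway_test.go "empty" case, so confirm the wording against that body). The empty line directly after the getApis signature at the top of the first hunk is also worth dropping for consistency with getStages. getAccessLogging's body continues past the last hunk.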
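--- /dev/null
+++ b/pkg/iac/adapters/cloudformation/aws/athena/athena_test.go
@@ -0,0 +1,61 @@
+package athena
+
+import (
+"testing"
+
+"github.com/aquasecurity/trivy/pkg/iac/adapters/cloudformation/testutil"
+"github.com/aquasecurity/trivy/pkg/iac/providers/aws/athena"
+"github.com/aquasecurity/trivy/pkg/iac/types"
+)
+
+func TestAdapt(t *testing.T) {
+tests := []struct {
+name string
+source string
+expected athena.Athena
+}{
+{
+name: "complete",
+source: `AWSTemplateFormatVersion: 2010-09-09
+Resources:
+MyAthenaWorkGroup:
+Type: AWS::Athena::WorkGroup
+Properties:
+Name: MyCustomWorkGroup
+WorkGroupConfiguration:
+EnforceWorkGroupConfiguration: true
+ResultConfiguration:
+EncryptionOption: SSE_KMS
+`,
+expected: athena.Athena{
+Workgroups: []athena.Workgroup{
+{
+Name: types.StringTest("MyCustomWorkGroup"),
+EnforceConfiguration: types.BoolTest(true),
+Encryption: athena.EncryptionConfiguration{
+Type: types.StringTest("SSE_KMS"),
+},
+},
+},
+},
+},
+{
+name: "empty",
+source: `AWSTemplateFormatVersion: 2010-09-09
+Resources:
+MyAthenaWorkGroup:
+Type: AWS::Athena::WorkGroup
+`,
+expected: athena.Athena{
+Workgroups: []athena.Workgroup{{}},
+},
+},
+}
+
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+testutil.AdaptAndCompare(t, tt.source, tt.expected, Adapt)
+})
+}
+
+}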
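--- /dev/null
+++ b/pkg/iac/adapters/cloudformation/aws/cloudfront/cloudfront_test.go
@@ -0,0 +1,68 @@
+package cloudfront
+
+import (
+"testing"
+
+"github.com/aquasecurity/trivy/pkg/iac/adapters/cloudformation/testutil"
+"github.com/aquasecurity/trivy/pkg/iac/providers/aws/cloudfront"
+"github.com/aquasecurity/trivy/pkg/iac/types"
+)
+
+func TestAdapt(t *testing.T) {
+tests := []struct {
+name string
+source string
+expected cloudfront.Cloudfront
+}{
+{
+name: "complete",
+source: `AWSTemplateFormatVersion: 2010-09-09
+Resources:
+cloudfrontdistribution:
+Type: AWS::CloudFront::Distribution
+Properties:
+DistributionConfig:
+WebACLId: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
+Logging:
+Bucket: "myawslogbucket.s3.amazonaws.com"
+ViewerCertificate:
+MinimumProtocolVersion: SSLv3
+DefaultCacheBehavior:
+ViewerProtocolPolicy: "redirect-to-https"
+`,
+expected: cloudfront.Cloudfront{
+Distributions: []cloudfront.Distribution{
+{
+WAFID: types.StringTest("a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"),
+Logging: cloudfront.Logging{
+Bucket: types.StringTest("myawslogbucket.s3.amazonaws.com"),
+},
+ViewerCertificate: cloudfront.ViewerCertificate{
+MinimumProtocolVersion: types.StringTest("SSLv3"),
+},
+DefaultCacheBehaviour: cloudfront.CacheBehaviour{
+ViewerProtocolPolicy: types.StringTest("redirect-to-https"),
+},
+},
+},
+},
+},
+{
+name: "empty",
+source: `AWSTemplateFormatVersion: 2010-09-09
+Resources:
+cloudfrontdistribution:
+Type: AWS::CloudFront::Distribution
+`,
+expected: cloudfront.Cloudfront{
+Distributions: []cloudfront.Distribution{{}},
+},
+},
+}
+
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+testutil.AdaptAndCompare(t, tt.source, tt.expected, Adapt)
+})
+}
+}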
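Review bot: Neither case exercises a DefaultCacheBehavior whose ViewerProtocolPolicy is not a plain string (an intrinsic such as `!Ref`), the path the adapter in distribution.go previously handled through an explicit IsNotString branch and now leaves to GetStringProperty. A third case with `ViewerProtocolPolicy: !Ref SomeParam` and the value the adapter is expected to produce would pin that behaviour instead of leaving it to the helper's unstated fallback. The "empty" case also fixes that no default policy is reported when DefaultCacheBehavior is omitted; a short comment on that case stating that the adapter is expected to yield an empty ViewerProtocolPolicy rather than `allow-all` would make the intent explicit for the next reader.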
22 changes: 6 additions & 16 deletions pkg/iac/adapters/cloudformation/aws/cloudfront/distribution.go
Expand Up @@ -2,11 +2,10 @@ package cloudfront

import (
"github.com/aquasecurity/trivy/pkg/iac/providers/aws/cloudfront"
parser2 "github.com/aquasecurity/trivy/pkg/iac/scanners/cloudformation/parser"
"github.com/aquasecurity/trivy/pkg/iac/types"
"github.com/aquasecurity/trivy/pkg/iac/scanners/cloudformation/parser"
)

func getDistributions(ctx parser2.FileContext) (distributions []cloudfront.Distribution) {
func getDistributions(ctx parser.FileContext) (distributions []cloudfront.Distribution) {

distributionResources := ctx.GetResourcesByType("AWS::CloudFront::Distribution")

Expand All @@ -32,24 +31,15 @@ func getDistributions(ctx parser2.FileContext) (distributions []cloudfront.Distr
return distributions
}

func getDefaultCacheBehaviour(r *parser2.Resource) cloudfront.CacheBehaviour {
func getDefaultCacheBehaviour(r *parser.Resource) cloudfront.CacheBehaviour {
defaultCache := r.GetProperty("DistributionConfig.DefaultCacheBehavior")
if defaultCache.IsNil() {
return cloudfront.CacheBehaviour{
Metadata: r.Metadata(),
ViewerProtocolPolicy: types.StringDefault("allow-all", r.Metadata()),
}
}
protoProp := r.GetProperty("DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy")
if protoProp.IsNotString() {
return cloudfront.CacheBehaviour{
Metadata: r.Metadata(),
ViewerProtocolPolicy: types.StringDefault("allow-all", r.Metadata()),
Metadata: r.Metadata(),
}
}

return cloudfront.CacheBehaviour{
Metadata: r.Metadata(),
ViewerProtocolPolicy: protoProp.AsStringValue(),
Metadata: defaultCache.Metadata(),
ViewerProtocolPolicy: defaultCache.GetStringProperty("ViewerProtocolPolicy"),
}
}
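Review bot: The rewritten getDefaultCacheBehaviour drops the `allow-all` fallback on the nil-property path and removes the former IsNotString branch entirely, so a distribution whose DefaultCacheBehavior is missing, or whose ViewerProtocolPolicy is not a plain string, now carries an empty ViewerProtocolPolicy instead of the permissive value the previous code reported. If the downstream check only recognises the literal `allow-all`, such templates stop being reported, and the new "empty" case in cloudfront_test.go pins that quieter result. If the fallback was intentional, keep it on the nil path with `ViewerProtocolPolicy: types.StringDefault("allow-all", r.Metadata()),`, which would also need the `types` import back in the first hunk. Whether GetStringProperty itself substitutes a default for non-string values is not visible here and should be confirmed. getDistributions starts in the first hunk but its body runs outside it.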
