test: add functional tests

Signed-off-by: Nikita Pivkin <[email protected]>
aquasecurity · Aug 20, 2024 · da443a2 · da443a2
1 parent b03d640
commit da443a2
Show file tree

Hide file tree

Showing 4 changed files with 401 additions and 0 deletions.
diff --git a/test/rego/azure_appservice_test.go b/test/rego/azure_appservice_test.go
@@ -0,0 +1,197 @@
+package test
+
+import (
+	"github.com/aquasecurity/trivy/pkg/iac/providers/azure"
+	"github.com/aquasecurity/trivy/pkg/iac/providers/azure/appservice"
+	"github.com/aquasecurity/trivy/pkg/iac/state"
+	trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
+)
+
+var azureAppServiceTestCases = testCases{
+	"AVD-AZU-0002": {
+		{
+			name: "App service identity not registered",
+			input: state.State{Azure: azure.Azure{AppService: appservice.AppService{
+				Services: []appservice.Service{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						Identity: struct{ Type trivyTypes.StringValue }{
+							Type: trivyTypes.String("", trivyTypes.NewTestMetadata()),
+						},
+					},
+				},
+			}}},
+			expected: true,
+		},
+		{
+			name: "App service identity registered",
+			input: state.State{Azure: azure.Azure{AppService: appservice.AppService{
+				Services: []appservice.Service{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						Identity: struct{ Type trivyTypes.StringValue }{
+							Type: trivyTypes.String("UserAssigned", trivyTypes.NewTestMetadata()),
+						},
+					},
+				},
+			}}},
+			expected: false,
+		},
+	},
+	"AVD-AZU-0003": {
+		{
+			name: "App service authentication disabled",
+			input: state.State{Azure: azure.Azure{AppService: appservice.AppService{
+				Services: []appservice.Service{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						Authentication: struct{ Enabled trivyTypes.BoolValue }{
+							Enabled: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+						},
+					},
+				},
+			}}},
+			expected: true,
+		},
+		{
+			name: "App service authentication enabled",
+			input: state.State{Azure: azure.Azure{AppService: appservice.AppService{
+				Services: []appservice.Service{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						Authentication: struct{ Enabled trivyTypes.BoolValue }{
+							Enabled: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+						},
+					},
+				},
+			}}},
+			expected: false,
+		},
+	},
+	"AVD-AZU-0005": {
+		{
+			name: "HTTP2 disabled",
+			input: state.State{Azure: azure.Azure{AppService: appservice.AppService{
+				Services: []appservice.Service{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						Site: struct {
+							EnableHTTP2       trivyTypes.BoolValue
+							MinimumTLSVersion trivyTypes.StringValue
+						}{
+							EnableHTTP2: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+						},
+					},
+				},
+			}}},
+			expected: true,
+		},
+		{
+			name: "HTTP2 enabled",
+			input: state.State{Azure: azure.Azure{AppService: appservice.AppService{
+				Services: []appservice.Service{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						Site: struct {
+							EnableHTTP2       trivyTypes.BoolValue
+							MinimumTLSVersion trivyTypes.StringValue
+						}{
+							EnableHTTP2: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+						},
+					},
+				},
+			}}},
+			expected: false,
+		},
+	},
+	"AVD-AZU-0004": {
+		{
+			name: "Function app doesn't enforce HTTPS",
+			input: state.State{Azure: azure.Azure{AppService: appservice.AppService{
+				FunctionApps: []appservice.FunctionApp{
+					{
+						Metadata:  trivyTypes.NewTestMetadata(),
+						HTTPSOnly: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+					},
+				},
+			}}},
+			expected: true,
+		},
+		{
+			name: "Function app enforces HTTPS",
+			input: state.State{Azure: azure.Azure{AppService: appservice.AppService{
+				FunctionApps: []appservice.FunctionApp{
+					{
+						Metadata:  trivyTypes.NewTestMetadata(),
+						HTTPSOnly: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+					},
+				},
+			}}},
+			expected: false,
+		},
+	},
+	"AVD-AZU-0001": {
+		{
+			name: "App service client certificate disabled",
+			input: state.State{Azure: azure.Azure{AppService: appservice.AppService{
+				Services: []appservice.Service{
+					{
+						Metadata:         trivyTypes.NewTestMetadata(),
+						EnableClientCert: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+					},
+				},
+			}}},
+			expected: true,
+		},
+		{
+			name: "App service client certificate enabled",
+			input: state.State{Azure: azure.Azure{AppService: appservice.AppService{
+				Services: []appservice.Service{
+					{
+						Metadata:         trivyTypes.NewTestMetadata(),
+						EnableClientCert: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+					},
+				},
+			}}},
+			expected: false,
+		},
+	},
+	"AVD-AZU-0006": {
+		{
+			name: "Minimum TLS version TLS1_0",
+			input: state.State{Azure: azure.Azure{AppService: appservice.AppService{
+				Services: []appservice.Service{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						Site: struct {
+							EnableHTTP2       trivyTypes.BoolValue
+							MinimumTLSVersion trivyTypes.StringValue
+						}{
+							EnableHTTP2:       trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+							MinimumTLSVersion: trivyTypes.String("1.0", trivyTypes.NewTestMetadata()),
+						},
+					},
+				},
+			}}},
+			expected: true,
+		},
+		{
+			name: "Minimum TLS version TLS1_2",
+			input: state.State{Azure: azure.Azure{AppService: appservice.AppService{
+				Services: []appservice.Service{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						Site: struct {
+							EnableHTTP2       trivyTypes.BoolValue
+							MinimumTLSVersion trivyTypes.StringValue
+						}{
+							EnableHTTP2:       trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+							MinimumTLSVersion: trivyTypes.String("1.2", trivyTypes.NewTestMetadata()),
+						},
+					},
+				},
+			}}},
+			expected: false,
+		},
+	},
+}
diff --git a/test/rego/azure_authorization_test.go b/test/rego/azure_authorization_test.go
@@ -0,0 +1,57 @@
+package test
+
+import (
+	"github.com/aquasecurity/trivy/pkg/iac/providers/azure"
+	"github.com/aquasecurity/trivy/pkg/iac/providers/azure/authorization"
+	"github.com/aquasecurity/trivy/pkg/iac/state"
+	trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
+)
+
+var azureAuthorizationTestCases = testCases{
+	"AVD-AZU-0030": {
+		{
+			name: "Wildcard action with all scopes",
+			input: state.State{Azure: azure.Azure{Authorization: authorization.Authorization{
+				RoleDefinitions: []authorization.RoleDefinition{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						Permissions: []authorization.Permission{
+							{
+								Metadata: trivyTypes.NewTestMetadata(),
+								Actions: []trivyTypes.StringValue{
+									trivyTypes.String("*", trivyTypes.NewTestMetadata()),
+								},
+							},
+						},
+						AssignableScopes: []trivyTypes.StringValue{
+							trivyTypes.String("/", trivyTypes.NewTestMetadata()),
+						},
+					},
+				},
+			}}},
+			expected: true,
+		},
+		{
+			name: "Wildcard action with specific scope",
+			input: state.State{Azure: azure.Azure{Authorization: authorization.Authorization{
+				RoleDefinitions: []authorization.RoleDefinition{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						Permissions: []authorization.Permission{
+							{
+								Metadata: trivyTypes.NewTestMetadata(),
+								Actions: []trivyTypes.StringValue{
+									trivyTypes.String("*", trivyTypes.NewTestMetadata()),
+								},
+							},
+						},
+						AssignableScopes: []trivyTypes.StringValue{
+							trivyTypes.String("proper-scope", trivyTypes.NewTestMetadata()),
+						},
+					},
+				},
+			}}},
+			expected: false,
+		},
+	},
+}
diff --git a/test/rego/azure_container_test.go b/test/rego/azure_container_test.go
@@ -0,0 +1,143 @@
+package test
+
+import (
+	"github.com/aquasecurity/trivy/pkg/iac/providers/azure"
+	"github.com/aquasecurity/trivy/pkg/iac/providers/azure/container"
+	"github.com/aquasecurity/trivy/pkg/iac/state"
+	trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
+)
+
+var azureContainerTestCases = testCases{
+	"AVD-AZU-0043": {
+		{
+			name: "Cluster missing network policy configuration",
+			input: state.State{Azure: azure.Azure{Container: container.Container{
+				KubernetesClusters: []container.KubernetesCluster{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						NetworkProfile: container.NetworkProfile{
+							Metadata:      trivyTypes.NewTestMetadata(),
+							NetworkPolicy: trivyTypes.String("", trivyTypes.NewTestMetadata()),
+						},
+					},
+				},
+			}}},
+			expected: true,
+		},
+		{
+			name: "Cluster with network policy configured",
+			input: state.State{Azure: azure.Azure{Container: container.Container{
+				KubernetesClusters: []container.KubernetesCluster{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						NetworkProfile: container.NetworkProfile{
+							Metadata:      trivyTypes.NewTestMetadata(),
+							NetworkPolicy: trivyTypes.String("calico", trivyTypes.NewTestMetadata()),
+						},
+					},
+				},
+			}}},
+			expected: false,
+		},
+	},
+	"AVD-AZU-0041": {
+		{
+			name: "API server authorized IP ranges undefined",
+			input: state.State{Azure: azure.Azure{Container: container.Container{
+				KubernetesClusters: []container.KubernetesCluster{
+					{
+						Metadata:                    trivyTypes.NewTestMetadata(),
+						EnablePrivateCluster:        trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+						APIServerAuthorizedIPRanges: []trivyTypes.StringValue{},
+					},
+				},
+			}}},
+			expected: true,
+		},
+		{
+			name: "API server authorized IP ranges defined",
+			input: state.State{Azure: azure.Azure{Container: container.Container{
+				KubernetesClusters: []container.KubernetesCluster{
+					{
+						Metadata:             trivyTypes.NewTestMetadata(),
+						EnablePrivateCluster: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+						APIServerAuthorizedIPRanges: []trivyTypes.StringValue{
+							trivyTypes.String("1.2.3.4/32", trivyTypes.NewTestMetadata()),
+						},
+					},
+				},
+			}}},
+			expected: false,
+		},
+	},
+	"AVD-AZU-0040": {
+		{
+			name: "Logging via OMS agent disabled",
+			input: state.State{Azure: azure.Azure{Container: container.Container{
+				KubernetesClusters: []container.KubernetesCluster{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						AddonProfile: container.AddonProfile{
+							Metadata: trivyTypes.NewTestMetadata(),
+							OMSAgent: container.OMSAgent{
+								Metadata: trivyTypes.NewTestMetadata(),
+								Enabled:  trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+							},
+						},
+					},
+				},
+			}}},
+			expected: true,
+		},
+		{
+			name: "Logging via OMS agent enabled",
+			input: state.State{Azure: azure.Azure{Container: container.Container{
+				KubernetesClusters: []container.KubernetesCluster{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						AddonProfile: container.AddonProfile{
+							Metadata: trivyTypes.NewTestMetadata(),
+							OMSAgent: container.OMSAgent{
+								Metadata: trivyTypes.NewTestMetadata(),
+								Enabled:  trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+							},
+						},
+					},
+				},
+			}}},
+			expected: false,
+		},
+	},
+	"AVD-AZU-0042": {
+		{
+			name: "Role based access control disabled",
+			input: state.State{Azure: azure.Azure{Container: container.Container{
+				KubernetesClusters: []container.KubernetesCluster{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						RoleBasedAccessControl: container.RoleBasedAccessControl{
+							Metadata: trivyTypes.NewTestMetadata(),
+							Enabled:  trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+						},
+					},
+				},
+			}}},
+			expected: true,
+		},
+		{
+			name: "Role based access control enabled",
+			input: state.State{Azure: azure.Azure{Container: container.Container{
+				KubernetesClusters: []container.KubernetesCluster{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						RoleBasedAccessControl: container.RoleBasedAccessControl{
+							Metadata: trivyTypes.NewTestMetadata(),
+							Enabled:  trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+						},
+					},
+				},
+			}}},
+			expected: false,
+		},
+	},
+}