feat: added E2E negative tests for -q flag

noamd-legit · Nov 3, 2021 · 1f28569 · 1f28569
1 parent 8daf925
commit 1f28569
Show file tree

Hide file tree

Showing 6 changed files with 88 additions and 0 deletions.
diff --git a/...es/queries/invalid/invalid_metadata/terraform/athena_database_not_encrypted/metadata.json b/...es/queries/invalid/invalid_metadata/terraform/athena_database_not_encrypted/metadata.json
@@ -0,0 +1,10 @@
+{
+  "id": "b2315cae-b110-4426-81e0-80bb8640cddZ"
+  "queryName": "Athena Database Not Encrypted"
+  "severity": "high"
+  "category": "Encryption",
+  "descriptionText": "AWS Athena Database data in S3 should be encrypted",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_database#encryption_configuration",
+  "platform": "Terraform",
+  "descriptionID": "c90feea8"
+}
diff --git a/...mples/queries/invalid/invalid_metadata/terraform/athena_database_not_encrypted/query.rego b/...mples/queries/invalid/invalid_metadata/terraform/athena_database_not_encrypted/query.rego
@@ -0,0 +1,16 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+	resource := input.document[i].resource.aws_athena_database[name]
+	not common_lib.valid_key(resource, "encryption_configuration")
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("aws_athena_database[{{%s}}]", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("aws_athena_database[{{%s}}] encryption_configuration is defined", [name]),
+		"keyActualValue": sprintf("aws_athena_database[{{%s}}] encryption_configuration is missing", [name]),
+	}
+}
diff --git a/...mples/queries/invalid/missing_metadata/terraform/athena_database_not_encrypted/query.rego b/...mples/queries/invalid/missing_metadata/terraform/athena_database_not_encrypted/query.rego
@@ -0,0 +1,16 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+	resource := input.document[i].resource.aws_athena_database[name]
+	not common_lib.valid_key(resource, "encryption_configuration")
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("aws_athena_database[{{%s}}]", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("aws_athena_database[{{%s}}] encryption_configuration is defined", [name]),
+		"keyActualValue": sprintf("aws_athena_database[{{%s}}] encryption_configuration is missing", [name]),
+	}
+}
diff --git a/.../samples/queries/valid/single_query/terraform/athena_database_not_encrypted/metadata.json b/.../samples/queries/valid/single_query/terraform/athena_database_not_encrypted/metadata.json
@@ -0,0 +1,10 @@
+{
+  "id": "b2315cae-b110-4426-81e0-80bb8640cddZ",
+  "queryName": "Athena Database Not Encrypted",
+  "severity": "high",
+  "category": "Encryption",
+  "descriptionText": "AWS Athena Database data in S3 should be encrypted",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_database#encryption_configuration",
+  "platform": "Terraform",
+  "descriptionID": "c90feea8"
+}
diff --git a/...res/samples/queries/valid/single_query/terraform/athena_database_not_encrypted/query.rego b/...res/samples/queries/valid/single_query/terraform/athena_database_not_encrypted/query.rego
@@ -0,0 +1,16 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+	resource := input.document[i].resource.aws_athena_database[name]
+	not common_lib.valid_key(resource, "encryption_configuration")
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("aws_athena_database[{{%s}}]", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("aws_athena_database[{{%s}}] encryption_configuration is defined", [name]),
+		"keyActualValue": sprintf("aws_athena_database[{{%s}}] encryption_configuration is missing", [name]),
+	}
+}
diff --git a/e2e/testcases/e2e-cli-051_scan_custom-queries-path.go b/e2e/testcases/e2e-cli-051_scan_custom-queries-path.go
@@ -0,0 +1,20 @@
+package testcases
+
+// E2E-CLI-051 - Kics scan command with --queries-path
+// should load and execute queries found in the provided path
+func init() { //nolint
+	testSample := TestCase{
+		Name: "should load and execute queries from a custom path [E2E-CLI-051]",
+		Args: args{
+			Args: []cmdArgs{
+				[]string{"scan", "--queries-path", "fixtures/samples/queries/valid/single_query", "-p", "fixtures/samples/bom-positive.tf"},
+				[]string{"scan", "--queries-path", "fixtures/samples/queries/invalid/invalid_metadata", "-p", "fixtures/samples/bom-positive.tf"},
+				[]string{"scan", "--queries-path", "fixtures/samples/queries/invalid/missing_metadata", "-p", "fixtures/samples/bom-positive.tf"},
+				[]string{"scan", "--queries-path", "fixtures/samples/invalid_path", "-p", "fixtures/samples/bom-positive.tf"},
+			},
+		},
+		WantStatus: []int{50, 0, 0, 126},
+	}
+
+	Tests = append(Tests, testSample)
+}