require "helper" require "inspec/resource" require "resources/aws/aws_kms_key" require "resource_support/aws" # MAKKSB = MockAwsKmsKeyBackend # Abbreviation not used outside this file TIME_NOW = Time.now #=============================================================================# # Constructor Tests #=============================================================================# class AwsKmsKeyConstructorTest < Minitest::Test def setup AwsKmsKey::BackendFactory.select(MAKKSB::Empty) end def test_rejects_empty_params assert_raises(ArgumentError) { AwsKmsKey.new } end def test_accepts_key_arn_as_scalar AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111") end def test_accepts_key_arn_as_hash AwsKmsKey.new(key_id: "arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111") end def test_rejects_unrecognized_params assert_raises(ArgumentError) { AwsKmsKey.new(invalid: 9) } end end #=============================================================================# # Search / Recall #=============================================================================# class AwsKmsKeyRecallTest < Minitest::Test def setup AwsKmsKey::BackendFactory.select(MAKKSB::Basic) end def test_search_hit_via_scalar_works assert AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").exists? end def test_search_hit_via_hash_works assert AwsKmsKey.new(key_id: "arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").exists? end def test_search_miss_is_not_an_exception refute AwsKmsKey.new(key_id: "non-existant").exists? end end #=============================================================================# # Properties #=============================================================================# class AwsKmsKeyPropertiesTest < Minitest::Test def setup AwsKmsKey::BackendFactory.select(MAKKSB::Basic) end def test_property_key_id assert_equal("7a6950aa-c8e6-4e51-8afc-111111111111", AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").key_id) end def test_property_arn assert_equal("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111", AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").arn) assert_nil(AwsKmsKey.new(key_id: "non-existant").arn) end def test_property_creation_date assert_equal(TIME_NOW - 10 * 24 * 3600, AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").creation_date) assert_nil(AwsKmsKey.new(key_id: "non-existant").creation_date) end def test_property_key_usage assert_equal("ENCRYPT_DECRYPT", AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").key_usage) assert_nil(AwsKmsKey.new(key_id: "non-existant").key_usage) end def test_property_key_state assert_equal("Enabled", AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").key_state) assert_nil(AwsKmsKey.new(key_id: "non-existant").key_state) end def test_property_description assert_equal("test-key-1-desc", AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").description) assert_nil(AwsKmsKey.new(key_id: "non-existant").description) end def test_property_deletion_time assert_equal(TIME_NOW + 10 * 24 * 3600, AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").deletion_time) assert_nil(AwsKmsKey.new(key_id: "non-existant").deletion_time) end def test_property_invalidation_time assert_nil(AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").invalidation_time) assert_nil(AwsKmsKey.new(key_id: "non-existant").invalidation_time) end def test_property_created_days_ago assert_equal(10, AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").created_days_ago) assert_nil(AwsKmsKey.new(key_id: "non-existant").created_days_ago) end end #=============================================================================# # Matchers #=============================================================================# class AwsKmsKeyMatchersTest < Minitest::Test def setup AwsKmsKey::BackendFactory.select(MAKKSB::Basic) end def test_matcher_enabled_positive assert AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").enabled? end def test_matcher_enabled_negative refute AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-222222222222").enabled? end def test_matcher_rotation_enabled_positive assert AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").has_rotation_enabled? end def test_matcher_rotation_enabled_negative refute AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-222222222222").has_rotation_enabled? end def test_matcher_external_positive assert AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-222222222222").external? end def test_matcher_external_negative refute AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").external? end def test_matcher_has_key_expiration_positive assert AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").has_key_expiration? end def test_matcher_has_key_expiration_negative refute AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-222222222222").has_key_expiration? end def test_matcher_has_aws_key_manager_positive assert AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").managed_by_aws? end def test_matcher_has_aws_key_manager_negative refute AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-222222222222").managed_by_aws? end end #=============================================================================# # Test Fixtures #=============================================================================# module MAKKSB class Empty < AwsBackendBase def describe_key(query) raise Aws::KMS::Errors::NotFoundException.new(nil, nil) end end class Basic < AwsBackendBase def describe_key(query) fixtures = [ OpenStruct.new({ key_id: "7a6950aa-c8e6-4e51-8afc-111111111111", arn: "arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111", creation_date: TIME_NOW - 10 * 24 * 3600, enabled: true, description: "test-key-1-desc", key_usage: "ENCRYPT_DECRYPT", key_state: "Enabled", deletion_date: TIME_NOW + 10 * 24 * 3600, valid_to: nil, origin: "AWS_KMS", expiration_model: "KEY_MATERIAL_EXPIRES", key_manager: "AWS", }), OpenStruct.new({ key_id: "7a6950aa-c8e6-4e51-8afc-222222222222", arn: "arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-222222222222", creation_date: TIME_NOW, enabled: false, description: "test-key-2-desc", key_usage: "", key_state: "PendingDeletion", deletion_date: nil, valid_to: nil, origin: "EXTERNAL", expiration_model: "KEY_MATERIAL_DOES_NOT_EXPIRE", key_manager: "CUSTOMER", }), ] selected = fixtures.detect do |fixture| fixture.arn == query[:key_id] end return OpenStruct.new({ key_metadata: selected }) unless selected.nil? raise Aws::KMS::Errors::NotFoundException.new(nil, nil) end def get_key_rotation_status(query) fixtures = [ OpenStruct.new({ arn: "arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111", key_rotation_enabled: true, }), OpenStruct.new({ arn: "arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-222222222222", key_rotation_enabled: false, }), ] selected = fixtures.detect do |fixture| fixture.arn == query[:key_id] end return selected unless selected.nil? raise Aws::KMS::Errors::NotFoundException.new(nil, nil) end end end