Mirrors/trufflehog
2
0
Fork 0
mirror of https://github.com/trufflesecurity/trufflehog.git synced 2024-11-15 01:17:34 +00:00
Code Issues Projects Releases Packages Wiki Activity
trufflehog/pkg/sources/s3/s3_integration_test.go

219 lines
5.4 KiB
Go
Raw Normal View History

[bug] - copy chunk before sending on chunksChan (#1633) * Redclare chunk before sending on chunksChan. * add integration test. * update test.
2023-08-16 23:36:38 +00:00
//go:build integration
// +build integration
package s3
import (
Validate S3 source (#1715) This PR adds S3 source validation. This is accomplished by factoring out common "bucket visiting" logic to be used by both scanning and validation.
2023-09-05 14:18:58 +00:00
"fmt"
"sync"
[bug] - copy chunk before sending on chunksChan (#1633) * Redclare chunk before sending on chunksChan. * add integration test. * update test.
2023-08-16 23:36:38 +00:00
"testing"
"time"
"github.com/stretchr/testify/assert"
[fix] - Inadvertent s3 body close (#3491) * fix object retrival * update comment
2024-10-22 02:54:06 +00:00
"google.golang.org/protobuf/types/known/anypb"
Validate S3 source (#1715) This PR adds S3 source validation. This is accomplished by factoring out common "bucket visiting" logic to be used by both scanning and validation.
2023-09-05 14:18:58 +00:00
"github.com/trufflesecurity/trufflehog/v3/pkg/common"
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/credentialspb"
[bug] - copy chunk before sending on chunksChan (#1633) * Redclare chunk before sending on chunksChan. * add integration test. * update test.
2023-08-16 23:36:38 +00:00
"github.com/trufflesecurity/trufflehog/v3/pkg/context"
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/sourcespb"
"github.com/trufflesecurity/trufflehog/v3/pkg/sources"
)
func TestSource_ChunksCount(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), time.Second*30)
defer cancel()
s := Source{}
connection := &sourcespb.S3{
Credential: &sourcespb.S3_Unauthenticated{},
Buckets: []string{"truffletestbucket"},
}
conn, err := anypb.New(connection)
if err != nil {
t.Fatal(err)
}
err = s.Init(ctx, "test name", 0, 0, false, conn, 1)
chunksCh := make(chan *sources.Chunk)
go func() {
defer close(chunksCh)
err = s.Chunks(ctx, chunksCh)
assert.Nil(t, err)
}()
Add naive S3 ignorelist (#2536) This PR adds the ability to exclude buckets from S3 scans. The capability is pretty rudimentary right now, and does not support globbing. If both lists are specified the source to fail to initialize.
2024-03-05 13:01:20 +00:00
wantChunkCount := 102
[bug] - copy chunk before sending on chunksChan (#1633) * Redclare chunk before sending on chunksChan. * add integration test. * update test.
2023-08-16 23:36:38 +00:00
got := 0
for range chunksCh {
got++
}
assert.Greater(t, got, wantChunkCount)
}
Validate S3 source (#1715) This PR adds S3 source validation. This is accomplished by factoring out common "bucket visiting" logic to be used by both scanning and validation.
2023-09-05 14:18:58 +00:00
[fix] - Inadvertent s3 body close (#3491) * fix object retrival * update comment
2024-10-22 02:54:06 +00:00
func TestSource_ChunksLarge(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), time.Second*30)
defer cancel()
s := Source{}
connection := &sourcespb.S3{
Credential: &sourcespb.S3_Unauthenticated{},
Buckets: []string{"trufflesec-ahrav-test"},
}
conn, err := anypb.New(connection)
if err != nil {
t.Fatal(err)
}
err = s.Init(ctx, "test name", 0, 0, false, conn, 1)
chunksCh := make(chan *sources.Chunk)
go func() {
defer close(chunksCh)
err = s.Chunks(ctx, chunksCh)
assert.Nil(t, err)
}()
wantChunkCount := 9637
got := 0
for range chunksCh {
got++
}
assert.Equal(t, got, wantChunkCount)
}
Validate S3 source (#1715) This PR adds S3 source validation. This is accomplished by factoring out common "bucket visiting" logic to be used by both scanning and validation.
2023-09-05 14:18:58 +00:00
func TestSource_Validate(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), time.Second*15)
defer cancel()
secret, err := common.GetTestSecret(ctx)
if err != nil {
t.Fatal(fmt.Errorf("failed to access secret: %v", err))
}
s3key := secret.MustGetField("AWS_S3_KEY")
s3secret := secret.MustGetField("AWS_S3_SECRET")
tests := []struct {
Add naive S3 ignorelist (#2536) This PR adds the ability to exclude buckets from S3 scans. The capability is pretty rudimentary right now, and does not support globbing. If both lists are specified the source to fail to initialize.
2024-03-05 13:01:20 +00:00
name string
roles []string
buckets []string
ignoreBuckets []string
wantErrCount int
Validate S3 source (#1715) This PR adds S3 source validation. This is accomplished by factoring out common "bucket visiting" logic to be used by both scanning and validation.
2023-09-05 14:18:58 +00:00
}{
{
name: "buckets without roles, can access all buckets",
buckets: []string{
"truffletestbucket-s3-tests",
},
wantErrCount: 0,
},
{
name: "buckets without roles, one error per inaccessible bucket",
buckets: []string{
"truffletestbucket-s3-tests",
"truffletestbucket-s3-role-assumption",
"truffletestbucket-no-access",
},
wantErrCount: 2,
},
Add naive S3 ignorelist (#2536) This PR adds the ability to exclude buckets from S3 scans. The capability is pretty rudimentary right now, and does not support globbing. If both lists are specified the source to fail to initialize.
2024-03-05 13:01:20 +00:00
{
// As of the time of this writing the account has six inaccessible buckets. If that is changed, this test
// will break. This test was written to balance between speed of implementation and robustness.
name: "ignored buckets, one error per inaccessible bucket",
ignoreBuckets: []string{
"trufflebucketforall",
"truffletestbucket-no-access",
"truffletestbucket-roleassumption",
"truffletestbucket-s3-role-assumption",
},
wantErrCount: 2,
},
Validate S3 source (#1715) This PR adds S3 source validation. This is accomplished by factoring out common "bucket visiting" logic to be used by both scanning and validation.
2023-09-05 14:18:58 +00:00
{
name: "roles without buckets, all can access at least one account bucket",
roles: []string{
"arn:aws:iam::619888638459:role/s3-test-assume-role",
},
wantErrCount: 0,
},
{
name: "roles without buckets, one error per role that cannot access any account buckets",
roles: []string{
"arn:aws:iam::619888638459:role/s3-test-assume-role",
"arn:aws:iam::619888638459:role/test-no-access",
},
wantErrCount: 1,
},
{
name: "role and buckets, can access at least one bucket",
roles: []string{
"arn:aws:iam::619888638459:role/s3-test-assume-role",
},
buckets: []string{
"truffletestbucket-s3-role-assumption",
"truffletestbucket-no-access",
},
wantErrCount: 0,
},
{
name: "roles and buckets, one error per role that cannot access at least one bucket",
roles: []string{
"arn:aws:iam::619888638459:role/s3-test-assume-role",
"arn:aws:iam::619888638459:role/test-no-access",
},
buckets: []string{
"truffletestbucket-s3-role-assumption",
"truffletestbucket-no-access",
},
wantErrCount: 1,
},
{
name: "role and buckets, a bucket doesn't even exist",
roles: []string{
"arn:aws:iam::619888638459:role/s3-test-assume-role",
},
buckets: []string{
"truffletestbucket-s3-role-assumption",
"not-a-real-bucket-asljdhmglasjgvklhsdaljfh", // need a bucket name that nobody is likely to ever create
},
wantErrCount: 1,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), time.Second*15)
var cancelOnce sync.Once
defer cancelOnce.Do(cancel)
s := &Source{}
Use S3 credentials waterfall (#1823) This PR updates the S3 source to use explicitly configured credentials if they're available and follow the normal AWS credentials waterfall if they're not. This is irrespective of whether role assumption is configured. This changes the previous behavior, which was to use waterfall credentials only if role assumption was configured and explicitly configured credentials only when it was not.
2023-09-27 20:57:47 +00:00
// As of this writing, credentials set in the environment or the on-disk credentials file also work, but I
// couldn't figure out how to write automated tests for those cases that weren't ugly as sin.
Validate S3 source (#1715) This PR adds S3 source validation. This is accomplished by factoring out common "bucket visiting" logic to be used by both scanning and validation.
2023-09-05 14:18:58 +00:00
conn, err := anypb.New(&sourcespb.S3{
Credential: &sourcespb.S3_AccessKey{
AccessKey: &credentialspb.KeySecret{
Key: s3key,
Secret: s3secret,
},
},
Add naive S3 ignorelist (#2536) This PR adds the ability to exclude buckets from S3 scans. The capability is pretty rudimentary right now, and does not support globbing. If both lists are specified the source to fail to initialize.
2024-03-05 13:01:20 +00:00
Buckets: tt.buckets,
IgnoreBuckets: tt.ignoreBuckets,
Roles: tt.roles,
Validate S3 source (#1715) This PR adds S3 source validation. This is accomplished by factoring out common "bucket visiting" logic to be used by both scanning and validation.
2023-09-05 14:18:58 +00:00
})
if err != nil {
t.Fatal(err)
}
err = s.Init(ctx, tt.name, 0, 0, false, conn, 0)
if err != nil {
t.Fatal(err)
}
errs := s.Validate(ctx)
assert.Equal(t, tt.wantErrCount, len(errs))
})
}
}
Reference in a new issue Copy permalink