851 lint aws tests (#884)

ShiriMoran · web-flow · commit d84416f037bb · 2024-09-23T10:11:00.000+03:00
diff --git a/pkg/awsvpc/examples/out/lint_out/aws_acl1_Lint b/pkg/awsvpc/examples/out/lint_out/aws_acl1_Lint
@@ -0,0 +1,27 @@
+"Blocked TCP response" issues:
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In the connection from "prod_vpc/proxy1[10.240.0.9]" to "prod_vpc/proxy2[10.240.2.24]" TCP src-ports: 1-9079,9081-65535 response is blocked
+________________________________________________________________________________________________________________________________________________________________________________________________________
+
+"Network ACL rules shadowed by higher priority rules" issues:
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In VPC "VpcId:42", network ACL "NetworkAclId:45" rule is shadowed by a higher priority rule
+	Rule details: ruleNumber: 32767, action: deny, direction: inbound, cidr: 0.0.0.0/0, protocol: all
+		Shadowing rule: ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, protocol: all
+
+In VPC "VpcId:42", network ACL "NetworkAclId:45" rule is shadowed by a higher priority rule
+	Rule details: ruleNumber: 32767, action: deny, direction: outbound, cidr: 0.0.0.0/0, protocol: all
+		Shadowing rule: ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, protocol: all
+
+In VPC "prod_vpc", network ACL "NetworkAclId:54" rule is shadowed by a higher priority rule
+	Rule details: ruleNumber: 32767, action: deny, direction: inbound, cidr: 0.0.0.0/0, protocol: all
+		Shadowing rule: ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, protocol: all
+
+... (1 more)
+
+________________________________________________________________________________________________________________________________________________________________________________________________________
+
+"SG not applied to any resources" issues:
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In VPC "VpcId:42", security group "GroupId:58" has no resources attached to it
+In VPC "prod_vpc", security group "GroupId:61" has no resources attached to it
diff --git a/pkg/awsvpc/examples/out/lint_out/aws_mixed_Lint b/pkg/awsvpc/examples/out/lint_out/aws_mixed_Lint
@@ -0,0 +1,36 @@
+"Blocked TCP response" issues:
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In the connection from "Public Internet 147.235.0.0/16" to "mixed/p1[10.240.3.70]" TCP src-ports: 1-1024,5001-65535 dst-ports: 9080 response is blocked
+In the connection from "Public Internet 147.235.0.0/16" to "mixed/p3[10.240.0.96]" TCP src-ports: 1-1024,5001-65535 dst-ports: 9080 response is blocked
+In the connection from "mixed/p1[10.240.3.70]" to "Public Internet 147.235.0.0/16" TCP src-ports: 1-9079,9081-65535 dst-ports: 1025-5000 response is blocked
+... (1 more)
+
+________________________________________________________________________________________________________________________________________________________________________________________________________
+
+"Network ACL not applied to any resources" issues:
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In VPC "mixed", network ACL "NetworkAclId:45" has no resources attached to it
+________________________________________________________________________________________________________________________________________________________________________________________________________
+
+"Network ACL rules shadowed by higher priority rules" issues:
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In VPC "VpcId:44", network ACL "NetworkAclId:46" rule is shadowed by a higher priority rule
+	Rule details: ruleNumber: 32767, action: deny, direction: inbound, cidr: 0.0.0.0/0, protocol: all
+		Shadowing rule: ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, protocol: all
+
+In VPC "VpcId:44", network ACL "NetworkAclId:46" rule is shadowed by a higher priority rule
+	Rule details: ruleNumber: 32767, action: deny, direction: outbound, cidr: 0.0.0.0/0, protocol: all
+		Shadowing rule: ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, protocol: all
+
+In VPC "mixed", network ACL "NetworkAclId:45" rule is shadowed by a higher priority rule
+	Rule details: ruleNumber: 32767, action: deny, direction: inbound, cidr: 0.0.0.0/0, protocol: all
+		Shadowing rule: ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, protocol: all
+
+... (1 more)
+
+________________________________________________________________________________________________________________________________________________________________________________________________________
+
+"SG not applied to any resources" issues:
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In VPC "VpcId:44", security group "GroupId:60" has no resources attached to it
+In VPC "mixed", security group "GroupId:57" has no resources attached to it
diff --git a/pkg/awsvpc/examples/out/lint_out/aws_sg_1_Lint b/pkg/awsvpc/examples/out/lint_out/aws_sg_1_Lint
@@ -0,0 +1,8 @@
+"SGs implying different connectivity for endpoints inside a subnet" issues:
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In VPC "vpc0", security group "GroupId:27" rule splits subnet "application" (10.240.20.0/24).
+	Rule details: Inbound index: 0, direction: inbound, target: 10.240.20.43/32, 10.240.20.245/32, 10.240.40.0/24, protocol: all
+In VPC "vpc0", security group "GroupId:42" rule splits subnet "db" (10.240.30.0/24).
+	Rule details: Outbound index: 0, direction: outbound, target: 10.240.30.33, protocol: tcp, dstPorts: 0-65535
+In VPC "vpc0", security group "GroupId:42" rule splits subnet "edge" (10.240.10.0/24).
+	Rule details: Inbound index: 1, direction: inbound, target: 10.240.10.42, protocol: tcp, dstPorts: 9080-9080
diff --git a/pkg/awsvpc/lint_test.go b/pkg/awsvpc/lint_test.go
@@ -0,0 +1,65 @@
+/*
+Copyright 2023- IBM Inc. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package awsvpc
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/np-guard/vpc-network-config-analyzer/pkg/commonvpc"
+)
+
+var lintTests = []*commonvpc.VpcGeneralTest{
+	{
+		Name:        "aws_acl1",
+		InputConfig: "aws_acl_1",
+		Enable:      []string{"sg-split-subnet"},
+	},
+	{
+		Name:        "aws_mixed",
+		InputConfig: "aws_mixed",
+		Enable:      []string{"sg-split-subnet"},
+	},
+	{
+		Name:        "aws_sg_1",
+		InputConfig: "aws_sg_1",
+		Enable:      []string{"sg-split-subnet"},
+		Disable: []string{"nacl-split-subnet", "subnet-cidr-overlap", "nacl-unattached",
+			"sg-unattached", "sg-rule-cidr-out-of-range", "nacl-rule-cidr-out-of-range",
+			"tcp-response-blocked", "sg-rule-implied", "nacl-rule-shadowed"},
+	},
+}
+
+func TestAllLint(t *testing.T) {
+	// lintTests is the list of tests to run
+	for testIdx := range lintTests {
+		tt := lintTests[testIdx]
+		tt.Mode = commonvpc.OutputComparison
+		t.Run(tt.Name, func(t *testing.T) {
+			t.Parallel()
+			rc := &AWSresourcesContainer{}
+			commonvpc.RunLintTest(tt, t, rc)
+		})
+	}
+	fmt.Println("done")
+}
+
+// uncomment the function below for generating the expected output files instead of comparing
+
+/*func TestAllLintWithGeneration(t *testing.T) {
+	// tests is the list of tests to run
+	for testIdx := range lintTests {
+		tt := lintTests[testIdx]
+		tt.Mode = commonvpc.OutputGeneration
+		t.Run(tt.Name, func(t *testing.T) {
+			t.Parallel()
+			rc := &AWSresourcesContainer{}
+			commonvpc.RunLintTest(tt, t, rc)
+		})
+	}
+	fmt.Println("done")
+}*/
