Revised keyVaultSecretExpiryNonRbac

aquasecurity · Nov 6, 2024 · d83a461 · d83a461
1 parent 262aa08
commit d83a461
Showing 1 changed file with 23 additions and 5 deletions.
diff --git a/plugins/azure/keyvaults/keyVaultSecretExpiryNonRbac.spec.js b/plugins/azure/keyvaults/keyVaultSecretExpiryNonRbac.spec.js
@@ -1,5 +1,5 @@
 var expect = require('chai').expect;
-var auth = require('./keyVaultSecretExpiry');
+var auth = require('./keyVaultSecretExpiryNonRbac');
 
 var secretExpiryPass = new Date();
 secretExpiryPass.setMonth(secretExpiryPass.getMonth() + 2);
@@ -20,9 +20,12 @@ const listKeyVaults = [
         "sku": {
             "family": "A",
             "name": "Standard"
+        },
+        "properties": {
+            "enableRbacAuthorization": false  // Non-RBAC vault
         }
     },
-    { 
+    {
         "id": "/subscriptions/abcdef123-ebf6-437f-a3b0-28fc0d22117e/resourceGroups/Default-ActivityLogAlerts/providers/Microsoft.KeyVault/vaults/testvault",
         "name": "testvault",
         "type": "Microsoft.KeyVault/vaults",
@@ -31,6 +34,9 @@ const listKeyVaults = [
         "sku": {
             "family": "A",
             "name": "Standard"
+        },
+        "properties": {
+            "enableRbacAuthorization": true  // RBAC vault
         }
     }
 ];
@@ -138,7 +144,7 @@ const createCache = (err, list, get) => {
     }
 };
 
-describe('keyVaultSecretExpiry', function() {
+describe('keyVaultSecretExpiryNonRbac', function() {
     describe('run', function() {
         it('should give passing result if no secrets found', function(done) {
             const callback = (err, results) => {
@@ -152,7 +158,19 @@ describe('keyVaultSecretExpiry', function() {
             auth.run(createCache(null, [], {}), {}, callback);
         });
 
-        it('should give passing result if secret expiration is not enabled', function(done) {
+        it('should give passing result if vault is RBAC-enabled', function(done) {
+            const callback = (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('Key Vault is RBAC-enabled');
+                expect(results[0].region).to.equal('eastus');
+                done()
+            };
+
+            auth.run(createCache(null, [listKeyVaults[1]], {}), {}, callback);
+        });
+
+        it('should give passing result if secret expiration is not enabled in non-RBAC vault', function(done) {
             const callback = (err, results) => {
                 expect(results.length).to.equal(1);
                 expect(results[0].status).to.equal(0);
@@ -164,7 +182,7 @@ describe('keyVaultSecretExpiry', function() {
             auth.run(createCache(null, [listKeyVaults[0]], getSecrets[0]), {}, callback);
         });
 
-        it('should give passing result if secret expiry is not yet reached', function(done) {
+        it('should give passing result if secret expiry is not yet reached in non-RBAC vault', function(done) {
             const callback = (err, results) => {
                 expect(results.length).to.equal(1);
                 expect(results[0].status).to.equal(0);