package com.cloudforgeci.api.core.rules; import com.cloudforgeci.api.core.DeploymentContext; import com.cloudforgeci.api.core.SystemContext; import com.cloudforge.core.iam.IAMProfileMapper; import com.cloudforge.core.enums.IAMProfile; import com.cloudforge.core.enums.RuntimeType; import com.cloudforge.core.enums.SecurityProfile; import com.cloudforge.core.enums.TopologyType; import com.cloudforgeci.api.test.TestInfrastructureBuilder; import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.CsvSource; import software.amazon.awscdk.App; import software.amazon.awscdk.Stack; import software.amazon.awscdk.assertions.Template; import java.util.HashMap; import java.util.Map; import static org.junit.jupiter.api.Assertions.*; /** * Test suite for KeyManagementRules. * * Tests key management compliance validation rules. */ class KeyManagementRulesTest { private Stack createTestStack(App app, String stackName, SecurityProfile profile) { Stack stack = new Stack(app, stackName); Map cfcContext = new HashMap<>(); cfcContext.put("stackName", stackName); cfcContext.put("securityProfile", profile.name()); stack.getNode().setContext("cfc", cfcContext); return stack; } @Test void testKeyManagementRulesInstallWithDevProfile() { // Given: A DEV deployment App app = new App(); Stack stack = createTestStack(app, "TestKeyMgmtDev", SecurityProfile.DEV); DeploymentContext cfc = DeploymentContext.from(stack); IAMProfile iamProfile = IAMProfileMapper.mapFromSecurity(SecurityProfile.DEV); SystemContext ctx = SystemContext.start(stack, TopologyType.JENKINS_SERVICE, RuntimeType.FARGATE, SecurityProfile.DEV, iamProfile, cfc); // When: Installing key management rules // Then: Should not throw (advisory for DEV) assertDoesNotThrow(() -> new KeyManagementRules().install(ctx)); } @Test void testKeyManagementRulesInstallWithProductionProfile() { // Given: A PRODUCTION deployment App app = new App(); Stack stack = createTestStack(app, "TestKeyMgmtProd", SecurityProfile.PRODUCTION); DeploymentContext cfc = DeploymentContext.from(stack); IAMProfile iamProfile = IAMProfileMapper.mapFromSecurity(SecurityProfile.PRODUCTION); SystemContext ctx = SystemContext.start(stack, TopologyType.JENKINS_SERVICE, RuntimeType.FARGATE, SecurityProfile.PRODUCTION, iamProfile, cfc); // When: Installing key management rules assertDoesNotThrow(() -> new KeyManagementRules().install(ctx)); // Then: Validation should be added assertNotNull(ctx.getNode()); } @Test void testKeyManagementRulesWithKMSRotationEnabled() { // Given: A deployment with KMS rotation enabled App app = new App(); Stack stack = new Stack(app, "TestKeyMgmtKMS"); Map cfcContext = new HashMap<>(); cfcContext.put("stackName", "TestKeyMgmtKMS"); cfcContext.put("securityProfile", "PRODUCTION"); cfcContext.put("kmsKeyRotationEnabled", "true"); cfcContext.put("useCustomerManagedKeys", "true"); stack.getNode().setContext("cfc", cfcContext); DeploymentContext cfc = DeploymentContext.from(stack); IAMProfile iamProfile = IAMProfileMapper.mapFromSecurity(SecurityProfile.PRODUCTION); SystemContext ctx = SystemContext.start(stack, TopologyType.JENKINS_SERVICE, RuntimeType.FARGATE, SecurityProfile.PRODUCTION, iamProfile, cfc); // When: Installing key management rules assertDoesNotThrow(() -> new KeyManagementRules().install(ctx)); } @Test void testKeyManagementRulesWithSecretsManager() { // Given: A deployment with Secrets Manager enabled App app = new App(); Stack stack = new Stack(app, "TestKeyMgmtSecrets"); Map cfcContext = new HashMap<>(); cfcContext.put("stackName", "TestKeyMgmtSecrets"); cfcContext.put("securityProfile", "PRODUCTION"); cfcContext.put("secretsManagerEnabled", "true"); cfcContext.put("secretRotationEnabled", "true"); stack.getNode().setContext("cfc", cfcContext); DeploymentContext cfc = DeploymentContext.from(stack); IAMProfile iamProfile = IAMProfileMapper.mapFromSecurity(SecurityProfile.PRODUCTION); SystemContext ctx = SystemContext.start(stack, TopologyType.JENKINS_SERVICE, RuntimeType.FARGATE, SecurityProfile.PRODUCTION, iamProfile, cfc); // When: Installing key management rules assertDoesNotThrow(() -> new KeyManagementRules().install(ctx)); } @Test void testKeyManagementRulesValidationExecutes() { // Given: A deployment context App app = new App(); Stack stack = createTestStack(app, "TestKeyMgmtValidation", SecurityProfile.PRODUCTION); DeploymentContext cfc = DeploymentContext.from(stack); IAMProfile iamProfile = IAMProfileMapper.mapFromSecurity(SecurityProfile.PRODUCTION); SystemContext ctx = SystemContext.start(stack, TopologyType.JENKINS_SERVICE, RuntimeType.FARGATE, SecurityProfile.PRODUCTION, iamProfile, cfc); // When: Installing key management rules new KeyManagementRules().install(ctx); // Then: Node should have validation added assertNotNull(ctx.getNode()); } @Test void testKeyManagementWithCustomerManagedKeys() { // Given: A deployment using CMKs App app = new App(); Stack stack = new Stack(app, "TestCMK"); Map cfcContext = new HashMap<>(); cfcContext.put("stackName", "TestCMK"); cfcContext.put("securityProfile", "PRODUCTION"); cfcContext.put("useCustomerManagedKeys", "true"); cfcContext.put("kmsKeyRotationEnabled", "true"); cfcContext.put("encryptionAtRest", "true"); stack.getNode().setContext("cfc", cfcContext); DeploymentContext cfc = DeploymentContext.from(stack); IAMProfile iamProfile = IAMProfileMapper.mapFromSecurity(SecurityProfile.PRODUCTION); SystemContext ctx = SystemContext.start(stack, TopologyType.JENKINS_SERVICE, RuntimeType.FARGATE, SecurityProfile.PRODUCTION, iamProfile, cfc); // When/Then: Should use customer-managed keys assertDoesNotThrow(() -> new KeyManagementRules().install(ctx)); } @Test void testKeyManagementWithAutomaticRotation() { // Given: A deployment with automatic key rotation App app = new App(); Stack stack = new Stack(app, "TestKeyRotation"); Map cfcContext = new HashMap<>(); cfcContext.put("stackName", "TestKeyRotation"); cfcContext.put("securityProfile", "PRODUCTION"); cfcContext.put("kmsKeyRotationEnabled", "true"); cfcContext.put("keyRotationSchedule", "365"); stack.getNode().setContext("cfc", cfcContext); DeploymentContext cfc = DeploymentContext.from(stack); IAMProfile iamProfile = IAMProfileMapper.mapFromSecurity(SecurityProfile.PRODUCTION); SystemContext ctx = SystemContext.start(stack, TopologyType.JENKINS_SERVICE, RuntimeType.FARGATE, SecurityProfile.PRODUCTION, iamProfile, cfc); // When/Then: Should enable automatic key rotation assertDoesNotThrow(() -> new KeyManagementRules().install(ctx)); } @Test void testKeyManagementWithKeyPolicies() { // Given: A deployment with strict KMS key policies App app = new App(); Stack stack = new Stack(app, "TestKeyPolicies"); Map cfcContext = new HashMap<>(); cfcContext.put("stackName", "TestKeyPolicies"); cfcContext.put("securityProfile", "PRODUCTION"); cfcContext.put("useCustomerManagedKeys", "true"); cfcContext.put("kmsPolicyRestrictive", "true"); cfcContext.put("kmsKeyAdminRole", "arn:aws:iam::123456789012:role/KeyAdmin"); stack.getNode().setContext("cfc", cfcContext); DeploymentContext cfc = DeploymentContext.from(stack); IAMProfile iamProfile = IAMProfileMapper.mapFromSecurity(SecurityProfile.PRODUCTION); SystemContext ctx = SystemContext.start(stack, TopologyType.JENKINS_SERVICE, RuntimeType.FARGATE, SecurityProfile.PRODUCTION, iamProfile, cfc); // When/Then: Should enforce strict key policies assertDoesNotThrow(() -> new KeyManagementRules().install(ctx)); } @Test void testKeyManagementWithSecretsRotation() { // Given: A deployment with automatic secrets rotation App app = new App(); Stack stack = new Stack(app, "TestSecretsRotation"); Map cfcContext = new HashMap<>(); cfcContext.put("stackName", "TestSecretsRotation"); cfcContext.put("securityProfile", "PRODUCTION"); cfcContext.put("secretsManagerEnabled", "true"); cfcContext.put("secretRotationEnabled", "true"); cfcContext.put("secretRotationDays", 30); stack.getNode().setContext("cfc", cfcContext); DeploymentContext cfc = DeploymentContext.from(stack); IAMProfile iamProfile = IAMProfileMapper.mapFromSecurity(SecurityProfile.PRODUCTION); SystemContext ctx = SystemContext.start(stack, TopologyType.JENKINS_SERVICE, RuntimeType.FARGATE, SecurityProfile.PRODUCTION, iamProfile, cfc); // When/Then: Should enable automatic secret rotation assertDoesNotThrow(() -> new KeyManagementRules().install(ctx)); } @Test void testKeyManagementWithMultiRegionKeys() { // Given: A deployment with multi-region KMS keys App app = new App(); Stack stack = new Stack(app, "TestMultiRegionKeys"); Map cfcContext = new HashMap<>(); cfcContext.put("stackName", "TestMultiRegionKeys"); cfcContext.put("securityProfile", "PRODUCTION"); cfcContext.put("useCustomerManagedKeys", "true"); cfcContext.put("kmsMultiRegion", "true"); cfcContext.put("kmsReplicaRegions", "us-west-2,eu-west-1"); stack.getNode().setContext("cfc", cfcContext); DeploymentContext cfc = DeploymentContext.from(stack); IAMProfile iamProfile = IAMProfileMapper.mapFromSecurity(SecurityProfile.PRODUCTION); SystemContext ctx = SystemContext.start(stack, TopologyType.JENKINS_SERVICE, RuntimeType.FARGATE, SecurityProfile.PRODUCTION, iamProfile, cfc); // When/Then: Should configure multi-region keys assertDoesNotThrow(() -> new KeyManagementRules().install(ctx)); } @Test void testKeyManagementWithCloudHSM() { // Given: A deployment with CloudHSM integration App app = new App(); Stack stack = new Stack(app, "TestCloudHSM"); Map cfcContext = new HashMap<>(); cfcContext.put("stackName", "TestCloudHSM"); cfcContext.put("securityProfile", "PRODUCTION"); cfcContext.put("useCloudHSM", "true"); cfcContext.put("cloudHSMClusterId", "cluster-abc123"); stack.getNode().setContext("cfc", cfcContext); DeploymentContext cfc = DeploymentContext.from(stack); IAMProfile iamProfile = IAMProfileMapper.mapFromSecurity(SecurityProfile.PRODUCTION); SystemContext ctx = SystemContext.start(stack, TopologyType.JENKINS_SERVICE, RuntimeType.FARGATE, SecurityProfile.PRODUCTION, iamProfile, cfc); // When/Then: Should integrate with CloudHSM assertDoesNotThrow(() -> new KeyManagementRules().install(ctx)); } @Test void testKeyManagementWithKeyAliases() { // Given: A deployment using KMS key aliases App app = new App(); Stack stack = new Stack(app, "TestKeyAliases"); Map cfcContext = new HashMap<>(); cfcContext.put("stackName", "TestKeyAliases"); cfcContext.put("securityProfile", "PRODUCTION"); cfcContext.put("useCustomerManagedKeys", "true"); cfcContext.put("kmsKeyAlias", "alias/app-encryption-key"); stack.getNode().setContext("cfc", cfcContext); DeploymentContext cfc = DeploymentContext.from(stack); IAMProfile iamProfile = IAMProfileMapper.mapFromSecurity(SecurityProfile.PRODUCTION); SystemContext ctx = SystemContext.start(stack, TopologyType.JENKINS_SERVICE, RuntimeType.FARGATE, SecurityProfile.PRODUCTION, iamProfile, cfc); // When/Then: Should use key aliases assertDoesNotThrow(() -> new KeyManagementRules().install(ctx)); } @Test void testKeyManagementWithKeyDeletion() { // Given: A deployment with pending window for key deletion App app = new App(); Stack stack = new Stack(app, "TestKeyDeletion"); Map cfcContext = new HashMap<>(); cfcContext.put("stackName", "TestKeyDeletion"); cfcContext.put("securityProfile", "PRODUCTION"); cfcContext.put("useCustomerManagedKeys", "true"); cfcContext.put("kmsPendingWindowDays", 30); stack.getNode().setContext("cfc", cfcContext); DeploymentContext cfc = DeploymentContext.from(stack); IAMProfile iamProfile = IAMProfileMapper.mapFromSecurity(SecurityProfile.PRODUCTION); SystemContext ctx = SystemContext.start(stack, TopologyType.JENKINS_SERVICE, RuntimeType.FARGATE, SecurityProfile.PRODUCTION, iamProfile, cfc); // When/Then: Should configure deletion window assertDoesNotThrow(() -> new KeyManagementRules().install(ctx)); } @Test void testKeyManagementWithEnvelopeEncryption() { // Given: A deployment using envelope encryption App app = new App(); Stack stack = new Stack(app, "TestEnvelopeEncryption"); Map cfcContext = new HashMap<>(); cfcContext.put("stackName", "TestEnvelopeEncryption"); cfcContext.put("securityProfile", "PRODUCTION"); cfcContext.put("useCustomerManagedKeys", "true"); cfcContext.put("envelopeEncryptionEnabled", "true"); stack.getNode().setContext("cfc", cfcContext); DeploymentContext cfc = DeploymentContext.from(stack); IAMProfile iamProfile = IAMProfileMapper.mapFromSecurity(SecurityProfile.PRODUCTION); SystemContext ctx = SystemContext.start(stack, TopologyType.JENKINS_SERVICE, RuntimeType.FARGATE, SecurityProfile.PRODUCTION, iamProfile, cfc); // When/Then: Should use envelope encryption assertDoesNotThrow(() -> new KeyManagementRules().install(ctx)); } @Test void testKeyManagementWithKeyUsageAuditing() { // Given: A deployment with KMS key usage auditing App app = new App(); Stack stack = new Stack(app, "TestKeyUsageAudit"); Map cfcContext = new HashMap<>(); cfcContext.put("stackName", "TestKeyUsageAudit"); cfcContext.put("securityProfile", "PRODUCTION"); cfcContext.put("useCustomerManagedKeys", "true"); cfcContext.put("kmsUsageLoggingEnabled", "true"); cfcContext.put("kmsCloudTrailEnabled", "true"); stack.getNode().setContext("cfc", cfcContext); DeploymentContext cfc = DeploymentContext.from(stack); IAMProfile iamProfile = IAMProfileMapper.mapFromSecurity(SecurityProfile.PRODUCTION); SystemContext ctx = SystemContext.start(stack, TopologyType.JENKINS_SERVICE, RuntimeType.FARGATE, SecurityProfile.PRODUCTION, iamProfile, cfc); // When/Then: Should enable key usage auditing assertDoesNotThrow(() -> new KeyManagementRules().install(ctx)); } @Test void testKeyManagementWithGrantConstraints() { // Given: A deployment with KMS grant constraints App app = new App(); Stack stack = new Stack(app, "TestGrantConstraints"); Map cfcContext = new HashMap<>(); cfcContext.put("stackName", "TestGrantConstraints"); cfcContext.put("securityProfile", "PRODUCTION"); cfcContext.put("useCustomerManagedKeys", "true"); cfcContext.put("kmsGrantConstraintsEnabled", "true"); stack.getNode().setContext("cfc", cfcContext); DeploymentContext cfc = DeploymentContext.from(stack); IAMProfile iamProfile = IAMProfileMapper.mapFromSecurity(SecurityProfile.PRODUCTION); SystemContext ctx = SystemContext.start(stack, TopologyType.JENKINS_SERVICE, RuntimeType.FARGATE, SecurityProfile.PRODUCTION, iamProfile, cfc); // When/Then: Should enforce grant constraints assertDoesNotThrow(() -> new KeyManagementRules().install(ctx)); } @Test void testKeyManagementWithAllSecurityProfiles() { // Given: Each security profile for (SecurityProfile profile : SecurityProfile.values()) { App app = new App(); Stack stack = createTestStack(app, "TestKeyManagement" + profile, profile); DeploymentContext cfc = DeploymentContext.from(stack); IAMProfile iamProfile = IAMProfileMapper.mapFromSecurity(profile); SystemContext ctx = SystemContext.start(stack, TopologyType.JENKINS_SERVICE, RuntimeType.FARGATE, profile, iamProfile, cfc); // When/Then: Should not throw for any security profile assertDoesNotThrow(() -> new KeyManagementRules().install(ctx), "KeyManagementRules should not throw for security profile: " + profile); } } @Test void testKeyManagementIdempotency() { // Given: A deployment with key management App app = new App(); Stack stack = createTestStack(app, "TestKeyManagementIdempotent", SecurityProfile.PRODUCTION); DeploymentContext cfc = DeploymentContext.from(stack); IAMProfile iamProfile = IAMProfileMapper.mapFromSecurity(SecurityProfile.PRODUCTION); SystemContext ctx = SystemContext.start(stack, TopologyType.JENKINS_SERVICE, RuntimeType.FARGATE, SecurityProfile.PRODUCTION, iamProfile, cfc); // When: Installing rules multiple times assertDoesNotThrow(() -> new KeyManagementRules().install(ctx)); assertDoesNotThrow(() -> new KeyManagementRules().install(ctx)); // Then: Should be idempotent (no errors on repeated calls) } @Test void testKeyManagementWithKeyImport() { // Given: A deployment with imported key material App app = new App(); Stack stack = new Stack(app, "TestKeyImport"); Map cfcContext = new HashMap<>(); cfcContext.put("stackName", "TestKeyImport"); cfcContext.put("securityProfile", "PRODUCTION"); cfcContext.put("useCustomerManagedKeys", "true"); cfcContext.put("kmsImportedKeyMaterial", "true"); cfcContext.put("kmsImportedKeyExpiration", "2025-12-31"); stack.getNode().setContext("cfc", cfcContext); DeploymentContext cfc = DeploymentContext.from(stack); IAMProfile iamProfile = IAMProfileMapper.mapFromSecurity(SecurityProfile.PRODUCTION); SystemContext ctx = SystemContext.start(stack, TopologyType.JENKINS_SERVICE, RuntimeType.FARGATE, SecurityProfile.PRODUCTION, iamProfile, cfc); // When/Then: Should support imported key material assertDoesNotThrow(() -> new KeyManagementRules().install(ctx)); } @Test void testKeyManagementWithSSMParameterStore() { // Given: A deployment using SSM Parameter Store with encryption App app = new App(); Stack stack = new Stack(app, "TestSSMEncryption"); Map cfcContext = new HashMap<>(); cfcContext.put("stackName", "TestSSMEncryption"); cfcContext.put("securityProfile", "PRODUCTION"); cfcContext.put("ssmParameterStoreEnabled", "true"); cfcContext.put("ssmParameterEncrypted", "true"); cfcContext.put("ssmKmsKeyArn", "arn:aws:kms:us-east-1:123456789012:key/12345"); stack.getNode().setContext("cfc", cfcContext); DeploymentContext cfc = DeploymentContext.from(stack); IAMProfile iamProfile = IAMProfileMapper.mapFromSecurity(SecurityProfile.PRODUCTION); SystemContext ctx = SystemContext.start(stack, TopologyType.JENKINS_SERVICE, RuntimeType.FARGATE, SecurityProfile.PRODUCTION, iamProfile, cfc); // When/Then: Should encrypt SSM parameters assertDoesNotThrow(() -> new KeyManagementRules().install(ctx)); } @Test void testKeyManagementWithKeyTagging() { // Given: A deployment with KMS key tagging App app = new App(); Stack stack = new Stack(app, "TestKeyTagging"); Map cfcContext = new HashMap<>(); cfcContext.put("stackName", "TestKeyTagging"); cfcContext.put("securityProfile", "PRODUCTION"); cfcContext.put("useCustomerManagedKeys", "true"); cfcContext.put("kmsKeyTagsEnabled", "true"); cfcContext.put("kmsKeyOwner", "security-team"); stack.getNode().setContext("cfc", cfcContext); DeploymentContext cfc = DeploymentContext.from(stack); IAMProfile iamProfile = IAMProfileMapper.mapFromSecurity(SecurityProfile.PRODUCTION); SystemContext ctx = SystemContext.start(stack, TopologyType.JENKINS_SERVICE, RuntimeType.FARGATE, SecurityProfile.PRODUCTION, iamProfile, cfc); // When/Then: Should tag KMS keys assertDoesNotThrow(() -> new KeyManagementRules().install(ctx)); } // ==================== EXPANDED PARAMETERIZED TRUTH TABLE TESTS ==================== /** * Expanded test for KMS key management validation. * Tests all combinations of: security profile, KMS rotation, customer-managed keys. */ @ParameterizedTest @CsvSource({ // PRODUCTION - KMS rotation required "PRODUCTION,false,false", // No rotation/customer keys - FAIL "PRODUCTION,true,false", // Rotation only - FAIL (no customer keys) "PRODUCTION,false,true", // Customer keys only - FAIL (no rotation) "PRODUCTION,true,true", // Both features - PASS // STAGING - advisory only "STAGING,false,false", // Minimal STAGING - PASS (advisory) "STAGING,true,true", // Full STAGING - PASS // DEV - advisory only "DEV,false,false", // Minimal DEV - PASS (advisory) "DEV,true,true", // Full DEV - PASS }) void testKMExpandedKMSKeyManagement(String profile, boolean kmsRotation, boolean customerManagedKeys) { // Create custom context with KMS configuration Map customContext = new HashMap<>(); customContext.put("stackName", "TestKMS"); customContext.put("securityProfile", profile); // Explicitly set KMS properties to override defaults customContext.put("kmsKeyRotationEnabled", String.valueOf(kmsRotation)); customContext.put("useCustomerManagedKeys", String.valueOf(customerManagedKeys)); // Add PCI-DSS framework to make KMS rotation REQUIRED customContext.put("complianceFrameworks", "PCI-DSS"); customContext.put("complianceMode", "enforce"); // Use TestInfrastructureBuilder to create minimal infrastructure SecurityProfile secProfile = SecurityProfile.valueOf(profile); TestInfrastructureBuilder builder = new TestInfrastructureBuilder( "TestKMS", secProfile, RuntimeType.FARGATE, customContext); // Create minimal infrastructure and install rules builder.createMinimalInfrastructure(); new KeyManagementRules().install(builder.getSystemContext()); // Determine if this scenario should pass or fail // NOTE: KMS_KEY_ROTATION is REQUIRED for PCI-DSS, HIPAA, GDPR, NIST (ADVISORY for SOC2) boolean shouldFail = false; if (secProfile == SecurityProfile.PRODUCTION) { // With PCI-DSS framework, KMS rotation is REQUIRED if (!kmsRotation) { shouldFail = true; } } // STAGING and DEV are advisory only (never fail) // Trigger synthesis to execute validations if (shouldFail) { assertThrows(Exception.class, () -> Template.fromStack(builder.getStack()), "Expected validation to fail for: " + profile + ", kmsRotation=" + kmsRotation + ", customerManagedKeys=" + customerManagedKeys); } else { assertDoesNotThrow(() -> Template.fromStack(builder.getStack()), "Expected validation to pass for: " + profile + ", kmsRotation=" + kmsRotation + ", customerManagedKeys=" + customerManagedKeys); } } /** * Expanded test for certificate management validation. * Tests all combinations of: security profile, certificate exists, expiration monitoring, ACM auto-renewal. */ @ParameterizedTest @CsvSource({ // PRODUCTION - expiration monitoring required "PRODUCTION,false,false", // No monitoring/auto-renewal - FAIL "PRODUCTION,true,false", // Monitoring only - FAIL (no auto-renewal) "PRODUCTION,false,true", // Auto-renewal only - FAIL (no monitoring) "PRODUCTION,true,true", // Both features - PASS // STAGING - advisory only "STAGING,false,false", // Minimal STAGING - PASS "STAGING,true,true", // Full STAGING - PASS // DEV - advisory only "DEV,false,false", // Minimal DEV - PASS "DEV,true,true", // Full DEV - PASS }) void testKMExpandedCertificateManagement(String profile, boolean expirationMonitoring, boolean acmAutoRenewal) { // Create custom context with certificate configuration Map customContext = new HashMap<>(); customContext.put("stackName", "TestCert"); customContext.put("securityProfile", profile); // Explicitly set certificate properties to override defaults customContext.put("certificateExpirationMonitoring", String.valueOf(expirationMonitoring)); customContext.put("acmAutoRenewalEnabled", String.valueOf(acmAutoRenewal)); // Use TestInfrastructureBuilder to create minimal infrastructure SecurityProfile secProfile = SecurityProfile.valueOf(profile); TestInfrastructureBuilder builder = new TestInfrastructureBuilder( "TestCert", secProfile, RuntimeType.FARGATE, customContext); // Create minimal infrastructure and install rules builder.createMinimalInfrastructure(); new KeyManagementRules().install(builder.getSystemContext()); // NOTE: Certificate validation only runs when a certificate exists (ctx.cert.get().isPresent()). // Since TestInfrastructureBuilder doesn't create certificates by default, the validation // returns early with a PASS. This means all certificate tests will pass. // To properly test certificate validation, we would need to create actual certificates, // but that's beyond the scope of these unit tests. // For now, all tests should pass since no certificate is present assertDoesNotThrow(() -> Template.fromStack(builder.getStack()), "Expected validation to pass (no certificate present) for: " + profile + ", expirationMonitoring=" + expirationMonitoring + ", acmAutoRenewal=" + acmAutoRenewal); } /** * Expanded test for secrets management validation. * Tests all combinations of: security profile, Secrets Manager enabled, secret rotation. */ @ParameterizedTest @CsvSource({ // PRODUCTION - Secrets Manager required "PRODUCTION,false,false", // No Secrets Manager - FAIL "PRODUCTION,true,false", // Secrets Manager without rotation - FAIL "PRODUCTION,true,true", // Secrets Manager + rotation - PASS // STAGING - advisory only "STAGING,false,false", // Minimal STAGING - PASS "STAGING,true,false", // Secrets Manager without rotation - PASS "STAGING,true,true", // Full STAGING - PASS // DEV - advisory only "DEV,false,false", // Minimal DEV - PASS "DEV,true,true", // Full DEV - PASS }) void testKMExpandedSecretsManagement(String profile, boolean secretsManager, boolean secretRotation) { // Create custom context with secrets management configuration Map customContext = new HashMap<>(); customContext.put("stackName", "TestSecrets"); customContext.put("securityProfile", profile); // Explicitly set secrets properties to override defaults customContext.put("secretsManagerEnabled", String.valueOf(secretsManager)); customContext.put("secretRotationEnabled", String.valueOf(secretRotation)); // Add PCI-DSS framework to make Secrets Manager and rotation REQUIRED customContext.put("complianceFrameworks", "PCI-DSS"); customContext.put("complianceMode", "enforce"); // Use TestInfrastructureBuilder to create minimal infrastructure SecurityProfile secProfile = SecurityProfile.valueOf(profile); TestInfrastructureBuilder builder = new TestInfrastructureBuilder( "TestSecrets", secProfile, RuntimeType.FARGATE, customContext); // Create minimal infrastructure and install rules builder.createMinimalInfrastructure(); new KeyManagementRules().install(builder.getSystemContext()); // Determine if this scenario should pass or fail // NOTE: SECRETS_MANAGER and SECRETS_ROTATION are REQUIRED for PCI-DSS, HIPAA, NIST // Secret rotation is only checked if Secrets Manager is enabled boolean shouldFail = false; if (secProfile == SecurityProfile.PRODUCTION) { // Secrets Manager is REQUIRED for PCI-DSS if (!secretsManager) { shouldFail = true; } else { // If Secrets Manager is enabled, rotation is also REQUIRED if (!secretRotation) { shouldFail = true; } } } // STAGING and DEV are advisory only (never fail) // Trigger synthesis to execute validations if (shouldFail) { assertThrows(Exception.class, () -> Template.fromStack(builder.getStack()), "Expected validation to fail for: " + profile + ", secretsManager=" + secretsManager + ", secretRotation=" + secretRotation); } else { assertDoesNotThrow(() -> Template.fromStack(builder.getStack()), "Expected validation to pass for: " + profile + ", secretsManager=" + secretsManager + ", secretRotation=" + secretRotation); } } /** * Comprehensive realistic scenarios combining all key management features. */ @ParameterizedTest @CsvSource({ // Scenario 1: Maximum security - PRODUCTION with all features "PRODUCTION,true,true,true,true,true,true", // Scenario 2: PRODUCTION minimal - FAIL (missing all features) "PRODUCTION,false,false,false,false,false,false", // Scenario 3: PRODUCTION with KMS only - partial FAIL "PRODUCTION,true,true,false,false,false,false", // Scenario 4: PRODUCTION with certificates only - partial FAIL "PRODUCTION,false,false,true,true,false,false", // Scenario 5: PRODUCTION with secrets only - partial FAIL "PRODUCTION,false,false,false,false,true,true", // Scenario 6: STAGING with all features (advisory) "STAGING,true,true,true,true,true,true", // Scenario 7: STAGING minimal (advisory) "STAGING,false,false,false,false,false,false", // Scenario 8: DEV with all features "DEV,true,true,true,true,true,true", // Scenario 9: DEV minimal "DEV,false,false,false,false,false,false", // Scenario 10: PRODUCTION with KMS + Secrets but no cert management - partial FAIL "PRODUCTION,true,true,false,false,true,true", // Scenario 11: PRODUCTION with rotation but missing other features - FAIL "PRODUCTION,true,false,true,false,true,false", // Scenario 12: PRODUCTION with auto-renewal and rotation enabled - partial FAIL "PRODUCTION,true,true,false,true,false,false", }) void testKMExpandedComprehensiveScenarios(String profile, boolean kmsRotation, boolean customerManagedKeys, boolean certExpirationMonitoring, boolean acmAutoRenewal, boolean secretsManager, boolean secretRotation) { // Create custom context with all key management configuration Map customContext = new HashMap<>(); customContext.put("stackName", "TestKMComprehensive"); customContext.put("securityProfile", profile); // Explicitly set all properties to override defaults customContext.put("kmsKeyRotationEnabled", String.valueOf(kmsRotation)); customContext.put("useCustomerManagedKeys", String.valueOf(customerManagedKeys)); customContext.put("certificateExpirationMonitoring", String.valueOf(certExpirationMonitoring)); customContext.put("acmAutoRenewalEnabled", String.valueOf(acmAutoRenewal)); customContext.put("secretsManagerEnabled", String.valueOf(secretsManager)); customContext.put("secretRotationEnabled", String.valueOf(secretRotation)); // Add PCI-DSS framework to make controls REQUIRED customContext.put("complianceFrameworks", "PCI-DSS"); customContext.put("complianceMode", "enforce"); // Use TestInfrastructureBuilder to create minimal infrastructure SecurityProfile secProfile = SecurityProfile.valueOf(profile); TestInfrastructureBuilder builder = new TestInfrastructureBuilder( "TestKMComprehensive", secProfile, RuntimeType.FARGATE, customContext); // Create minimal infrastructure and install rules builder.createMinimalInfrastructure(); new KeyManagementRules().install(builder.getSystemContext()); // Determine if this scenario should pass or fail // NOTE: With ComplianceMatrix and PCI-DSS framework: // - KMS_KEY_ROTATION: REQUIRED (only rotation, customerManagedKeys not checked) // - CERTIFICATE_EXPIRATION_MONITORING: ADVISORY (never fails) // - SECRETS_MANAGER: REQUIRED // - SECRETS_ROTATION: REQUIRED (only if Secrets Manager enabled) boolean shouldFail = false; if (secProfile == SecurityProfile.PRODUCTION) { // KMS rotation is REQUIRED for PCI-DSS if (!kmsRotation) { shouldFail = true; } // Secrets Manager is REQUIRED for PCI-DSS if (!secretsManager) { shouldFail = true; } else { // If Secrets Manager is enabled, rotation is also REQUIRED if (!secretRotation) { shouldFail = true; } } // Certificate monitoring is ADVISORY - doesn't cause failures // ACM auto-renewal is advisory - doesn't cause failures } // STAGING and DEV are advisory only (never fail) // Trigger synthesis to execute validations if (shouldFail) { assertThrows(Exception.class, () -> Template.fromStack(builder.getStack()), "Expected validation to fail for: " + profile + ", kmsRotation=" + kmsRotation + ", customerManagedKeys=" + customerManagedKeys + ", certExpirationMonitoring=" + certExpirationMonitoring + ", acmAutoRenewal=" + acmAutoRenewal + ", secretsManager=" + secretsManager + ", secretRotation=" + secretRotation); } else { assertDoesNotThrow(() -> Template.fromStack(builder.getStack()), "Expected validation to pass for: " + profile + ", kmsRotation=" + kmsRotation + ", customerManagedKeys=" + customerManagedKeys + ", certExpirationMonitoring=" + certExpirationMonitoring + ", acmAutoRenewal=" + acmAutoRenewal + ", secretsManager=" + secretsManager + ", secretRotation=" + secretRotation); } } @ParameterizedTest @CsvSource({ // Edge case: KMS key rotation edge cases (validation only checks enabled, not period) "PRODUCTION,FARGATE,365,true,ENFORCE,false", // Rotation enabled - PASS "PRODUCTION,FARGATE,366,true,ENFORCE,false", // Rotation enabled (days ignored) - PASS "PRODUCTION,FARGATE,730,true,ENFORCE,false", // Rotation enabled (days ignored) - PASS "PRODUCTION,FARGATE,90,true,ENFORCE,false", // Rotation enabled - PASS "PRODUCTION,FARGATE,0,true,ENFORCE,false", // Rotation enabled (days ignored) - PASS "PRODUCTION,EC2,365,true,ENFORCE,false", // EC2 rotation enabled - PASS "PRODUCTION,EC2,400,true,ENFORCE,false", // EC2 rotation enabled (days ignored) - PASS // STAGING - more lenient "STAGING,FARGATE,365,true,ENFORCE,false", // STAGING rotation enabled - PASS "STAGING,FARGATE,730,true,ENFORCE,false", // STAGING rotation enabled - PASS // DEV - minimal enforcement "DEV,FARGATE,0,false,ENFORCE,false", // DEV no rotation - PASS // ADVISORY mode "PRODUCTION,FARGATE,730,true,ADVISORY,false" // PRODUCTION advisory - PASS }) void testKmsKeyRotationEdgeCases(String profile, String runtime, int rotationDays, boolean kmsEnabled, String complianceMode, boolean shouldFail) { Map customContext = new HashMap<>(); customContext.put("stackName", "TestKmsRotationEdge"); customContext.put("securityProfile", profile); customContext.put("kmsKeyRotationDays", String.valueOf(rotationDays)); customContext.put("customerManagedKeysEnabled", String.valueOf(kmsEnabled)); customContext.put("complianceFrameworks", "pci-dss"); customContext.put("complianceMode", complianceMode); customContext.put("networkMode", "private-with-nat"); customContext.put("region", "us-east-1"); SecurityProfile secProfile = SecurityProfile.valueOf(profile); RuntimeType runtimeType = RuntimeType.valueOf(runtime); if (!shouldFail) { customContext.put("secretsManagerEnabled", "true"); customContext.put("secretRotationEnabled", "true"); customContext.put("acmAutoRenewal", "true"); customContext.put("certExpirationMonitoring", "true"); } TestInfrastructureBuilder builder = new TestInfrastructureBuilder( "TestKmsRotationEdge", secProfile, runtimeType, customContext); builder.createMinimalInfrastructure(); new KeyManagementRules().install(builder.getSystemContext()); if (shouldFail) { assertThrows(Exception.class, () -> Template.fromStack(builder.getStack()), "Expected KMS rotation validation to fail for: " + rotationDays + " days"); } else { assertDoesNotThrow(() -> Template.fromStack(builder.getStack()), "Expected KMS rotation validation to pass for: " + rotationDays + " days"); } } @ParameterizedTest @CsvSource({ // Edge case: Certificate expiration monitoring combinations (PCI-DSS is advisory for certs) "PRODUCTION,FARGATE,true,true,30,ENFORCE,false", // All cert features - PASS "PRODUCTION,FARGATE,true,false,30,ENFORCE,false", // Monitoring only (acmAutoRenewalEnabled defaults to true) - PASS "PRODUCTION,FARGATE,false,true,30,ENFORCE,false", // PCI-DSS cert monitoring is advisory - PASS "PRODUCTION,FARGATE,true,true,7,ENFORCE,false", // 7 day warning - PASS "PRODUCTION,FARGATE,true,true,60,ENFORCE,false", // 60 day warning - PASS "PRODUCTION,EC2,true,true,30,ENFORCE,false", // EC2 full cert mgmt - PASS "PRODUCTION,EC2,false,false,0,ENFORCE,false", // EC2 PCI-DSS cert monitoring advisory - PASS // STAGING "STAGING,FARGATE,true,true,30,ENFORCE,false", // STAGING full cert mgmt - PASS "STAGING,FARGATE,false,false,0,ENFORCE,false", // STAGING no cert mgmt - PASS // ADVISORY mode "PRODUCTION,FARGATE,false,false,0,ADVISORY,false" // PRODUCTION advisory no cert mgmt - PASS }) void testCertificateManagementEdgeCases(String profile, String runtime, boolean expirationMonitoring, boolean autoRenewal, int warningDays, String complianceMode, boolean shouldFail) { Map customContext = new HashMap<>(); customContext.put("stackName", "TestCertEdge"); customContext.put("securityProfile", profile); customContext.put("certExpirationMonitoring", String.valueOf(expirationMonitoring)); customContext.put("acmAutoRenewal", String.valueOf(autoRenewal)); customContext.put("certExpirationWarningDays", String.valueOf(warningDays)); customContext.put("complianceFrameworks", "pci-dss"); customContext.put("complianceMode", complianceMode); customContext.put("networkMode", "private-with-nat"); customContext.put("region", "us-east-1"); SecurityProfile secProfile = SecurityProfile.valueOf(profile); RuntimeType runtimeType = RuntimeType.valueOf(runtime); if (!shouldFail) { customContext.put("kmsKeyRotationDays", "365"); customContext.put("customerManagedKeysEnabled", "true"); customContext.put("secretsManagerEnabled", "true"); customContext.put("secretRotationEnabled", "true"); } TestInfrastructureBuilder builder = new TestInfrastructureBuilder( "TestCertEdge", secProfile, runtimeType, customContext); builder.createMinimalInfrastructure(); new KeyManagementRules().install(builder.getSystemContext()); if (shouldFail) { assertThrows(Exception.class, () -> Template.fromStack(builder.getStack()), "Expected cert management validation to fail"); } else { assertDoesNotThrow(() -> Template.fromStack(builder.getStack()), "Expected cert management validation to pass"); } } @ParameterizedTest @CsvSource({ // Edge case: Secrets rotation edge cases "PRODUCTION,FARGATE,true,30,ENFORCE,false", // 30 day rotation - PASS "PRODUCTION,FARGATE,true,7,ENFORCE,false", // 7 day rotation (aggressive) - PASS "PRODUCTION,FARGATE,true,90,ENFORCE,false", // 90 day rotation - PASS "PRODUCTION,FARGATE,true,0,ENFORCE,true", // No rotation - FAIL "PRODUCTION,FARGATE,false,0,ENFORCE,true", // Secrets manager disabled - FAIL "PRODUCTION,EC2,true,30,ENFORCE,false", // EC2 30 day rotation - PASS "PRODUCTION,EC2,false,0,ENFORCE,true", // EC2 no secrets mgmt - FAIL // STAGING "STAGING,FARGATE,true,90,ENFORCE,false", // STAGING 90 day rotation - PASS "STAGING,FARGATE,false,0,ENFORCE,false", // STAGING no secrets mgmt - PASS // ADVISORY mode "PRODUCTION,FARGATE,false,0,ADVISORY,false" // PRODUCTION advisory no secrets - PASS }) void testSecretsRotationEdgeCases(String profile, String runtime, boolean secretsManagerEnabled, int rotationDays, String complianceMode, boolean shouldFail) { Map customContext = new HashMap<>(); customContext.put("stackName", "TestSecretsRotationEdge"); customContext.put("securityProfile", profile); customContext.put("secretsManagerEnabled", String.valueOf(secretsManagerEnabled)); customContext.put("secretRotationDays", String.valueOf(rotationDays)); customContext.put("secretRotationEnabled", String.valueOf(rotationDays > 0)); customContext.put("complianceFrameworks", "pci-dss"); customContext.put("complianceMode", complianceMode); customContext.put("networkMode", "private-with-nat"); customContext.put("region", "us-east-1"); SecurityProfile secProfile = SecurityProfile.valueOf(profile); RuntimeType runtimeType = RuntimeType.valueOf(runtime); if (!shouldFail) { customContext.put("kmsKeyRotationDays", "365"); customContext.put("customerManagedKeysEnabled", "true"); customContext.put("acmAutoRenewal", "true"); customContext.put("certExpirationMonitoring", "true"); } TestInfrastructureBuilder builder = new TestInfrastructureBuilder( "TestSecretsRotationEdge", secProfile, runtimeType, customContext); builder.createMinimalInfrastructure(); new KeyManagementRules().install(builder.getSystemContext()); if (shouldFail) { assertThrows(Exception.class, () -> Template.fromStack(builder.getStack()), "Expected secrets rotation validation to fail"); } else { assertDoesNotThrow(() -> Template.fromStack(builder.getStack()), "Expected secrets rotation validation to pass"); } } }