compliance-scan/tests/test_compliance.py

"""Tests for compliance checking functionality."""

from datetime import datetime


class TestComplianceChecks:
    """Tests for compliance validation logic."""

    def test_check_bsi_validity(self) -> None:
        """Test BSI cipher suite validity checking."""
        # Valid BSI-approved cipher suite (not expired)
        cipher_suite_valid = {
            "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "iana_recommended": "N",
            "bsi_approved": True,
            "bsi_valid_until": "2029",
        }
        # Check that current year is before 2029
        current_year = datetime.now().year
        assert current_year < 2029, "Test assumes current year < 2029"
        # BSI-approved and valid should be compliant
        assert cipher_suite_valid["bsi_approved"] is True
        assert int(cipher_suite_valid["bsi_valid_until"]) > current_year

        # Expired BSI-approved cipher suite
        cipher_suite_expired = {
            "name": "TLS_OLD_CIPHER",
            "iana_recommended": "N",
            "bsi_approved": True,
            "bsi_valid_until": "2020",
        }
        # BSI-approved but expired should not be compliant
        assert cipher_suite_expired["bsi_approved"] is True
        assert int(cipher_suite_expired["bsi_valid_until"]) < current_year

        # No BSI data
        cipher_suite_no_bsi = {
            "name": "TLS_CHACHA20_POLY1305_SHA256",
            "iana_recommended": "Y",
            "bsi_approved": False,
            "bsi_valid_until": None,
        }
        # Without BSI approval, compliance depends on IANA
        assert cipher_suite_no_bsi["bsi_approved"] is False

    def test_check_iana_recommendation(self) -> None:
        """Test IANA recommendation checking."""
        # IANA recommended cipher suite
        cipher_suite_recommended = {
            "name": "TLS_AES_256_GCM_SHA384",
            "iana_recommended": "Y",
            "bsi_approved": True,
            "bsi_valid_until": "2031",
        }
        assert cipher_suite_recommended["iana_recommended"] == "Y"

        # IANA not recommended cipher suite
        cipher_suite_not_recommended = {
            "name": "TLS_RSA_WITH_AES_128_CBC_SHA",
            "iana_recommended": "N",
            "bsi_approved": False,
            "bsi_valid_until": None,
        }
        assert cipher_suite_not_recommended["iana_recommended"] == "N"

        # No IANA data (should default to non-compliant)
        cipher_suite_no_iana = {
            "name": "TLS_UNKNOWN_CIPHER",
            "iana_recommended": None,
            "bsi_approved": False,
            "bsi_valid_until": None,
        }
        assert cipher_suite_no_iana["iana_recommended"] is None