-
Notifications
You must be signed in to change notification settings - Fork 307
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(parser): support ssl certificates and swagger files set as attri…
- Loading branch information
1 parent
f134433
commit 6fae892
Showing
43 changed files
with
970 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
9 changes: 9 additions & 0 deletions
9
assets/queries/ansible/aws/api_gateway_without_configured_authorizer/metadata.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| { | ||
| "id": "b16cdb37-ce15-4ab2-8401-d42b05d123fc", | ||
| "queryName": "API Gateway Without Configured Authorizer", | ||
| "severity": "MEDIUM", | ||
| "category": "Access Control", | ||
| "descriptionText": "API Gateway REST API should have an API Gateway Authorizer", | ||
| "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/aws_api_gateway_module.html", | ||
| "platform": "Ansible" | ||
| } |
74 changes: 74 additions & 0 deletions
74
assets/queries/ansible/aws/api_gateway_without_configured_authorizer/query.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,74 @@ | ||
| package Cx | ||
|
|
||
| import data.generic.ansible as ansLib | ||
|
|
||
| modules := {"community.aws.aws_api_gateway", "aws_api_gateway"} | ||
|
|
||
| CxPolicy[result] { | ||
| task := ansLib.tasks[id][t] | ||
|
|
||
| apiGateway := task[modules[m]] | ||
| ansLib.checkState(apiGateway) | ||
|
|
||
| content_info := get_content(apiGateway) | ||
|
|
||
| object.get(content_info.content.components.securitySchemes[x], "x-amazon-apigateway-authorizer", "undefined") == "undefined" | ||
|
|
||
| result := { | ||
| "documentId": id, | ||
| "searchKey": sprintf("name={{%s}}.{{%s}}.%s", [task.name, modules[m], content_info.attribute]), | ||
| "issueType": "IncorrectValue", | ||
| "keyExpectedValue": sprintf("'%s.%s' has a authorizer set", [modules[m], content_info.attribute]), | ||
| "keyActualValue": sprintf("'%s.%s' does not have a authorizer set", [modules[m], content_info.attribute]), | ||
| } | ||
| } | ||
|
|
||
| CxPolicy[result] { | ||
| task := ansLib.tasks[id][t] | ||
|
|
||
| apiGateway := task[modules[m]] | ||
| ansLib.checkState(apiGateway) | ||
|
|
||
| text := apiGateway.swagger_text | ||
|
|
||
| not contains(text, "x-amazon-apigateway-authorizer") | ||
|
|
||
| result := { | ||
| "documentId": id, | ||
| "searchKey": sprintf("name={{%s}}.{{%s}}.swagger_text", [task.name, modules[m]]), | ||
| "issueType": "IncorrectValue", | ||
| "keyExpectedValue": sprintf("'%s.swagger_text' has a authorizer set", [modules[m]]), | ||
| "keyActualValue": sprintf("'%s.swagger_text' does not have a authorizer set", [modules[m]]), | ||
| } | ||
| } | ||
|
|
||
| CxPolicy[result] { | ||
| task := ansLib.tasks[id][t] | ||
|
|
||
| apiGateway := task[modules[m]] | ||
| ansLib.checkState(apiGateway) | ||
|
|
||
| without_authorizer(apiGateway) | ||
|
|
||
| result := { | ||
| "documentId": id, | ||
| "searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]), | ||
| "issueType": "IncorrectValue", | ||
| "keyExpectedValue": sprintf("'%s' has swagger_file, swagger_text or swagger_dict set", [modules[m]]), | ||
| "keyActualValue": sprintf("'%s' does not have swagger_file, swagger_text or swagger_dict set", [modules[m]]), | ||
| } | ||
| } | ||
|
|
||
| without_authorizer(apiGateway) { | ||
| object.get(apiGateway, "swagger_file", "undefined") == "undefined" | ||
| object.get(apiGateway, "swagger_text", "undefined") == "undefined" | ||
| object.get(apiGateway, "swagger_dict", "undefined") == "undefined" | ||
| } | ||
|
|
||
| get_content(apiGateway) = content_info { | ||
| content := apiGateway.swagger_file.content | ||
| content_info := {"content": content, "attribute": "swagger_file"} | ||
| } else = content_info { | ||
| content := apiGateway.swagger_dict | ||
| content_info := {"content": content, "attribute": "swagger_dict"} | ||
| } |
9 changes: 9 additions & 0 deletions
9
assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/negative1.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| - name: Setup AWS API Gateway setup on AWS and deploy API definition3 | ||
| community.aws.aws_api_gateway: | ||
| swagger_file: swaggerFile.yaml | ||
| stage: production | ||
| cache_enabled: true | ||
| cache_size: "1.6" | ||
| tracing_enabled: true | ||
| endpoint_type: EDGE | ||
| state: present |
39 changes: 39 additions & 0 deletions
39
assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/negative2.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| - name: Setup AWS API Gateway setup on AWS and deploy API definition22222 | ||
| community.aws.aws_api_gateway: | ||
| swagger_dict: | ||
| { | ||
| "openapi": "3.0.0", | ||
| "info": | ||
| { | ||
| "title": "Simple API Overview", | ||
| "version": "1.0.0", | ||
| "contact": { "name": "contact", "email": "[email protected]" }, | ||
| }, | ||
| "components": | ||
| { | ||
| "securitySchemes": | ||
| { | ||
| "request_authorizer_single_stagevar": | ||
| { | ||
| "type": "apiKey", | ||
| "name": "Unused", | ||
| "in": "header", | ||
| "x-amazon-apigateway-authtype": "custom", | ||
| "x-amazon-apigateway-authorizer": | ||
| { | ||
| "type": "request", | ||
| "identitySource": "stageVariables.stage", | ||
| "authorizerCredentials": "arn:aws:iam::123456789012:role/AWSepIntegTest-CS-LambdaRole", | ||
| "authorizerUri": "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:APIGateway-Request-Authorizer:vtwo/invocations", | ||
| "authorizerResultTtlInSeconds": 300, | ||
| }, | ||
| }, | ||
| }, | ||
| }, | ||
| } | ||
| stage: production | ||
| cache_enabled: true | ||
| cache_size: "1.6" | ||
| tracing_enabled: true | ||
| endpoint_type: EDGE | ||
| state: present |
27 changes: 27 additions & 0 deletions
27
assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/negative3.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| - name: Setup AWS API Gateway setup on AWS and deploy API 222 | ||
| aws_api_gateway: | ||
| swagger_text: | | ||
| openapi: 3.0.0 | ||
| info: | ||
| title: Sample API | ||
| description: Optional multiline or single-line description | ||
| version: 0.1.9 | ||
| components: | ||
| securitySchemes: | ||
| request_authorizer_single_stagevar: | ||
| type: apiKey | ||
| name: Unused | ||
| in: header | ||
| x-amazon-apigateway-authtype: custom | ||
| x-amazon-apigateway-authorizer: | ||
| type: request | ||
| identitySource: stageVariables.stage | ||
| authorizerCredentials: arn:aws:iam::123456789012:role/AWSepIntegTest-CS-LambdaRole | ||
| authorizerUri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:APIGateway-Request-Authorizer:vtwo/invocations | ||
| authorizerResultTtlInSeconds: 300 | ||
| stage: production | ||
| cache_enabled: true | ||
| cache_size: "1.6" | ||
| tracing_enabled: true | ||
| endpoint_type: EDGE | ||
| state: present |
31 changes: 31 additions & 0 deletions
31
assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive1.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| - name: Setup AWS API Gateway setup on AWS and deploy API definition | ||
| community.aws.aws_api_gateway: | ||
| swagger_dict: | ||
| { | ||
| "openapi": "3.0.0", | ||
| "info": | ||
| { | ||
| "title": "Simple API Overview", | ||
| "version": "1.0.0", | ||
| "contact": { "name": "contact", "email": "[email protected]" }, | ||
| }, | ||
| "components": | ||
| { | ||
| "securitySchemes": | ||
| { | ||
| "request_authorizer_single_stagevar": | ||
| { | ||
| "type": "apiKey", | ||
| "name": "Unused", | ||
| "in": "header", | ||
| "x-amazon-apigateway-authtype": "custom", | ||
| }, | ||
| }, | ||
| }, | ||
| } | ||
| stage: production | ||
| cache_enabled: true | ||
| cache_size: "1.6" | ||
| tracing_enabled: true | ||
| endpoint_type: EDGE | ||
| state: present |
8 changes: 8 additions & 0 deletions
8
assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive2.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| - name: Setup AWS API Gateway setup on AWS and deploy API definition2 | ||
| aws_api_gateway: | ||
| stage: production | ||
| cache_enabled: true | ||
| cache_size: "1.6" | ||
| tracing_enabled: true | ||
| endpoint_type: EDGE | ||
| state: present |
9 changes: 9 additions & 0 deletions
9
assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive3.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| - name: Setup AWS API Gateway setup on AWS and deploy API 222 | ||
| aws_api_gateway: | ||
| swagger_file: swaggerFileWithoutAuthorizer.json | ||
| stage: production | ||
| cache_enabled: true | ||
| cache_size: "1.6" | ||
| tracing_enabled: true | ||
| endpoint_type: EDGE | ||
| state: present |
21 changes: 21 additions & 0 deletions
21
assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive4.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| - name: Setup AWS API Gateway setup on AWS and deploy API 222 | ||
| aws_api_gateway: | ||
| swagger_text: | | ||
| openapi: 3.0.0 | ||
| info: | ||
| title: Sample API | ||
| description: Optional multiline or single-line description | ||
| version: 0.1.9 | ||
| components: | ||
| ssecuritySchemes: | ||
| request_authorizer_single_stagevar: | ||
| type: apiKey | ||
| name: Unused | ||
| in: header | ||
| x-amazon-apigateway-authtype: custom | ||
| stage: production | ||
| cache_enabled: true | ||
| cache_size: "1.6" | ||
| tracing_enabled: true | ||
| endpoint_type: EDGE | ||
| state: present |
26 changes: 26 additions & 0 deletions
26
.../ansible/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| [ | ||
| { | ||
| "queryName": "API Gateway Without Configured Authorizer", | ||
| "severity": "MEDIUM", | ||
| "line": 3, | ||
| "fileName": "positive1.yaml" | ||
| }, | ||
| { | ||
| "queryName": "API Gateway Without Configured Authorizer", | ||
| "severity": "MEDIUM", | ||
| "line": 2, | ||
| "fileName": "positive2.yaml" | ||
| }, | ||
| { | ||
| "queryName": "API Gateway Without Configured Authorizer", | ||
| "severity": "MEDIUM", | ||
| "line": 3, | ||
| "fileName": "positive3.yaml" | ||
| }, | ||
| { | ||
| "queryName": "API Gateway Without Configured Authorizer", | ||
| "severity": "MEDIUM", | ||
| "line": 3, | ||
| "fileName": "positive4.yaml" | ||
| } | ||
| ] |
28 changes: 28 additions & 0 deletions
28
assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/swaggerFile.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| { | ||
| "openapi": "3.0.0", | ||
| "info": { | ||
| "title": "Simple API Overview", | ||
| "version": "1.0.0", | ||
| "contact": { | ||
| "name": "contact", | ||
| "email": "[email protected]" | ||
| } | ||
| }, | ||
| "components": { | ||
| "securitySchemes": { | ||
| "request_authorizer_single_stagevar": { | ||
| "type": "apiKey", | ||
| "name": "Unused", | ||
| "in": "header", | ||
| "x-amazon-apigateway-authtype": "custom", | ||
| "x-amazon-apigateway-authorizer": { | ||
| "type": "request", | ||
| "identitySource": "stageVariables.stage", | ||
| "authorizerCredentials": "arn:aws:iam::123456789012:role/AWSepIntegTest-CS-LambdaRole", | ||
| "authorizerUri": "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:APIGateway-Request-Authorizer:vtwo/invocations", | ||
| "authorizerResultTtlInSeconds": 300 | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } |
20 changes: 20 additions & 0 deletions
20
assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/swaggerFile.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| openapi: 3.0.0 | ||
| info: | ||
| title: Simple API Overview | ||
| version: 1.0.0 | ||
| contact: | ||
| name: contact | ||
| email: [email protected] | ||
| components: | ||
| securitySchemes: | ||
| request_authorizer_single_stagevar: | ||
| type: apiKey | ||
| name: Unused | ||
| in: header | ||
| x-amazon-apigateway-authtype: custom | ||
| x-amazon-apigateway-authorizer: | ||
| type: request | ||
| identitySource: stageVariables.stage | ||
| authorizerCredentials: arn:aws:iam::123456789012:role/AWSepIntegTest-CS-LambdaRole | ||
| authorizerUri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:APIGateway-Request-Authorizer:vtwo/invocations | ||
| authorizerResultTtlInSeconds: 300 |
21 changes: 21 additions & 0 deletions
21
...ible/aws/api_gateway_without_configured_authorizer/test/swaggerFileWithoutAuthorizer.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| { | ||
| "openapi": "3.0.0", | ||
| "info": { | ||
| "title": "Simple API Overview", | ||
| "version": "1.0.0", | ||
| "contact": { | ||
| "name": "contact", | ||
| "email": "[email protected]" | ||
| } | ||
| }, | ||
| "components": { | ||
| "securitySchemes": { | ||
| "request_authorizer_single_stagevar": { | ||
| "type": "apiKey", | ||
| "name": "Unused", | ||
| "in": "header", | ||
| "x-amazon-apigateway-authtype": "custom" | ||
| } | ||
| } | ||
| } | ||
| } |
14 changes: 14 additions & 0 deletions
14
...ible/aws/api_gateway_without_configured_authorizer/test/swaggerFileWithoutAuthorizer.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| openapi: 3.0.0 | ||
| info: | ||
| title: Simple API Overview | ||
| version: 1.0.0 | ||
| contact: | ||
| name: contact | ||
| email: [email protected] | ||
| components: | ||
| securitySchemes: | ||
| request_authorizer_single_stagevar: | ||
| type: apiKey | ||
| name: Unused | ||
| in: header | ||
| x-amazon-apigateway-authtype: custom |
9 changes: 9 additions & 0 deletions
9
assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_128/metadata.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| { | ||
| "id": "d5ec2080-340a-4259-b885-f833c4ea6a31", | ||
| "queryName": "Certificate RSA Key Bytes Lower Than 128", | ||
| "severity": "MEDIUM", | ||
| "category": "Insecure Configurations", | ||
| "descriptionText": "The certificate should use a RSA key with length higher than 128 bytes", | ||
| "descriptionUrl": "https://docs.ansible.com/ansible/2.10/collections/community/aws/aws_acm_module.html", | ||
| "platform": "Ansible" | ||
| } |
20 changes: 20 additions & 0 deletions
20
assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_128/query.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| package Cx | ||
|
|
||
| import data.generic.ansible as ansLib | ||
|
|
||
| CxPolicy[result] { | ||
| task := ansLib.tasks[id][t] | ||
|
|
||
| acm := task["community.aws.aws_acm"] | ||
| ansLib.checkState(acm) | ||
|
|
||
| acm.certificate.rsa_key_bytes <= 128 | ||
|
|
||
| result := { | ||
| "documentId": id, | ||
| "searchKey": sprintf("name={{%s}}.community.aws.aws_acm.certificate", [task.name]), | ||
| "issueType": "IncorrectValue", | ||
| "keyExpectedValue": "'community.aws.aws_acm.certificate' uses a RSA key with length higher than 128 bytes", | ||
| "keyActualValue": "'community.aws.aws_acm.certificate' does not use a RSA key with length higher than 128 bytes", | ||
| } | ||
| } |
6 changes: 6 additions & 0 deletions
6
assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_128/test/negative.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| - name: upload a self-signed certificate2 | ||
| community.aws.aws_acm: | ||
| certificate: "{{ lookup('file', 'rsa4096.pem' ) }}" | ||
| privateKey: "{{ lookup('file', 'key.pem' ) }}" | ||
| name_tag: my_cert | ||
| region: ap-southeast-2 |
Oops, something went wrong.