Add redshift

go.mod

@@ -3,7 +3,7 @@ module github.com/aquasecurity/cfsec
 go 1.16
 
 require (
-	github.com/aquasecurity/defsec v0.0.15
+	github.com/aquasecurity/defsec v0.0.16
 	github.com/google/go-cmp v0.5.5 // indirect
 	github.com/liamg/clinch v1.5.6
 	github.com/liamg/jfather v0.0.2

go.sum

@@ -63,6 +63,8 @@ github.com/aquasecurity/defsec v0.0.14 h1:8Ww1zHXV8LmcS5NB/5H8h3vBLEYaYwIf63mHw+
 github.com/aquasecurity/defsec v0.0.14/go.mod h1:E53TX/xJkcgpJyF5GPSat3Z+cZiLyvSNBdJAyfdl3fc=
 github.com/aquasecurity/defsec v0.0.15 h1:WmUxI6ep6uHDeXxbVIqBZn/QKxhPO4YaBSmirapV7ok=
 github.com/aquasecurity/defsec v0.0.15/go.mod h1:E53TX/xJkcgpJyF5GPSat3Z+cZiLyvSNBdJAyfdl3fc=
+github.com/aquasecurity/defsec v0.0.16 h1:w1zHQfOZIcGiGtxxXyUU3o16AoSN2p2PjUlm7Lo+6DQ=
+github.com/aquasecurity/defsec v0.0.16/go.mod h1:E53TX/xJkcgpJyF5GPSat3Z+cZiLyvSNBdJAyfdl3fc=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=

internal/app/cfsec/adapter/aws/adapt.go

@@ -19,6 +19,7 @@ import (
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/eks"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/elasticache"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/iam"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/redshift"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/s3"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/sns"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/sqs"
@@ -49,6 +50,7 @@ func Adapt(cfFile parser.FileContext) aws.AWS {
 		IAM:         iam.Adapt(cfFile),
 		EKS:         eks.Adapt(cfFile),
 		ElastiCache: elasticache.Adapt(cfFile),
+		Redshift:    redshift.Adapt(cfFile),
 		S3:          s3.Adapt(cfFile),
 		SNS:         sns.Adapt(cfFile),
 		SQS:         sqs.Adapt(cfFile),

internal/app/cfsec/adapter/aws/redshift/redshift.go

@@ -0,0 +1,50 @@
+package redshift
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/parser"
+	"github.com/aquasecurity/defsec/provider/aws/redshift"
+	"github.com/aquasecurity/defsec/types"
+)
+
+func Adapt(cfFile parser.FileContext) redshift.Redshift {
+	return redshift.Redshift{
+		Clusters:       getClusters(cfFile),
+		SecurityGroups: getSecurityGroups(cfFile),
+	}
+}
+
+func getClusters(ctx parser.FileContext) (clusters []redshift.Cluster) {
+	for _, clusterResource := range ctx.GetResourceByType("AWS::Redshift::Cluster") {
+		var cluster redshift.Cluster
+		if subnetProp := clusterResource.GetProperty("ClusterSubnetGroupName"); subnetProp.IsString() {
+			cluster.SubnetGroupName = subnetProp.AsStringValue()
+		} else {
+			cluster.SubnetGroupName = types.StringDefault("", clusterResource.Metadata())
+		}
+		if encryptedProp := clusterResource.GetProperty("Encrypted"); encryptedProp.IsBool() {
+			cluster.Encryption.Enabled = encryptedProp.AsBoolValue()
+		} else {
+			cluster.Encryption.Enabled = types.BoolDefault(false, clusterResource.Metadata())
+		}
+		if keyProp := clusterResource.GetProperty("KmsKeyId"); keyProp.IsString() {
+			cluster.Encryption.KMSKeyID = keyProp.AsStringValue()
+		} else {
+			cluster.Encryption.KMSKeyID = types.StringDefault("", clusterResource.Metadata())
+		}
+		clusters = append(clusters, cluster)
+	}
+	return clusters
+}
+
+func getSecurityGroups(ctx parser.FileContext) (groups []redshift.SecurityGroup) {
+	for _, groupResource := range ctx.GetResourceByType("AWS::Redshift::ClusterSecurityGroup") {
+		var group redshift.SecurityGroup
+		if descProp := groupResource.GetProperty("Description"); descProp.IsString() {
+			group.Description = descProp.AsStringValue()
+		} else {
+			group.Description = types.StringDefault("", groupResource.Metadata())
+		}
+		groups = append(groups, group)
+	}
+	return groups
+}

internal/app/cfsec/rules/aws/redshift/add_description_to_security_group_rule.go

@@ -0,0 +1,39 @@
+package redshift
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/rule"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/scanner"
+	"github.com/aquasecurity/defsec/rules/aws/redshift"
+)
+
+func init() {
+	scanner.RegisterCheckRule(rule.Rule{
+
+		BadExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Bad example of redshift sgr
+Resources:
+  Queue:
+    Type: AWS::Redshift::ClusterSecurityGroup
+    Properties:
+      Description: ""
+
+`,
+		},
+
+		GoodExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good example of redshift sgr
+Resources:
+  Queue:
+    Type: AWS::Redshift::ClusterSecurityGroup
+    Properties:
+      Description: "Disallow bad stuff"
+
+`,
+		},
+		Base: redshift.CheckAddDescriptionToSecurityGroup,
+	})
+}

internal/app/cfsec/rules/aws/redshift/add_description_to_security_group_rule_test.go

@@ -0,0 +1,17 @@
+package redshift
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/test"
+)
+
+func Test_Redshift_AddDescriptionToSecurityGroup_FailureExamples(t *testing.T) {
+	expectedCode := "aws-redshift-add-description-to-security-group"
+	test.RunFailureExamplesTest(t, expectedCode)
+}
+
+func Test_Redshift_AddDescriptionToSecurityGroup_SuccessExamples(t *testing.T) {
+	expectedCode := "aws-redshift-add-description-to-security-group"
+	test.RunPassingExamplesTest(t, expectedCode)
+}

internal/app/cfsec/rules/aws/redshift/encryption_customer_key_rule.go

@@ -0,0 +1,39 @@
+package redshift
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/rule"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/scanner"
+	"github.com/aquasecurity/defsec/rules/aws/redshift"
+)
+
+func init() {
+	scanner.RegisterCheckRule(rule.Rule{
+
+		BadExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Bad example of redshift cluster
+Resources:
+  Queue:
+    Type: AWS::Redshift::Cluster
+    Properties:
+      Encrypted: true
+`,
+		},
+
+		GoodExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Bad example of redshift cluster
+Resources:
+  Queue:
+    Type: AWS::Redshift::Cluster
+    Properties:
+      Encrypted: true
+      KmsKeyId: "something"
+
+`,
+		},
+		Base: redshift.CheckEncryptionCustomerKey,
+	})
+}

internal/app/cfsec/rules/aws/redshift/encryption_customer_key_rule_test.go

@@ -0,0 +1,17 @@
+package redshift
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/test"
+)
+
+func Test_Redshift_EncryptionCustomerKey_FailureExamples(t *testing.T) {
+	expectedCode := "aws-redshift-encryption-customer-key"
+	test.RunFailureExamplesTest(t, expectedCode)
+}
+
+func Test_Redshift_EncryptionCustomerKey_SuccessExamples(t *testing.T) {
+	expectedCode := "aws-redshift-encryption-customer-key"
+	test.RunPassingExamplesTest(t, expectedCode)
+}

internal/app/cfsec/rules/aws/redshift/no_classic_resources_rule.go

@@ -0,0 +1,35 @@
+package redshift
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/rule"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/scanner"
+	"github.com/aquasecurity/defsec/rules/aws/redshift"
+)
+
+func init() {
+	scanner.RegisterCheckRule(rule.Rule{
+
+		BadExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Bad example of redshift sgr
+Resources:
+  Queue:
+    Type: AWS::Redshift::ClusterSecurityGroup
+    Properties:
+      Description: ""
+
+`,
+		},
+
+		GoodExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good example of redshift sgr
+Resources:
+
+`,
+		},
+		Base: redshift.CheckNoClassicResources,
+	})
+}

internal/app/cfsec/rules/aws/redshift/no_classic_resources_rule_test.go

@@ -0,0 +1,17 @@
+package redshift
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/test"
+)
+
+func Test_Redshift_NoClassicResources_FailureExamples(t *testing.T) {
+	expectedCode := "aws-redshift-no-classic-resources"
+	test.RunFailureExamplesTest(t, expectedCode)
+}
+
+func Test_Redshift_NoClassicResources_SuccessExamples(t *testing.T) {
+	expectedCode := "aws-redshift-no-classic-resources"
+	test.RunPassingExamplesTest(t, expectedCode)
+}

internal/app/cfsec/rules/aws/redshift/use_vpc_rule.go

@@ -0,0 +1,39 @@
+package redshift
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/rule"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/scanner"
+	"github.com/aquasecurity/defsec/rules/aws/redshift"
+)
+
+func init() {
+	scanner.RegisterCheckRule(rule.Rule{
+
+		BadExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Bad example of redshift cluster
+Resources:
+  Queue:
+    Type: AWS::Redshift::Cluster
+    Properties:
+      ClusterSubnetGroupName: ""
+
+`,
+		},
+
+		GoodExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Bad example of redshift cluster
+Resources:
+  Queue:
+    Type: AWS::Redshift::Cluster
+    Properties:
+      ClusterSubnetGroupName: "my-subnet-group"
+
+`,
+		},
+		Base: redshift.CheckUsesVPC,
+	})
+}

internal/app/cfsec/rules/aws/redshift/use_vpc_rule_test.go

@@ -0,0 +1,17 @@
+package redshift
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/test"
+)
+
+func Test_Redshift_UseVPC_FailureExamples(t *testing.T) {
+	expectedCode := "aws-redshift-use-vpc"
+	test.RunFailureExamplesTest(t, expectedCode)
+}
+
+func Test_Redshift_UseVPC_SuccessExamples(t *testing.T) {
+	expectedCode := "aws-redshift-use-vpc"
+	test.RunPassingExamplesTest(t, expectedCode)
+}