Bugfix/s3 user policy (#1157)
* fix false positive

* fix false positive
gaurav-gogia authored Feb 18, 2022
1 parent f1acad7 commit 2f294b4
Showing 1 changed file with 58 additions and 19 deletions.
77 changes: 58 additions & 19 deletions pkg/policies/opa/rego/aws/aws_s3_bucket/s3EnforceUserACL.rego
@@ -1,28 +1,67 @@
package accurics

{{.prefix}}s3EnforceUserACL[retVal] {
{{.prefix}}s3EnforceUserACL[bucket.id] {
bucket := input.aws_s3_bucket[_]
checkAcl(bucket.config)
checkPolicy(input, bucket.config)
}

#proceeding forward only if inline policy is not included
not bucket.config.policy
checkAcl(bucket_config) {
lower(bucket_config.acl) != "private"
}

bucket_policy := input.aws_s3_bucket_policy[_]
checkAcl(bucket_config) {
object.get(bucket_config, "acl", "undefined") == [[], null, "undefined"][_]
}

bucket_id := split(bucket.id, ".")[1]
not contains(bucket_policy.config.bucket, bucket_id)
checkPolicy(inobj, bucket_config) {
object.get(bucket_config, "policy", "undefined") != [[], null, "undefined"][_]
policy_object := json_unmarshal(bucket_config.policy)

checkPrincipals(policy_object)
}

rc := "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"
decode_rc := base64.decode(rc)
replaced_resource_name := replace(decode_rc, "##resource_name##", bucket.name)
checkPolicy(inobj, bucket_config) {
object.get(bucket_config, "policy", "undefined") == [[], null, "undefined"][_]

retVal := {
"Id": bucket.id,
"ReplaceType": "add",
"CodeType": "resource",
"Traverse": "",
"Attribute": "",
"AttributeDataType": "resource",
"Expected": base64.encode(replaced_resource_name),
"Actual": null
}
bucket_policy := inobj.aws_s3_bucket_policy[_]
object.get(bucket_policy.config, "policy", "undefined") != [[], null, "undefined"][_]
policy_object := json_unmarshal(bucket_policy.policy)

checkPrincipals(policy_object)
}

checkPrincipals(policy) {
statement := policy.statement[_]
identifier := statement.principals.identifiers[_]
identifier == "*"
}

# remove all id related prefix and suffix characters generated by terrascan
getCleanID(id) = cleanID {
v1 := trim_left(id, "$")
v2 := trim_left(v1, "{")
v3 := trim_right(v2, "}")
cleanID = cleanEnd(v3)
}

cleanEnd(idv3) = cleanID {
endswith(idv3, ".id")
cleanID = trim_right(idv3, ".id")
}

cleanEnd(idv3) = cleanID {
endswith(idv3, ".bucket")
cleanID = trim_right(idv3, ".bucket")
}

json_unmarshal(s) = result {
s == null
result := json.unmarshal("{}")
}

json_unmarshal(s) = result {
s != null
s1 := lower(s)
result := json.unmarshal(s1)
}
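Review bot: The second checkPolicy body (the aws_s3_bucket_policy branch) can never succeed: its guard reads `bucket_policy.config.policy`, but the next line unmarshals `bucket_policy.policy`, which is undefined on the same object, so a wildcard principal in a standalone bucket policy is silently missed; it should be `policy_object := json_unmarshal(bucket_policy.config.policy)`. That branch also ranges over every aws_s3_bucket_policy in the input without tying it to the bucket being evaluated, so one permissive policy anywhere would flag every bucket that has no inline policy — the opposite of the false-positive fix the commit is after. getCleanID and cleanEnd are added but never called in this file, which looks like the intended correlation step, e.g. `getCleanID(bucket_policy.config.bucket) == bucket.id` (confirm against how terrascan renders the bucket reference). Separately, the `object.get(...) != [[], null, "undefined"][_]` guards in both checkPolicy bodies are always satisfied, since any value differs from at least one of the three alternatives; write the negation as `not isUnset(x)` with `isUnset(x) { x == [[], null, "undefined"][_] }` instead. Finally, checkPrincipals walks `statement.principals.identifiers`, which is the shape of an HCL aws_iam_policy_document block rather than an AWS policy JSON document (`Statement[].Principal` as `"*"` or `{"AWS": "*"}`); if the unmarshaled string is the latter, wildcard principals would not be detected, so that path is worth a test fixture.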
