github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/internal/adapters/arm/network/adapt.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/internal/adapters/arm/network/adapt.go (about)

     1  package network
     2  
     3  import (
     4  	"strconv"
     5  	"strings"
     6  
     7  	"github.com/khulnasoft-lab/defsec/pkg/providers/azure/network"
     8  	"github.com/khulnasoft-lab/defsec/pkg/scanners/azure"
     9  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
    10  )
    11  
    12  func Adapt(deployment azure.Deployment) network.Network {
    13  	return network.Network{
    14  		SecurityGroups:         adaptSecurityGroups(deployment),
    15  		NetworkWatcherFlowLogs: adaptNetworkWatcherFlowLogs(deployment),
    16  	}
    17  }
    18  
    19  func adaptSecurityGroups(deployment azure.Deployment) (sgs []network.SecurityGroup) {
    20  	for _, resource := range deployment.GetResourcesByType("Microsoft.Network/networkSecurityGroups") {
    21  		sgs = append(sgs, adaptSecurityGroup(resource, deployment))
    22  	}
    23  	return sgs
    24  
    25  }
    26  
    27  func adaptSecurityGroup(resource azure.Resource, deployment azure.Deployment) network.SecurityGroup {
    28  	return network.SecurityGroup{
    29  		Metadata: resource.Metadata,
    30  		Rules:    adaptSecurityGroupRules(resource, deployment),
    31  	}
    32  }
    33  
    34  func adaptSecurityGroupRules(resource azure.Resource, deployment azure.Deployment) (rules []network.SecurityGroupRule) {
    35  	for _, resource := range deployment.GetResourcesByType("Microsoft.Network/networkSecurityGroups/securityRules") {
    36  		rules = append(rules, adaptSecurityGroupRule(resource))
    37  	}
    38  	return rules
    39  }
    40  
    41  func adaptSecurityGroupRule(resource azure.Resource) network.SecurityGroupRule {
    42  	sourceAddressPrefixes := resource.Properties.GetMapValue("sourceAddressPrefixes").AsStringValuesList("")
    43  	sourceAddressPrefixes = append(sourceAddressPrefixes, resource.Properties.GetMapValue("sourceAddressPrefix").AsStringValue("", resource.Metadata))
    44  
    45  	var sourcePortRanges []network.PortRange
    46  	for _, portRange := range resource.Properties.GetMapValue("sourcePortRanges").AsList() {
    47  		sourcePortRanges = append(sourcePortRanges, expandRange(portRange.AsString(), resource.Metadata))
    48  	}
    49  	sourcePortRanges = append(sourcePortRanges, expandRange(resource.Properties.GetMapValue("sourcePortRange").AsString(), resource.Metadata))
    50  
    51  	destinationAddressPrefixes := resource.Properties.GetMapValue("destinationAddressPrefixes").AsStringValuesList("")
    52  	destinationAddressPrefixes = append(destinationAddressPrefixes, resource.Properties.GetMapValue("destinationAddressPrefix").AsStringValue("", resource.Metadata))
    53  
    54  	var destinationPortRanges []network.PortRange
    55  	for _, portRange := range resource.Properties.GetMapValue("destinationPortRanges").AsList() {
    56  		destinationPortRanges = append(destinationPortRanges, expandRange(portRange.AsString(), resource.Metadata))
    57  	}
    58  	destinationPortRanges = append(destinationPortRanges, expandRange(resource.Properties.GetMapValue("destinationPortRange").AsString(), resource.Metadata))
    59  
    60  	allow := defsecTypes.BoolDefault(false, resource.Metadata)
    61  	if resource.Properties.GetMapValue("access").AsString() == "Allow" {
    62  		allow = defsecTypes.Bool(true, resource.Metadata)
    63  	}
    64  
    65  	outbound := defsecTypes.BoolDefault(false, resource.Metadata)
    66  	if resource.Properties.GetMapValue("direction").AsString() == "Outbound" {
    67  		outbound = defsecTypes.Bool(true, resource.Metadata)
    68  	}
    69  
    70  	return network.SecurityGroupRule{
    71  		Metadata:             resource.Metadata,
    72  		Outbound:             outbound,
    73  		Allow:                allow,
    74  		SourceAddresses:      sourceAddressPrefixes,
    75  		SourcePorts:          sourcePortRanges,
    76  		DestinationAddresses: destinationAddressPrefixes,
    77  		DestinationPorts:     destinationPortRanges,
    78  		Protocol:             resource.Properties.GetMapValue("protocol").AsStringValue("", resource.Metadata),
    79  	}
    80  }
    81  
    82  func adaptNetworkWatcherFlowLogs(deployment azure.Deployment) (flowLogs []network.NetworkWatcherFlowLog) {
    83  	for _, resource := range deployment.GetResourcesByType("Microsoft.Network/networkWatchers/flowLogs") {
    84  		flowLogs = append(flowLogs, adaptNetworkWatcherFlowLog(resource))
    85  	}
    86  	return flowLogs
    87  }
    88  
    89  func adaptNetworkWatcherFlowLog(resource azure.Resource) network.NetworkWatcherFlowLog {
    90  	return network.NetworkWatcherFlowLog{
    91  		Metadata: resource.Metadata,
    92  		RetentionPolicy: network.RetentionPolicy{
    93  			Metadata: resource.Metadata,
    94  			Enabled:  resource.Properties.GetMapValue("retentionPolicy").GetMapValue("enabled").AsBoolValue(false, resource.Metadata),
    95  			Days:     resource.Properties.GetMapValue("retentionPolicy").GetMapValue("days").AsIntValue(0, resource.Metadata),
    96  		},
    97  	}
    98  }
    99  
   100  func expandRange(r string, m defsecTypes.Metadata) network.PortRange {
   101  	start := 0
   102  	end := 65535
   103  	switch {
   104  	case r == "*":
   105  	case strings.Contains(r, "-"):
   106  		if parts := strings.Split(r, "-"); len(parts) == 2 {
   107  			if p1, err := strconv.ParseInt(parts[0], 10, 32); err == nil {
   108  				start = int(p1)
   109  			}
   110  			if p2, err := strconv.ParseInt(parts[1], 10, 32); err == nil {
   111  				end = int(p2)
   112  			}
   113  		}
   114  	default:
   115  		if val, err := strconv.ParseInt(r, 10, 32); err == nil {
   116  			start = int(val)
   117  			end = int(val)
   118  		}
   119  	}
   120  
   121  	return network.PortRange{
   122  		Metadata: m,
   123  		Start:    start,
   124  		End:      end,
   125  	}
   126  }