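package iam

import (
	"errors"
	"fmt"

	iamapi "github.com/aws/aws-sdk-go-v2/service/iam"
	iamtypes "github.com/aws/aws-sdk-go-v2/service/iam/types"

	"github.com/khulnasoft-lab/defsec/pkg/concurrency"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
	"github.com/khulnasoft-lab/defsec/pkg/state"
	"github.com/khulnasoft-lab/defsec/pkg/types"
)

// adaptGroups enumerates every IAM group in the account via ListGroups,
// following Marker pagination until IsTruncated is false, and stores the
// adapted groups in state.AWS.IAM.Groups.
//
// The full group list is fetched before any group is adapted, so the
// tracker's resource total is only final once pagination ends. A ListGroups
// error aborts discovery rather than adapting a partial list: a truncated
// inventory would be indistinguishable from a complete one to whatever
// consumes the state.
func (a *adapter) adaptGroups(state *state.State) error {
	a.Tracker().SetServiceLabel("Discovering groups...")

	var nativeGroups []iamtypes.Group
	input := &iamapi.ListGroupsInput{}
	for {
		groupsOutput, err := a.api.ListGroups(a.Context(), input)
		if err != nil {
			return fmt.Errorf("listing iam groups: %w", err)
		}
		nativeGroups = append(nativeGroups, groupsOutput.Groups...)
		a.Tracker().SetTotalResources(len(nativeGroups))
		if !groupsOutput.IsTruncated {
			break
		}
		input.Marker = groupsOutput.Marker
	}

	a.Tracker().SetServiceLabel("Adapting groups...")

	state.AWS.IAM.Groups = concurrency.AdaptWithState(nativeGroups, state, a.RootAdapter, a.adaptGroup)
	return nil
}

// adaptGroup converts one API group into the defsec model.
//
// Policies holds only the managed policies returned by
// ListAttachedGroupPolicies; this function makes no call for inline
// (embedded) group policies, so they are not part of the adapted group.
// Failures while listing or adapting attached policies are logged at debug
// level and the group is still emitted with whatever was collected, so an
// empty Policies slice can mean "could not read" as well as "none attached";
// the debug log is the only signal distinguishing the two.
//
// Users is resolved from state.AWS.IAM.Users by group name, so it is only
// populated if users were adapted into state before groups (presumably the
// caller orders it that way — verify against the adapter entry point). With a
// nil state, or no users yet, Users is empty.
//
// Returns an error only when the group lacks an Arn or a GroupName, the two
// fields everything else here is derived from.
func (a *adapter) adaptGroup(apiGroup iamtypes.Group, state *state.State) (*iam.Group, error) {
	if apiGroup.Arn == nil {
		return nil, errors.New("group arn not specified")
	}
	if apiGroup.GroupName == nil {
		return nil, errors.New("group name not specified")
	}
	groupName := *apiGroup.GroupName

	metadata := a.CreateMetadataFromARN(*apiGroup.Arn)

	policies := a.adaptGroupAttachedPolicies(apiGroup.GroupName)

	// Match users to this group by name; a user is appended at most once
	// even if its Groups list repeats the same name.
	var users []iam.User
	if state != nil {
		for _, user := range state.AWS.IAM.Users {
			for _, userGroup := range user.Groups {
				if userGroup.Name.EqualTo(groupName) {
					users = append(users, user)
					break
				}
			}
		}
	}

	return &iam.Group{
		Metadata: metadata,
		Name:     types.String(groupName, metadata),
		Users:    users,
		Policies: policies,
	}, nil
}

// adaptGroupAttachedPolicies pages through ListAttachedGroupPolicies for the
// named group (groupName must be non-nil) and adapts each attached managed
// policy.
//
// This is best-effort: a listing error stops pagination and returns the
// policies collected so far, and a policy that fails to adapt is skipped.
// Both conditions are reported only via Debug, which callers should keep in
// mind when an empty result is used to judge a group's permissions.
func (a *adapter) adaptGroupAttachedPolicies(groupName *string) []iam.Policy {
	var policies []iam.Policy

	input := &iamapi.ListAttachedGroupPoliciesInput{
		GroupName: groupName,
	}
	for {
		policiesOutput, err := a.api.ListAttachedGroupPolicies(a.Context(), input)
		if err != nil {
			a.Debug("Failed to locate policies attached to group '%s': %s", *groupName, err)
			break
		}

		for _, apiPolicy := range policiesOutput.AttachedPolicies {
			policy, err := a.adaptAttachedPolicy(apiPolicy)
			if err != nil {
				a.Debug("Failed to adapt policy attached to group '%s': %s", *groupName, err)
				continue
			}
			policies = append(policies, *policy)
		}

		if !policiesOutput.IsTruncated {
			break
		}
		input.Marker = policiesOutput.Marker
	}

	return policies
}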