
     1  package iam
     2  
     3  import (
     4  	iamapi "github.com/aws/aws-sdk-go-v2/service/iam"
     5  	"github.com/khulnasoft-lab/defsec/internal/adapters/cloud/aws"
     6  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
     7  	"github.com/khulnasoft-lab/defsec/pkg/state"
     8  	"github.com/khulnasoft-lab/defsec/pkg/types"
     9  )
    10  
// adapter adapts live AWS IAM configuration into defsec's IAM state model.
// The zero value is registered in init and populated by Adapt before use.
type adapter struct {
	// RootAdapter supplies the shared scan plumbing used below: Context(),
	// Tracker(), Debug() and CreateMetadata(), plus the AWS session config.
	*aws.RootAdapter
	// api is the IAM client built from root.SessionConfig() in Adapt.
	api *iamapi.Client
}
    15  
// init registers this adapter with the root AWS adapter so it participates in
// cloud scans. The registered value is a zero adapter; Adapt fills it in.
func init() {
	var iamAdapter adapter
	aws.RegisterServiceAdapter(&iamAdapter)
}
    19  
// Provider identifies the cloud provider this adapter covers.
func (a *adapter) Provider() string {
	const providerID = "aws"
	return providerID
}
    23  
// Name identifies the service within the provider that this adapter covers.
func (a *adapter) Name() string {
	const serviceName = "iam"
	return serviceName
}
    27  
// Adapt builds the IAM client from the root adapter's session and walks the
// account's IAM configuration into state. Steps run strictly in sequence and
// the first failure aborts the walk, so a failing early step (policies, roles)
// leaves the later IAM resources absent from state.
//
// Ordering matters in one place: groups are adapted after users because
// group membership is resolved against the users already in state.
func (a *adapter) Adapt(root *aws.RootAdapter, state *state.State) error {
	a.RootAdapter = root
	a.api = iamapi.NewFromConfig(root.SessionConfig())

	// Each step only runs if every step before it succeeded; the first
	// error is the one returned.
	err := a.adaptPasswordPolicy(state)
	if err == nil {
		err = a.adaptPolicies(state)
	}
	if err == nil {
		err = a.adaptRoles(state)
	}
	if err == nil {
		err = a.adaptUsers(state)
	}
	if err == nil {
		// depends on users being in state already
		err = a.adaptGroups(state)
	}
	if err == nil {
		err = a.adaptServerCertificates(state)
	}
	return err
}
    60  
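// adaptPasswordPolicy fetches the account password policy with
// GetAccountPasswordPolicy and records it in state.AWS.IAM.PasswordPolicy.
//
// The call is deliberately best-effort: on any API error the policy is left
// at its zero value, the failure is only written to debug output, and nil is
// returned so the remaining IAM adapters still run.
//
// NOTE(review): IAM reports an account with *no* password policy as an API
// error (NoSuchEntity) rather than an empty policy, so that condition — which
// is itself a weak-configuration finding — is indistinguishable here from a
// transient or permission failure, and both go unreported beyond debug logs.
// Consider distinguishing the two (the SDK's typed errors are not imported in
// this file) — confirm how downstream checks treat a zero-value policy.
//
// Returns nil in every case except where a future change makes the fetch
// fatal; the current implementation never returns a non-nil error.
func (a *adapter) adaptPasswordPolicy(state *state.State) error {

	a.Tracker().SetServiceLabel("Checking password policy...")

	output, err := a.api.GetAccountPasswordPolicy(a.Context(), &iamapi.GetAccountPasswordPolicyInput{})
	if err != nil {
		a.Debug("Failed to adapt account password policy: %s", err)
		return nil
	}

	// The SDK returns the policy as a pointer; guard against a nil body so an
	// unexpected empty response cannot panic the whole scan on the derefs below.
	policy := output.PasswordPolicy
	if policy == nil {
		a.Debug("Account password policy response contained no policy")
		return nil
	}

	a.Tracker().SetTotalResources(1)
	metadata := a.CreateMetadata("passwordpolicy")

	// The numeric settings are optional pointers in the SDK; an absent value
	// is recorded as 0.
	reusePrevention := 0
	if policy.PasswordReusePrevention != nil {
		reusePrevention = int(*policy.PasswordReusePrevention)
	}
	maxAge := 0
	if policy.MaxPasswordAge != nil {
		maxAge = int(*policy.MaxPasswordAge)
	}
	minimumLength := 0
	if policy.MinimumPasswordLength != nil {
		minimumLength = int(*policy.MinimumPasswordLength)
	}

	state.AWS.IAM.PasswordPolicy = iam.PasswordPolicy{
		Metadata:             metadata,
		ReusePreventionCount: types.Int(reusePrevention, metadata),
		RequireLowercase:     types.Bool(policy.RequireLowercaseCharacters, metadata),
		RequireUppercase:     types.Bool(policy.RequireUppercaseCharacters, metadata),
		RequireNumbers:       types.Bool(policy.RequireNumbers, metadata),
		RequireSymbols:       types.Bool(policy.RequireSymbols, metadata),
		MaxAgeDays:           types.Int(maxAge, metadata),
		MinimumLength:        types.Int(minimumLength, metadata),
	}

	return nil
}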
    97  }