github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/internal/adapters/cloud/aws/iam/policy.go (about)

     1  package iam
     2  
     3  import (
     4  	"fmt"
     5  	"strings"
     6  
     7  	"github.com/khulnasoft-lab/defsec/pkg/concurrency"
     8  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     9  
    10  	"github.com/liamg/iamgo"
    11  
    12  	iamapi "github.com/aws/aws-sdk-go-v2/service/iam"
    13  	iamtypes "github.com/aws/aws-sdk-go-v2/service/iam/types"
    14  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
    15  	"github.com/khulnasoft-lab/defsec/pkg/state"
    16  )
    17  
// adaptPolicies discovers every local-scope (customer-managed) IAM policy in
// the account by following ListPolicies pagination via Marker, then adapts each
// one concurrently with adaptPolicy and stores the result in
// state.AWS.IAM.Policies. Progress is reported through the adapter's tracker.
// It returns the first ListPolicies error encountered.
func (a *adapter) adaptPolicies(state *state.State) error {

	a.Tracker().SetServiceLabel("Discovering policies...")

	var (
		discovered []iamtypes.Policy
		request    = &iamapi.ListPoliciesInput{Scope: iamtypes.PolicyScopeTypeLocal}
	)
	for more := true; more; {
		page, err := a.api.ListPolicies(a.Context(), request)
		if err != nil {
			return err
		}
		discovered = append(discovered, page.Policies...)
		a.Tracker().SetTotalResources(len(discovered))
		// A truncated page means the service holds more; continue from its marker.
		more = page.IsTruncated
		request.Marker = page.Marker
	}

	a.Tracker().SetServiceLabel("Adapting policies...")

	state.AWS.IAM.Policies = concurrency.Adapt(discovered, a.RootAdapter, a.adaptPolicy)
	return nil
}
    45  
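// adaptPolicy converts a single IAM policy returned by the AWS API into the
// defsec iam.Policy model. It fetches the policy's default version document via
// GetPolicyVersion, parses it with iamgo, and derives the Builtin flag from the
// ARN. Metadata is created from the policy ARN.
//
// It returns an error when the ARN or name is missing, when GetPolicyVersion
// fails or returns no document, or when the document cannot be parsed.
func (a *adapter) adaptPolicy(apiPolicy iamtypes.Policy) (*iam.Policy, error) {

	if apiPolicy.Arn == nil {
		return nil, fmt.Errorf("policy arn not specified")
	}
	if apiPolicy.PolicyName == nil {
		return nil, fmt.Errorf("policy name not specified")
	}
	arn := *apiPolicy.Arn

	output, err := a.api.GetPolicyVersion(a.Context(), &iamapi.GetPolicyVersionInput{
		PolicyArn: apiPolicy.Arn,
		VersionId: apiPolicy.DefaultVersionId,
	})
	if err != nil {
		return nil, fmt.Errorf("getting default version of policy %q: %w", arn, err)
	}
	// The SDK models PolicyVersion and Document as pointers; guard them before
	// dereferencing so an unexpected response cannot panic the whole scan.
	if output.PolicyVersion == nil || output.PolicyVersion.Document == nil {
		return nil, fmt.Errorf("policy %q: default version has no document", arn)
	}

	metadata := a.CreateMetadataFromARN(arn)

	// NOTE(review): the AWS API reference states GetPolicyVersion returns the
	// document URL-encoded (RFC 3986); confirm iamgo.ParseString decodes it.
	document, err := iamgo.ParseString(*output.PolicyVersion.Document)
	if err != nil {
		return nil, fmt.Errorf("parsing document of policy %q: %w", arn, err)
	}

	return &iam.Policy{
		Metadata: metadata,
		// PolicyName was nil-checked above, so it can be dereferenced directly.
		Name: defsecTypes.String(*apiPolicy.PolicyName, metadata),
		Document: iam.Document{
			Metadata: metadata,
			Parsed:   *document,
		},
		// AWS-managed policies live in the "aws" pseudo-account in every
		// partition (aws, aws-cn, aws-us-gov), so inspect the account segment of
		// the ARN instead of matching only the "arn:aws:" prefix, which would
		// misreport managed policies in non-standard partitions as custom ones.
		Builtin: defsecTypes.Bool(isAWSManagedPolicyARN(arn), metadata),
	}, nil
}

// isAWSManagedPolicyARN reports whether arn names an AWS-managed policy: an IAM
// ARN whose account segment is the "aws" pseudo-account
// (arn:<partition>:iam::aws:policy/...). Malformed ARNs yield false.
func isAWSManagedPolicyARN(arn string) bool {
	// SplitN keeps any colons inside the resource segment intact.
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) < 6 || parts[0] != "arn" || parts[2] != "iam" {
		return false
	}
	return parts[4] == "aws"
}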
    85  
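// adaptAttachedPolicy resolves a policy attachment to the full iam.Policy model.
// It looks the policy up by ARN with GetPolicy and delegates the rest of the
// conversion to adaptPolicy.
//
// It returns an error when the ARN or name is missing, when GetPolicy fails or
// returns no policy, or when adaptPolicy fails.
func (a *adapter) adaptAttachedPolicy(apiPolicy iamtypes.AttachedPolicy) (*iam.Policy, error) {

	if apiPolicy.PolicyArn == nil {
		return nil, fmt.Errorf("policy arn not specified")
	}
	if apiPolicy.PolicyName == nil {
		return nil, fmt.Errorf("policy name not specified")
	}
	arn := *apiPolicy.PolicyArn

	policyOutput, err := a.api.GetPolicy(a.Context(), &iamapi.GetPolicyInput{
		PolicyArn: apiPolicy.PolicyArn,
	})
	if err != nil {
		return nil, fmt.Errorf("getting policy %q: %w", arn, err)
	}
	// Policy is a pointer in the SDK response; guard it so an unexpected empty
	// response returns an error instead of panicking the scan.
	if policyOutput.Policy == nil {
		return nil, fmt.Errorf("policy %q: GetPolicy returned no policy", arn)
	}

	return a.adaptPolicy(*policyOutput.Policy)
}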
   102  	return a.adaptPolicy(*policyOutput.Policy)
   103  }