
     1  package iam
     2  
     3  import (
     4  	"fmt"
     5  
     6  	"github.com/khulnasoft-lab/defsec/pkg/concurrency"
     7  	"github.com/khulnasoft-lab/defsec/pkg/types"
     8  
     9  	iamapi "github.com/aws/aws-sdk-go-v2/service/iam"
    10  	iamtypes "github.com/aws/aws-sdk-go-v2/service/iam/types"
    11  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
    12  	"github.com/khulnasoft-lab/defsec/pkg/state"
    13  )
    14  
// adaptRoles lists every IAM role in the account, following the
// ListRoles pagination markers, and stores the adapted result in
// state.AWS.IAM.Roles. The tracker's resource total is updated after each
// page so progress reporting reflects discovery as it happens.
//
// A ListRoles failure is returned to the caller unchanged; the state is
// not modified in that case. Adaptation of the discovered roles is
// delegated to concurrency.Adapt with adaptRole as the per-item worker.
func (a *adapter) adaptRoles(state *state.State) error {
	a.Tracker().SetServiceLabel("Discovering roles...")

	var discovered []iamtypes.Role
	req := &iamapi.ListRolesInput{}
	for more := true; more; {
		page, err := a.api.ListRoles(a.Context(), req)
		if err != nil {
			return err
		}
		discovered = append(discovered, page.Roles...)
		a.Tracker().SetTotalResources(len(discovered))

		// Keep paging while the API reports a truncated result; the
		// marker from this page seeds the next request.
		more = page.IsTruncated
		req.Marker = page.Marker
	}

	a.Tracker().SetServiceLabel("Adapting roles...")
	state.AWS.IAM.Roles = concurrency.Adapt(discovered, a.RootAdapter, a.adaptRole)

	return nil
}
    40  
// adaptRole converts a single SDK role into the provider's iam.Role.
//
// It returns an error only when the role has no ARN or no name, since both
// are needed to build metadata and the role's identity. Policy collection
// is best-effort: the attached managed policies are gathered page by page
// via ListAttachedRolePolicies, and a failure to list or adapt a policy is
// logged at debug level rather than returned, so the role is still
// produced with whatever policies had been collected up to that point.
// Reviewers of scan results should be aware that such a role carries an
// incomplete policy set without any marker on the returned value.
//
// Only attached managed policies are collected here; inline role policies
// and the role's trust (assume-role) policy are not read by this adapter.
func (a *adapter) adaptRole(apiRole iamtypes.Role) (*iam.Role, error) {
	switch {
	case apiRole.Arn == nil:
		return nil, fmt.Errorf("role arn not specified")
	case apiRole.RoleName == nil:
		return nil, fmt.Errorf("role name not specified")
	}
	roleName := *apiRole.RoleName

	// Left nil when no policy is collected, matching the original encoding
	// of an empty policy list.
	var policies []iam.Policy

	req := &iamapi.ListAttachedRolePoliciesInput{RoleName: apiRole.RoleName}
	for more := true; more; {
		page, err := a.api.ListAttachedRolePolicies(a.Context(), req)
		if err != nil {
			// Best-effort: stop paging and keep what was gathered so far.
			a.Debug("Failed to locate policies attached to role '%s': %s", roleName, err)
			break
		}

		for _, attached := range page.AttachedPolicies {
			adapted, err := a.adaptAttachedPolicy(attached)
			if err != nil {
				// A single unadaptable policy is skipped, not fatal.
				a.Debug("Failed to adapt policy attached to role '%s': %s", roleName, err)
				continue
			}
			policies = append(policies, *adapted)
		}

		more = page.IsTruncated
		req.Marker = page.Marker
	}

	metadata := a.CreateMetadataFromARN(*apiRole.Arn)
	role := &iam.Role{
		Metadata: metadata,
		Name:     types.String(roleName, metadata),
		Policies: policies,
	}
	return role, nil
}