
     1  package ec2
     2  
     3  import (
     4  	"strconv"
     5  
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/ec2"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/scanners/cloudformation/parser"
    11  )
    12  
// getNetworkACLs adapts every AWS::EC2::NetworkAcl resource in the template
// into an ec2.NetworkACL, attaching the AWS::EC2::NetworkAclEntry resources
// that reference it (by logical id) as its rules.
//
// IsDefaultRule is fixed to false: the adapter treats every NACL declared
// in a template as a custom ACL, with the resource's own metadata attached
// so findings point at the declaring resource.
func getNetworkACLs(ctx parser.FileContext) (acls []ec2.NetworkACL) {
	resources := ctx.GetResourcesByType("AWS::EC2::NetworkAcl")
	for _, res := range resources {
		meta := res.Metadata()
		acls = append(acls, ec2.NetworkACL{
			Metadata:      meta,
			Rules:         getRules(res.ID(), ctx),
			IsDefaultRule: defsecTypes.BoolDefault(false, meta),
		})
	}
	return acls
}
    24  
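// getRules collects every AWS::EC2::NetworkAclEntry whose NetworkAclId is the
// plain string id of the given ACL and adapts it into an ec2.NetworkACLRule.
// Entries whose NetworkAclId is not a string (e.g. an unresolved intrinsic)
// are skipped, so such rules are invisible to downstream checks.
//
// Defaults applied when a property is absent or has an unexpected type:
//   - Type:     ingress  (Egress missing or not a bool)
//   - Action:   allow    (RuleAction missing or not a string)
//   - Protocol: "-1", all protocols (Protocol missing or neither int nor string)
//   - CIDRs:    nil      (neither CidrBlock nor Ipv6CidrBlock is a string)
//
// Protocol is accepted both as an integer and as a quoted number so that a
// protocol-specific entry written as a string is not widened to "-1".
// The entry's PortRange is not read here, so checks see only type, action,
// protocol and CIDRs.
func getRules(id string, ctx parser.FileContext) (rules []ec2.NetworkACLRule) {
	for _, ruleResource := range ctx.GetResourcesByType("AWS::EC2::NetworkAclEntry") {
		aclID := ruleResource.GetProperty("NetworkAclId")
		if !aclID.IsString() || aclID.AsString() != id {
			continue
		}

		meta := ruleResource.Metadata()
		rule := ec2.NetworkACLRule{
			Metadata: meta,
			Type:     defsecTypes.StringDefault(ec2.TypeIngress, meta),
			Action:   defsecTypes.StringDefault(ec2.ActionAllow, meta),
			Protocol: defsecTypes.String("-1", meta),
			CIDRs:    nil,
		}

		// Egress: true marks an egress rule, false an ingress one; a missing
		// or non-bool value keeps the ingress default (with resource metadata).
		if egress := ruleResource.GetProperty("Egress"); egress.IsBool() {
			ruleType := ec2.TypeIngress
			if egress.AsBool() {
				ruleType = ec2.TypeEgress
			}
			rule.Type = defsecTypes.String(ruleType, egress.Metadata())
		}

		// Any RuleAction other than the literal allow value is recorded as deny.
		if action := ruleResource.GetProperty("RuleAction"); action.IsString() {
			ruleAction := ec2.ActionDeny
			if action.AsString() == ec2.ActionAllow {
				ruleAction = ec2.ActionAllow
			}
			rule.Action = defsecTypes.String(ruleAction, action.Metadata())
		}

		// Protocol is an integer in the CloudFormation schema (-1 = all), but a
		// quoted number parses as a string; keep the string verbatim rather than
		// falling back to "-1", which would report the rule as all-protocols.
		if protocol := ruleResource.GetProperty("Protocol"); protocol.IsInt() {
			rule.Protocol = defsecTypes.String(strconv.Itoa(protocol.AsIntValue().Value()), protocol.Metadata())
		} else if protocol.IsString() {
			rule.Protocol = protocol.AsStringValue()
		}

		// An entry may carry an IPv4 block, an IPv6 block, or both.
		if ipv4 := ruleResource.GetProperty("CidrBlock"); ipv4.IsString() {
			rule.CIDRs = append(rule.CIDRs, ipv4.AsStringValue())
		}
		if ipv6 := ruleResource.GetProperty("Ipv6CidrBlock"); ipv6.IsString() {
			rule.CIDRs = append(rule.CIDRs, ipv6.AsStringValue())
		}

		rules = append(rules, rule)
	}
	return rules
}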