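package iam

import (
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
	"github.com/khulnasoft-lab/defsec/pkg/scanners/cloudformation/parser"
	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
	"github.com/liamg/iamgo"
)

// getPolicies adapts every AWS::IAM::Policy resource in the template into an
// iam.Policy. A resource whose PolicyDocument fails to parse is dropped from
// the result, so a malformed document is invisible to downstream checks; a
// resource with no PolicyDocument is kept with an empty parsed document.
func getPolicies(ctx parser.FileContext) (policies []iam.Policy) {
	for _, policyResource := range ctx.GetResourcesByType("AWS::IAM::Policy") {
		policy := iam.Policy{
			Metadata: policyResource.Metadata(),
			Name:     policyResource.GetStringProperty("PolicyName"),
			Document: iam.Document{
				Metadata: policyResource.Metadata(),
				Parsed:   iamgo.Document{},
			},
			// Policies declared in a template are never AWS-managed built-ins.
			Builtin: defsecTypes.Bool(false, policyResource.Metadata()),
		}

		if policyProp := policyResource.GetProperty("PolicyDocument"); policyProp.IsNotNil() {
			doc, err := iamgo.Parse(policyProp.GetJsonBytes())
			if err != nil {
				// Skip the whole resource rather than report an empty policy
				// that the template never declared.
				continue
			}
			policy.Document = iam.Document{
				// Anchor the document at the PolicyDocument property so findings
				// point at the document itself, consistent with getPoliciesDocs.
				Metadata: policyProp.Metadata(),
				Parsed:   *doc,
			}
		}

		policies = append(policies, policy)
	}
	return policies
}

// getRoles adapts every AWS::IAM::Role resource in the template, attaching the
// role's inline Policies list. Attached managed policies are not read here.
func getRoles(ctx parser.FileContext) (roles []iam.Role) {
	for _, roleResource := range ctx.GetResourcesByType("AWS::IAM::Role") {
		policyProp := roleResource.GetProperty("Policies")
		roleName := roleResource.GetStringProperty("RoleName")

		roles = append(roles, iam.Role{
			Metadata: roleResource.Metadata(),
			Name:     roleName,
			Policies: getPoliciesDocs(policyProp),
		})
	}
	return roles
}

// getUsers adapts every AWS::IAM::User resource in the template, attaching its
// inline Policies list and any AWS::IAM::AccessKey resource whose UserName
// matches the user's UserName. A user without an explicit UserName resolves to
// an empty name, so no access key can be matched to it.
func getUsers(ctx parser.FileContext) (users []iam.User) {
	for _, userResource := range ctx.GetResourcesByType("AWS::IAM::User") {
		policyProp := userResource.GetProperty("Policies")
		// AWS::IAM::User names its user via UserName; GroupName is a group-only
		// property. Reading the wrong key left the name empty, so access keys
		// were never associated with their user and key checks could not fire.
		userName := userResource.GetStringProperty("UserName")

		users = append(users, iam.User{
			Metadata:   userResource.Metadata(),
			Name:       userName,
			LastAccess: defsecTypes.TimeUnresolvable(userResource.Metadata()),
			Policies:   getPoliciesDocs(policyProp),
			AccessKeys: getAccessKeys(ctx, userName.Value()),
		})
	}
	return users
}

// getAccessKeys returns every AWS::IAM::AccessKey resource whose UserName
// property equals username. The key ID and timestamps are unknowable from a
// template and are marked unresolvable; Active is derived from the Status
// property when it is a string, otherwise it is reported as a default false.
//
// NOTE(review): an IAM access key with no Status is created active, so the
// false default may under-report active keys — confirm against the checks
// that consume this field. Whether GetStringProperty resolves a !Ref to the
// user resource into a comparable name is not visible here; verify in parser.
func getAccessKeys(ctx parser.FileContext, username string) (accessKeys []iam.AccessKey) {
	for _, keyResource := range ctx.GetResourcesByType("AWS::IAM::AccessKey") {
		keyUsername := keyResource.GetStringProperty("UserName")
		if !keyUsername.EqualTo(username) {
			continue
		}
		active := defsecTypes.BoolDefault(false, keyResource.Metadata())
		if statusProp := keyResource.GetProperty("Status"); statusProp.IsString() {
			active = defsecTypes.Bool(statusProp.AsString() == "Active", statusProp.Metadata())
		}

		accessKeys = append(accessKeys, iam.AccessKey{
			Metadata:     keyResource.Metadata(),
			AccessKeyId:  defsecTypes.StringUnresolvable(keyResource.Metadata()),
			CreationDate: defsecTypes.TimeUnresolvable(keyResource.Metadata()),
			LastAccess:   defsecTypes.TimeUnresolvable(keyResource.Metadata()),
			Active:       active,
		})
	}
	return accessKeys
}

// getGroups adapts every AWS::IAM::Group resource in the template, attaching
// the group's inline Policies list.
func getGroups(ctx parser.FileContext) (groups []iam.Group) {
	for _, groupResource := range ctx.GetResourcesByType("AWS::IAM::Group") {
		policyProp := groupResource.GetProperty("Policies")
		groupName := groupResource.GetStringProperty("GroupName")

		groups = append(groups, iam.Group{
			Metadata: groupResource.Metadata(),
			Name:     groupName,
			Policies: getPoliciesDocs(policyProp),
		})
	}
	return groups
}

// getPoliciesDocs adapts the inline Policies list of a user, group or role
// into iam.Policy values. policiesProp may be absent when the resource declares
// no Policies; AsList is presumably nil-safe in that case (verify in parser).
// An entry whose PolicyDocument cannot be parsed is dropped, so a malformed
// inline policy is invisible to downstream checks rather than reported.
func getPoliciesDocs(policiesProp *parser.Property) []iam.Policy {
	var policies []iam.Policy

	for _, policy := range policiesProp.AsList() {
		policyProp := policy.GetProperty("PolicyDocument")
		policyName := policy.GetStringProperty("PolicyName")

		doc, err := iamgo.Parse(policyProp.GetJsonBytes())
		if err != nil {
			continue
		}

		policies = append(policies, iam.Policy{
			// Anchor the policy at its PolicyDocument property so findings
			// point at the document rather than the owning resource.
			Metadata: policyProp.Metadata(),
			Name:     policyName,
			Document: iam.Document{
				Metadata: policyProp.Metadata(),
				Parsed:   *doc,
			},
			// Inline policies declared in a template are never AWS-managed built-ins.
			Builtin: defsecTypes.Bool(false, policyProp.Metadata()),
		})
	}
	return policies
}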