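package sam

import (
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/sam"
	"github.com/khulnasoft-lab/defsec/pkg/scanners/cloudformation/parser"
	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
	"github.com/liamg/iamgo"
)

// getStateMachines adapts every AWS::Serverless::StateMachine resource in
// cfFile into the provider model. Logging is reported as disabled unless the
// resource declares a Logging.Level other than "OFF"; tracing comes from
// getTracingConfiguration and policies from setStateMachinePolicies.
func getStateMachines(cfFile parser.FileContext) (stateMachines []sam.StateMachine) {
	stateMachineResources := cfFile.GetResourcesByType("AWS::Serverless::StateMachine")
	for _, r := range stateMachineResources {
		stateMachine := sam.StateMachine{
			Metadata: r.Metadata(),
			Name:     r.GetStringProperty("Name"),
			LoggingConfiguration: sam.LoggingConfiguration{
				Metadata: r.Metadata(),
				// Default to "not enabled" so a template that omits Logging is
				// surfaced by logging checks instead of passing silently.
				LoggingEnabled: defsecTypes.BoolDefault(false, r.Metadata()),
			},
			ManagedPolicies: nil,
			Policies:        nil,
			Tracing:         getTracingConfiguration(r),
		}

		if logging := r.GetProperty("Logging"); logging.IsNotNil() {
			stateMachine.LoggingConfiguration.Metadata = logging.Metadata()
			if level := logging.GetProperty("Level"); level.IsNotNil() {
				// Any level other than OFF means execution logs are emitted.
				stateMachine.LoggingConfiguration.LoggingEnabled = defsecTypes.Bool(!level.EqualTo("OFF"), level.Metadata())
			}
		}

		setStateMachinePolicies(r, &stateMachine)
		stateMachines = append(stateMachines, stateMachine)
	}

	return stateMachines
}

// getTracingConfiguration reads the resource's Tracing property. When the
// property is absent, tracing is reported as disabled and attributed to the
// resource itself; otherwise Tracing.Enabled is read as a bool with the
// Tracing property's own metadata.
func getTracingConfiguration(r *parser.Resource) sam.TracingConfiguration {
	tracing := r.GetProperty("Tracing")
	if tracing.IsNil() {
		return sam.TracingConfiguration{
			Metadata: r.Metadata(),
			Enabled:  defsecTypes.BoolDefault(false, r.Metadata()),
		}
	}

	return sam.TracingConfiguration{
		Metadata: tracing.Metadata(),
		Enabled:  tracing.GetBoolProperty("Enabled"),
	}
}

// setStateMachinePolicies populates stateMachine.ManagedPolicies and
// stateMachine.Policies from the resource's Policies property.
//
// A bare string is recorded as a single managed policy reference. In list
// form, string entries are managed policy references and every other entry
// is parsed by iamgo as an inline IAM policy document; entries that do not
// parse are skipped so the remaining policies are still adapted.
func setStateMachinePolicies(r *parser.Resource, stateMachine *sam.StateMachine) {
	policies := r.GetProperty("Policies")
	if policies.IsNil() {
		return
	}

	switch {
	case policies.IsString():
		stateMachine.ManagedPolicies = append(stateMachine.ManagedPolicies, policies.AsStringValue())
	case policies.IsList():
		for _, property := range policies.AsList() {
			// Managed policy names/ARNs may also appear as list items. They are
			// not JSON documents, so record them here rather than letting
			// iamgo.Parse fail and silently drop the attachment — otherwise a
			// check for over-privileged managed policies would never see them.
			if property.IsString() {
				stateMachine.ManagedPolicies = append(stateMachine.ManagedPolicies, property.AsStringValue())
				continue
			}

			parsed, err := iamgo.Parse(property.GetJsonBytes(true))
			if err != nil {
				// Best effort: an entry that is not a parseable IAM document is
				// skipped instead of aborting the whole resource.
				continue
			}

			stateMachine.Policies = append(stateMachine.Policies, iam.Policy{
				Metadata: property.Metadata(),
				Name:     defsecTypes.StringDefault("", property.Metadata()),
				Document: iam.Document{
					Metadata: property.Metadata(),
					Parsed:   *parsed,
				},
				Builtin: defsecTypes.Bool(false, property.Metadata()),
			})
		}
	}
}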