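package sqs

import (
	"fmt"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/scanners/cloudformation/parser"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/sqs"

	"github.com/liamg/iamgo"
)

// getQueues adapts every AWS::SQS::Queue resource in ctx into the provider
// model, attaching the first AWS::SQS::QueuePolicy that names the queue.
//
// Encryption state is taken from the template rather than assumed:
// KmsMasterKeyId selects a customer-managed KMS key, and SqsManagedSseEnabled
// reports SQS-managed server-side encryption. Reading SqsManagedSseEnabled
// matters for the encryption checks: a queue that relies on SQS-managed SSE
// would otherwise be reported as unencrypted.
func getQueues(ctx parser.FileContext) (queues []sqs.Queue) {
	for _, r := range ctx.GetResourcesByType("AWS::SQS::Queue") {
		queue := sqs.Queue{
			Metadata: r.Metadata(),
			// The queue URL only exists after deployment; the template cannot supply it.
			QueueURL: defsecTypes.StringDefault("", r.Metadata()),
			Encryption: sqs.Encryption{
				Metadata: r.Metadata(),
				// Defaults to false when the property is absent, so templates that
				// never set SqsManagedSseEnabled are adapted as before.
				ManagedEncryption: r.GetBoolProperty("SqsManagedSseEnabled"),
				KMSKeyID:          r.GetStringProperty("KmsMasterKeyId"),
			},
			Policies: []iam.Policy{},
		}
		// No matching (or no parseable) policy is not an error for the queue
		// itself: it is adapted with an empty policy list.
		if policy, err := getPolicy(r.ID(), ctx); err == nil {
			queue.Policies = append(queue.Policies, *policy)
		}
		queues = append(queues, queue)
	}
	return queues
}

// getPolicy returns the parsed PolicyDocument of the first
// AWS::SQS::QueuePolicy resource whose Queues list names the queue with
// logical ID id.
//
// Policy resources lacking a PolicyDocument or Queues property are skipped,
// as is any document iamgo cannot parse. The caller therefore cannot tell
// "no policy attached" from "policy present but unparseable"; both surface
// as the returned error and leave the queue with no policies, so an
// unparseable document is never reported by policy-based checks.
//
// NOTE(review): matching compares list entries with the queue's logical ID,
// which assumes the parser resolves a !Ref in Queues to that ID — confirm
// against the CloudFormation parser.
func getPolicy(id string, ctx parser.FileContext) (*iam.Policy, error) {
	for _, policyResource := range ctx.GetResourcesByType("AWS::SQS::QueuePolicy") {
		documentProp := policyResource.GetProperty("PolicyDocument")
		if documentProp.IsNil() {
			continue
		}
		queuesProp := policyResource.GetProperty("Queues")
		if queuesProp.IsNil() {
			continue
		}
		for _, queueRef := range queuesProp.AsList() {
			if !queueRef.IsString() || queueRef.AsString() != id {
				continue
			}
			parsed, err := iamgo.Parse(documentProp.GetJsonBytes())
			if err != nil {
				// Best effort: keep looking in case another policy resource
				// names this queue with a document that does parse.
				continue
			}
			return &iam.Policy{
				Metadata: documentProp.Metadata(),
				// Queue policies are unnamed in CloudFormation.
				Name: defsecTypes.StringDefault("", documentProp.Metadata()),
				Document: iam.Document{
					Metadata: documentProp.Metadata(),
					Parsed:   *parsed,
				},
				Builtin: defsecTypes.Bool(false, documentProp.Metadata()),
			}, nil
		}
	}
	return nil, fmt.Errorf("no matching policy found")
}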