github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/internal/adapters/terraform/openstack/networking.go (about)

     1  package openstack
     2  
     3  import (
     4  	"github.com/google/uuid"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers/openstack"
     6  	"github.com/khulnasoft-lab/defsec/pkg/terraform"
     7  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     8  )
     9  
// adaptNetworking builds the OpenStack networking model from the parsed
// Terraform modules. Security groups (and their rules) are the only
// networking resources adapted here; every other field of the result keeps
// its zero value.
func adaptNetworking(modules terraform.Modules) openstack.Networking {
	var networking openstack.Networking
	networking.SecurityGroups = adaptSecurityGroups(modules)
	return networking
}
    15  
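// adaptSecurityGroups collects every openstack_networking_secgroup_v2 block
// together with the openstack_networking_secgroup_rule_v2 blocks that
// reference it.
//
// Rules whose security_group_id cannot be resolved to a managed group block
// (e.g. a literal ID or an expression the evaluator could not follow) are not
// dropped: each is wrapped in its own unmanaged placeholder group so that
// checks still see the rule.
//
// The returned slice is in a deterministic order: managed groups in the order
// their blocks were returned, followed by placeholder groups in the order
// their rules were seen. The previous implementation ranged over the map
// directly, so the order changed from run to run.
func adaptSecurityGroups(modules terraform.Modules) []openstack.SecurityGroup {
	// groupMap is keyed by the Terraform block ID of the managed group (or a
	// fresh UUID for a placeholder); order records first insertion so the
	// result does not depend on map iteration order.
	groupMap := make(map[string]openstack.SecurityGroup)
	var order []string

	for _, groupBlock := range modules.GetResourcesByType("openstack_networking_secgroup_v2") {
		id := groupBlock.ID()
		if _, seen := groupMap[id]; !seen {
			order = append(order, id)
		}
		groupMap[id] = openstack.SecurityGroup{
			Metadata:    groupBlock.GetMetadata(),
			Name:        groupBlock.GetAttribute("name").AsStringValueOrDefault("", groupBlock),
			Description: groupBlock.GetAttribute("description").AsStringValueOrDefault("", groupBlock),
			Rules:       nil,
		}
	}

	for _, ruleBlock := range modules.GetResourcesByType("openstack_networking_secgroup_rule_v2") {
		rule := adaptSecurityGroupRule(ruleBlock)

		// Attach the rule to the managed group it references. GetReferencedBlock
		// only succeeds when security_group_id points at a block in the parsed
		// modules; a resolved block that is not a known secgroup (e.g. a data
		// source) still falls through to the placeholder path below.
		groupID := ruleBlock.GetAttribute("security_group_id")
		if refBlock, err := modules.GetReferencedBlock(groupID, ruleBlock); err == nil {
			if group, ok := groupMap[refBlock.ID()]; ok {
				group.Rules = append(group.Rules, rule)
				groupMap[refBlock.ID()] = group
				continue
			}
		}

		// Unresolvable reference: keep the rule in an unmanaged placeholder
		// group so it is not silently lost. Each such rule gets its own group.
		placeholderID := uuid.NewString()
		groupMap[placeholderID] = openstack.SecurityGroup{
			Metadata:    defsecTypes.NewUnmanagedMetadata(),
			Name:        defsecTypes.StringDefault("", defsecTypes.NewUnmanagedMetadata()),
			Description: defsecTypes.StringDefault("", defsecTypes.NewUnmanagedMetadata()),
			Rules:       []openstack.SecurityGroupRule{rule},
		}
		order = append(order, placeholderID)
	}

	// Preserve the original nil result for "no groups" — callers and encoders
	// may distinguish nil from an empty slice.
	if len(order) == 0 {
		return nil
	}
	groups := make([]openstack.SecurityGroup, 0, len(order))
	for _, id := range order {
		groups = append(groups, groupMap[id])
	}
	return groups
}

// adaptSecurityGroupRule converts one openstack_networking_secgroup_rule_v2
// block into the provider model.
//
// Defaults applied when an attribute is absent or its value cannot be
// resolved at scan time:
//   - direction: ingress (only an explicit "egress" clears IsIngress)
//   - ethertype: 4 / IPv4 (only an explicit "IPv6" changes it)
//   - protocol: "tcp"
//   - port_range_min / port_range_max: 0
//   - remote_ip_prefix: ""
//
// NOTE(review): in OpenStack an omitted protocol matches every protocol and
// omitted port bounds match every port, so the "tcp"/0 defaults describe a
// narrower rule than the API would actually create; confirm that the checks
// consuming these values treat 0 and "tcp" as "unset" rather than as a literal
// single-protocol, single-port rule. An empty remote_ip_prefix is also what a
// rule scoped by remote_group_id instead of a CIDR produces.
func adaptSecurityGroupRule(ruleBlock *terraform.Block) openstack.SecurityGroupRule {
	rule := openstack.SecurityGroupRule{
		Metadata:  ruleBlock.GetMetadata(),
		IsIngress: defsecTypes.Bool(true, ruleBlock.GetMetadata()),
		EtherType: defsecTypes.IntDefault(4, ruleBlock.GetMetadata()),
		Protocol:  ruleBlock.GetAttribute("protocol").AsStringValueOrDefault("tcp", ruleBlock),
		PortMin:   ruleBlock.GetAttribute("port_range_min").AsIntValueOrDefault(0, ruleBlock),
		PortMax:   ruleBlock.GetAttribute("port_range_max").AsIntValueOrDefault(0, ruleBlock),
		CIDR:      ruleBlock.GetAttribute("remote_ip_prefix").AsStringValueOrDefault("", ruleBlock),
	}

	// Only a literal, resolvable ethertype overrides the IPv4 default; the
	// override carries the attribute's own metadata so findings point at it.
	switch etherType := ruleBlock.GetAttribute("ethertype"); {
	case etherType.Equals("IPv4"):
		rule.EtherType = defsecTypes.Int(4, etherType.GetMetadata())
	case etherType.Equals("IPv6"):
		rule.EtherType = defsecTypes.Int(6, etherType.GetMetadata())
	}

	// Same for direction: an unresolvable value keeps the ingress default.
	switch direction := ruleBlock.GetAttribute("direction"); {
	case direction.Equals("egress"):
		rule.IsIngress = defsecTypes.Bool(false, direction.GetMetadata())
	case direction.Equals("ingress"):
		rule.IsIngress = defsecTypes.Bool(true, direction.GetMetadata())
	}

	return rule
}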