package compute

import (
	"github.com/khulnasoft-lab/defsec/internal/cidr"
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPublicAccess registers AVD-OPNSTK-0002, which inspects every
// OpenStack compute firewall allow rule and reports it when its destination
// or source is either unset or is classified as public by cidr.IsPublic.
//
// Rules that are unmanaged, or whose Enabled attribute is definitely false,
// are not evaluated. The destination is examined before the source and the
// checks are mutually exclusive, so each rule yields at most one finding;
// a rule passing all four checks is recorded as passed.
var CheckNoPublicAccess = rules.Register(
	scan.Rule{
		AVDID:       "AVD-OPNSTK-0002",
		Provider:    providers.OpenStackProvider,
		Service:     "compute",
		ShortCode:   "no-public-access",
		Summary:     "A firewall rule allows traffic from/to the public internet",
		Impact:      "Exposure of infrastructure to the public internet",
		Resolution:  "Employ more restrictive firewall rules",
		Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicAccessGoodExamples,
			BadExamples:         terraformNoPublicAccessBadExamples,
			Links:               terraformNoPublicAccessLinks,
			RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		for _, allow := range s.OpenStack.Compute.Firewall.AllowRules {
			// Skip rules the scanner does not manage and rules that are
			// explicitly disabled; anything else is evaluated.
			if allow.Metadata.IsUnmanaged() || allow.Enabled.IsFalse() {
				continue
			}

			// Destination first, then source; the first matching case wins,
			// so a rule with both sides open still produces a single finding.
			switch {
			case allow.Destination.IsEmpty():
				results.Add(
					"Firewall rule does not restrict destination address internally.",
					allow.Destination,
				)
			case cidr.IsPublic(allow.Destination.Value()):
				results.Add(
					"Firewall rule allows public egress.",
					allow.Destination,
				)
			case allow.Source.IsEmpty():
				results.Add(
					"Firewall rule does not restrict source address internally.",
					allow.Source,
				)
			case cidr.IsPublic(allow.Source.Value()):
				results.Add(
					"Firewall rule allows public ingress.",
					allow.Source,
				)
			default:
				results.AddPassed(allow)
			}
		}
		return results
	},
)