complete SAM checks (#29)

go.mod

@@ -4,7 +4,7 @@ go 1.16
 
 require (
 	github.com/apparentlymart/go-cidr v1.1.0
-	github.com/aquasecurity/defsec v0.0.38-0.20211202114943-52f01d551cdf
+	github.com/aquasecurity/defsec v0.0.39
 	github.com/liamg/jfather v0.0.2
 	github.com/liamg/tml v0.4.0
 	github.com/spf13/cobra v1.2.1

go.sum

@@ -62,6 +62,30 @@ github.com/aquasecurity/defsec v0.0.38-0.20211202103545-b5b8849450c9 h1:fgGbzM/N
 github.com/aquasecurity/defsec v0.0.38-0.20211202103545-b5b8849450c9/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
 github.com/aquasecurity/defsec v0.0.38-0.20211202114943-52f01d551cdf h1:HD/CwABWPR1iD18Zaf/wPENN6rMKUmyD4RVnlfNMMHQ=
 github.com/aquasecurity/defsec v0.0.38-0.20211202114943-52f01d551cdf/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
+github.com/aquasecurity/defsec v0.0.38-0.20211202150847-444824e0b664 h1:YzvRYLmu3deyC4Wf6QrWvcb3iqgc2RTVHHiTykdZbcY=
+github.com/aquasecurity/defsec v0.0.38-0.20211202150847-444824e0b664/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
+github.com/aquasecurity/defsec v0.0.38-0.20211202151317-49073d729686 h1:Rf3UdwpQu6rqlUfSg6VcUABb587D4th8gN6H2m0ClrU=
+github.com/aquasecurity/defsec v0.0.38-0.20211202151317-49073d729686/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
+github.com/aquasecurity/defsec v0.0.38-0.20211202154419-d594e7f5da4a h1:WCMe4TmD/FFyo3PVNwFu2bCN7Qa55mACI/tN64b4+tI=
+github.com/aquasecurity/defsec v0.0.38-0.20211202154419-d594e7f5da4a/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
+github.com/aquasecurity/defsec v0.0.38-0.20211202154813-a8f06cb40d8d h1:OthlJ7rVpC0S8F+qUDuehcVEW/JG3CJ59vg2OdaKbpA=
+github.com/aquasecurity/defsec v0.0.38-0.20211202154813-a8f06cb40d8d/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
+github.com/aquasecurity/defsec v0.0.38-0.20211202160241-d83b25ead044 h1:rRKkBKMz0dZpMNEZq/kzI7DmvrUihrGeUSDVtct2ep0=
+github.com/aquasecurity/defsec v0.0.38-0.20211202160241-d83b25ead044/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
+github.com/aquasecurity/defsec v0.0.38-0.20211202161757-d84ca68f3ae0 h1:Q15KxrS4BSe3nnet/6tmUniq+aJcuLrEm5NLCSgkY7o=
+github.com/aquasecurity/defsec v0.0.38-0.20211202161757-d84ca68f3ae0/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
+github.com/aquasecurity/defsec v0.0.38-0.20211202165623-c5c733e8f427 h1:CEF+BseRwkazD+2KIeZaBDXFGhcRS0uEdzvx8ckQB4E=
+github.com/aquasecurity/defsec v0.0.38-0.20211202165623-c5c733e8f427/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
+github.com/aquasecurity/defsec v0.0.38-0.20211202165845-4b964f19ef54 h1:FMXpegDORcyzyS+Set/1UMEfpC+7jYcO1d5rO5RD+3s=
+github.com/aquasecurity/defsec v0.0.38-0.20211202165845-4b964f19ef54/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
+github.com/aquasecurity/defsec v0.0.38-0.20211202170330-25a726735d94 h1:gRwq7flkNBu01SccjpMn4H4MPSltmPqXx1px/E+j2zw=
+github.com/aquasecurity/defsec v0.0.38-0.20211202170330-25a726735d94/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
+github.com/aquasecurity/defsec v0.0.38-0.20211202171943-fc8aa959d2b3 h1:5mj9J/bd9NXS6/MWL7SYWCuX1WeBmB5uGX5UuT/t4/E=
+github.com/aquasecurity/defsec v0.0.38-0.20211202171943-fc8aa959d2b3/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
+github.com/aquasecurity/defsec v0.0.38 h1:nIxKDsJNatjbZ7XA6uQ0mnPSnKpCJsZt4CoDlr2UOBE=
+github.com/aquasecurity/defsec v0.0.38/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
+github.com/aquasecurity/defsec v0.0.39 h1:C89/VOojkIb0MZBXHZ/vrlSW+DeEy42w+mg6vwjenI4=
+github.com/aquasecurity/defsec v0.0.39/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=

internal/app/cfsec/adapter/aws/sam/function.go

@@ -0,0 +1,55 @@
+package sam
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/parser"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/util"
+	"github.com/aquasecurity/defsec/provider/aws/iam"
+	"github.com/aquasecurity/defsec/provider/aws/sam"
+)
+
+func getFunctions(cfFile parser.FileContext) (functions []sam.Function) {
+
+	functionResources := cfFile.GetResourceByType("AWS::Serverless::Function")
+	for _, r := range functionResources {
+		function := sam.Function{
+			Metadata:     r.Metadata(),
+			FunctionName: r.GetStringProperty("FunctionName"),
+			Tracing:      r.GetStringProperty("Tracing", sam.TracingModePassThrough),
+		}
+
+		setFunctionPolicies(r, &function)
+		functions = append(functions, function)
+	}
+
+	return functions
+}
+
+func setFunctionPolicies(r *parser.Resource, function *sam.Function) {
+	policies := r.GetProperty("Policies")
+	if policies.IsNotNil() {
+		if policies.IsString() {
+			function.ManagedPolicies = append(function.ManagedPolicies, policies.AsStringValue())
+		} else if policies.IsList() {
+			for _, property := range policies.AsList() {
+				if property.IsMap() {
+					policyDoc, err := getPolicyDocument(property, r.SourceFormat())
+					if err != nil {
+
+						function.ManagedPolicies = append(function.ManagedPolicies, property.AsStringValue())
+						continue
+					}
+					function.Policies = append(function.Policies, *policyDoc)
+				} else {
+					function.ManagedPolicies = append(function.ManagedPolicies, property.AsStringValue())
+				}
+
+			}
+		}
+	}
+}
+
+func getPolicyDocument(policyProp *parser.Property, sourceFormat parser.SourceFormat) (*iam.PolicyDocument, error) {
+	policyDoc := util.GetJsonBytes(policyProp, sourceFormat, true)
+
+	return iam.ParsePolicyDocument(policyDoc, policyProp.Metadata())
+}

internal/app/cfsec/adapter/aws/sam/http_api.go

@@ -0,0 +1,45 @@
+package sam
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/parser"
+	"github.com/aquasecurity/defsec/provider/aws/sam"
+	"github.com/aquasecurity/defsec/types"
+)
+
+func getHttpApis(cfFile parser.FileContext) (apis []sam.HttpAPI) {
+
+	apiResources := cfFile.GetResourceByType("AWS::Serverless::HttpApi")
+	for _, r := range apiResources {
+		api := sam.HttpAPI{
+			Metadata:             r.Metadata(),
+			Name:                 r.GetStringProperty("Name", ""),
+			DomainConfiguration:  getDomainConfiguration(r),
+			AccessLogging:        getAccessLogging(r),
+			DefaultRouteSettings: getRouteSettings(r),
+		}
+
+		apis = append(apis, api)
+	}
+
+	return apis
+}
+
+func getRouteSettings(r *parser.Resource) sam.RouteSettings {
+
+	route := r.GetProperty("DefaultRouteSettings")
+	if route.IsNil() {
+		return sam.RouteSettings{
+			Metadata:               r.Metadata(),
+			LoggingEnabled:         types.BoolDefault(false, r.Metadata()),
+			DataTraceEnabled:       types.BoolDefault(false, r.Metadata()),
+			DetailedMetricsEnabled: types.BoolDefault(false, r.Metadata()),
+		}
+	}
+
+	return sam.RouteSettings{
+		Metadata:               route.Metadata(),
+		LoggingEnabled:         route.GetBoolProperty("LoggingLevel"),
+		DataTraceEnabled:       route.GetBoolProperty("DataTraceEnabled"),
+		DetailedMetricsEnabled: route.GetBoolProperty("DetailedMetricsEnabled"),
+	}
+}

internal/app/cfsec/adapter/aws/sam/sam.go

@@ -18,5 +18,9 @@ func Adapt(cfFile parser.FileContext) (sam sam.SAM) {
 	}()
 
 	sam.APIs = getApis(cfFile)
+	sam.HttpAPIs = getHttpApis(cfFile)
+	sam.Functions = getFunctions(cfFile)
+	sam.StateMachines = getStateMachines(cfFile)
+	sam.SimpleTables = getSimpleTables(cfFile)
 	return sam
 }

internal/app/cfsec/adapter/aws/sam/state_machines.go

@@ -0,0 +1,59 @@
+package sam
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/parser"
+	"github.com/aquasecurity/defsec/provider/aws/sam"
+	"github.com/aquasecurity/defsec/types"
+)
+
+func getStateMachines(cfFile parser.FileContext) (stateMachines []sam.StateMachine) {
+
+	stateMachineResources := cfFile.GetResourceByType("AWS::Serverless::StateMachine")
+	for _, r := range stateMachineResources {
+		stateMachine := sam.StateMachine{
+			Metadata:             r.Metadata(),
+			Name:                 r.GetStringProperty("Name"),
+			LoggingConfiguration: sam.LoggingConfiguration{},
+			Tracing:              getTracingConfiguration(r),
+		}
+
+		setStateMachinePolicies(r, &stateMachine)
+		stateMachines = append(stateMachines, stateMachine)
+	}
+
+	return stateMachines
+}
+
+func getTracingConfiguration(r *parser.Resource) sam.TracingConfiguration {
+	tracing := r.GetProperty("Tracing")
+	if tracing.IsNil() {
+		return sam.TracingConfiguration{
+			Metadata: r.Metadata(),
+			Enabled:  types.BoolDefault(false, r.Metadata()),
+		}
+	}
+
+	return sam.TracingConfiguration{
+		Metadata: tracing.Metadata(),
+		Enabled:  tracing.GetBoolProperty("Enabled"),
+	}
+}
+
+func setStateMachinePolicies(r *parser.Resource, stateMachine *sam.StateMachine) {
+	policies := r.GetProperty("Policies")
+	if policies.IsNotNil() {
+		if policies.IsString() {
+			stateMachine.ManagedPolicies = append(stateMachine.ManagedPolicies, policies.AsStringValue())
+		} else if policies.IsList() {
+			for _, property := range policies.AsList() {
+				policyDoc, err := getPolicyDocument(property, r.SourceFormat())
+				if err != nil {
+
+					stateMachine.ManagedPolicies = append(stateMachine.ManagedPolicies, property.AsStringValue())
+					continue
+				}
+				stateMachine.Policies = append(stateMachine.Policies, *policyDoc)
+			}
+		}
+	}
+}

internal/app/cfsec/adapter/aws/sam/tables.go

@@ -0,0 +1,40 @@
+package sam
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/parser"
+	"github.com/aquasecurity/defsec/provider/aws/sam"
+	"github.com/aquasecurity/defsec/types"
+)
+
+func getSimpleTables(cfFile parser.FileContext) (tables []sam.SimpleTable) {
+
+	tableResources := cfFile.GetResourceByType("AWS::Serverless::SimpleTable")
+	for _, r := range tableResources {
+		table := sam.SimpleTable{
+			Metadata:         r.Metadata(),
+			TableName:        r.GetStringProperty("TableName"),
+			SSESpecification: getSSESpecification(r),
+		}
+
+		tables = append(tables, table)
+	}
+
+	return tables
+}
+
+func getSSESpecification(r *parser.Resource) sam.SSESpecification {
+	sse := r.GetProperty("SSESpecification")
+	if sse.IsNil() {
+		return sam.SSESpecification{
+			Metadata:       r.Metadata(),
+			Enabled:        types.BoolDefault(false, r.Metadata()),
+			KMSMasterKeyID: types.StringDefault("", r.Metadata()),
+		}
+	}
+
+	return sam.SSESpecification{
+		Metadata:       sse.Metadata(),
+		Enabled:        sse.GetBoolProperty("SSEEnabled"),
+		KMSMasterKeyID: sse.GetStringProperty("KMSMasterKeyID"),
+	}
+}

internal/app/cfsec/rules/aws/sam/use_secure_tls_rule.go → internal/app/cfsec/rules/aws/sam/api_use_secure_tls_rule.go

@@ -39,6 +39,6 @@ Resources:
 `,
 		},
 
-		Base: sam.CheckUseSecureTlsPolicy,
+		Base: sam.CheckApiUseSecureTlsPolicy,
 	})
 }

internal/app/cfsec/rules/aws/sam/api_use_secure_tls_rule_test.go

@@ -0,0 +1,18 @@
+package sam
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/test"
+	"github.com/aquasecurity/defsec/rules/aws/sam"
+
+	"testing"
+)
+
+func Test_CheckApiUseSecureTlsPolicy_FailureExamples(t *testing.T) {
+	expectedCode := sam.CheckApiUseSecureTlsPolicy.Rule().LongID()
+	test.RunFailureExamplesTest(t, expectedCode)
+}
+
+func Test_CheckApiUseSecureTlsPolicy_PassedExamples(t *testing.T) {
+	expectedCode := sam.CheckApiUseSecureTlsPolicy.Rule().LongID()
+	test.RunPassingExamplesTest(t, expectedCode)
+}

internal/app/cfsec/rules/aws/sam/enable_access_logging_rule.go → internal/app/cfsec/rules/aws/sam/enable_api_access_logging_rule.go

@@ -42,6 +42,6 @@ Resources:
 `,
 		},
 
-		Base: sam.CheckEnableAccessLogging,
+		Base: sam.CheckEnableApiAccessLogging,
 	})
 }

internal/app/cfsec/rules/aws/sam/enable_api_access_logging_rule_test.go

@@ -0,0 +1,18 @@
+package sam
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/test"
+	"github.com/aquasecurity/defsec/rules/aws/sam"
+
+	"testing"
+)
+
+func Test_CheckEnableApiAccessLogging_FailureExamples(t *testing.T) {
+	expectedCode := sam.CheckEnableApiAccessLogging.Rule().LongID()
+	test.RunFailureExamplesTest(t, expectedCode)
+}
+
+func Test_CheckEnableApiAccessLogging_PassedExamples(t *testing.T) {
+	expectedCode := sam.CheckEnableApiAccessLogging.Rule().LongID()
+	test.RunPassingExamplesTest(t, expectedCode)
+}

internal/app/cfsec/rules/aws/sam/enable_cache_encryption_rule.go → internal/app/cfsec/rules/aws/sam/enable_api_cache_encryption_rule.go

@@ -53,6 +53,6 @@ Resources:
 `,
 		},
 
-		Base: sam.CheckEnableCacheEncryption,
+		Base: sam.CheckEnableApiCacheEncryption,
 	})
 }

internal/app/cfsec/rules/aws/sam/enable_api_cache_encryption_rule_test.go

@@ -0,0 +1,18 @@
+package sam
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/test"
+	"github.com/aquasecurity/defsec/rules/aws/sam"
+
+	"testing"
+)
+
+func Test_CheckEnableApiCacheEncryption_FailureExamples(t *testing.T) {
+	expectedCode := sam.CheckEnableApiCacheEncryption.Rule().LongID()
+	test.RunFailureExamplesTest(t, expectedCode)
+}
+
+func Test_CheckEnableApiCacheEncryption_PassedExamples(t *testing.T) {
+	expectedCode := sam.CheckEnableApiCacheEncryption.Rule().LongID()
+	test.RunPassingExamplesTest(t, expectedCode)
+}

internal/app/cfsec/rules/aws/sam/enable_tracing_rule.go → internal/app/cfsec/rules/aws/sam/enable_api_tracing_rule.go

@@ -46,6 +46,6 @@ Resources:
 `,
 		},
 
-		Base: sam.CheckEnableTracing,
+		Base: sam.CheckEnableApiTracing,
 	})
 }

internal/app/cfsec/rules/aws/sam/enable_api_tracing_rule_test.go

@@ -0,0 +1,18 @@
+package sam
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/test"
+	"github.com/aquasecurity/defsec/rules/aws/sam"
+
+	"testing"
+)
+
+func Test_CheckEnableApiTracingFailureExamples(t *testing.T) {
+	expectedCode := sam.CheckEnableApiTracing.Rule().LongID()
+	test.RunFailureExamplesTest(t, expectedCode)
+}
+
+func Test_CheckEnableApiTracing_PassedExamples(t *testing.T) {
+	expectedCode := sam.CheckEnableApiTracing.Rule().LongID()
+	test.RunPassingExamplesTest(t, expectedCode)
+}