feat: application level encryption (#157)
* feat: non encrypted properties * feat: refactor encryption fails processor * feat: add support for rego processor * feat: reconciliation of sql and ruby detector * feat: add pluralize * merge: fix merge conflicts * feat: add support for custom detector type * feat: skip adding verifiers * chore: go mod tidy * feat: add verified by fields * fix: manually resolve merge conflicts * chore: refactor verifiers * test: add integration tests for verified by * fix: linting issue * fix: manually resolve merge conflicts * chore: snake case rego variables * chore: remove tanker from default processors * fix: tests failing * feat: add root singularize option * fix: correct typo * fix: tests * fix: remove debug log * fix: tests * feat: remove detect ruby classes
Showing
21 changed files
with
548 additions
and
80 deletions.
69 changes: 69 additions & 0 deletions
69
integration/flags/.snapshots/TestReportFlags-report-dataflow-verified-by
@@ -0,0 +1,69 @@ | ||
data_types: | ||
- name: Country | ||
detectors: | ||
- name: detect_sql_create_public_table | ||
locations: | ||
- filename: schema.sql | ||
line_number: 8 | ||
encrypted: true | ||
verified_by: | ||
- detector: detect_encrypted_ruby_class_properties | ||
filename: user.rb | ||
line_number: 2 | ||
- name: ruby | ||
locations: | ||
- filename: user.rb | ||
line_number: 2 | ||
- name: Date of birth | ||
detectors: | ||
- name: detect_sql_create_public_table | ||
locations: | ||
- filename: schema.sql | ||
line_number: 6 | ||
- name: Email Address | ||
detectors: | ||
- name: detect_sql_create_public_table | ||
locations: | ||
- filename: schema.sql | ||
line_number: 5 | ||
encrypted: true | ||
verified_by: | ||
- detector: detect_encrypted_ruby_class_properties | ||
filename: user.rb | ||
line_number: 2 | ||
- name: ruby | ||
locations: | ||
- filename: user.rb | ||
line_number: 2 | ||
- name: Firstname | ||
detectors: | ||
- name: detect_sql_create_public_table | ||
locations: | ||
- filename: schema.sql | ||
line_number: 3 | ||
- name: Lastname | ||
detectors: | ||
- name: detect_sql_create_public_table | ||
locations: | ||
- filename: schema.sql | ||
line_number: 4 | ||
- name: Physical Address | ||
detectors: | ||
- name: detect_sql_create_public_table | ||
locations: | ||
- filename: schema.sql | ||
line_number: 7 | ||
encrypted: true | ||
verified_by: | ||
- detector: detect_encrypted_ruby_class_properties | ||
filename: user.rb | ||
line_number: 2 | ||
- name: ruby | ||
locations: | ||
- filename: user.rb | ||
line_number: 2 | ||
components: [] | ||
|
||
|
||
-- | ||
|
@@ -0,0 +1,9 @@ | ||
CREATE TABLE public.Users ( | ||
id bigint NOT NULL, | ||
first_name character varying NOT NULL, | ||
last_name character varying NOT NULL, | ||
email character varying NOT NULL, | ||
tanker_encrypted_date_of_birth character varying NOT NULL, | ||
city character varying NOT NULL, | ||
country character varying NOT NULL, | ||
); |
@@ -0,0 +1,3 @@ | ||
class Users < ApplicationRecord | ||
encrypts :email, :country, :city # requires the detection of the structure too | ||
end |
@@ -1,6 +1,38 @@ | ||
detect_ruby_logger: | ||
type: "risk" | ||
patterns: | ||
- | | ||
logger.info(<$ARGUMENT>) | ||
languages: | ||
- ruby | ||
detect_encrypted_ruby_class_properties: | ||
type: "verifier" | ||
patterns: | ||
- | | ||
class $CLASS_NAME < ApplicationRecord | ||
encrypts <$ARGUMENT> | ||
end | ||
param_parenting: true | ||
root_singularize: true | ||
root_lowercase: true | ||
languages: | ||
- ruby | ||
detect_sql_create_public_table: | ||
type: "data_type" | ||
patterns: | ||
- | | ||
CREATE TABLE public.$TABLE_NAME ( | ||
<$COLUMN> | ||
) | ||
param_parenting: true | ||
root_singularize: true | ||
root_lowercase: true | ||
languages: | ||
- sql | ||
processors: | ||
- query: | | ||
verified_by = data.bearer.encrypted_verified.verified_by | ||
encrypted = data.bearer.encrypted_verified.encrypted | ||
modules: | ||
- path: processors/encrypted_verified.rego | ||
name: bearer.encrypted_verified |
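--- a/pkg/commands/process/settings/processors/encrypted_verified.rego
+++ b/pkg/commands/process/settings/processors/encrypted_verified.rego
@@ -0,0 +1,34 @@
+package bearer.encrypted_verified
+
+import future.keywords
+
+
+default encrypted := false
+
+
+ruby_encrypted[location] {
+some detection in input.all_detections
+detection.detector_type == "detect_encrypted_ruby_class_properties"
+detection.value.classification.decision.state == "valid"
+location = detection
+}
+
+encrypted = true {
+some detection in ruby_encrypted
+detection.value.object_name == input.target.value.object_name
+detection.value.field_name == input.target.value.field_name
+input.target.value.field_name != ""
+input.target.value.object_name != ""
+}
+
+verified_by[verification] {
+some detection in ruby_encrypted
+detection.value.object_name == input.target.value.object_name
+detection.value.field_name == input.target.value.field_name
+
+verification = {
+"detector": "detect_encrypted_ruby_class_properties",
+"filename": detection.source.filename,
+"line_number": detection.source.line_number
+}
+}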
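Review bot: The `verified_by[verification]` rule omits the two non-empty guards that `encrypted` applies, `input.target.value.field_name != ""` and `input.target.value.object_name != ""`, so a target whose names are empty can be matched by a detection with equally empty names and receive `verified_by` entries while `encrypted` stays false; the report would then list a verifier for a field that is not marked encrypted. The two rules should agree: add those two lines to `verified_by`, or move the shared name match and guards into one helper rule (e.g. `matching_encrypted[detection]`) that both `encrypted` and `verified_by` iterate. A short header comment stating what the policy expects in `input.target` and `input.all_detections` would also help, since it reads `.value.object_name`, `.value.field_name`, `.value.classification.decision.state`, `.source.filename` and `.source.line_number` without any schema in view.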