-
Notifications
You must be signed in to change notification settings - Fork 42
/
password_uppercase_required.go
92 lines (83 loc) · 2.71 KB
/
password_uppercase_required.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
package iam
import (
"fmt"
"github.com/Zeus-Labs/ZeusCloud/rules/types"
"github.com/neo4j/neo4j-go-driver/v4/neo4j"
)
// TODO: Figure out how to test this with CDK.
type PasswordUppercaseRequired struct{}
func (PasswordUppercaseRequired) UID() string {
return "iam/password_uppercase_required"
}
func (PasswordUppercaseRequired) Description() string {
return "Password policy should require at least one uppercase character."
}
func (PasswordUppercaseRequired) Severity() types.Severity {
return types.Moderate
}
func (PasswordUppercaseRequired) RiskCategories() types.RiskCategoryList {
return []types.RiskCategory{
types.IamMisconfiguration,
}
}
func (PasswordUppercaseRequired) Execute(tx neo4j.Transaction) ([]types.Result, error) {
records, err := tx.Run(
`MATCH (a:AWSAccount{inscope: true})-[:RESOURCE]->(app:AccountPasswordPolicy)
RETURN app.id as resource_id,
'AccountPasswordPolicy' as resource_type,
a.id as account_id,
CASE
WHEN app.require_uppercase_characters THEN 'passed'
ELSE 'failed'
END as status,
CASE
WHEN app.require_uppercase_characters IS NULL THEN 'The require uppercase characters field has not been set in the account password policy.'
WHEN app.require_uppercase_characters THEN 'The account password policy requires uppercase characters.'
ELSE 'The account password policy does not require uppercase characters.'
END as context`,
nil,
)
if err != nil {
return nil, err
}
var results []types.Result
for records.Next() {
record := records.Record()
resourceID, _ := record.Get("resource_id")
resourceIDStr, ok := resourceID.(string)
if !ok {
return nil, fmt.Errorf("resource_id %v should be of type string", resourceID)
}
resourceType, _ := record.Get("resource_type")
resourceTypeStr, ok := resourceType.(string)
if !ok {
return nil, fmt.Errorf("resource_type %v should be of type string", resourceType)
}
accountID, _ := record.Get("account_id")
accountIDStr, ok := accountID.(string)
if !ok {
return nil, fmt.Errorf("account_id %v should be of type string", accountID)
}
status, _ := record.Get("status")
statusStr, ok := status.(string)
if !ok {
return nil, fmt.Errorf("status %v should be of type string", status)
}
context, _ := record.Get("context")
contextStr, ok := context.(string)
if !ok {
return nil, fmt.Errorf("context %v should be of type string", context)
}
results = append(results, types.Result{
ResourceID: resourceIDStr,
ResourceType: resourceTypeStr,
AccountID: accountIDStr,
Status: statusStr,
Context: contextStr,
})
}
return results, nil
}
func (PasswordUppercaseRequired) ProduceRuleGraph(tx neo4j.Transaction, resourceId string) (neo4j.Result, error) {
return nil, nil
}