syncing with saas

aquasecurity · Sep 18, 2023 · 8415d5c · 8415d5c
1 parent fb42bb2
commit 8415d5c
Show file tree

Hide file tree

Showing 15 changed files with 145 additions and 427 deletions.
diff --git a/collectors/aws/ses/getIdentityDkimAttributes.js b/collectors/aws/ses/getIdentityDkimAttributes.js
@@ -3,14 +3,46 @@ var helpers = require(__dirname + '/../../../helpers/aws');
 
 module.exports = function(AWSConfig, collection, retries, callback) {
     var ses = new AWS.SES(AWSConfig);
+    collection.ses.getIdentityDkimAttributes[AWSConfig.region] = {};
 
-    helpers.makeCustomCollectorCall(ses, 'getIdentityDkimAttributes', {Identities: collection.ses.listIdentities[AWSConfig.region].data}, retries, null, null, null, function(err, data) {
-        if (err) {
-            collection.ses.getIdentityDkimAttributes[AWSConfig.region].err = err;
+    var identities = collection.ses.listIdentities[AWSConfig.region].data;
+    var identityChunks = chunkArray(identities, 100);
+    var allDkimAttributes = [];
+    var processIdentityChunk = function(chunkIndex) {
+        if (chunkIndex >= identityChunks.length) {
+            allDkimAttributes =  allDkimAttributes.flatMap(obj => Object.values(obj));
+            collection.ses.getIdentityDkimAttributes[AWSConfig.region].data = {
+                DkimAttributes: allDkimAttributes
+            };
+            callback();
+            return;
         }
 
-        collection.ses.getIdentityDkimAttributes[AWSConfig.region].data = data;
+        var chunk = identityChunks[chunkIndex];
+        var params = {
+            Identities: chunk,
+        };
 
-        callback();
-    });
-};
+        setTimeout(function() {
+            helpers.makeCustomCollectorCall(ses, 'getIdentityDkimAttributes', params, retries, null, null, null, function(err, data) {
+                if (err) {
+                    collection.ses.getIdentityDkimAttributes[AWSConfig.region].err = err;
+                } else if (data && data.DkimAttributes) {
+                    allDkimAttributes = allDkimAttributes.concat(data.DkimAttributes);
+                }
+
+                processIdentityChunk(chunkIndex + 1);
+            });
+        }, 1000);
+    };
+
+    processIdentityChunk(0);
+};
+
+function chunkArray(arr, chunkSize) {
+    var result = [];
+    for (var i = 0; i < arr.length; i += chunkSize) {
+        result.push(arr.slice(i, i + chunkSize));
+    }
+    return result;
+}
diff --git a/collectors/azure/collector.js b/collectors/azure/collector.js
@@ -44,7 +44,7 @@ function parseCollection(path, obj) {
     }
 }
 
-var collect = function(AzureConfig, settings, callback) {
+let collect = function(AzureConfig, settings, callback) {
     // Used to gather info only
     if (settings.gather) {
         return callback(null, calls, postcalls, tertiarycalls, specialcalls);
@@ -92,10 +92,12 @@ var collect = function(AzureConfig, settings, callback) {
             });
         };
 
-        var processCall = function(obj, cb, localData) {
-            var localUrl = obj.nextUrl || obj.url.replace(/\{subscriptionId\}/g, AzureConfig.SubscriptionID);
+        let processCall = function(obj, cb, localData) {
+            let localUrl = obj.nextUrl || obj.url.replace(/\{subscriptionId\}/g, AzureConfig.SubscriptionID);
             if (obj.rateLimit) {
                 setTimeout(function() {
+                    console.log('timeout check');
+                    console.log(`url: ${localUrl} obj: ${JSON.stringify(obj)} localData: ${JSON.stringify(localData)}`);
                     makeCall(localUrl, obj, cb, localData);
                 }, obj.rateLimit);
             } else {

diff --git a/collectors/azure/fileService/listSharesSegmented.js b/collectors/azure/fileService/listSharesSegmented.js
@@ -1,10 +1,9 @@
 var async = require('async');
+var azureStorage = require('@azure/storage-file-share');
 
 module.exports = function(collection, reliesOn, callback) {
     if (!reliesOn['storageAccounts.listKeys']) return callback();
 
-    var azureStorage = require('azure-storage');
-
     if (!collection['fileService']['listSharesSegmented']) collection['fileService']['listSharesSegmented'] = {};
     if (!collection['fileService']['getShareAcl']) collection['fileService']['getShareAcl'] = {};
 
@@ -13,39 +12,42 @@ module.exports = function(collection, reliesOn, callback) {
         collection['fileService']['listSharesSegmented'][region] = {};
         collection['fileService']['getShareAcl'][region] = {};
 
-        async.eachOfLimit(regionObj, 5, function(subObj, resourceId, sCb) {
+        async.eachOfLimit(regionObj, 5, async function(subObj, resourceId, sCb) {
             collection['fileService']['listSharesSegmented'][region][resourceId] = {};
 
             if (subObj && subObj.data && subObj.data.keys && subObj.data.keys[0] && subObj.data.keys[0].value) {
                 // Extract storage account name from resourceId
-                var storageAccountName = resourceId.substring(resourceId.lastIndexOf('/') + 1);
-                var storageService = new azureStorage['FileService'](storageAccountName, subObj.data.keys[0].value);
-
-                storageService.listSharesSegmented(null, function(serviceErr, serviceResults) {
-                    if (serviceErr || !serviceResults) {
-                        collection['fileService']['listSharesSegmented'][region][resourceId].err = (serviceErr || 'No data returned');
-                        sCb();
-                    } else {
-                        collection['fileService']['listSharesSegmented'][region][resourceId].data = serviceResults.entries;
-
-                        // Add ACLs
-                        async.eachLimit(serviceResults.entries, 10, function(entryObj, entryCb) {
-                            var entryId = `${resourceId}/fileService/${entryObj.name}`;
-                            collection['fileService']['getShareAcl'][region][entryId] = {};
-
-                            storageService.getShareAcl(entryObj.name, function(getErr, getData) {
-                                if (getErr || !getData) {
-                                    collection['fileService']['getShareAcl'][region][entryId].err = (getErr || 'No data returned');
-                                } else {
-                                    collection['fileService']['getShareAcl'][region][entryId].data = getData;
-                                }
-                                entryCb();
+                const shareItemList = [];
+                try {
+                    const storageAccountName = resourceId.substring(resourceId.lastIndexOf('/') + 1);
+                    const connectionString = `DefaultEndpointsProtocol=https;AccountName=${storageAccountName};AccountKey=${subObj.data.keys[0].value};EndpointSuffix=core.windows.net`;
+                    const storageService = azureStorage.ShareServiceClient.fromConnectionString(connectionString);
+                    const iterator = storageService.listShares();
+                    let item = await iterator.next();
+
+                    while (!item.done) {
+                        let fileShare = item.value.name;
+                        var entryId = `${resourceId}/fileService/${fileShare}`;
+                        shareItemList.push({ name: fileShare, id: entryId});
+                        collection['fileService']['getShareAcl'][region][entryId] = {};
+                        const shareClient = storageService.getShareClient(fileShare);
+                        shareClient.getAccessPolicy()
+                            .then(result => {
+                                collection['fileService']['getShareAcl'][region][entryId].data = result;
+                            })
+                            .catch(err => {
+                                collection['fileService']['getShareAcl'][region][entryId].err = err;
                             });
-                        }, function() {
-                            sCb();
-                        });
+                        item = await iterator.next();
                     }
-                });
+                } catch (exception) {
+                    collection['fileService']['listSharesSegmented'][region][resourceId].err = exception.message;
+                }
+                if (shareItemList.length) {
+                    collection['fileService']['listSharesSegmented'][region][resourceId].data = shareItemList;
+                } else {
+                    collection['fileService']['listSharesSegmented'][region][resourceId].data = [];
+                }
             } else {
                 sCb();
             }

diff --git a/collectors/azure/fileService/listSharesSegmentedNew.js b/collectors/azure/fileService/listSharesSegmentedNew.js
diff --git a/exports.js b/exports.js
@@ -750,7 +750,6 @@ module.exports = {
         'bastionHostExists'              : require(__dirname + '/plugins/azure/bastion/bastionHostExists.js'),
 
         'logProfileArchiveData'         : require(__dirname + '/plugins/azure/monitor/logProfileArchiveData.js'),
-        'logProfileRetentionPolicy'     : require(__dirname + '/plugins/azure/monitor/logProfileRetentionPolicy.js'),
         'monitorLogsEnabled'            : require(__dirname + '/plugins/azure/monitor/monitorLogsEnabled.js'),
         'diagnosticsCapturedCategories' : require(__dirname + '/plugins/azure/monitor/diagnosticsCapturedCategories.js'),
         'diagnosticsSettingsEnabled'    : require(__dirname + '/plugins/azure/monitor/diagnosticsSettingsEnabled.js'),

diff --git a/helpers/azure/api.js b/helpers/azure/api.js
@@ -143,6 +143,15 @@ var serviceMap = {
             BridgeResourceNameIdentifier: 'name', BridgeExecutionService: 'Table Service',
             BridgeCollectionService: 'tableservice', DataIdentifier: 'data',
         },
+    'File Service':
+        {
+            enabled: true, isSingleSource: true, InvAsset: 'fileService', InvService: 'fileService',
+            InvResourceCategory: 'storage', InvResourceType: 'file_service', BridgeServiceName: 'fileservice',
+            BridgePluginCategoryName: 'File Service', BridgeProvider: 'Azure', BridgeCall: 'listSharesSegmented',
+            BridgeArnIdentifier: '', BridgeIdTemplate: '', BridgeResourceType: 'fileService',
+            BridgeResourceNameIdentifier: 'name', BridgeExecutionService: 'File Service',
+            BridgeCollectionService: 'fileservice', DataIdentifier: 'data',
+        },
     'SQL Databases':
         {
             enabled: true, isSingleSource: true, InvAsset: 'database', InvService: 'sql',
@@ -950,10 +959,7 @@ var specialcalls = {
             reliesOnPath: ['storageAccounts.listKeys'],
             rateLimit: 3000
         },
-        listSharesSegmentedNew: {
-            reliesOnPath: ['storageAccounts.listKeys'],
-            rateLimit: 3000
-        }
+        sendIntegration: serviceMap['File Service']
     },
     blobService: {
         listContainersSegmented: {

diff --git a/helpers/azure/functions.js b/helpers/azure/functions.js
@@ -2,7 +2,7 @@ var shared = require(__dirname + '/../shared.js');
 var auth = require(__dirname + '/auth.js');
 var async = require('async');
 
-const defualyPolicyAssignments = {
+const defualtPolicyAssignments = {
     adaptiveApplicationControlsMonitoringEffect: 'AuditIfNotExists',
     diskEncryptionMonitoringEffect: 'AuditIfNotExists',
     endpointProtectionMonitoringEffect: 'AuditIfNotExists',
@@ -178,8 +178,8 @@ function checkPolicyAssignment(policyAssignments, param, text, results, location
 
     const policyAssignment = policyAssignments.data.find((policyAssignment) => {
         return (policyAssignment &&
-                policyAssignment.displayName &&
-                policyAssignment.displayName.toLowerCase().includes('asc default'));
+            policyAssignment.displayName &&
+            policyAssignment.displayName.toLowerCase().includes('asc default'));
     });
 
     if (!policyAssignment) {
@@ -191,16 +191,14 @@ function checkPolicyAssignment(policyAssignments, param, text, results, location
     // This check is required to handle a defect in the Azure API that causes
     // unmodified ASC policies to return an empty object for parameters: {}
     // https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMSZCA4
-    if (policyAssignment.parameters &&
-        !Object.keys(policyAssignment.parameters).length) {
-        addResult(results, 0,
-            'There ASC Default Policy Assignment includes all plugins', location,
-            policyAssignment.id);
-        return;
-    }
 
-    const policyAssignmentStatus = (policyAssignment.parameters && policyAssignment.parameters[param] && policyAssignment.parameters[param].value) ||
-    defualyPolicyAssignments[param] || '';
+    // The api used returns empty parameters in case of all the default values,
+    var policyAssignmentStatus = '';
+    if (policyAssignment.parameters && Object.keys(policyAssignment.parameters).length) {
+        policyAssignmentStatus = (policyAssignment.parameters && policyAssignment.parameters[param] && policyAssignment.parameters[param].value) || defualtPolicyAssignments[param] || '';
+    } else {
+        policyAssignmentStatus =  defualtPolicyAssignments[param]
+    }
 
     if (!policyAssignmentStatus.length) {
         addResult(results, 0,

diff --git a/helpers/shared.js b/helpers/shared.js
@@ -20,6 +20,10 @@ var processIntegration = function(serviceName, settings, collection, calls, post
     let localSettings = {};
     localSettings = settings;
 
+    if (settings.govcloud) {
+        localEvent.awsOrGov = 'aws-us-gov';
+    }
+
     localEvent.collection = {};
     localEvent.previousCollection = {};
 

diff --git a/plugins/aws/lambda/lambdaOldRuntimes.js b/plugins/aws/lambda/lambdaOldRuntimes.js
@@ -36,14 +36,21 @@ module.exports = {
             { 'id':'nodejs8.10', 'name': 'Node.js 8.10', 'endOfLifeDate': '2020-03-06' },
             { 'id':'nodejs10.x', 'name': 'Node.js 10.x', 'endOfLifeDate': '2022-02-14' },
             { 'id':'nodejs12.x', 'name': 'Node.js 12', 'endOfLifeDate': '2023-03-31'},
+            { 'id':'nodejs14.x', 'name': 'Node.js 14', 'endOfLifeDate': '2023-11-27'},
+            { 'id':'nodejs16.x', 'name': 'Node.js 16', 'endOfLifeDate': '2024-03-11'},
             { 'id':'dotnetcore3.1', 'name': '.Net Core 3.1', 'endOfLifeDate': '2023-03-31' },
             { 'id':'dotnetcore2.1', 'name': '.Net Core 2.1', 'endOfLifeDate': '2022-04-15' },
             { 'id':'dotnetcore2.0', 'name': '.Net Core 2.0', 'endOfLifeDate': '2018-10-01' },
             { 'id':'dotnetcore1.0', 'name': '.Net Core 1.0', 'endOfLifeDate': '2019-06-27' },
+            { 'id':'dotnet7', 'name': '.Net 7', 'endOfLifeDate': '2024-05-14' },
             { 'id':'python2.7', 'name': 'Python 2.7', 'endOfLifeDate': '2022-05-30' },
             { 'id':'python3.5', 'name': 'Python 3.5', 'endOfLifeDate': '2020-09-13' },
             { 'id':'ruby2.5', 'name': 'Ruby 2.5', 'endOfLifeDate': '2022-03-31' },
+            { 'id':'ruby2.7', 'name': 'Ruby 2.7', 'endOfLifeDate': '2023-12-07' },
             { 'id':'python3.6', 'name': 'Python 3.6', 'endOfLifeDate': '2022-08-29'},
+            { 'id':'python3.7', 'name': 'Python 3.7', 'endOfLifeDate': '2023-11-27'},
+            { 'id':'go1.x', 'name': 'Go 1', 'endOfLifeDate': '2023-12-31'},
+            { 'id':'java8', 'name': 'Java 8', 'endOfLifeDate': '2023-12-31'},
         ];
 
         async.each(regions.lambda, function(region, rcb){

diff --git a/plugins/azure/fileservice/fileServiceAllAccessAcl.js b/plugins/azure/fileservice/fileServiceAllAccessAcl.js
@@ -9,8 +9,8 @@ module.exports = {
     description: 'Ensures file shares do not allow full write, delete, or read ACL permissions',
     more_info: 'File shares can be configured to allow to read, write, or delete permissions from a share. This option should not be configured unless there is a strong business requirement.',
     recommended_action: 'Disable global read, write, and delete policies on all file shares and ensure the share ACL is configured with least privileges.',
-    link: 'https://learn.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share#create-a-file-share-through-the-azure-portal',
-    apis: ['storageAccounts:list', 'storageAccounts:listKeys', 'fileService:listSharesSegmentedNew', 'fileService:getShareAcl'],
+    link: 'https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share#create-a-file-share-through-the-azure-portal',
+    apis: ['storageAccounts:list', 'storageAccounts:listKeys', 'fileService:listSharesSegmented', 'fileService:getShareAcl'],
     compliance: {
         hipaa: 'HIPAA access controls require data to be secured with least-privileged ' +
                 'ACLs. File Service ACLs enable granular permissions for data access.',
@@ -60,7 +60,6 @@ module.exports = {
                             'No existing File Service shares found', location, storageAccount.id);
                     } else {
                         listSharesSegmented.data.forEach(function(fileShare) {
-                            fileShare.id = `${storageAccount.id}/fileService/${fileShare.name}`;
                             // Add share ACL
                             var getShareAcl = helpers.addSource(cache, source,
                                 ['fileService', 'getShareAcl', location, fileShare.id]);

diff --git a/plugins/azure/fileservice/fileServiceAllAccessAcl.spec.js b/plugins/azure/fileservice/fileServiceAllAccessAcl.spec.js
@@ -40,7 +40,8 @@ const listKeys = [
 
 const listSharesSegmented = [
     {
-        "name": "file1 "
+        "name": "file1",
+        "id": "/subscriptions/1234/resourceGroups/cloud-shell-storage-eastus/providers/Microsoft.Storage/storageAccounts/csb100320011e293683/fileService/file1"
     }
 ];