-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Aws credentials #128
Merged
Merged
Aws credentials #128
Changes from 3 commits
Commits
Show all changes
8 commits
Select commit
Hold shift + click to select a range
1b84f33
Update validation message.
michaelcfanning 44859e6
AWS credentials validator
michaelcfanning 6f02a1b
Update tests and baselines.
michaelcfanning 5e91e42
Fix azure function build.
michaelcfanning c407958
Fix path typo.
michaelcfanning ce789c1
Fix test file reference.
michaelcfanning ca31218
Reformat commented code.
michaelcfanning c1d2206
Merge branch 'main' into aws-credentials
eddynaka File filter
Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,147 @@ | ||
// Copyright (c) Microsoft. All rights reserved. | ||
// Licensed under the MIT license. See LICENSE file in the project root for full license information. | ||
|
||
using System; | ||
using System.Collections.Generic; | ||
using System.Collections.Specialized; | ||
using System.Net; | ||
using System.Net.Http; | ||
using System.Text; | ||
using System.Text.Json; | ||
using System.Text.Json.Serialization; | ||
|
||
using Amazon.IdentityManagement; | ||
using Amazon.IdentityManagement.Model; | ||
using Amazon.IdentityManagement.Model.Internal.MarshallTransformations; | ||
using Amazon.Runtime; | ||
|
||
namespace Microsoft.CodeAnalysis.Sarif.PatternMatcher.Plugins.Security | ||
{ | ||
internal class AwsCredentialsValidator : ValidatorBase | ||
{ | ||
internal static AwsCredentialsValidator Instance = new AwsCredentialsValidator(); | ||
|
||
public static string IsValidStatic(ref string matchedPattern, | ||
ref Dictionary<string, string> groups, | ||
ref string failureLevel, | ||
ref string fingerprint, | ||
ref string message) | ||
{ | ||
return ValidatorBase.IsValidStatic(Instance, | ||
ref matchedPattern, | ||
ref groups, | ||
ref failureLevel, | ||
ref fingerprint, | ||
ref message); | ||
} | ||
|
||
public static string IsValidDynamic(ref string fingerprint, ref string message) | ||
{ | ||
return ValidatorBase.IsValidDynamic(Instance, | ||
ref fingerprint, | ||
ref message); | ||
} | ||
|
||
protected override string IsValidStaticHelper(ref string matchedPattern, | ||
ref Dictionary<string, string> groups, | ||
ref string failureLevel, | ||
ref string fingerprintText, | ||
ref string message) | ||
{ | ||
string id = groups["id"]; | ||
string key = groups["key"]; | ||
|
||
fingerprintText = new Fingerprint | ||
{ | ||
Id = id, | ||
Key = key, | ||
}.ToString(); | ||
|
||
return nameof(ValidationState.Unknown); | ||
} | ||
|
||
protected override string IsValidDynamicHelper(ref string fingerprintText, | ||
ref string message) | ||
{ | ||
var fingerprint = new Fingerprint(fingerprintText); | ||
|
||
string id = fingerprint.Id; | ||
string key = fingerprint.Key; | ||
|
||
try | ||
{ | ||
var iamClient = new AmazonIdentityManagementServiceClient(id, key); | ||
|
||
GetAccountAuthorizationDetailsRequest request; | ||
GetAccountAuthorizationDetailsResponse response; | ||
|
||
GetUserRequest userRequest = new GetUserRequest(); | ||
GetUserResponse userResponse = iamClient.GetUserAsync().GetAwaiter().GetResult(); | ||
|
||
request = new GetAccountAuthorizationDetailsRequest(); | ||
response = iamClient.GetAccountAuthorizationDetailsAsync(request).GetAwaiter().GetResult(); | ||
|
||
message = BuildAuthorizedMessage(id, response); | ||
} | ||
catch (AmazonIdentityManagementServiceException e) | ||
{ | ||
switch (e.ErrorCode) | ||
{ | ||
case "InvalidClientTokenId": | ||
case "SignatureDoesNotMatch": | ||
{ | ||
return nameof(ValidationState.NoMatch); | ||
} | ||
} | ||
|
||
message = $"An unexpected exception was caught attempting to authenticate AWS id '{id}': {e.Message}"; | ||
return nameof(ValidationState.Unknown); | ||
} | ||
catch (Exception e) | ||
{ | ||
message = $"An unexpected exception was caught attempting to authentic AWS id '{id}': {e.Message}"; | ||
return nameof(ValidationState.Unknown); | ||
} | ||
|
||
/* var client = new HttpClient(); | ||
|
||
try | ||
{ | ||
string uri = "https://iam.amazonaws.com/?Action=GetAccountAuthorizationDetails" + | ||
"?X-Amz-Algorithm=AWS4-HMAC-SHA256" + | ||
$"&X-Amz-Credential={id}"; | ||
|
||
HttpResponseMessage response = client.GetAsync(uri).GetAwaiter().GetResult(); | ||
|
||
switch (response.StatusCode) | ||
{ | ||
case HttpStatusCode.Forbidden: | ||
{ | ||
message = $"for AWS credential id '{id}'."; | ||
return nameof(ValidationState.Unauthorized); | ||
} | ||
} | ||
} | ||
catch (Exception e) | ||
{ | ||
message = $"An unexpected exception was caught attempting to authentic AWS id '{id}': {e.Message}"; | ||
return nameof(ValidationState.Unknown); | ||
} | ||
*/ | ||
return nameof(ValidationState.Authorized); | ||
} | ||
|
||
private string BuildAuthorizedMessage(string id, GetAccountAuthorizationDetailsResponse response) | ||
{ | ||
var policyNames = new List<string>(); | ||
|
||
foreach (ManagedPolicyDetail policy in response.Policies) | ||
{ | ||
policyNames.Add(policy.PolicyName); | ||
} | ||
|
||
string policyNamesText = string.Join(", ", policyNames); | ||
return $"id '{id}' is authorized for role policies '{policyNamesText}'."; | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
83 changes: 83 additions & 0 deletions
83
....Security/TestData/SecurePlaintextSecrets/ExpectedOutputs/SEC101_007.AwsCredentials.sarif
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,83 @@ | ||
{ | ||
"$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json", | ||
"version": "2.1.0", | ||
"runs": [ | ||
{ | ||
"tool": { | ||
"driver": { | ||
"name": "testhost", | ||
"organization": "Microsoft Corporation", | ||
"product": "Microsoft.TestHost", | ||
"fullName": "testhost 15.0.0.0", | ||
"version": "15.0.0.0", | ||
"semanticVersion": "15.0.0", | ||
"rules": [ | ||
{ | ||
"id": "SEC101/007", | ||
"name": "DoNotExposePlaintextSecrets/AwsCredentials", | ||
"fullDescription": { | ||
"text": "Do not expose plaintext (or base64-encoded plaintext) secrets in versioned engineering content." | ||
}, | ||
"messageStrings": { | ||
"NotApplicable_InvalidMetadata": { | ||
"text": "'{0}' was not evaluated for check '{1}' because the analysis is not relevant for the following reason: {2}." | ||
}, | ||
"Default": { | ||
"text": "'{0}' contains {1}{2}{3}{4}{5}." | ||
} | ||
}, | ||
"helpUri": "https://github.com/microsoft/sarif-pattern-matcher" | ||
} | ||
] | ||
} | ||
}, | ||
"invocations": [ | ||
{ | ||
"executionSuccessful": true | ||
} | ||
], | ||
"results": [ | ||
{ | ||
"ruleId": "SEC101/007", | ||
"ruleIndex": 0, | ||
"message": { | ||
"id": "Default", | ||
"arguments": [ | ||
"SEC101_007.AwsCredentials.txt", | ||
"an apparent ", | ||
"", | ||
"AWS access key and secret", | ||
"", | ||
" (no validation occurred as it was not enabled. Pass '--dynamic-validation' on the command-line to validate this match)" | ||
] | ||
}, | ||
"locations": [ | ||
{ | ||
"physicalLocation": { | ||
"artifactLocation": { | ||
"uri": "src/Plugins/Tests.Security/TestData/SecurePlaintextSecrets/Inputs/SEC101_007.AwsCredentials.txt", | ||
"uriBaseId": "SRC_ROOT" | ||
}, | ||
"region": { | ||
"startLine": 1, | ||
"startColumn": 16, | ||
"endLine": 2, | ||
"endColumn": 60, | ||
"charOffset": 15, | ||
"charLength": 81, | ||
"snippet": { | ||
"text": "AKIAIOSFODNN7EXAMPLE\r\nAWSSecretAccessKey\twJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" | ||
} | ||
} | ||
} | ||
} | ||
], | ||
"fingerprints": { | ||
"ValidationFingerprint/v1": "[id=AKIAIOSFODNN7EXAMPLE][key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY]" | ||
} | ||
} | ||
], | ||
"columnKind": "utf16CodeUnits" | ||
} | ||
] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 changes: 2 additions & 0 deletions
2
...ugins/Tests.Security/TestData/SecurePlaintextSecrets/Inputs/SEC101_007.AwsCredentials.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
AWSAccessKeyId AKIAIOSFODNN7EXAMPLE | ||
AWSSecretAccessKey wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY |
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should be able to replace use of the AWS SDK with direct REST API calls, just didn't do sufficient research to make it happen. Relevant code is at https://github.com/aws/aws-sdk-net/, specifically, the code in t\sdk\src\Core\Amazon.Runtime\Internal\Auth\AWS4Signer.cs