bucket policy check false positive fix (#828)
gaurav-gogia committed Jun 2, 2021
1 parent dec6618 commit 971845a
Showing 1 changed file with 16 additions and 7 deletions.
23 changes: 16 additions & 7 deletions pkg/policies/opa/rego/aws/aws_s3_bucket/s3EnforceUserACL.rego
Expand Up @@ -6,14 +6,23 @@ package accurics
#proceeding forward only if inline policy is not included
not bucket.config.policy

bucket_policies_set := { policy_id | policy_id := split(input.aws_s3_bucket_policy[_].id, "." )[1] }
bucket_policy := input.aws_s3_bucket_policy[_]

not bucket_policies_set[split(bucket.id, ".")[1]]
bucket_id := split(bucket.id, ".")[1]
not contains(bucket_policy.config.bucket, bucket_id)

rc = "cmVzb3VyY2UgImF3c19zM19idWNrZXRfcG9saWN5IiAiIyNyZXNvdXJjZV9uYW1lIyNQb2xpY3kiIHsKICBidWNrZXQgPSAiJHthd3NfczNfYnVja2V0LiMjcmVzb3VyY2VfbmFtZSMjLmlkfSIKCiAgcG9saWN5ID0gPDxQT0xJQ1kKewogICJWZXJzaW9uIjogIjIwMTItMTAtMTciLAogICJTdGF0ZW1lbnQiOiBbCiAgICB7CiAgICAgICJTaWQiOiAiIyNyZXNvdXJjZV9uYW1lIyMtcmVzdHJpY3QtYWNjZXNzLXRvLXVzZXJzLW9yLXJvbGVzIiwKICAgICAgIkVmZmVjdCI6ICJBbGxvdyIsCiAgICAgICJQcmluY2lwYWwiOiBbCiAgICAgICAgewogICAgICAgICAgIkFXUyI6IFsKICAgICAgICAgICAgImFybjphd3M6aWFtOjojI2Fjb3VudF9pZCMjOnJvbGUvIyNyb2xlX25hbWUjIyIsCiAgICAgICAgICAgICJhcm46YXdzOmlhbTo6IyNhY291bnRfaWQjIzp1c2VyLyMjdXNlcl9uYW1lIyMiCiAgICAgICAgICBdCiAgICAgICAgfQogICAgICBdLAogICAgICAiQWN0aW9uIjogInMzOkdldE9iamVjdCIsCiAgICAgICJSZXNvdXJjZSI6ICJhcm46YXdzOnMzOjo6JHthd3NfczNfYnVja2V0LiMjcmVzb3VyY2VfbmFtZSMjLmlkfS8qIgogICAgfQogIF0KfQpQT0xJQ1kKfQ=="
decode_rc = base64.decode(rc)
rc := "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"
decode_rc := base64.decode(rc)
replaced_resource_name := replace(decode_rc, "##resource_name##", bucket.name)

traverse = ""
retVal := { "Id": bucket.id, "ReplaceType": "add", "CodeType": "resource", "Traverse": traverse, "Attribute": "", "AttributeDataType": "resource", "Expected": base64.encode(replaced_resource_name), "Actual": null }
}
retVal := {
"Id": bucket.id,
"ReplaceType": "add",
"CodeType": "resource",
"Traverse": "",
"Attribute": "",
"AttributeDataType": "resource",
"Expected": base64.encode(replaced_resource_name),
"Actual": null
}
}
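Review bot: The rewritten guard, `bucket_policy := input.aws_s3_bucket_policy[_]` followed by `not contains(bucket_policy.config.bucket, bucket_id)`, is an existential over every bucket policy in the input, so the rule fires whenever any policy for a different bucket exists (two buckets that each carry their own policy are both flagged) and can never fire when the input holds no bucket policies at all, which is the unprotected case this check exists to catch. The set-membership form it replaces was total over the policies; the fix should keep that shape while using the new `config.bucket` match, e.g. `matching_policies := [p | p := input.aws_s3_bucket_policy[_]; contains(p.config.bucket, bucket_id)]` followed by `count(matching_policies) == 0`. `contains` is a substring test, so a bucket named `prod` also counts as covered by a policy attached to `prod-logs`; if `config.bucket` always holds the interpolated `${aws_s3_bucket.<name>.id}` form, matching that exact string would be tighter, but the input shape is not visible from this hunk. The rule head and the binding of `bucket` sit above the hunk.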
