Added Ip restriction disabled query tf alicloud (Checkmarx#4946)

assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/metadata.json

@@ -0,0 +1,11 @@
+{
+  "id": "6107c530-7178-464a-88bc-df9cdd364ac8",
+  "queryName": "OSS Bucket Ip Restriction Disabled",
+  "severity": "HIGH",
+  "category": "Networking and Firewall",
+  "descriptionText": "OSS Bucket should have ip restricted access",
+  "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy",
+  "platform": "Terraform",
+  "descriptionID": "93cebe21",
+  "cloudProvider": "alicloud"
+}

assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/query.rego

@@ -0,0 +1,29 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as terra_lib
+
+CxPolicy[result] {
+
+	policy := input.document[i].resource.alicloud_oss_bucket[name].policy
+
+    not ip_restricted(policy)
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("alicloud_oss_bucket[%s].policy",[name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("[%s].policy has restricted ip access",[name]),
+		"keyActualValue": sprintf("[%s].policy does not restrict access via ip",[name]),
+        "searchline":common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "policy"], []),
+	}
+}
+
+ip_restricted(policy)
+{
+	u_policy := common_lib.json_unmarshal(policy)
+	statement := common_lib.get_statement(u_policy)
+    st:=statement[_]
+    possibilities := {"IpAdress", "NotIpAdress"}
+    common_lib.valid_key(st.Condition[possibilities[_]], "acs:SourceIp")
+}

assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test/negative1.tf

@@ -0,0 +1,47 @@
+resource "alicloud_oss_bucket" "bucket-securetransport2"{
+        policy = <<POLICY
+{
+        "Version": "1",
+        "Statement": 
+        [
+            {
+                "Effect": "Deny",
+                "Action": 
+                [
+                    "oss:RestoreObject",
+                    "oss:ListObjects",
+                    "oss:AbortMultipartUpload",
+                    "oss:PutObjectAcl",
+                    "oss:GetObjectAcl",
+                    "oss:ListParts",
+                    "oss:DeleteObject",
+                    "oss:PutObject",
+                    "oss:GetObject",
+                    "oss:GetVodPlaylist",
+                    "oss:PostVodPlaylist",
+                    "oss:PublishRtmpStream",
+                    "oss:ListObjectVersions",
+                    "oss:GetObjectVersion",
+                    "oss:GetObjectVersionAcl",
+                    "oss:RestoreObjectVersion"
+                ],
+                "Principal": 
+                [
+                    "*"
+                ],
+                "Resource": 
+                [
+                    "acs:oss:*:0000111122223334:af/*"
+                ],
+                "Condition": 
+                {
+                    "IpAdress": 
+                    {
+                        "acs:SourceIp": "10.0.0.0"
+                    }
+                }
+            }
+        ]
+}
+POLICY
+}

assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test/negative2.tf

@@ -0,0 +1,48 @@
+resource "alicloud_oss_bucket" "bucket-securetransport2"{
+        policy = <<POLICY
+{
+        "Version": "1",
+        "Statement": 
+        [
+            {
+                "Effect": "Deny",
+                "Action": 
+                [
+                    "oss:RestoreObject",
+                    "oss:ListObjects",
+                    "oss:AbortMultipartUpload",
+                    "oss:PutObjectAcl",
+                    "oss:GetObjectAcl",
+                    "oss:ListParts",
+                    "oss:DeleteObject",
+                    "oss:PutObject",
+                    "oss:GetObject",
+                    "oss:GetVodPlaylist",
+                    "oss:PostVodPlaylist",
+                    "oss:PublishRtmpStream",
+                    "oss:ListObjectVersions",
+                    "oss:GetObjectVersion",
+                    "oss:GetObjectVersionAcl",
+                    "oss:RestoreObjectVersion"
+                ],
+                "Principal": 
+                [
+                    "*"
+                ],
+                "Resource": 
+                [
+                    "acs:oss:*:0000111122223334:af/*"
+                ],
+                "Condition": 
+                {
+                    "NotIpAdress": 
+                    {
+                        "acs:SourceIp": "10.0.0.0"
+                    }
+                }
+            }
+        ]
+}
+POLICY
+
+}

assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test/positive1.tf

@@ -0,0 +1,14 @@
+resource "alicloud_oss_bucket" "bucket-policy" {
+  bucket = "bucket-170309-policy"
+  acl    = "private"
+
+  policy = <<POLICY
+  {"Statement":
+      [{"Action":
+          ["oss:PutObject", "oss:GetObject", "oss:DeleteBucket"],
+        "Effect":"Allow",
+        "Resource":
+            ["acs:oss:*:*:*"]}],
+   "Version":"1"}
+  POLICY
+}

assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test/positive_expected_result.json

@@ -0,0 +1,8 @@
+[
+  {
+    "queryName": "OSS Bucket Ip Restriction Disabled",
+    "severity": "HIGH",
+    "line": 5,
+    "fileName": "positive1.tf"
+  }
+]