From 352f5744674f0ffae91f71d4cc25dd78804959d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Reigota?=
Date: Fri, 24 Sep 2021 16:53:13 +0100
Subject: [PATCH] feat(query): added support to tf modules for S3 Bucket Allows Public Policy (#4268)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: João Reigota
---
 .../s3_bucket_with_public_policy/query.rego | 32 +++++++++++++++++++
 .../test/{negative.tf => negative1.tf} | 0
 .../test/negative2.tf | 32 +++++++++++++++++++
 .../test/{positive.tf => positive1.tf} | 0
 .../test/positive2.tf | 32 +++++++++++++++++++
 .../test/positive3.tf | 31 ++++++++++++++++++
 .../test/positive_expected_result.json | 18 +++++++++--
 7 files changed, 143 insertions(+), 2 deletions(-)
 rename assets/queries/terraform/aws/s3_bucket_with_public_policy/test/{negative.tf => negative1.tf} (100%)
 create mode 100644 assets/queries/terraform/aws/s3_bucket_with_public_policy/test/negative2.tf
 rename assets/queries/terraform/aws/s3_bucket_with_public_policy/test/{positive.tf => positive1.tf} (100%)
 create mode 100644 assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive2.tf
 create mode 100644 assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive3.tf

diff --git a/assets/queries/terraform/aws/s3_bucket_with_public_policy/query.rego b/assets/queries/terraform/aws/s3_bucket_with_public_policy/query.rego
index 18157addefa..0a7cbb4c26f 100644
--- a/assets/queries/terraform/aws/s3_bucket_with_public_policy/query.rego
+++ b/assets/queries/terraform/aws/s3_bucket_with_public_policy/query.rego
@@ -13,6 +13,7 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'block_public_policy' is equal 'true'",
 "keyActualValue": "'block_public_policy' is missing",
+ "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket_public_access_block", name], []),
 }
 }
 
@@ -26,5 +27,36 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'block_public_policy' is equal 'true'",
 "keyActualValue": "'block_public_policy' is equal 'false'",
+ "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket_public_access_block", name, "block_public_policy"], []),
+ }
+}
+
+CxPolicy[result] {
+ module := input.document[i].module[name]
+ keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "block_public_policy")
+ not common_lib.valid_key(module, keyToCheck)
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("module[%s]", [name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "'block_public_policy' is equal 'true'",
+ "keyActualValue": "'block_public_policy' is missing",
+ "searchLine": common_lib.build_search_line(["module", name], []),
+ }
+}
+
+CxPolicy[result] {
+ module := input.document[i].module[name]
+ keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "block_public_policy")
+ module[keyToCheck] == false
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("module[%s].%s", [name, keyToCheck]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "'block_public_policy' is equal 'true'",
+ "keyActualValue": "'block_public_policy' is equal 'false'",
+ "searchLine": common_lib.build_search_line(["module", name, keyToCheck], []),
 }
 }
diff --git a/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/negative.tf b/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/s3_bucket_with_public_policy/test/negative.tf
rename to assets/queries/terraform/aws/s3_bucket_with_public_policy/test/negative1.tf
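Review bot: The `keyExpectedValue`/`keyActualValue` strings in both new module rules hard-code `block_public_policy`, while the adjacent `searchKey` and `searchLine` use the resolved `keyToCheck`, so for a module whose equivalent input has a different name the finding would point at one attribute and describe another; build those four message lines from the resolved key, e.g. `"keyActualValue": sprintf("'%s' is equal 'false'", [keyToCheck])`. Both rules also depend on `common_lib.get_module_equivalent_key` being undefined for module sources that are not an S3 bucket module — if it ever falls back to returning the requested attribute name, the `not common_lib.valid_key(module, keyToCheck)` rule would report every unrelated module as missing the attribute, and no negative test here covers a non-S3 module source to pin that. Reporting an absent key as a finding is the right default-deny posture, since the module's own default for that input is never inspected; a one-line comment above the first module rule saying so would spare the next reader from "fixing" it. The `module[keyToCheck] == false` comparison only matches a boolean `false`, which presumably mirrors the resource rule whose body starts outside the hunk, so a quoted `"false"` passes both forms unflagged.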
diff --git a/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/negative2.tf b/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/negative2.tf
new file mode 100644
index 00000000000..b0b671e64f2
--- /dev/null
+++ b/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/negative2.tf
@@ -0,0 +1,32 @@
+module "s3_bucket" {
+ source = "terraform-aws-modules/s3-bucket/aws"
+ version = "3.7.0"
+
+ bucket = "my-s3-bucket"
+ acl = "private"
+ restrict_public_buckets = true
+ block_public_acls = true
+ block_public_policy = true
+
+ versioning = {
+ enabled = true
+ }
+
+ policy = <