2021-01-27 22:47:39 +00:00
|
|
|
package middlewares
|
|
|
|
|
|
|
|
|
|
import (
|
2021-03-29 16:10:50 +00:00
|
|
|
"github.com/sirupsen/logrus"
|
|
|
|
|
|
2022-06-28 07:23:29 +00:00
|
|
|
"github.com/snyk/driftctl/enumeration/resource"
|
2022-07-21 08:37:03 +00:00
|
|
|
"github.com/snyk/driftctl/pkg/resource/aws"
|
2021-01-27 22:47:39 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// Explodes policy found in aws_s3_bucket.policy from state resources to dedicated resources
|
2021-03-29 16:10:50 +00:00
|
|
|
type AwsBucketPolicyExpander struct {
|
|
|
|
|
resourceFactory resource.ResourceFactory
|
|
|
|
|
}
|
2021-01-27 22:47:39 +00:00
|
|
|
|
2021-03-29 16:10:50 +00:00
|
|
|
func NewAwsBucketPolicyExpander(resourceFactory resource.ResourceFactory) AwsBucketPolicyExpander {
|
|
|
|
|
return AwsBucketPolicyExpander{
|
|
|
|
|
resourceFactory: resourceFactory,
|
|
|
|
|
}
|
2021-01-27 22:47:39 +00:00
|
|
|
}
|
|
|
|
|
|
2021-08-09 14:03:04 +00:00
|
|
|
func (m AwsBucketPolicyExpander) Execute(_, resourcesFromState *[]*resource.Resource) error {
|
|
|
|
|
newList := make([]*resource.Resource, 0)
|
2021-01-27 22:47:39 +00:00
|
|
|
for _, res := range *resourcesFromState {
|
|
|
|
|
// Ignore all resources other than s3_bucket
|
2021-08-18 13:58:28 +00:00
|
|
|
if res.ResourceType() != aws.AwsS3BucketResourceType {
|
2021-01-27 22:47:39 +00:00
|
|
|
newList = append(newList, res)
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
newList = append(newList, res)
|
|
|
|
|
|
2021-08-18 13:58:28 +00:00
|
|
|
if hasPolicyAttached(res.ResourceId(), resourcesFromState) {
|
2021-08-09 14:03:04 +00:00
|
|
|
res.Attrs.SafeDelete([]string{"policy"})
|
2021-01-27 22:47:39 +00:00
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-09 14:03:04 +00:00
|
|
|
err := m.handlePolicy(res, &newList)
|
2021-01-27 22:47:39 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
*resourcesFromState = newList
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-09 14:03:04 +00:00
|
|
|
func (m *AwsBucketPolicyExpander) handlePolicy(bucket *resource.Resource, results *[]*resource.Resource) error {
|
2021-04-29 14:36:05 +00:00
|
|
|
policyAttr, exist := bucket.Attrs.Get("policy")
|
|
|
|
|
if !exist || policyAttr == nil || policyAttr == "" {
|
2021-01-27 22:47:39 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-29 16:10:50 +00:00
|
|
|
data := map[string]interface{}{
|
2021-08-18 13:58:28 +00:00
|
|
|
"id": bucket.ResourceId(),
|
2021-04-29 14:36:05 +00:00
|
|
|
"bucket": (*bucket.Attrs)["bucket"],
|
|
|
|
|
"policy": (*bucket.Attrs)["policy"],
|
2021-03-29 16:10:50 +00:00
|
|
|
}
|
|
|
|
|
|
2021-08-18 13:58:28 +00:00
|
|
|
newPolicy := m.resourceFactory.CreateAbstractResource(aws.AwsS3BucketPolicyResourceType, bucket.ResourceId(), data)
|
2021-05-04 07:51:03 +00:00
|
|
|
|
|
|
|
|
*results = append(*results, newPolicy)
|
2021-01-27 22:47:39 +00:00
|
|
|
logrus.WithFields(logrus.Fields{
|
2021-08-18 13:58:28 +00:00
|
|
|
"id": newPolicy.ResourceId(),
|
2021-01-27 22:47:39 +00:00
|
|
|
}).Debug("Created new policy from bucket")
|
|
|
|
|
|
2021-04-29 14:36:05 +00:00
|
|
|
bucket.Attrs.SafeDelete([]string{"policy"})
|
2021-01-27 22:47:39 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Return true if the bucket has a aws_bucket_policy resource attached to itself.
|
|
|
|
|
// It is mandatory since it's possible to have a aws_bucket with an inline policy
|
|
|
|
|
// AND a aws_bucket_policy resource at the same time. At the end, on the AWS console,
|
|
|
|
|
// the aws_bucket_policy will be used.
|
2021-08-09 14:03:04 +00:00
|
|
|
func hasPolicyAttached(bucket string, resourcesFromState *[]*resource.Resource) bool {
|
2021-01-27 22:47:39 +00:00
|
|
|
for _, res := range *resourcesFromState {
|
2021-08-18 13:58:28 +00:00
|
|
|
if res.ResourceType() == aws.AwsS3BucketPolicyResourceType &&
|
|
|
|
|
res.ResourceId() == bucket {
|
2021-01-27 22:47:39 +00:00
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false
|
|
|
|
|
}
|
