fix(query): fn for remote desktop port open to internet and other "security group" associated queries --terraform/aws--cloudformation/aws

assets/libraries/common.rego

@@ -77,7 +77,7 @@ emptyOrNull(null) = true
 
 # Checks if an IP is private
 isPrivateIP(ipVal) {
-	private_ips := ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]
+	private_ips := ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "fc00::/8", "fd00::/8"]
 	some i
 	net.cidr_contains(private_ips[i], ipVal)
 }
@@ -462,7 +462,7 @@ is_recommended_tls(field) {
 }
 
 is_unrestricted(sourceRange) {
-	cidrs := {"0.0.0.0/0", "::/0"}
+	cidrs := {"0.0.0.0/0", "::/0", "0000:0000:0000:0000:0000:0000:0000:0000/0", "0:0:0:0:0:0:0:0/0"}
 	sourceRange == cidrs[_]
 }
 
@@ -749,4 +749,4 @@ valid_non_empty_key(field, key) = output {
 	keyObj := field[key]
 	keyObj == ""
 	output := concat(".", ["", key])
-}
+}

assets/libraries/terraform.rego

@@ -2,39 +2,91 @@ package generic.terraform
 
 import data.generic.common as common_lib
 
+unrestricted_ipv6 := ["::/0","0000:0000:0000:0000:0000:0000:0000:0000/0","0:0:0:0:0:0:0:0/0"]
+
 check_cidr(rule) {
 	rule.cidr_blocks[_] == "0.0.0.0/0"
 } else {
 	rule.cidr_block == "0.0.0.0/0"
 } else {
-	rule.ipv6_cidr_blocks[_] == "::/0"
+	rule.ipv6_cidr_blocks[_] == unrestricted_ipv6[_]
+} else {
+	rule.ipv6_cidr_blocks == unrestricted_ipv6[_]
+} else {
+	rule.cidr_ipv4 == "0.0.0.0/0"
 } else {
-	rule.ipv6_cidr_blocks == "::/0"
+	rule.cidr_ipv6 == unrestricted_ipv6[_]
+} 
+
+is_security_group_ingress(type,resource) {
+	type == "aws_security_group_rule"
+	resource.type == "ingress"
 } else {
-	rule.ipv6_cidr_blocks[_] == "0000:0000:0000:0000:0000:0000:0000:0000/0"
+	type == "aws_vpc_security_group_ingress_rule"
+} 
+
+cidr_is_unmasked(resource) {
+	#in line ingress
+	endswith(resource.ingress.cidr_blocks[_], "/0")
 } else {
-	rule.ipv6_cidr_blocks == "0000:0000:0000:0000:0000:0000:0000:0000/0"
+	endswith(resource.ingress.ipv6_cidr_blocks[_], "/0")
 } else {
-	rule.ipv6_cidr_blocks[_] == "0:0:0:0:0:0:0:0/0"
+	#security_group_rule or in line ingress passed as "resource"
+	endswith(resource.cidr_blocks[_], "/0")
 } else {
-	rule.ipv6_cidr_blocks == "0:0:0:0:0:0:0:0/0"
-}
+	endswith(resource.ipv6_cidr_blocks[_], "/0")
+} else {
+	#security_group_ingress_rule
+	endswith(resource.cidr_ipv4, "/0")
+} else {
+	endswith(resource.cidr_ipv6, "/0")
+} 
 
 
-# Checks if a TCP port is open in a rule
+# Checks if a TCP port is open 
 portOpenToInternet(rule, port) {
 	check_cidr(rule)
-	rule.protocol == "tcp"
+	prot_types := ["protocol","ip_protocol"]
+	rule[prot_types[_]] == "tcp"
 	containsPort(rule, port)
 }
 
 portOpenToInternet(rules, port) {
 	rule := rules[_]
 	check_cidr(rule)
-	rule.protocol == "tcp"
+	prot_types := ["protocol","ip_protocol"]
+	rule[prot_types[_]] == "tcp"
 	containsPort(rule, port)
 }
 
+portOpenToInternet(rule, port) {
+	check_cidr(rule)
+	prot_types := ["protocol","ip_protocol"]
+	open_port := ["all","-1"]
+	rule[prot_types[_]] == open_port[_]
+}
+
+portOpenToInternet(rules, port) {
+	rule := rules[_]
+	check_cidr(rule)
+	prot_types := ["protocol","ip_protocol"]
+	open_port := ["all","-1"]
+	rule[prot_types[_]] == open_port[_]
+}
+
+get_ingress_list(ingress) = result {
+	is_array(ingress)
+	result := {
+		"value" : ingress,
+		"is_unique_element" : false
+	}
+} else = result {
+	result := {
+		"value" : [ingress],
+		"is_unique_element" : true
+	}
+}
+
 # Checks if a port is included in a rule
 containsPort(rule, port) {
 	rule.from_port <= port

assets/queries/terraform/aws/http_port_open/query.rego

@@ -1,19 +1,89 @@
 package Cx
 
 import data.generic.terraform as tf_lib
+import data.generic.common as common_lib
 
 CxPolicy[result] {
+	#Case of "aws_vpc_security_group_ingress_rule" or "aws_security_group_rule"
+	types := ["aws_vpc_security_group_ingress_rule","aws_security_group_rule"]
+	resource := input.document[i].resource[types[i2]][name]
+
+	tf_lib.is_security_group_ingress(types[i2],resource)
+	tf_lib.portOpenToInternet(resource, 80)
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": types[i2],
+		"resourceName": tf_lib.get_resource_name(resource, name),	
+		"searchKey": sprintf("%s[%s]", [types[i2],name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("%s[%s] should not open the HTTP port (80)", [types[i2],name]),
+		"keyActualValue": sprintf("%s[%s] opens the HTTP port (80)", [types[i2],name]),
+		"searchLine": common_lib.build_search_line(["resource", types[i2], name], []),
+	}
+}
+
+CxPolicy[result] {
+	#Case of "aws_security_group"
 	resource := input.document[i].resource.aws_security_group[name]
 
-	tf_lib.portOpenToInternet(resource.ingress, 80)
+	ingress_list := tf_lib.get_ingress_list(resource.ingress)
+	results := http_is_open(ingress_list.value[i2],ingress_list.is_unique_element,name,i2)
+	results != ""
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": "aws_security_group",
 		"resourceName": tf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("aws_security_group[%s]", [name]),
+		"searchKey": results.searchKey,
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": results.keyExpectedValue,
+		"keyActualValue": results.keyActualValue,
+		"searchLine": results.searchLine,
+	}
+}
+
+CxPolicy[result] {
+	#Case of "security-group" Module
+	module := input.document[i].module[name]
+	types := ["ingress_with_cidr_blocks","ingress_with_ipv6_cidr_blocks"]
+	ingressKey := common_lib.get_module_equivalent_key("aws", module.source, "aws_security_group", types[t])
+	common_lib.valid_key(module, ingressKey)
+
+	ingress := module[ingressKey][i2]
+
+	tf_lib.portOpenToInternet(ingress, 80)
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "n/a",
+		"resourceName": "n/a",
+		"searchKey": sprintf("module[%s].%s.%d", [name, ingressKey,i2]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": "aws_security_group.ingress shouldn't open the HTTP port (80)",
-		"keyActualValue": "aws_security_group.ingress opens the HTTP port (80)",
+		"keyExpectedValue": sprintf("module[%s].%s.%d should not open the HTTP port (80)",[name, ingressKey,i2]),
+		"keyActualValue": sprintf("module[%s].%s.%d opens the HTTP port (80)",[name, ingressKey,i2]),
+		"searchLine": common_lib.build_search_line(["module", name, ingressKey, i2], []),
 	}
 }
+
+http_is_open(ingress,is_unique_element,name,i2) = results {
+	is_unique_element
+	tf_lib.portOpenToInternet(ingress, 80)
+
+	results := {
+		"searchKey" : sprintf("aws_security_group[%s].ingress", [name]),
+		"keyExpectedValue" : sprintf("aws_security_group[%s].ingress should not open the HTTP port (80)",[name]),
+		"keyActualValue" : sprintf("aws_security_group[%s].ingress opens the HTTP port (80)",[name]),
+		"searchLine" : common_lib.build_search_line(["resource", "aws_security_group", name, "ingress"], []),
+	}
+} else = results {
+	not is_unique_element
+	tf_lib.portOpenToInternet(ingress, 80)
+
+	results := {
+		"searchKey" : sprintf("aws_security_group[%s].ingress[%d]", [name,i2]),
+		"keyExpectedValue" : sprintf("aws_security_group[%s].ingress[%d] should not open the HTTP port (80)", [name,i2]),
+		"keyActualValue" : sprintf("aws_security_group[%s].ingress[%d] opens the HTTP port (80)", [name,i2]),
+		"searchLine" : common_lib.build_search_line(["resource", "aws_security_group", name, "ingress", i2], []),
+	}
+} else = ""

assets/queries/terraform/aws/http_port_open/test/negative1.tf

@@ -0,0 +1,66 @@
+resource "aws_security_group" "negative1-1" {
+
+  ingress {
+    description = "Remote desktop open private"
+    from_port   = 70
+    to_port     = 81
+    protocol    = "tcp"
+  }
+}
+
+resource "aws_security_group" "negative1-2" {
+
+  ingress {
+    description = "Remote desktop open private"
+    from_port   = 79
+    to_port     = 100
+    protocol    = "tcp"
+    cidr_blocks = ["0.1.0.0/0"]
+  }
+}
+
+resource "aws_security_group" "negative1-3" {
+
+  ingress {
+    description = "Remote desktop open private"
+    from_port   = 3380
+    to_port     = 3450
+    protocol    = "tcp"
+    ipv6_cidr_blocks = ["2001:db8:abcd:0012::/64"]
+  }
+}
+
+resource "aws_security_group" "negative1-4" {
+  name        = "allow_tls"
+  description = "sample"
+
+  ingress {
+    description = "sample"
+    from_port   = 100
+    to_port     = 200
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description = "sample"
+    from_port   = 100
+    to_port     = 200
+    protocol    = "tcp"
+    ipv6_cidr_blocks = ["fd00::/8", "::/0"]
+  }
+}
+
+resource "aws_security_group" "negative1-5" {
+  name        = "allow_tls"
+  description = "sample"
+
+  ingress {
+    description = "sample"
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["192.120.0.0/16"]
+    ipv6_cidr_blocks = ["fd00::/8"]
+  }
+}

assets/queries/terraform/aws/http_port_open/test/negative2.tf

@@ -0,0 +1,31 @@
+resource "aws_security_group" "ec2" {
+  description = "ec2 sg"
+  name        = "secgroup-ec2"
+  vpc_id      = var.vpc_id
+}
+
+resource "aws_vpc_security_group_ingress_rule" "negative2-1" {
+  security_group_id = aws_security_group.negative.id
+  from_port         = 80
+  to_port           = 80
+  ip_protocol       = "tcp"
+  description       = "TLS from VPC"
+}
+
+resource "aws_vpc_security_group_ingress_rule" "negative2-2" {
+  security_group_id = aws_security_group.ec2.id
+  cidr_ipv4         = "0.0.1.0/0"
+  from_port         = 80
+  to_port           = 80
+  ip_protocol       = "tcp"
+  description       = "allows RDP from Internet"
+}
+
+resource "aws_vpc_security_group_ingress_rule" "negative2-3" {
+  security_group_id = aws_security_group.ec2.id
+  cidr_ipv6         = "2001:db8:abcd:0012::/64"
+  from_port         = 80 
+  to_port           = 80
+  ip_protocol       = "-1"
+  description       = "allows RDP from Internet"
+}

assets/queries/terraform/aws/http_port_open/test/negative3.tf

@@ -0,0 +1,34 @@
+resource "aws_security_group" "ec2" {
+  description = "ec2 sg"
+  name        = "secgroup-ec2"
+  vpc_id      = var.vpc_id
+}
+
+resource "aws_security_group_rule" "negative3-1" {
+  type              = "ingress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  security_group_id = aws_security_group.negative.id
+  description       = "TLS from VPC"
+}
+
+resource "aws_security_group_rule" "negative3-2" {
+  type              = "ingress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.1.0/0"]
+  security_group_id = aws_security_group.ec2.id
+  description        = "allows RDP from Internet (IPv4)"
+}
+
+resource "aws_security_group_rule" "negative3-3" {
+  type              = "ingress"
+  from_port         = 79
+  to_port           = 100
+  protocol          = "-1" 
+  ipv6_cidr_blocks  = ["2001:db8:abcd:0012::/64"]
+  security_group_id = aws_security_group.ec2.id
+  description       = "allows RDP from Internet (IPv6)"
+}