Add support for passing private auditors (#5)

xen0l · web-flow · commit 8538b60199a8 · 2020-02-19T00:27:37.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+__pycache__
diff --git a/README.md b/README.md
@@ -31,6 +31,13 @@ Custom config file (passed to [parliament](https://github.com/duo-labs/parliamen
 
 **Default:** ''
 
+### private_auditors
+Private auditors path (passed to [parliament](https://github.com/duo-labs/parliament)).
+
+**Required:** False
+
+**Default:** ''
+
 ## Example usage
 ### Without specifying a path
 ```
diff --git a/iam-lint b/iam-lint
@@ -24,6 +24,7 @@ POLICY_FILE_SUFFIX=${2:-"json"}
 
 PARLIAMENT_MINIMUM_SEVERITY=${INPUT_MINIMUM_SEVERITY:-}
 PARLIAMENT_CONFIG=${INPUT_CONFIG:-}
+PARLIAMENT_PRIVATE_AUDITORS=${INPUT_PRIVATE_AUDITORS:-}
 
 POLICY_FILES={}
 PARLIAMENT_ARGS=()
@@ -38,6 +39,11 @@ if [[ -n "${PARLIAMENT_CONFIG}" ]]; then
     PARLIAMENT_ARGS+=("${PARLIAMENT_CONFIG}")
 fi
 
+if [[ -n "${PARLIAMENT_PRIVATE_AUDITORS}" ]]; then
+    PARLIAMENT_ARGS+=("--private_auditors")
+    PARLIAMENT_ARGS+=("${PARLIAMENT_PRIVATE_AUDITORS}")
+fi
+
 PARLIAMENT_VERSION="$(python -c 'import pkg_resources; print(pkg_resources.get_distribution("parliament").version)')"
 
 printf "Policy dir path: %s\n" "${POLICY_DIR_PATH}"
diff --git a/tests/private_auditors/config_override.yaml b/tests/private_auditors/config_override.yaml
@@ -0,0 +1,5 @@
+SENSITIVE_BUCKET_ACCESS:
+  title: Sensitive bucket access
+  description: Allows read access to an important S3 bucket
+  severity: MEDIUM
+  group: CUSTOM
diff --git a/tests/private_auditors/sensitive_bucket_access.py b/tests/private_auditors/sensitive_bucket_access.py
@@ -0,0 +1,23 @@
+from parliament import is_arn_match, expand_action
+
+
+def audit(policy):
+    action_resources = {}
+    for action in expand_action("s3:*"):
+        # Iterates through a list of containing elements such as
+        # {'service': 's3', 'action': 'GetObject'}
+        action_name = "{}:{}".format(action["service"], action["action"])
+        action_resources[action_name] = policy.get_allowed_resources(
+            action["service"], action["action"]
+        )
+
+    for action_name in action_resources:
+        resources = action_resources[action_name]
+        for r in resources:
+            if is_arn_match("object", "arn:aws:s3:::secretbucket*", r) or is_arn_match(
+                "object", "arn:aws:s3:::othersecretbucket*", r
+            ):
+                policy.add_finding(
+                    "SENSITIVE_BUCKET_ACCESS",
+                    location={"action": action_name, "resource": r},
+                )
diff --git a/tests/test_policies/private_auditors/policy.json b/tests/test_policies/private_auditors/policy.json
@@ -0,0 +1,8 @@
+{
+    "Version": "2012-10-17",
+    "Statement": {
+        "Effect": "Allow",
+        "Action": "s3:GetObject",
+        "Resource": "arn:aws:s3:::secretbucket/*"
+    }
+}
diff --git a/tests/tests.sh b/tests/tests.sh
@@ -5,6 +5,7 @@ ROOT=$(cd $(dirname $0)/../ >/dev/null; pwd)
 TESTS_DIR="${ROOT}/tests"
 TEST_POLICY_DIR="${ROOT}/tests/test_policies"
 TEST_CONFIG_DIR="${ROOT}/tests/test_configs"
+TEST_PRIVATE_AUDITORS_DIR="${ROOT}/tests/private_auditors"
 
 oneTimeSetUp() {
     cd ${ROOT}
@@ -46,10 +47,26 @@ testArgumentsConfig() {
                 "[ ${RC} -eq 1 ]"
     assertTrue "--config custom_config.yml not in output" \
                 "[ $(echo ${OUTPUT} | grep -c -- "--config /config_override.yaml") -eq 1 ]"
-    assertTrue "config severity override didn't work" \
+    assertTrue "config severity override didn't work as expected" \
                 "[ $(echo ${OUTPUT} | grep -c "HIGH - Unknown action") -eq 1 ]"
 }
 
+testArgumentsPrivateAuditors() {
+    OUTPUT="$(docker run -e INPUT_PRIVATE_AUDITORS=private_auditors \
+                         -e INPUT_CONFIG=private_auditors/config_override.yaml \
+                         -v ${TEST_POLICY_DIR}/private_auditors:/src \
+                         -v ${TEST_PRIVATE_AUDITORS_DIR}:/private_auditors \
+                         iam-lint /src)"
+    RC=$?
+
+    assertTrue "iam-lint exited with a different return code than expected: ${RC}" \
+                "[ ${RC} -eq 1 ]"
+    assertTrue "--private_auditors private_auditors not in output" \
+                "[ $(echo ${OUTPUT} | grep -c -- "--private_auditors private_auditors") -eq 1 ]"
+    assertTrue "private_auditors didn't work as expected" \
+                "[ $(echo ${OUTPUT} | grep -c "MEDIUM - Sensitive bucket access") -eq 1 ]"
+}
+
 #
 # Lint functionality tests
 #
