All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.sonar.python.checks.cdk.AbstractIamPolicyStatementCheck Maven / Gradle / Ivy

There is a newer version: 4.23.0.17664
Show newest version
/*
 * SonarQube Python Plugin
 * Copyright (C) 2011-2024 SonarSource SA
 * mailto:info AT sonarsource DOT com
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * See the Sonar Source-Available License for more details.
 *
 * You should have received a copy of the Sonar Source-Available License
 * along with this program; if not, see https://sonarsource.com/license/ssal/
 */
package org.sonar.python.checks.cdk;

import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.function.Predicate;
import javax.annotation.Nullable;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.DictionaryLiteral;
import org.sonar.plugins.python.api.tree.Expression;

import static org.sonar.python.checks.cdk.CdkPredicate.isFqn;

public abstract class AbstractIamPolicyStatementCheck extends AbstractCdkResourceCheck {

  @Override
  protected void registerFqnConsumer() {
    checkFqn("aws_cdk.aws_iam.PolicyStatement", (ctx, call) ->
      checkPolicyStatement(PolicyStatement.build(ctx, call)));

    checkFqn("aws_cdk.aws_iam.PolicyStatement.from_json", (ctx, call) ->
      getDictionaryFromJson(ctx, call).ifPresent(json ->
        checkPolicyStatementFromJson(PolicyStatement.build(ctx, json))));

    checkFqn("aws_cdk.aws_iam.PolicyDocument.from_json", (ctx, call) ->
      getDictionaryFromJson(ctx, call).ifPresent(json -> getPolicyStatements(ctx, json)
        .forEach(statement -> checkPolicyStatementFromJson(PolicyStatement.build(ctx, statement)))));
  }

  protected void checkPolicyStatement(PolicyStatement policyStatement) {
    if (hasAllowEffect(policyStatement.effect())) {
      checkAllowingPolicyStatement(policyStatement);
    }
  }

  protected void checkPolicyStatementFromJson(PolicyStatement policyStatementFormJson) {
    checkPolicyStatement(policyStatementFormJson);
  }

  protected static boolean hasAllowEffect(@Nullable CdkUtils.ExpressionFlow effect) {
    // default is allow effect
    if (effect == null) {
      return true;
    }
    return effect.hasExpression(isFqn("aws_cdk.aws_iam.Effect.ALLOW").or(isJsonAllow()));
  }

  protected abstract void checkAllowingPolicyStatement(PolicyStatement policyStatement);

  protected static Optional getDictionaryFromJson(SubscriptionContext ctx, CallExpression call) {
    return CdkUtils.getArgument(ctx, call, "obj", 0).flatMap(CdkUtils::getDictionary);
  }

  /**
   * Return a list of PolicyStatement json representation from a PolicyDocument.from_json call
   */
  protected static List getPolicyStatements(SubscriptionContext ctx, DictionaryLiteral json) {
    return CdkUtils.getDictionaryPair(ctx, json, "Statement")
      .map(pair -> pair.value)
      .flatMap(CdkUtils::getList)
      .map(list -> CdkUtils.getDictionaryInList(ctx, list))
      .orElse(Collections.emptyList());
  }

  protected static CdkUtils.ExpressionFlow getSensitiveExpression(CdkUtils.ExpressionFlow expression, Predicate predicate) {
    if (expression.hasExpression(predicate)) {
      return expression;
    } else {
      List listElements = CdkUtils.getList(expression)
        .map(list -> CdkUtils.getListElements(expression.ctx(), list))
        .orElse(Collections.emptyList());

      return listElements.stream()
        .filter(expressionFlow -> expressionFlow.hasExpression(predicate))
        .findAny()
        .orElse(null);
    }
  }

  private static Predicate isJsonAllow() {
    return expression -> CdkUtils.getString(expression).filter("allow"::equalsIgnoreCase).isPresent();
  }


}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy