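 def test_encryption_aws(self):
     """Check the encryption attributes computed for every resource in the fixture.

     Parses the ``resources/encryption`` fixture into a ``LocalGraph``, runs
     ``calculate_encryption_attribute`` and then checks each vertex:

     * a resource type listed in ``ENCRYPTION_BY_RESOURCE_TYPE`` must be marked
       ENCRYPTED iff its name starts with ``encrypted``; an encrypted resource that
       carries ``kms_key_id`` / ``kms_master_key_id`` must report KMS details, any
       other encrypted resource one of the known detail values, and an unencrypted
       resource empty details;
     * any other resource type must carry neither attribute at all.

     The vertex id is decoded with ``decode_graph_property_value`` and split on
     ``.`` into exactly ``type.name``; an id with additional dots would raise
     ValueError on the unpacking.
     """
     resources_dir = os.path.realpath(os.path.join(TEST_DIRNAME, '../resources/encryption'))
     hcl_config_parser = Parser()
     module, module_dependency_map, _ = hcl_config_parser.parse_hcl_module(resources_dir,
                                                                           self.source)
     local_graph = LocalGraph(module, module_dependency_map)
     local_graph._create_vertices()
     local_graph.calculate_encryption_attribute()

     known_details = [
         EncryptionTypes.AES256.value,
         EncryptionTypes.KMS_VALUE.value,
         EncryptionTypes.NODE_TO_NODE.value,
         EncryptionTypes.DEFAULT_KMS.value,
     ]
     for vertex in local_graph.vertices:
         attribute_dict = vertex.get_attribute_dict()
         resource_type, resource_name = decode_graph_property_value(
             attribute_dict[CustomAttributes.ID]).split(".")
         label = f'"{resource_type}.{resource_name}"'

         if resource_type not in ENCRYPTION_BY_RESOURCE_TYPE:
             # Types without an encryption rule must not get the attributes at all.
             self.assertIsNone(attribute_dict.get(CustomAttributes.ENCRYPTION),
                               f'unexpected encryption attribute on {label}')
             self.assertIsNone(attribute_dict.get(CustomAttributes.ENCRYPTION_DETAILS),
                               f'unexpected encryption details on {label}')
             continue

         is_encrypted = attribute_dict[CustomAttributes.ENCRYPTION]
         details = attribute_dict[CustomAttributes.ENCRYPTION_DETAILS]
         # The fixture encodes the expectation in the resource name.
         expected = (EncryptionValues.ENCRYPTED.value if resource_name.startswith("encrypted")
                     else EncryptionValues.UNENCRYPTED.value)
         self.assertEqual(is_encrypted, expected, f'failed for {label}')

         if is_encrypted != EncryptionValues.ENCRYPTED.value:
             # Every assertion carries the resource label so a failure names the offender.
             self.assertEqual(details, "", f'unencrypted resource must have no details: {label}')
         elif 'kms_key_id' in attribute_dict or 'kms_master_key_id' in attribute_dict:
             self.assertEqual(details, EncryptionTypes.KMS_VALUE.value, f'Bad encryption details for {label}')
         else:
             self.assertIn(details, known_details, f'Bad encryption details for {label}')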
 def get_decoded_attribute_dict(self):
     """Return this vertex's attribute dict with every value decoded.

     When ``self.encode`` is truthy each value from ``get_attribute_dict`` is passed
     through ``decode_graph_property_value`` and written back into the same dict;
     otherwise the dict is returned exactly as ``get_attribute_dict`` produced it.
     """
     attrs = self.get_attribute_dict()
     if not self.encode:
         return attrs
     # Only values are replaced, so the dict keeps its size while being iterated.
     for key, raw_value in attrs.items():
         attrs[key] = decode_graph_property_value(raw_value)
     return attrs
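    def test_malicious_eval(self):
        """A graph property value carrying a serialized Python object must be rejected.

        The ``encryption_type`` below is a ``_python_object`` JSON wrapper whose
        base64 payload decodes to a pickle stream (protocol 4) that would call
        ``builtins.eval`` on ``__import__('os').system('cat /etc/passwd')`` if it
        were ever unpickled. ``decode_graph_property_value`` must refuse it with an
        error that mentions "arbitrary code execution" instead of deserializing it.
        """
        hcl_res = hcl2.loads("""
resource "aws_ecr_repository" "malicious_type" {
  encryption_configuration = {
    encryption_type = <<EOF
{"_python_object": "gARjYnVpbHRpbnMKZXZhbApWX19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2NhdCAvZXRjL3Bhc3N3ZCcpCoVSLg=="}
EOF
  }
  name = "malicious_ecr_repo"
}
""")
        conf = hcl_res['resource'][0]['aws_ecr_repository']['malicious_type']
        # assertRaises is used instead of try/except + self.fail(): the AssertionError
        # raised by self.fail() is itself an Exception, so the old handler swallowed it
        # and reported a misleading "substring not found" failure on a silent decode.
        with self.assertRaises(Exception) as ctx:
            decode_graph_property_value(
                conf['encryption_configuration'][0]['encryption_type'])
        self.assertIn('arbitrary code execution', str(ctx.exception))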
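    # Annotation is quoted: ``tuple[...]`` subscripting only exists at runtime on 3.9+.
    def is_encrypted(self, atts_dict: dict) -> "tuple[bool, str]":
        """Decide whether the resource described by ``atts_dict`` is encrypted.

        Every attribute named in ``self.attribute_values_map`` that is present (and
        truthy) in ``atts_dict`` is decoded with ``decode_graph_property_value`` and
        compared with its expected values: an empty expected collection only requires
        the decoded value to be non-None, otherwise the value must be one of them.
        All present attributes must pass for the resource to count as encrypted.

        Returns ``(is_encrypted, description)``. The description is the AES256
        value, NODE_TO_NODE for a ``node_to_node_encryption`` attribute, KMS for
        anything else that matched, or - when no encryption attribute was present at
        all - ``self.enabled_by_default`` / ``self.default_description``.

        Attributes whose configured value is falsy (``False``, ``0``, ``""``) are
        skipped as if absent: they neither fail nor satisfy the check.
        """
        result = True
        result_description = ""
        for att, expected_vals in self.attribute_values_map.items():
            att_conf = atts_dict.get(att)
            if not att_conf:
                continue
            att_value = decode_graph_property_value(att_conf)
            matches = (not expected_vals and att_value is not None) or att_value in expected_vals
            result &= matches
            if not result:
                continue
            if att_value == EncryptionTypes.AES256.value:
                result_description = att_value
            elif "node_to_node_encryption" in att:
                result_description = EncryptionTypes.NODE_TO_NODE.value
            elif result_description == "":
                # KMS is the fallback label; an AES256 / node-to-node match can
                # still overwrite it on a later attribute.
                result_description = EncryptionTypes.KMS_VALUE.value

        if result_description == "" and result:
            # No encryption config was found. Drop back to defaults:
            result = self.enabled_by_default
            result_description = self.default_description if self.enabled_by_default else ""

        return result, result_description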
 def get_decoded_attribute_dict(self) -> Dict[str, Any]:
     """Return this vertex's attributes with every value decoded.

     If ``self.encode`` is truthy, each value of the dict returned by
     ``get_attribute_dict`` is run through ``decode_graph_property_value`` and
     stored back under the same key; otherwise that dict is returned unchanged.
     """
     decoded = self.get_attribute_dict()
     if not self.encode:
         return decoded
     # Snapshot the keys so the in-place value rewrite cannot disturb iteration.
     for name in list(decoded):
         decoded[name] = decode_graph_property_value(decoded[name])
     return decoded