prowler/lib/common/allowlist

#!/usr/bin/env bash

# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.

allowlist(){
  # Check if the file is an S3 URI
  if grep -q -E "^s3://([^/]+)/(.*?([^/]+))$" <<< "${ALLOWLIST_FILE}"; then
    allowlist_S3
  # Check if the file is a DynamoDB ARN
  elif grep -q -E "^arn:[aws\|aws\-cn\|aws\-us\-gov]+:dynamodb:[a-z]{2}-[north\|south\|east\|west\|central]+-[1-9]{1}:[0-9]{12}:table\/[a-zA-Z0-9._-]+$" <<< "${ALLOWLIST_FILE}"; then
    allowlist_DynamoDB
  else
    # Check if the file is a DynamoDB ARN
    allowlist_Textfile
  fi
}

allowlist_S3() {
  # download s3 object
  local S3_ALLOWLIST_FILE=allowlist_s3_file.txt
  echo -e "${NOTICE} Downloading allowlist from S3 URI ${ALLOWLIST_FILE} ...${NORMAL}"  
  if ! "${AWSCLI}" s3 cp "${ALLOWLIST_FILE}" "${S3_ALLOWLIST_FILE}" ${PROFILE_OPT} > /dev/null 2>&1; then
    echo "${BAD} FAIL! Access Denied trying to download allowlist from the S3 URI, please make sure it is correct and/or you have permissions to get the S3 object.${NORMAL}"
    EXITCODE=1
    exit "${EXITCODE}"
  fi
  echo -e "${OK} Success! Allowlist was downloaded, starting Prowler...${NORMAL}"
  # ignore lines starting with # (comments)
  # ignore inline comments: check1:foo # inline comment
  ALLOWLIST=$(awk '!/^[[:space:]]*#/{print }' <(cat "${S3_ALLOWLIST_FILE}") | sed 's/[[:space:]]*#.*$//g')
  # remove temporary file
  rm -f "${S3_ALLOWLIST_FILE}"
}

allowlist_DynamoDB() {
  echo -e "${NOTICE} Getting allowlist from DynamoDB table ${ALLOWLIST_FILE} ...${NORMAL}"
  DYNAMO_REGION=$(cut -d ":" -f 4 <<< "${ALLOWLIST_FILE}")
  DYNAMO_TABLE=$(cut -d "/" -f 2 <<< "${ALLOWLIST_FILE}")
  DYNAMO_ITEMS=$(${AWSCLI} dynamodb execute-statement --statement "SELECT rule FROM \"${DYNAMO_TABLE}\" WHERE account_id=""'""${ACCOUNT_NUM}""'"" or account_id='*'" ${PROFILE_OPT} --region ${DYNAMO_REGION} --output json 2>&1 )
  if grep -q -E 'AccessDenied|UnauthorizedOperation|ResourceNotFoundException' <<< "${DYNAMO_ITEMS}"; then
    echo "${BAD} FAIL! Access Denied trying to get allowlist from the DynamoDB, please make sure it is correct and/or you have permissions to scan the table ${DYNAMO_TABLE}.${NORMAL}"
    EXITCODE=1
    exit ${EXITCODE}
  fi
  if [[ $(jq '."Items" | length' <<< "${DYNAMO_ITEMS}") -eq 0 ]]; then
    echo "${NOTICE} No allowed resources were found for account ${ACCOUNT_NUM}, starting Prowler...${NORMAL}"
  else
    # Convert elements to allowlist file
    ALLOWLIST=$(jq -r '.Items[].rule.S' <<< "${DYNAMO_ITEMS}")
    if grep -q "null" <<< "${ALLOWLIST}"; then
      echo "${BAD} FAIL! No rule key found in DynamoDB table, please make sure the table has rule as a sort key and account_id as the partition key...${NORMAL}"
      EXITCODE=1
      exit ${EXITCODE}
    else
      echo "${OK} Success! Allowed resources were added for account ${ACCOUNT_NUM}, starting Prowler...${NORMAL}"
    fi
  fi
}

allowlist_Textfile() {
  echo -e "${NOTICE} Getting allowlist from input file ${ALLOWLIST_FILE} ...${NORMAL}"
  # Check if input allowlist file exists
  if [[ -f "${ALLOWLIST_FILE}" ]]; then
    # ignore lines starting with # (comments)
    # ignore inline comments: check1:foo # inline comment
    ALLOWLIST=$(awk '!/^[[:space:]]*#/{print }' <(cat "${ALLOWLIST_FILE}") | sed 's/[[:space:]]*#.*$//g')
    echo -e "${OK} Success! Allowlist was downloaded, starting Prowler...${NORMAL}"
  else
    echo "${BAD} FAIL! ${ALLOWLIST_FILE} does not exist, please input a valid allowlist file.${NORMAL}"
    EXITCODE=1
    exit ${EXITCODE}
  fi
}