Merge pull request #6548 from Tohar-orca/support-gcp-iam-policy-membe…

…rs-as-list fix(query): support GCP IAM policy members as lists
Checkmarx · Aug 29, 2023 · b363199 · b363199
2 parents 471beea + 7817ca1
commit b363199
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 0 deletions.
diff --git a/assets/queries/terraform/gcp/service_account_with_improper_privileges/query.rego b/assets/queries/terraform/gcp/service_account_with_improper_privileges/query.rego
@@ -21,6 +21,24 @@ CxPolicy[result] {
 	}
 }
 
+CxPolicy[result] {
+	resource := input.document[i].data.google_iam_policy[name]
+
+	tf_lib.check_member(resource.binding[x], "serviceAccount:")
+	has_improperly_privileges(resource.binding[x].role)
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "google_iam_policy",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("google_iam_policy[%s].binding[%s].role", [name, format_int(x, 10)]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("google_iam_policy[%s].binding[%s].role should not have admin, editor, owner, or write privileges for service account member", [name, format_int(x, 10)]),
+		"keyActualValue": sprintf("google_iam_policy[%s].binding[%s].role has admin, editor, owner, or write privilege for service account member", [name, format_int(x, 10)]),
+		"searchLine": common_lib.build_search_line(["data", "google_iam_policy", name, "binding", x, "role"], []),
+	}
+}
+
 CxPolicy[result] {
 	resources := {"google_project_iam_binding", "google_project_iam_member"}
 	resource := input.document[i].resource[resources[idx]][name]

diff --git a/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive3.tf b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive3.tf
@@ -0,0 +1,15 @@
+data "google_iam_policy" "admin" {
+  binding {
+    role = "roles/compute.imageUser"
+
+    members = [
+      "serviceAccount:[email protected]",
+    ]
+  }
+  binding {
+    role = "roles/owner"
+    members = [
+      "serviceAccount:[email protected]",
+    ]
+  }
+}
diff --git a/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive4.tf b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive4.tf
@@ -0,0 +1,14 @@
+data "google_iam_policy" "admin" {
+  binding {
+    role = "roles/admin"
+    members = [
+      "serviceAccount:[email protected]",
+    ]
+  }
+  binding {
+    role = "roles/editor"
+    members = [
+      "serviceAccount:[email protected]",
+    ]
+  }
+}
diff --git a/...terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json b/...terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json
@@ -16,5 +16,23 @@
     "severity": "MEDIUM",
     "line": 18,
     "fileName": "positive2.tf"
+  },
+  {
+    "queryName": "Service Account with Improper Privileges",
+    "severity": "MEDIUM",
+    "line": 10,
+    "fileName": "positive3.tf"
+  },
+  {
+    "queryName": "Service Account with Improper Privileges",
+    "severity": "MEDIUM",
+    "line": 3,
+    "fileName": "positive4.tf"
+  },
+  {
+    "queryName": "Service Account with Improper Privileges",
+    "severity": "MEDIUM",
+    "line": 9,
+    "fileName": "positive4.tf"
   }
 ]