Add custom map value function (#847)

- support passing a function into the mapvalue of Contains function
aquasecurity · Jul 9, 2021 · 715c2d4 · 715c2d4
1 parent ac78d78
commit 715c2d4
Show file tree

Hide file tree

Showing 5 changed files with 80 additions and 3 deletions.
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -1,13 +1,22 @@
 {
     "version": "0.2.0",
     "configurations": [
+
         {
             "name": "Basic tfsec",
             "type": "go",
             "request": "launch",
             "mode": "auto",
             "program": "${workspaceFolder}/cmd/tfsec/main.go",
             "args": ["${workspaceFolder}/example"]
+        },
+        {
+            "name": "custom_functions test",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/cmd/tfsec/main.go",
+            "args": ["${workspaceFolder}/example/custom_functions"]
         }
     ]
 }
diff --git a/example/custom_functions/.tfsec/functions_tfchecks.yaml b/example/custom_functions/.tfsec/functions_tfchecks.yaml
@@ -0,0 +1,22 @@
+---
+checks:
+  - code: TAG_custom
+    description: Custom check to ensure the Environment tag is applied
+    errorMessage: The required Environment tag was missing or invalid
+    matchSpec:
+      action: contains
+      name: tags
+      value: 
+        Environment:
+          action: isAny
+          value: 
+            - production
+            - test
+            - dev
+            - staging
+
+    requiredTypes:
+    - resource
+    severity: ERROR
+    requiredLabels:
+    - aws_lb
diff --git a/example/custom_functions/main.tf b/example/custom_functions/main.tf
@@ -0,0 +1,6 @@
+resource "aws_lb" "test_lb" {
+
+  tags = {
+    Environment = "uat"
+  }
+}
diff --git a/internal/app/tfsec/block/hclattribute.go b/internal/app/tfsec/block/hclattribute.go
@@ -97,13 +97,11 @@ func (attr *HCLAttribute) listContains(val cty.Value, stringToLookFor string, ig
 func (attr *HCLAttribute) mapContains(checkValue interface{}, val cty.Value) bool {
 	switch t := checkValue.(type) {
 	case map[interface{}]interface{}:
-
 		for k, v := range t {
-
 			valueMap := val.AsValueMap()
 			for key, value := range valueMap {
 				rawValue := getRawValue(value)
-				if key == k && rawValue == v {
+				if key == k && evaluate(v, rawValue) {
 					return true
 				}
 			}

diff --git a/internal/app/tfsec/block/value_functions.go b/internal/app/tfsec/block/value_functions.go
@@ -0,0 +1,42 @@
+package block
+
+const (
+	functionNameKey = "action"
+	valueNameKey    = "value"
+)
+
+var functions = map[string]func(interface{}, interface{}) bool{
+	"isAny":  isAny,
+	"isNone": isNone,
+}
+
+func evaluate(criteriaValue interface{}, testValue interface{}) bool {
+	switch t := criteriaValue.(type) {
+	case map[interface{}]interface{}:
+		if t[functionNameKey] != nil {
+			functionName := t[functionNameKey].(string)
+			if functions[functionName] != nil {
+				return functions[functionName](t[valueNameKey], testValue)
+			}
+		}
+	default:
+		return t == testValue
+	}
+	return false
+}
+
+func isAny(criteriaValues interface{}, testValue interface{}) bool {
+	switch t := criteriaValues.(type) {
+	case []interface{}:
+		for _, v := range t {
+			if v == testValue {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func isNone(criteriaValues interface{}, testValue interface{}) bool {
+	return !isAny(criteriaValues, testValue)
+}