Rules now working

Marina Limeira · Marina Limeira · commit f7f16fe592e4 · 2022-11-24T14:41:30.000+01:00
diff --git a/rules/aws_instance_example_type_test.go b/rules/aws_instance_example_type_test.go
diff --git a/rules/aws_security_group_rule_invalid_cidr_block.go b/rules/aws_security_group_rule_invalid_cidr_block.go
@@ -43,14 +43,15 @@ func (r *AwsSecurityGroupRuleInvalidCidrBlockRule) Link() string {
 
 // Check checks whether ...
 func (r *AwsSecurityGroupRuleInvalidCidrBlockRule) Check(runner tflint.Runner) error {
-	// This rule is an example to get a top-level resource attribute.
 	resources, err := runner.GetResourceContent("aws_security_group_rule", &hclext.BodySchema{
 		Attributes: []hclext.AttributeSchema{
-			{Name: "cidr_blocks"},
-			{Name: "ipv6_cidr_blocks"},
+			// Required attributes
 			{Name: "from_port"},
 			{Name: "to_port"},
 			{Name: "type"},
+			// Optional attributes
+			{Name: "cidr_blocks"},
+			{Name: "ipv6_cidr_blocks"},
 		},
 	}, nil)
 	if err != nil {
@@ -62,6 +63,7 @@ func (r *AwsSecurityGroupRuleInvalidCidrBlockRule) Check(runner tflint.Runner) e
 
 	for _, resource := range resources.Blocks {
 		typeAttribute, exists := resource.Body.Attributes["type"]
+		// well this cant not exist
 		if !exists {
 			continue
 		}
@@ -75,23 +77,20 @@ func (r *AwsSecurityGroupRuleInvalidCidrBlockRule) Check(runner tflint.Runner) e
 			continue
 		}
 
+		//  A Port value of ALL
 		fromPortAttribute, exists := resource.Body.Attributes["from_port"]
 		if !exists {
 			continue
 		}
 
+		var fromPort int
+		err = runner.EvaluateExpr(fromPortAttribute.Expr, &fromPort, nil)
+
 		toPortAttribute, exists := resource.Body.Attributes["to_port"]
 		if !exists {
 			continue
 		}
 
-		// TODO what means that each field doesnt exist?
-		// Case 1:
-		// From 0, to 0.
-
-		var fromPort int
-		err = runner.EvaluateExpr(fromPortAttribute.Expr, &fromPort, nil)
-
 		var toPort int
 		err = runner.EvaluateExpr(toPortAttribute.Expr, &toPort, nil)
 
@@ -102,39 +101,32 @@ func (r *AwsSecurityGroupRuleInvalidCidrBlockRule) Check(runner tflint.Runner) e
 			continue
 		}
 
-		ipv6CidrBlocksAttribute, exists := resource.Body.Attributes["ipv6_cidr_blocks"]
+		cidrBlocksAttribute, exists := resource.Body.Attributes["cidr_blocks"]
 		if exists {
-			var ipv6CidrBlocks []string
-			err = runner.EvaluateExpr(ipv6CidrBlocksAttribute.Expr, &ipv6CidrBlocks, nil)
-
-			//err = runner.EnsureNoError(err, func() error {
-			if doesCidrBlocksContainAll(ipv6CidrBlocks) {
+			var cidrBlocks []string
+			err = runner.EvaluateExpr(cidrBlocksAttribute.Expr, &cidrBlocks, nil)
+			if doesIpv4CidrBlocksAllowAll(cidrBlocks) {
 				return runner.EmitIssue(
 					r,
-					fmt.Sprintf("cidr_blocks are %v", ipv6CidrBlocks),
-					ipv6CidrBlocksAttribute.Expr.Range(),
+					"cidr_blocks can not contain '0.0.0.0/0' when allowing 'ingress' access to ports 22 and/or 3389",
+					cidrBlocksAttribute.Expr.Range(),
 				)
-			} //)
+			}
 
 		}
 
-		cidrBlocksAttribute, exists := resource.Body.Attributes["ipv6_cidr_blocks"]
+		ipv6CidrBlocksAttribute, exists := resource.Body.Attributes["ipv6_cidr_blocks"]
 		if exists {
-			var cidrBlocks []string
-			err = runner.EvaluateExpr(cidrBlocksAttribute.Expr, &cidrBlocks, nil)
-
-			//err = runner.EnsureNoError(err, func() error {
-			if doesCidrBlocksContainAll(cidrBlocks) {
-
+			var ipv6CidrBlocks []string
+			err = runner.EvaluateExpr(ipv6CidrBlocksAttribute.Expr, &ipv6CidrBlocks, nil)
+			if doesIpv6CidrBlocksAllowAll(ipv6CidrBlocks) {
 				return runner.EmitIssue(
 					r,
-					fmt.Sprintf("cidr_blocks are %v", cidrBlocks),
-					cidrBlocksAttribute.Expr.Range(),
+					"ipv6_cidr_blocks can not contain '::/0' when allowing 'ingress' access to ports 22 and/or 3389",
+					ipv6CidrBlocksAttribute.Expr.Range(),
 				)
 			}
-			//})
 		}
-
 		if err != nil {
 			return err
 		}
@@ -144,6 +136,7 @@ func (r *AwsSecurityGroupRuleInvalidCidrBlockRule) Check(runner tflint.Runner) e
 }
 
 func doesPortRangeContainsRemoteAccess(fromPort int, toPort int) bool {
+	// TODO add case for 0, 0
 	remoteAccessPorts := []int{22, 3389}
 
 	for _, port := range remoteAccessPorts {
@@ -157,7 +150,20 @@ func doesPortRangeContainsRemoteAccess(fromPort int, toPort int) bool {
 	return false
 }
 
-func doesCidrBlocksContainAll(cidrBlocks []string) bool {
-	return true
+func doesIpv4CidrBlocksAllowAll(cidrBlocks []string) bool {
+	for _, cidrBlock := range cidrBlocks {
+		if cidrBlock == "0.0.0.0/0" {
+			return true
+		}
+	}
+	return false
+}
 
+func doesIpv6CidrBlocksAllowAll(ipv6CidrBlocks []string) bool {
+	for _, cidrBlock := range ipv6CidrBlocks {
+		if cidrBlock == "::/0" {
+			return true
+		}
+	}
+	return false
 }
diff --git a/rules/aws_security_group_rule_invalid_cidr_block_test.go b/rules/aws_security_group_rule_invalid_cidr_block_test.go
@@ -1,18 +1,65 @@
 package rules
 
 import (
-	"github.com/terraform-linters/tflint-plugin-sdk/helper"
 	"testing"
-)
 
-func TestDoesPortRangeContainsRemoteAccess(t *testing.T) {
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/helper"
+)
 
-	_ := []struct {
+func Test_AwsSecurityGroupRuleInvalidCidrBlock(t *testing.T) {
+	tests := []struct {
 		Name     string
 		Content  string
 		Expected helper.Issues
 	}{
 		{
-			Name:    "issue found",
-			Content: ""}}
+			Name: "Find issues 0.0.0.0/0 allows ingress access through 22",
+			Content: `
+resource "aws_security_group_rule" "rule" {
+  from_port         = 10
+  to_port           = 300
+  protocol          = "tcp"
+  type              = "ingress"
+  cidr_blocks       = ["0.0.0.0/0", "10.0.0.0/16"]
+}`,
+			Expected: helper.Issues{
+				{
+					Rule:    NewAwsSecurityGroupRuleInvalidCidrBlockRule(),
+					Message: "cidr_blocks can not contain '0.0.0.0/0' when allowing 'ingress' access to ports 22 and/or 3389",
+					Range: hcl.Range{
+						Filename: "resource.tf",
+						Start:    hcl.Pos{Line: 7, Column: 23},
+						End:      hcl.Pos{Line: 7, Column: 51},
+					},
+				},
+			},
+		},
+		{
+			Name: "Find no issues 0.0.0.0/0 allows ingress access through 80",
+			Content: `
+resource "aws_security_group_rule" "rule" {
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  type              = "ingress"
+  cidr_blocks       = ["0.0.0.0/0", "10.0.0.0/16"]
+}`,
+			Expected: helper.Issues{},
+		},
+	}
+
+	rule := NewAwsSecurityGroupRuleInvalidCidrBlockRule()
+
+	for _, test := range tests {
+		t.Run(test.Name, func(t *testing.T) {
+			runner := helper.TestRunner(t, map[string]string{"resource.tf": test.Content})
+
+			if err := rule.Check(runner); err != nil {
+				t.Fatalf("Unexpected error occurred: %s", err)
+			}
+
+			helper.AssertIssues(t, test.Expected, runner.Issues)
+		})
+	}
 }
