From 4daa0d1750ac839698523ec448064e20671dabbc Mon Sep 17 00:00:00 2001 From: Kuemjong Jeong Date: Thu, 27 Oct 2022 14:31:41 +0900 Subject: [PATCH] feat(terraform): add CKV NCP rules about Network ACL. (#3668) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * [22.09.27][추가] CKV_NCP_1 * [22.09.27][추가] CKV_NCP_2 * Apply suggestions from code review Co-authored-by: Anton Grübel * Apply suggestions from code review Co-authored-by: Anton Grübel * Apply suggestions from code review Co-authored-by: Anton Grübel * Create main.yml * [22.09.28][수정] Lint test * Delete main.yml * [22.09.29][수정]testcode 수정 * [22.09.29][수정] 테스트 코드 수정 * [22.09.29][수정] 테스트코드 수정 * [22.09.29][수정] add test resource for 'ncloud_access_control_group_rule' * [22.10.03][add]CKV_AWS_3 RULE * [22.10.04][add]CKV_NCP_4, CKV_NCP_5 RULE * [22.10.04][add] NCP ACG Inbound for port 22, 3389 * [22.10.04][add] NCP NACL for port 20, 21, 22, 3389 * [22.10.05][modify] LBSecureProtocols.py * [22.10.05][add] NCP ACGIngress & Egress Check * [22.10.06][add] NCP rules about ACG, LB, NACL, Encrpytion * [22.10.06][refactor] rename rules * [22.10.07][add] NCP NACLPortCheck * [22.10.08][refactor] modify rule id 77 to 14 * [22.10.14][add] add NCP rule about Network ACL * [22.10.03][add]CKV_AWS_3 RULE * [22.10.18][test] commit test * [22.10.19][refactor] adjust ncp rule 12 * [22.10.25][fix] delete guideline Co-authored-by: pj991207 Co-authored-by: Anton Grübel Co-authored-by: taeng0204 Co-authored-by: yudam --- .../checks/resource/ncp/NACLPortCheck.py | 24 ++++++++++ .../ncp/example_NACLPortCheck/main.tf | 46 +++++++++++++++++++ .../checks/resource/ncp/test_NACLPortCheck.py | 42 +++++++++++++++++ 3 files changed, 112 insertions(+) create mode 100644 checkov/terraform/checks/resource/ncp/NACLPortCheck.py create mode 100644 tests/terraform/checks/resource/ncp/example_NACLPortCheck/main.tf create mode 100644 tests/terraform/checks/resource/ncp/test_NACLPortCheck.py 
diff --git a/checkov/terraform/checks/resource/ncp/NACLPortCheck.py b/checkov/terraform/checks/resource/ncp/NACLPortCheck.py
new file mode 100644
index 00000000000..e12cac40a5a
--- /dev/null
+++ b/checkov/terraform/checks/resource/ncp/NACLPortCheck.py
@@ -0,0 +1,24 @@
+from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
+from checkov.common.models.enums import CheckResult, CheckCategories
+
+
+class NACLPortCheck(BaseResourceCheck):
+ def __init__(self):
+ name = "An inbound Network ACL rule should not allow ALL ports."
+ id = "CKV_NCP_12"
+ supported_resources = ('ncloud_network_acl_rule',)
+ categories = (CheckCategories.NETWORKING,)
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def scan_resource_conf(self, conf):
+ if 'inbound' in conf.keys():
+ for inbound in conf['inbound']:
+ if 'port_range' in inbound.keys():
+ for port_range in inbound['port_range']:
+ if port_range == "1-65535":
+ return CheckResult.FAILED
+ return CheckResult.PASSED
+ return CheckResult.FAILED
+
+
+check = NACLPortCheck()
diff --git a/tests/terraform/checks/resource/ncp/example_NACLPortCheck/main.tf b/tests/terraform/checks/resource/ncp/example_NACLPortCheck/main.tf
new file mode 100644
index 00000000000..081f59ef8f3
--- /dev/null
+++ b/tests/terraform/checks/resource/ncp/example_NACLPortCheck/main.tf
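Review bot: scan_resource_conf returns FAILED for any inbound block whose port_range is "1-65535" without consulting rule_action, so a rule with `rule_action = "DENY"` over all ports is flagged even though it allows nothing, which contradicts the check's own name ("should not allow ALL ports"). Indentation is lost in this rendering, but `return CheckResult.PASSED` appears to sit inside the first inbound block that has a port_range, which would mean a second inbound block allowing 1-65535 is never examined — please confirm against the file. The rewrite below keeps the verdicts of the four fixtures in example_NACLPortCheck/main.tf (a block without port_range still fails, as the `fail` fixture expects) while skipping non-ALLOW rules, checking every inbound block, and tolerating surrounding whitespace in the range string. Neither the fixture nor test_NACLPortCheck.py has a DENY or multi-block case, so these behaviours are not pinned by the tests. Minor: the local `id` in `__init__` shadows the builtin; checkov checks commonly name it `check_id` or pass the literal directly.
```python
    def scan_resource_conf(self, conf):
        """FAILED when any inbound ALLOW rule spans 1-65535 or omits port_range."""
        inbound_rules = conf.get("inbound")
        if not inbound_rules:
            return CheckResult.FAILED
        for inbound in inbound_rules:
            if not isinstance(inbound, dict):
                continue
            # only ALLOW rules expose ports; a DENY over every port is not a finding
            action = inbound.get("rule_action", ["ALLOW"])[0]
            if str(action).upper() != "ALLOW":
                continue
            port_range = inbound.get("port_range")
            if not port_range or str(port_range[0]).strip() == "1-65535":
                return CheckResult.FAILED
        return CheckResult.PASSED
```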
@@ -0,0 +1,46 @@
+resource "ncloud_network_acl_rule" "pass" {
+ network_acl_no = ncloud_network_acl.nacl.id
+
+ inbound {
+ priority = 110
+ protocol = "TCP"
+ rule_action = "ALLOW"
+ deny_allow_group_no = ncloud_network_acl_deny_allow_group.deny_allow_group.id
+ port_range = "22"
+ }
+}
+
+resource "ncloud_network_acl_rule" "pass1" {
+ network_acl_no = ncloud_network_acl.nacl.id
+
+ inbound {
+ priority = 110
+ protocol = "TCP"
+ rule_action = "ALLOW"
+ deny_allow_group_no = ncloud_network_acl_deny_allow_group.deny_allow_group.id
+ port_range = "1-43"
+ }
+}
+
+resource "ncloud_network_acl_rule" "fail" {
+ network_acl_no = ncloud_network_acl.nacl.id
+
+ inbound {
+ priority = 110
+ protocol = "TCP"
+ rule_action = "ALLOW"
+ deny_allow_group_no = ncloud_network_acl_deny_allow_group.deny_allow_group.id
+ }
+}
+
+resource "ncloud_network_acl_rule" "fail1" {
+ network_acl_no = ncloud_network_acl.nacl.id
+
+ inbound {
+ priority = 110
+ protocol = "TCP"
+ rule_action = "ALLOW"
+ deny_allow_group_no = ncloud_network_acl_deny_allow_group.deny_allow_group.id
+ port_range = "1-65535"
+ }
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/resource/ncp/test_NACLPortCheck.py b/tests/terraform/checks/resource/ncp/test_NACLPortCheck.py
new file mode 100644
index 00000000000..a0c71b52c18
--- /dev/null
+++ b/tests/terraform/checks/resource/ncp/test_NACLPortCheck.py
@@ -0,0 +1,42 @@
+import unittest
+from pathlib import Path
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.checks.resource.ncp.NACLPortCheck import check
+from checkov.terraform.runner import Runner
+
+
+class TestNACLPortCheck(unittest.TestCase):
+ def test(self):
+ # given
+ test_files_dir = Path(__file__).parent / "example_NACLPortCheck"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "ncloud_network_acl_rule.pass",
+ "ncloud_network_acl_rule.pass1"
+ }
+ failing_resources = {
+ "ncloud_network_acl_rule.fail",
+ "ncloud_network_acl_rule.fail1"
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], 2)
+ self.assertEqual(summary["failed"], 2)
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+ unittest.main()
\ No newline at end of file