feat(graph): equals/not_equals_ignore_case operators (solvers) (#3698)

* Add equal/not equal ignore case operators * Add equal/not equal ignore case operators Co-authored-by: egotfried <[email protected]>
bridgecrewio · Oct 23, 2022 · 9aeab2e · 9aeab2e
1 parent 6ed886e
commit 9aeab2e
Show file tree

Hide file tree

Showing 14 changed files with 195 additions and 37 deletions.
diff --git a/checkov/common/checks_infra/checks_parser.py b/checkov/common/checks_infra/checks_parser.py
@@ -42,7 +42,9 @@
     IsTrueAttributeSolver,
     IsFalseAttributeSolver,
     IntersectsAttributeSolver,
-    NotIntersectsAttributeSolver
+    NotIntersectsAttributeSolver,
+    EqualsIgnoreCaseAttributeSolver,
+    NotEqualsIgnoreCaseAttributeSolver
 )
 from checkov.common.checks_infra.solvers.connections_solvers.connection_one_exists_solver import \
     ConnectionOneExistsSolver
@@ -92,7 +94,9 @@
     "is_true": IsTrueAttributeSolver,
     "is_false": IsFalseAttributeSolver,
     "intersects": IntersectsAttributeSolver,
-    "not_intersects": NotIntersectsAttributeSolver
+    "not_intersects": NotIntersectsAttributeSolver,
+    "equals_ignore_case": EqualsIgnoreCaseAttributeSolver,
+    "not_equals_ignore_case": NotEqualsIgnoreCaseAttributeSolver
 }
 
 operators_to_complex_solver_classes: dict[str, Type[BaseComplexSolver]] = {

diff --git a/checkov/common/checks_infra/solvers/attribute_solvers/__init__.py b/checkov/common/checks_infra/solvers/attribute_solvers/__init__.py
@@ -30,3 +30,5 @@
 from checkov.common.checks_infra.solvers.attribute_solvers.is_false_attribute_solver import IsFalseAttributeSolver  # noqa
 from checkov.common.checks_infra.solvers.attribute_solvers.intersects_attribute_solver import IntersectsAttributeSolver  # noqa
 from checkov.common.checks_infra.solvers.attribute_solvers.not_intersects_attribute_solver import NotIntersectsAttributeSolver  # noqa
+from checkov.common.checks_infra.solvers.attribute_solvers.equals_ignore_case_attribute_solver import EqualsIgnoreCaseAttributeSolver  # noqa
+from checkov.common.checks_infra.solvers.attribute_solvers.not_equals_ignore_case_attribute_solver import NotEqualsIgnoreCaseAttributeSolver  # noqa
diff --git a/checkov/common/checks_infra/solvers/attribute_solvers/equals_ignore_case_attribute_solver.py b/checkov/common/checks_infra/solvers/attribute_solvers/equals_ignore_case_attribute_solver.py
@@ -0,0 +1,17 @@
+from typing import Optional, Any, Dict
+
+from checkov.common.graph.checks_infra.enums import Operators
+from checkov.common.checks_infra.solvers.attribute_solvers.base_attribute_solver import BaseAttributeSolver
+
+
+class EqualsIgnoreCaseAttributeSolver(BaseAttributeSolver):
+    operator = Operators.EQUALS_IGNORE_CASE  # noqa: CCE003  # a static attribute
+
+    def _get_operation(self, vertex: Dict[str, Any], attribute: Optional[str]) -> bool:
+        attr_val = vertex.get(attribute)  # type:ignore[arg-type]  # due to attribute can be None
+        # if this value contains an underendered variable, then we cannot evaluate the check,
+        # so return True (since we cannot return UNKNOWN)
+        # handle edge cases in some policies that explicitly look for blank values
+        if self.value != '' and self._is_variable_dependant(attr_val, vertex['source_']):
+            return True
+        return str(attr_val).lower() == str(self.value).lower()
diff --git a/.../common/checks_infra/solvers/attribute_solvers/not_equals_ignore_case_attribute_solver.py b/.../common/checks_infra/solvers/attribute_solvers/not_equals_ignore_case_attribute_solver.py
@@ -0,0 +1,11 @@
+from typing import Optional, Any, Dict
+
+from checkov.common.graph.checks_infra.enums import Operators
+from .equals_ignore_case_attribute_solver import EqualsIgnoreCaseAttributeSolver
+
+
+class NotEqualsIgnoreCaseAttributeSolver(EqualsIgnoreCaseAttributeSolver):
+    operator = Operators.NOT_EQUALS_IGNORE_CASE  # noqa: CCE003  # a static attribute
+
+    def _get_operation(self, vertex: Dict[str, Any], attribute: Optional[str]) -> bool:
+        return not super()._get_operation(vertex, attribute)
diff --git a/checkov/common/graph/checks_infra/enums.py b/checkov/common/graph/checks_infra/enums.py
@@ -62,3 +62,5 @@ class Operators:
     IS_FALSE = 'is_false'
     INTERSECTS = 'intersects'
     NOT_INTERSECTS = 'not_intersects'
+    EQUALS_IGNORE_CASE = 'equals_ignore_case'
+    NOT_EQUALS_IGNORE_CASE = 'not_equals_ignore_case'
diff --git a/docs/3.Custom Policies/YAML Custom Policies.md b/docs/3.Custom Policies/YAML Custom Policies.md
@@ -88,41 +88,43 @@ definition:
 
 ### Attribute Condition: Operators
 
-| Operator              | Value in YAML           |
-|-----------------------|-------------------------|
-| Equals                | `equals`                |
-| Not Equals            | `not_equals`            |
-| Regex Match           | `regex_match`           |
-| Not Regex Match       | `not_regex_match`       |
-| Exists                | `exists`                |
-| Not Exists            | `not_exists`            |
-| One Exists            | `one_exists`            |
-| Any                   | `any`                   |
-| Contains              | `contains`              |
-| Not Contains          | `not_contains`          |
-| Within                | `within`                |
-| Starts With           | `starting_with`         |
-| Not Starts With       | `not_starting_with`     |
-| Ends With             | `ending_with`           |
-| Not Ends With         | `not_ending_with`       |
-| Greater Than          | `greater_than`          |
-| Greater Than Or Equal | `greater_than_or_equal` |
-| Less Than             | `less_than`             |
-| Less Than Or Equal    | `less_than_or_equal`    |
-| Subset                | `subset`                |
-| Not Subset            | `not_subset`            |
-| Is Empty              | `is_empty`              |
-| Is Not Empty          | `is_not_empty`          |
-| Length Equals         | `length_equals`         |
-| Length Not Equals     | `length_equals`         |
-| Length Less Than      | `length_less_than`      |
-| Length Less Than Or Equal   | `length_less_than_or_equal`      |
-| Length Greater Than   | `length_greater_than`   |
-| Length Greater Than Or Equal   | `length_greater_than_or_equal`   |
-| Is False              | `is_false`              |
-| Is True               | `is_true`               |
-| Intersects            | `intersects`            |
-| Not Intersects        | `not_intersects`        |
+| Operator                     | Value in YAML                  |
+|------------------------------|--------------------------------|
+| Equals                       | `equals`                       |
+| Not Equals                   | `not_equals`                   |
+| Regex Match                  | `regex_match`                  |
+| Not Regex Match              | `not_regex_match`              |
+| Exists                       | `exists`                       |
+| Not Exists                   | `not_exists`                   |
+| One Exists                   | `one_exists`                   |
+| Any                          | `any`                          |
+| Contains                     | `contains`                     |
+| Not Contains                 | `not_contains`                 |
+| Within                       | `within`                       |
+| Starts With                  | `starting_with`                |
+| Not Starts With              | `not_starting_with`            |
+| Ends With                    | `ending_with`                  |
+| Not Ends With                | `not_ending_with`              |
+| Greater Than                 | `greater_than`                 |
+| Greater Than Or Equal        | `greater_than_or_equal`        |
+| Less Than                    | `less_than`                    |
+| Less Than Or Equal           | `less_than_or_equal`           |
+| Subset                       | `subset`                       |
+| Not Subset                   | `not_subset`                   |
+| Is Empty                     | `is_empty`                     |
+| Is Not Empty                 | `is_not_empty`                 |
+| Length Equals                | `length_equals`                |
+| Length Not Equals            | `length_equals`                |
+| Length Less Than             | `length_less_than`             |
+| Length Less Than Or Equal    | `length_less_than_or_equal`    |
+| Length Greater Than          | `length_greater_than`          |
+| Length Greater Than Or Equal | `length_greater_than_or_equal` |
+| Is False                     | `is_false`                     |
+| Is True                      | `is_true`                      |
+| Intersects                   | `intersects`                   |
+| Not Intersects               | `not_intersects`               |
+| Equals Ignore Case           | `equals_ignore case`           |
+| Not Equals Ignore Case       | `not_equals_ignore case`       |
 
 All those operators are supporting JSONPath attribute expression by adding the `jsonpath_` prefix to the operator, for example - `jsonpath_length_equals`
 

diff --git a/...rraform/graph/checks_infra/attribute_solvers/equals_ignore_case_solver/BooleanString.yaml b/...rraform/graph/checks_infra/attribute_solvers/equals_ignore_case_solver/BooleanString.yaml
@@ -0,0 +1,12 @@
+metadata:
+  id: "BooleanString"
+scope:
+  provider: "Azure"
+definition:
+  cond_type: "attribute"
+  resource_types:
+    - "azurerm_storage_account"
+  attribute: "allow_blob_public_access"
+  operator: "equals_ignore_case"
+  value: "TRUE"
+
diff --git a/...rm/graph/checks_infra/attribute_solvers/equals_ignore_case_solver/EncryptedResources.yaml b/...rm/graph/checks_infra/attribute_solvers/equals_ignore_case_solver/EncryptedResources.yaml
@@ -0,0 +1,14 @@
+metadata:
+  id: "EncryptedResources"
+scope:
+  provider: "AWS"
+definition:
+  cond_type: "attribute"
+  resource_types:
+    - "aws_rds_cluster"
+    - "aws_neptune_cluster"
+    - "aws_s3_bucket"
+  attribute: "encryption_"
+  operator: "equals_ignore_case"
+  value: "encrypted"
+
diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/equals_ignore_case_solver/__init__.py b/tests/terraform/graph/checks_infra/attribute_solvers/equals_ignore_case_solver/__init__.py
diff --git a/...s/terraform/graph/checks_infra/attribute_solvers/equals_ignore_case_solver/test_solver.py b/...s/terraform/graph/checks_infra/attribute_solvers/equals_ignore_case_solver/test_solver.py
@@ -0,0 +1,34 @@
+import os
+
+from tests.terraform.graph.checks_infra.test_base import TestBaseSolver
+
+TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__))
+
+
+class TestEqualsIgnoreCaseSolver(TestBaseSolver):
+    def setUp(self):
+        self.checks_dir = TEST_DIRNAME
+        super(TestEqualsIgnoreCaseSolver, self).setUp()
+
+    def test_equals_ignore_case_solver_wildcard(self):
+        root_folder = '../../../resources/encryption_test'
+        check_id = "EncryptedResources"
+        should_pass = ['aws_rds_cluster.rds_cluster_encrypted', 'aws_s3_bucket.encrypted_bucket',
+                       'aws_neptune_cluster.encrypted_neptune']
+        should_fail = ['aws_rds_cluster.rds_cluster_unencrypted', 'aws_s3_bucket.unencrypted_bucket',
+                       'aws_neptune_cluster.unencrypted_neptune']
+        expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
+
+        super(TestEqualsIgnoreCaseSolver, self).run_test(root_folder=root_folder, expected_results=expected_results,
+                                                         check_id=check_id)
+
+    def test_equals_ignore_case_solver_boolean(self):
+        root_folder = '../../../resources/boolean_test'
+        check_id = "BooleanString"
+        should_pass = ['azurerm_storage_account.fail1', 'azurerm_storage_account.fail2',
+                       'azurerm_storage_account.fail3']
+        should_fail = ['azurerm_storage_account.pass1', 'azurerm_storage_account.pass2']
+        expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
+
+        super(TestEqualsIgnoreCaseSolver, self).run_test(root_folder=root_folder, expected_results=expected_results,
+                                                         check_id=check_id)
diff --git a/...orm/graph/checks_infra/attribute_solvers/not_equals_ignore_case_solver/BooleanString.yaml b/...orm/graph/checks_infra/attribute_solvers/not_equals_ignore_case_solver/BooleanString.yaml
@@ -0,0 +1,12 @@
+metadata:
+  id: "BooleanString"
+scope:
+  provider: "Azure"
+definition:
+  cond_type: "attribute"
+  resource_types:
+    - "azurerm_storage_account"
+  attribute: "allow_blob_public_access"
+  operator: "not_equals_ignore_case"
+  value: "FALSE"
+
diff --git a/...raph/checks_infra/attribute_solvers/not_equals_ignore_case_solver/EncryptedResources.yaml b/...raph/checks_infra/attribute_solvers/not_equals_ignore_case_solver/EncryptedResources.yaml
@@ -0,0 +1,14 @@
+metadata:
+  id: "EncryptedResources"
+scope:
+  provider: "AWS"
+definition:
+  cond_type: "attribute"
+  resource_types:
+    - "aws_rds_cluster"
+    - "aws_neptune_cluster"
+    - "aws_s3_bucket"
+  attribute: "encryption_"
+  operator: "not_equals_ignore_case"
+  value: "unencrypted"
+
diff --git a/.../terraform/graph/checks_infra/attribute_solvers/not_equals_ignore_case_solver/__init__.py b/.../terraform/graph/checks_infra/attribute_solvers/not_equals_ignore_case_solver/__init__.py
diff --git a/...rraform/graph/checks_infra/attribute_solvers/not_equals_ignore_case_solver/test_solver.py b/...rraform/graph/checks_infra/attribute_solvers/not_equals_ignore_case_solver/test_solver.py
@@ -0,0 +1,34 @@
+import os
+
+from tests.terraform.graph.checks_infra.test_base import TestBaseSolver
+
+TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__))
+
+
+class TestNotEqualsIgnoreCaseSolver(TestBaseSolver):
+    def setUp(self):
+        self.checks_dir = TEST_DIRNAME
+        super(TestNotEqualsIgnoreCaseSolver, self).setUp()
+
+    def test_not_equals_ignore_case_solver_wildcard(self):
+        root_folder = '../../../resources/encryption_test'
+        check_id = "EncryptedResources"
+        should_pass = ['aws_rds_cluster.rds_cluster_encrypted', 'aws_s3_bucket.encrypted_bucket',
+                       'aws_neptune_cluster.encrypted_neptune']
+        should_fail = ['aws_rds_cluster.rds_cluster_unencrypted', 'aws_s3_bucket.unencrypted_bucket',
+                       'aws_neptune_cluster.unencrypted_neptune']
+        expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
+
+        super(TestNotEqualsIgnoreCaseSolver, self).run_test(root_folder=root_folder, expected_results=expected_results,
+                                                            check_id=check_id)
+
+    def test_not_equals_ignore_case_solver_boolean(self):
+        root_folder = '../../../resources/boolean_test'
+        check_id = "BooleanString"
+        should_pass = ['azurerm_storage_account.fail1', 'azurerm_storage_account.fail2',
+                       'azurerm_storage_account.fail3']
+        should_fail = ['azurerm_storage_account.pass1', 'azurerm_storage_account.pass2']
+        expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
+
+        super(TestNotEqualsIgnoreCaseSolver, self).run_test(root_folder=root_folder, expected_results=expected_results,
+                                                            check_id=check_id)