Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛 fix aws.s3.bucket.policy resource #5228

Merged
merged 5 commits into from
Feb 21, 2025
Merged

🐛 fix aws.s3.bucket.policy resource #5228

merged 5 commits into from
Feb 21, 2025

Conversation

afiune
Copy link
Contributor

@afiune afiune commented Feb 15, 2025

This change allows running aws.s3.bucket.policy when in discovery mode.

cnspec shell aws --discover s3-buckets

Also, fixes the issue discovered at #5218
where we noticed that the policy resource doesn't implement the id() func properly.

Closes #5169

@afiune
🐛 fix aws.s3.bucket.policy resource
75b2543 
This change allows running `aws.s3.bucket.policy` when in discovery
mode.

```
cnspec shell aws --discover s3-buckets
```

Also, fixes the issue discovered at #5218
where we noticed that the policy resource doesn't implement the `id()`
func properly.

Closes #5169

Signed-off-by: Salim Afiune Maya <afiune@mondoo.com>
afiune
afiune commented Feb 15, 2025
View reviewed changes
providers/aws/resources/aws.lr
// Name for the policy
name string
// Bucket name that this policy belongs
bucketName string
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might be a breaking change, but a bucket policy doesn't have a name. It belongs to a bucket and, to calculate the bucket policy ID we need the bucket name, so I re purpose this field.

If this is not acceptable, I am ok creating an internal struct to pass the bucket name but, we need to do something about this namefield that says it is the name of the policy, but it's not.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we don't know whether this is used by someone or not. Perhaps keep both for a while and add a comment to name that it's deprecated. We can remove it in next major release

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If someone is using it, they are using it incorrectly but I agree, I'll put it back with a deprecation.

afiune
afiune commented Feb 15, 2025
View reviewed changes
providers/aws/resources/aws.lr Outdated
// Document for the policy
document string
// Version of the policy
version() string
// List of statements for the policy
statements() []dict
// Whether the bucket policy exists
exists bool
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Buckets can have a policy, but not all of them has it. This is very helpful, I think.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand why this is needed. If there is no bucket policy then that resource shouldn't be created, right? Do we have some specific requirement to have the MQL object even when such resource in AWS doesn't exist?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should be able to use null comparisons if we need to check that a policy exists or does not exist on a bucket. like aws.s3.bucket.policy != null -- does that not work?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It sounds it is possible! 🙌🏽 Thank you both for the correction 💯

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Feb 15, 2025
edited
Loading

Test Results

3 335 tests  ±0   3 331 ✅ ±0   1m 39s ⏱️ -15s
  385 suites ±0       4 💤 ±0 
   29 files   ±0       0 ❌ ±0 

Results for commit 958b932. ± Comparison against base commit 0162b01.

♻️ This comment has been updated with latest results.

@afiune
🔄 do not create bucket policy if not exists
01b8dd5 
Signed-off-by: Salim Afiune Maya <afiune@mondoo.com>
@afiune afiune requested review from vjeffrey and imilchev February 20, 2025 00:46
@vjeffrey
Copy link
Contributor

i'm hitting a panic when i try to test this

cnquery> aws.s3.buckets { policy != null }
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x8 pc=0x1071ee7d0]

goroutine 176 [running]:
go.mondoo.com/cnquery/v11/providers/aws/resources.(*mqlAwsS3BucketPolicy).MqlID(0x10cd66390?)
	/Users/vj/go/src/go.mondoo.io/cnquery/providers/aws/resources/aws.lr.go:20888

vjeffrey
vjeffrey reviewed Feb 20, 2025
View reviewed changes
providers/aws/resources/aws_s3.go Outdated
if isNotFoundForS3(err) {
return emptyAwsS3BucketPolicy(a.MqlRuntime)
}
if err != nil && !isNotFoundForS3(err) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

perhaps it would be useful to set the plugin state here? plugin.StateIsNull | plugin.StateIsSet

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, I learned something new today. Thanks @vjeffrey 👍🏽

@afiune
🐛 set policy to plugin.StateIsNull when not found
99d3c83 
Signed-off-by: Salim Afiune Maya <afiune@mondoo.com>
@afiune afiune requested a review from vjeffrey February 20, 2025 22:59
@vjeffrey
Copy link
Contributor

hmm. the other panic is gone:

cnquery> aws.s3.buckets { policy != null }
aws.s3.buckets: [
  0: {
    policy != null: false
  }

but i'm seeing this:

cnquery> aws.s3.buckets { public }
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x98 pc=0x10bb6fbb8]

goroutine 83 [running]:
go.mondoo.com/cnquery/v11/providers/aws/resources.(*mqlAwsS3BucketPolicy).parsePolicyDocument(0x14000faa008?)
	/Users/vj/go/src/go.mondoo.io/cnquery/providers/aws/resources/aws_s3.go:714 +0x18
go.mondoo.com/cnquery/v11/providers/aws/resources.(*mqlAwsS3Bucket).public(0x14000faa008)
	/Users/vj/go/src/go.mondoo.io/cnquery/providers/aws/resources/aws_s3.go:462 +0x23c

@mm-weber
Copy link
Contributor

@afiune

Tested this PR on the proposed solution, something seems to be off, still:
image

This does throw an error, too:
image

Tested this against via cnspec shell aws --discover s3-buckets using a s3 bucket with those properties:
image via aws.s3.bucket {*} .

@afiune
Copy link
Contributor Author

afiune commented Feb 21, 2025

@vjeffrey @mm-weber ugh, I think that there are a few moving parts that I missed, specially since we merged #5218 and that is where it's throwing a panic.

Will have something to review soon.

@afiune
🐛 fix accessing aws.s3.bucket.policy
958b932 
Signed-off-by: Salim Afiune Maya <afiune@mondoo.com>
afiune
afiune commented Feb 21, 2025
View reviewed changes
providers/aws/resources/aws_s3.go
@@ -133,6 +158,9 @@ func initAwsS3Bucket(runtime *plugin.Runtime, args map[string]*llx.RawData) (map
var arn string
if args["arn"] != nil {
arn = args["arn"].Value.(string)
if !strings.HasPrefix(arn, "arn:aws:s3:") {
return nil, nil, errors.Newf("not a valid bucket ARN '%s'", arn)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

During testing I detected that, if you are NOT in discovery and, you try to access aws.s3.bucket then we try to "create a bucket resource" of the AWS account, which is incorrect.

Now, we will exit with helpful error message:

cnquery> aws.s3.bucket
not a valid bucket ARN 'arn:aws:sts::123456789012'
aws.s3.bucket: no data available

vjeffrey
vjeffrey reviewed Feb 21, 2025
View reviewed changes
providers/aws/resources/aws.lr Outdated
// Unique ID for the policy
id string
// Name for the policy
// Deprecated
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: can you add "use bucketName instead" so that the deprecation reason is clear?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@afiune afiune merged commit f89614d into main Feb 21, 2025
8 checks passed
@afiune afiune deleted the afiune/aws/bucket-policy branch February 21, 2025 18:01
@github-actions github-actions bot locked and limited conversation to collaborators Feb 21, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@vjeffrey vjeffrey vjeffrey approved these changes

@imilchev imilchev Awaiting requested review from imilchev

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AWS S3 Bucket Policy does not work as expected on asset (type issue?)
4 participants
@afiune @vjeffrey @mm-weber @imilchev