wip

Signed-off-by: Alex Jones <[email protected]>
isotope-rs · Oct 25, 2023 · 06e59d8 · 06e59d8
1 parent f599023
commit 06e59d8
Show file tree

Hide file tree

Showing 12 changed files with 311 additions and 94 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -20,3 +20,6 @@ aws-sdk-macie = "0.33.0"
 v = "0.1.0"
 aws-sdk-config = "0.33.0"
 clap = { version = "4.4.6", features = ["derive"] }
+aws-sdk-sts = "0.33.0"
+aws-sdk-iam = "0.33.0"
+aws-smithy-runtime-api = { version = "0.56.1", features = ["client"] }
diff --git a/src/analyze/mod.rs b/src/analyze/mod.rs
@@ -29,6 +29,9 @@ pub async fn run_analysis(args: &Args) {
             match filtered_analyzer {
                 Some(x) => {
                     let thread_tx = tx.clone();
+                    // Init analyzer
+                    x.run().await;
+
                     let response = x.run().await;
                     match response {
                         Some(respResults) => {
@@ -49,6 +52,10 @@ pub async fn run_analysis(args: &Args) {
             for current_analyzer in analyzers {
                 let thread_tx = tx.clone();
                 tasks.push(tokio::spawn(async move {
+
+                    // Init analyzer
+                    current_analyzer.init().await;
+
                     let response = current_analyzer.run().await;
                     match response {
                         Some(resp_results) => {

diff --git a/src/analyzer/analyzer_trait.rs b/src/analyzer/analyzer_trait.rs
@@ -6,5 +6,9 @@ use crate::analyzer::types::AnalysisResults;
 #[async_trait]
 pub trait Analyzer:  Sync + Send {
     async fn run(&self) -> Option<Vec<AnalysisResults>>;
+
+    async fn init(&self) -> Result<(), Box<dyn std::error::Error>>;
+
+    async fn de_init(&self) -> Result<(), Box<dyn std::error::Error>>;
     fn get_name(&self) -> &str;
 }
diff --git a/src/analyzer/aws_config_analyzer.rs b/src/analyzer/aws_config_analyzer.rs
diff --git a/src/analyzer/macie_analyzer.rs b/src/analyzer/macie_analyzer.rs
diff --git a/src/analyzer/mod.rs b/src/analyzer/mod.rs
@@ -1,18 +1,15 @@
-
+use std::sync::Arc;
 use crate::analyzer::analyzer_trait::Analyzer;
 
 pub mod analyzer_trait;
-mod macie_analyzer;
-mod aws_config_analyzer;
+mod s3_analyzer;
 pub(crate) mod types;
 
-pub fn generate_analyzers<'a>( config: aws_config::SdkConfig) -> Vec<Box<dyn Analyzer  + 'a>> {
-    let analyzers: Vec<Box<dyn Analyzer>> = vec!(Box::new(aws_config_analyzer::AWSConfigAnalyzer {
-        config: config.clone(),
-    }),
-        Box::new(macie_analyzer::MacieAnalyzer{
-            config: config.clone(),
-        })
-    );
+pub fn generate_analyzers<'a>(config: aws_config::SdkConfig) -> Vec<Box<dyn Analyzer + 'a>> {
+    let analyzers: Vec<Box<dyn Analyzer>> = vec![
+         Box::new(s3_analyzer::S3Analyzer {
+            config: Arc::new(config),
+        }),
+    ];
     analyzers
-}
+}
diff --git a/src/analyzer/s3_analyzer.rs b/src/analyzer/s3_analyzer.rs
@@ -0,0 +1,135 @@
+use crate::analyzer::analyzer_trait;
+use crate::analyzer::types::AnalysisResults;
+use crate::utils;
+use async_trait::async_trait;
+use colored::Colorize;
+use std::sync::Arc;
+use aws_sdk_s3;
+const role_name: &str = "DetectPublicS3BucketsRole";
+const policy_name: &str = "DetectPublicS3BucketsPolicy";
+const policy_document: &str = r#"{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:ListAllMyBuckets",
+                "s3:GetBucketAcl"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+"#;
+const assume_role_policy_document: &str = r#"{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "s3.amazonaws.com"
+            },
+            "Action": "sts:AssumeRole"
+        }
+    ]
+}
+"#;
+pub struct S3Analyzer {
+    pub config: Arc<aws_config::SdkConfig>,
+}
+#[async_trait]
+impl analyzer_trait::Analyzer for S3Analyzer {
+    async fn init(&self) -> Result<(), Box<dyn std::error::Error>> {
+        println!(
+            "{} {} {}",
+            "Initialising".green(),
+            "S3".blue(),
+            "analyzer".green()
+        );
+       //  let c1 = Arc::clone(&self.config);
+       //  // fetch account
+       //  let acc = utils::sts::get_account_id(c1).await;
+       //  println!("Account ID {}", acc.unwrap().green());
+       //
+       //  let c2 = Arc::clone(&self.config);
+       //  let c3 = Arc::clone(&self.config);
+       //  let c4 = Arc::clone(&self.config);
+       //  let mut shouldCreate: bool = false;
+       //  // Role ------------------------------------------------------------------------------------
+       //  match utils::iam::check_role_exists(c2, role_name).await {
+       //      Ok(x) => println!("Role {} exists", role_name),
+       //      _ => {
+       //          shouldCreate = true;
+       //          println!("Role {} does not exist", role_name)
+       //      }
+       //  }
+       //  if shouldCreate {
+       //      let response = utils::iam::create_role(c3, role_name, assume_role_policy_document).await?;
+       //      println!(
+       //          "Created role {} with ARN {}",
+       //          response.role_name.unwrap(),
+       //          response.arn.unwrap()
+       //      );
+       //  }
+       // // Policy ----------------------------------------------------------------------------------
+       //  let policy = utils::iam::create_policy(c4, policy_name, policy_document).await;
+       //  match policy {
+       //      Ok(p) => println!("Created {:?}", p),
+       //      Err(e) => {
+       //          println!("Error creating policy {} {}", policy_name, e);
+       //      },
+       //  }
+        // -----------------------------------------------------------------------------------------
+        Ok(())
+    }
+
+    async fn de_init(&self) -> Result<(), Box<dyn std::error::Error>> {
+        println!(
+            "{} {} {}",
+            "De-initialising".green(),
+            "S3".blue(),
+            "analyzer".green()
+        );
+
+        Ok(())
+    }
+    async fn run(&self) -> Option<Vec<AnalysisResults>> {
+        println!(
+            "{} {} {}",
+            "Running".green(),
+            "S3".blue(),
+            "analyzer".green()
+        );
+        let s3 = aws_sdk_s3::Client::new(&self.config);
+
+        let s3_response = s3.list_buckets().send().await;
+
+        for bucket in s3_response.unwrap().buckets {
+            for b in bucket {
+                let bucket_name = b.name.unwrap();
+                // Check if the S3 bucket is publicly accessible.
+                let acl_response = s3
+                    .get_bucket_acl()
+                    .bucket(&bucket_name)
+                    .send()
+                    .await;
+
+                for grant in acl_response.unwrap().grants {
+                    if let Some(grantee) = grant.first() {
+                        if grantee.clone().grantee.unwrap().uri == Some("http://acs.amazonaws.com/groups/global/AllUsers".to_string()) {
+                            println!("Publicly accessible S3 bucket: {}", bucket_name);
+                        }
+                    }
+                }
+            }
+        }
+
+        Some(vec![AnalysisResults {
+            message: "".to_string(),
+        }])
+    }
+
+    fn get_name(&self) -> &str {
+        "s3"
+    }
+}
diff --git a/src/main.rs b/src/main.rs
@@ -4,6 +4,7 @@ mod configure;
 mod config;
 mod analyzer;
 mod outputs;
+mod utils;
 
 // const
 const CARGO_PKG_NAME: &str = "isotope";