From 8b5e8323bb56f01e4914f30132cf257db7447cef Mon Sep 17 00:00:00 2001
From: AkhtarAmir <31914988+AkhtarAmir@users.noreply.github.com>
Date: Fri, 21 Apr 2023 23:04:38 +0500
Subject: [PATCH] Added logic to also check statement effect (#1287)
* Added logic to also check statement effect
* Update rules/cloud/policies/aws/iam/filter_iam_pass_role.rego
* changing spaces to tabs for linting
---------
Co-authored-by: M-Akhtar
Co-authored-by: Gio Rodriguez
---
 .../policies/aws/iam/filter_iam_pass_role.rego | 15 ++++++++++++---
 .../aws/iam/filter_iam_pass_role_test.rego | 11 ++++++++++-
 2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/rules/cloud/policies/aws/iam/filter_iam_pass_role.rego b/rules/cloud/policies/aws/iam/filter_iam_pass_role.rego
index 3750dc9fb..cd15cd78f 100644
--- a/rules/cloud/policies/aws/iam/filter_iam_pass_role.rego
+++ b/rules/cloud/policies/aws/iam/filter_iam_pass_role.rego
@@ -21,9 +21,18 @@ # provider: aws
 package builtin.aws.iam.aws0342
+allows_permission(statements, permission, effect) {
+ statement := statements[_]
+ statement.Effect == effect
+ action = statement.Action[_]
+ action == permission
+}
+
 deny[res] {
 policy := input.aws.iam.policies[_]
- action := policy.document.value
- contains(action, "iam:PassRole")
- res = result.new("Warning: 'iam:PassRole' action is present in policy", policy.document)
+ value = json.unmarshal(policy.document.value)
+ statements = value.Statement
+ not allows_permission(statements, "iam:PassRole", "Deny")
+ allows_permission(statements, "iam:PassRole", "Allow")
+ res = result.new("IAM policy allows 'iam:PassRole' action", policy.document)
 }
diff --git a/rules/cloud/policies/aws/iam/filter_iam_pass_role_test.rego b/rules/cloud/policies/aws/iam/filter_iam_pass_role_test.rego
index 536c090c5..57fd58239 100644
--- a/rules/cloud/policies/aws/iam/filter_iam_pass_role_test.rego
+++ b/rules/cloud/policies/aws/iam/filter_iam_pass_role_test.rego
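Review bot: `allows_permission` compares `statement.Action[_]` to the permission by exact string equality, so a statement whose `Action` is a wildcard such as `iam:*` or `*`, or whose `Action` is a single string rather than an array (both valid IAM document forms), never yields a finding — a false negative for the broader and therefore riskier policy. The suppression `not allows_permission(statements, "iam:PassRole", "Deny")` also lets any Deny statement anywhere in the document cancel every Allow, without comparing Resource or Condition, so an Allow on one role alongside a Deny scoped to another is hidden; a comment stating that this document-wide suppression is intentional, or a Resource-aware comparison, would help, and `NotAction` is not considered at all. The rewrite below normalizes `Action` to a list and uses `glob.match` so wildcard actions are caught; it stays case-sensitive, which IAM action matching is not, so applying `lower()` to both sides may also be worth adding.

```rego
# IAM allows "Action" to be a single string or an array of strings.
statement_actions(statement) = [statement.Action] {
	is_string(statement.Action)
}

statement_actions(statement) = statement.Action {
	is_array(statement.Action)
}

allows_permission(statements, permission, effect) {
	statement := statements[_]
	statement.Effect == effect
	action := statement_actions(statement)[_]
	# glob so that wildcard actions such as "iam:*" or "*" are matched as well
	glob.match(action, [], permission)
}

# … unchanged: deny[res] rule …
```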
@@ -1,6 +1,6 @@
 package builtin.aws.iam.aws0342
-test_with_iam_pass_role {
+test_with_allow_iam_pass_role {
 policies := [{
 "name": "policy_with_iam_pass_role",
 "document": {"value": "{\"Version\":\"2012-10-17\",\"Id\":\"\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{},\"NotPrincipal\":{},\"Action\":[\"iam:PassRole\"],\"NotAction\":null,\"Resource\":[\"arn:aws:iam::193063503752:role/atc-node\"],\"NotResource\":null,\"Condition\":{}}]}"},
@@ -9,6 +9,15 @@ test_with_iam_pass_role {
 count(r) == 1
 }
+test_with_deny_iam_pass_role {
+ policies := [{
+ "name": "policy_with_iam_pass_role",
+ "document": {"value": "{\"Version\":\"2012-10-17\",\"Id\":\"\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Deny\",\"Principal\":{},\"NotPrincipal\":{},\"Action\":[\"iam:PassRole\"],\"NotAction\":null,\"Resource\":[\"arn:aws:iam::193063503752:role/atc-node\"],\"NotResource\":null,\"Condition\":{}}]}"},
+ }]
+ r := deny with input as {"aws": {"iam": {"policies": policies}}}
+ count(r) == 0
+}
+
 test_with_no_iam_pass_role {
 policies := [{
 "name": "policy_without_iam_pass_role",
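Review bot: `test_with_deny_iam_pass_role` exercises a document with a single Deny statement, but the new behaviour in `deny` is the interaction between Allow and Deny statements within one document, and no test covers a document that holds both, nor the string-form `"Action":"iam:PassRole"` or a wildcard action, which the rule's exact match on `statement.Action[_]` would presumably not flag. A test along the lines of `test_with_allow_and_deny_iam_pass_role`, whose Statement array holds the existing Allow statement followed by the Deny statement, would pin whichever outcome is intended; I have not written it out because the expected `count(r)` depends on whether a document-wide Deny is meant to suppress the Allow regardless of Resource. The body of `test_with_no_iam_pass_role` continues past the end of the hunk.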