more finetuning and modifications for aws integration

Author: Vikranth Subramanian

pkg/merger/merger.go

@@ -79,6 +79,28 @@ func MergeConfigFiles(
 			}
 		}
 
+		if extraConfig.Integrations.AWS != nil {
+			if config.Integrations.AWS == nil {
+				config.Integrations.AWS = extraConfig.Integrations.AWS
+			} else {
+				config.Integrations.AWS.Enable = extraConfig.Integrations.AWS.Enable
+
+				config.Integrations.AWS.RoleNameToAssume = extraConfig.Integrations.AWS.RoleNameToAssume
+				config.Integrations.AWS.PrimaryAccountID = extraConfig.Integrations.AWS.PrimaryAccountID
+				config.Integrations.AWS.PrimaryRegion = extraConfig.Integrations.AWS.PrimaryRegion
+
+				if extraConfig.Integrations.AWS.PrimaryRegion != "" {
+					config.Integrations.AWS.PrimaryRegion = extraConfig.Integrations.AWS.PrimaryRegion
+				}
+				if extraConfig.Integrations.AWS.TargetRegions != nil {
+					config.Integrations.AWS.TargetRegions = extraConfig.Integrations.AWS.TargetRegions
+				}
+				if extraConfig.Integrations.AWS.TargetAccounts != nil {
+					config.Integrations.AWS.TargetAccounts = extraConfig.Integrations.AWS.TargetAccounts
+				}
+			}
+		}
+
 		if len(extraConfig.IgnoreDirs) > 0 {
 			config.IgnoreDirs = extraConfig.IgnoreDirs
 		}

pkg/merger/merger_test.go

@@ -82,6 +82,14 @@ func TestMergeConfigFiles(t *testing.T) {
 						SeverityThreshold: models.SeverityHigh,
 						PriorityThreshold: models.PriorityImportant,
 					},
+					AWS: &models.AWS{
+						Enable:           true,
+						RoleNameToAssume: "nullify-role",
+						PrimaryAccountID: "123456789012",
+						PrimaryRegion:    "ap-southeast-2",
+						TargetRegions:    &[]string{"ap-southeast-2", "us-east-2"},
+						TargetAccounts:   &[]string{"123456789012", "123456789013"},
+					},
 				},
 			},
 			expected: &models.Configuration{
@@ -140,6 +148,14 @@ func TestMergeConfigFiles(t *testing.T) {
 						SeverityThreshold: models.SeverityHigh,
 						PriorityThreshold: models.PriorityImportant,
 					},
+					AWS: &models.AWS{
+						Enable:           true,
+						RoleNameToAssume: "nullify-role",
+						PrimaryAccountID: "123456789012",
+						PrimaryRegion:    "ap-southeast-2",
+						TargetRegions:    &[]string{"ap-southeast-2", "us-east-2"},
+						TargetAccounts:   &[]string{"123456789012", "123456789013"},
+					},
 				},
 			},
 		},
@@ -204,6 +220,14 @@ func TestMergeConfigFiles(t *testing.T) {
 							Low:      "low",
 						},
 					},
+					AWS: &models.AWS{
+						Enable:           true,
+						RoleNameToAssume: "nullify-role",
+						PrimaryAccountID: "123456789012",
+						PrimaryRegion:    "ap-southeast-2",
+						TargetRegions:    &[]string{"ap-southeast-2", "us-east-2"},
+						TargetAccounts:   &[]string{"123456789012", "123456789013"},
+					},
 				},
 			},
 			repoConfig: nil,
@@ -269,6 +293,14 @@ func TestMergeConfigFiles(t *testing.T) {
 							Low:      "low",
 						},
 					},
+					AWS: &models.AWS{
+						Enable:           true,
+						RoleNameToAssume: "nullify-role",
+						PrimaryAccountID: "123456789012",
+						PrimaryRegion:    "ap-southeast-2",
+						TargetRegions:    &[]string{"ap-southeast-2", "us-east-2"},
+						TargetAccounts:   &[]string{"123456789012", "123456789013"},
+					},
 				},
 			},
 		},
@@ -423,13 +455,6 @@ func TestMergeConfigFiles(t *testing.T) {
 			globalConfig: &models.Configuration{
 				AttackSurface: &models.AttackSurface{
 					Enable: true,
-					AWSIntegration: &models.AWSIntegration{
-						Enable:           true,
-						PrimaryAccountID: "111111111111",
-						PrimaryRegion:    "ap-southeast-2",
-						TargetRegions:    &[]string{"ap-southeast-1", "us-east-2"},
-						TargetAccounts:   &[]string{"222222222222", "333333333333"},
-					},
 				},
 			},
 			repoConfig: nil,
@@ -440,13 +465,6 @@ func TestMergeConfigFiles(t *testing.T) {
 				PriorityThreshold:        parser.DefaultPriorityThreshold,
 				AttackSurface: &models.AttackSurface{
 					Enable: true,
-					AWSIntegration: &models.AWSIntegration{
-						Enable:           true,
-						PrimaryAccountID: "111111111111",
-						PrimaryRegion:    "ap-southeast-2",
-						TargetRegions:    &[]string{"ap-southeast-1", "us-east-2"},
-						TargetAccounts:   &[]string{"222222222222", "333333333333"},
-					},
 				},
 			},
 		},

pkg/models/attack_surface.go

@@ -4,21 +4,11 @@ type AttackSurface struct {
 	// global only
 	Enable               bool                       `yaml:"enable"`
 	EnableDNSEnumeration bool                       `yaml:"enable_dns_enumeration"`
-	AWSIntegration       *AWSIntegration            `yaml:"aws_integration"`
 	Hosts                []string                   `yaml:"hosts,omitempty"`
 	IncludeOnly          []AttackSurfaceIncludeOnly `yaml:"include_only,omitempty"`
 	Ignore               []AttackSurfaceIgnore      `yaml:"ignore,omitempty"`
 }
 
-type AWSIntegration struct {
-	Enable           bool      `yaml:"enable"`
-	RoleNameToAssume string    `yaml:"role_name_to_assume"`
-	PrimaryAccountID string    `yaml:"primary_account_id,omitempty"`
-	PrimaryRegion    string    `yaml:"primary_region,omitempty"`
-	TargetRegions    *[]string `yaml:"target_regions,omitempty"`
-	TargetAccounts   *[]string `yaml:"target_accounts,omitempty"`
-}
-
 type AttackSurfaceIncludeOnly struct {
 	Hosts []string                      `yaml:"hosts,omitempty"`
 	HTTP  *HTTPAttackSurfaceIncludeOnly `yaml:"http,omitempty"`

pkg/models/integrations.go

@@ -2,6 +2,7 @@ package models
 
 type Integrations struct {
 	Jira *Jira `yaml:"jira,omitempty"`
+	AWS  *AWS  `yaml:"aws,omitempty"`
 }
 
 type Jira struct {
@@ -31,3 +32,12 @@ type Assignee struct {
 	Name string `yaml:"name,omitempty"`
 	ID   string `yaml:"id,omitempty"`
 }
+
+type AWS struct {
+	Enable           bool      `yaml:"enable"`
+	RoleNameToAssume string    `yaml:"role_name_to_assume"`
+	PrimaryAccountID string    `yaml:"primary_account_id"`
+	PrimaryRegion    string    `yaml:"primary_region"`
+	TargetRegions    *[]string `yaml:"target_regions,omitempty"`
+	TargetAccounts   *[]string `yaml:"target_accounts,omitempty"`
+}

tests/integration_test.go

@@ -152,6 +152,14 @@ func TestIntegration(t *testing.T) {
 				PriorityThreshold: models.PriorityImportant,
 				OnFixTransition:   "Done",
 			},
+			AWS: &models.AWS{
+				Enable:           true,
+				RoleNameToAssume: "nullify-role",
+				PrimaryAccountID: "123456789012",
+				PrimaryRegion:    "ap-southeast-2",
+				TargetRegions:    &[]string{"ap-southeast-2", "us-east-2"},
+				TargetAccounts:   &[]string{"123456789012", "123456789013"},
+			},
 		},
 		AttackSurface: &models.AttackSurface{
 			Enable:               true,
@@ -188,14 +196,6 @@ func TestIntegration(t *testing.T) {
 					},
 				},
 			},
-			AWSIntegration: &models.AWSIntegration{
-				Enable:           true,
-				PrimaryAccountID: "123456789012",
-				PrimaryRegion:    "ap-southeast-2",
-				TargetRegions:    &[]string{"ap-southeast-2", "us-east-2"},
-				TargetAccounts:   &[]string{"123456789012", "123456789013"},
-				RoleNameToAssume: "nullify-role",
-			},
 		},
 	}
 

tests/nullify.yaml

@@ -94,6 +94,13 @@ integrations:
     severity_threshold: HIGH
     priority_threshold: IMPORTANT
     on_fix_transition: Done
+  aws:
+    enable: true
+    role_name_to_assume: nullify-role
+    primary_account_id: 123456789012
+    primary_region: ap-southeast-2
+    target_regions: [ap-southeast-2, us-east-2]
+    target_accounts: [123456789012, 123456789013]
 attack_surface:
   enable: true
   enable_dns_enumeration: true
@@ -114,10 +121,4 @@ attack_surface:
       http:
         paths: [/auth]
         methods: [POST]
-  aws_integration:
-    enable: true
-    role_name_to_assume: nullify-role
-    primary_account_id: 123456789012
-    primary_region: ap-southeast-2
-    target_regions: [ap-southeast-2, us-east-2]
-    target_accounts: [123456789012, 123456789013]
+