private import bicep
private import codeql.bicep.Concepts
module KeyVault {
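/**
 * A `Microsoft.KeyVault/*` resource declared in a Bicep file.
 *
 * The type test is a prefix match, so child resource types (for example
 * `Microsoft.KeyVault/vaults/secrets`) are also `VaultResource`s; the
 * `properties`-based predicates below are only meaningful for the top-level
 * `Microsoft.KeyVault/vaults` type, whose `properties` object is modelled by
 * `KeyVaultProperties::Properties`.
 */
class VaultResource extends AzureResource {
  /**
   * Holds for any resource whose type starts with `Microsoft.KeyVault/`.
   * The `.` is escaped so the pattern matches the literal type prefix rather
   * than any character.
   */
  VaultResource() { this.getResourceType().regexpMatch("^Microsoft\\.KeyVault/.*") }

  /** Gets the tenant ID of this Key Vault, when `properties.tenantId` is a string literal. */
  string tenantId() { result = this.getProperties().getTenantId().getValue() }

  /** Gets the `properties` object of this Key Vault. */
  KeyVaultProperties::Properties getProperties() { result = this.getProperty("properties") }

  /** Gets an access policy of this Key Vault (an element of `properties.accessPolicies`). */
  KeyVaultProperties::AccessPolicy getAccessPolicies() {
    result = this.getProperties().getAccessPolicies()
  }

  /** Gets the `properties.networkAcls` object of this Key Vault. */
  Network::NetworkAcl getNetworkAcls() { result = this.getProperties().getNetworkAcls() }

  override string toString() { result = "Key Vault Resource" }
}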
/**
 * A Key Vault resource whose `properties.publicNetworkAccess` is the string
 * literal `"Enabled"`.
 *
 * NOTE(review): only an explicit literal `"Enabled"` is matched. A vault that
 * omits `publicNetworkAccess`, or sets it through a parameter or variable, is
 * not a `PublicVaultResource`; I believe Azure treats an omitted value as
 * public access enabled — confirm whether that case should also be reported.
 * An `"Enabled"` vault may additionally restrict callers through
 * `networkAcls` (e.g. a `Deny` default action); consider `getNetworkAcls()`
 * on the underlying `VaultResource` before alerting.
 */
class PublicVaultResource extends PublicResource {
  /** Holds when this is a `VaultResource` whose `publicNetworkAccess` literal equals `"Enabled"`. */
  PublicVaultResource() {
    this.(VaultResource).getProperties().publicNetworkAccess() = "Enabled"
  }

  /** Gets the `publicNetworkAccess` property expression that makes this vault public. */
  override Expr getPublicAccessProperty() {
    result = this.(VaultResource).getProperties().getPublicNetworkAccess()
  }

  override string toString() { result = "Public Key Vault Resource" }
}
module KeyVaultProperties {
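/**
 * The `properties` object of a `Microsoft.KeyVault/vaults` resource.
 *
 * Each `getXxx()` predicate returns the property's AST node and the matching
 * lower-case predicate its literal value. A property written as a parameter
 * or variable reference or a function call (a common pattern is
 * `tenantId: subscription().tenantId`) is not a `StringLiteral`/`Boolean`
 * node, so both predicates are empty for it.
 */
class Properties extends ResourceProperties {
  private VaultResource vaultResource;

  /** Holds when this is the `properties` object of `vaultResource`. */
  Properties() { this = vaultResource.getProperty("properties") }

  /** Gets the vault resource that owns this `properties` object. */
  VaultResource getVaultResource() { result = vaultResource }

  /** Gets the `tenantId` property, when it is a string literal. */
  StringLiteral getTenantId() { result = this.getProperty("tenantId") }

  /** Gets the literal value of `tenantId`. */
  string tenantId() { result = this.getTenantId().getValue() }

  /** Gets the `createMode` property, when it is a string literal. */
  StringLiteral getCreateMode() { result = this.getProperty("createMode") }

  /** Gets the literal value of `createMode`. */
  string createMode() { result = this.getCreateMode().getValue() }

  /** Gets the `enabledForDeployment` property. */
  Boolean getEnabledForDeployment() { result = this.getProperty("enabledForDeployment") }

  /** Gets the literal value of `enabledForDeployment`. */
  boolean enabledForDeployment() { result = this.getEnabledForDeployment().getBool() }

  /** Gets the `enabledForDiskEncryption` property. */
  Boolean getEnabledForDiskEncryption() {
    result = this.getProperty("enabledForDiskEncryption")
  }

  /** Gets the literal value of `enabledForDiskEncryption`. */
  boolean enabledForDiskEncryption() { result = this.getEnabledForDiskEncryption().getBool() }

  /** Gets the `enabledForTemplateDeployment` property. */
  Boolean getEnabledForTemplateDeployment() {
    result = this.getProperty("enabledForTemplateDeployment")
  }

  /** Gets the literal value of `enabledForTemplateDeployment`. */
  boolean enabledForTemplateDeployment() {
    result = this.getEnabledForTemplateDeployment().getBool()
  }

  /**
   * Gets the `enableSoftDelete` property.
   *
   * `enableSoftDelete` is the property name in the `Microsoft.KeyVault/vaults`
   * schema; the spelling `softDeleteEnabled` previously looked up here is not
   * a vault property, but is still accepted so existing results are unchanged.
   */
  Boolean getSoftDeleteEnabled() {
    result = this.getProperty(["enableSoftDelete", "softDeleteEnabled"])
  }

  /** Gets the literal value of `enableSoftDelete`. */
  boolean softDeleteEnabled() { result = this.getSoftDeleteEnabled().getBool() }

  /**
   * Gets the `enablePurgeProtection` property.
   *
   * `enablePurgeProtection` is the schema property name; the spelling
   * `purgeProtectionEnabled` previously looked up here is still accepted.
   */
  Boolean getPurgeProtectionEnabled() {
    result = this.getProperty(["enablePurgeProtection", "purgeProtectionEnabled"])
  }

  /** Gets the literal value of `enablePurgeProtection`. */
  boolean purgeProtectionEnabled() { result = this.getPurgeProtectionEnabled().getBool() }

  /**
   * Gets the `enableRbacAuthorization` property.
   *
   * Azure documents that `accessPolicies` are ignored once RBAC authorization
   * is enabled, so a query reasoning about access policies should consult this
   * property first.
   */
  Boolean getEnableRbacAuthorization() {
    result = this.getProperty("enableRbacAuthorization")
  }

  /** Gets the literal value of `enableRbacAuthorization`. */
  boolean enableRbacAuthorization() { result = this.getEnableRbacAuthorization().getBool() }

  /** Gets the `publicNetworkAccess` property, when it is a string literal. */
  StringLiteral getPublicNetworkAccess() { result = this.getProperty("publicNetworkAccess") }

  /** Gets the literal value of `publicNetworkAccess` (e.g. `"Enabled"` or `"Disabled"`). */
  string publicNetworkAccess() { result = this.getPublicNetworkAccess().getValue() }

  /** Gets the `networkAcls` object. */
  Network::NetworkAcl getNetworkAcls() { result = this.getProperty("networkAcls") }

  /** Gets an element of the `accessPolicies` array. */
  AccessPolicy getAccessPolicies() {
    result = this.getProperty("accessPolicies").(Array).getElements()
  }

  /** Gets the element of the `accessPolicies` array at position `index`. */
  AccessPolicy getAccessPolicy(int index) {
    result = this.getProperty("accessPolicies").(Array).getElement(index)
  }

  override string toString() { result = "Key Vault Properties" }
}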
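/**
 * One entry of the `properties.accessPolicies` array of a Key Vault resource.
 *
 * NOTE(review): Azure documents that access policies have no effect on a vault
 * with `enableRbacAuthorization: true`; a query should not treat a policy as
 * effective without checking that property on the owning vault.
 */
class AccessPolicy extends Object {
  private KeyVaultProperties::Properties properties;

  /** Holds when this object is an element of `properties.accessPolicies`. */
  AccessPolicy() { this = properties.getProperty("accessPolicies").(Array).getElements() }

  /** Gets the vault `properties` object whose `accessPolicies` array contains this policy. */
  KeyVaultProperties::Properties getVaultProperties() { result = properties }

  /** Gets the literal `tenantId` of this policy. */
  string getTenantId() { result = this.getProperty("tenantId").(StringLiteral).getValue() }

  /** Gets the literal `objectId` of this policy, i.e. the principal the policy grants to. */
  string getObjectId() { result = this.getProperty("objectId").(StringLiteral).getValue() }

  /** Gets the `permissions` object of this policy. */
  AccessPolicyPermissions getPermissions() { result = this.getProperty("permissions") }

  /** Gets a textual representation of this policy. */
  string toString() { result = "AccessPolicy" }
}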
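/**
 * The `permissions` object of a Key Vault access policy.
 *
 * Each of `certificates`, `keys`, `secrets` and `storage` is an array of
 * permission names. NOTE(review): Key Vault accepts the wildcard value `all`
 * in these arrays; a least-privilege check should treat it as granting every
 * permission rather than looking only for individual names.
 */
class AccessPolicyPermissions extends Object {
  private AccessPolicy accessPolicy;

  /** Holds when this object is the `permissions` property of `accessPolicy`. */
  AccessPolicyPermissions() { this = accessPolicy.getProperty("permissions") }

  /** Gets the access policy these permissions belong to. */
  AccessPolicy getAccessPolicy() { result = accessPolicy }

  /** Gets the `certificates` permissions array. */
  Array getCertificates() { result = this.getProperty("certificates") }

  /** Gets the certificate permission at position `index`. */
  StringLiteral getCertificate(int index) { result = this.getCertificates().getElement(index) }

  /** Gets the `keys` permissions array. */
  Array getKeys() { result = this.getProperty("keys") }

  /** Gets the key permission at position `index`. */
  StringLiteral getKey(int index) { result = this.getKeys().getElement(index) }

  /** Gets the `secrets` permissions array. */
  Array getSecrets() { result = this.getProperty("secrets") }

  /** Gets the secret permission at position `index`. */
  StringLiteral getSecret(int index) { result = this.getSecrets().getElement(index) }

  /** Gets the `storage` permissions array. */
  Array getStorages() { result = this.getProperty("storage") }

  /** Gets the storage permission at position `index`. */
  StringLiteral getStorage(int index) { result = this.getStorages().getElement(index) }

  /** Gets a textual representation of these permissions. */
  string toString() { result = "AccessPolicyPermissions" }
}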
}
}