From 1f949b4175e1c7987c36ee49cf153279eeaaa2fb Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Wed, 29 Apr 2020 12:06:47 +0200
Subject: [PATCH] Improved AWS partition handle

---
 checks/check_extra788 | 1 +
 include/assume_role | 6 +++---
 include/outputs | 34 +++++++++++++++++-----------------
 3 files changed, 21 insertions(+), 20 deletions(-)

diff --git a/checks/check_extra788 b/checks/check_extra788
index 1afcb9db..f09a9fcc 100644
--- a/checks/check_extra788
+++ b/checks/check_extra788
@@ -40,6 +40,7 @@ extra788(){
 if [[ $CHECK_ES_DOMAIN_POLICY_HAS_CONDITION ]]; then
 # get content of IpAddress."aws:SourceIp" and get a clean list
 LIST_CONDITION_IPS=$(cat $TEMP_POLICY_FILE | jq '.Statement[0] .Condition.IpAddress."aws:SourceIp"'| awk -F'"' '{print $2}' | tr -d '",^$' | sed '/^$/d')
+ unset CONDITION_HAS_PUBLIC_IP_ARRAY
 for condition_ip in "${LIST_CONDITION_IPS}";do
 CONDITION_HAS_PRIVATE_IP=$(echo "${condition_ip}" | grep -E '^(192\.168|10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.)')
 if [[ $CONDITION_HAS_PRIVATE_IP ]];then
diff --git a/include/assume_role b/include/assume_role
index 58b21399..25a244f4 100644
--- a/include/assume_role
+++ b/include/assume_role
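Review bot: The loop `for condition_ip in "${LIST_CONDITION_IPS}";do` right after the added `unset` runs exactly once with the whole newline-separated list as `condition_ip`, because the quoted expansion is a single word, so the private-range grep on the next line is applied to the full list rather than to each address and a policy mixing private and public source ranges cannot be classified per IP; the array the commit now resets, presumably filled inside that loop, can therefore hold at most one entry. Iterate per line instead, `while IFS= read -r condition_ip; do`, with the matching `done <<< "${LIST_CONDITION_IPS}"` (outside the hunk). `cat $TEMP_POLICY_FILE` should also be quoted as `"$TEMP_POLICY_FILE"`. The body of extra788 continues past the hunk.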
@@ -29,18 +29,18 @@ if [[ $ACCOUNT_TO_ASSUME ]]; then #Check if external ID has bee provided if so execute with external ID if not ignore if [[ -z $ROLE_EXTERNAL_ID ]]; then # assume role command - $AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:aws:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \ + $AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:${AWS_PARTITION}:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \ --role-session-name ProwlerAssessmentSession \ --duration-seconds $SESSION_DURATION_TO_ASSUME > $TEMP_STS_ASSUMED_FILE else - $AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:aws:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \ + $AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:${AWS_PARTITION}:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \ --role-session-name ProwlerAssessmentSession \ --duration-seconds $SESSION_DURATION_TO_ASSUME \ --external-id $ROLE_EXTERNAL_ID > $TEMP_STS_ASSUMED_FILE fi # assume role command - #$AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:aws:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \ + #$AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:${AWS_PARTITION}:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \ # --role-session-name ProwlerAssessmentSession \ # --duration-seconds $SESSION_DURATION_TO_ASSUME > $TEMP_STS_ASSUMED_FILE diff --git a/include/outputs b/include/outputs index 40913044..24fb83f4 100644 --- a/include/outputs +++ b/include/outputs 
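Review bot: `arn:${AWS_PARTITION}:iam::…` collapses to `arn::iam::…` when AWS_PARTITION is empty or unset, and the resulting assume-role failure then reads as a malformed ARN rather than a missing configuration; where the variable is initialised is not visible in this file, so guard it at the top of the `if [[ $ACCOUNT_TO_ASSUME ]]` block (which starts outside the hunk) with `: "${AWS_PARTITION:?AWS_PARTITION must be set}"` or default it explicitly with `${AWS_PARTITION:-aws}`. The role ARN and `--external-id $ROLE_EXTERNAL_ID` are also unquoted; write them as `--role-arn "arn:${AWS_PARTITION}:iam::${ACCOUNT_TO_ASSUME}:role/${ROLE_TO_ASSUME}"` and `--external-id "$ROLE_EXTERNAL_ID"`. The third, commented-out copy of the command is dead code that now has to be kept in sync by hand; dropping it avoids the next edit missing it.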
@@ -32,13 +32,13 @@ textPass(){
 else
 REPREGION=$REGION
 fi
- if [[ " ${MODES[@]} " =~ " csv " ]]; then
+ if [[ "${MODES[@]}" =~ "csv" ]]; then
 echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}PASS${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
 fi
- if [[ " ${MODES[@]} " =~ " json " ]]; then
+ if [[ "${MODES[@]}" =~ "json" ]]; then
 generateJsonOutput "$1" "Pass" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_JSON
 fi
- if [[ " ${MODES[@]} " =~ " json-asff " ]]; then
+ if [[ "${MODES[@]}" =~ "json-asff" ]]; then
 JSON_ASFF_OUTPUT=$(generateJsonAsffOutput "$1" "PASSED" "INFORMATIONAL")
 echo "${JSON_ASFF_OUTPUT}" | tee -a $OUTPUT_FILE_NAME.$EXTENSION_ASFF
 if [[ "${SEND_TO_SECURITY_HUB}" -eq 1 ]]; then
@@ -48,10 +48,10 @@ textPass(){
 if is_junit_output_enabled; then
 output_junit_success "$1"
 fi
- if [[ " ${MODES[@]} " =~ " mono " ]]; then
+ if [[ "${MODES[@]}" =~ "mono" ]]; then
 echo " $OK PASS!$NORMAL $1" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_TEXT
 fi
- if [[ " ${MODES[@]} " =~ " text " || " ${MODES[@]} " =~ " mono " ]]; then
+ if [[ "${MODES[@]}" =~ "text" || "${MODES[@]}" =~ "mono" ]]; then
 echo " $OK PASS!$NORMAL $1"
 fi
 }
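Review bot: Dropping the surrounding spaces from the `=~` tests turns the whole-word membership check into a substring match, so with `MODES=(json-asff)` the new `[[ "${MODES[@]}" =~ "json" ]]` is also true and textPass writes the plain JSON file on top of the ASFF one; the same regression is in the textInfo, textFail and textTitle hunks. Inside `[[ ]]` the array expands to its elements joined by spaces and a quoted right-hand side is matched literally anywhere in that string, which is exactly why the original padded both sides with a space. Restore the padding, e.g. `if [[ " ${MODES[@]} " =~ " json " ]]; then`, or replace the repeated tests with a helper such as `has_mode() { local m; for m in "${MODES[@]}"; do [[ "$m" == "$1" ]] && return 0; done; return 1; }` called as `if has_mode json; then`.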
@@ -66,19 +66,19 @@ textInfo(){
 else
 REPREGION=$REGION
 fi
- if [[ " ${MODES[@]} " =~ " csv " ]]; then
+ if [[ "${MODES[@]}" =~ "csv" ]]; then
 echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}INFO${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV}
 fi
- if [[ " ${MODES[@]} " =~ " json " ]]; then
+ if [[ "${MODES[@]}" =~ "json" ]]; then
 generateJsonOutput "$1" "Info" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON}
 fi
 if is_junit_output_enabled; then
 output_junit_info "$1"
 fi
- if [[ " ${MODES[@]} " =~ " mono " ]]; then
+ if [[ "${MODES[@]}" =~ "mono" ]]; then
 echo " $NOTICE INFO! $1 $NORMAL" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_TEXT
 fi
- if [[ " ${MODES[@]} " =~ " text " ]]; then
+ if [[ "${MODES[@]}" =~ "text" ]]; then
 echo " $NOTICE INFO! $1 $NORMAL"
 fi
 }
@@ -91,13 +91,13 @@ textFail(){
 else
 REPREGION=$REGION
 fi
- if [[ " ${MODES[@]} " =~ " csv " ]]; then
+ if [[ "${MODES[@]}" =~ "csv" ]]; then
 echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}FAIL${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV}
 fi
- if [[ " ${MODES[@]} " =~ " json " ]]; then
+ if [[ "${MODES[@]}" =~ "json" ]]; then
 generateJsonOutput "$1" "Fail" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON}
 fi
- if [[ " ${MODES[@]} " =~ " json-asff " ]]; then
+ if [[ "${MODES[@]}" =~ "json-asff" ]]; then
 JSON_ASFF_OUTPUT=$(generateJsonAsffOutput "$1" "FAILED" "HIGH")
 echo "${JSON_ASFF_OUTPUT}" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_ASFF}
 if [[ "${SEND_TO_SECURITY_HUB}" -eq 1 ]]; then
@@ -107,10 +107,10 @@ textFail(){
 if is_junit_output_enabled; then
 output_junit_failure "$1"
 fi
- if [[ " ${MODES[@]} " =~ " mono " ]]; then
+ if [[ "${MODES[@]}" =~ "mono" ]]; then
 echo " $BAD FAIL! $1 $NORMAL" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_TEXT
 fi
- if [[ " ${MODES[@]} " =~ " text " ]]; then
+ if [[ "${MODES[@]}" =~ "text" ]]; then
 echo " $BAD FAIL! $1 $NORMAL"
 fi
 }
@@ -150,9 +150,9 @@ textTitle(){ group_ids="$CYAN [$5] $NORMAL" fi - if [[ " ${MODES[@]} " =~ " csv " ]]; then + if [[ "${MODES[@]}" =~ "csv" ]]; then >&2 echo "$TITLE_ID $TITLE_TEXT" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV} - elif [[ " ${MODES[@]} " =~ " json " || " ${MODES[@]} " =~ " json-asff " ]]; then + elif [[ "${MODES[@]}" =~ "json" || "${MODES[@]}" =~ "json-asff" ]]; then : else if [[ "$ITEM_SCORED" == "Scored" ]]; then @@ -213,7 +213,7 @@ generateJsonAsffOutput(){ -n '{ "SchemaVersion": "2018-10-08", "Id": "prowler-\($TITLE_ID)-\($ACCOUNT_NUM)-\($REPREGION)-\($UNIQUE_ID)", - "ProductArn": "arn:aws:securityhub:\($REPREGION):\($ACCOUNT_NUM):product/\($ACCOUNT_NUM)/default", + "ProductArn": "arn:${AWS_PARTITION}:securityhub:\($REPREGION):\($ACCOUNT_NUM):product/\($ACCOUNT_NUM)/default", "ProductFields": { "ProviderName": "Prowler", "ProviderVersion": $PROWLER_VERSION
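Review bot: `${AWS_PARTITION}` in the new ProductArn line sits inside the jq program that opens with `-n '{`, and the `\($REPREGION)`/`\($ACCOUNT_NUM)` interpolations on the same line indicate that program is single-quoted, so the shell will not expand it and the ASFF finding will carry the literal text `arn:${AWS_PARTITION}:securityhub:…`, an ARN Security Hub will reject. Pass the value in as a jq variable like the other fields: add `--arg AWS_PARTITION "$AWS_PARTITION"` to the jq invocation (which starts outside the hunk) and write `"ProductArn": "arn:\($AWS_PARTITION):securityhub:\($REPREGION):\($ACCOUNT_NUM):product/\($ACCOUNT_NUM)/default",`. The textTitle hunk on this line has the same substring-match regression in its `=~` tests as textPass; see the note there.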