feat(reorganize_folders): Merge checks. (#1196)

Co-authored-by: sergargar <sergio@verica.io>

providers/aws/services/apigateway/check_extra7156

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7156="7.156"
+CHECK_TITLE_extra7156="[extra7156] Checks if API Gateway V2 has Access Logging enabled"
+CHECK_SCORED_extra7156="NOT_SCORED"
+CHECK_CIS_LEVEL_extra7156="EXTRA"
+CHECK_SEVERITY_extra7156="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7156="AwsApiGatewayV2Api"
+CHECK_ALTERNATE_check7156="extra7156"
+CHECK_SERVICENAME_extra7156="apigateway"
+CHECK_RISK_extra7156="If not enabled the logging of API calls is not possible. This information is important for monitoring API access."
+CHECK_REMEDIATION_extra7156="Enable Access Logging in the API stage."
+CHECK_DOC_extra7156="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigatewayv2-stage-accesslogsettings.html"
+CHECK_CAF_EPIC_extra7156="Logging and Monitoring"
+
+extra7156(){
+
+    # "Check if API Gateway V2 has Access Logging enabled "
+    for regx in $REGIONS; do
+        LIST_OF_API_GW=$($AWSCLI apigatewayv2 get-apis $PROFILE_OPT --region $regx --query Items[*].ApiId --output text 2>&1)
+        if [[ $(echo "$LIST_OF_API_GW" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "$regx: Access Denied trying to get APIs" "$regx"
+            continue
+        fi
+        if [[ $LIST_OF_API_GW ]];then
+            for apigwid in $LIST_OF_API_GW;do
+                API_GW_NAME=$($AWSCLI apigatewayv2 get-apis $PROFILE_OPT --region $regx --query "Items[?ApiId==\`$apigwid\`].Name" --output text)
+                CHECK_STAGES_NAME=$($AWSCLI apigatewayv2 get-stages $PROFILE_OPT --region $regx --api-id $apigwid --query "Items[*].StageName" --output text)
+                if [[ $CHECK_STAGES_NAME ]];then
+                    for stagename in $CHECK_STAGES_NAME;do
+                        CHECK_STAGE_METHOD_LOGGING=$($AWSCLI apigatewayv2 get-stages $PROFILE_OPT --region $regx --api-id $apigwid --query "Items[?StageName == \`$stagename\` ].AccessLogSettings.DestinationArn" --output text)
+                        if [[ $CHECK_STAGE_METHOD_LOGGING ]];then
+                            textPass "$regx: API Gateway V2 $API_GW_NAME ID: $apigwid with stage: $stagename has access logging enabled to $CHECK_STAGE_METHOD_LOGGING" "$regx" "$API_GW_NAME"
+                        else
+                            textFail "$regx: API Gateway V2 $API_GW_NAME ID: $apigwid with stage: $stagename has access logging disabled" "$regx" "$API_GW_NAME"
+                        fi
+                    done
+                else
+                textFail "$regx: No Stage name found for $API_GW_NAME" "$regx" "$API_GW_NAME"
+                fi
+            done
+        else
+            textInfo "$regx: No API Gateway found" "$regx"
+        fi
+    done
+}

providers/aws/services/apigateway/check_extra7157

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7157="7.157"
+CHECK_TITLE_extra7157="[extra7157] Check if API Gateway V2 has configured authorizers"
+CHECK_SCORED_extra7157="NOT_SCORED"
+CHECK_CIS_LEVEL_extra7157="EXTRA"
+CHECK_SEVERITY_extra7157="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7157="AwsApiGatewayV2Api"
+CHECK_ALTERNATE_check746="extra7157"
+CHECK_SERVICENAME_extra7157="apigateway"
+CHECK_RISK_extra7157='If no authorizer is enabled anyone can use the service.'
+CHECK_REMEDIATION_extra7157='Implement JWT or Lambda Function to control access to your API.'
+CHECK_DOC_extra7157='https://docs.aws.amazon.com/apigatewayv2/latest/api-reference/apis-apiid-authorizers.html'
+CHECK_CAF_EPIC_extra7157='IAM'
+
+extra7157(){
+  for regx in $REGIONS; do
+    LIST_OF_API_GW=$($AWSCLI apigatewayv2 get-apis $PROFILE_OPT --region $regx --query "Items[*].ApiId" --output text 2>&1)
+    if [[ $(echo "$LIST_OF_API_GW" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+        textInfo "$regx: Access Denied trying to get APIs" "$regx"
+        continue
+    fi
+    if [[ $LIST_OF_API_GW ]];then
+      for api in $LIST_OF_API_GW; do
+        API_GW_NAME=$($AWSCLI apigatewayv2 get-apis $PROFILE_OPT --region $regx --query "Items[?ApiId==\`$api\`].Name" --output text)
+        AUTHORIZER_CONFIGURED=$($AWSCLI apigatewayv2 --region $regx get-authorizers --api-id $api --query "Items[*].AuthorizerType" --output text)
+        if [[ $AUTHORIZER_CONFIGURED ]]; then
+           textPass "$regx: API Gateway V2 $API_GW_NAME ID $api has authorizer configured" "$regx" "$API_GW_NAME"
+        else
+           textFail "$regx: API Gateway V2 $API_GW_NAME ID $api has no authorizer configured" "$regx" "$API_GW_NAME"
+        fi
+      done
+    else
+      textInfo "$regx: No API Gateways found" "$regx"
+    fi
+  done
+}

providers/aws/services/apigateway/check_extra722

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra722="7.22"
+CHECK_TITLE_extra722="[extra722] Check if API Gateway has logging enabled"
+CHECK_SCORED_extra722="NOT_SCORED"
+CHECK_CIS_LEVEL_extra722="EXTRA"
+CHECK_SEVERITY_extra722="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra722="AwsApiGatewayRestApi"
+CHECK_ALTERNATE_check722="extra722"
+CHECK_SERVICENAME_extra722="apigateway"
+CHECK_RISK_extra722='If not enabled; monitoring of service use is not possible. Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.'
+CHECK_REMEDIATION_extra722='Monitoring is an important part of maintaining the reliability; availability; and performance of API Gateway and your AWS solutions. You should collect monitoring data from all of the parts of your AWS solution. CloudTrail provides a record of actions taken by a user; role; or an AWS service in API Gateway. Using the information collected by CloudTrail; you can determine the request that was made to API Gateway; the IP address from which the request was made; who made the request; etc.'
+CHECK_DOC_extra722='https://docs.aws.amazon.com/apigateway/latest/developerguide/security-monitoring.html'
+CHECK_CAF_EPIC_extra722='Logging and Monitoring'
+
+extra722(){
+  # "Check if API Gateway has logging enabled "
+  for regx in $REGIONS; do
+    LIST_OF_API_GW=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query items[*].id --output text 2>&1)
+    if [[ $(echo "$LIST_OF_API_GW" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
+        textInfo "$regx: Access Denied trying to get rest APIs" "$regx"
+        continue
+    fi
+    if [[ $LIST_OF_API_GW ]];then
+      for apigwid in $LIST_OF_API_GW;do
+        API_GW_NAME=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query "items[?id==\`$apigwid\`].name" --output text)
+        CHECK_STAGES_NAME=$($AWSCLI apigateway get-stages $PROFILE_OPT --region $regx --rest-api-id $apigwid --query "item[*].stageName" --output text)
+        if [[ $CHECK_STAGES_NAME ]];then
+          for stagname in $CHECK_STAGES_NAME;do
+            CHECK_STAGE_METHOD_LOGGING=$($AWSCLI apigateway get-stages $PROFILE_OPT --region $regx --rest-api-id $apigwid --query "item[?stageName == \`$stagname\` ].methodSettings" --output text |awk '{ print $6 }' |egrep 'ERROR|INFO')
+            if [[ $CHECK_STAGE_METHOD_LOGGING ]];then
+              textPass "$regx: API Gateway $API_GW_NAME ID $apigwid in $stagname has logging enabled as $CHECK_STAGE_METHOD_LOGGING" "$regx" "$API_GW_NAME"
+            else
+              textFail "$regx: API Gateway $API_GW_NAME ID $apigwid in $stagname has logging disabled" "$regx" "$API_GW_NAME"
+            fi
+          done
+        else
+           textFail "$regx: No Stage name found for $API_GW_NAME" "$regx" "$API_GW_NAME"
+        fi
+      done
+    else
+       textInfo "$regx: No API Gateway found" "$regx"
+    fi
+  done
+}

providers/aws/services/apigateway/check_extra743

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra743="7.43"
+CHECK_TITLE_extra743="[extra743] Check if API Gateway has client certificate enabled to access your backend endpoint"
+CHECK_SCORED_extra743="NOT_SCORED"
+CHECK_CIS_LEVEL_extra743="EXTRA"
+CHECK_SEVERITY_extra743="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra743="AwsApiGatewayRestApi"
+CHECK_ALTERNATE_check743="extra743"
+CHECK_SERVICENAME_extra743="apigateway"
+CHECK_RISK_extra743='Possible man in the middle attacks and other similar risks.'
+CHECK_REMEDIATION_extra743='Enable client certificate. Mutual TLS is recommended and commonly used for business-to-business (B2B) applications. It’s used in standards such as Open Banking. API Gateway now provides integrated mutual TLS authentication at no additional cost.'
+CHECK_DOC_extra743='https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/'
+CHECK_CAF_EPIC_extra743='Data Protection'
+
+extra743(){
+  for regx in $REGIONS; do
+    LIST_OF_REST_APIS=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-apis --query 'items[*].id' --output text 2>&1)
+    if [[ $(echo "$LIST_OF_REST_APIS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+        textInfo "$regx: Access Denied trying to get rest APIs" "$regx"
+        continue
+    fi
+    if [[ $LIST_OF_REST_APIS ]];then
+      for api in $LIST_OF_REST_APIS; do
+        API_GW_NAME=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query "items[?id==\`$api\`].name" --output text)
+        LIST_OF_STAGES=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-stages --rest-api-id $api --query 'item[*].stageName' --output text)
+        if [[ $LIST_OF_STAGES ]]; then
+          for stage in $LIST_OF_STAGES; do
+            CHECK_CERTIFICATE=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-stages --rest-api-id $api --query "item[?stageName==\`$stage\`].clientCertificateId" --output text)
+            if [[ $CHECK_CERTIFICATE ]]; then
+                textPass "$regx: API Gateway $API_GW_NAME ID $api in $stage has client certificate enabled" "$regx" "$API_GW_NAME"
+              else
+                textFail "$regx: API Gateway $API_GW_NAME ID $api in $stage has not client certificate enabled" "$regx" "$API_GW_NAME"
+            fi
+          done
+        fi
+      done
+    else
+      textInfo "$regx: No API Gateways found" "$regx"
+    fi
+  done
+}

providers/aws/services/apigateway/check_extra744

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra744="7.44"
+CHECK_TITLE_extra744="[extra744] Check if API Gateway has a WAF ACL attached"
+CHECK_SCORED_extra744="NOT_SCORED"
+CHECK_CIS_LEVEL_extra744="EXTRA"
+CHECK_SEVERITY_extra744="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra744="AwsApiGatewayRestApi"
+CHECK_ALTERNATE_check744="extra744"
+CHECK_ASFF_COMPLIANCE_TYPE_extra744="ens-mp.s.2.aws.waf.2"
+CHECK_SERVICENAME_extra744="apigateway"
+CHECK_RISK_extra744='Potential attacks and / or abuse of service; more even for even for internet reachable services.'
+CHECK_REMEDIATION_extra744='Use AWS WAF to protect your API Gateway API from common web exploits; such as SQL injection and cross-site scripting (XSS) attacks. These could affect API availability and performance; compromise security; or consume excessive resources.'
+CHECK_DOC_extra744='https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html'
+CHECK_CAF_EPIC_extra744='Infrastructure Security'
+
+extra744(){
+  for regx in $REGIONS; do
+    LIST_OF_REST_APIS=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-apis --query 'items[*].id' --output text 2>&1)
+    if [[ $(echo "$LIST_OF_REST_APIS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+        textInfo "$regx: Access Denied trying to get rest APIs" "$regx"
+        continue
+    fi
+    if [[ $LIST_OF_REST_APIS ]];then
+      for api in $LIST_OF_REST_APIS; do
+        API_GW_NAME=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query "items[?id==\`$api\`].name" --output text)
+        LIST_OF_STAGES=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-stages --rest-api-id $api --query 'item[*].stageName' --output text)
+        if [[ $LIST_OF_STAGES ]]; then
+          for stage in $LIST_OF_STAGES; do
+            CHECK_WAFACL=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-stages --rest-api-id $api --query "item[?stageName==\`$stage\`].webAclArn" --output text)
+            if [[ $CHECK_WAFACL ]]; then
+                textPass "$regx: API Gateway $API_GW_NAME ID $api in $stage has $CHECK_WAFACL WAF ACL attached" "$regx" "$API_GW_NAME"
+              else
+                textFail "$regx: API Gateway $API_GW_NAME ID $api in $stage has not WAF ACL attached" "$regx" "$API_GW_NAME"
+            fi
+          done
+        fi
+      done
+    else
+      textInfo "$regx: No API Gateways found" "$regx"
+    fi
+  done
+}

providers/aws/services/apigateway/check_extra745

@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra745="7.45"
+CHECK_TITLE_extra745="[extra745] Check if API Gateway endpoint is public or private"
+CHECK_SCORED_extra745="NOT_SCORED"
+CHECK_CIS_LEVEL_extra745="EXTRA"
+CHECK_SEVERITY_extra745="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra745="AwsApiGatewayRestApi"
+CHECK_ALTERNATE_check745="extra745"
+CHECK_SERVICENAME_extra745="apigateway"
+CHECK_RISK_extra745='If accessible from internet without restrictions opens up attack / abuse surface for any malicious user.'
+CHECK_REMEDIATION_extra745='Verify that any public Api Gateway is protected and audited. Detective controls for common risks should be implemented.'
+CHECK_DOC_extra745='https://d1.awsstatic.com/whitepapers/api-gateway-security.pdf?svrd_sip6'
+CHECK_CAF_EPIC_extra745='Infrastructure Security'
+
+extra745(){
+  for regx in $REGIONS; do
+    LIST_OF_REST_APIS=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-apis --query 'items[*].id' --output text 2>&1)
+    if [[ $(echo "$LIST_OF_REST_APIS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+        textInfo "$regx: Access Denied trying to get rest APIs" "$regx"
+        continue
+    fi
+    if [[ $LIST_OF_REST_APIS ]];then
+      for api in $LIST_OF_REST_APIS; do
+        API_GW_NAME=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query "items[?id==\`$api\`].name" --output text)
+        ENDPOINT_CONFIG_TYPE=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-api --rest-api-id $api --query endpointConfiguration.types --output text)
+        if [[ $ENDPOINT_CONFIG_TYPE ]]; then
+          case $ENDPOINT_CONFIG_TYPE in
+            PRIVATE )
+              textPass "$regx: API Gateway $API_GW_NAME ID $api is set as $ENDPOINT_CONFIG_TYPE" "$regx" "$API_GW_NAME"
+            ;;
+            REGIONAL )
+              textFail "$regx: API Gateway $API_GW_NAME ID $api is internet accesible as $ENDPOINT_CONFIG_TYPE" "$regx" "$API_GW_NAME"
+            ;;
+            EDGE )
+              textFail "$regx: API Gateway $API_GW_NAME ID $api is internet accesible as $ENDPOINT_CONFIG_TYPE" "$regx" "$API_GW_NAME"
+          esac
+        fi
+      done
+    else
+      textInfo "$regx: No API Gateways found" "$regx"
+    fi
+  done
+}

providers/aws/services/apigateway/check_extra746

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra746="7.46"
+CHECK_TITLE_extra746="[extra746] Check if API Gateway has configured authorizers"
+CHECK_SCORED_extra746="NOT_SCORED"
+CHECK_CIS_LEVEL_extra746="EXTRA"
+CHECK_SEVERITY_extra746="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra746="AwsApiGatewayRestApi"
+CHECK_ALTERNATE_check746="extra746"
+CHECK_SERVICENAME_extra746="apigateway"
+CHECK_RISK_extra746='If no authorizer is enabled anyone can use the service.'
+CHECK_REMEDIATION_extra746='Implement Amazon Cognito or a Lambda function to control access to your API.'
+CHECK_DOC_extra746='https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html'
+CHECK_CAF_EPIC_extra746='IAM'
+
+extra746(){
+  for regx in $REGIONS; do
+    LIST_OF_REST_APIS=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-rest-apis --query 'items[*].id' --output text 2>&1)
+    if [[ $(echo "$LIST_OF_REST_APIS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+        textInfo "$regx: Access Denied trying to get rest APIs" "$regx"
+        continue
+    fi
+    if [[ $LIST_OF_REST_APIS ]];then
+      for api in $LIST_OF_REST_APIS; do
+        API_GW_NAME=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query "items[?id==\`$api\`].name" --output text)
+        AUTHORIZER_CONFIGURED=$($AWSCLI $PROFILE_OPT --region $regx apigateway get-authorizers --rest-api-id $api --query items[*].type --output text)
+        if [[ $AUTHORIZER_CONFIGURED ]]; then
+           textPass "$regx: API Gateway $API_GW_NAME ID $api has authorizer configured" "$regx" "$API_GW_NAME"
+        else
+           textFail "$regx: API Gateway $API_GW_NAME ID $api has not authorizer configured" "$regx" "$API_GW_NAME"
+        fi
+      done
+    else
+      textInfo "$regx: No API Gateways found" "$regx"
+    fi
+  done
+}