#!/usr/bin/env bash

# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra760="7.60"
CHECK_TITLE_extra760="[extra760] Find secrets in Lambda functions code "
CHECK_SCORED_extra760="NOT_SCORED"
CHECK_CIS_LEVEL_extra760="EXTRA"
CHECK_SEVERITY_extra760="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra760="AwsLambdaFunction"
CHECK_ALTERNATE_check760="extra760"
CHECK_SERVICENAME_extra760="lambda"
CHECK_RISK_extra760='The use of a hard-coded password increases the possibility of password guessing.  If hard-coded passwords are used; it is possible that malicious users gain access through the account in question.'
CHECK_REMEDIATION_extra760='Use Secrets Manager to securely provide database credentials to Lambda functions and secure the databases as well as use the credentials to connect and query them without hardcoding the secrets in code or passing them through environmental variables. '
CHECK_DOC_extra760='https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html'
CHECK_CAF_EPIC_extra760='IAM'

extra760(){
  SECRETS_TEMP_FOLDER="${PROWLER_DIR}/secrets-${ACCOUNT_NUM}-${PROWLER_START_TIME}"
  if [[ ! -d "${SECRETS_TEMP_FOLDER}" ]]; then
    # this folder is deleted once this check is finished
    mkdir "${SECRETS_TEMP_FOLDER}"
  fi

  for regx in ${REGIONS}; do
    CHECK_DETECT_SECRETS_INSTALLATION=$(secretsDetector)
    if [[ $? -eq 241 ]]; then
      textInfo "$regx: python library detect-secrets not found. Make sure it is installed correctly." "$regx"
    else
      LIST_OF_FUNCTIONS=$("${AWSCLI}" lambda list-functions ${PROFILE_OPT} --region "${regx}" --query 'Functions[*].FunctionName' --output text 2>&1)
      if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${LIST_OF_FUNCTIONS}"; then
        textInfo "${regx}: Access Denied trying to list Lambda functions" "${regx}"
        continue
      fi
      if [[ -n "${LIST_OF_FUNCTIONS}" && $(tr '[:upper:]' '[:lower:]' <<< "${LIST_OF_FUNCTIONS}") != "none" ]]; then
        for lambdafunction in ${LIST_OF_FUNCTIONS}; do
          LAMBDA_FUNCTION_FOLDER="${SECRETS_TEMP_FOLDER}/extra760-${lambdafunction}-${regx}"
          LAMBDA_FUNCTION_FILE="${lambdafunction}-code.zip"
          LAMBDA_CODE_LOCATION=$("${AWSCLI}" lambda get-function ${PROFILE_OPT} --region "${regx}" --function-name "${lambdafunction}" --query 'Code.Location' --output text 2>&1)
          if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${LAMBDA_CODE_LOCATION}"; then
            textInfo "${regx}: Access Denied trying to get Lambda functions" "${regx}" "${lambdafunction}"
            continue
          fi

          mkdir "${LAMBDA_FUNCTION_FOLDER}"

          # DOWNLOAD the code in a zip file
          CURL_ERROR=$(curl -s --show-error "${LAMBDA_CODE_LOCATION}" -o "${LAMBDA_FUNCTION_FOLDER}/${LAMBDA_FUNCTION_FILE}" 2>&1)
          if [[ -n "${CURL_ERROR}" ]]; then
            textInfo "${regx}: Error trying to get Lambda function code for ${lambdafunction} - ${CURL_ERROR}" "${regx}" "${lambdafunction}"
            # delete files to not leave trace, user must look at the function
            if [[ -d "${LAMBDA_FUNCTION_FOLDER}" ]]; then
              rm -fr "${LAMBDA_FUNCTION_FOLDER}"
            fi
            continue
          fi
          if ! grep -q 'Zip archive data' <(file "${LAMBDA_FUNCTION_FOLDER}/${LAMBDA_FUNCTION_FILE}"); then
            textInfo "${regx}: Error trying to get Lambda function code for ${lambdafunction}. File is not a Zip" "${regx}" "${lambdafunction}"
            # delete files to not leave trace, user must look at the function
            if [[ -d "${LAMBDA_FUNCTION_FOLDER}" ]]; then
              rm -fr "${LAMBDA_FUNCTION_FOLDER}"
            fi
            continue
          fi

          unzip -qq "${LAMBDA_FUNCTION_FOLDER}/${LAMBDA_FUNCTION_FILE}" -d "${LAMBDA_FUNCTION_FOLDER}" && {
            FINDINGS=$(secretsDetector folder "${LAMBDA_FUNCTION_FOLDER}")
            if [[ ${FINDINGS} -eq 0 ]]; then
              textPass "${regx}: No secrets found in Lambda function ${lambdafunction} code" "${regx}" "${lambdafunction}"
            else
              textFail "${regx}: Potential secret found in Lambda function ${lambdafunction} code" "${regx}" "${lambdafunction}"
            fi
          }

          # delete files to not leave trace, user must look at the function
          if [[ -d "${LAMBDA_FUNCTION_FOLDER}" ]]; then
            rm -fr "${LAMBDA_FUNCTION_FOLDER}"
          fi
        done
      else
        textInfo "${regx}: No Lambda functions found" "${regx}"
      fi
    fi
  done

  if [[ -d "${SECRETS_TEMP_FOLDER}" ]]; then
    rm -fr "${SECRETS_TEMP_FOLDER}"
  fi
}