From 5e6ca031ae3bfecc5390e5890a0ac7509387620d Mon Sep 17 00:00:00 2001
From: khushboosharma
Date: Wed, 17 Jan 2024 14:07:43 +0530
Subject: [PATCH] add principal to the resource policy graphs #318
---
 dashboards/iam/iam.sp | 6 +++
 dashboards/iam/iam_edges.sp | 75 +++++++++++++++++++++++++++
 dashboards/iam/iam_nodes.sp | 17 ++++++
 dashboards/iam/iam_resource_policy.sp | 20 +++++--
 4 files changed, 115 insertions(+), 3 deletions(-)
diff --git a/dashboards/iam/iam.sp b/dashboards/iam/iam.sp
index e92c1258..1c2e2d8e 100644
--- a/dashboards/iam/iam.sp
+++ b/dashboards/iam/iam.sp
@@ -49,6 +49,12 @@ category "iam_policy_action" {
 icon = "electric_bolt"
 }
+category "iam_policy_principal" {
+ title = "IAM Policy Principal"
+ color = local.iam_color
+ icon = "person"
+}
+
 category "iam_policy_condition" {
+ title = "IAM Policy Condition"
+ color = local.iam_color
diff --git a/dashboards/iam/iam_edges.sp b/dashboards/iam/iam_edges.sp
index b459f5ec..db83538a 100644
--- a/dashboards/iam/iam_edges.sp
+++ b/dashboards/iam/iam_edges.sp
@@ -110,6 +110,81 @@ edge "iam_policy_statement" {
 param "iam_policy_arns" {}
 }
+edge "iam_policy_statement_principal" {
+ title = "principal"
+ sql = <<-EOQ
+
+ select
+ --distinct on (p.arn,action)
+ concat('principal:', principal) to_id,
+ concat('statement:', i) as from_id
+ from
+ jsonb_array_elements(($1 :: jsonb) -> 'Statement') with ordinality as t(stmt,i),
+ jsonb_array_elements_text(
+ jsonb_path_query_array((t.stmt :: jsonb), '$.Principal.*')
+ ) as principal
+ EOQ
+
+ param "iam_policy_stds" {}
+}
+
+edge "iam_resource_policy_statement_action" {
+ title = "action"
+ sql = <<-EOQ
+
+ select
+ concat('principal:', principal) as from_id,
+ concat('action:', action) as to_id
+ from
+ jsonb_array_elements(($1 :: jsonb) -> 'Statement') with ordinality as t(stmt,i),
+ jsonb_array_elements_text(
+ jsonb_path_query_array((t.stmt :: jsonb), '$.Principal.*')
+ ) as principal,
+ jsonb_array_elements_text(t.stmt -> 'Action') as action
+ EOQ
+
+ param "iam_policy_stds" {}
+}
+
+edge "iam_resource_policy_statement_condition" {
+ title = "condition"
+ sql = <<-EOQ
+
+ select
+ concat('statement:', i, ':condition:', condition.key) as to_id,
+ concat('principal:', principal) as from_id
+ from
+ jsonb_array_elements(($1 :: jsonb) -> 'Statement') with ordinality as t(stmt,i),
+ jsonb_array_elements_text(
+ jsonb_path_query_array((t.stmt :: jsonb), '$.Principal.*')
+ ) as principal,
+ jsonb_each(t.stmt -> 'Condition') as condition
+ where
+ stmt -> 'Condition' <> 'null'
+ EOQ
+
+ param "iam_policy_stds" {}
+}
+
+edge "iam_resource_policy_statement_notaction" {
+ sql = <<-EOQ
+
+ select
+ concat('action:', notaction) as to_id,
+ concat('principal:', principal) as from_id,
+ concat(lower(t.stmt ->> 'Effect'), ' not action') as title,
+ lower(t.stmt ->> 'Effect') as category
+ from
+ jsonb_array_elements(($1 :: jsonb) -> 'Statement') with ordinality as t(stmt,i),
+ jsonb_array_elements_text(
+ jsonb_path_query_array((t.stmt :: jsonb), '$.Principal.*')
+ ) as principal,
+ jsonb_array_elements_text(t.stmt -> 'NotAction') as notaction
+ EOQ
+
+ param "iam_policy_stds" {}
+}
+
 edge "iam_policy_statement_action" {
 //title = "allows"
 sql = <<-EOQ
diff --git a/dashboards/iam/iam_nodes.sp b/dashboards/iam/iam_nodes.sp
index e00c0130..4ba2b60e 100644
--- a/dashboards/iam/iam_nodes.sp
+++ b/dashboards/iam/iam_nodes.sp
@@ -126,6 +126,23 @@ node "iam_policy_statement" {
 param "iam_policy_stds" {}
 }
+node "iam_policy_statement_principal" {
+ category = category.iam_policy_principal
+
+ sql = <<-EOQ
+ select
+ concat('principal:', principal ) as id,
+ case when principal = '*' then principal || ' [All principal]' else principal end as title
+ from
+ jsonb_array_elements(($1 :: jsonb) -> 'Statement') with ordinality as t(stmt,i),
+ jsonb_array_elements_text(
+ jsonb_path_query_array(($1 :: jsonb), '$.Statement[*].Principal.*')
+ ) as principal
+ EOQ
+
+ param "iam_policy_stds" {}
+}
+
 node "iam_policy_statement_action_notaction" {
 category = category.iam_policy_action
diff --git a/dashboards/iam/iam_resource_policy.sp b/dashboards/iam/iam_resource_policy.sp
index cc026d34..a17db8a2 100644
--- a/dashboards/iam/iam_resource_policy.sp
+++ b/dashboards/iam/iam_resource_policy.sp
@@ -32,6 +32,13 @@ graph "iam_resource_policy_structure" {
 }
 }
+ node {
+ base = node.iam_policy_statement_principal
+ args = {
+ iam_policy_stds = param.policy_std
+ }
+ }
+
 node {
 base = node.iam_policy_statement_action_notaction
 args = {
@@ -68,14 +75,21 @@ graph "iam_resource_policy_structure" {
 }
 edge {
- base = edge.iam_policy_statement_action
+ base = edge.iam_policy_statement_principal
+ args = {
+ iam_policy_stds = param.policy_std
+ }
+ }
+
+ edge {
+ base = edge.iam_resource_policy_statement_action
 args = {
 iam_policy_stds = param.policy_std
 }
 }
 edge {
- base = edge.iam_policy_statement_condition
+ base = edge.iam_resource_policy_statement_condition
 args = {
 iam_policy_stds = param.policy_std
 }
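Review bot: All four new edges in this hunk take their principals from `jsonb_path_query_array((t.stmt :: jsonb), '$.Principal.*')`, and that member wildcard yields nothing (in the default lax jsonpath mode) when `Principal` is the bare string `"*"` rather than an object, so a statement written in that form, the one that opens the resource to everyone, gets no principal row and its action, not-action and condition edges are silently absent from the graph; whether the standardized policy passed as `$1` has already rewritten the string form into an `{"AWS": ...}` object is not visible here and should be confirmed before relying on it. A guard that covers both shapes is `case when jsonb_typeof(t.stmt -> 'Principal') = 'string' then jsonb_build_array(t.stmt -> 'Principal') else jsonb_path_query_array(t.stmt, '$.Principal.*') end` in place of the `jsonb_path_query_array(...)` call, and the node query in the iam_nodes.sp hunk has the same gap. Statements that carry `NotPrincipal` or no `Principal` at all also produce no rows here, and since the iam_resource_policy.sp hunks swap the statement-to-action and statement-to-condition edges for these principal-anchored ones, such statements appear to lose every outgoing edge, so a statement-level fallback edge would keep them visible. Separately, in `iam_policy_statement_principal` the commented-out `--distinct on (p.arn,action)` refers to an alias `p` that does not exist in this query and should be removed, and `concat('principal:', principal) to_id` is missing the `as` its sibling column uses.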
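Review bot: In `iam_policy_statement_principal` the `from` clause cross-joins every statement, `jsonb_array_elements(($1 :: jsonb) -> 'Statement') with ordinality as t(stmt,i)`, with the principals of the whole policy taken from `'$.Statement[*].Principal.*'`, yet neither `t` nor `i` is referenced, so each `principal:<name>` id is emitted once per statement, on top of the repeat a principal already gets when it appears in several statements. Dropping the unused statement source and writing `select distinct` over the `jsonb_array_elements_text(jsonb_path_query_array(($1 :: jsonb), '$.Statement[*].Principal.*')) as principal` source alone yields one row per distinct id; alternatively extract from `t.stmt` with the same path the edge queries use, which keeps node ids aligned with them. Whether the dashboard merges duplicate node ids is not visible from this hunk, but the extra rows are at best wasted work and at worst a rendering error.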
@@ -96,7 +110,7 @@ graph "iam_resource_policy_structure" {
 }
 edge {
- base = edge.iam_policy_statement_notaction
+ base = edge.iam_resource_policy_statement_notaction
 args = {
 iam_policy_stds = param.policy_std
 }