zift 0.2.2

Scan codebases for embedded authorization logic and generate Policy as Code (Rego/OPA today)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89

[rule]
id = "java-ownership-check"
languages = ["java"]
category = "ownership"
confidence = "medium"
description = "Resource ownership comparison where at least one side names a principal-flavored getter (e.g., getUserId().equals(resource.getOwnerId()))"
query = """
(method_invocation
  object: (method_invocation
    name: (identifier) @getter)
  name: (identifier) @method_name
  arguments: (argument_list
    (method_invocation
      name: (identifier) @other_getter))
) @match
"""

[rule.predicates.getter]
match = "(?i)^(getId|getUserId|getOwnerId|getCreatedBy|getAuthorId)$"

[rule.predicates.method_name]
eq = "equals"

[rule.predicates.other_getter]
match = "(?i)^(getId|getUserId|getOwnerId|getCreatedBy|getAuthorId)$"

# At least one side of the equality must name a principal-flavored getter.
# Without this, `record.getId().equals(other.getId())` (record filtering /
# dedup) trips the rule even though no user-vs-resource comparison is
# happening. See issue #19.
[[rule.cross_predicates]]
kind = "any_match"
captures = ["getter", "other_getter"]
match = "(?i)^(getUserId|getOwnerId|getCreatedBy|getAuthorId)$"

[[rule.tests]]
input = """
public class Service {
    public void check() {
        if (user.getUserId().equals(resource.getOwnerId())) { allow(); }
    }
}
"""
expect_match = true

[[rule.tests]]
input = """
public class Service {
    public void check() {
        if (user.getName().equals(other.getName())) { compare(); }
    }
}
"""
expect_match = false

# Reverse-side TP: principal getter on the right, plain getId on the left.
[[rule.tests]]
input = """
public class Service {
    public void check() {
        if (record.getId().equals(other.getOwnerId())) { allow(); }
    }
}
"""
expect_match = true

# FP from issue #19: filtering records out of a set in audit code —
# both sides are bare `getId()`, no principal involved.
[[rule.tests]]
input = """
public class AuditFileQueueSpool {
    public void check() {
        if (record.getId().equals(indexRecord.getId())) { skip(); }
    }
}
"""
expect_match = false

# FP from issue #19: validating a permission isn't duplicated — again,
# both sides are bare `getId()`.
[[rule.tests]]
input = """
public class XUserPermissionServiceBase {
    public void check() {
        if (xUserPerm.getId().equals(mObj.getId())) { skip(); }
    }
}
"""
expect_match = false