Merge pull request #3 from GitHubSecurityLab/vault

feat: Add KeyVault framework support

Author: GeekMasher

ql/lib/codeql/bicep/Frameworks.qll

@@ -1,4 +1,5 @@
 import frameworks.Microsoft.Compute
 import frameworks.Microsoft.Network
 import frameworks.Microsoft.Storage
-import frameworks.Microsoft.Databases
+import frameworks.Microsoft.Databases
+import frameworks.Microsoft.KeyVault

ql/lib/codeql/bicep/frameworks/Microsoft/KeyVault.qll

@@ -0,0 +1,162 @@
+private import bicep
+private import codeql.bicep.Concepts
+private import Network
+
+module KeyVault {
+  class VaultResource extends Resource {
+    /**
+     * Constructs a VaultResource for any Microsoft.KeyVault resource type.
+     */
+    VaultResource() { this.getResourceType().regexpMatch("^Microsoft.KeyVault/.*") }
+
+    string tenantId() { result = this.getProperties().getTenantId().getValue() }
+
+    KeyVaultProperties::Properties getProperties() { result = this.getProperty("properties") }
+
+    KeyVaultProperties::AccessPolicy getAccessPolicies() {
+      result = this.getProperties().getAccessPolicies()
+    }
+
+    Network::NetworkAcl getNetworkAcls() {
+      result = this.getProperties().getNetworkAcls()
+    }
+
+    override string toString() { result = "Key Vault Resource" }
+  }
+
+  class PublicVaultResource extends PublicResource {
+    private VaultResource vaultResource;
+
+    /**
+     * Constructs a PublicVaultResource for any Microsoft.KeyVault resource type
+     * that has public network access enabled.
+     */
+    PublicVaultResource() {
+      vaultResource.getProperties().publicNetworkAccess() = "Enabled" and
+      this = vaultResource
+    }
+
+    override Expr getPublicAccessProperty() {
+      result = vaultResource.getProperties().getPublicNetworkAccess()
+    }
+
+    override string toString() { result = "Public Key Vault Resource" }
+  }
+
+  module KeyVaultProperties {
+    /**
+     * The properties object for the Microsoft.KeyVault/vaults type.
+     */
+    class Properties extends Object {
+      private VaultResource vaultResource;
+
+      /**
+       * Constructs a Properties object for the given Key Vault resource.
+       */
+      Properties() { this = vaultResource.getProperty("properties") }
+
+      /**
+       * Returns the parent VaultResource.
+       */
+      VaultResource getVaultResource() { result = vaultResource }
+
+      StringLiteral getTenantId() { result = this.getProperty("tenantId") }
+
+      string tenantId() { result = this.getTenantId().getValue() }
+
+      StringLiteral getCreateMode() { result = this.getProperty("createMode") }
+
+      string createMode() { result = this.getCreateMode().getValue() }
+
+      Boolean getEnabledForDeployment() { result = this.getProperty("enabledForDeployment") }
+
+      boolean enabledForDeployment() { result = this.getEnabledForDeployment().getBool() }
+
+      Boolean getEnabledForDiskEncryption() {
+        result = this.getProperty("enabledForDiskEncryption")
+      }
+
+      boolean enabledForDiskEncryption() { result = this.getEnabledForDiskEncryption().getBool() }
+
+      Boolean getEnabledForTemplateDeployment() {
+        result = this.getProperty("enabledForTemplateDeployment")
+      }
+
+      boolean enabledForTemplateDeployment() {
+        result = this.getEnabledForTemplateDeployment().getBool()
+      }
+
+      Boolean getSoftDeleteEnabled() { result = this.getProperty("softDeleteEnabled") }
+
+      boolean softDeleteEnabled() { result = this.getSoftDeleteEnabled().getBool() }
+
+      Boolean getPurgeProtectionEnabled() { result = this.getProperty("purgeProtectionEnabled") }
+
+      boolean purgeProtectionEnabled() { result = this.getPurgeProtectionEnabled().getBool() }
+
+      StringLiteral getPublicNetworkAccess() { result = this.getProperty("publicNetworkAccess") }
+
+      string publicNetworkAccess() { result = this.getPublicNetworkAccess().getValue() }
+
+      Network::NetworkAcl getNetworkAcls() {
+        result = this.getProperty("networkAcls")
+      }
+
+      AccessPolicy getAccessPolicies() {
+        result = this.getProperty("accessPolicies").(Array).getElements()
+      }
+
+      AccessPolicy getAccessPolicy(int index) {
+        result = this.getProperty("accessPolicies").(Array).getElement(index)
+      }
+    }
+
+    class AccessPolicy extends Object {
+      private KeyVaultProperties::Properties properties;
+
+      /**
+       * Constructs an AccessPolicy object for the given Key Vault properties.
+       */
+      AccessPolicy() { this = properties.getProperty("accessPolicies").(Array).getElements() }
+
+      /**
+       * Returns the tenant ID of the access policy.
+       */
+      string getTenantId() { result = this.getProperty("tenantId").(StringLiteral).getValue() }
+
+      /**
+       * Returns the object ID of the access policy.
+       */
+      string getObjectId() { result = this.getProperty("objectId").(StringLiteral).getValue() }
+
+      string toString() { result = "AccessPolicy" }
+    }
+
+    class AccessPolicyPermissions extends Object {
+      private AccessPolicy accessPolicy;
+
+      /**
+       * Constructs an AccessPolicyPermissions object for the given access policy.
+       */
+      AccessPolicyPermissions() { this = accessPolicy.getProperty("permissions") }
+
+      Array getCertificates() { result = this.getProperty("certificates") }
+
+      StringLiteral getCertificate(int index) { result = this.getCertificates().getElement(index) }
+
+      Array getKeys() { result = this.getProperty("keys") }
+
+      StringLiteral getKey(int index) { result = this.getKeys().getElement(index) }
+
+      Array getSecrets() { result = this.getProperty("secrets") }
+
+      StringLiteral getSecret(int index) { result = this.getSecrets().getElement(index) }
+
+      Array getStorages() { result = this.getProperty("storage") }
+
+      StringLiteral getStorage(int index) { result = this.getStorages().getElement(index) }
+
+      string toString() { result = "AccessPolicyPermissions" }
+    }
+  }
+}

ql/lib/codeql/bicep/frameworks/Microsoft/Network.qll

@@ -112,6 +112,62 @@ module Network {
     }
   }
 
+
+  class NetworkAcl extends Object {
+    private Resource resource;
+
+    NetworkAcl() {
+      exists(Object props |
+        props = resource.getProperty("properties") and
+        this = props.getProperty(["networkAcl", "networkAcls"])
+      )
+    }
+
+    Resource getResource() { result = resource }
+
+    StringLiteral getBypass() {
+      result = this.getProperty("bypass")
+    }
+
+    string bypass() {
+      result = this.getBypass().getValue()
+    }
+
+    StringLiteral getDefaultAction() {
+      result = this.getProperty("defaultAction")
+    }
+
+    string defaultAction() {
+      result = this.getDefaultAction().getValue()
+    }
+
+    IpRule getIpRules() {
+      result = this.getProperty("ipRules").(Array).getElements()
+    }
+
+    string toString() {
+      result = "Network ACL"
+    }
+  }
+
+  class IpRule extends Object {
+    private NetworkAcl acl;
+
+    IpRule() {
+      this = acl.getProperty("ipRules").(Array).getElements()
+    }
+
+    NetworkAcl getNetworkAcl() { result = acl }
+
+    StringLiteral getValue() {
+      result = this.getProperty("value")
+    }
+
+    string toString() {
+      result = "IP Rule"
+    }
+  }
+
   module VirtualNetworkProperties {
     /**
      * The properties object for the Microsoft.Network/virtualNetworks/subnets type.

ql/test/library-tests/frameworks/vaults/Vaults.expected

@@ -0,0 +1,7 @@
+keyvault
+| app.bicep:1:1:51:1 | Key Vault Resource |
+keyvaultPolicies
+| app.bicep:1:1:51:1 | Key Vault Resource | app.bicep:11:7:19:7 | AccessPolicy |
+| app.bicep:1:1:51:1 | Key Vault Resource | app.bicep:20:7:28:7 | AccessPolicy |
+keyvaultNetworkAcls
+| app.bicep:1:1:51:1 | Key Vault Resource | app.bicep:36:18:49:5 | Network ACL |

ql/test/library-tests/frameworks/vaults/Vaults.ql

@@ -0,0 +1,15 @@
+import bicep
+
+query predicate keyvault(KeyVault::VaultResource vault) { any() }
+
+query predicate keyvaultPolicies(
+  KeyVault::VaultResource vault, KeyVault::KeyVaultProperties::AccessPolicy policy
+) {
+  policy = vault.getAccessPolicies()
+}
+
+query predicate keyvaultNetworkAcls(
+  KeyVault::VaultResource vault, Network::NetworkAcl networkAcl
+) {
+  networkAcl = vault.getNetworkAcls()
+}

ql/test/library-tests/frameworks/vaults/app.bicep

@@ -0,0 +1,51 @@
+resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
+  name: 'mykeyvault'
+  location: 'eastus'
+  properties: {
+    tenantId: '00000000-0000-0000-0000-000000000000'
+    sku: {
+      family: 'A'
+      name: 'standard'
+    }
+    accessPolicies: [
+      {
+        tenantId: '00000000-0000-0000-0000-000000000000'
+        objectId: '11111111-1111-1111-1111-111111111111'
+        permissions: {
+          keys: [ 'get', 'list' ]
+          secrets: [ 'get' ]
+          certificates: []
+        }
+      },
+      {
+        tenantId: '00000000-0000-0000-0000-000000000000'
+        objectId: '22222222-2222-2222-2222-222222222222'
+        permissions: {
+          keys: [ 'get' ]
+          secrets: [ 'get', 'set' ]
+          certificates: [ 'get' ]
+        }
+      }
+    ]
+    enabledForDeployment: false
+    enabledForDiskEncryption: false
+    enabledForTemplateDeployment: false
+    enableSoftDelete: true
+    enablePurgeProtection: true
+    publicNetworkAccess: 'Disabled' // Recommended: restrict public access
+    networkAcls: {
+      bypass: 'AzureServices'
+      defaultAction: 'Deny'
+      ipRules: [
+        {
+          value: '203.0.113.0/24'
+        }
+      ]
+      virtualNetworkRules: [
+        {
+          id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.Network/virtualNetworks/myvnet/subnets/mysubnet'
+        }
+      ]
+    }
+  }
+}