From aa7a8c0d9ae12b29a79bf14f5d4c7f0d6645e5e8 Mon Sep 17 00:00:00 2001
From: Saurabh Chakraborthy
Date: Fri, 17 Nov 2023 22:17:41 +0530
Subject: [PATCH] Add 'non-compliant' and 'compliant' samples for aws-missing-encryption-cdk@v1.0 and missing-authentication-for-critical-function-cdk@v1.0

---
 .../aws_missing_encryption_cdk_compliant.py | 15 +++++++++++++++
 .../aws_missing_encryption_cdk_noncompliant.py | 14 ++++++++++++++
 ...ication_for_critical_function_cdk_compliant.py | 14 ++++++++++++++
 ...tion_for_critical_function_cdk_noncompliant.py | 15 +++++++++++++++
 4 files changed, 58 insertions(+)
 create mode 100644 src/python/detectors/aws_missing_encryption_cdk/aws_missing_encryption_cdk_compliant.py
 create mode 100644 src/python/detectors/aws_missing_encryption_cdk/aws_missing_encryption_cdk_noncompliant.py
 create mode 100644 src/python/detectors/missing_authentication_for_critical_function_cdk/missing_authentication_for_critical_function_cdk_compliant.py
 create mode 100644 src/python/detectors/missing_authentication_for_critical_function_cdk/missing_authentication_for_critical_function_cdk_noncompliant.py

diff --git a/src/python/detectors/aws_missing_encryption_cdk/aws_missing_encryption_cdk_compliant.py b/src/python/detectors/aws_missing_encryption_cdk/aws_missing_encryption_cdk_compliant.py
new file mode 100644
index 0000000..722b583
--- /dev/null
+++ b/src/python/detectors/aws_missing_encryption_cdk/aws_missing_encryption_cdk_compliant.py
@@ -0,0 +1,15 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact rule=aws-missing-encryption-cdk@v1.0 defects=0}
+import aws_cdk as cdk
+from aws_cdk import aws_sqs as sqs
+
+
+class Stack(cdk.Stack):
+
+    def missing_encryption_compliant(self):
+        # Compliant: encryption present
+        encrypted_queue = sqs.Queue(self, 'encrypted_queue',
+                                    encryption=sqs.QueueEncryption.KMS_MANAGED)
+# {/fact}
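Review bot: The comment `# Compliant: encryption present` above the `sqs.Queue(...)` call does not say which encryption mode the sample exercises, which matters for a detector test because `sqs.QueueEncryption.KMS_MANAGED` selects server-side encryption with the AWS-managed SQS key rather than a customer-managed key. Suggest `# Compliant: server-side encryption enabled explicitly (AWS-managed KMS key, sqs.QueueEncryption.KMS_MANAGED)` so a reader knows this sample covers one accepted mode and not the customer-managed-key variant. If the detector also accepts the customer-managed variant (`encryption=sqs.QueueEncryption.KMS` with an `encryption_master_key`), a second compliant sample would document that, but I cannot tell from this hunk whether the rule covers it.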
diff --git a/src/python/detectors/aws_missing_encryption_cdk/aws_missing_encryption_cdk_noncompliant.py b/src/python/detectors/aws_missing_encryption_cdk/aws_missing_encryption_cdk_noncompliant.py
new file mode 100644
index 0000000..ffcf597
--- /dev/null
+++ b/src/python/detectors/aws_missing_encryption_cdk/aws_missing_encryption_cdk_noncompliant.py
@@ -0,0 +1,14 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact rule=aws-missing-encryption-cdk@v1.0 defects=1}
+import aws_cdk as cdk
+from aws_cdk import aws_sqs as sqs
+
+
+class Stack(cdk.Stack):
+
+    def missing_encryption_noncompliant(self):
+        # Noncompliant: missing encryption
+        unencrypted_queue = sqs.Queue(self, 'unencrypted_queue')
+# {/fact}
diff --git a/src/python/detectors/missing_authentication_for_critical_function_cdk/missing_authentication_for_critical_function_cdk_compliant.py b/src/python/detectors/missing_authentication_for_critical_function_cdk/missing_authentication_for_critical_function_cdk_compliant.py
new file mode 100644
index 0000000..c1d6213
--- /dev/null
+++ b/src/python/detectors/missing_authentication_for_critical_function_cdk/missing_authentication_for_critical_function_cdk_compliant.py
@@ -0,0 +1,14 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact rule=missing-authentication-for-critical-function-cdk@v1.0 defects=0}
+import aws_cdk as cdk
+from aws_cdk import aws_s3 as s3
+
+
+class S3Stack(cdk.Stack):
+
+    def missing_authentication_compliant(self):
+        # Compliant: bucket is private
+        public_bucket = s3.Bucket(self, 'bucket')
+# {/fact}
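Review bot: The noncompliant line `unencrypted_queue = sqs.Queue(self, 'unencrypted_queue')` and its comment `# Noncompliant: missing encryption` assert more than the code shows: what is missing is an explicit `encryption=` argument, and whether the resulting queue is actually unencrypted depends on the CDK version's default for that property (recent CDK releases document SSE-SQS as the default for new queues, if I recall correctly). Since this file is the detector's positive test case, the comment should state the condition the rule actually matches, e.g. `# Noncompliant: encryption not configured explicitly; relies on the service default`, and the variable name `unencrypted_queue` could follow (`default_encryption_queue`). Otherwise a maintainer may read the sample as a claim that the deployed queue is plaintext.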
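Review bot: In the compliant sample the variable is named `public_bucket` while the comment directly above it reads `# Compliant: bucket is private`; the name contradicts the intent of the example and looks copied from the noncompliant file. Rename it, `private_bucket = s3.Bucket(self, 'bucket')`, so the compliant and noncompliant samples differ in more than the trailing `grant_public_access()` call. Consider also making the compliant case assert the property rather than rely on the absence of a grant, e.g. `s3.Bucket(self, 'bucket', block_public_access=s3.BlockPublicAccess.BLOCK_ALL)`, provided the detector still reports `defects=0` for it — I cannot verify the rule's matching from this hunk.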
diff --git a/src/python/detectors/missing_authentication_for_critical_function_cdk/missing_authentication_for_critical_function_cdk_noncompliant.py b/src/python/detectors/missing_authentication_for_critical_function_cdk/missing_authentication_for_critical_function_cdk_noncompliant.py
new file mode 100644
index 0000000..7d291b1
--- /dev/null
+++ b/src/python/detectors/missing_authentication_for_critical_function_cdk/missing_authentication_for_critical_function_cdk_noncompliant.py
@@ -0,0 +1,15 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact rule=missing-authentication-for-critical-function-cdk@v1.0 defects=1}
+import aws_cdk as cdk
+from aws_cdk import aws_s3 as s3
+
+
+class S3Stack(cdk.Stack):
+
+    def missing_authentication_noncompliant(self):
+        # Noncompliant: bucket made public
+        public_bucket = s3.Bucket(self, 'bucket')
+        public_bucket.grant_public_access()
+# {/fact}
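Review bot: The comment `# Noncompliant: bucket made public` sits above the `s3.Bucket(...)` constructor, but the line the rule is about is the following `public_bucket.grant_public_access()`; the constructor call is identical to the compliant sample. Move the comment onto the flagged call and say what it does, e.g. `# Noncompliant: grant_public_access() attaches a bucket policy allowing unauthenticated s3:GetObject on every object`, so the sample documents the risk the detector is meant to surface rather than just labelling the file.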