fix: improve CIDR related checks

Signed-off-by: Nikita Pivkin <[email protected]>

checks/cloud/aws/ec2/no_public_egress_sgr.rego

@@ -35,11 +35,12 @@ package builtin.aws.ec2.aws0104
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some rule in input.aws.ec2.securitygroups[_].egressrules
 	some block in rule.cidrs
-	cidr.is_public(block.value)
-	cidr.count_addresses(block.value) > 1
+	net.cidr_allows_all_ips(block.value)
 	res := result.new(
 		"Security group rule allows egress to multiple public internet addresses.",
 		block,

checks/cloud/aws/ec2/no_public_egress_sgr_test.rego

@@ -12,7 +12,11 @@ test_deny_sg_with_public_egress if {
 }
 
 test_allow_sg_without_private_egress if {
-	inp := {"aws": {"ec2": {"securitygroups": [{"egressrules": [{"cidrs": [{"value": "10.0.0.0/16"}]}]}]}}}
+	inp := {"aws": {"ec2": {"securitygroups": [{"egressrules": [{"cidrs": [
+		{"value": "10.0.0.0/8"},
+		{"value": "192.168.164.0/23"},
+		{"value": "22.0.0.0/8"},
+	]}]}]}}}
 
 	test.assert_empty(check.deny) with input as inp
 }

checks/cloud/azure/network/no_public_egress.rego

@@ -31,12 +31,14 @@ package builtin.azure.network.azure0051
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some group in input.azure.network.securitygroups
 	some rule in group.rules
 	rule.outbound.value
 	rule.allow.value
 	some addr in rule.destinationaddresses
-	cidr.is_public(addr.value)
+	net.cidr_allows_all_ips(addr.value)
 	res := result.new("Security group rule allows egress to public internet.", addr)
 }

checks/cloud/azure/network/no_public_egress_test.rego

@@ -16,6 +16,17 @@ test_deny_outbound_rule_with_wildcard_destination_address if {
 	count(res) == 1
 }
 
+test_deny_outbound_rule_with_public_destination_address if {
+	inp := {"azure": {"network": {"securitygroups": [{"rules": [{
+		"allow": {"value": true},
+		"outbound": {"value": true},
+		"destinationaddresses": [{"value": "0.0.0.0/0"}],
+	}]}]}}}
+
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
 test_allow_outbound_rule_with_private_destination_address if {
 	inp := {"azure": {"network": {"securitygroups": [{"rules": [{
 		"allow": {"value": true},

checks/cloud/google/compute/no_public_egress.rego

@@ -31,14 +31,15 @@ package builtin.google.compute.google0035
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some network in input.google.compute.networks
 	some rule in network.firewall.egressrules
 	rule.firewallrule.isallow.value
 	rule.firewallrule.enforced.value
 	some destination in rule.destinationranges
-	cidr.is_public(destination.value)
-	cidr.count_addresses(destination.value) > 1
+	net.cidr_allows_all_ips(destination.value)
 	res := result.new(
 		"Firewall rule allows egress traffic to multiple addresses on the public internet.",
 		destination,

checks/cloud/google/compute/no_public_egress_test.rego

@@ -21,7 +21,7 @@ test_deny_egress_rule_with_multiple_public_destinations if {
 	count(res) == 1
 }
 
-test_allow_egress_rule_with_public_destination if {
+test_allow_egress_rule_with_private_destination if {
 	inp := {"google": {"compute": {"networks": [{"firewall": {"egressrules": [{
 		"firewallrule": {
 			"isallow": {"value": true},

lib/cloud/net.rego

@@ -12,7 +12,7 @@ ssh_port := 22
 
 rdp_port := 3389
 
-all_ips := {"0.0.0.0/0", "0000:0000:0000:0000:0000:0000:0000:0000/0", "::/0"}
+all_ips := {"0.0.0.0/0", "0000:0000:0000:0000:0000:0000:0000:0000/0", "::/0", "*"}
 
 # "-1" or "all" equivalent to all protocols
 # https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html