---
inputType: "CA10__CaAwsBucket__c"
testData:
 - file: test-data.json
importExtracts:
 - file: /types/CA10__CaAwsBucket__c/object.extracts.yaml
conditions:
  - status: "INCOMPLIANT"
    currentStateMessage: "No bucket policy is configured, so both HTTP and HTTPS requests are allowed by default."
    remediationMessage: "Configure a bucket policy that denies HTTP requests."
    check:
      IS_EMPTY:
        arg:
          EXTRACT: "CA10__policyDocument__c"
  - status: "INCOMPLIANT"
    currentStateMessage: "The bucket policy is not configured to deny HTTP requests."
    remediationMessage: "Configure a bucket policy that denies HTTP requests."
    check:
      AND:
        args:
          - IS_EQUAL:
              left:
                JSON_QUERY_NUMBER:
                  arg:
                    EXTRACT: "caJsonFrom__policyDocument__c"
                  expression: "length(Statement[? Effect == 'Deny' && Condition.Bool.\"aws:SecureTransport\" == 'false'])"
                  undeterminedIf: 
                    evaluationError: "The JSON query has failed."
                    resultTypeMismatch: "The JSON query did not return a number type."
              right:
                NUMBER: 0.0
          - IS_EQUAL:
              left:
                JSON_QUERY_NUMBER:
                  arg:
                    EXTRACT: "caJsonFrom__policyDocument__c"
                  expression: "length(Statement[? Effect == 'Deny' && Condition.NumericLessThan.\"s3:TlsVersion\" == '1.2'])"
                  undeterminedIf: 
                    evaluationError: "The JSON query has failed."
                    resultTypeMismatch: "The JSON query did not return a number type."
              right:
                NUMBER: 0.0
  - status: "COMPLIANT"
    currentStateMessage: "The bucket policy has been configured to deny HTTP requests."
    check:
      OR: 
        args:
          - GREATER_THAN:
              left:
                JSON_QUERY_NUMBER:
                  arg:
                    EXTRACT: "caJsonFrom__policyDocument__c"
                  expression: "length(Statement[? Effect == 'Deny' && Condition.Bool.\"aws:SecureTransport\" == 'false'])"
                  undeterminedIf: 
                    evaluationError: "The JSON query has failed."
                    resultTypeMismatch: "The JSON query did not return a number type."
              right:
                NUMBER: 0.0
          - GREATER_THAN:
              left:
                JSON_QUERY_NUMBER:
                  arg:
                    EXTRACT: "caJsonFrom__policyDocument__c"
                  expression: "length(Statement[? Effect == 'Deny' && Condition.NumericLessThan.\"s3:TlsVersion\" == '1.2'])"
                  undeterminedIf: 
                    evaluationError: "The JSON query has failed."
                    resultTypeMismatch: "The JSON query did not return a number type."
              right:
                NUMBER: 0.0
otherwise:
  status: "UNDETERMINED"
  currentStateMessage: "Unexpected values in the field."