function isMatchingCompliantPolicy()

in src/rules/s3/S3BucketSSLRequestsOnly.ts [51:81]


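/**
 * Checks whether `node` is a bucket policy attached to the given bucket that
 * contains at least one statement denying requests made without TLS, i.e. a
 * statement with `Effect: Deny`, a matching action and principal, a
 * `Bool` condition of `aws:SecureTransport` equal to `false`, and resources
 * covering the bucket.
 *
 * @param node - the `CfnBucketPolicy` being inspected
 * @param bucketLogicalId - logical id of the bucket the policy must target
 * @param bucketName - resolved bucket name, when one is known (a policy may
 *   reference the bucket either by logical id or by name)
 * @returns true when a compliant Deny statement is found, otherwise false
 */
function isMatchingCompliantPolicy(
  node: CfnBucketPolicy,
  bucketLogicalId: string,
  bucketName: string | undefined
): boolean {
  const bucket = NagRules.resolveResourceFromInstrinsic(node, node.bucket);
  if (bucket !== bucketLogicalId && bucket !== bucketName) {
    return false;
  }
  const resolvedPolicyDocument = Stack.of(node).resolve(node.policyDocument);
  // IAM policy JSON allows `Statement` to be a single object as well as an
  // array; normalize so a single-statement document (or a document with no
  // `Statement` key at all) does not throw on iteration.
  const rawStatements = resolvedPolicyDocument?.Statement;
  const statements: unknown[] =
    rawStatements == null
      ? []
      : Array.isArray(rawStatements)
      ? rawStatements
      : [rawStatements];
  for (const statement of statements) {
    const resolvedStatement = Stack.of(node).resolve(statement);
    // The condition value may be the JSON string 'false' or a boolean false;
    // both forms are accepted.
    const secureTransport =
      resolvedStatement?.Condition?.Bool?.['aws:SecureTransport'];
    if (
      resolvedStatement?.Effect === 'Deny' &&
      checkMatchingAction(resolvedStatement.Action) === true &&
      checkMatchingPrincipal(resolvedStatement.Principal) === true &&
      (secureTransport === 'false' || secureTransport === false) &&
      checkMatchingResources(
        node,
        bucketLogicalId,
        bucketName,
        resolvedStatement.Resource
      ) === true
    ) {
      return true;
    }
  }
  return false;
}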