Fixed identification of list function false positive with resource Azure#2919 (Azure#2941)

Author: BernieWhite

docs/CHANGELOG-v1.md

@@ -41,6 +41,8 @@ What's changed since pre-release v1.38.0-B0011:
 - Bug fixes:
   - Fixed failed to expand with direct outputs reference by @BernieWhite.
     [#2935](https://github.com/Azure/PSRule.Rules.Azure/issues/2935)
+  - Fixed identification of `list*` function false positive with resource by @BernieWhite.
+    [#2919](https://github.com/Azure/PSRule.Rules.Azure/issues/2919)
 
 ## v1.38.0-B0011 (pre-release)
 

src/PSRule.Rules.Azure/Data/Template/TokenStreamValidator.cs

@@ -15,7 +15,7 @@ internal static class TokenStreamValidator
         private const string FN_PARAMETERS = "parameters";
         private const string FN_VARIABLES = "variables";
         private const string FN_IF = "if";
-        private const string FN_LISTKEYS = "listKeys";
+        private const string FN_LIST = "list";
         private const string FN_REFERNECE = "reference";
 
         /// <summary>
@@ -72,7 +72,7 @@ public static bool UsesListKeysFunction(TokenStream stream)
                     continue;
                 }
 
-                if (IsFunction(token, FN_LISTKEYS))
+                if (IsFunctionWithPrefix(token, FN_LIST) && !IsFunction(token, FN_LIST))
                     return true;
             }
             return false;
@@ -168,5 +168,11 @@ private static bool IsFunction(ExpressionToken token, string name)
             return token.Type == ExpressionTokenType.Element &&
                 string.Equals(token.Content, name, StringComparison.OrdinalIgnoreCase);
         }
+
+        private static bool IsFunctionWithPrefix(ExpressionToken token, string prefix)
+        {
+            return token.Type == ExpressionTokenType.Element &&
+                token.Content.StartsWith(prefix, StringComparison.OrdinalIgnoreCase);
+        }
     }
 }

tests/PSRule.Rules.Azure.Tests/Tests.Bicep.9.goodStreamingJobs.bicep

@@ -11,6 +11,10 @@ resource storage 'Microsoft.Storage/storageAccounts@2021-09-01' = {
   name: 'aStorageAccount'
 }
 
+resource search 'Microsoft.Search/searchServices@2022-09-01' existing = {
+  name: 'aSearch'
+}
+
 resource goodStreamingJobs 'Microsoft.StreamAnalytics/streamingjobs@2021-10-01-preview' = {
   name: 'goodStreamingJobs'
   properties: {
@@ -23,7 +27,7 @@ resource goodStreamingJobs 'Microsoft.StreamAnalytics/streamingjobs@2021-10-01-p
             type: 'Microsoft.Sql/Server/Database'
             properties: {
               password: secret
-            } 
+            }
           }
         }
       }
@@ -35,7 +39,7 @@ resource goodStreamingJobs 'Microsoft.StreamAnalytics/streamingjobs@2021-10-01-p
             type: 'Microsoft.Sql/Server/Database'
             properties: {
               password: storage.listKeys().keys[0].value
-            } 
+            }
           }
         }
       }
@@ -47,16 +51,27 @@ resource goodStreamingJobs 'Microsoft.StreamAnalytics/streamingjobs@2021-10-01-p
             type: 'Microsoft.Sql/Server/Database'
             properties: {
               password: secretFromKeyVault
-            } 
+            }
+          }
+        }
+      }
+      {
+        name: 'inputUsingSearchService'
+        properties: {
+          type: 'Reference'
+          datasource: {
+            type: 'Microsoft.Sql/Server/Database'
+            properties: {
+              password: search.listAdminKeys().primaryKey
+            }
           }
         }
       }
     ]
     outputs: [
       {
         name: 'outputWithoutPassword'
-        properties: {
-        }
+        properties: {}
       }
     ]
   }

tests/PSRule.Rules.Azure.Tests/Tests.Bicep.9.json

@@ -4,14 +4,14 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.13.1.58284",
-      "templateHash": "8685448171369407541"
+      "version": "0.28.1.47646",
+      "templateHash": "18275092912549928193"
     }
   },
   "resources": [
     {
       "type": "Microsoft.Resources/deployments",
-      "apiVersion": "2020-10-01",
+      "apiVersion": "2022-09-01",
       "name": "secret_good",
       "properties": {
         "expressionEvaluationOptions": {
@@ -29,13 +29,13 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.13.1.58284",
-              "templateHash": "3563517143203947158"
+              "version": "0.28.1.47646",
+              "templateHash": "1518984315103849805"
             }
           },
           "parameters": {
             "secret": {
-              "type": "secureString"
+              "type": "securestring"
             }
           },
           "resources": [
@@ -53,7 +53,7 @@
     },
     {
       "type": "Microsoft.Resources/deployments",
-      "apiVersion": "2020-10-01",
+      "apiVersion": "2022-09-01",
       "name": "secret_bad",
       "properties": {
         "expressionEvaluationOptions": {
@@ -71,8 +71,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.13.1.58284",
-              "templateHash": "13907904796621207265"
+              "version": "0.28.1.47646",
+              "templateHash": "6215663120730168687"
             }
           },
           "parameters": {
@@ -95,7 +95,7 @@
     },
     {
       "type": "Microsoft.Resources/deployments",
-      "apiVersion": "2020-10-01",
+      "apiVersion": "2022-09-01",
       "name": "streaming_jobs_good",
       "properties": {
         "expressionEvaluationOptions": {
@@ -121,16 +121,16 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.13.1.58284",
-              "templateHash": "1243191437263886583"
+              "version": "0.28.1.47646",
+              "templateHash": "3797411740136360330"
             }
           },
           "parameters": {
             "secret": {
-              "type": "secureString"
+              "type": "securestring"
             },
             "secretFromKeyVault": {
-              "type": "secureString"
+              "type": "securestring"
             }
           },
           "resources": [
@@ -180,6 +180,18 @@
                         }
                       }
                     }
+                  },
+                  {
+                    "name": "inputUsingSearchService",
+                    "properties": {
+                      "type": "Reference",
+                      "datasource": {
+                        "type": "Microsoft.Sql/Server/Database",
+                        "properties": {
+                          "password": "[listAdminKeys(resourceId('Microsoft.Search/searchServices', 'aSearch'), '2022-09-01').primaryKey]"
+                        }
+                      }
+                    }
                   }
                 ],
                 "outputs": [
@@ -199,7 +211,7 @@
     },
     {
       "type": "Microsoft.Resources/deployments",
-      "apiVersion": "2020-10-01",
+      "apiVersion": "2022-09-01",
       "name": "streaming_jobs_bad",
       "properties": {
         "expressionEvaluationOptions": {
@@ -217,8 +229,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.13.1.58284",
-              "templateHash": "14384591199981266606"
+              "version": "0.28.1.47646",
+              "templateHash": "4134825371520485157"
             }
           },
           "parameters": {
@@ -267,7 +279,7 @@
     },
     {
       "type": "Microsoft.Resources/deployments",
-      "apiVersion": "2020-10-01",
+      "apiVersion": "2022-09-01",
       "name": "reference_good",
       "properties": {
         "expressionEvaluationOptions": {
@@ -280,8 +292,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.13.1.58284",
-              "templateHash": "9418583989023446705"
+              "version": "0.28.1.47646",
+              "templateHash": "6922313715624563061"
             }
           },
           "parameters": {

tests/PSRule.Rules.Azure.Tests/TokenStreamValidatorTests.cs

@@ -9,7 +9,7 @@ namespace PSRule.Rules.Azure
     public sealed class TokenStreamValidatorTests
     {
         [Fact]
-        public void HasInsecureToken()
+        public void HasLiteralValue()
         {
             Assert.True(Helper.HasLiteralValue("password"));
             Assert.True(Helper.HasLiteralValue("123"));
@@ -33,8 +33,12 @@ public void GetParameterTokenValue()
         [Fact]
         public void UsesListKeysFunction()
         {
-            Assert.True(Helper.UsesListKeysFunction("[listKeys(resourceId('Microsoft.Storage/storageAccounts', 'aStorageAccount'), '2021-09-01').keys[0].value]"));
-            Assert.True(Helper.UsesListKeysFunction("[listKeys(resourceId('Microsoft.Storage/storageAccounts', 'aStorageAccount'), '2021-09-01')]"));
+            Assert.True(Helper.UsesListKeysFunction("[listKeys(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-09-01').keys[0].value]"));
+            Assert.True(Helper.UsesListKeysFunction("[listKeys(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-09-01')]"));
+            Assert.True(Helper.UsesListKeysFunction("[listAdminKeys(resourceId('Microsoft.Search/searchServices', 'search1'), '2022-09-01').primaryKey]"));
+            Assert.True(Helper.UsesListKeysFunction("[listQueryKeys(resourceId('Microsoft.Search/searchServices', 'search1'), '2021-09-01').value[0].key]"));
+            Assert.False(Helper.UsesListKeysFunction("[list(resourceId('Microsoft.OperationalInsights/workspaces', 'workspace1'), '2023-09-01').value[0].properties.name]"));
+            Assert.False(Helper.UsesListKeysFunction("[resourceId('Microsoft.Storage/storageAccounts', 'storage1')]"));
         }
 
         [Fact]