fix: hws console user two-factor authentication rule

[Lyc-heng]

Thank you for your contribution to CloudRec!

What About:

• Server (java)
• Collector (go)
• Rule (opa)

Description:

hws adds an IAM rule to check whether console users have enabled two-factor authentication

Summary by Sourcery

Add an OPA policy rule to flag Huawei Cloud console users without two-factor authentication enabled

New Features:

• Introduce hws_console_account_disable_mfa_39 Rego package to evaluate console user MFA status
• Add input.json, metadata.json, and relation.json files to support the new MFA rule

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Add OPA policy to detect HUAWEI Cloud console users without two-factor authentication, complemented by corresponding input schema, metadata, and relation files.

Entity relationship diagram for input schema in new OPA policy

erDiagram
    INPUT {
        string name
        string domain_id
        string access_mode
        object LoginProtects
    }
    USER_ATTRIBUTE {
        string name
        string domain_id
        string access_mode
    }
    INPUT ||--o| USER_ATTRIBUTE : contains

Loading

Class diagram for new OPA policy: hws_console_account_disable_mfa_39

classDiagram
    class input {
        UserAttribute: object
        LoginProtects: object | null
    }
    class UserAttribute {
        name: string
        domain_id: string
        access_mode: string
    }
    class hws_console_account_disable_mfa_39 {
        risk: bool
        login_without_mfa_rule: bool
        user_name: string
        user_id: string
    }
    input --> UserAttribute
    hws_console_account_disable_mfa_39 --> input
    hws_console_account_disable_mfa_39 : risk if login_without_mfa_rule
    hws_console_account_disable_mfa_39 : login_without_mfa_rule if access_mode == "console" and LoginProtects == null

Loading

File-Level Changes

Change	Details	Files
Implement two-factor authentication check for console users in OPA	Define new package and import rego.v1 Set default risk and intermediate login_without_mfa_rule flags Flag risk when login_without_mfa_rule is true Map user_name and user_id from input attributes Trigger login_without_mfa_rule if access_mode is console and LoginProtects is null	rules/HUAWEI_CLOUD/HUAWEI_CLOUD_IAM User_202511060951_877031/policy.rego
Add supporting rule artifacts (input schema, metadata, relations)	Provide sample input template Include rule metadata definitions Establish rule relationships	rules/HUAWEI_CLOUD/HUAWEI_CLOUD_IAM User_202511060951_877031/input.json rules/HUAWEI_CLOUD/HUAWEI_CLOUD_IAM User_202511060951_877031/metadata.json rules/HUAWEI_CLOUD/HUAWEI_CLOUD_IAM User_202511060951_877031/relation.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[gemini-code-assist]

Summary of Changes

Hello @Lyc-heng, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new security rule for Huawei Cloud Identity and Access Management (IAM) to enhance account security. The rule specifically identifies console users who have not enabled two-factor authentication (MFA), flagging them as a medium-level risk. This helps ensure that critical access points are protected with an additional layer of security, aligning with best practices for cloud resource management.

Highlights

• New Security Rule: A new Open Policy Agent (OPA) rule has been introduced for Huawei Cloud Identity and Access Management (IAM) users.
• MFA Enforcement: This rule specifically identifies console users who have not enabled two-factor authentication (MFA), flagging them as a medium-level security risk.
• Policy Logic: The Rego policy checks if a user's access mode is 'console' and if their 'LoginProtects' attribute is null, indicating the absence of MFA.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

Blocking issues:

• Detected a Generic API Key, potentially exposing access to various services and sensitive operations. (link)
• Detected a Generic API Key, potentially exposing access to various services and sensitive operations. (link)
• Detected a Generic API Key, potentially exposing access to various services and sensitive operations. (link)
• Detected a Generic API Key, potentially exposing access to various services and sensitive operations. (link)
• Detected a Generic API Key, potentially exposing access to various services and sensitive operations. (link)

General comments:

• The local vars user_name and user_id aren’t actually used by any rule—either drop them or wire them into your output/reporting logic.
• Consider renaming the package and login_without_mfa_rule to match your other policy naming conventions for better consistency and clarity.
• Double-check that input.LoginProtects is the correct path and covers both null and empty-array cases in your event schema so no console users slip through untested.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The local vars user_name and user_id aren’t actually used by any rule—either drop them or wire them into your output/reporting logic.
- Consider renaming the package and login_without_mfa_rule to match your other policy naming conventions for better consistency and clarity.
- Double-check that input.LoginProtects is the correct path and covers both null and empty-array cases in your event schema so no console users slip through untested.

## Individual Comments

### Comment 1
<location> `rules/HUAWEI_CLOUD/HUAWEI_CLOUD_IAM User_202511060951_877031/input.json:1` </location>
<code_context>
8DM44qIu6MCtkv1ytefO
</code_context>

<issue_to_address>
**security (generic-api-key):** Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

*Source: gitleaks*
</issue_to_address>

### Comment 2
<location> `rules/HUAWEI_CLOUD/HUAWEI_CLOUD_IAM User_202511060951_877031/input.json:1` </location>
<code_context>
gMT6Jdf0RD0TFcnCeY8U
</code_context>

<issue_to_address>
**security (generic-api-key):** Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

*Source: gitleaks*
</issue_to_address>

### Comment 3
<location> `rules/HUAWEI_CLOUD/HUAWEI_CLOUD_IAM User_202511060951_877031/input.json:1` </location>
<code_context>
YLLvBEJ6h4SRvCY22Li2Jo9gyFVj1jTJI7QmauOKmeYhV9YQRluvREqv96lWVSCTWsUfLNdAQuV7fJB3c7lIzrK9K6HYKTHQsgUu6D6XNxkvoAV4XMrKz6DUeWVe
</code_context>

<issue_to_address>
**security (generic-api-key):** Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

*Source: gitleaks*
</issue_to_address>

### Comment 4
<location> `rules/HUAWEI_CLOUD/HUAWEI_CLOUD_IAM User_202511060951_877031/input.json:1` </location>
<code_context>
IGFMPX7bIq2ClRDPd7wJ
</code_context>

<issue_to_address>
**security (generic-api-key):** Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

*Source: gitleaks*
</issue_to_address>

### Comment 5
<location> `rules/HUAWEI_CLOUD/HUAWEI_CLOUD_IAM User_202511060951_877031/input.json:1` </location>
<code_context>
1bZ9i4Gf7sVIVkPCNNmK
</code_context>

<issue_to_address>
**security (generic-api-key):** Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

*Source: gitleaks*
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[gemini-code-assist]

Code Review

This pull request introduces a new OPA rule to detect Huawei Cloud IAM console users that do not have multi-factor authentication (MFA) enabled. The changes include the Rego policy file, along with its metadata and sample input data.

My review focuses on the correctness and maintainability of the new rule. I've identified a couple of areas for improvement:

• The Rego policy contains unused variables which should be removed to improve code clarity.
• The sample input data seems to have an inconsistency in user IDs between different objects, which should be corrected to ensure the test data is representative and reliable for this and future rules.

Overall, the core logic of the rule is sound and addresses the intended security check. The suggested changes will improve the quality of the codebase.

[gemini-code-assist]

The test data in this file appears to be inconsistent. The User.id (xzmYe08vYH68aPTljptq7Q3rTuiRvtCA) is different from UserAttribute.id (4qSCghh2GeXMORBbVMVYzQDIN27VYpkR). According to the collector logic in collector/hws/collector/iam/user.go, the UserAttribute details are fetched for the user from the User object, so their IDs should be the same. While this doesn't break the current rule, incorrect test data can cause issues with testing and future rule development. Please correct the test data to be consistent.

[gemini-code-assist]

The variables user_name and user_id are defined but are not used anywhere in the policy. This adds unnecessary clutter and can be confusing for future readers. It's best to remove this dead code.