shows under privileges as well

main.go

@@ -221,17 +221,26 @@ func main() {
 					},
 				},
 				Action: func(*cli.Context) error {
-					over, err := pike.Inspect(directory, init)
+					Difference, err := pike.Inspect(directory, init)
 					if err != nil {
 						return err
 					}
-					if over != nil {
+					if Difference.Under != nil {
+						fmt.Println("The following are under-permissive: ")
+						for _, v := range Difference.Under {
+							fmt.Println(v)
+						}
+						return errors.New("under-permissive")
+					}
+
+					if Difference.Over != nil {
 						fmt.Println("The following are over-permissive: ")
-						for _, v := range over {
+						for _, v := range Difference.Over {
 							fmt.Println(v)
 						}
 						return errors.New("over-permissive")
 					}
+
 					return nil
 				},
 			},

src/inspect.go

@@ -7,15 +7,21 @@ import (
 	"github.com/rs/zerolog/log"
 )
 
-func Inspect(directory string, init bool) ([]string, error) {
+type PolicyDiff struct {
+	Over  []string
+	Under []string
+}
+
+func Inspect(directory string, init bool) (PolicyDiff, error) {
 	var iacPolicy Identity.Policy
+	var Difference PolicyDiff
 
 	rawIACPolicy, err := MakePolicy(directory, nil, init, false)
 	if err != nil {
 		if errors.Is(err, &emptyIACError{}) {
 			log.Info().Msgf("nothing to do for IAC as %s for directory %s", err, directory)
 		} else {
-			return nil, err
+			return Difference, err
 		}
 	}
 
@@ -25,28 +31,28 @@ func Inspect(directory string, init bool) ([]string, error) {
 		if errors.Is(err, &Identity.EmptyParseError{}) {
 			log.Info().Msgf("nothing to do for IAC as parse for %s was empty", directory)
 		} else {
-			return nil, err
+			return Difference, err
 		}
 	}
 
 	iamIdentity, err := Identity.GetIam()
 	if err != nil {
 		log.Info().Msgf("nothing to do for AWS as %s ", err)
-		return nil, err
+		return Difference, err
 	}
 
-	result, err := CompareAllow(iamIdentity, iacPolicy)
+	Difference, err = CompareAllow(iamIdentity, iacPolicy)
 	if err != nil {
-		return nil, err
+		return Difference, err
 	}
 
-	return result, nil
+	return Difference, nil
 }
 
-func CompareAllow(identity Identity.IAM, policy Identity.Policy) ([]string, error) {
+func CompareAllow(identity Identity.IAM, policy Identity.Policy) (PolicyDiff, error) {
 	var identityAllows []string
 	var policyAllows []string
-	var over []string
+	var difference PolicyDiff
 
 	for _, identityPolicy := range identity.Policies {
 		statements := identityPolicy.Statements
@@ -68,11 +74,17 @@ func CompareAllow(identity Identity.IAM, policy Identity.Policy) ([]string, erro
 
 	for _, permission := range identityAllows {
 		if !contains(policyAllows, permission) {
-			over = append(over, permission)
+			difference.Over = append(difference.Over, permission)
+		}
+	}
+
+	for _, permission := range policyAllows {
+		if !contains(identityAllows, permission) {
+			difference.Under = append(difference.Under, permission)
 		}
 	}
 
-	return over, nil
+	return difference, nil
 }
 
 func contains(s []string, e string) bool {

src/inspect_test.go

@@ -39,13 +39,17 @@ func TestCompareAllow(t *testing.T) {
 	tests := []struct {
 		name    string
 		args    args
-		want    []string
+		want    PolicyDiff
 		wantErr bool
 	}{
-		{"pass empty", args{identity, policy}, nil, false},
-		{"pass not empty", args{identity, morePolicy}, nil, false},
-		{"pass", args{moreIdentity, morePolicy}, nil, false},
-		{"different", args{moreIdentity, policy}, []string{"s3:*", "s3-object-lambda:*"}, false},
+		{"pass empty",
+			args{identity, policy}, PolicyDiff{}, false},
+		{"pass not empty",
+			args{identity, morePolicy}, PolicyDiff{nil, []string{"s3:*", "s3-object-lambda:*"}}, false},
+		{"pass",
+			args{moreIdentity, morePolicy}, PolicyDiff{}, false},
+		{"different",
+			args{moreIdentity, policy}, PolicyDiff{[]string{"s3:*", "s3-object-lambda:*"}, nil}, false},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -70,11 +74,11 @@ func TestInspect(t *testing.T) {
 	tests := []struct {
 		name    string
 		args    args
-		want    []string
+		want    PolicyDiff
 		wantErr bool
 	}{
 		//	{"Pass", args{"../terraform/aws/backup", false}, []string{"foo", "bar"}, false},
-		{"no dir", args{"../terraform/aws/nodir", false}, nil, true},
+		{"no dir", args{"../terraform/aws/nodir", false}, PolicyDiff{}, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {