From 42bc99e0affff5270f6c21b62886257f4eb9401a Mon Sep 17 00:00:00 2001
From: erezrokah
Date: Mon, 23 Jan 2023 19:46:30 +0200
Subject: [PATCH 1/2] fix(gcp-project-policies): Use correct API to get Policy v3, fix policy

---
 ...t_configured_across_services_and_users.sql | 18 ++++++----
 .../resourcemanager/project_policies_fetch.go | 12 ++-----
 .../project_policies_mock_test.go | 35 +++++++++++++++++++
 3 files changed, 49 insertions(+), 16 deletions(-)
 create mode 100644 plugins/source/gcp/resources/services/resourcemanager/project_policies_mock_test.go

diff --git a/plugins/source/gcp/policies/queries/logging/not_configured_across_services_and_users.sql b/plugins/source/gcp/policies/queries/logging/not_configured_across_services_and_users.sql
index 10dc0113d2f7fd..4ecd4bdd9c6335 100644
--- a/plugins/source/gcp/policies/queries/logging/not_configured_across_services_and_users.sql
+++ b/plugins/source/gcp/policies/queries/logging/not_configured_across_services_and_users.sql
@@ -29,7 +29,13 @@ WITH project_policy_audit_configs AS (SELECT project_id,
                    audit_config ->> 'service' AS "service",
                    jsonb_array_elements(audit_config -> 'auditLogConfigs') ->> 'logType' AS logs,
                    jsonb_array_elements(audit_config -> 'auditLogConfigs') ->> 'exemptedMembers' AS exempted
-             FROM project_policy_audit_configs)
+             FROM project_policy_audit_configs),
+     valid_log_types AS (SELECT project_id, service, count(*) as valid_types
+                         FROM log_types
+                         WHERE exempted IS NULL
+                           AND logs IN ('ADMIN_READ', 'DATA_READ', 'DATA_WRITE')
+                           AND service = 'allServices'
+                         GROUP BY project_id, service)
 SELECT service AS resource_id,
        :'execution_time'::timestamp AS execution_time,
        :'framework' AS framework,
@@ -38,10 +44,8 @@ SELECT service
        "project_id" AS project_id,
        CASE
            WHEN
-               exempted IS NULL
-               AND logs IN ('DATA_READ', 'DATA_WRITE')
-               AND service = 'allServices'
-               THEN 'fail'
-               ELSE 'pass'
+               valid_types = 3
+               THEN 'pass'
+               ELSE 'fail'
            END AS status
-FROM log_types;
+FROM valid_log_types;
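Review bot: In the new `valid_log_types` CTE, `count(*) as valid_types` checked against `valid_types = 3` counts rows rather than distinct log types, so two `auditLogConfigs` entries carrying the same `logType` next to one other type would still be reported as `pass`; `count(DISTINCT logs) AS valid_types` pins the intended "all three types present" meaning. The second hunk also emits rows only for projects that have at least one qualifying `allServices` entry, so a project whose audit config does not cover `allServices` at all, which is the most common misconfiguration, produces no row and therefore never a `fail`; driving the result from the set of projects with a LEFT JOIN to `valid_log_types` and `COALESCE(valid_types, 0) = 3` in the CASE would surface those. Whether a project-level source exists to join from depends on the CTEs defined above the first hunk, which are outside it.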
diff --git a/plugins/source/gcp/resources/services/resourcemanager/project_policies_fetch.go b/plugins/source/gcp/resources/services/resourcemanager/project_policies_fetch.go
index 6d680aad0f0407..f45a6cd3eec572 100644
--- a/plugins/source/gcp/resources/services/resourcemanager/project_policies_fetch.go
+++ b/plugins/source/gcp/resources/services/resourcemanager/project_policies_fetch.go
@@ -3,24 +3,18 @@ package resourcemanager
 import (
 	"context"
 
-	"cloud.google.com/go/iam/apiv1/iampb"
-	resourcemanager "cloud.google.com/go/resourcemanager/apiv3"
 	"github.com/cloudquery/plugin-sdk/schema"
 	"github.com/cloudquery/plugins/source/gcp/client"
+	pb "google.golang.org/api/cloudresourcemanager/v3"
 )
 
 func fetchProjectPolicies(ctx context.Context, meta schema.ClientMeta, r *schema.Resource, res chan<- any) error {
 	c := meta.(*client.Client)
-	projectsClient, err := resourcemanager.NewProjectsClient(ctx, c.ClientOptions...)
+	projectsClient, err := pb.NewService(ctx, c.ClientOptions...)
 	if err != nil {
 		return err
 	}
-	output, err := projectsClient.GetIamPolicy(
-		ctx,
-		&iampb.GetIamPolicyRequest{
-			Resource: "projects/" + c.ProjectId,
-		},
-	)
+	output, err := projectsClient.Projects.GetIamPolicy("projects/"+c.ProjectId, &pb.GetIamPolicyRequest{}).Context(ctx).Do()
 	if err != nil {
 		return err
 	}
diff --git a/plugins/source/gcp/resources/services/resourcemanager/project_policies_mock_test.go b/plugins/source/gcp/resources/services/resourcemanager/project_policies_mock_test.go
new file mode 100644
index 00000000000000..a76f13f3fe3811
--- /dev/null
+++ b/plugins/source/gcp/resources/services/resourcemanager/project_policies_mock_test.go
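Review bot: The new `GetIamPolicy` call sends an empty `&pb.GetIamPolicyRequest{}`, so no `requestedPolicyVersion` goes out even though the commit is about obtaining the v3 policy; the Cloud Resource Manager API requires version 3 to be requested for policies that contain conditional role bindings, so with the field unset those projects may not come back in their full v3 form. Requesting it explicitly, `&pb.GetIamPolicyRequest{Options: &pb.GetPolicyOptions{RequestedPolicyVersion: 3}}`, makes the stated intent hold for conditional bindings as well. The body of `fetchProjectPolicies` continues past the end of the hunk.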
@@ -0,0 +1,35 @@
+package resourcemanager
+
+import (
+	"encoding/json"
+	"net/http"
+	"testing"
+
+	"github.com/cloudquery/plugin-sdk/faker"
+	"github.com/cloudquery/plugins/source/gcp/client"
+	"github.com/julienschmidt/httprouter"
+	pb "google.golang.org/api/cloudresourcemanager/v3"
+)
+
+func createProjectPolicies(mux *httprouter.Router) error {
+	var item pb.Policy
+	if err := faker.FakeObject(&item); err != nil {
+		return err
+	}
+	mux.POST("/v3/projects/testProject:getIamPolicy", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+		b, err := json.Marshal(&item)
+		if err != nil {
+			http.Error(w, "unable to marshal request: "+err.Error(), http.StatusBadRequest)
+			return
+		}
+		if _, err := w.Write(b); err != nil {
+			http.Error(w, "failed to write", http.StatusBadRequest)
+			return
+		}
+	})
+	return nil
+}
+
+func TestProjectPolicies(t *testing.T) {
+	client.MockTestRestHelper(t, ProjectPolicies(), createProjectPolicies, client.TestOptions{})
+}

From 6ba30112ef855a1d4678cbb5e409cd34da90c20e Mon Sep 17 00:00:00 2001
From: erezrokah
Date: Mon, 23 Jan 2023 19:56:25 +0200
Subject: [PATCH 2/2] chore: Add code comment

---
 .../resources/services/resourcemanager/project_policies_fetch.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/plugins/source/gcp/resources/services/resourcemanager/project_policies_fetch.go b/plugins/source/gcp/resources/services/resourcemanager/project_policies_fetch.go
index f45a6cd3eec572..710d3fa69cb759 100644
--- a/plugins/source/gcp/resources/services/resourcemanager/project_policies_fetch.go
+++ b/plugins/source/gcp/resources/services/resourcemanager/project_policies_fetch.go
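Review bot: Both `http.Error` calls in `createProjectPolicies` answer a server-side fault (marshalling the canned `pb.Policy`, writing it out) with `http.StatusBadRequest`, which attributes the failure to the caller; `http.StatusInternalServerError` is the accurate status for both, and the text `"unable to marshal request: "` describes a response, not a request. The second `http.Error` is issued after `w.Write` has already started the response, so its status can no longer take effect and it would be clearer to just return there.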
@@ -14,6 +14,7 @@ func fetchProjectPolicies(ctx context.Context, meta schema.ClientMeta, r *schema
 	if err != nil {
 		return err
 	}
+	// We need to use the protobut client to get the current version of the policy struct (v3)
 	output, err := projectsClient.Projects.GetIamPolicy("projects/"+c.ProjectId, &pb.GetIamPolicyRequest{}).Context(ctx).Do()
 	if err != nil {
 		return err
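Review bot: The added comment says the "protobut" client is used, but the call it annotates goes through the REST discovery client (`google.golang.org/api/cloudresourcemanager/v3`, imported as `pb`), and it was the protobuf/gRPC `resourcemanager.NewProjectsClient` that the previous patch removed, so beyond the typo the comment states the opposite of what the code does. Something like `// Use the REST cloudresourcemanager/v3 client rather than the gRPC/iampb one: its Policy type is the v3 struct this resource expects` records the actual reason for the switch. The function signature is only visible in the hunk header and its body continues beyond the hunk.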