diff --git a/Gemfile b/Gemfile index 80fbc1bbc..8c74064cb 100644 --- a/Gemfile +++ b/Gemfile @@ -2,7 +2,7 @@ source 'https://rubygems.org' gem 'bundle' gem 'faraday', '>= 0.16.2' -gem 'google-api-client' +# gem 'google-api-client' gem 'google-cloud' gem 'googleauth' # we are pinning to inspec-core-bin below 6.0 to avoid bringing licensing change in the CI diff --git a/libraries/google_kms_crypto_key_iam_bindings.rb b/libraries/google_kms_crypto_key_iam_bindings.rb index d7abb480e..93b767322 100644 --- a/libraries/google_kms_crypto_key_iam_bindings.rb +++ b/libraries/google_kms_crypto_key_iam_bindings.rb @@ -1,4 +1,4 @@ -# frozen_string_literal: true +# frozen_string_literal: false require 'gcp_backend' 
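Review bot: Commenting out `gem 'google-api-client'` leaves a dead line in the Gemfile where a deletion would do; more importantly, google_user.rb and google_users.rb in this same commit now `require 'google-apis-admin_directory_v1'`, a per-API gem that the removed meta-gem used to pull in transitively. Unless it is declared somewhere not visible here, the Gemfile should gain `gem 'google-apis-admin_directory_v1'` (and the lockfile regenerated) or those two resources will fail at load time. The inspec-core-bin pinning comment that follows is unaffected.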
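Review bot: Flipping `# frozen_string_literal: true` to `false` disables string freezing for the whole file, yet nothing in the new code of this file mutates a string literal. If the flip is there because the new `@connection.fetch` path mutates the literal returned by `resource_base_url` in place (not visible in this diff), the narrower fix is to hand it an unfrozen copy, `'{{crypto_key_url}}:getIamPolicy'.dup`, or to have the backend build a new string. The same flip appears in google_kms_key_ring_iam_bindings.rb, google_project_alert_policy_condition.rb, google_project_iam_binding.rb, google_project_iam_bindings.rb, google_project_logging_audit_config.rb and google_storage_bucket_iam_bindings.rb.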
@@ -12,28 +12,42 @@ class GoogleKMSCryptoKeyIAMBindings < GcpResourceBase it { should exist } end " - - def initialize(opts = {}) - # Call the parent class constructor - super(opts) - @crypto_key_url = opts[:crypto_key_url] - end + attr_reader :params + attr_reader :table # FilterTable setup filter_table_config = FilterTable.create filter_table_config.add(:iam_binding_roles, field: :iam_binding_role) - filter_table_config.connect(self, :fetch_data) + filter_table_config.connect(self, :table) - def fetch_data + def initialize(params = {}) + # Call the parent class constructor + super(params.merge({ use_http_transport: true })) + @crypto_key_url = params[:crypto_key_url] + @params = params + @fetched = @connection.fetch(product_url, resource_base_url, params, 'Get') + parse unless @fetched.nil? + end + + def parse iam_binding_rows = [] - catch_gcp_errors do - @iam_bindings = @gcp.gcp_client(Google::Apis::CloudkmsV1::CloudKMSService).get_project_location_key_ring_crypto_key_iam_policy(@crypto_key_url) - end - return [] if !@iam_bindings || !@iam_bindings.bindings - @iam_bindings.bindings.map do |iam_binding| + return [] if !@fetched || !@fetched['bindings'] + @iam_bindings = GoogleInSpec::Iam::Property::IamPolicyBindingsArray.parse(@fetched['bindings'], to_s) + + @iam_bindings.map do |iam_binding| iam_binding_rows+=[{ iam_binding_role: iam_binding.role }] end @table = iam_binding_rows end + + private + + def product_url + 'https://cloudkms.googleapis.com/v1/' + end + + def resource_base_url + '{{crypto_key_url}}:getIamPolicy' + end end end diff --git a/libraries/google_kms_key_ring_iam_bindings.rb b/libraries/google_kms_key_ring_iam_bindings.rb index 6cd33244f..26605bea8 100644 --- a/libraries/google_kms_key_ring_iam_bindings.rb +++ b/libraries/google_kms_key_ring_iam_bindings.rb 
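Review bot: `@table` is never assigned when `@fetched` is nil (`parse unless @fetched.nil?`) or when `parse` takes its early `return []`, so the FilterTable now connected via `connect(self, :table)` sees nil where the old `fetch_data` returned `[]`; initialise `@table = []` before the fetch and have `parse` return it. Whether `@connection.fetch` raises on an HTTP error or returns nil is not visible here — if it returns nil, an IAM policy that could not be read presents as an empty binding list, so a control like `should_not include 'roles/owner'` passes vacuously; raising `Inspec::Exceptions::ResourceFailed` in that case, as google_project_iam_binding.rb in this commit does, would be safer. The `@iam_bindings.map do ... iam_binding_rows+=[...] end` loop uses `map` for its side effect and discards the result; a direct `map` into `@table` reads better. The same shape recurs in google_kms_key_ring_iam_bindings.rb, google_project_iam_bindings.rb and google_storage_bucket_iam_bindings.rb.
```ruby
def initialize(params = {})
  # … unchanged: super, @crypto_key_url, @params …
  @table = []
  @fetched = @connection.fetch(product_url, resource_base_url, params, 'Get')
  parse unless @fetched.nil?
end

def parse
  return @table if !@fetched || !@fetched['bindings']
  @iam_bindings = GoogleInSpec::Iam::Property::IamPolicyBindingsArray.parse(@fetched['bindings'], to_s)
  @table = @iam_bindings.map { |iam_binding| { iam_binding_role: iam_binding.role } }
end
```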
@@ -1,8 +1,7 @@ -# frozen_string_literal: true +# frozen_string_literal: false require 'gcp_backend' require 'time' -require 'google/apis/cloudkms_v1' module Inspec::Resources class GoogleKMSKeyRingIAMBindings < GcpResourceBase @@ -14,28 +13,41 @@ class GoogleKMSKeyRingIAMBindings < GcpResourceBase it { should exist } end " + attr_reader :params + attr_reader :table - def initialize(opts = {}) + def initialize(params = {}) # Call the parent class constructor - super(opts) - @key_ring_url = opts[:key_ring_url] + super(params.merge({ use_http_transport: true })) + @key_ring_url = params[:key_ring_url] + @params = params + @fetched = @connection.fetch(product_url, resource_base_url, params, 'Get') + parse unless @fetched.nil? end # FilterTable setup filter_table_config = FilterTable.create filter_table_config.add(:iam_binding_roles, field: :iam_binding_role) - filter_table_config.connect(self, :fetch_data) + filter_table_config.connect(self, :table) - def fetch_data + def parse iam_binding_rows = [] - catch_gcp_errors do - @iam_bindings = @gcp.gcp_client(Google::Apis::CloudkmsV1::CloudKMSService).get_project_location_key_ring_iam_policy(@key_ring_url) - end - return [] if !@iam_bindings || !@iam_bindings.bindings - @iam_bindings.bindings.map do |iam_binding| + return [] if !@fetched || !@fetched['bindings'] + @iam_bindings = GoogleInSpec::Iam::Property::IamPolicyBindingsArray.parse(@fetched['bindings'], to_s) + @iam_bindings.map do |iam_binding| iam_binding_rows+=[{ iam_binding_role: iam_binding.role }] end @table = iam_binding_rows end + + private + + def product_url + 'https://cloudkms.googleapis.com/v1/' + end + + def resource_base_url + '{{key_ring_url}}:getIamPolicy' + end end end diff --git a/libraries/google_project_alert_policy_condition.rb b/libraries/google_project_alert_policy_condition.rb index c2059066a..22b7a2024 100644 --- a/libraries/google_project_alert_policy_condition.rb +++ b/libraries/google_project_alert_policy_condition.rb 
@@ -1,7 +1,6 @@ -# frozen_string_literal: true +# frozen_string_literal: false require 'gcp_backend' -require 'google/apis/monitoring_v3' module Inspec::Resources class GoogleProjectAlertPolicyCondition < GcpResourceBase @@ -14,15 +13,13 @@ class GoogleProjectAlertPolicyCondition < GcpResourceBase end " - def initialize(opts = {}) + def initialize(params = {}) # Call the parent class constructor - super(opts) - @filter = opts[:filter] - @policy = opts[:policy] - catch_gcp_errors do - @policy_result = @gcp.gcp_client(Google::Apis::MonitoringV3::MonitoringService).get_project_alert_policy(@policy) - @condition = condition_for_filter(@filter) - end + super(params.merge({ use_http_transport: true })) + @filter = params[:filter] + @policy = params[:name] + @fetched = @connection.fetch(product_url, resource_base_url, params, 'Get') + @condition = condition_for_filter(@filter) end def exists? @@ -30,8 +27,9 @@ def exists? end def condition_for_filter(filter) - return nil if !defined?(@policy_result.conditions) || @policy_result.conditions.nil? - @policy_result.conditions.each do |condition| + @policy_result = GoogleInSpec::Monitoring::Property::AlertPolicyConditionsArray.parse(@fetched['conditions'], to_s) + return nil if !defined?(@policy_result) || @policy_result.nil? + @policy_result.each do |condition| next if !defined?(condition.condition_threshold.filter) || condition.condition_threshold.filter.nil? return condition if condition.condition_threshold.filter == filter end @@ -61,5 +59,15 @@ def aggregation_cross_series_reducer def to_s "Alert Policy Condition #{@policy} \"#{@filter}\"" end + + private + + def product_url(_ = nil) + 'https://monitoring.googleapis.com/v3/' + end + + def resource_base_url + '{{name}}' + end end end diff --git a/libraries/google_project_iam_binding.rb b/libraries/google_project_iam_binding.rb index dec488e84..3a7b5c8e5 100644 --- a/libraries/google_project_iam_binding.rb +++ b/libraries/google_project_iam_binding.rb 
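Review bot: `@policy = params[:name]` silently replaces the old `opts[:policy]` key while `to_s` still prints `Alert Policy Condition #{@policy}`; any profile that calls this resource with `policy:` now gets a nil `@policy` and an unresolved `{{name}}` in `resource_base_url`. If the rename to `name:` is intended, accept the old key too, `@policy = params[:name] || params[:policy]`, and merge it into the hash passed to `@connection.fetch`; otherwise keep `params[:policy]` and template `{{policy}}`. The fetch here is no longer wrapped in `catch_gcp_errors`, so how a failed request surfaces now depends on `@connection.fetch`, which is not visible in this diff.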
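Review bot: In `condition_for_filter`, `@fetched['conditions']` raises NoMethodError when `@fetched` is nil, and the `defined?(@policy_result)` test on the next line is always truthy because the variable was just assigned, so the guard is dead. Replace the two lines with a check before parsing: `return nil unless @fetched && @fetched['conditions']` followed by the `parse` assignment. The method's remaining lines and its closing `end` lie outside this hunk.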
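Review bot: `def product_url(_ = nil)` takes an ignored optional argument while every other `product_url` added in this commit takes none; unless the backend calls it with an argument (not visible here), `def product_url` keeps the signatures consistent across resources.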
@@ -1,4 +1,4 @@ -# frozen_string_literal: true +# frozen_string_literal: false require 'gcp_backend' @@ -12,23 +12,24 @@ class GoogleProjectIAMBinding < GcpResourceBase it { should exist } end " + attr_reader :params - def initialize(opts = {}) + def initialize(params = {}) # Call the parent class constructor - super(opts) - @project = opts[:project] - @role = opts[:role] + super(params.merge({ use_http_transport: true })) + @project = params[:project] + @params = params + @role = params[:role] @iam_binding_exists = false @members_list=[] - catch_gcp_errors do - # NOTE: this is the same call as for the plural iam_bindings resource because there isn't an easy way to pull out a singular binding - @iam_bindings = @gcp.gcp_project_client.get_project_iam_policy(@project) - raise Inspec::Exceptions::ResourceFailed, "google_project_iam_binding is missing expected IAM policy 'bindings' property" if !@iam_bindings || !@iam_bindings.bindings - @iam_bindings.bindings.each do |binding| - next if binding.role != @role - @iam_binding_exists=true - @members_list=binding.members - end + # NOTE: this is the same call as for the plural iam_bindings resource because there isn't an easy way to pull out a singular binding + @fetched = @connection.fetch(product_url, resource_base_url, params, 'Post') + @bindings = GoogleInSpec::Iam::Property::IamPolicyBindingsArray.parse(@fetched['bindings'], to_s) + raise Inspec::Exceptions::ResourceFailed, "google_project_iam_binding is missing expected IAM policy 'bindings' property" if !@bindings + @bindings.each do |binding| + next if binding.role != @role.to_s + @iam_binding_exists=true + @members_list=binding.members end end @@ -44,5 +45,15 @@ def exists? def to_s "Project IAM Binding #{@role}" end + + private + + def product_url + 'https://cloudresourcemanager.googleapis.com/v1/' + end + + def resource_base_url + 'projects/{{project}}:getIamPolicy' + end end end 
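Review bot: The `raise Inspec::Exceptions::ResourceFailed` check runs after `IamPolicyBindingsArray.parse(@fetched['bindings'], to_s)`, so a nil `@fetched` fails with NoMethodError instead of the intended ResourceFailed, and whether `parse` returns nil for a missing `bindings` key is not visible here. Move the check ahead of the parse and test the response itself: `raise Inspec::Exceptions::ResourceFailed, "google_project_iam_binding is missing expected IAM policy 'bindings' property" if !@fetched || !@fetched['bindings']`. The loop's `@members_list=binding.members` keeps the last binding matching `@role`, which is fine as long as a role appears once per policy.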
diff --git a/libraries/google_project_iam_bindings.rb b/libraries/google_project_iam_bindings.rb index 8a5f29929..660188666 100644 --- a/libraries/google_project_iam_bindings.rb +++ b/libraries/google_project_iam_bindings.rb @@ -1,4 +1,4 @@ -# frozen_string_literal: true +# frozen_string_literal: false require 'gcp_backend' @@ -13,28 +13,51 @@ class GoogleProjectIAMBindings < GcpResourceBase ... end " + attr_reader :params + attr_reader :table - def initialize(opts = {}) + def initialize(params = {}) # Call the parent class constructor - super(opts) - @project = opts[:project] + super(params.merge({ use_http_transport: true })) + @params = params + @project = params[:project] + @iam_binding_exists = false + @fetched = @connection.fetch(product_url, resource_base_url, params, 'Post') + parse unless @fetched.nil? end # FilterTable setup filter_table_config = FilterTable.create filter_table_config.add(:iam_binding_roles, field: :iam_binding_role) - filter_table_config.connect(self, :fetch_data) + filter_table_config.connect(self, :table) - def fetch_data + def parse iam_binding_rows = [] - catch_gcp_errors do - @iam_bindings = @gcp.gcp_project_client.get_project_iam_policy(@project) - end - return [] if !@iam_bindings || !@iam_bindings.bindings - @iam_bindings.bindings.map do |iam_binding| + @bindings = GoogleInSpec::Iam::Property::IamPolicyBindingsArray.parse(@fetched['bindings'], to_s) + return [] if !@bindings + @bindings.map do |iam_binding| iam_binding_rows+=[{ iam_binding_role: iam_binding.role }] end + @iam_binding_exists=true @table = iam_binding_rows end + + def exists? + @iam_binding_exists + end + + def to_s + "Project IAM Binding #{@role}" + end + + private + + def product_url + 'https://cloudresourcemanager.googleapis.com/v1/' + end + + def resource_base_url + 'projects/{{project}}:getIamPolicy' + end end end diff --git a/libraries/google_project_logging_audit_config.rb b/libraries/google_project_logging_audit_config.rb index 2b604dd13..e62632837 100644 
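Review bot: The new `to_s` interpolates `@role`, which nothing in this plural resource assigns, so it renders as `Project IAM Binding ` — it looks copied from the singular resource; `"Project IAM Bindings #{@project}"` names what this object is. `parse` also passes `@fetched['bindings']` straight to `IamPolicyBindingsArray.parse` without the `!@fetched['bindings']` guard the KMS and storage siblings in this commit have, so a policy with no bindings depends on how `parse` handles nil. Note that `@iam_binding_exists=true` is set whenever a response was parsed, even for an empty policy, which is the reasonable meaning for `exists?` on a project but worth a comment.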
--- a/libraries/google_project_logging_audit_config.rb +++ b/libraries/google_project_logging_audit_config.rb @@ -1,4 +1,4 @@ -# frozen_string_literal: true +# frozen_string_literal: false require 'gcp_backend' 
@@ -12,29 +12,29 @@ class GoogleProjectLoggingAuditConfig < GcpResourceBase it { should exist } end " + attr_reader :params - def initialize(opts = {}) + def initialize(params = {}) # Call the parent class constructor - super(opts) - @project = opts[:project] - catch_gcp_errors do - @audit_logging_configs = @gcp.gcp_project_client.get_project_iam_policy(@project) - @default_types = [] - @default_exempted_members = {} - if defined?(@audit_logging_configs.audit_configs) && @audit_logging_configs.audit_configs.instance_of?(::Array) - @audit_logging_configs.audit_configs.each do |service_config| - next if service_config.service != 'allServices' - service_config.audit_log_configs.each do |config| - @default_types+=[config.log_type] - @default_exempted_members[config.log_type]=config.exempted_members if defined?(config.exempted_members) && !config.exempted_members.nil? - end - end + super(params.merge({ use_http_transport: true })) + @project = params[:project] + @fetched = @connection.fetch(product_url, resource_base_url, params, 'Post') + @default_types = [] + @default_exempted_members = {} + return unless defined?(@fetched['auditConfigs']) && @fetched['auditConfigs'].instance_of?(::Array) + @audit_logging_configs = GoogleInSpec::Iam::Property::IamPolicyAuditConfigsArray.parse(@fetched['auditConfigs'], to_s) + + @audit_logging_configs.each do |service_config| + next if service_config.service != 'allServices' + service_config.audit_log_configs.each do |config| + @default_types+=[config.log_type] + @default_exempted_members[config.log_type]=config.exempted_members if defined?(config.exempted_members) && !config.exempted_members.nil? end end end def exists? - defined?(@audit_logging_configs.audit_configs) && !@audit_logging_configs.audit_configs.nil? + defined?(@audit_logging_configs) && !@audit_logging_configs.nil? end attr_reader :default_types 
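Review bot: `return unless defined?(@fetched['auditConfigs']) && ...` relies on `defined?` of a method call to act as a nil guard for `@fetched`, which reads as a check on the hash key; the intent is clearer as `return unless @fetched && @fetched['auditConfigs'].instance_of?(::Array)`. With that early return a failed fetch leaves `@audit_logging_configs` unset so `exists?` is false, indistinguishable from a project with no audit config; if `@connection.fetch` returns nil rather than raising on an error (not visible here), raising `Inspec::Exceptions::ResourceFailed` would keep a permission problem from reading as a policy finding. The constructor's closing `end` is inside the hunk.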
@@ -48,5 +48,15 @@ def has_default_exempted_members? def to_s "Logging Audit Config For #{@project}" end + + private + + def product_url + 'https://cloudresourcemanager.googleapis.com/v1/' + end + + def resource_base_url + 'projects/{{project}}:getIamPolicy' + end end end diff --git a/libraries/google_storage_bucket_iam_bindings.rb b/libraries/google_storage_bucket_iam_bindings.rb index 6ecb0f341..56d9cd7d3 100644 --- a/libraries/google_storage_bucket_iam_bindings.rb +++ b/libraries/google_storage_bucket_iam_bindings.rb @@ -1,4 +1,4 @@ -# frozen_string_literal: true +# frozen_string_literal: false require 'gcp_backend' 
@@ -13,28 +13,45 @@ class GoogleStorageBucketIamBindings < GcpResourceBase ... end " + attr_reader :params + attr_reader :table - def initialize(opts = {}) + def initialize(params = {}) # Call the parent class constructor - super(opts) - @bucket = opts[:bucket] + super(params.merge({ use_http_transport: true })) + @params = params + @bucket = params[:bucket] + @fetched = @connection.fetch(product_url, resource_base_url, params, 'Get') + parse unless @fetched.nil? end # FilterTable setup filter_table_config = FilterTable.create filter_table_config.add(:iam_binding_roles, field: :iam_binding_role) - filter_table_config.connect(self, :fetch_data) + filter_table_config.connect(self, :table) - def fetch_data + def parse iam_binding_rows = [] - catch_gcp_errors do - @iam_bindings = @gcp.gcp_storage_client.get_bucket_iam_policy(@bucket) - end - return [] if !@iam_bindings || !@iam_bindings.bindings - @iam_bindings.bindings.map do |iam_binding| + return [] if !@fetched || !@fetched['bindings'] + @bindings = GoogleInSpec::Iam::Property::IamPolicyBindingsArray.parse(@fetched['bindings'], to_s) + @bindings.map do |iam_binding| iam_binding_rows+=[{ iam_binding_role: iam_binding.role }] end @table = iam_binding_rows end + + def to_s + "Bucket IamBinding #{@params[:bucket]} Role: #{@params[:role]}" + end + + private + + def product_url + 'https://storage.googleapis.com/storage/v1/' + end + + def resource_base_url + 'b/{{bucket}}/iam' + end end end diff --git a/libraries/google_user.rb b/libraries/google_user.rb index 81be96b6e..b416ccec5 100644 --- a/libraries/google_user.rb +++ b/libraries/google_user.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true require 'gcp_backend' -require 'google/apis/admin_directory_v1' +require 'google-apis-admin_directory_v1' module Inspec::Resources class GoogleUser < GcpResourceBase diff --git a/libraries/google_users.rb b/libraries/google_users.rb index af3332101..7f8bceace 100644 --- a/libraries/google_users.rb +++ b/libraries/google_users.rb 
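Review bot: The added `to_s` prints `Bucket IamBinding ... Role: #{@params[:role]}` for a plural bindings resource that takes no `role` parameter, so the role is always blank and the name is misleading in failure output; `"Bucket IamBindings #{@bucket}"` matches what the resource represents. Everything else in the hunk follows the KMS crypto-key resource, including its unassigned `@table` path.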
@@ -1,7 +1,7 @@ # frozen_string_literal: true require 'gcp_backend' -require 'google/apis/admin_directory_v1' +require 'google-apis-admin_directory_v1' module Inspec::Resources class GoogleUsers < GcpResourceBase