From 5c175ec3dd90c8b71e62ff5c6566cab626036721 Mon Sep 17 00:00:00 2001
From: Or Ouziel
Date: Sun, 10 Sep 2023 11:18:12 +0300
Subject: [PATCH] [Security Policies] Tidy up test data generators (#293)

---
 .../cis_gcp/rules/cis_1_7/test.rego      |  16 ++-
 bundle/compliance/cis_gcp/test_data.rego | 117 +++++++-----------
 2 files changed, 57 insertions(+), 76 deletions(-)

diff --git a/bundle/compliance/cis_gcp/rules/cis_1_7/test.rego b/bundle/compliance/cis_gcp/rules/cis_1_7/test.rego
index 06c438f4..25bb3540 100644
--- a/bundle/compliance/cis_gcp/rules/cis_1_7/test.rego
+++ b/bundle/compliance/cis_gcp/rules/cis_1_7/test.rego
@@ -9,12 +9,24 @@
 date_within_last_90_days := time.format(time.add_date(time.now_ns(), 0, 0, -2))
 date_before_last_90_days := time.format(time.add_date(time.now_ns(), 0, 0, -91))
 
+type := "identity-management"
+
+subType := "gcp-iam-service-account-key"
+
 test_violation {
-	eval_fail with input as test_data.generate_iam_service_account_key({"validAfterTime": date_before_last_90_days})
+	eval_fail with input as test_data.generate_gcp_asset(
+		type, subType,
+		{"data": {"validAfterTime": date_before_last_90_days}},
+		{},
+	)
 }
 
 test_pass {
-	eval_pass with input as test_data.generate_iam_service_account_key({"validAfterTime": date_within_last_90_days})
+	eval_pass with input as test_data.generate_gcp_asset(
+		type, subType,
+		{"data": {"validAfterTime": date_within_last_90_days}},
+		{},
+	)
 }
 
 test_not_evaluated {
diff --git a/bundle/compliance/cis_gcp/test_data.rego b/bundle/compliance/cis_gcp/test_data.rego
index 3eabddc3..24e0daf7 100644
--- a/bundle/compliance/cis_gcp/test_data.rego
+++ b/bundle/compliance/cis_gcp/test_data.rego
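Review bot: `type` and `subType` are introduced as package-level rules of the test file rather than test-local constants, so if this test shares its package with the rule they are exported next to the rule's own documents, and `type` reads like a keyword even though Rego does not reserve it; `asset_type := "identity-management"` and `asset_subtype := "gcp-iam-service-account-key"`, or inlining the two strings at the call sites, would avoid both. The value also silently replaces the `kidentity-management` the removed generator emitted, so a comment such as `# asset type/subType the cis_1_7 rule is written for; keep in step with the rule` would record why the constant exists. The new inputs still only exercise keys created 2 and 91 days ago; a fixture at exactly 90 days would pin the boundary the rule enforces. The body of `test_not_evaluated` lies outside the hunk.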
@@ -1,17 +1,5 @@
 package cis_gcp.test_data
 
-generate_iam_policy(members, role) = {
-	"resource": {
-		"resource": {},
-		"iam_policy": {"bindings": [{
-			"role": role,
-			"members": members,
-		}]},
-	},
-	"type": "key-management",
-	"subType": "gcp-iam-service-account",
-}
-
 generate_gcp_asset(type, subtype, resource, iam_policy) = {
 	"resource": {
 		"resource": resource,
@@ -21,6 +9,13 @@ generate_gcp_asset(type, subtype, resource, iam_policy) = {
 	"subType": subtype,
 }
 
+generate_iam_policy(members, role) = generate_gcp_asset(
+	"key-management",
+	"gcp-iam-service-account",
+	{},
+	{"bindings": [{"role": role, "members": members}]},
+)
+
 generate_monitoring_asset(log_metrics, alerts) = {
 	"resource": {
 		"log_metrics": log_metrics,
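Review bot: `generate_iam_policy` now differs from its sibling generators only in the fixed type/subType pair it passes, yet nothing documents that it returns a complete asset rather than the IAM policy its name suggests, so the name is the only hint for the next reader. A one-line header such as `# Service-account asset (key-management / gcp-iam-service-account) whose iam_policy holds a single role -> members binding` would make the generator self-describing, and the same kind of header would suit the other delegating generators in this file. The `generate_gcp_asset` definition it delegates to begins outside this hunk.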
@@ -30,70 +25,44 @@ generate_monitoring_asset(log_metrics, alerts) = {
 	"subType": "gcp-monitoring",
 }
 
-generate_kms_resource(members, rotationPeriod, nextRotationTime, primary) = {
-	"resource": {
-		"resource": {"data": {
-			"nextRotationTime": nextRotationTime,
-			"rotationPeriod": rotationPeriod,
-			"primary": primary,
-		}},
-		"iam_policy": {"bindings": [{
-			"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
-			"members": members,
-		}]},
-	},
-	"type": "key-management",
-	"subType": "gcp-cloudkms-crypto-key",
-}
+generate_kms_resource(members, rotationPeriod, nextRotationTime, primary) = generate_gcp_asset(
+	"key-management",
+	"gcp-cloudkms-crypto-key",
+	{"data": {"nextRotationTime": nextRotationTime, "rotationPeriod": rotationPeriod, "primary": primary}},
+	{"bindings": [{"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": members}]},
+)
 
-generate_gcs_resource(members, isBucketLevelAccessEnabled) = {
-	"resource": {
-		"resource": {"data": {"iamConfiguration": {"uniformBucketLevelAccess": {"enabled": isBucketLevelAccessEnabled}}}},
-		"iam_policy": {"bindings": [{
-			"role": "roles/storage.objectViewer",
-			"members": members,
-		}]},
-	},
-	"type": "cloud-storage",
-	"subType": "gcp-storage-bucket",
-}
+generate_gcs_resource(members, isBucketLevelAccessEnabled) = generate_gcp_asset(
+	"cloud-storage",
+	"gcp-storage-bucket",
+	{"data": {"iamConfiguration": {"uniformBucketLevelAccess": {"enabled": isBucketLevelAccessEnabled}}}},
+	{"bindings": [{"role": "roles/storage.objectViewer", "members": members}]},
+)
 
-generate_bq_resource(config, subType, members) = {
-	"resource": {
-		"resource": {"data": {"defaultEncryptionConfiguration": config}},
-		"iam_policy": {"bindings": [{
-			"role": "roles/bigquery.dataViewer",
-			"members": members,
-		}]},
-	},
-	"type": "cloud-storage",
-	"subType": subType,
-}
-
-generate_compute_resource(subType, info) = {
-	"resource": {"resource": {"data": info}},
-	"type": "cloud-compute",
-	"subType": subType,
-}
+generate_bq_resource(config, subType, members) = generate_gcp_asset(
+	"cloud-storage",
+	subType,
+	{"data": {"defaultEncryptionConfiguration": config}},
+	{"bindings": [{"role": "roles/bigquery.dataViewer", "members": members}]},
+)
 
-generate_iam_service_account_key(resourceData) = {
-	"resource": {
-		"resource": {"data": resourceData},
-		"iam_policy": {},
-	},
-	"type": "kidentity-management",
-	"subType": "gcp-iam-service-account-key",
-}
+generate_compute_resource(subType, info) = generate_gcp_asset(
+	"cloud-compute",
+	subType,
+	{"data": info},
+	{},
+)
 
-not_eval_resource = {
-	"resource": {},
-	"type": "key-management",
-	"subType": "no-exisitng-type",
-}
+not_eval_resource = generate_gcp_asset(
+	"key-management",
+	"non-existing-subtype",
+	{},
+	{},
+)
 
-# missing resource.iam_policy
-no_policy_resource = {
-	"resource": {"resource": {}},
-	"type": "key-management",
-	"subType": "gcp-iam",
-}
+no_policy_resource = generate_gcp_asset(
+	"key-management",
+	"gcp-iam",
+	{},
+	null, # missing resource.iam_policy
+)
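Review bot: `no_policy_resource` no longer models a missing `resource.iam_policy`: `generate_gcp_asset` always emits the key, so the fixture now carries `"iam_policy": null` where the removed literal omitted the key entirely, and the trailing `# missing resource.iam_policy` describes the old shape rather than this value. A rule that detects the absent policy with `not input.resource.iam_policy` or `object.get(input.resource, "iam_policy", {})` sees a defined null instead of an undefined path (`not` fails on a defined value and `object.get` returns the null rather than the default), so not-evaluated tests built on this fixture can pass or fail for the wrong reason. Removing the key after construction keeps the fixture faithful to its comment: `no_policy_resource = json.remove(generate_gcp_asset("key-management", "gcp-iam", {}, {}), ["resource/iam_policy"])`, with the comment moved above the rule. `not_eval_resource` has shifted shape the same way, gaining nested `resource` and `iam_policy` keys its old literal lacked, which is worth confirming against the rules that consume it.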