[Security Policies] Tidy up test data generators

elastic#293 ---NOTE--- This is an imported commit, it was initially committed to the csp-security-policies repo which was then merged into cloudbeat. See: elastic/cloudbeat#1405
orestisfl · Oct 12, 2023 · 6870bb7 · 6870bb7
1 parent 76988ee
commit 6870bb7
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 76 deletions.
diff --git a/bundle/compliance/cis_gcp/rules/cis_1_7/test.rego b/bundle/compliance/cis_gcp/rules/cis_1_7/test.rego
@@ -9,12 +9,24 @@ date_within_last_90_days := time.format(time.add_date(time.now_ns(), 0, 0, -2))
 
 date_before_last_90_days := time.format(time.add_date(time.now_ns(), 0, 0, -91))
 
+type := "identity-management"
+
+subType := "gcp-iam-service-account-key"
+
 test_violation {
-	eval_fail with input as test_data.generate_iam_service_account_key({"validAfterTime": date_before_last_90_days})
+	eval_fail with input as test_data.generate_gcp_asset(
+		type, subType,
+		{"data": {"validAfterTime": date_before_last_90_days}},
+		{},
+	)
 }
 
 test_pass {
-	eval_pass with input as test_data.generate_iam_service_account_key({"validAfterTime": date_within_last_90_days})
+	eval_pass with input as test_data.generate_gcp_asset(
+		type, subType,
+		{"data": {"validAfterTime": date_within_last_90_days}},
+		{},
+	)
 }
 
 test_not_evaluated {

diff --git a/bundle/compliance/cis_gcp/test_data.rego b/bundle/compliance/cis_gcp/test_data.rego
@@ -1,17 +1,5 @@
 package cis_gcp.test_data
 
-generate_iam_policy(members, role) = {
-	"resource": {
-		"resource": {},
-		"iam_policy": {"bindings": [{
-			"role": role,
-			"members": members,
-		}]},
-	},
-	"type": "key-management",
-	"subType": "gcp-iam-service-account",
-}
-
 generate_gcp_asset(type, subtype, resource, iam_policy) = {
 	"resource": {
 		"resource": resource,
@@ -21,6 +9,13 @@ generate_gcp_asset(type, subtype, resource, iam_policy) = {
 	"subType": subtype,
 }
 
+generate_iam_policy(members, role) = generate_gcp_asset(
+	"key-management",
+	"gcp-iam-service-account",
+	{},
+	{"bindings": [{"role": role, "members": members}]},
+)
+
 generate_monitoring_asset(log_metrics, alerts) = {
 	"resource": {
 		"log_metrics": log_metrics,
@@ -30,70 +25,44 @@ generate_monitoring_asset(log_metrics, alerts) = {
 	"subType": "gcp-monitoring",
 }
 
-generate_kms_resource(members, rotationPeriod, nextRotationTime, primary) = {
-	"resource": {
-		"resource": {"data": {
-			"nextRotationTime": nextRotationTime,
-			"rotationPeriod": rotationPeriod,
-			"primary": primary,
-		}},
-		"iam_policy": {"bindings": [{
-			"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
-			"members": members,
-		}]},
-	},
-	"type": "key-management",
-	"subType": "gcp-cloudkms-crypto-key",
-}
+generate_kms_resource(members, rotationPeriod, nextRotationTime, primary) = generate_gcp_asset(
+	"key-management",
+	"gcp-cloudkms-crypto-key",
+	{"data": {"nextRotationTime": nextRotationTime, "rotationPeriod": rotationPeriod, "primary": primary}},
+	{"bindings": [{"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": members}]},
+)
 
-generate_gcs_resource(members, isBucketLevelAccessEnabled) = {
-	"resource": {
-		"resource": {"data": {"iamConfiguration": {"uniformBucketLevelAccess": {"enabled": isBucketLevelAccessEnabled}}}},
-		"iam_policy": {"bindings": [{
-			"role": "roles/storage.objectViewer",
-			"members": members,
-		}]},
-	},
-	"type": "cloud-storage",
-	"subType": "gcp-storage-bucket",
-}
+generate_gcs_resource(members, isBucketLevelAccessEnabled) = generate_gcp_asset(
+	"cloud-storage",
+	"gcp-storage-bucket",
+	{"data": {"iamConfiguration": {"uniformBucketLevelAccess": {"enabled": isBucketLevelAccessEnabled}}}},
+	{"bindings": [{"role": "roles/storage.objectViewer", "members": members}]},
+)
 
-generate_bq_resource(config, subType, members) = {
-	"resource": {
-		"resource": {"data": {"defaultEncryptionConfiguration": config}},
-		"iam_policy": {"bindings": [{
-			"role": "roles/bigquery.dataViewer",
-			"members": members,
-		}]},
-	},
-	"type": "cloud-storage",
-	"subType": subType,
-}
-
-generate_compute_resource(subType, info) = {
-	"resource": {"resource": {"data": info}},
-	"type": "cloud-compute",
-	"subType": subType,
-}
+generate_bq_resource(config, subType, members) = generate_gcp_asset(
+	"cloud-storage",
+	subType,
+	{"data": {"defaultEncryptionConfiguration": config}},
+	{"bindings": [{"role": "roles/bigquery.dataViewer", "members": members}]},
+)
 
-generate_iam_service_account_key(resourceData) = {
-	"resource": {
-		"resource": {"data": resourceData},
-		"iam_policy": {},
-	},
-	"type": "kidentity-management",
-	"subType": "gcp-iam-service-account-key",
-}
+generate_compute_resource(subType, info) = generate_gcp_asset(
+	"cloud-compute",
+	subType,
+	{"data": info},
+	{},
+)
 
-not_eval_resource = {
-	"resource": {},
-	"type": "key-management",
-	"subType": "no-exisitng-type",
-}
+not_eval_resource = generate_gcp_asset(
+	"key-management",
+	"non-existing-subtype",
+	{},
+	{},
+)
 
-# missing resource.iam_policy
-no_policy_resource = {
-	"resource": {"resource": {}},
-	"type": "key-management",
-	"subType": "gcp-iam",
-}
+no_policy_resource = generate_gcp_asset(
+	"key-management",
+	"gcp-iam",
+	{},
+	null, # missing resource.iam_policy
+)