From 881aad84cac5a8b9f0338e5bf07f8f082b5aa62d Mon Sep 17 00:00:00 2001
From: Stuart Paterson
Date: Wed, 5 Sep 2018 14:54:45 +0100
Subject: [PATCH 1/4] Added helper method for block ssh keys.

Signed-off-by: Stuart Paterson
---
 libraries/google_compute_instance.rb | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/libraries/google_compute_instance.rb b/libraries/google_compute_instance.rb
index 9e2351a4c..c205b63b4 100644
--- a/libraries/google_compute_instance.rb
+++ b/libraries/google_compute_instance.rb
@@ -110,6 +110,20 @@ def labels_values
 labels.item.values
 end
 
+ def service_account_scopes
+ # note instances can have only one service account defined
+ return [] if !defined?(@instance.service_accounts[0].scopes)
+ @instance.service_accounts[0].scopes
+ end
+
+ def block_project_ssh_keys
+ return false if !defined?(@instance.metadata.items)
+ @instance.metadata.items.each do |element|
+ return true if element.key=='block-project-ssh-keys' and element.value='true'
+ end
+ false
+ end
+
 def exists?
 !@instance.nil?
 end
From 9559c1d44cf69303d30373335f5a7e25a03a30ab Mon Sep 17 00:00:00 2001
From: Stuart Paterson
Date: Wed, 5 Sep 2018 15:40:44 +0100
Subject: [PATCH 2/4] Added google_compute_project_info resource. Updated helper in instance.

Signed-off-by: Stuart Paterson
---
 docs/resources/google_compute_project_info.md | 49 +++++++++++++++++++
 libraries/google_compute_instance.rb | 2 +-
 libraries/google_compute_project_info.rb | 47 ++++++++++++++++++
 .../controls/google_compute_project_info.rb | 14 ++++++
 4 files changed, 111 insertions(+), 1 deletion(-)
 create mode 100644 docs/resources/google_compute_project_info.md
 create mode 100644 libraries/google_compute_project_info.rb
 create mode 100644 test/integration/verify/controls/google_compute_project_info.rb

diff --git a/docs/resources/google_compute_project_info.md b/docs/resources/google_compute_project_info.md
new file mode 100644
index 000000000..903032a48
--- /dev/null
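Review bot: `defined?(@instance.metadata.items)` in block_project_ssh_keys only checks that the method chain resolves, not that `items` is non-nil, so an instance whose metadata carries no items (which the API client may well represent as a nil `items`) makes the following `.each` raise NoMethodError instead of returning false. A nil-aware guard such as `return false if @instance.metadata.nil? || @instance.metadata.items.nil?` is what the check needs; the same pattern recurs in has_serial_port_disabled? (patch 3) and in has_enabled_oslogin? of google_compute_project_info.rb (patch 2). The `element.value='true'` assignment on the comparison line is corrected later in this series, so it is not raised here. Both new methods would benefit from a one-line YARD comment, e.g. `# @return [Boolean] true when instance metadata sets block-project-ssh-keys to true`. The enclosing class starts and ends outside the hunk.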
+++ b/docs/resources/google_compute_project_info.md @@ -0,0 +1,49 @@ +--- +title: About the google_compute_project_info Resource +platform: gcp +--- + +# google\_compute\_project\_info + +Use the `google_compute_project_info` InSpec audit resource to test GCP compute project information. + +
+ +## Syntax + +A `google_compute_project_info` resource block declares the tests for GCP compute project information by project identifier. + + describe google_compute_project_info(project: 'chef-inspec-gcp') do + its('name') { should match 'chef-inspec-gcp' } + end + +
+ +## Examples + +The following examples show how to use this InSpec audit resource. + +### Test that GCP compute project information exists + + describe google_compute_project_info(project: 'chef-inspec-gcp') do + it { should exist } + end + +### Test that GCP compute project default service account is as expected + + describe google_compute_project_info(project: 'chef-inspec-gcp') do + its('default_service_account') { should eq '12345-compute@developer.gserviceaccount.com' } + end + +
+ +## Properties + +* `common_instance_metadata`, `creation_timestamp`, `creation_timestamp_date`, `default_service_account`, `id`, `kind`, `name`, `quotas`, `xpn_project_status` + +
+ + +## GCP Permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the project where the resource is located. \ No newline at end of file diff --git a/libraries/google_compute_instance.rb b/libraries/google_compute_instance.rb index c205b63b4..5a0347f6d 100644 --- a/libraries/google_compute_instance.rb +++ b/libraries/google_compute_instance.rb @@ -119,7 +119,7 @@ def service_account_scopes def block_project_ssh_keys return false if !defined?(@instance.metadata.items) @instance.metadata.items.each do |element| - return true if element.key=='block-project-ssh-keys' and element.value='true' + return true if element.key=='block-project-ssh-keys' and element.value.casecmp('true').zero? end false end diff --git a/libraries/google_compute_project_info.rb b/libraries/google_compute_project_info.rb new file mode 100644 index 000000000..045378838 --- /dev/null +++ b/libraries/google_compute_project_info.rb 
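Review bot: The corrected comparison still calls `casecmp` on `element.value` directly, so if a metadata item can arrive without a value (nil) the line raises NoMethodError rather than treating the item as not matching; `element.value.to_s.casecmp('true').zero?` keeps the case-insensitive match and tolerates nil. As a point of style, the line mixes `and` with a modifier `if` and omits spaces around `==`; `return true if element.key == 'block-project-ssh-keys' && element.value.to_s.casecmp('true').zero?` reads the same and avoids the `and` precedence trap. The rest of block_project_ssh_keys is context in this hunk, and the enclosing class starts and ends outside it.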
@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+
+module Inspec::Resources
+ class GoogleComputeProjectInfo < GcpResourceBase
+ name 'google_compute_project_info'
+ desc 'Verifies settings for GCP Compute Project Info'
+
+ example "
+ describe google_compute_project_info(project: 'chef-inspec-gcp') do
+ it { should exist }
+ end
+ "
+
+ def initialize(opts = {})
+ # Call the parent class constructor
+ super(opts)
+ @display_name = opts[:project]
+ catch_gcp_errors do
+ @project_info = @gcp.gcp_compute_client.get_project(opts[:project])
+ create_resource_methods(@project_info)
+ end
+ end
+
+ def has_enabled_oslogin?
+ return false if !defined?(@project_info.common_instance_metadata.items)
+ @project_info.common_instance_metadata.items.each do |element|
+ return true if element.key=='enable-oslogin' and element.value.casecmp('true').zero?
+ end
+ false
+ end
+
+ def creation_timestamp_date
+ return false if !defined?(creation_timestamp)
+ Time.parse(creation_timestamp.to_s)
+ end
+
+ def exists?
+ !@project_info.nil?
+ end
+
+ def to_s
+ "Compute Project Info #{@display_name}"
+ end
+ end
+end
diff --git a/test/integration/verify/controls/google_compute_project_info.rb b/test/integration/verify/controls/google_compute_project_info.rb
new file mode 100644
index 000000000..b4ca9e87c
--- /dev/null
+++ b/test/integration/verify/controls/google_compute_project_info.rb
@@ -0,0 +1,14 @@
+title 'Test GCP Compute Project Info'
+
+gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
+
+control 'gcp-compute-project-info-1.0' do
+
+ impact 1.0
+ title 'Ensure GCP Compute Project Info has the correct properties.'
+
+ describe google_compute_project_info(project: gcp_project_id) do
+ it { should exist }
+ its('name') { should eq gcp_project_id }
+ end
+end
\ No newline at end of file
From aea7dc8a7b2c99ecd86044cf5e294c0b61e789fd Mon Sep 17 00:00:00 2001
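Review bot: creation_timestamp_date calls `Time.parse`, which lives in the `time` standard library rather than in core Ruby, and this file only requires `gcp_backend`; unless that backend (or a gem it loads) already requires `time`, the method raises NoMethodError, so an explicit `require 'time'` next to the existing require is the safe fix. The method also returns `false` when the timestamp is absent but a `Time` otherwise, so callers must branch on type; returning `nil` in the absent case would be the conventional shape. has_enabled_oslogin? deserves a comment stating its scope, since it reads only project-level common_instance_metadata and, as far as I recall, an instance can override `enable-oslogin` in its own metadata: `# Project-level setting only; instance metadata may override enable-oslogin, so pair with an instance check`. The nil-`items` weakness of the `defined?` guard is raised on the first patch of this series.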
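Review bot: The control asserts only existence and `name`, so the new has_enabled_oslogin? predicate in google_compute_project_info.rb — the security-relevant part of this patch — is not exercised by the integration suite. An `it { should have_enabled_oslogin }` expectation (or its negation, depending on how the test project is configured) would cover it. `gcp_project_id` defaulting to `''` also means a missing attribute surfaces only as an API error rather than a clear message; a `required: true` attribute or a non-empty check before the describe block would make that failure explicit.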
From: Stuart Paterson
Date: Wed, 5 Sep 2018 15:58:42 +0100
Subject: [PATCH 3/4] Added helper for serial ports to instance.

Signed-off-by: Stuart Paterson
---
 libraries/google_compute_instance.rb | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/libraries/google_compute_instance.rb b/libraries/google_compute_instance.rb
index 5a0347f6d..be8a27cf3 100644
--- a/libraries/google_compute_instance.rb
+++ b/libraries/google_compute_instance.rb
@@ -124,6 +124,15 @@ def block_project_ssh_keys
 false
 end
 
+ def has_serial_port_disabled?
+ return false if !defined?(@instance.metadata.items)
+ @instance.metadata.items.each do |element|
+ return true if element.key=='serial-port-enable' and element.value.casecmp('false').zero?
+ return true if element.key=='serial-port-enable' and element.value=='0'
+ end
+ false
+ end
+
 def exists?
 !@instance.nil?
 end
From 5cfacf25e8a3dab6e77d838c78f285d1a8ee6cdc Mon Sep 17 00:00:00 2001
From: Stuart Paterson
Date: Wed, 5 Sep 2018 17:06:53 +0100
Subject: [PATCH 4/4] Add csek helper method.

Signed-off-by: Stuart Paterson
---
 libraries/google_compute_instance.rb | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/libraries/google_compute_instance.rb b/libraries/google_compute_instance.rb
index be8a27cf3..ffe144ab7 100644
--- a/libraries/google_compute_instance.rb
+++ b/libraries/google_compute_instance.rb
@@ -133,6 +133,17 @@ def has_serial_port_disabled?
 false
 end
 
+ def has_disks_encrypted_with_csek?
+ return false if !defined?(@instance.disks)
+ @instance.disks.each do |disk|
+ return false if !defined?(disk.disk_encryption_key)
+ return false if disk.disk_encryption_key.nil?
+ return false if !defined?(disk.disk_encryption_key.sha256)
+ return false if disk.disk_encryption_key.sha256.nil?
+ end
+ true
+ end
+
 def exists?
 !@instance.nil?
 end
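Review bot: has_serial_port_disabled? returns false when the `serial-port-enable` key is absent from instance metadata, although, as far as I recall, Compute Engine's default when the key is unset is serial-port access disabled, so a control asserting `should have_serial_port_disabled` would fail on instances sitting in the secure default state. If the helper is meant to report effective state, the absent-key case should yield true (and only a present key with a truthy value should yield false); if it is deliberately "explicitly disabled", the name and a comment should say so, e.g. `# true only when instance metadata explicitly sets serial-port-enable to false/0; absent key returns false`. Either way, project-level metadata can also carry this key and is not consulted here, which is worth a comment. The two `return true` lines can collapse into `return true if element.key == 'serial-port-enable' && %w[false 0].include?(element.value.to_s.downcase)`. The enclosing class starts and ends outside the hunk.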
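Review bot: has_disks_encrypted_with_csek? returns true for an instance with no attached disks, because the `.each` body never runs and the method falls through to `true`; in addition, `defined?(@instance.disks)` is truthy even when `disks` is nil, so `nil.each` would raise. A guard of `return false if @instance.disks.nil? || @instance.disks.empty?` closes both gaps, after which the per-disk checks reduce to `@instance.disks.all? { |disk| disk.disk_encryption_key && disk.disk_encryption_key.sha256 }`. The `sha256` field identifies a customer-supplied key (CSEK) only, so a disk encrypted with a Cloud KMS-managed key returns false here — consistent with the method name, but worth stating: `# CSEK only: disks encrypted with a Cloud KMS key are not counted`. The enclosing class starts and ends outside the hunk.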