Add google_storage_bucket_object and google_storage_object_acl resources, update README and tf file.

Signed-off-by: Stuart Paterson <[email protected]>
Stuart Paterson committed Aug 15, 2018
1 parent f8bd897, commit f401f09
Showing 9 changed files with 306 additions and 17 deletions.
@@ -0,0 +1,70 @@ | ||
--- | ||
title: About the google_storage_bucket_object Resource | ||
platform: gcp | ||
--- | ||
|
||
# google\_storage\_bucket\_object | ||
|
||
Use the `google_storage_bucket_object` InSpec audit resource to test properties of a single GCP storage bucket object. | ||
|
||
<br> | ||
|
||
## Syntax | ||
|
||
A `google_storage_bucket_object` resource block declares the tests for a single GCP storage bucket object by bucket name and object name: | ||
|
||
describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do | ||
it { should exist } | ||
end | ||
|
||
<br> | ||
|
||
## Examples | ||
|
||
The following examples show how to use this InSpec audit resource. | ||
|
||
### Test that a GCP compute zone exists | ||
|
||
describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do | ||
it { should exist } | ||
end | ||
|
||
### Test that a GCP storage bucket object has non-zero size | ||
|
||
describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do | ||
its('size') { should be > 0 } | ||
end | ||
|
||
### Test that a GCP storage bucket object has the expected content type | ||
|
||
describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do | ||
its('content_type') { should eq "text/plain; charset=utf-8" } | ||
end | ||
|
||
|
||
### Test that a GCP storage bucket object was created within a certain time period | ||
|
||
describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do | ||
its('time_created_date') { should be > Time.now - 365*60*60*24*10 } | ||
end | ||
|
||
|
||
### Test that a GCP storage bucket object was last updated within a certain time period | ||
|
||
describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do | ||
its('updated_date') { should be > Time.now - 365*60*60*24*10 } | ||
end | ||
|
||
<br> | ||
|
||
## Properties | ||
|
||
* `bucket`, `content_type`, `crc32c`, `etag`, `generation`, `id`, `kind`, `md5_hash`, `media_link`, `metageneration`, `name`, `size`, `storage_class`, `time_created_date`, `time_storage_class_updated_date`, `updated_date` | ||
|
||
<br> | ||
|
||
|
||
## GCP Permissions | ||
|
||
Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled. |
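Review bot: the heading `### Test that a GCP compute zone exists` is a copy-paste leftover; it sits above a `google_storage_bucket_object` example and should read `### Test that a GCP storage bucket object exists`, matching the other headings in this file. The `## GCP Permissions` section only says the Cloud Storage API must be enabled; since the resource wraps a storage objects get call, the IAM permission the reader's service account needs should be listed here as well. Minor: both time-window examples use `Time.now - 365*60*60*24*10`, which is ten years; a window that loose does not show what `time_created_date` and `updated_date` are actually useful for, so either shorten it or add a comment stating the value.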
@@ -25,13 +25,13 @@ The following examples show how to use this InSpec audit resource. | |
|
||
### Test that a GCP storage bucket ACL exists | ||
|
||
describe google_storage_bucket_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do | ||
describe google_storage_default_object_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do | ||
it { should exist } | ||
end | ||
|
||
### Test that a GCP storage default object ACL has the expected role (READER, WRITER or OWNER) | ||
|
||
describe google_storage_bucket_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do | ||
describe google_storage_default_object_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do | ||
its('role') { should eq 'OWNER' } | ||
end | ||
|
||
|
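Review bot: the two example blocks now call `google_storage_default_object_acl`, which fixes the wrong resource name, but the heading above the first one still says `### Test that a GCP storage bucket ACL exists`; the second heading already says "default object ACL", so the first should be changed to `### Test that a GCP storage default object ACL exists` in the same hunk.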
@@ -0,0 +1,49 @@ | ||
--- | ||
title: About the google_storage_object_acl Resource | ||
platform: gcp | ||
--- | ||
|
||
# google\_storage\_object\_acl | ||
|
||
Use the `google_storage_object_acl` InSpec audit resource to test properties of a single GCP storage object ACL. See the [Google documentation for this here](https://cloud.google.com/storage/docs/access-control/lists) covering the possible values for 'entity' argument below. | ||
|
||
<br> | ||
|
||
## Syntax | ||
|
||
A `google_storage_object_acl` resource block declares the tests for a single GCP storage object ACL by bucket name, object name and entity. | ||
|
||
describe google_storage_object_acl(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq', entity: '[email protected]') do | ||
it { should exist } | ||
end | ||
|
||
<br> | ||
|
||
## Examples | ||
|
||
The following examples show how to use this InSpec audit resource. | ||
|
||
### Test that a GCP storage bucket ACL exists | ||
|
||
describe google_storage_object_acl(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq', entity: '[email protected]') do | ||
it { should exist } | ||
end | ||
|
||
### Test that a GCP storage object ACL has the expected role (READER, WRITER or OWNER) | ||
|
||
describe google_storage_object_acl(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq', entity: '[email protected]') do | ||
its('role') { should eq 'OWNER' } | ||
end | ||
|
||
<br> | ||
|
||
## Properties | ||
|
||
* `bucket`, `email`, `entity`, `etag`, `generation`, `id`, `kind`, `object`, `role` | ||
|
||
<br> | ||
|
||
|
||
## GCP Permissions | ||
|
||
Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled. |
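Review bot: the first example heading, `### Test that a GCP storage bucket ACL exists`, is copied from the bucket ACL doc and should say `storage object ACL` like the heading after it. That second heading's role list `(READER, WRITER or OWNER)` is also carried over from the bucket ACL page; Cloud Storage defines WRITER only for bucket ACLs, so an object ACL will only ever report READER or OWNER and the heading should say so. Since `entity:` decides whose access is being checked, one example asserting that a broad entity such as `allUsers` does not exist on the object would show the check most readers will reach for this resource to write; the linked Google ACL page lists the entity forms.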
@@ -0,0 +1,53 @@ | ||
# frozen_string_literal: true | ||
|
||
require 'gcp_backend' | ||
require 'time' | ||
|
||
module Inspec::Resources | ||
class GoogleStorageBucketObject < GcpResourceBase | ||
name 'google_storage_bucket_object' | ||
desc 'Verifies settings for a storage bucket object' | ||
|
||
example " | ||
describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do | ||
it { should exist } | ||
end | ||
" | ||
def initialize(opts = {}) | ||
# Call the parent class constructor | ||
super(opts) | ||
@bucket = opts[:bucket] | ||
@object = opts[:object] | ||
catch_gcp_errors do | ||
@bucket_object = @gcp.gcp_storage_client.get_object(@bucket, @object) | ||
@time_created = @bucket_object.time_created | ||
@time_updated = @bucket_object.updated | ||
@time_class_updated = @bucket_object.time_storage_class_updated | ||
create_resource_methods(@bucket_object) | ||
end | ||
end | ||
|
||
def updated_date | ||
return false if !defined?(@time_updated) | ||
Time.parse(@time_updated.to_s) | ||
end | ||
|
||
def time_storage_class_updated_date | ||
return false if !defined?(@time_class_updated) | ||
Time.parse(@time_class_updated.to_s) | ||
end | ||
|
||
def time_created_date | ||
return false if !defined?(@time_created) | ||
Time.parse(@time_created.to_s) | ||
end | ||
|
||
def exists? | ||
!@bucket_object.nil? | ||
end | ||
|
||
def to_s | ||
"Bucket object #{@bucket}/#{@object}" | ||
end | ||
end | ||
end |
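Review bot: the guards in `updated_date`, `time_storage_class_updated_date` and `time_created_date` use `return false if !defined?(@time_updated)` and friends, but `defined?` on an instance variable is true once it has been assigned, including when it was assigned `nil`; if `get_object` returns an object whose `updated` or `time_storage_class_updated` field is absent, `Time.parse(nil.to_s)` becomes `Time.parse('')`, which raises ArgumentError instead of returning false. A `return false if @time_updated.nil?` style check covers both the unassigned and the nil case. Optionally, `to_s` could include `generation`, since the same object name can exist in several generations and the property is already exposed.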
@@ -0,0 +1,36 @@ | ||
# frozen_string_literal: true | ||
|
||
require 'gcp_backend' | ||
|
||
module Inspec::Resources | ||
class GoogleStorageObjectAcl < GcpResourceBase | ||
name 'google_storage_object_acl' | ||
desc 'Verifies settings for a storage object ACL' | ||
|
||
example " | ||
describe google_storage_object_acl(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq', entity: '[email protected]') do | ||
it { should exist } | ||
end | ||
" | ||
|
||
def initialize(opts = {}) | ||
# Call the parent class constructor | ||
super(opts) | ||
@bucket = opts[:bucket] | ||
@object = opts[:object] | ||
@entity = opts[:entity] | ||
catch_gcp_errors do | ||
@acl = @gcp.gcp_storage_client.get_object_access_control(@bucket, @object, @entity) | ||
create_resource_methods(@acl) | ||
end | ||
end | ||
|
||
def exists? | ||
!@acl.nil? | ||
end | ||
|
||
def to_s | ||
"Storage Object ACL #{@object}" | ||
end | ||
end | ||
end |
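Review bot: `to_s` returns `"Storage Object ACL #{@object}"`, so a failing control reports only the object name; `initialize` requires `bucket` and `entity` too, and the message should carry them, for example `"Storage Object ACL #{@bucket}/#{@object} for #{@entity}"`, otherwise controls over the same object name in different buckets, or over different entities on one object, produce indistinguishable output. The bucket object resource in this commit formats its `to_s` as `"Bucket object #{@bucket}/#{@object}"`, so matching that style would also keep the two consistent.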
test/integration/verify/controls/google_storage_bucket_object.rb (21 additions, 0 deletions)
@@ -0,0 +1,21 @@ | ||
title 'Storage Bucket Object Properties' | ||
|
||
gcp_storage_bucket_object = attribute(:gcp_storage_bucket_object, default: '', description: 'The GCP bucket with objects.') | ||
gcp_storage_bucket_object_name = attribute(:gcp_storage_bucket_object_name, default: '', description: 'The GCP bucket object name.') | ||
gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources,default:0,description:'Flag to enable privileged resources requiring elevated privileges in GCP.') | ||
|
||
control 'gcp-storage-bucket-object-1.0' do | ||
|
||
only_if { gcp_enable_privileged_resources.to_i == 1 } | ||
impact 1.0 | ||
title 'Ensure that the Storage Bucket Object has been created correctly' | ||
|
||
describe google_storage_bucket_object(bucket: gcp_storage_bucket_object, object: gcp_storage_bucket_object_name) do | ||
it { should exist } | ||
its('name') { should eq gcp_storage_bucket_object_name } | ||
its('size') { should be > 0 } | ||
its('content_type') { should eq "text/plain; charset=utf-8" } | ||
its('time_created_date') { should be > Time.now - 365*60*60*24*10 } | ||
its('updated_date') { should be > Time.now - 365*60*60*24*10 } | ||
end | ||
end |
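Review bot: the attribute `gcp_storage_bucket_object` actually carries a bucket name (its description is "The GCP bucket with objects" and it is passed as `bucket:`), while `gcp_storage_bucket_object_name` carries the object; renaming the first to something like `gcp_storage_bucket_object_bucket` would stop readers of `bucket: gcp_storage_bucket_object` from assuming it is an object. The two timestamp assertions compare against `Time.now - 365*60*60*24*10`, which is ten years; as a check that the object "has been created correctly" by this run it is close to always true, and a window of a day or so around the test run would catch a stale object that the current value cannot.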
test/integration/verify/controls/google_storage_object_acl.rb (19 additions, 0 deletions)
@@ -0,0 +1,19 @@ | ||
title 'Test single GCP storage object ACL' | ||
|
||
gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.') | ||
gcp_storage_bucket_object = attribute(:gcp_storage_bucket_object, default: '', description: 'The GCP bucket with objects.') | ||
gcp_storage_bucket_object_name = attribute(:gcp_storage_bucket_object_name, default: '', description: 'The GCP bucket object name.') | ||
gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources,default:0,description:'Flag to enable privileged resources requiring elevated privileges in GCP.') | ||
|
||
control 'gcp-storage-object-acl-1.0' do | ||
|
||
only_if { gcp_enable_privileged_resources.to_i == 1 } | ||
impact 1.0 | ||
title 'Ensure storage default object ACL has the correct properties.' | ||
|
||
describe google_storage_object_acl(bucket: gcp_storage_bucket_object, object: gcp_storage_bucket_object_name, entity: "user-object-viewer@#{gcp_project_id}.iam.gserviceaccount.com") do | ||
it { should exist } | ||
its('email') { should include "object-viewer@#{gcp_project_id}.iam.gserviceaccount.com" } | ||
its('role') { should eq "OWNER" } | ||
end | ||
end |
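Review bot: the control title `'Ensure storage default object ACL has the correct properties.'` does not match the describe block, which tests `google_storage_object_acl` on a specific object rather than a default object ACL; it should say "storage object ACL". The assertion `its('role') { should eq "OWNER" }` for an entity named `user-object-viewer@...` also reads oddly: OWNER on an object ACL lets that principal change the object's ACL, which a viewer should not be able to do, so either the Terraform grant or the account's name deserves a second look, and the expected role here should follow whichever is corrected. Finally, `gcp_project_id` defaults to `''`, so when unset the entity string becomes `user-object-viewer@.iam.gserviceaccount.com`; the `only_if` gate hides that today, but a non-empty check on the attribute would give a clearer failure.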