From be7af7b3ac089c833255627e3f0a7fa912382235 Mon Sep 17 00:00:00 2001
From: Stuart Paterson
Date: Tue, 11 Sep 2018 11:27:12 +0100
Subject: [PATCH] Updates to controls affected by service account name change.
Signed-off-by: Stuart Paterson
---
 test/integration/configuration/gcp_inspec_config.rb | 2 +-
 .../verify/controls/google_storage_bucket_acl.rb | 5 +++--
 .../verify/controls/google_storage_bucket_iam_binding.rb | 7 ++++---
 .../verify/controls/google_storage_default_object_acl.rb | 5 +++--
 .../verify/controls/google_storage_object_acl.rb | 5 +++--
 5 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/test/integration/configuration/gcp_inspec_config.rb b/test/integration/configuration/gcp_inspec_config.rb
index d38a2481f..4e117b54f 100644
--- a/test/integration/configuration/gcp_inspec_config.rb
+++ b/test/integration/configuration/gcp_inspec_config.rb
@@ -83,7 +83,7 @@ def self.add_random_string(length=25)
 :gcp_logging_project_exclusion_name => "gcp-inspec-project-exclusion-#{add_random_string}",
 :gcp_network_name => "gcp-inspec-network",
 :gcp_subnetwork_name => "gcp-inspec-subnetwork",
- :gcp_db_instance_name => "gcp-inspec-db-instance",
+ :gcp_db_instance_name => "gcp-inspec-db-#{add_random_string}",
 :gcp_db_name => "inspecgcp",
 :gcp_db_type => "MYSQL_5_7",
 :gcp_db_size => "db-f1-micro",
diff --git a/test/integration/verify/controls/google_storage_bucket_acl.rb b/test/integration/verify/controls/google_storage_bucket_acl.rb
index 1a27c74a4..acf6c9458 100644
--- a/test/integration/verify/controls/google_storage_bucket_acl.rb
+++ b/test/integration/verify/controls/google_storage_bucket_acl.rb
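Review bot: The randomised `:gcp_db_instance_name` on the `+` line carries no explanation, and nothing else in this hunk relates to the commit subject (a service account name change), so a reader will not know why the fixed name was dropped; a one-line comment such as `# Cloud SQL instance names cannot be reused for several days after deletion, so never pin one` would preserve the reason. The helper's output presumably also has to satisfy Cloud SQL instance-ID rules (lowercase letters, digits and hyphens); `add_random_string`'s body is outside this hunk, so confirm it never emits uppercase or other characters. Separately, the controls in this patch now read a `gcp_service_account_display_name` attribute whose key is not visible in this hash; if it is not emitted elsewhere in this configuration, every control falls back to its `''` default. The enclosing hash and `add_random_string` definition start and end outside the hunk.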
@@ -2,6 +2,7 @@
 gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
 gcp_storage_bucket_acl = attribute(:gcp_storage_bucket_acl, default: '', description: 'The GCP bucket with ACL set.')
+gcp_service_account_display_name = attribute(:gcp_service_account_display_name, default:'', description: 'Service account display name.')
 gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources,default:0,description:'Flag to enable privileged resources requiring elevated privileges in GCP.')
 control 'gcp-storage-bucket-acl-1.0' do
@@ -10,9 +11,9 @@
 impact 1.0
 title 'Ensure storage bucket ACL has the correct properties.'
- describe google_storage_bucket_acl(bucket: gcp_storage_bucket_acl, entity: "user-object-viewer@#{gcp_project_id}.iam.gserviceaccount.com") do
+ describe google_storage_bucket_acl(bucket: gcp_storage_bucket_acl, entity: "user-#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com") do
 it { should exist }
- its('email') { should include "object-viewer@#{gcp_project_id}.iam.gserviceaccount.com" }
+ its('email') { should include "#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com" }
 its('role') { should eq "OWNER" }
 its('bucket') { should eq gcp_storage_bucket_acl }
 end
diff --git a/test/integration/verify/controls/google_storage_bucket_iam_binding.rb b/test/integration/verify/controls/google_storage_bucket_iam_binding.rb
index aba633784..b48a1b6c0 100644
--- a/test/integration/verify/controls/google_storage_bucket_iam_binding.rb
+++ b/test/integration/verify/controls/google_storage_bucket_iam_binding.rb
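Review bot: `its('email') { should include "#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com" }` on the second hunk's `+` line is a substring match on a String, so it would also pass for any service account whose email merely ends with that text, and when the attribute is left at its `''` default it degrades to `"@<project>.iam.gserviceaccount.com"`, which every service account in the project satisfies; change it to `its('email') { should eq "#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com" }` (or `should cmp`). With the `''` default the `entity:` argument on the `describe` line also becomes `user-@<project>.iam.gserviceaccount.com`, so `should exist` would presumably fail with a message that never mentions the missing attribute; a guard such as `describe gcp_service_account_display_name do it { should_not be_empty } end` ahead of the resource, or a non-empty default, would make that failure self-explanatory. The `control` block's `end` is outside the hunk.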
@@ -4,6 +4,7 @@
 gcp_storage_bucket_binding = attribute(:gcp_storage_bucket_binding, default: '', description: 'The GCP bucket with IAM binding.')
 gcp_storage_bucket_member = attribute(:gcp_storage_bucket_member, default: '', description: 'The GCP bucket with IAM member.')
 gcp_storage_bucket_policy = attribute(:gcp_storage_bucket_policy, default: '', description: 'The GCP bucket with IAM policy.')
+gcp_service_account_display_name = attribute(:gcp_service_account_display_name, default:'', description: 'Service account display name.')
 gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources,default:0,description:'Flag to enable privileged resources requiring elevated privileges in GCP.')
 control 'gcp-storage-bucket-iam-binding-1.0' do
@@ -16,20 +17,20 @@
 it { should exist }
 its ('members.count'){ should eq 1 } # i.e. our service account
 # below is brittle, could extract service account email from tf in the future...
- its('members') {should include "serviceAccount:object-viewer@#{gcp_project_id}.iam.gserviceaccount.com" }
+ its('members') {should include "serviceAccount:#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com" }
 end
 describe google_storage_bucket_iam_binding(bucket: gcp_storage_bucket_member, role: 'roles/storage.objectViewer') do
 it { should exist }
 its ('members.count'){ should eq 1 } # i.e. our service account
 # below is brittle, could extract service account email from tf in the future...
- its('members') {should include "serviceAccount:object-viewer@#{gcp_project_id}.iam.gserviceaccount.com" }
+ its('members') {should include "serviceAccount:#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com" }
 end
 describe google_storage_bucket_iam_binding(bucket: gcp_storage_bucket_policy, role: 'roles/storage.admin') do
 it { should exist }
 its ('members.count'){ should eq 1 } # i.e. our service account
 # below is brittle, could extract service account email from tf in the future...
- its('members') {should include "serviceAccount:object-viewer@#{gcp_project_id}.iam.gserviceaccount.com" }
+ its('members') {should include "serviceAccount:#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com" }
 end
 end
\ No newline at end of file
diff --git a/test/integration/verify/controls/google_storage_default_object_acl.rb b/test/integration/verify/controls/google_storage_default_object_acl.rb
index aff0ef739..c868d9446 100644
--- a/test/integration/verify/controls/google_storage_default_object_acl.rb
+++ b/test/integration/verify/controls/google_storage_default_object_acl.rb
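Review bot: The three `# below is brittle, could extract service account email from tf in the future...` comments are now stale: the `+` lines beneath them read the email from the `gcp_service_account_display_name` attribute, which is the extraction the comment was asking for, so drop them or reword to say where the value comes from, e.g. `# service account name is supplied through the gcp_service_account_display_name attribute`. The `members` expectation itself is sound here: `include` on the members array is exact membership and `members.count` of 1 pins the binding to that single account. One residual weakness is the attribute's `''` default, which turns the expected member into `serviceAccount:@<project>.iam.gserviceaccount.com` and yields a failure that never says the attribute was missing; a non-empty default or a `should_not be_empty` check on the attribute would make that explicit. The first `describe` in this hunk opens before line 16, outside the hunk.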
@@ -2,6 +2,7 @@
 gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
 gcp_storage_object_default_acl = attribute(:gcp_storage_bucket_name, default: '', description: 'The GCP bucket with default ACL set.')
+gcp_service_account_display_name = attribute(:gcp_service_account_display_name, default:'', description: 'Service account display name.')
 gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources,default:0,description:'Flag to enable privileged resources requiring elevated privileges in GCP.')
 control 'gcp-storage-default-object-acl-1.0' do
@@ -10,9 +11,9 @@
 impact 1.0
 title 'Ensure storage default object ACL has the correct properties.'
- describe google_storage_default_object_acl(bucket: gcp_storage_object_default_acl, entity: "user-object-viewer@#{gcp_project_id}.iam.gserviceaccount.com") do
+ describe google_storage_default_object_acl(bucket: gcp_storage_object_default_acl, entity: "user-#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com") do
 it { should exist }
- its('email') { should include "object-viewer@#{gcp_project_id}.iam.gserviceaccount.com" }
+ its('email') { should include "#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com" }
 its('role') { should eq "OWNER" }
 end
diff --git a/test/integration/verify/controls/google_storage_object_acl.rb b/test/integration/verify/controls/google_storage_object_acl.rb
index 40de6ae84..59c92fe55 100644
--- a/test/integration/verify/controls/google_storage_object_acl.rb
+++ b/test/integration/verify/controls/google_storage_object_acl.rb
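Review bot: `its('email') { should include ... }` on the `+` line of the second hunk is a substring test on a String; it accepts any email that ends with the expected text and, with the attribute's `''` default, any service account in the project, so prefer `its('email') { should eq "#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com" }`. Pre-existing but visible in the first hunk: `gcp_storage_object_default_acl` is read from `:gcp_storage_bucket_name`, not from an attribute of its own name; if that is intentional, a short comment such as `# the default-ACL check runs against the main test bucket` would stop the next reader from "fixing" it. The `control` block's `end` is outside the hunk.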
@@ -3,6 +3,7 @@
 gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
 gcp_storage_bucket_object = attribute(:gcp_storage_bucket_object, default: '', description: 'The GCP bucket with objects.')
 gcp_storage_bucket_object_name = attribute(:gcp_storage_bucket_object_name, default: '', description: 'The GCP bucket object name.')
+gcp_service_account_display_name = attribute(:gcp_service_account_display_name, default:'', description: 'Service account display name.')
 gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources,default:0,description:'Flag to enable privileged resources requiring elevated privileges in GCP.')
 control 'gcp-storage-object-acl-1.0' do
@@ -11,9 +12,9 @@
 impact 1.0
 title 'Ensure storage default object ACL has the correct properties.'
- describe google_storage_object_acl(bucket: gcp_storage_bucket_object, object: gcp_storage_bucket_object_name, entity: "user-object-viewer@#{gcp_project_id}.iam.gserviceaccount.com") do
+ describe google_storage_object_acl(bucket: gcp_storage_bucket_object, object: gcp_storage_bucket_object_name, entity: "user-#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com") do
 it { should exist }
- its('email') { should include "object-viewer@#{gcp_project_id}.iam.gserviceaccount.com" }
+ its('email') { should include "#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com" }
 its('role') { should eq "OWNER" }
 end
 end
\ No newline at end of file
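Review bot: `its('email') { should include "#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com" }` on the second hunk's `+` line is a substring match, so an account named e.g. `foo-<display-name>` would also pass and an empty attribute matches every service account in the project; use `its('email') { should eq "#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com" }` instead. The context line `title 'Ensure storage default object ACL has the correct properties.'` looks copied from the default-object-ACL control; this control checks a named object's ACL, so `title 'Ensure storage object ACL has the correct properties.'` would describe it accurately. The `control` block opens before line 11, outside the hunk.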