Adding new feature to analyze role bindings at resouce level (GoogleC…

…loudPlatform#784)

Co-authored-by: Abdel SGHIOUAR <[email protected]>

tools/custom-roles-analyzer/README.md

@@ -24,13 +24,11 @@ It will print results in file which contains following fields:
 1. Custom Role - Name of the custom role.
 2. Parent - Parent of the custom role. It can be an organization or project.
 3. List of predefined roles - List of predefined roles by which this custom role is made of.
-4. Additional permissions required - Any additional permission apart from predefined roles we need to rebuild this custom role.
-5. No of additional permissions - Total number of additional permissions required to rebuild this custom role.
-6. No of original permissions - Total number of permissions originally this custom role has.
-7. Is Exact Match - If this custom role matches exactly to 1 or more predefined roles then it is set to True otherwise false.
-
-It provides results in CSV or JSON format. Default is CSV.
-
+4. Additional permissions required - Any additional permission apart from predefined roles we need to build this custom role again.
+5. Is Exact Match - If this custom role matches exactly to 1 or more predefined roles then it is set to True otherwise false.
+
+It provides result in CSV or JSON format. Default is CSV.
+
 
 # Getting Started
 

tools/custom-roles-analyzer/analyze.sh

@@ -17,4 +17,4 @@
 
 mvn compile exec:java \
   -Dexec.mainClass="com.google.cloud.pso.security.CustomRoleAnalyzer" \
-  -Dexec.args="$1 $2 $3 $4" 
+  -Dexec.args="$1 $2 $3 $4 $5 $6" 

tools/custom-roles-analyzer/pom.xml

@@ -31,7 +31,7 @@ limitations under the License.
 <dependency>
   <groupId>com.google.cloud</groupId>
   <artifactId>google-iam-admin</artifactId>
-  <version>1.1.1</version>
+  <version>1.1.4</version>
 </dependency>
 <dependency>
   <groupId>com.google.apis</groupId>
@@ -59,11 +59,16 @@ limitations under the License.
   <artifactId>guava</artifactId>
   <version>31.0.1-jre</version>
 </dependency>
-    <dependency>
-      <groupId>com.google.flogger</groupId>
-      <artifactId>google-extensions</artifactId>
-      <version>0.7.4</version>
-    </dependency>
+<dependency>
+  <groupId>com.google.flogger</groupId>
+  <artifactId>google-extensions</artifactId>
+  <version>0.7.4</version>
+</dependency>
+<dependency>
+  <groupId>com.google.cloud</groupId>
+  <artifactId>google-cloud-asset</artifactId>
+  <version>3.2.14</version>
+</dependency>
 </dependencies>
   <build>
     <plugins>

tools/custom-roles-analyzer/src/main/java/com/google/cloud/pso/security/CustomRoleAnalyzer.java

@@ -16,6 +16,7 @@
 
 package com.google.cloud.pso.security;
 
+import com.google.cloud.pso.security.asset.AssetServiceUtil;
 import com.google.cloud.pso.security.constants.GenericConstants;
 import com.google.cloud.pso.security.util.CustomRoleAnalyzerHelper;
 import com.google.common.flogger.GoogleLogger;
@@ -31,6 +32,8 @@ public static void main(String[] args) {
 
     String orgId = "";
     String resultFormat = GenericConstants.DEFAULT_FORMAT;
+    boolean binding = false;
+    boolean customRoleAnalysis = false;
 
     List<String> commandlineArgs = null;
     if (args != null && args.length > 0) {
@@ -39,50 +42,83 @@ public static void main(String[] args) {
       logger.atInfo().log(GenericConstants.OPTIONS_HELP);
       System.exit(1);
     }
-    if (commandlineArgs.contains("-o")
-        && commandlineArgs.size() > (commandlineArgs.indexOf("-o") + 1)) {
-      orgId = (String) commandlineArgs.get(commandlineArgs.indexOf("-o") + 1);
+    if (commandlineArgs.contains("--org")
+        && commandlineArgs.size() > (commandlineArgs.indexOf("--org") + 1)) {
+      orgId = (String) commandlineArgs.get(commandlineArgs.indexOf("--org") + 1);
     } else {
       logger.atInfo().log(GenericConstants.OPTIONS_HELP);
       System.exit(1);
     }
-    if (commandlineArgs.contains("-f")
-        && commandlineArgs.size() > (commandlineArgs.indexOf("-o") + 1)) {
-      resultFormat = (String) commandlineArgs.get(commandlineArgs.indexOf("-f") + 1);
+    if (commandlineArgs.contains("--format")
+        && commandlineArgs.size() > (commandlineArgs.indexOf("--org") + 1)) {
+      resultFormat = (String) commandlineArgs.get(commandlineArgs.indexOf("--format") + 1);
       if (!resultFormat.equals(GenericConstants.JSON_FORMAT)
           || !resultFormat.equals(GenericConstants.DEFAULT_FORMAT)) {
         logger.atWarning().log("Unsupported format: " + resultFormat);
         logger.atInfo().log("Using defualt format: " + GenericConstants.DEFAULT_FORMAT);
         resultFormat = GenericConstants.DEFAULT_FORMAT;
       }
     }
-    logger.atInfo().log("Staring custom role analysis for org : " + orgId);
 
-    CustomRoleAnalyzerHelper analyzerHelper = new CustomRoleAnalyzerHelper();
-    try {
-      analyzerHelper.initilize(orgId, resultFormat);
-    } catch (Exception e) {
-      logger.atSevere().withCause(e).log("Unable to initialize custom role analyzer tool.");
-      System.exit(1);
+    if (commandlineArgs.contains("--binding-analysis")) {
+      binding = true;
+    }
+    if (commandlineArgs.contains("--role-analysis")) {
+      customRoleAnalysis = true;
+    }
+    if (!binding && !customRoleAnalysis) {
+      logger.atInfo().log("Choosing execution of default tool as custom role analysis.");
+      customRoleAnalysis = true;
     }
 
-    try {
-      analyzerHelper.processOrgLevelCustomRoles(orgId);
-    } catch (Exception e) {
-      logger.atSevere().withCause(e).log("Unable to process org level custom roles.");
-      System.exit(1);
+    if (customRoleAnalysis) {
+
+      logger.atInfo().log("Staring custom role analysis for org : " + orgId);
+
+      CustomRoleAnalyzerHelper analyzerHelper = new CustomRoleAnalyzerHelper();
+      try {
+        analyzerHelper.initilize(orgId, resultFormat);
+      } catch (Exception e) {
+        logger.atSevere().withCause(e).log("Unable to initialize custom role analyzer tool.");
+        System.exit(1);
+      }
+
+      try {
+        analyzerHelper.processOrgLevelCustomRoles(orgId);
+      } catch (Exception e) {
+        logger.atSevere().withCause(e).log("Unable to process org level custom roles.");
+        System.exit(1);
+      }
+      try {
+        analyzerHelper.processProjectLevelCustomRoles(orgId);
+      } catch (Exception e) {
+        logger.atSevere().withCause(e).log("Unable to process project level custom roles.");
+        System.exit(1);
+      }
+      logger.atInfo().log(
+          "Successfully executed custom role analysis and results are written to: "
+              + GenericConstants.RESULT_FILENAME
+              + "."
+              + resultFormat);
     }
-    try {
-      analyzerHelper.processProjectLevelCustomRoles(orgId);
-    } catch (Exception e) {
-      logger.atSevere().withCause(e).log("Unable to process project level custom roles.");
-      System.exit(1);
+
+    if (binding) {
+      String scope = GenericConstants.ORGANIZATIONS + GenericConstants.SEPARATOR + orgId;
+      String query = "";
+      logger.atInfo().log("Staring role binding analysis for scope : " + scope);
+      AssetServiceUtil assetServiceUtil = new AssetServiceUtil();
+      try {
+        assetServiceUtil.analyzeBindings(scope, query);
+      } catch (Exception e) {
+        logger.atSevere().withCause(e).log("Unable to process bindings for the roles.");
+        System.exit(1);
+      }
+      logger.atInfo().log(
+          "Successfully executed role binding analysis and results are written to: "
+              + GenericConstants.RESULT_FILENAME_ROLE_BINDING
+              + "."
+              + GenericConstants.DEFAULT_FORMAT);
     }
-    logger.atInfo().log(
-        "Successfully executed custom role analysis and results are written to: "
-            + GenericConstants.RESULT_FILENAME
-            + "."
-            + resultFormat);
     System.exit(1);
   }
 }