forked from GoogleCloudPlatform/cloud-foundation-fabric
-
Notifications
You must be signed in to change notification settings - Fork 0
/
audit.py
77 lines (63 loc) · 2.36 KB
/
audit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import click
from googleapiclient.errors import Error
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials
credentials = GoogleCredentials.get_application_default()
iam_service = discovery.build("iam", "v1", credentials=credentials)
SENSITIVE_PERMISSIONS = {
"resourcemanager.projects.setIamPolicy",
"resourcemanager.folders.setIamPolicy",
"resourcemanager.organizations.setIamPolicy",
}
def get_role_permissions(role):
if role.startswith("roles/"):
endpoint = iam_service.roles()
elif role.startswith("projects/"):
endpoint = iam_service.projects().roles()
elif role.startswith("organizations/"):
endpoint = iam_service.organizations().roles()
else:
raise Exception(f"Invalid role {role}")
response = endpoint.get(name=role).execute()
permissions = response.get("includedPermissions")
return permissions
@click.command()
@click.argument("file", type=click.File("r"))
def main(file):
"""Verify that the set of GCP roles in FILE does not include the
permission setIamPolicy at project, folder or organization level
This program authenticates against GCP using default application
credentials to query project and organization level roles.
"""
clean_roles = [x.rstrip(" \n") for x in file]
roles = (x for x in clean_roles if x)
allok = True
for role in roles:
try:
permissions = set(get_role_permissions(role))
except Error as e:
print(f"WARNING: can't read {role}: {e}")
allok = False
else:
matched_sensitive_permissions = SENSITIVE_PERMISSIONS & permissions
if matched_sensitive_permissions:
print(f"WARNING: {role} contains {matched_sensitive_permissions}")
allok = False
else:
print(f"{role} ok")
exit(0 if allok else 1)
if __name__ == "__main__":
main()