From cc0565e2e42ab97daf1d30eb3c4b2abbc720de26 Mon Sep 17 00:00:00 2001
From: FanchenBao
Date: Tue, 23 Jul 2019 19:16:15 -0400
Subject: [PATCH 01/14] Add 'Constraint' to the package statement
---
 validator/sql_allowed_authorized_networks.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/validator/sql_allowed_authorized_networks.rego b/validator/sql_allowed_authorized_networks.rego
index e8d61f6c..de8fa81c 100644
--- a/validator/sql_allowed_authorized_networks.rego
+++ b/validator/sql_allowed_authorized_networks.rego
@@ -14,7 +14,7 @@
 # limitations under the License.
 #
-package templates.gcp.GCPSQLAllowedAuthorizedNetworksV1
+package templates.gcp.GCPSQLAllowedAuthorizedNetworksConstraintV1
 import data.validator.gcp.lib as lib
From 194fcd655f1dda27c66814512963acb63512516e Mon Sep 17 00:00:00 2001
From: FanchenBao
Date: Tue, 23 Jul 2019 19:16:45 -0400
Subject: [PATCH 02/14] Add 'data' field to the statement that retrieves 'authorizedNetworks'; 'data' is upstream to 'settings' in CAI
---
 validator/sql_allowed_authorized_networks.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/validator/sql_allowed_authorized_networks.rego b/validator/sql_allowed_authorized_networks.rego
index de8fa81c..f66b8736 100644
--- a/validator/sql_allowed_authorized_networks.rego
+++ b/validator/sql_allowed_authorized_networks.rego
@@ -30,7 +30,7 @@ deny[{
 allowed_authorized_networks = lib.get_default(params, "authorized_networks", [])
 configured_networks := {network |
- network = asset.resource.settings.ipConfiguration.authorizedNetworks[_].value
+ network = asset.resource.data.settings.ipConfiguration.authorizedNetworks[_].value
 }
 matched_networks := {network |
From 712ab6f5ca5599c14ad343bf9e2ad87312805470 Mon Sep 17 00:00:00 2001
From: FanchenBao
Date: Tue, 23 Jul 2019 19:17:34 -0400
Subject: [PATCH 03/14] Modify logic to include additional checking for situation where 'authorizedNetworks' does not exist, or contains no content
---
 validator/sql_allowed_authorized_networks.rego | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/validator/sql_allowed_authorized_networks.rego b/validator/sql_allowed_authorized_networks.rego
index f66b8736..561b94a6 100644
--- a/validator/sql_allowed_authorized_networks.rego
+++ b/validator/sql_allowed_authorized_networks.rego
@@ -29,9 +29,14 @@ deny[{
 asset.asset_type == "sqladmin.googleapis.com/Instance"
 allowed_authorized_networks = lib.get_default(params, "authorized_networks", [])
- configured_networks := {network |
- network = asset.resource.data.settings.ipConfiguration.authorizedNetworks[_].value
- }
+
+ # Check whether authorizedNetworks field exists, so that
+ # we can report violation when this field is not set
+ config_auth_networks = lib.get_default(asset.resource.data.settings.ipConfiguration, "authorizedNetworks", [{"value":"authorized network unspecified"}])
+
+ configured_networks := {network |
+ network = config_auth_networks[_].value
+ }
 matched_networks := {network |
 network = configured_networks[_]
From be624c4fd0391e315226d66b14fca48cd9df4654 Mon Sep 17 00:00:00 2001
From: FanchenBao
Date: Tue, 23 Jul 2019 19:19:43 -0400
Subject: [PATCH 04/14] Make same changes to the rego code in gcp_sql_allowed_authorized_networks_v1.yaml
---
 .../gcp_sql_allowed_authorized_networks_v1.yaml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/policies/templates/gcp_sql_allowed_authorized_networks_v1.yaml b/policies/templates/gcp_sql_allowed_authorized_networks_v1.yaml
index b78caec0..d4867de4 100644
--- a/policies/templates/gcp_sql_allowed_authorized_networks_v1.yaml
+++ b/policies/templates/gcp_sql_allowed_authorized_networks_v1.yaml
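Review bot: `lib.get_default` on the new `config_auth_networks` line only supplies a default for the final key; its first argument `asset.resource.data.settings.ipConfiguration` is a bare reference, so an asset whose resource data lacks `settings` or `ipConfiguration` leaves that expression undefined, the rule body stops evaluating, and no violation is produced — the opposite of what the added comment promises for unset fields. If those containers can be absent from the CAI export (not visible here), fetch them with defaults as well, e.g. `settings := lib.get_default(asset.resource.data, "settings", {})` and `ip_config := lib.get_default(settings, "ipConfiguration", {})`, and pass `ip_config` on. The same bare reference is introduced in the template copy in patch 04 and, once the sentinel is dropped, in the `check_ssl(params, asset.resource.data.settings.ipConfiguration)` and `forbidden_networks(params, asset.resource.data.settings.ipConfiguration)` calls of patches 13 and 14, where a missing `ipConfiguration` likewise silences the SSL check instead of flagging it. The deny rule that contains this hunk starts and ends outside it.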
@@ -56,7 +56,7 @@ spec:
 # limitations under the License.
 #
- package templates.gcp.GCPSQLAllowedAuthorizedNetworksV1
+ package templates.gcp.GCPSQLAllowedAuthorizedNetworksConstraintV1
 import data.validator.gcp.lib as lib
@@ -71,9 +71,14 @@ spec:
 asset.asset_type == "sqladmin.googleapis.com/Instance"
 allowed_authorized_networks = lib.get_default(params, "authorized_networks", [])
- configured_networks := {network |
- network = asset.resource.settings.ipConfiguration.authorizedNetworks[_].value
- }
+
+ # Check whether authorizedNetworks field exists, so that
+ # we can report violation when this field is not set
+ config_auth_networks = lib.get_default(asset.resource.data.settings.ipConfiguration, "authorizedNetworks", [{"value":"authorized network unspecified"}])
+
+ configured_networks := {network |
+ network = config_auth_networks[_].value
+ }
 matched_networks := {network |
 network = configured_networks[_]
From 96892a60d665c7c9d2b1513e48e2dec5a390b02f Mon Sep 17 00:00:00 2001
From: FanchenBao
Date: Thu, 25 Jul 2019 21:13:35 -0400
Subject: [PATCH 05/14] Add 'data' field to validator/test/fixtures/sql_allowed_authorized_networks/assets/data.json; modify package statement of validator/sql_allowed_authorized_networks_test.rego
---
 validator/sql_allowed_authorized_networks_test.rego | 2 +-
 .../fixtures/sql_allowed_authorized_networks/assets/data.json | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/validator/sql_allowed_authorized_networks_test.rego b/validator/sql_allowed_authorized_networks_test.rego
index 6c8fb322..56ac81b6 100644
--- a/validator/sql_allowed_authorized_networks_test.rego
+++ b/validator/sql_allowed_authorized_networks_test.rego
@@ -14,7 +14,7 @@
 # limitations under the License.
 #
-package templates.gcp.GCPSQLAllowedAuthorizedNetworksV1
+package templates.gcp.GCPSQLAllowedAuthorizedNetworksConstraintV1
 import data.test.fixtures.sql_allowed_authorized_networks.constraints as fixture_constraints
diff --git a/validator/test/fixtures/sql_allowed_authorized_networks/assets/data.json b/validator/test/fixtures/sql_allowed_authorized_networks/assets/data.json
index 1572eaf0..2002ae04 100644
--- a/validator/test/fixtures/sql_allowed_authorized_networks/assets/data.json
+++ b/validator/test/fixtures/sql_allowed_authorized_networks/assets/data.json
@@ -40,6 +40,7 @@
 "name": "//cloudsql.googleapis.com/projects/noble-history-87417/instances/authorized-networks-35",
 "asset_type": "sqladmin.googleapis.com/Instance",
 "resource": {
+ "data":{
 "settings": {
 "activationPolicy": "ALWAYS",
 "backupConfiguration": {
@@ -94,4 +95,5 @@
 },
 "state": "RUNNABLE"
 }
+ }
 }]
From f2709a2f39412c9e3f70ad063af73fb400d84244 Mon Sep 17 00:00:00 2001
From: FanchenBao
Date: Sat, 10 Aug 2019 09:45:19 -0400
Subject: [PATCH 06/14] change format
---
 validator/sql_allowed_authorized_networks.rego | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/validator/sql_allowed_authorized_networks.rego b/validator/sql_allowed_authorized_networks.rego
index 561b94a6..d9083790 100644
--- a/validator/sql_allowed_authorized_networks.rego
+++ b/validator/sql_allowed_authorized_networks.rego
@@ -31,12 +31,12 @@ deny[{
 allowed_authorized_networks = lib.get_default(params, "authorized_networks", [])
 # Check whether authorizedNetworks field exists, so that
- # we can report violation when this field is not set
- config_auth_networks = lib.get_default(asset.resource.data.settings.ipConfiguration, "authorizedNetworks", [{"value":"authorized network unspecified"}])
+ # we can report violation when this field is not set
+ config_auth_networks = lib.get_default(asset.resource.data.settings.ipConfiguration, "authorizedNetworks", [{"value": "authorized network unspecified"}])
- configured_networks := {network |
- network = config_auth_networks[_].value
- }
+ configured_networks := {network |
+ network = config_auth_networks[_].value
+ }
 matched_networks := {network |
 network = configured_networks[_]
From 72dbb91cec9ad86cc2237688992fc04001b29f96 Mon Sep 17 00:00:00 2001
From: FanchenBao
Date: Sat, 10 Aug 2019 09:45:40 -0400
Subject: [PATCH 07/14] Revert "change format"
This reverts commit f2709a2f39412c9e3f70ad063af73fb400d84244.
Due to inability to install PyYaml, will revert this change and move work to my personal laptop
---
 validator/sql_allowed_authorized_networks.rego | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/validator/sql_allowed_authorized_networks.rego b/validator/sql_allowed_authorized_networks.rego
index d9083790..561b94a6 100644
--- a/validator/sql_allowed_authorized_networks.rego
+++ b/validator/sql_allowed_authorized_networks.rego
@@ -31,12 +31,12 @@ deny[{
 allowed_authorized_networks = lib.get_default(params, "authorized_networks", [])
 # Check whether authorizedNetworks field exists, so that
- # we can report violation when this field is not set
- config_auth_networks = lib.get_default(asset.resource.data.settings.ipConfiguration, "authorizedNetworks", [{"value": "authorized network unspecified"}])
+ # we can report violation when this field is not set
+ config_auth_networks = lib.get_default(asset.resource.data.settings.ipConfiguration, "authorizedNetworks", [{"value":"authorized network unspecified"}])
- configured_networks := {network |
- network = config_auth_networks[_].value
- }
+ configured_networks := {network |
+ network = config_auth_networks[_].value
+ }
 matched_networks := {network |
 network = configured_networks[_]
From 4acd765f6caa85e2cfd79bd882b0687b47b825b5 Mon Sep 17 00:00:00 2001
From: FanchenBao
Date: Sat, 10 Aug 2019 10:53:36 -0400
Subject: [PATCH 08/14] Format rego code
---
 validator/sql_allowed_authorized_networks.rego | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/validator/sql_allowed_authorized_networks.rego b/validator/sql_allowed_authorized_networks.rego
index 561b94a6..d9083790 100644
--- a/validator/sql_allowed_authorized_networks.rego
+++ b/validator/sql_allowed_authorized_networks.rego
@@ -31,12 +31,12 @@ deny[{
 allowed_authorized_networks = lib.get_default(params, "authorized_networks", [])
 # Check whether authorizedNetworks field exists, so that
- # we can report violation when this field is not set
- config_auth_networks = lib.get_default(asset.resource.data.settings.ipConfiguration, "authorizedNetworks", [{"value":"authorized network unspecified"}])
+ # we can report violation when this field is not set
+ config_auth_networks = lib.get_default(asset.resource.data.settings.ipConfiguration, "authorizedNetworks", [{"value": "authorized network unspecified"}])
- configured_networks := {network |
- network = config_auth_networks[_].value
- }
+ configured_networks := {network |
+ network = config_auth_networks[_].value
+ }
 matched_networks := {network |
 network = configured_networks[_]
From a1339fe4d5ee4f92f75e0cbb9f368be0bd25be0a Mon Sep 17 00:00:00 2001
From: FanchenBao
Date: Sat, 10 Aug 2019 10:54:14 -0400
Subject: [PATCH 09/14] Format template yaml file
---
 .../gcp_sql_allowed_authorized_networks_v1.yaml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/policies/templates/gcp_sql_allowed_authorized_networks_v1.yaml b/policies/templates/gcp_sql_allowed_authorized_networks_v1.yaml
index d4867de4..fd57319f 100644
--- a/policies/templates/gcp_sql_allowed_authorized_networks_v1.yaml
+++ b/policies/templates/gcp_sql_allowed_authorized_networks_v1.yaml
@@ -71,14 +71,14 @@ spec:
 asset.asset_type == "sqladmin.googleapis.com/Instance"
 allowed_authorized_networks = lib.get_default(params, "authorized_networks", [])
-
- # Check whether authorizedNetworks field exists, so that
- # we can report violation when this field is not set
- config_auth_networks = lib.get_default(asset.resource.data.settings.ipConfiguration, "authorizedNetworks", [{"value":"authorized network unspecified"}])
-
- configured_networks := {network |
- network = config_auth_networks[_].value
- }
+
+ # Check whether authorizedNetworks field exists, so that
+ # we can report violation when this field is not set
+ config_auth_networks = lib.get_default(asset.resource.data.settings.ipConfiguration, "authorizedNetworks", [{"value": "authorized network unspecified"}])
+
+ configured_networks := {network |
+ network = config_auth_networks[_].value
+ }
 matched_networks := {network |
 network = configured_networks[_]
From cce6f00274926c7a42bcf4453e4a033dc4a4956d Mon Sep 17 00:00:00 2001
From: Fanchen Bao
Date: Fri, 4 Oct 2019 14:00:42 -0400
Subject: [PATCH 10/14] Update sql_allowed_authorized_networks.rego according to master
---
 validator/sql_allowed_authorized_networks.rego | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/validator/sql_allowed_authorized_networks.rego b/validator/sql_allowed_authorized_networks.rego
index 2db8e668..6c4c5378 100644
--- a/validator/sql_allowed_authorized_networks.rego
+++ b/validator/sql_allowed_authorized_networks.rego
@@ -53,13 +53,8 @@ deny[{
 forbidden_networks(params, ipConfiguration) = forbidden {
 allowed_authorized_networks = lib.get_default(params, "authorized_networks", [])
-
- # Check whether authorizedNetworks field exists, so that
- # we can report violation when this field is not set
- config_auth_networks = lib.get_default(ipConfiguration, "authorizedNetworks", [{"value": "authorized network unspecified"}])
-
 configured_networks := {network |
- network = config_auth_networks[_].value
+ network = ipConfiguration.authorizedNetworks[_].value
 }
 matched_networks := {network |
@@ -78,4 +73,4 @@ check_ssl(params, ipConfiguration) = result {
 check_ssl(params, ipConfiguration) = result {
 requireSsl := lib.get_default(ipConfiguration, "requireSsl", false)
 result = requireSsl == params.ssl_enabled
-}
+}
\ No newline at end of file
From 068f0a8a81748fc7a045b9fd929c550f3c11f987 Mon Sep 17 00:00:00 2001
From: Fanchen Bao
Date: Fri, 4 Oct 2019 14:02:48 -0400
Subject: [PATCH 11/14] Add 'data' field for the new fixture
---
 .../fixtures/sql_allowed_authorized_networks/assets/data.json | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/validator/test/fixtures/sql_allowed_authorized_networks/assets/data.json b/validator/test/fixtures/sql_allowed_authorized_networks/assets/data.json
index 61bceeef..0fd22373 100644
--- a/validator/test/fixtures/sql_allowed_authorized_networks/assets/data.json
+++ b/validator/test/fixtures/sql_allowed_authorized_networks/assets/data.json
@@ -2,6 +2,7 @@
 "name": "//cloudsql.googleapis.com/projects/noble-history-87417/instances/no-authorized-networks",
 "asset_type": "sqladmin.googleapis.com/Instance",
 "resource": {
+ "data": {
 "settings": {
 "activationPolicy": "ALWAYS",
 "backupConfiguration": {
@@ -35,6 +36,7 @@
 },
 "state": "RUNNABLE"
 }
+ }
 }, {
 "name": "//cloudsql.googleapis.com/projects/noble-history-87417/instances/authorized-networks-35",
From f2299f0616d7487356c47a0b6ee88d6564667e4c Mon Sep 17 00:00:00 2001
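Review bot: With the sentinel default removed, the new `network = ipConfiguration.authorizedNetworks[_].value` line sits inside a set comprehension, so an `ipConfiguration` without an `authorizedNetworks` key now yields an empty `configured_networks` and the instance passes instead of being reported — a reasonable reading of an allowlist, but it reverses the intent documented in patch 03 and the code no longer says so. Suggest a one-line comment above `configured_networks`, e.g. `# no authorizedNetworks key means no configured networks, which is compliant`. The template copy receives the identical change in patch 14 (`gcp_sql_allowed_authorized_networks_v1.yaml`). `forbidden_networks` continues past the end of the hunk.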
From: Fanchen Bao
Date: Fri, 4 Oct 2019 14:03:29 -0400
Subject: [PATCH 12/14] Fix typo
---
 validator/sql_allowed_authorized_networks_test.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/validator/sql_allowed_authorized_networks_test.rego b/validator/sql_allowed_authorized_networks_test.rego
index 1913ff66..0739ec00 100644
--- a/validator/sql_allowed_authorized_networks_test.rego
+++ b/validator/sql_allowed_authorized_networks_test.rego
@@ -37,7 +37,7 @@ test_sql_allowed_authorized_networks_default {
 violation.details.resource == "//cloudsql.googleapis.com/projects/noble-history-87417/instances/authorized-networks-35"
 }
-test_sql_allowed_authorized_networks_ssl_disabled {
+test_sql_allowed_authorized_networks_ssl_enabled {
 constraints := [fixture_constraints.ssl_enabled]
 violations := find_violations with data.test_constraints as constraints
 count(violations) == 1
From cde6f792ddc56c1e9aa172a65458daf8aec9da50 Mon Sep 17 00:00:00 2001
From: Fanchen Bao
Date: Fri, 4 Oct 2019 14:04:30 -0400
Subject: [PATCH 13/14] Add 'data' field to policy rego code
---
 validator/sql_allowed_authorized_networks.rego | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/validator/sql_allowed_authorized_networks.rego b/validator/sql_allowed_authorized_networks.rego
index 6c4c5378..4bd30451 100644
--- a/validator/sql_allowed_authorized_networks.rego
+++ b/validator/sql_allowed_authorized_networks.rego
@@ -28,7 +28,7 @@ deny[{
 asset := input.asset
 asset.asset_type == "sqladmin.googleapis.com/Instance"
- check_ssl(params, asset.resource.settings.ipConfiguration) == false
+ check_ssl(params, asset.resource.data.settings.ipConfiguration) == false
 message := sprintf("%v has networks with SSL settings in violation of policy", [asset.name])
 metadata := {"resource": asset.name}
@@ -44,7 +44,7 @@ deny[{
 asset := input.asset
 asset.asset_type == "sqladmin.googleapis.com/Instance"
- forbidden := forbidden_networks(params, asset.resource.settings.ipConfiguration)
+ forbidden := forbidden_networks(params, asset.resource.data.settings.ipConfiguration)
 count(forbidden) > 0
 message := sprintf("%v has authorized networks that are not allowed: %v", [asset.name, forbidden])
From 5dfe5a7a3e54738f3783f440d054a545e2c921c2 Mon Sep 17 00:00:00 2001
From: Fanchen Bao
Date: Fri, 4 Oct 2019 14:05:56 -0400
Subject: [PATCH 14/14] Inlining and formatting
---
 policies/templates/gcp_cmek_settings_v1.yaml | 1 -
 .../gcp_sql_allowed_authorized_networks_v1.yaml | 11 +++--------
 validator/sql_allowed_authorized_networks.rego | 2 +-
 3 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/policies/templates/gcp_cmek_settings_v1.yaml b/policies/templates/gcp_cmek_settings_v1.yaml
index b2bed69e..40dc97ee 100644
--- a/policies/templates/gcp_cmek_settings_v1.yaml
+++ b/policies/templates/gcp_cmek_settings_v1.yaml
@@ -53,7 +53,6 @@ spec:
 }] {
 constraint := input.constraint
 lib.get_constraint_params(constraint, params)
- exempt_list := lib.get_default(params, "exemptions", [])
 asset := input.asset
 asset.asset_type == "cloudkms.googleapis.com/CryptoKey"
diff --git a/policies/templates/gcp_sql_allowed_authorized_networks_v1.yaml b/policies/templates/gcp_sql_allowed_authorized_networks_v1.yaml
index 89f481a7..32bc12fa 100644
--- a/policies/templates/gcp_sql_allowed_authorized_networks_v1.yaml
+++ b/policies/templates/gcp_sql_allowed_authorized_networks_v1.yaml
@@ -70,7 +70,7 @@ spec:
 asset := input.asset
 asset.asset_type == "sqladmin.googleapis.com/Instance"
- check_ssl(params, asset.resource.settings.ipConfiguration) == false
+ check_ssl(params, asset.resource.data.settings.ipConfiguration) == false
 message := sprintf("%v has networks with SSL settings in violation of policy", [asset.name])
 metadata := {"resource": asset.name}
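Review bot: Removing `exempt_list := lib.get_default(params, "exemptions", [])` from gcp_cmek_settings_v1.yaml drops the only visible read of the `exemptions` parameter, and since Rego rejects references to unbound variables the binding was presumably never used elsewhere, so any `exemptions` an operator sets on this template's constraints already have no effect. If the template's parameter schema further up the file still lists `exemptions`, remove it there as well (or have the rule honour it), so that operators do not configure an exemption list that is silently ignored. The deny rule containing this hunk starts and ends outside it.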
@@ -86,7 +86,7 @@ spec:
 asset := input.asset
 asset.asset_type == "sqladmin.googleapis.com/Instance"
- forbidden := forbidden_networks(params, asset.resource.settings.ipConfiguration)
+ forbidden := forbidden_networks(params, asset.resource.data.settings.ipConfiguration)
 count(forbidden) > 0
 message := sprintf("%v has authorized networks that are not allowed: %v", [asset.name, forbidden])
@@ -95,13 +95,8 @@ spec:
 forbidden_networks(params, ipConfiguration) = forbidden {
 allowed_authorized_networks = lib.get_default(params, "authorized_networks", [])
-
- # Check whether authorizedNetworks field exists, so that
- # we can report violation when this field is not set
- config_auth_networks = lib.get_default(ipConfiguration, "authorizedNetworks", [{"value": "authorized network unspecified"}])
-
 configured_networks := {network |
- network = config_auth_networks[_].value
+ network = ipConfiguration.authorizedNetworks[_].value
 }
 matched_networks := {network |
diff --git a/validator/sql_allowed_authorized_networks.rego b/validator/sql_allowed_authorized_networks.rego
index 4bd30451..cdb2fb5c 100644
--- a/validator/sql_allowed_authorized_networks.rego
+++ b/validator/sql_allowed_authorized_networks.rego
@@ -73,4 +73,4 @@ check_ssl(params, ipConfiguration) = result {
 check_ssl(params, ipConfiguration) = result {
 requireSsl := lib.get_default(ipConfiguration, "requireSsl", false)
 result = requireSsl == params.ssl_enabled
-}
\ No newline at end of file
+}