feat: add policy to oslogin is enabled for VMs (#406)

* Ensure oslogin is enabled for a Project * Fixed all test files and constraint name for compute-enable-os-login * added correct description * added description message for OSlogin * description message is updated in templates
GoogleCloudPlatform · Oct 26, 2021 · f42d51f · f42d51f
1 parent f797171
commit f42d51f
Show file tree

Hide file tree

Showing 9 changed files with 686 additions and 0 deletions.
diff --git a/policies/templates/gcp_compute_enable_oslogin_project_v1.yaml b/policies/templates/gcp_compute_enable_oslogin_project_v1.yaml
@@ -0,0 +1,79 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+apiVersion: templates.gatekeeper.sh/v1alpha1
+kind: ConstraintTemplate
+metadata:
+  name: gcp-compute-enable-oslogin-project-v1
+spec:
+  crd:
+    spec:
+      names:
+        kind: GCPComputeRequireOSLoginConstraintV1
+      validation:
+        openAPIV3Schema:
+          properties: {}
+
+  targets:
+   validation.gcp.forsetisecurity.org:
+      rego: | #INLINE("validator/compute_enable_oslogin_project.rego")
+            #
+            # Copyright 2021 Google LLC
+            #
+            # Licensed under the Apache License, Version 2.0 (the "License");
+            # you may not use this file except in compliance with the License.
+            # You may obtain a copy of the License at
+            #
+            #      http://www.apache.org/licenses/LICENSE-2.0
+            #
+            # Unless required by applicable law or agreed to in writing, software
+            # distributed under the License is distributed on an "AS IS" BASIS,
+            # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+            # See the License for the specific language governing permissions and
+            # limitations under the License.
+            #
+            
+            package templates.gcp.GCPComputeRequireOSLoginConstraintV1
+            
+            import data.validator.gcp.lib as lib
+            
+            deny[{
+            	"msg": message,
+            	"details": metadata,
+            }] {
+            	constraint := input.constraint
+            	lib.get_constraint_params(constraint, params)
+            	asset := input.asset
+            	asset.asset_type == "compute.googleapis.com/Instance"
+            	instance := asset.resource.data
+            	meta := lib.get_default(instance, "metadata", {"items": []})
+            	key = "enable-oslogin"
+            
+            	# check if key is available and values are as expected
+            	not metadata_enable_oslogin(meta)
+            
+            	message := sprintf("On this resource %v Ensure that required key '%v' is present and value is true.", [asset.name, key])
+            	metadata := {"resource": asset.name, "key_in_violation": key}
+            }
+            
+            # All other cases for metadata items are violations
+            default metadata_enable_oslogin(meta) = false
+            
+            # check for enable_oslogin under metadata items - no violation
+            metadata_enable_oslogin(meta) {
+            	metadatum := meta.items[_]
+            	metadatum.key == "enable-oslogin"
+            	metadatum.value == "true"
+            }
+            #ENDINLINE
diff --git a/samples/compute_enable_oslogin_project.yaml b/samples/compute_enable_oslogin_project.yaml
@@ -0,0 +1,28 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+apiVersion: constraints.gatekeeper.sh/v1alpha1
+kind: GCPComputeRequireOSLoginConstraintV1
+metadata:
+  name: compute-enable-oslogin-project
+  annotations:
+    bundles.validator.forsetisecurity.org/cis-v1.1: 4.04
+    description: Verifies that all VMs in a project have OS login enabled.
+
+spec:
+  severity: high
+  match:
+      gcp:
+        target: ["organization/*"]
+  parameters: {}
diff --git a/validator/compute_enable_oslogin_project.rego b/validator/compute_enable_oslogin_project.rego
@@ -0,0 +1,48 @@
+#
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package templates.gcp.GCPComputeRequireOSLoginConstraintV1
+
+import data.validator.gcp.lib as lib
+
+deny[{
+	"msg": message,
+	"details": metadata,
+}] {
+	constraint := input.constraint
+	lib.get_constraint_params(constraint, params)
+	asset := input.asset
+	asset.asset_type == "compute.googleapis.com/Instance"
+	instance := asset.resource.data
+	meta := lib.get_default(instance, "metadata", {"items": []})
+	key = "enable-oslogin"
+
+	# check if key is available and values are as expected
+	not metadata_enable_oslogin(meta)
+
+	message := sprintf("On this resource %v Ensure that required key '%v' is present and value is true.", [asset.name, key])
+	metadata := {"resource": asset.name, "key_in_violation": key}
+}
+
+# All other cases for metadata items are violations
+default metadata_enable_oslogin(meta) = false
+
+# check for enable_oslogin under metadata items - no violation
+metadata_enable_oslogin(meta) {
+	metadatum := meta.items[_]
+	metadatum.key == "enable-oslogin"
+	metadatum.value == "true"
+}
diff --git a/validator/compute_enable_oslogin_project_test.rego b/validator/compute_enable_oslogin_project_test.rego
@@ -0,0 +1,60 @@
+#
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+package templates.gcp.GCPComputeRequireOSLoginConstraintV1
+
+import data.validator.gcp.lib as lib
+import data.validator.test_utils as test_utils
+
+# Importing the test data
+import data.test.fixtures.compute_enable_oslogin.assets.compute.instance_no_violation as fixture_compute_instance_no_violation
+import data.test.fixtures.compute_enable_oslogin.assets.compute.instance_violation as fixture_compute_instance_violation
+import data.test.fixtures.compute_enable_oslogin.assets.compute.no_instances as fixture_compute_no_instance
+import data.test.fixtures.compute_enable_oslogin.assets.compute.no_metadata as fixture_compute_instance_no_metadata
+
+import data.test.fixtures.compute_enable_oslogin.constraints as fixture_constraint
+
+template_name := "GCPComputeRequireOSLoginConstraintV1"
+
+#### Testing for GCE instances
+
+#1. No instances at all
+test_enable_oslogin_project_compute_no_instances {
+	expected_resource_names := {"//dns.googleapis.com/projects/186783260185/managedZones/correct"}
+	test_utils.check_test_violations_count(fixture_compute_no_instance, [fixture_constraint], template_name, 1)
+}
+
+#2. One instance with correct key
+test_enable_oslogin_project_compute_instance_no_violations {
+	expected_resource_names := {"//compute.googleapis.com/projects/my-test-project/zones/us-central1-f/instances/test-jumphost"}
+	test_utils.check_test_violations_count(fixture_compute_instance_no_violation, [fixture_constraint], template_name, 1)
+}
+
+#3. One instance without correct key
+test_enable_oslogin_project_compute_instance_violations {
+	expected_resource_names := {"//compute.googleapis.com/projects/my-test-project/zones/us-central1-f/instances/test-jumphost-violation"}
+	test_utils.check_test_violations_count(fixture_compute_instance_violation, [fixture_constraint], template_name, 1)
+}
+
+#4. An instance without metadata configured at all (metadata_config doesn't exist).
+test_enable_oslogin_project_compute_instance_no_metadata {
+	expected_resource_names := {"//compute.googleapis.com/projects/my-test-project/zones/us-central1-f/instances/test-jumphost"}
+	expected_field_name := "key_in_violation"
+	expected_field_values := {"enable-oslogin"}
+	test_utils.check_test_violations_count(fixture_compute_instance_no_metadata, [fixture_constraint], template_name, 1)
+	test_utils.check_test_violations_resources(fixture_compute_instance_no_metadata, [fixture_constraint], template_name, expected_resource_names)
+	test_utils.check_test_violations_signature(fixture_compute_instance_no_metadata, [fixture_constraint], template_name)
+	test_utils.check_test_violations_metadata(fixture_compute_instance_no_metadata, [fixture_constraint], template_name, expected_field_name, expected_field_values)
+}
diff --git a/...dator/test/fixtures/compute_enable_oslogin/assets/compute/instance_no_violation/data.json b/...dator/test/fixtures/compute_enable_oslogin/assets/compute/instance_no_violation/data.json
@@ -0,0 +1,163 @@
+[
+  {
+	"name": "//compute.googleapis.com/projects/my-test-project/zones/us-central1-f/instances/test-jumphost",
+	"asset_type": "compute.googleapis.com/Instance",
+	"ancestry_path": "organization/614830067722/folder/561421552790/project/my-test-project",
+	"resource": {
+		"version": "v1",
+		"discovery_document_uri": "https://www.googleapis.com/discovery/v1/apis/compute/v1/rest",
+		"discovery_name": "Instance",
+		"parent": "//cloudresourcemanager.googleapis.com/projects/my-test-project",
+		"data": {
+			"canIpForward": false,
+			"deletionProtection": false,
+			"disks": [{
+				"autoDelete": true,
+				"boot": true,
+				"initializeParams": {
+					"diskSizeGb": "20",
+					"diskType": "projects/my-test-project/zones/us-central1-f/diskTypes/pd-standard",
+					"sourceImage": "projects/centos-cloud/global/images/centos-8-v20210512"
+				},
+				"mode": "READ_WRITE"
+			}],
+			"displayDevice": {
+				"enableDisplay": false
+			},
+			"machineType": "projects/my-test-project/zones/us-central1-f/machineTypes/e2-micro",
+			"metadata": {
+				"items": [{
+					"key": "block-project-ssh-keys",
+					"value": "true"
+				}, {
+					"key": "enable-oslogin",
+					"value": "true"
+				}, {
+					"key": "environment",
+					"value": "dev"
+				}, {
+					"key": "name",
+					"value": "test-jumphost"
+				}, {
+					"key": "serial-port-enable",
+					"value": "false"
+				}, {
+					"key": "startup-script",
+					"value": "echo instance created through terraform \u003e /readme.txt"
+				}]
+			},
+			"name": "test-jumphost",
+			"networkInterfaces": [{
+				"accessConfigs": [{
+					"type": "ONE_TO_ONE_NAT"
+				}],
+				"subnetwork": "projects/my-test-project/regions/us-central1/subnetworks/primary-dmz-subnet"
+			}],
+			"scheduling": {
+				"automaticRestart": true
+			},
+			"serviceAccounts": [{
+				"email": "default",
+				"scopes": ["https://www.googleapis.com/auth/cloud-platform"]
+			}],
+			"shieldedInstanceConfig": {
+				"enableIntegrityMonitoring": true,
+				"enableSecureBoot": false,
+
+				"enableVtpm": true
+			},
+			"tags": {
+				"items": ["ingress-inet", "egress-inet"]
+			}
+		}
+	}
+  },
+  {
+    "name": "//compute.googleapis.com/projects/my-test-project/zones/us-central1-f/instances/test-jumphost-violation",
+    "asset_type": "compute.googleapis.com/Instance",
+    "ancestry_path": "organization/614830067722/folder/561421552790/project/my-test-project",
+    "resource": {
+      "version": "v1",
+      "discovery_document_uri": "https://www.googleapis.com/discovery/v1/apis/compute/v1/rest",
+      "discovery_name": "Instance",
+      "parent": "//cloudresourcemanager.googleapis.com/projects/my-test-project",
+      "data": {
+        "canIpForward": false,
+        "deletionProtection": false,
+        "disks": [
+          {
+            "autoDelete": true,
+            "boot": true,
+            "initializeParams": {
+              "diskSizeGb": "20",
+              "diskType": "projects/my-test-project/zones/us-central1-f/diskTypes/pd-standard",
+              "sourceImage": "projects/centos-cloud/global/images/centos-8-v20210512"
+            },
+            "mode": "READ_WRITE"
+          }
+        ],
+        "displayDevice": {
+          "enableDisplay": false
+        },
+        "machineType": "projects/my-test-project/zones/us-central1-f/machineTypes/e2-micro",
+        "metadata": {
+          "items": [
+            {
+              "key": "enable-oslogin",
+              "value": "false"
+            },
+            {
+              "key": "environment",
+              "value": "dev"
+            },
+            {
+              "key": "name",
+              "value": "test-jumphost-violation"
+            },
+            {
+              "key": "serial-port-enable",
+              "value": "false"
+            },
+            {
+              "key": "startup-script",
+              "value": "echo instance created through terraform \u003e /readme.txt"
+            }
+          ]
+        },
+        "name": "test-jumphost-violation",
+        "networkInterfaces": [
+          {
+            "accessConfigs": [
+              {
+                "type": "ONE_TO_ONE_NAT"
+              }
+            ],
+            "subnetwork": "projects/my-test-project/regions/us-central1/subnetworks/primary-dmz-subnet"
+          }
+        ],
+        "scheduling": {
+          "automaticRestart": true
+        },
+        "serviceAccounts": [
+          {
+            "email": "default",
+            "scopes": [
+              "https://www.googleapis.com/auth/cloud-platform"
+            ]
+          }
+        ],
+        "shieldedInstanceConfig": {
+          "enableIntegrityMonitoring": true,
+          "enableSecureBoot": false,
+          "enableVtpm": true
+        },
+        "tags": {
+          "items": [
+            "ingress-inet",
+            "egress-inet"
+          ]
+        }
+      }
+    }
+  }
+]