feat: CIS-1.1 - 4.03 Ensure "Block Project-wide SSH keys" is enabled …

…for VM instances (#405) * review comment fix for compute-block-ssh-keys * added all test files for compute-block-ssh-keys * deleted in constraints for compute-block-ssh-keys * compute-block-ssh-keys test rego updated to pick single non violated instance from multiple instances * removed the repeated lines in test files
GoogleCloudPlatform · Oct 21, 2021 · f797171 · f797171
1 parent 4eb5b36
commit f797171
Show file tree

Hide file tree

Showing 9 changed files with 701 additions and 0 deletions.
diff --git a/policies/templates/gcp_compute_block_ssh_keys_v1.yaml b/policies/templates/gcp_compute_block_ssh_keys_v1.yaml
@@ -0,0 +1,77 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+apiVersion: templates.gatekeeper.sh/v1alpha1
+kind: ConstraintTemplate
+metadata:
+  name: gcp-compute-block-ssh-keys-v1
+spec:
+  crd:
+    spec:
+      names:
+        kind: GCPComputeBlockSSHKeysConstraintV1
+      validation:
+        openAPIV3Schema:
+          properties: {}
+  targets:
+    validation.gcp.forsetisecurity.org:
+      rego: | #INLINE("validator/compute_block_ssh_keys.rego")
+        #
+        # Copyright 2021 Google LLC
+        #
+        # Licensed under the Apache License, Version 2.0 (the "License");
+        # you may not use this file except in compliance with the License.
+        # You may obtain a copy of the License at
+        #
+        #      http://www.apache.org/licenses/LICENSE-2.0
+        #
+        # Unless required by applicable law or agreed to in writing, software
+        # distributed under the License is distributed on an "AS IS" BASIS,
+        # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+        # See the License for the specific language governing permissions and
+        # limitations under the License.
+        #
+        package templates.gcp.GCPComputeBlockSSHKeysConstraintV1
+        
+        import data.validator.gcp.lib as lib
+        
+        deny[{
+        	"msg": message,
+        	"details": metadata,
+        }] {
+        	constraint := input.constraint
+        	lib.get_constraint_params(constraint, params)
+        	asset := input.asset
+        	asset.asset_type == "compute.googleapis.com/Instance"
+        	instance := asset.resource.data
+        	meta := lib.get_default(instance, "metadata", {"items": []})
+        	key = "block-project-ssh-keys"
+        
+        	# check if key is available and values are as expected
+        	not metadata_blocks_project_keys(meta)
+        
+        	message := sprintf("On this resource %v check the required key '%v' is in violation.", [asset.name, key])
+        	metadata := {"resource": asset.name, "key_in_violation": key}
+        }
+        
+        # All other cases for metadata items are violations
+        default metadata_blocks_project_keys(meta) = false
+        
+        # check for block-project-ssh-keys under metadata items - no violation
+        metadata_blocks_project_keys(meta) {
+        	metadatum := meta.items[_]
+        	metadatum.key == "block-project-ssh-keys"
+        	metadatum.value == "true"
+        }
+        #ENDINLINE
diff --git a/samples/compute_block_ssh_keys.yaml b/samples/compute_block_ssh_keys.yaml
@@ -0,0 +1,27 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+apiVersion: constraints.gatekeeper.sh/v1alpha1
+kind: GCPComputeBlockSSHKeysConstraintV1
+metadata:
+  name:  compute_block_ssh_keys
+  annotations:
+    description: Checks if "Block Project-wide SSH keys" is enabled for VM instances
+    bundles.validator.forsetisecurity.org/cis-v1.1: 4.03
+spec:
+  severity: high
+  match:
+      gcp:
+        target: ["organization/*"]
+  parameters: {}
diff --git a/validator/compute_block_ssh_keys.rego b/validator/compute_block_ssh_keys.rego
@@ -0,0 +1,47 @@
+#
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+package templates.gcp.GCPComputeBlockSSHKeysConstraintV1
+
+import data.validator.gcp.lib as lib
+
+deny[{
+	"msg": message,
+	"details": metadata,
+}] {
+	constraint := input.constraint
+	lib.get_constraint_params(constraint, params)
+	asset := input.asset
+	asset.asset_type == "compute.googleapis.com/Instance"
+	instance := asset.resource.data
+	meta := lib.get_default(instance, "metadata", {"items": []})
+	key = "block-project-ssh-keys"
+
+	# check if key is available and values are as expected
+	not metadata_blocks_project_keys(meta)
+
+	message := sprintf("On this resource %v check the required key '%v' is in violation.", [asset.name, key])
+	metadata := {"resource": asset.name, "key_in_violation": key}
+}
+
+# All other cases for metadata items are violations
+default metadata_blocks_project_keys(meta) = false
+
+# check for block-project-ssh-keys under metadata items - no violation
+metadata_blocks_project_keys(meta) {
+	metadatum := meta.items[_]
+	metadatum.key == "block-project-ssh-keys"
+	metadatum.value == "true"
+}
diff --git a/validator/compute_block_ssh_keys_test.rego b/validator/compute_block_ssh_keys_test.rego
@@ -0,0 +1,63 @@
+#
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+package templates.gcp.GCPComputeBlockSSHKeysConstraintV1
+
+import data.validator.gcp.lib as lib
+import data.validator.test_utils as test_utils
+
+# Importing the test data
+import data.test.fixtures.compute_block_ssh_keys.assets.compute.instance_no_violation as fixture_compute_instance_no_violation
+import data.test.fixtures.compute_block_ssh_keys.assets.compute.instance_violation as fixture_compute_instance_violation
+import data.test.fixtures.compute_block_ssh_keys.assets.compute.no_instances as fixture_compute_no_instance
+import data.test.fixtures.compute_block_ssh_keys.assets.compute.no_metadata as fixture_compute_instance_no_metadata
+
+# Importing the test constraint
+import data.test.fixtures.compute_block_ssh_keys.constraints as fixture_constraints
+
+template_name := "GCPComputeBlockSSHKeysConstraintV1"
+
+#### Testing for GCE instances
+
+#1. No instances at all
+test_block_ssh_keys_compute_no_instances {
+	expected_resource_names := {"//dns.googleapis.com/projects/186783260185/managedZones/correct"}
+	test_utils.check_test_violations_count(fixture_compute_no_instance, [fixture_constraints], template_name, 0)
+}
+
+#2. One instance with correct key
+test_block_ssh_keys_compute_instance_no_violations {
+	expected_resource_names := {"//compute.googleapis.com/projects/my-test-project/zones/us-central1-f/instances/test-jumphost"}
+	test_utils.check_test_violations_count(fixture_compute_instance_no_violation, [fixture_constraints], template_name, 1)
+	test_utils.check_test_violations_resources(fixture_compute_instance_violation, [fixture_constraints], template_name, expected_resource_names)
+	test_utils.check_test_violations_signature(fixture_compute_instance_violation, [fixture_constraints], template_name)
+}
+
+#3. One instance without correct key
+test_block_ssh_keys_compute_instance_violations {
+	expected_resource_names := {"//compute.googleapis.com/projects/my-test-project/zones/us-central1-f/instances/test-jumphost"}
+	test_utils.check_test_violations_count(fixture_compute_instance_violation, [fixture_constraints], template_name, 1)
+}
+
+#4. An instance without metadata configured at all (metadata_config doesn't exist).
+test_block_ssh_keys_compute_instance_no_metadata {
+	expected_resource_names := {"//compute.googleapis.com/projects/my-test-project/zones/us-central1-f/instances/test-jumphost"}
+	expected_field_name := "key_in_violation"
+	expected_field_values := {"block-project-ssh-keys"}
+	test_utils.check_test_violations_count(fixture_compute_instance_no_metadata, [fixture_constraints], template_name, 1)
+	test_utils.check_test_violations_resources(fixture_compute_instance_no_metadata, [fixture_constraints], template_name, expected_resource_names)
+	test_utils.check_test_violations_signature(fixture_compute_instance_no_metadata, [fixture_constraints], template_name)
+	test_utils.check_test_violations_metadata(fixture_compute_instance_no_metadata, [fixture_constraints], template_name, expected_field_name, expected_field_values)
+}