feat(INT-6665): review GCP permissions

JupiterOne-Archives · Jan 20, 2023 · 6c55fc7 · 6c55fc7
1 parent 3e216e2
commit 6c55fc7
Show file tree

Hide file tree

Showing 39 changed files with 370 additions and 68 deletions.
diff --git a/commands/documentPermissions.ts b/commands/documentPermissions.ts
@@ -1,8 +1,10 @@
+/* eslint-disable no-console */
 import { promises as fs } from 'fs';
 import * as path from 'path';
 import { Command } from 'commander';
 import { invocationConfig } from '../src';
 import { GoogleCloudIntegrationStep } from '../src/types';
+import chalk from 'chalk';
 
 const table = require('markdown-table');
 
@@ -31,29 +33,65 @@ documentPermissionsCommand.parse();
 
 async function executeDocumentPermissionsAction(options: DocumentCommandArgs) {
   const { outputFile } = options;
+
+  console.log(
+    chalk.gray(
+      'DOCUMENT PERMISSIONS (START): Collecting permissions from steps...',
+    ),
+  );
+
   const documentationFilePath = path.join(process.cwd(), outputFile);
   const oldDocumentationFile = await getDocumentationFile(
     documentationFilePath,
   );
 
+  if (!oldDocumentationFile) {
+    return;
+  }
+
   const newGeneratedDocumentationSection = getNewDocumentationVersion();
 
+  console.log(chalk.gray(newGeneratedDocumentationSection));
+
   if (!newGeneratedDocumentationSection) return;
 
   const newDocumentationFile = replaceBetweenDocumentMarkers(
     oldDocumentationFile,
     newGeneratedDocumentationSection,
   );
 
-  await fs.writeFile(documentationFilePath, newDocumentationFile, {
-    encoding: 'utf-8',
-  });
+  try {
+    await fs.writeFile(documentationFilePath, newDocumentationFile, {
+      encoding: 'utf-8',
+    });
+  } catch (error) {
+    console.log(
+      chalk.gray(
+        `Unable to write documentation file from path ${documentationFilePath}.`,
+      ),
+    );
+  }
+
+  console.log(
+    chalk.gray(
+      `DOCUMENT PERMISSIONS (END): Finished document permissions process.`,
+    ),
+  );
 }
 
-function getDocumentationFile(documentationFilePath: string): Promise<string> {
-  return fs.readFile(documentationFilePath, {
-    encoding: 'utf-8',
-  });
+function getDocumentationFile(documentationFilePath: string) {
+  try {
+    chalk.gray(`Reading documentation file from ${documentationFilePath}`);
+    return fs.readFile(documentationFilePath, {
+      encoding: 'utf-8',
+    });
+  } catch (error) {
+    console.log(
+      chalk.gray(
+        `Unable to read documentation file from path ${documentationFilePath}. Aborting`,
+      ),
+    );
+  }
 }
 
 function getNewDocumentationVersion(): string | undefined {
@@ -62,21 +100,32 @@ function getNewDocumentationVersion(): string | undefined {
   const permissionsList = integrationSteps.reduce(
     (accumulatedPermissions, step) => {
       const googleCloudIntegrationStep = step as GoogleCloudIntegrationStep;
-      return googleCloudIntegrationStep.permissions
-        ? [...accumulatedPermissions, ...googleCloudIntegrationStep.permissions]
+      const googleCloudIntegrationStepPermissions =
+        googleCloudIntegrationStep.permissions?.reduce(
+          (accumulatedStepPermissions, stepPermission) => {
+            return !accumulatedPermissions.includes(stepPermission)
+              ? [...accumulatedStepPermissions, stepPermission]
+              : accumulatedStepPermissions;
+          },
+          [] as string[],
+        );
+      return googleCloudIntegrationStepPermissions
+        ? [...accumulatedPermissions, ...googleCloudIntegrationStepPermissions]
         : accumulatedPermissions;
     },
     [] as string[],
   );
 
-  const tableMarkdown = getTableMarkdown(permissionsList);
+  const tableMarkdown = getTableMarkdown(
+    permissionsList.sort((a, b) => a.localeCompare(b)),
+  );
 
   return `${J1_PERMISSIONS_DOCUMENTATION_MARKER_START}\n${tableMarkdown}\n${J1_PERMISSIONS_DOCUMENTATION_MARKER_END}`;
 }
 
 function getTableMarkdown(permissionsList: string[]): string {
   return table([
-    ['Permissions List'],
+    [`Permissions List (${permissionsList.length})`],
     ...permissionsList.map((permission) => [`\`${permission}\``]),
   ]);
 }

diff --git a/docs/jupiterone.md b/docs/jupiterone.md
@@ -570,5 +570,114 @@ If you prefer not to use Google managed roles, the following list of specific
 permissions can be used to provision only the required ones:
 
 <!-- {J1_PERMISSIONS_DOCUMENTATION_MARKER_START} -->
-
+| Permissions List (108)                                  |
+| ------------------------------------------------------- |
+| `accesscontextmanager.accessLevels.list`                |
+| `accesscontextmanager.accessPolicies.list`              |
+| `accesscontextmanager.servicePerimeters.list`           |
+| `apigateway.apiconfigs.getIamPolicy`                    |
+| `apigateway.apiconfigs.list`                            |
+| `apigateway.apis.getIamPolicy`                          |
+| `apigateway.apis.list`                                  |
+| `apigateway.gateways.getIamPolicy`                      |
+| `apigateway.gateways.list`                              |
+| `appengine.applications.get`                            |
+| `appengine.instances.list`                              |
+| `appengine.services.list`                               |
+| `appengine.versions.list`                               |
+| `bigquery.datasets.get`                                 |
+| `bigquery.models.getData`                               |
+| `bigquery.models.getMetadata`                           |
+| `bigquery.models.list`                                  |
+| `bigquery.tables.get`                                   |
+| `bigquery.tables.getIamPolicy`                          |
+| `bigquery.tables.list`                                  |
+| `bigtable.appProfiles.list`                             |
+| `bigtable.backups.list`                                 |
+| `bigtable.clusters.list`                                |
+| `bigtable.instances.list`                               |
+| `bigtable.tables.list`                                  |
+| `billing.budgets.list`                                  |
+| `binaryauthorization.policy.get`                        |
+| `cloudasset.assets.listCloudbillingBillingAccounts`     |
+| `cloudasset.assets.listCloudbillingProjectBillingInfos` |
+| `cloudasset.assets.searchAllIamPolicies`                |
+| `cloudbuild.builds.get`                                 |
+| `cloudbuild.builds.list`                                |
+| `cloudbuild.integrations.get`                           |
+| `cloudbuild.integrations.list`                          |
+| `cloudbuild.repositories.get`                           |
+| `cloudbuild.repositories.list`                          |
+| `cloudbuild.workerpools.list`                           |
+| `cloudfunctions.functions.list`                         |
+| `cloudkms.cryptoKeys.getIamPolicy`                      |
+| `cloudkms.cryptoKeys.list`                              |
+| `cloudkms.keyRings.list`                                |
+| `cloudsql.instances.list`                               |
+| `compute.addresses.list`                                |
+| `compute.backendBuckets.list`                           |
+| `compute.backendServices.list`                          |
+| `compute.disks.list`                                    |
+| `compute.firewalls.list`                                |
+| `compute.forwardingRules.list`                          |
+| `compute.globalAddresses.list`                          |
+| `compute.globalForwardingRules.list`                    |
+| `compute.healthChecks.list`                             |
+| `compute.images.get`                                    |
+| `compute.images.getIamPolicy`                           |
+| `compute.images.list`                                   |
+| `compute.instanceGroups.list`                           |
+| `compute.instances.list`                                |
+| `compute.networks.list`                                 |
+| `compute.projects.get`                                  |
+| `compute.regionBackendServices.list`                    |
+| `compute.regionHealthChecks.list`                       |
+| `compute.regionTargetHttpProxies.list`                  |
+| `compute.regionTargetHttpsProxies.list`                 |
+| `compute.regionUrlMaps.list`                            |
+| `compute.snapshots.list`                                |
+| `compute.sslPolicies.list`                              |
+| `compute.subnetworks.list`                              |
+| `compute.targetHttpProxies.list`                        |
+| `compute.targetHttpsProxies.list`                       |
+| `compute.targetSslProxies.list`                         |
+| `compute.urlMaps.list`                                  |
+| `container.clusters.list`                               |
+| `dataproc.clusters.list`                                |
+| `dns.managedZones.list`                                 |
+| `dns.policies.list`                                     |
+| `iam.roles.list`                                        |
+| `iam.serviceAccountKeys.list`                           |
+| `iam.serviceAccounts.list`                              |
+| `logging.logMetrics.list`                               |
+| `logging.sinks.list`                                    |
+| `memcache.instances.list`                               |
+| `monitoring.alertPolicies.list`                         |
+| `orgpolicy.policies.list`                               |
+| `orgpolicy.policy.get`                                  |
+| `privateca.certificateAuthorities.getIamPolicy`         |
+| `privateca.certificateAuthorities.list`                 |
+| `privateca.certificates.list`                           |
+| `pubsub.subscriptions.list`                             |
+| `pubsub.topics.getIamPolicy`                            |
+| `pubsub.topics.list`                                    |
+| `redis.instances.list`                                  |
+| `resourcemanager.folders.list`                          |
+| `resourcemanager.organizations.get`                     |
+| `resourcemanager.projects.get`                          |
+| `resourcemanager.projects.getIamPolicy`                 |
+| `resourcemanager.projects.list`                         |
+| `run.configurations.list`                               |
+| `run.routes.list`                                       |
+| `run.services.list`                                     |
+| `secretmanager.secrets.list`                            |
+| `secretmanager.versions.list`                           |
+| `serviceusage.services.list`                            |
+| `source.repos.list`                                     |
+| `spanner.databases.getIamPolicy`                        |
+| `spanner.databases.list`                                |
+| `spanner.instanceConfigs.list`                          |
+| `spanner.instances.list`                                |
+| `storage.buckets.getIamPolicy`                          |
+| `storage.buckets.list`                                  |
 <!-- {J1_PERMISSIONS_DOCUMENTATION_MARKER_END} -->
diff --git a/husky.config.js b/husky.config.js
@@ -1 +1,8 @@
-module.exports = require('@jupiterone/integration-sdk-dev-tools/config/husky');
+const huskyConfig = require('@jupiterone/integration-sdk-dev-tools/config/husky');
+
+module.exports = {
+  hooks: {
+    ...huskyConfig.hooks,
+    'pre-commit': `${huskyConfig.hooks['pre-commit']} && yarn document:permissions && git add docs/jupiterone.md`,
+  },
+};
diff --git a/src/steps/access-context-manager/index.ts b/src/steps/access-context-manager/index.ts
@@ -399,6 +399,7 @@ export const accessPoliciesSteps: GoogleCloudIntegrationStep[] = [
     relationships: [],
     dependsOn: [],
     executionHandler: fetchAccessPolicies,
+    permissions: ['accesscontextmanager.accessPolicies.list'],
   },
   {
     id: STEP_ACCESS_CONTEXT_MANAGER_ACCESS_LEVELS,
@@ -420,6 +421,7 @@ export const accessPoliciesSteps: GoogleCloudIntegrationStep[] = [
     ],
     dependsOn: [STEP_ACCESS_CONTEXT_MANAGER_ACCESS_POLICIES],
     executionHandler: fetchAccessLevels,
+    permissions: ['accesscontextmanager.accessLevels.list'],
   },
   {
     id: STEP_ACCESS_CONTEXT_MANAGER_SERVICE_PERIMETERS,
@@ -523,5 +525,6 @@ export const accessPoliciesSteps: GoogleCloudIntegrationStep[] = [
       STEP_ACCESS_CONTEXT_MANAGER_ACCESS_POLICIES,
     ],
     executionHandler: fetchServicePerimeters,
+    permissions: ['accesscontextmanager.servicePerimeters.list'],
   },
 ];
diff --git a/src/steps/api-gateway/index.ts b/src/steps/api-gateway/index.ts
@@ -197,6 +197,7 @@ export const apiGatewaySteps: GoogleCloudIntegrationStep[] = [
     relationships: [],
     dependsOn: [],
     executionHandler: fetchApiGatewayApis,
+    permissions: ['apigateway.apis.getIamPolicy', 'apigateway.apis.list'],
   },
   {
     id: STEP_API_GATEWAY_API_CONFIGS,
@@ -224,6 +225,10 @@ export const apiGatewaySteps: GoogleCloudIntegrationStep[] = [
     ],
     dependsOn: [STEP_API_GATEWAY_APIS, STEP_IAM_SERVICE_ACCOUNTS],
     executionHandler: fetchApiGatewayApiConfigs,
+    permissions: [
+      'apigateway.apiconfigs.list',
+      'apigateway.apiconfigs.getIamPolicy',
+    ],
   },
   {
     id: STEP_API_GATEWAY_GATEWAYS,
@@ -245,5 +250,9 @@ export const apiGatewaySteps: GoogleCloudIntegrationStep[] = [
     ],
     dependsOn: [STEP_API_GATEWAY_APIS],
     executionHandler: fetchApiGatewayGateways,
+    permissions: [
+      'apigateway.gateways.list',
+      'apigateway.gateways.getIamPolicy',
+    ],
   },
 ];
diff --git a/src/steps/app-engine/index.ts b/src/steps/app-engine/index.ts
@@ -393,6 +393,7 @@ export const appEngineSteps: GoogleCloudIntegrationStep[] = [
     relationships: [],
     dependsOn: [],
     executionHandler: fetchAppEngineApplication,
+    permissions: ['appengine.applications.get'],
   },
   {
     id: STEP_CREATE_APP_ENGINE_BUCKET_RELATIONSHIPS,
@@ -432,6 +433,7 @@ export const appEngineSteps: GoogleCloudIntegrationStep[] = [
     ],
     dependsOn: [STEP_APP_ENGINE_APPLICATION],
     executionHandler: fetchAppEngineServices,
+    permissions: ['appengine.services.list'],
   },
   {
     id: STEP_APP_ENGINE_VERSIONS,
@@ -465,6 +467,7 @@ export const appEngineSteps: GoogleCloudIntegrationStep[] = [
     ],
     dependsOn: [STEP_APP_ENGINE_SERVICES, STEP_IAM_SERVICE_ACCOUNTS],
     executionHandler: fetchAppEngineServiceVersions,
+    permissions: ['appengine.versions.list'],
   },
   {
     id: STEP_APP_ENGINE_INSTANCES,
@@ -486,5 +489,6 @@ export const appEngineSteps: GoogleCloudIntegrationStep[] = [
     ],
     dependsOn: [STEP_APP_ENGINE_VERSIONS],
     executionHandler: fetchAppEngineVersionInstances,
+    permissions: ['appengine.instances.list'],
   },
 ];
diff --git a/src/steps/big-query/index.ts b/src/steps/big-query/index.ts
@@ -236,6 +236,7 @@ export const bigQuerySteps: GoogleCloudIntegrationStep[] = [
     relationships: [],
     dependsOn: [],
     executionHandler: fetchBigQueryDatasets,
+    permissions: ['bigquery.datasets.get'],
   },
   {
     id: STEP_BUILD_BIG_QUERY_DATASET_KMS_RELATIONSHIPS,
@@ -272,6 +273,11 @@ export const bigQuerySteps: GoogleCloudIntegrationStep[] = [
     ],
     dependsOn: [STEP_BIG_QUERY_DATASETS],
     executionHandler: fetchBigQueryModels,
+    permissions: [
+      'bigquery.models.list',
+      'bigquery.models.getData',
+      'bigquery.models.getMetadata',
+    ],
   },
   {
     id: STEP_BIG_QUERY_TABLES,
@@ -293,5 +299,10 @@ export const bigQuerySteps: GoogleCloudIntegrationStep[] = [
     ],
     dependsOn: [STEP_BIG_QUERY_DATASETS],
     executionHandler: fetchBigQueryTables,
+    permissions: [
+      'bigquery.tables.list',
+      'bigquery.tables.getIamPolicy',
+      'bigquery.tables.get',
+    ],
   },
 ];
diff --git a/src/steps/big-table/index.ts b/src/steps/big-table/index.ts
@@ -235,6 +235,7 @@ export const bigTableSteps: GoogleCloudIntegrationStep[] = [
     relationships: [],
     dependsOn: [],
     executionHandler: fetchInstances,
+    permissions: ['bigtable.instances.list'],
   },
   {
     id: STEP_BIG_TABLE_APP_PROFILES,
@@ -256,6 +257,7 @@ export const bigTableSteps: GoogleCloudIntegrationStep[] = [
     ],
     dependsOn: [STEP_BIG_TABLE_INSTANCES],
     executionHandler: fetchAppProfiles,
+    permissions: ['bigtable.appProfiles.list'],
   },
   {
     id: STEP_BIG_TABLE_CLUSTERS,
@@ -283,6 +285,7 @@ export const bigTableSteps: GoogleCloudIntegrationStep[] = [
     ],
     dependsOn: [STEP_BIG_TABLE_INSTANCES],
     executionHandler: fetchClusters,
+    permissions: ['bigtable.clusters.list'],
   },
   {
     id: STEP_BIG_TABLE_BACKUPS,
@@ -315,6 +318,7 @@ export const bigTableSteps: GoogleCloudIntegrationStep[] = [
       STEP_CLOUD_KMS_KEYS,
     ],
     executionHandler: fetchBackups,
+    permissions: ['bigtable.backups.list'],
   },
   {
     id: STEP_BIG_TABLE_TABLES,
@@ -336,5 +340,6 @@ export const bigTableSteps: GoogleCloudIntegrationStep[] = [
     ],
     dependsOn: [STEP_BIG_TABLE_INSTANCES],
     executionHandler: fetchTables,
+    permissions: ['bigtable.tables.list'],
   },
 ];