Merge pull request #566 from JupiterOne/INT-6165-permissions-logs

feat(INT-6165): change permissions logs to warnings
JupiterOne-Archives · Jan 9, 2023 · 88cedef · 88cedef
2 parents bbd0a2f + 18c7c00
commit 88cedef
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 13 deletions.
diff --git a/src/steps/app-engine/index.ts b/src/steps/app-engine/index.ts
@@ -103,7 +103,7 @@ export async function fetchAppEngineApplication(
     );
   } catch (err) {
     if (err.code === 403) {
-      logger.info(
+      logger.warn(
         { err },
         'Could not fetch app engine application. Requires additional permission',
       );

diff --git a/src/steps/binary-authorization/index.ts b/src/steps/binary-authorization/index.ts
@@ -36,7 +36,7 @@ export async function fetchBinaryAuthorizationPolicy(
     policy = await client.fetchPolicy();
   } catch (err) {
     if (err.code === 403) {
-      logger.trace(
+      logger.warn(
         { err },
         'Could not fetch binary authorization policy. Requires additional permission',
       );

diff --git a/src/steps/cloud-asset/index.ts b/src/steps/cloud-asset/index.ts
@@ -197,7 +197,7 @@ export async function fetchIamBindings(
     );
   } catch (err) {
     if (err.status === 403) {
-      logger.info(
+      logger.warn(
         {
           err,
         },

diff --git a/src/steps/compute/index.ts b/src/steps/compute/index.ts
@@ -309,7 +309,7 @@ export async function fetchComputeProject(
     computeProject = await client.fetchComputeProject();
   } catch (err) {
     if (err.code === 403) {
-      logger.trace(
+      logger.warn(
         { err },
         'Could not fetch compute project. Requires additional permission',
       );
@@ -478,7 +478,7 @@ export async function buildDiskImageRelationships(
             );
           } catch (err) {
             if (err.code === 403) {
-              logger.trace(
+              logger.warn(
                 { err },
                 'Could not fetch compute image. Requires additional permission',
               );

diff --git a/src/steps/storage/index.ts b/src/steps/storage/index.ts
@@ -4,7 +4,10 @@ import { IntegrationConfig, IntegrationStepContext } from '../../types';
 import { createCloudStorageBucketEntity } from './converters';
 import { StorageStepsSpec, StorageEntitiesSpec } from './constants';
 import { storage_v1 } from 'googleapis';
-import { publishUnprocessedBucketsEvent } from '../../utils/events';
+import {
+  publishMissingPermissionEvent,
+  publishUnprocessedBucketsEvent,
+} from '../../utils/events';
 import { OrgPolicyClient } from '../orgpolicy/client';
 
 export async function fetchStorageBuckets(
@@ -25,13 +28,21 @@ export async function fetchStorageBuckets(
     publicAccessPreventionPolicy =
       await orgPolicyClient.fetchOrganizationPublicAccessPreventionPolicy();
   } catch (err) {
-    logger.warn({ err }, 'Error fetching organization public access prevention policy');
-
-    if (err.code === 403 && (err.message as string).includes(`Permission 'orgpolicy.policy.get' denied on resource`)) {
-      logger.publishEvent({
-        name: 'missing_permission',
-        description:
-          '"orgpolicy.policy.get" is not a required permission to run the Google Cloud integration, but is required for getting organization policy for "storage.publicAccessPrevention"',
+    logger.warn(
+      { err },
+      'Error fetching organization public access prevention policy',
+    );
+
+    if (
+      err.code === 403 &&
+      (err.message as string).includes(
+        `Permission 'orgpolicy.policy.get' denied on resource`,
+      )
+    ) {
+      publishMissingPermissionEvent({
+        logger,
+        permission: 'orgpolicy.policy.get',
+        stepId: StorageStepsSpec.FETCH_STORAGE_BUCKETS.id,
       });
     }
   }