Merge pull request #31 from JupiterOne/key-support

Support for ingesting KSM crypto key rings and crypto keys
JupiterOne-Archives · Oct 5, 2020 · ef48aa0 · ef48aa0
2 parents d738880 + 533394e
commit ef48aa0
Show file tree

Hide file tree

Showing 16 changed files with 8,915 additions and 0 deletions.
diff --git a/docs/jupiterone.md b/docs/jupiterone.md
@@ -78,6 +78,8 @@ The following entities are created:
 | IAM Service Account     | `google_iam_service_account`     | `User`              |
 | IAM Service Account Key | `google_iam_service_account_key` | `AccessKey`         |
 | IAM User                | `google_user`                    | `User`              |
+| KMS Crypto Key          | `google_kms_crypto_key`          | `Key`, `CryptoKey`  |
+| KMS Key Ring            | `google_kms_key_ring`            | `Vault`             |
 
 ### Relationships
 
@@ -94,6 +96,7 @@ The following relationships are created/mapped:
 | `google_compute_subnetwork`  | **HAS**               | `google_compute_instance`        |
 | `google_iam_service_account` | **ASSIGNED**          | `google_iam_role`                |
 | `google_iam_service_account` | **HAS**               | `google_iam_service_account_key` |
+| `google_kms_key_ring`        | **HAS**               | `google_kms_crypto_key`          |
 | `google_user`                | **ASSIGNED**          | `google_iam_role`                |
 
 <!--

diff --git a/src/getStepStartStates.ts b/src/getStepStartStates.ts
@@ -20,6 +20,7 @@ import {
   STEP_COMPUTE_SUBNETWORKS,
   STEP_COMPUTE_FIREWALLS,
 } from './steps/compute';
+import { STEP_CLOUD_KMS_KEYS, STEP_CLOUD_KMS_KEY_RINGS } from './steps/kms';
 
 async function getEnabledServiceNames(
   config: IntegrationConfig,
@@ -101,5 +102,7 @@ export default async function getStepStartStates(
     [STEP_COMPUTE_FIREWALLS]: createStepStartState(ServiceUsageName.COMPUTE),
     [STEP_COMPUTE_SUBNETWORKS]: createStepStartState(ServiceUsageName.COMPUTE),
     [STEP_COMPUTE_INSTANCES]: createStepStartState(ServiceUsageName.COMPUTE),
+    [STEP_CLOUD_KMS_KEY_RINGS]: createStepStartState(ServiceUsageName.KMS),
+    [STEP_CLOUD_KMS_KEYS]: createStepStartState(ServiceUsageName.KMS),
   };
 }
diff --git a/src/google-cloud/types.ts b/src/google-cloud/types.ts
@@ -10,4 +10,5 @@ export enum ServiceUsageName {
   IAM = 'iam.googleapis.com',
   RESOURCE_MANAGER = 'cloudresourcemanager.googleapis.com',
   COMPUTE = 'compute.googleapis.com',
+  KMS = 'cloudkms.googleapis.com',
 }
diff --git a/src/index.test.ts b/src/index.test.ts
@@ -30,6 +30,7 @@ import {
   STEP_COMPUTE_NETWORKS,
   STEP_COMPUTE_SUBNETWORKS,
 } from './steps/compute';
+import { STEP_CLOUD_KMS_KEYS, STEP_CLOUD_KMS_KEY_RINGS } from './steps/kms';
 
 interface ValidateInvocationInvalidConfigTestParams {
   instanceConfig?: Partial<IntegrationConfig>;
@@ -124,6 +125,12 @@ describe('#getStepStartStates success', () => {
       [STEP_COMPUTE_FIREWALLS]: {
         disabled: false,
       },
+      [STEP_CLOUD_KMS_KEY_RINGS]: {
+        disabled: false,
+      },
+      [STEP_CLOUD_KMS_KEYS]: {
+        disabled: false,
+      },
     };
 
     expect(stepStartStates).toEqual(expectedStepStartStates);

diff --git a/src/index.ts b/src/index.ts
@@ -7,6 +7,7 @@ import { serviceUsageSteps } from './steps/service-usage';
 import { iamSteps } from './steps/iam';
 import { resourceManagerSteps } from './steps/resource-manager';
 import { computeSteps } from './steps/compute';
+import { kmsSteps } from './steps/kms';
 
 export const invocationConfig: IntegrationInvocationConfig<IntegrationConfig> = {
   instanceConfigFields: {
@@ -23,5 +24,6 @@ export const invocationConfig: IntegrationInvocationConfig<IntegrationConfig> =
     ...iamSteps,
     ...resourceManagerSteps,
     ...computeSteps,
+    ...kmsSteps,
   ],
 };
diff --git a/src/steps/kms/__recordings__/fetchKmsCryptoKeys_2580116173/recording.har b/src/steps/kms/__recordings__/fetchKmsCryptoKeys_2580116173/recording.har
diff --git a/src/steps/kms/__recordings__/fetchKmsKeyRings_3543545506/recording.har b/src/steps/kms/__recordings__/fetchKmsKeyRings_3543545506/recording.har
diff --git a/src/steps/kms/__snapshots__/converters.test.ts.snap b/src/steps/kms/__snapshots__/converters.test.ts.snap
@@ -0,0 +1,78 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`#createKmsCryptoKeyEntity should convert to entity 1`] = `
+Object {
+  "_class": Array [
+    "Key",
+    "CryptoKey",
+  ],
+  "_key": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key",
+  "_rawData": Array [
+    Object {
+      "name": "default",
+      "rawData": Object {
+        "createTime": "2020-07-28T18:59:59.513564921Z",
+        "name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key",
+        "nextRotationTime": "2020-10-04T19:01:14.428484Z",
+        "primary": Object {
+          "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
+          "createTime": "2020-10-03T19:01:13.428484662Z",
+          "generateTime": "2020-10-03T19:01:13.428484662Z",
+          "name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key/cryptoKeyVersions/68",
+          "protectionLevel": "SOFTWARE",
+          "state": "ENABLED",
+        },
+        "purpose": "ENCRYPT_DECRYPT",
+        "rotationPeriod": "86401s",
+        "versionTemplate": Object {
+          "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
+          "protectionLevel": "SOFTWARE",
+        },
+      },
+    },
+  ],
+  "_type": "google_kms_crypto_key",
+  "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
+  "createdOn": 1595962799513,
+  "displayName": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key",
+  "keyUsage": "ENCRYPT_DECRYPT",
+  "name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key",
+  "nextRotationTime": 1601838074428,
+  "primaryAlgorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
+  "primaryCreateTime": 1601751673428,
+  "primaryGenerateTime": 1601751673428,
+  "primaryName": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key/cryptoKeyVersions/68",
+  "primaryProtectionLevel": "SOFTWARE",
+  "primaryState": "ENABLED",
+  "protectionLevel": "SOFTWARE",
+  "purpose": "ENCRYPT_DECRYPT",
+  "rotationPeriod": 86401,
+  "webLink": "https://console.cloud.google.com/security/kms/key/manage/us/j1-gc-integration-dev-bucket-ring/projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key?project=j1-gc-integration-dev",
+}
+`;
+
+exports[`#createKmsKeyRingEntity should convert to entity 1`] = `
+Object {
+  "_class": Array [
+    "Vault",
+  ],
+  "_key": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
+  "_rawData": Array [
+    Object {
+      "name": "default",
+      "rawData": Object {
+        "createTime": "2020-07-28T18:34:26.034565002Z",
+        "name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
+      },
+    },
+  ],
+  "_type": "google_kms_key_ring",
+  "createdOn": 1595961266034,
+  "displayName": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
+  "location": "us",
+  "name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
+  "projectId": "j1-gc-integration-dev",
+  "shortName": "j1-gc-integration-dev-bucket-ring",
+  "webLink": "https://console.cloud.google.com/security/kms/keyring/manage/us/j1-gc-integration-dev-bucket-ring/key?project=j1-gc-integration-dev",
+}
+`;
diff --git a/src/steps/kms/__snapshots__/index.test.ts.snap b/src/steps/kms/__snapshots__/index.test.ts.snap
@@ -0,0 +1,178 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`#fetchKmsCryptoKeys should collect data 1`] = `
+Object {
+  "collectedEntities": Array [
+    Object {
+      "_class": Array [
+        "Vault",
+      ],
+      "_key": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
+      "_rawData": Array [
+        Object {
+          "name": "default",
+          "rawData": Object {
+            "createTime": "2020-07-28T18:34:26.034565002Z",
+            "name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
+          },
+        },
+      ],
+      "_type": "google_kms_key_ring",
+      "createdOn": 1595961266034,
+      "displayName": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
+      "location": "us",
+      "name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
+      "projectId": "j1-gc-integration-dev",
+      "shortName": "j1-gc-integration-dev-bucket-ring",
+      "webLink": "https://console.cloud.google.com/security/kms/keyring/manage/us/j1-gc-integration-dev-bucket-ring/key?project=j1-gc-integration-dev",
+    },
+    Object {
+      "_class": Array [
+        "Vault",
+      ],
+      "_key": "projects/j1-gc-integration-dev/locations/us/keyRings/j1dev-bucket-ring",
+      "_rawData": Array [
+        Object {
+          "name": "default",
+          "rawData": Object {
+            "createTime": "2020-07-28T18:30:53.453045041Z",
+            "name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1dev-bucket-ring",
+          },
+        },
+      ],
+      "_type": "google_kms_key_ring",
+      "createdOn": 1595961053453,
+      "displayName": "projects/j1-gc-integration-dev/locations/us/keyRings/j1dev-bucket-ring",
+      "location": "us",
+      "name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1dev-bucket-ring",
+      "projectId": "j1-gc-integration-dev",
+      "shortName": "j1dev-bucket-ring",
+      "webLink": "https://console.cloud.google.com/security/kms/keyring/manage/us/j1dev-bucket-ring/key?project=j1-gc-integration-dev",
+    },
+    Object {
+      "_class": Array [
+        "Key",
+        "CryptoKey",
+      ],
+      "_key": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key",
+      "_rawData": Array [
+        Object {
+          "name": "default",
+          "rawData": Object {
+            "createTime": "2020-07-28T18:59:59.513564921Z",
+            "name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key",
+            "nextRotationTime": "2020-10-04T19:01:14.428484Z",
+            "primary": Object {
+              "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
+              "createTime": "2020-10-03T19:01:13.428484662Z",
+              "generateTime": "2020-10-03T19:01:13.428484662Z",
+              "name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key/cryptoKeyVersions/68",
+              "protectionLevel": "SOFTWARE",
+              "state": "ENABLED",
+            },
+            "purpose": "ENCRYPT_DECRYPT",
+            "rotationPeriod": "86401s",
+            "versionTemplate": Object {
+              "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
+              "protectionLevel": "SOFTWARE",
+            },
+          },
+        },
+      ],
+      "_type": "google_kms_crypto_key",
+      "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
+      "createdOn": 1595962799513,
+      "displayName": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key",
+      "keyUsage": "ENCRYPT_DECRYPT",
+      "name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key",
+      "nextRotationTime": 1601838074428,
+      "primaryAlgorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
+      "primaryCreateTime": 1601751673428,
+      "primaryGenerateTime": 1601751673428,
+      "primaryName": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key/cryptoKeyVersions/68",
+      "primaryProtectionLevel": "SOFTWARE",
+      "primaryState": "ENABLED",
+      "protectionLevel": "SOFTWARE",
+      "purpose": "ENCRYPT_DECRYPT",
+      "rotationPeriod": 86401,
+      "webLink": "https://console.cloud.google.com/security/kms/key/manage/us/j1-gc-integration-dev-bucket-ring/projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key?project=j1-gc-integration-dev",
+    },
+  ],
+  "collectedRelationships": Array [
+    Object {
+      "_class": "HAS",
+      "_fromEntityKey": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
+      "_key": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring|has|projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key",
+      "_toEntityKey": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key",
+      "_type": "google_kms_key_ring_has_crypto_key",
+      "displayName": "HAS",
+    },
+  ],
+  "encounteredTypes": Array [
+    "google_kms_key_ring",
+    "google_kms_crypto_key",
+    "google_kms_key_ring_has_crypto_key",
+  ],
+  "numCollectedEntities": 3,
+  "numCollectedRelationships": 1,
+}
+`;
+
+exports[`#fetchKmsKeyRings should collect data 1`] = `
+Object {
+  "collectedEntities": Array [
+    Object {
+      "_class": Array [
+        "Vault",
+      ],
+      "_key": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
+      "_rawData": Array [
+        Object {
+          "name": "default",
+          "rawData": Object {
+            "createTime": "2020-07-28T18:34:26.034565002Z",
+            "name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
+          },
+        },
+      ],
+      "_type": "google_kms_key_ring",
+      "createdOn": 1595961266034,
+      "displayName": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
+      "location": "us",
+      "name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
+      "projectId": "j1-gc-integration-dev",
+      "shortName": "j1-gc-integration-dev-bucket-ring",
+      "webLink": "https://console.cloud.google.com/security/kms/keyring/manage/us/j1-gc-integration-dev-bucket-ring/key?project=j1-gc-integration-dev",
+    },
+    Object {
+      "_class": Array [
+        "Vault",
+      ],
+      "_key": "projects/j1-gc-integration-dev/locations/us/keyRings/j1dev-bucket-ring",
+      "_rawData": Array [
+        Object {
+          "name": "default",
+          "rawData": Object {
+            "createTime": "2020-07-28T18:30:53.453045041Z",
+            "name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1dev-bucket-ring",
+          },
+        },
+      ],
+      "_type": "google_kms_key_ring",
+      "createdOn": 1595961053453,
+      "displayName": "projects/j1-gc-integration-dev/locations/us/keyRings/j1dev-bucket-ring",
+      "location": "us",
+      "name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1dev-bucket-ring",
+      "projectId": "j1-gc-integration-dev",
+      "shortName": "j1dev-bucket-ring",
+      "webLink": "https://console.cloud.google.com/security/kms/keyring/manage/us/j1dev-bucket-ring/key?project=j1-gc-integration-dev",
+    },
+  ],
+  "collectedRelationships": Array [],
+  "encounteredTypes": Array [
+    "google_kms_key_ring",
+  ],
+  "numCollectedEntities": 2,
+  "numCollectedRelationships": 0,
+}
+`;