This repository was archived by the owner on Jun 25, 2024. It is now read-only.

Support for ingesting KMS crypto key rings and crypto keys #31

Merged
merged 1 commit into from
Oct 5, 2020
3 changes: 3 additions & 0 deletions docs/jupiterone.md
Expand Up @@ -78,6 +78,8 @@ The following entities are created:
| IAM Service Account | `google_iam_service_account` | `User` |
| IAM Service Account Key | `google_iam_service_account_key` | `AccessKey` |
| IAM User | `google_user` | `User` |
| KMS Crypto Key | `google_kms_crypto_key` | `Key`, `CryptoKey` |
| KMS Key Ring | `google_kms_key_ring` | `Vault` |

### Relationships

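Review bot: the entity table rows give only class and type, not the properties users will query; the converter snapshot in this PR shows `protectionLevel`, `purpose`, `rotationPeriod`, `nextRotationTime` and `primaryState` on `google_kms_crypto_key`, which are exactly the fields needed to find keys with SOFTWARE protection or no rotation schedule, so consider listing them in docs/jupiterone.md next to the new entity row.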
Expand All @@ -94,6 +96,7 @@ The following relationships are created/mapped:
| `google_compute_subnetwork` | **HAS** | `google_compute_instance` |
| `google_iam_service_account` | **ASSIGNED** | `google_iam_role` |
| `google_iam_service_account` | **HAS** | `google_iam_service_account_key` |
| `google_kms_key_ring` | **HAS** | `google_kms_crypto_key` |
Contributor:
Is there any relationship that should be created between a higher-level account or service and google_kms_key_ring?

Contributor Author:
There is no relationship between service account and crypto key/ring. Service account keys are different. We have a google_iam_service_account_key for that. We should consider creating the relationship with the account, but I'll tackle this separately.

| `google_user` | **ASSIGNED** | `google_iam_role` |

<!--
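Review bot: the relationship table adds only `google_kms_key_ring` HAS `google_kms_crypto_key`, and the thread above defers a project-to-key-ring relationship; until that lands, note in the docs that the key ring entity carries a `projectId` property (see the converters snapshot in this PR) so a ring can still be attributed to its project, and open a tracking issue for the deferred relationship so it does not get lost.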
3 changes: 3 additions & 0 deletions src/getStepStartStates.ts
Expand Up @@ -20,6 +20,7 @@ import {
STEP_COMPUTE_SUBNETWORKS,
STEP_COMPUTE_FIREWALLS,
} from './steps/compute';
import { STEP_CLOUD_KMS_KEYS, STEP_CLOUD_KMS_KEY_RINGS } from './steps/kms';

async function getEnabledServiceNames(
config: IntegrationConfig,
Expand Down Expand Up @@ -101,5 +102,7 @@ export default async function getStepStartStates(
[STEP_COMPUTE_FIREWALLS]: createStepStartState(ServiceUsageName.COMPUTE),
[STEP_COMPUTE_SUBNETWORKS]: createStepStartState(ServiceUsageName.COMPUTE),
[STEP_COMPUTE_INSTANCES]: createStepStartState(ServiceUsageName.COMPUTE),
[STEP_CLOUD_KMS_KEY_RINGS]: createStepStartState(ServiceUsageName.KMS),
[STEP_CLOUD_KMS_KEYS]: createStepStartState(ServiceUsageName.KMS),
};
}
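Review bot: gating both `STEP_CLOUD_KMS_KEY_RINGS` and `STEP_CLOUD_KMS_KEYS` on `ServiceUsageName.KMS` is right, because the crypto keys step consumes key ring entities to build the HAS relationship (the `#fetchKmsCryptoKeys` snapshot collects the key rings first); a short comment here saying the keys step depends on the key rings step would make that pairing explicit for the next service added to this map.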
1 change: 1 addition & 0 deletions src/google-cloud/types.ts
Expand Up @@ -10,4 +10,5 @@ export enum ServiceUsageName {
IAM = 'iam.googleapis.com',
RESOURCE_MANAGER = 'cloudresourcemanager.googleapis.com',
COMPUTE = 'compute.googleapis.com',
KMS = 'cloudkms.googleapis.com',
}
7 changes: 7 additions & 0 deletions src/index.test.ts
Expand Up @@ -30,6 +30,7 @@ import {
STEP_COMPUTE_NETWORKS,
STEP_COMPUTE_SUBNETWORKS,
} from './steps/compute';
import { STEP_CLOUD_KMS_KEYS, STEP_CLOUD_KMS_KEY_RINGS } from './steps/kms';

interface ValidateInvocationInvalidConfigTestParams {
instanceConfig?: Partial<IntegrationConfig>;
Expand Down Expand Up @@ -124,6 +125,12 @@ describe('#getStepStartStates success', () => {
[STEP_COMPUTE_FIREWALLS]: {
disabled: false,
},
[STEP_CLOUD_KMS_KEY_RINGS]: {
disabled: false,
},
[STEP_CLOUD_KMS_KEYS]: {
disabled: false,
},
};

expect(stepStartStates).toEqual(expectedStepStartStates);
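Review bot: this test only covers the case where every service is enabled; since the new entries depend on `ServiceUsageName.KMS`, add a case where the KMS API is absent from the enabled service names returned by `getEnabledServiceNames` and assert that both `STEP_CLOUD_KMS_KEY_RINGS` and `STEP_CLOUD_KMS_KEYS` come back with `disabled: true`.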
2 changes: 2 additions & 0 deletions src/index.ts
Expand Up @@ -7,6 +7,7 @@ import { serviceUsageSteps } from './steps/service-usage';
import { iamSteps } from './steps/iam';
import { resourceManagerSteps } from './steps/resource-manager';
import { computeSteps } from './steps/compute';
import { kmsSteps } from './steps/kms';

export const invocationConfig: IntegrationInvocationConfig<IntegrationConfig> = {
instanceConfigFields: {
Expand All @@ -23,5 +24,6 @@ export const invocationConfig: IntegrationInvocationConfig<IntegrationConfig> =
...iamSteps,
...resourceManagerSteps,
...computeSteps,
...kmsSteps,
],
};
4,236 changes: 4,236 additions & 0 deletions src/steps/kms/__recordings__/fetchKmsCryptoKeys_2580116173/recording.har

Large diffs are not rendered by default.

3,880 changes: 3,880 additions & 0 deletions src/steps/kms/__recordings__/fetchKmsKeyRings_3543545506/recording.har

Large diffs are not rendered by default.
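Review bot: the two `recording.har` files capture full request and response exchanges with the Cloud KMS API and are not rendered here; before merging, confirm that `Authorization` headers, OAuth access tokens and any token-exchange responses have been redacted from both recordings, since anything left in them becomes a permanent part of the repository history.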

78 changes: 78 additions & 0 deletions src/steps/kms/__snapshots__/converters.test.ts.snap
@@ -0,0 +1,78 @@
// Jest Snapshot v1, https://goo.gl/fbAQLP

exports[`#createKmsCryptoKeyEntity should convert to entity 1`] = `
Object {
"_class": Array [
"Key",
"CryptoKey",
],
"_key": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key",
"_rawData": Array [
Object {
"name": "default",
"rawData": Object {
"createTime": "2020-07-28T18:59:59.513564921Z",
"name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key",
"nextRotationTime": "2020-10-04T19:01:14.428484Z",
"primary": Object {
"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
"createTime": "2020-10-03T19:01:13.428484662Z",
"generateTime": "2020-10-03T19:01:13.428484662Z",
"name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key/cryptoKeyVersions/68",
"protectionLevel": "SOFTWARE",
"state": "ENABLED",
},
"purpose": "ENCRYPT_DECRYPT",
"rotationPeriod": "86401s",
"versionTemplate": Object {
"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
"protectionLevel": "SOFTWARE",
},
},
},
],
"_type": "google_kms_crypto_key",
"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
"createdOn": 1595962799513,
"displayName": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key",
"keyUsage": "ENCRYPT_DECRYPT",
"name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key",
"nextRotationTime": 1601838074428,
"primaryAlgorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
"primaryCreateTime": 1601751673428,
"primaryGenerateTime": 1601751673428,
"primaryName": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key/cryptoKeyVersions/68",
"primaryProtectionLevel": "SOFTWARE",
"primaryState": "ENABLED",
"protectionLevel": "SOFTWARE",
"purpose": "ENCRYPT_DECRYPT",
"rotationPeriod": 86401,
"webLink": "https://console.cloud.google.com/security/kms/key/manage/us/j1-gc-integration-dev-bucket-ring/projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key?project=j1-gc-integration-dev",
}
`;

exports[`#createKmsKeyRingEntity should convert to entity 1`] = `
Object {
"_class": Array [
"Vault",
],
"_key": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
"_rawData": Array [
Object {
"name": "default",
"rawData": Object {
"createTime": "2020-07-28T18:34:26.034565002Z",
"name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
},
},
],
"_type": "google_kms_key_ring",
"createdOn": 1595961266034,
"displayName": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
"location": "us",
"name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
"projectId": "j1-gc-integration-dev",
"shortName": "j1-gc-integration-dev-bucket-ring",
"webLink": "https://console.cloud.google.com/security/kms/keyring/manage/us/j1-gc-integration-dev-bucket-ring/key?project=j1-gc-integration-dev",
}
`;
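Review bot: `rotationPeriod` is converted from the API's `"86401s"` string to the bare number `86401`, while `createdOn`, `nextRotationTime` and `primaryCreateTime` are epoch milliseconds, so the unit of `rotationPeriod` is not recoverable from the entity; either name it `rotationPeriodSeconds` or document the unit in the converter and docs, so queries that compare it against the timestamps do not mix seconds and milliseconds.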
178 changes: 178 additions & 0 deletions src/steps/kms/__snapshots__/index.test.ts.snap
@@ -0,0 +1,178 @@
// Jest Snapshot v1, https://goo.gl/fbAQLP

exports[`#fetchKmsCryptoKeys should collect data 1`] = `
Object {
"collectedEntities": Array [
Object {
"_class": Array [
"Vault",
],
"_key": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
"_rawData": Array [
Object {
"name": "default",
"rawData": Object {
"createTime": "2020-07-28T18:34:26.034565002Z",
"name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
},
},
],
"_type": "google_kms_key_ring",
"createdOn": 1595961266034,
"displayName": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
"location": "us",
"name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
"projectId": "j1-gc-integration-dev",
"shortName": "j1-gc-integration-dev-bucket-ring",
"webLink": "https://console.cloud.google.com/security/kms/keyring/manage/us/j1-gc-integration-dev-bucket-ring/key?project=j1-gc-integration-dev",
},
Object {
"_class": Array [
"Vault",
],
"_key": "projects/j1-gc-integration-dev/locations/us/keyRings/j1dev-bucket-ring",
"_rawData": Array [
Object {
"name": "default",
"rawData": Object {
"createTime": "2020-07-28T18:30:53.453045041Z",
"name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1dev-bucket-ring",
},
},
],
"_type": "google_kms_key_ring",
"createdOn": 1595961053453,
"displayName": "projects/j1-gc-integration-dev/locations/us/keyRings/j1dev-bucket-ring",
"location": "us",
"name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1dev-bucket-ring",
"projectId": "j1-gc-integration-dev",
"shortName": "j1dev-bucket-ring",
"webLink": "https://console.cloud.google.com/security/kms/keyring/manage/us/j1dev-bucket-ring/key?project=j1-gc-integration-dev",
},
Object {
"_class": Array [
"Key",
"CryptoKey",
],
"_key": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key",
"_rawData": Array [
Object {
"name": "default",
"rawData": Object {
"createTime": "2020-07-28T18:59:59.513564921Z",
"name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key",
"nextRotationTime": "2020-10-04T19:01:14.428484Z",
"primary": Object {
"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
"createTime": "2020-10-03T19:01:13.428484662Z",
"generateTime": "2020-10-03T19:01:13.428484662Z",
"name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key/cryptoKeyVersions/68",
"protectionLevel": "SOFTWARE",
"state": "ENABLED",
},
"purpose": "ENCRYPT_DECRYPT",
"rotationPeriod": "86401s",
"versionTemplate": Object {
"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
"protectionLevel": "SOFTWARE",
},
},
},
],
"_type": "google_kms_crypto_key",
"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
"createdOn": 1595962799513,
"displayName": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key",
"keyUsage": "ENCRYPT_DECRYPT",
"name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key",
"nextRotationTime": 1601838074428,
"primaryAlgorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
"primaryCreateTime": 1601751673428,
"primaryGenerateTime": 1601751673428,
"primaryName": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key/cryptoKeyVersions/68",
"primaryProtectionLevel": "SOFTWARE",
"primaryState": "ENABLED",
"protectionLevel": "SOFTWARE",
"purpose": "ENCRYPT_DECRYPT",
"rotationPeriod": 86401,
"webLink": "https://console.cloud.google.com/security/kms/key/manage/us/j1-gc-integration-dev-bucket-ring/projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key?project=j1-gc-integration-dev",
},
],
"collectedRelationships": Array [
Object {
"_class": "HAS",
"_fromEntityKey": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
"_key": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring|has|projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key",
"_toEntityKey": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring/cryptoKeys/j1-gc-integration-dev-bucket-key",
"_type": "google_kms_key_ring_has_crypto_key",
"displayName": "HAS",
},
],
"encounteredTypes": Array [
"google_kms_key_ring",
"google_kms_crypto_key",
"google_kms_key_ring_has_crypto_key",
],
"numCollectedEntities": 3,
"numCollectedRelationships": 1,
}
`;

exports[`#fetchKmsKeyRings should collect data 1`] = `
Object {
"collectedEntities": Array [
Object {
"_class": Array [
"Vault",
],
"_key": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
"_rawData": Array [
Object {
"name": "default",
"rawData": Object {
"createTime": "2020-07-28T18:34:26.034565002Z",
"name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
},
},
],
"_type": "google_kms_key_ring",
"createdOn": 1595961266034,
"displayName": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
"location": "us",
"name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1-gc-integration-dev-bucket-ring",
"projectId": "j1-gc-integration-dev",
"shortName": "j1-gc-integration-dev-bucket-ring",
"webLink": "https://console.cloud.google.com/security/kms/keyring/manage/us/j1-gc-integration-dev-bucket-ring/key?project=j1-gc-integration-dev",
},
Object {
"_class": Array [
"Vault",
],
"_key": "projects/j1-gc-integration-dev/locations/us/keyRings/j1dev-bucket-ring",
"_rawData": Array [
Object {
"name": "default",
"rawData": Object {
"createTime": "2020-07-28T18:30:53.453045041Z",
"name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1dev-bucket-ring",
},
},
],
"_type": "google_kms_key_ring",
"createdOn": 1595961053453,
"displayName": "projects/j1-gc-integration-dev/locations/us/keyRings/j1dev-bucket-ring",
"location": "us",
"name": "projects/j1-gc-integration-dev/locations/us/keyRings/j1dev-bucket-ring",
"projectId": "j1-gc-integration-dev",
"shortName": "j1dev-bucket-ring",
"webLink": "https://console.cloud.google.com/security/kms/keyring/manage/us/j1dev-bucket-ring/key?project=j1-gc-integration-dev",
},
],
"collectedRelationships": Array [],
"encounteredTypes": Array [
"google_kms_key_ring",
],
"numCollectedEntities": 2,
"numCollectedRelationships": 0,
}
`;
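Review bot: the `#fetchKmsCryptoKeys` snapshot shows one crypto key under `j1-gc-integration-dev-bucket-ring` and none under `j1dev-bucket-ring`, so the empty-ring path is exercised, but the only recorded key is `ENABLED` with `SOFTWARE` protection; a fixture whose primary version is disabled, or whose `versionTemplate` uses a different protection level, would confirm that `primaryState` and `protectionLevel` are mapped from the API response rather than coincidentally matching a default.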