feat: Add table googleworkspace_activity_report Closes (#88)

docs/index.md

@@ -58,8 +58,8 @@ steampipe plugin install googleworkspace
 
 | Item        | Description |
 | :---------- | :-----------|
-| APIs | 1. Go to the [Google API Console](https://console.cloud.google.com/apis/dashboard). <br/> 2. Select the project that contains your credentials. <br/> 3. Click `Enable APIs and Services`. <br/> 4. Enable: `Google Calendar API`, `Google Drive API`, `Gmail API`, `Google People API`.
-| Credentials | 1. To use **domain-wide delegation**, generate your [service account and credentials](https://developers.google.com/admin-sdk/directory/v1/guides/delegation#create_the_service_account_and_credentials) and [delegate domain-wide authority to your service account](https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account). Enter the following OAuth 2.0 scopes for the services that the service account can access:<br />`https://www.googleapis.com/auth/calendar.readonly`,<br />`https://www.googleapis.com/auth/contacts.readonly`,<br />`https://www.googleapis.com/auth/contacts.other.readonly`,<br />`https://www.googleapis.com/auth/directory.readonly`,<br />`https://www.googleapis.com/auth/drive.readonly`,<br />`https://www.googleapis.com/auth/gmail.readonly`<br />2. To use **OAuth client**, configure your [credentials](#authenticate-using-oauth-client). |
+| APIs | 1. Go to the [Google API Console](https://console.cloud.google.com/apis/dashboard). <br/> 2. Select the project that contains your credentials. <br/> 3. Click `Enable APIs and Services`. <br/> 4. Enable: `Google Calendar API`, `Google Drive API`, `Gmail API`, `Google People API`, `Google Admin SDK API`.
+| Credentials | 1. To use **domain-wide delegation**, generate your [service account and credentials](https://developers.google.com/admin-sdk/directory/v1/guides/delegation#create_the_service_account_and_credentials) and [delegate domain-wide authority to your service account](https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account). Enter the following OAuth 2.0 scopes for the services that the service account can access:<br />`https://www.googleapis.com/auth/admin.reports.audit.readonly`<br />`https://www.googleapis.com/auth/calendar.readonly`,<br />`https://www.googleapis.com/auth/contacts.readonly`,<br />`https://www.googleapis.com/auth/contacts.other.readonly`,<br />`https://www.googleapis.com/auth/directory.readonly`,<br />`https://www.googleapis.com/auth/drive.readonly`,<br />`https://www.googleapis.com/auth/gmail.readonly`<br />2. To use **OAuth client**, configure your [credentials](#authenticate-using-oauth-client). |
 | Radius      | Each connection represents a single Google Workspace account. |
 | Resolution  | 1. Credentials from the JSON file specified by the `credentials` parameter in your Steampipe config.<br />2. Credentials from the JSON file specified by the `token_path` parameter in your Steampipe config.<br />3. Credentials from the default json file location (`~/.config/gcloud/application_default_credentials.json`). |
 
@@ -107,6 +107,7 @@ You can use client secret credentials to protect the user's data by only grantin
   gcloud auth application-default login \
     --client-id-file=client_secret.json \
     --scopes="\
+  https://www.googleapis.com/auth/admin.reports.audit.readonly,\
   https://www.googleapis.com/auth/calendar.readonly,\
   https://www.googleapis.com/auth/contacts.other.readonly,\
   https://www.googleapis.com/auth/contacts.readonly,\

docs/tables/googleworkspace_activity_report.md

@@ -0,0 +1,179 @@
+---
+title: "Steampipe Table: googleworkspace_activity_report - Query Google Workspace Admin Reports Activity using SQL"
+description: "Allows users to query the Google Workspace Admin Reports API to retrieve detailed audit activity logs across various Google Workspace applications."
+---
+
+# Table: googleworkspace_activity_report - Query Google Workspace Admin Reports Activity using SQL
+
+Google Workspace Activity Report provides visibility into user and administrator activity across your Google Workspace environment. You can query activity data from various Workspace applications—such as Drive, Gmail, and Login—to monitor usage patterns, security events, and administrative actions.
+
+## Table Usage Guide
+
+The `googleworkspace_activity_report` table in Steampipe provides a unified interface to query the Google Workspace Admin Reports API. It surfaces detailed audit logs across all Workspace applications (Drive, Calendar, Keep, Admin console, and more). You can use this table to investigate user actions, system events, and security-related activities within your Workspace environment.
+
+**Important Notes**
+- You must `application_name` in a `where` clause in order to use this table ([List of all applications](https://developers.google.com/workspace/admin/reports/reference/rest/v1/activities/list?hl=fr#applicationname)).
+- You must have the [Admin Reports API scopes access](https://developers.google.com/workspace/admin/reports/auth#scopes) to use this table.
+- For improved performance, it is advised that you use the optional qual `time` to limit the result set to a specific time period.
+- This table supports optional quals. Queries with optional quals are optimised to use Activity filters. Optional quals are supported for the following columns:
+  - `actor_email`
+  - `ip_address`
+  - `event_name`
+
+## Examples
+
+### List all Google drive events in the last hour
+Retrieve audit events for Google Drive that occurred in the past hour.
+
+```sql+postgres
+select
+  time,
+  actor_email,
+  event_names,
+  param->>'value' as file_name,
+  ip_address,
+  events
+from
+  googleworkspace_activity_report as a
+  cross join lateral jsonb_array_elements(a.events) as evt
+  cross join lateral jsonb_array_elements(evt->'parameters') as param
+where
+  application_name = 'drive'
+  and param->>'name' = 'doc_title'
+  and time > now() - interval '1 hour';
+```
+
+```sql+sqlite
+select
+  time,
+  actor_email,
+  event_names,
+  param->>'value' as file_name,
+  ip_address,
+  events
+from
+  googleworkspace_activity_report as a
+  cross join lateral jsonb_array_elements(a.events) as evt
+  cross join lateral jsonb_array_elements(evt->'parameters') as param
+where
+  application_name = 'drive'
+  and param->>'name' = 'doc_title'
+  and time > datetime('now', '-1 hour');
+```
+
+### List all password changes performed by administrators on users
+Show all changes of password performed by administrators on users in the last month.
+
+```sql+postgres
+select
+  time,
+  actor_email,
+  event_names,
+  param->>'value' as user_email,
+  ip_address,
+  events
+from
+  googleworkspace_activity_report as a
+  cross join lateral jsonb_array_elements(a.events) as evt
+  cross join lateral jsonb_array_elements(evt->'parameters') as param
+where
+  application_name = 'admin'
+  and event_name = 'CHANGE_PASSWORD'
+  and param->>'name' = 'USER_EMAIL'
+  and time > now() - interval '1 month';
+```
+
+```sql+sqlite
+select
+  time,
+  actor_email,
+  event_names,
+  param->>'value' as user_email,
+  ip_address,
+  events
+from
+  googleworkspace_activity_report as a
+  cross join lateral jsonb_array_elements(a.events) as evt
+  cross join lateral jsonb_array_elements(evt->'parameters') as param
+where
+  application_name = 'admin'
+  and event_name = 'CHANGE_PASSWORD'
+  and param->>'name' = 'USER_EMAIL'
+  and time > datetime('now', '-1 month');
+```
+
+### Show login failures by specific user
+Show all failed login attempts by a specific user in the last week.
+
+```sql+postgres
+select
+  time,
+  event_names,
+  ip_address
+from
+  googleworkspace_activity_report
+where
+  application_name = 'login'
+  and actor_email = 'john@gmail.com'
+  and event_name = 'login_failure'
+  and time > now() - '1 week'::interval;
+```
+
+```sql+sqlite
+select
+  time,
+  event_names,
+  ip_address
+from
+  googleworkspace_activity_report
+where
+  application_name = 'login'
+  and actor_email = 'john@gmail.com'
+  and event_name = 'login_failure'
+  and time > datetime('now', '-1 week');
+```
+
+### Show all connections from a new device
+Identify all connections from a new device in the last week.
+
+```sql+postgres
+select
+  time,
+  actor_email,
+  event_names,
+  param1->>'value' as device_id,
+  param2->>'value' as device_model,
+  events
+from
+  googleworkspace_activity_report as a
+  cross join lateral jsonb_array_elements(a.events) as evt
+  cross join lateral jsonb_array_elements(evt->'parameters') as param1
+  cross join lateral jsonb_array_elements(evt->'parameters') as param2
+where
+  application_name = 'mobile'
+  and event_name = 'DEVICE_REGISTER_UNREGISTER_EVENT'
+  and param1->>'name' = 'DEVICE_ID'
+  and param2->>'name' = 'DEVICE_MODEL'
+  and time > now() - interval '1 day';
+```
+
+```sql+sqlite
+select
+  time,
+  actor_email,
+  event_names,
+  param1->>'value' as device_id,
+  param2->>'value' as device_model,
+  events
+from
+  googleworkspace_activity_report as a
+  cross join lateral jsonb_array_elements(a.events) as evt
+  cross join lateral jsonb_array_elements(evt->'parameters') as param1
+  cross join lateral jsonb_array_elements(evt->'parameters') as param2
+where
+  application_name = 'mobile'
+  and event_names = 'DEVICE_REGISTER_UNREGISTER_EVENT'
+  and param1->>'name' = 'DEVICE_ID'
+  and param2->>'name' = 'DEVICE_MODEL'
+  and time > datetime('now', '-1 day');
+```

googleworkspace/plugin.go

@@ -27,6 +27,7 @@ func Plugin(ctx context.Context) *plugin.Plugin {
 			NewInstance: ConfigInstance,
 		},
 		TableMap: map[string]*plugin.Table{
+			"googleworkspace_activity_report":         tableGoogleworkspaceActivityReport(ctx),
 			"googleworkspace_calendar":                tableGoogleWorkspaceCalendar(ctx),
 			"googleworkspace_calendar_event":          tableGoogleWorkspaceCalendarEvent(ctx),
 			"googleworkspace_calendar_my_event":       tableGoogleWorkspaceCalendarMyEvent(ctx),

googleworkspace/service.go

@@ -11,6 +11,7 @@ import (
 	"google.golang.org/api/gmail/v1"
 	"google.golang.org/api/option"
 	"google.golang.org/api/people/v1"
+	"google.golang.org/api/admin/reports/v1"
 
 	"github.com/turbot/steampipe-plugin-sdk/v5/plugin"
 )
@@ -115,6 +116,30 @@ func GmailService(ctx context.Context, d *plugin.QueryData) (*gmail.Service, err
 	return svc, nil
 }
 
+func ReportsService(ctx context.Context, d *plugin.QueryData) (*admin.Service, error) {
+	// have we already created and cached the service?
+    serviceCacheKey := "googleworkspace.reports"
+    if cached, ok := d.ConnectionManager.Cache.Get(serviceCacheKey); ok {
+        return cached.(*admin.Service), nil
+    }
+
+    // so it was not in cache - create service
+    opts, err := getSessionConfig(ctx, d)
+    if err != nil {
+        return nil, err
+    }
+
+    // Create service
+    svc, err := admin.NewService(ctx, opts...)
+    if err != nil {
+        return nil, err
+    }
+
+    // cache the service
+    d.ConnectionManager.Cache.Set(serviceCacheKey, svc)
+    return svc, nil
+}
+
 func getSessionConfig(ctx context.Context, d *plugin.QueryData) ([]option.ClientOption, error) {
 	opts := []option.ClientOption{}
 
@@ -199,6 +224,7 @@ func getTokenSource(ctx context.Context, d *plugin.QueryData) (oauth2.TokenSourc
 	// Authorize the request
 	config, err := google.JWTConfigFromJSON(
 		[]byte(credentialContent),
+		admin.AdminReportsAuditReadonlyScope,
 		calendar.CalendarReadonlyScope,
 		drive.DriveReadonlyScope,
 		gmail.GmailReadonlyScope,