VPC SC #7: whitelist/blacklist for project<>perimeter combo (#220)

Author: charliewolf

policies/templates/gcp_vpc_sc_project_perimeter_v1.yaml

@@ -0,0 +1,101 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+apiVersion: templates.gatekeeper.sh/v1alpha1
+kind: ConstraintTemplate
+metadata:
+  name: gcp-vpc-sc-project-perimeter-v1
+spec:
+  crd:
+    spec:
+      names:
+        kind: GCPVPCSCProjectPerimeterConstraintV1
+        plural: gcpvpcscprojectperimeterconstraintsv1
+      validation:
+        openAPIV3Schema:
+          properties:
+            mode:
+              type: string
+              enum: [whitelist, blacklist]
+              description: "String identifying the operational mode,
+              whitelist or blacklist. In the whitelist mode, only perimeters
+              from the service_perimeters list will be allowed (all others
+              will raise a violation). In the blacklist mode, any service perimeter
+              not in the service_perimeters will not raise a violation."
+            service_perimeters:
+              type: array
+              items: string
+              description: "Array of service perimeters that will be allowed/denied (based on mode)
+              for this project."
+            project_id:
+              type: string
+              description: "The project ID you are matching"
+  targets:
+    validation.gcp.forsetisecurity.org:
+      rego: | #INLINE("validator/vpc_sc_project_perimeter.rego")
+             # Copyright 2019 Google LLC
+             #
+             # Licensed under the Apache License, Version 2.0 (the "License");
+             # you may not use this file except in compliance with the License.
+             # You may obtain a copy of the License at
+             #
+             #      http://www.apache.org/licenses/LICENSE-2.0
+             #
+             # Unless required by applicable law or agreed to in writing, software
+             # distributed under the License is distributed on an "AS IS" BASIS,
+             # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+             # See the License for the specific language governing permissions and
+             # limitations under the License.
+             #
+             
+             package templates.gcp.GCPVPCSCProjectPerimeterConstraintV1
+             
+             import data.validator.gcp.lib as lib
+             
+             deny[{
+             	"msg": message,
+             	"details": metadata,
+             }] {
+             	constraint := input.constraint
+             	asset := input.asset
+             
+             	asset.asset_type == "cloudresourcemanager.googleapis.com/Organization"
+             	lib.has_field(asset, "service_perimeter")
+             
+             	lib.get_constraint_params(constraint, params)
+             
+             	mode := params.mode
+             
+             	project_id := params.project_id
+             	service_perimeters := {p | p = params.service_perimeters[_]}
+             
+             	sprintf("projects/%v", [project_id]) == asset.service_perimeter.status.resources[_]
+             
+             	perimeter_is_forbidden(mode, asset.service_perimeter.title, service_perimeters)
+             
+             	message := sprintf("Project %v not allowed in service perimeter %v.", [project_id, asset.service_perimeter.name])
+             	metadata := {"resource": asset.name, "service_perimeter_name": asset.service_perimeter.name, "project_id": project_id}
+             }
+             
+             perimeter_is_forbidden(mode, evaluating_service_perimeter, specified_service_perimeters) {
+             	mode == "blacklist"
+             	evaluating_service_perimeter == specified_service_perimeters[_]
+             }
+             
+             perimeter_is_forbidden(mode, evaluating_service_perimeter, specified_service_perimeters) {
+             	mode == "whitelist"
+             	count(specified_service_perimeters) == count(specified_service_perimeters - {evaluating_service_perimeter})
+             }
+             #ENDINLINE

samples/vpc_sc_project_perimeter_blacklist.yaml

@@ -0,0 +1,28 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+apiVersion: constraints.gatekeeper.sh/v1alpha1
+kind: GCPVPCSCProjectPerimeterConstraintV1
+metadata:
+  name: vpc_sc_project_perimeter_blacklist
+spec:
+  severity: high
+  match:
+    gcp:
+      target: ["organization/*"]
+  parameters:
+    mode: blacklist
+    project_id: 179891054368
+    service_perimeters:
+      - Test Service Perimeter 1

samples/vpc_sc_project_perimeter_whitelist.yaml

@@ -0,0 +1,28 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+apiVersion: constraints.gatekeeper.sh/v1alpha1
+kind: GCPVPCSCProjectPerimeterConstraintV1
+metadata:
+  name: vpc_sc_project_perimeter_whitelist
+spec:
+  severity: high
+  match:
+    gcp:
+      target: ["organization/*"]
+  parameters:
+    mode: whitelist
+    project_id: 179891054368
+    service_perimeters:
+      - Test Service Perimeter 1

validator/test/fixtures/vpc_sc_project_perimeter/assets/data.json

@@ -0,0 +1,44 @@
+[
+    {
+        "name": "//cloudresourcemanager.googleapis.com/organizations/660570133860",
+        "asset_type": "cloudresourcemanager.googleapis.com/Organization",
+        "service_perimeter": {
+            "name": "accessPolicies/1008882730433/servicePerimeters/Test_Service_Perimeter_1",
+            "title": "Test Service Perimeter 1",
+            "status": {
+                "resources": ["projects/179891054368", "projects/179891054369"],
+                "access_levels": ["accessPolicies/1008882730433/accessLevels/abcd", "accessPolicies/1008882730433/accessLevels/efgh"],
+                "restricted_services": ["container.googleapis.com"]
+            }
+        },
+        "ancestors": ["organizations/660570133860"]
+    },
+    {
+        "name": "//cloudresourcemanager.googleapis.com/organizations/660570133860",
+        "asset_type": "cloudresourcemanager.googleapis.com/Organization",
+        "service_perimeter": {
+            "name": "accessPolicies/1008882730433/servicePerimeters/Test_Service_Perimeter_2",
+            "title": "Test Service Perimeter 2",
+            "status": {
+                "resources": ["projects/179891054368"],
+                "access_levels": ["accessPolicies/1008882730433/accessLevels/abcd", "accessPolicies/1008882730433/accessLevels/efgh"],
+                "restricted_services": ["container.googleapis.com"]
+            }
+        },
+        "ancestors": ["organizations/660570133860"]
+    },
+    {
+        "name": "//cloudresourcemanager.googleapis.com/organizations/660570133860",
+        "asset_type": "cloudresourcemanager.googleapis.com/Organization",
+        "service_perimeter": {
+            "name": "accessPolicies/1008882730433/servicePerimeters/Test_Service_Perimeter_3",
+            "title": "Test Service Perimeter 3",
+            "status": {
+                "resources": ["projects/179891054369"],
+                "access_levels": ["accessPolicies/1008882730433/accessLevels/abcd", "accessPolicies/1008882730433/accessLevels/efgh"],
+                "restricted_services": ["container.googleapis.com"]
+            }
+        },
+        "ancestors": ["organizations/660570133860"]
+    }
+]

validator/test/fixtures/vpc_sc_project_perimeter/constraints/blacklist/data.yaml

@@ -0,0 +1,28 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+apiVersion: constraints.gatekeeper.sh/v1alpha1
+kind: GCPVPCSCProjectPerimeterConstraintV1
+metadata:
+  name: vpc_sc_project_perimeter_blacklist
+spec:
+  severity: high
+  match:
+    gcp:
+      target: ["organization/*"]
+  parameters:
+    mode: blacklist
+    project_id: 179891054368
+    service_perimeters:
+      - Test Service Perimeter 1

validator/test/fixtures/vpc_sc_project_perimeter/constraints/whitelist/data.yaml

@@ -0,0 +1,28 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+apiVersion: constraints.gatekeeper.sh/v1alpha1
+kind: GCPVPCSCProjectPerimeterConstraintV1
+metadata:
+  name: vpc_sc_project_perimeter_whitelist
+spec:
+  severity: high
+  match:
+    gcp:
+      target: ["organization/*"]
+  parameters:
+    mode: whitelist
+    project_id: 179891054368
+    service_perimeters:
+      - Test Service Perimeter 1

validator/vpc_sc_project_perimeter.rego

@@ -0,0 +1,53 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package templates.gcp.GCPVPCSCProjectPerimeterConstraintV1
+
+import data.validator.gcp.lib as lib
+
+deny[{
+	"msg": message,
+	"details": metadata,
+}] {
+	constraint := input.constraint
+	asset := input.asset
+
+	asset.asset_type == "cloudresourcemanager.googleapis.com/Organization"
+	lib.has_field(asset, "service_perimeter")
+
+	lib.get_constraint_params(constraint, params)
+
+	mode := params.mode
+
+	project_id := params.project_id
+	service_perimeters := {p | p = params.service_perimeters[_]}
+
+	sprintf("projects/%v", [project_id]) == asset.service_perimeter.status.resources[_]
+
+	perimeter_is_forbidden(mode, asset.service_perimeter.title, service_perimeters)
+
+	message := sprintf("Project %v not allowed in service perimeter %v.", [project_id, asset.service_perimeter.name])
+	metadata := {"resource": asset.name, "service_perimeter_name": asset.service_perimeter.name, "project_id": project_id}
+}
+
+perimeter_is_forbidden(mode, evaluating_service_perimeter, specified_service_perimeters) {
+	mode == "blacklist"
+	evaluating_service_perimeter == specified_service_perimeters[_]
+}
+
+perimeter_is_forbidden(mode, evaluating_service_perimeter, specified_service_perimeters) {
+	mode == "whitelist"
+	count(specified_service_perimeters) == count(specified_service_perimeters - {evaluating_service_perimeter})
+}

validator/vpc_sc_project_perimeter_test.rego

@@ -0,0 +1,49 @@
+#
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package templates.gcp.GCPVPCSCProjectPerimeterConstraintV1
+
+import data.validator.gcp.lib as lib
+
+whitelist_violations[violation] {
+	resource := data.test.fixtures.vpc_sc_project_perimeter.assets[_]
+	constraint := data.test.fixtures.vpc_sc_project_perimeter.constraints.whitelist
+
+	issues := deny with input.asset as resource
+		 with input.constraint as constraint
+
+	violation := issues[_]
+}
+
+blacklist_violations[violation] {
+	resource := data.test.fixtures.vpc_sc_project_perimeter.assets[_]
+	constraint := data.test.fixtures.vpc_sc_project_perimeter.constraints.blacklist
+
+	issues := deny with input.asset as resource
+		 with input.constraint as constraint
+
+	violation := issues[_]
+}
+
+test_violations_whitelist {
+	violation_resources := {r | r = whitelist_violations[_].details.service_perimeter_name}
+	violation_resources == {"accessPolicies/1008882730433/servicePerimeters/Test_Service_Perimeter_2"}
+}
+
+test_violations_blacklist {
+	violation_resources := {r | r = blacklist_violations[_].details.service_perimeter_name}
+	violation_resources == {"accessPolicies/1008882730433/servicePerimeters/Test_Service_Perimeter_1"}
+}