Merge pull request #168 from BrunoReboul/bruno/sql_maintenance_day_hour

Bruno/sql maintenance hour and exemption

Author: AdrienWalkowiak

policies/templates/gcp_sql_maintenance_window_v1.yaml

@@ -24,7 +24,17 @@ spec:
         plural: gcpsqlmaintenancewindowconstraintsv1
       validation:
         openAPIV3Schema:
-          properties: {}
+          properties:
+            hours:
+              type: array
+              items: number
+              description: "Array of UTC hours when the maintenance window is authorised. Example night hours
+              Optional, when not specified any hour is authorized from 0 to 23"
+            exemptions:
+              type: array
+              items: string
+              description: "Array of Cloud SQL instances to exempt from maintenance window restriction. String values in the array
+              should correspond to the full name values of exempted Cloud SQL instances. Optional"
   targets:
     validation.gcp.forsetisecurity.org:
       rego: | #INLINE("validator/sql_maintenance_window.rego")
@@ -42,29 +52,56 @@ spec:
         # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
         # See the License for the specific language governing permissions and
         # limitations under the License.
-        #
+        # 
         
         package templates.gcp.GCPSQLMaintenanceWindowConstraintV1
         
         import data.validator.gcp.lib as lib
         
+        # A violation is generated only when the rule body evaluates to true.
         deny[{
         	"msg": message,
         	"details": metadata,
         }] {
+        	# by default any hour accepted
+        	default_hours := {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23}
+        	spec := lib.get_default(input.constraint, "spec", "")
+        	parameters := lib.get_default(spec, "parameters", "")
+        	maintenance_window_hours := lib.get_default(parameters, "hours", default_hours)
+        	desired_maintenance_window_hours := get_default_when_empty(maintenance_window_hours, default_hours)
+        	exempt_list := lib.get_default(parameters, "exemptions", [])
+        
         	# Verify that resource is Cloud SQL instance and is not a first gen
         	# Maintenance window is supported only on 2nd generation instances
         	asset := input.asset
         	asset.asset_type == "sqladmin.googleapis.com/Instance"
         	asset.resource.data.backendType != "FIRST_GEN"
         
-        	# get the maintenance window object
-        	maintenance_window := lib.get_default(asset.resource.data.settings, "maintenanceWindow", {})
+        	# Check if resource is in exempt list
+        	matches := {asset.name} & cast_set(exempt_list)
+        	count(matches) == 0
         
-        	# non compliant when not found
-        	maintenance_window == {}
+        	# get instance settings
+        	settings := lib.get_default(asset.resource.data, "settings", {})
+        	instance_maintenance_window := lib.get_default(settings, "maintenanceWindow", {})
+        	instance_maintenance_window_hour := lib.get_default(instance_maintenance_window, "hour", "")
         
-        	message := sprintf("%v missing maintenance window.", [asset.name])
+        	# check compliance
+        	hour_matches := {instance_maintenance_window_hour} & cast_set(desired_maintenance_window_hours)
+        	count(hour_matches) == 0
+        
+        	message := sprintf("%v missing or incorrect maintenance window. Hour: '%v'", [asset.name, instance_maintenance_window_hour])
         	metadata := {"resource": asset.name}
         }
+        
+        # Rule utilities
+        get_default_when_empty(value, default_value) = output {
+        	count(value) != 0
+        	output := value
+        }
+        
+        get_default_when_empty(value, default_value) = output {
+        	count(value) == 0
+        	output := default_value
+        }
         #ENDINLINE

validator/sql_maintenance_window.rego

@@ -12,28 +12,55 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#
+# 
 
 package templates.gcp.GCPSQLMaintenanceWindowConstraintV1
 
 import data.validator.gcp.lib as lib
 
+# A violation is generated only when the rule body evaluates to true.
 deny[{
 	"msg": message,
 	"details": metadata,
 }] {
+	# by default any hour accepted
+	default_hours := {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23}
+	spec := lib.get_default(input.constraint, "spec", "")
+	parameters := lib.get_default(spec, "parameters", "")
+	maintenance_window_hours := lib.get_default(parameters, "hours", default_hours)
+	desired_maintenance_window_hours := get_default_when_empty(maintenance_window_hours, default_hours)
+	exempt_list := lib.get_default(parameters, "exemptions", [])
+
 	# Verify that resource is Cloud SQL instance and is not a first gen
 	# Maintenance window is supported only on 2nd generation instances
 	asset := input.asset
 	asset.asset_type == "sqladmin.googleapis.com/Instance"
 	asset.resource.data.backendType != "FIRST_GEN"
 
-	# get the maintenance window object
-	maintenance_window := lib.get_default(asset.resource.data.settings, "maintenanceWindow", {})
+	# Check if resource is in exempt list
+	matches := {asset.name} & cast_set(exempt_list)
+	count(matches) == 0
 
-	# non compliant when not found
-	maintenance_window == {}
+	# get instance settings
+	settings := lib.get_default(asset.resource.data, "settings", {})
+	instance_maintenance_window := lib.get_default(settings, "maintenanceWindow", {})
+	instance_maintenance_window_hour := lib.get_default(instance_maintenance_window, "hour", "")
 
-	message := sprintf("%v missing maintenance window.", [asset.name])
+	# check compliance
+	hour_matches := {instance_maintenance_window_hour} & cast_set(desired_maintenance_window_hours)
+	count(hour_matches) == 0
+
+	message := sprintf("%v missing or incorrect maintenance window. Hour: '%v'", [asset.name, instance_maintenance_window_hour])
 	metadata := {"resource": asset.name}
 }
+
+# Rule utilities
+get_default_when_empty(value, default_value) = output {
+	count(value) != 0
+	output := value
+}
+
+get_default_when_empty(value, default_value) = output {
+	count(value) == 0
+	output := default_value
+}

validator/sql_maintenance_window_test.rego

@@ -16,23 +16,86 @@
 
 package templates.gcp.GCPSQLMaintenanceWindowConstraintV1
 
-all_violations[violation] {
-	resource := data.test.fixtures.sql_maintenance_window.assets[_]
-	constraint := data.test.fixtures.sql_maintenance_window.constraints
-
-	issues := deny with input.asset as resource
+import data.test.fixtures.sql_maintenance_window.assets as fixture_assets
+import data.test.fixtures.sql_maintenance_window.constraints as fixture_constraints
 
+find_violations[violation] {
+	asset := data.test_assets[_]
+	constraint := data.test_constraints[_]
+	issues := deny with input.asset as asset with input.constraint as constraint
 	violation := issues[_]
 }
 
-# Confirm total violations count
-test_sql_maintenance_window_violations_count {
-	count(all_violations) == 2
+# without parameters the constraint should still detect sql instances without maintenance window
+no_parameter[violation] {
+	constraints := [fixture_constraints.no_parameter]
+	found_violations := find_violations with data.test_assets as fixture_assets
+		 with data.test_constraints as constraints
+
+	violation := found_violations[_]
 }
 
-test_sql_maintenance_window_violations_basic {
-	found_violations := all_violations
+test_no_parameter_count {
+	count(no_parameter) == 2
+}
 
+test_no_parameter_list {
+	found_violations := no_parameter
 	found_violations[_].details.resource == "//cloudsql.googleapis.com/projects/brunore-db-test/instances/mysqlv2-nomaintenance"
 	found_violations[_].details.resource == "//cloudsql.googleapis.com/projects/brunore-db-test/instances/postgres-nomaintenance"
 }
+
+# with an empty hours field the constraint should detect sql insta nceswithout maintenance window
+no_hour[violation] {
+	constraints := [fixture_constraints.no_hour]
+	found_violations := find_violations with data.test_assets as fixture_assets
+		 with data.test_constraints as constraints
+
+	violation := found_violations[_]
+}
+
+test_no_hour_count {
+	count(no_hour) == 2
+}
+
+test_no_hour_list {
+	found_violations := no_hour
+	found_violations[_].details.resource == "//cloudsql.googleapis.com/projects/brunore-db-test/instances/mysqlv2-nomaintenance"
+	found_violations[_].details.resource == "//cloudsql.googleapis.com/projects/brunore-db-test/instances/postgres-nomaintenance"
+}
+
+specific_hours[violation] {
+	constraints := [fixture_constraints.specific_hours]
+	found_violations := find_violations with data.test_assets as fixture_assets
+		 with data.test_constraints as constraints
+
+	violation := found_violations[_]
+}
+
+test_specific_hours_count {
+	count(specific_hours) == 3
+}
+
+test_specific_hours_list {
+	found_violations := specific_hours
+	found_violations[_].details.resource == "//cloudsql.googleapis.com/projects/brunore-db-test/instances/mysqlv2-nomaintenance"
+	found_violations[_].details.resource == "//cloudsql.googleapis.com/projects/brunore-db-test/instances/postgres-nomaintenance"
+	found_violations[_].details.resource == "//cloudsql.googleapis.com/projects/brunore-cai-test/instances/brunore-mon-3pm"
+}
+
+exemption[violation] {
+	constraints := [fixture_constraints.exemption]
+	found_violations := find_violations with data.test_assets as fixture_assets
+		 with data.test_constraints as constraints
+
+	violation := found_violations[_]
+}
+
+test_exemption_count {
+	count(exemption) == 1
+}
+
+test_exemption_list {
+	found_violations := exemption
+	found_violations[_].details.resource == "//cloudsql.googleapis.com/projects/brunore-db-test/instances/postgres-nomaintenance"
+}

validator/test/fixtures/sql_maintenance_window/constraints/exemption/data.yaml

@@ -0,0 +1,29 @@
+#
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+apiVersion: constraints.gatekeeper.sh/v1alpha1
+kind: GCPSQLMaintenanceWindowConstraintV1
+metadata:
+  name: sql-maintenance-window-test-instance-exemptions
+spec:
+  severity: high
+  match:
+    target: ["organization/*"]
+  parameters:
+    hours: []
+    exemptions:
+      - //cloudsql.googleapis.com/projects/brunore-db-test/instances/mysqlv2-nomaintenance
+    

…maintenance_window/constraints/data.yaml …nce_window/constraints/no_hour/data.yamlvalidator/test/fixtures/sql_maintenance_window/constraints/data.yaml renamed to validator/test/fixtures/sql_maintenance_window/constraints/no_hour/data.yaml validator/test/fixtures/sql_maintenance_window/constraints/data.yaml renamed to validator/test/fixtures/sql_maintenance_window/constraints/no_hour/data.yaml

@@ -17,8 +17,12 @@
 apiVersion: constraints.gatekeeper.sh/v1alpha1
 kind: GCPSQLMaintenanceWindowConstraintV1
 metadata:
-  name: gcp-sql-maintenance-window-v1
+  name: sql-maintenance-window-test-empty-hour-parameter
 spec:
   severity: high
   match:
     target: ["organization/*"]
+  parameters:
+    hours: []
+    exemptions: []
+    

validator/test/fixtures/sql_maintenance_window/constraints/no_parameter/data.yaml

@@ -0,0 +1,25 @@
+#
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+apiVersion: constraints.gatekeeper.sh/v1alpha1
+kind: GCPSQLMaintenanceWindowConstraintV1
+metadata:
+  name: sql-maintenance-window-test-missing-parameters-object # this ensure no breaking change with the previous version
+spec:
+  severity: high
+  match:
+    target: ["organization/*"]
+    

validator/test/fixtures/sql_maintenance_window/constraints/specific_hours/data.yaml

@@ -0,0 +1,38 @@
+#
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+apiVersion: constraints.gatekeeper.sh/v1alpha1
+kind: GCPSQLMaintenanceWindowConstraintV1
+metadata:
+  name: sql-maintenance-window-test-authorized-maintenance-hours
+spec:
+  severity: high
+  match:
+    target: ["organization/*"]
+  parameters:
+    hours: # UTC time, 
+      - 20
+      - 21
+      - 22
+      - 23
+      - 0
+      - 1
+      - 2
+      - 3
+      - 4
+      - 5
+    exemptions: []
+