Merge pull request #24 from cloudgraphdev/alpha

tyler-dunkel · web-flow · commit 20536dcc3deb · 2022-12-28T09:45:51.000-06:00
Beta release
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,19 @@
+# [0.37.0-alpha.1](https://github.com/cloudgraphdev/cloudgraph-provider-gcp/compare/0.36.0...0.37.0-alpha.1) (2022-12-28)
+
+
+### Features
+
+* **CG-1320:** add gcp access approval service support ([65b8852](https://github.com/cloudgraphdev/cloudgraph-provider-gcp/commit/65b8852463220f902dc65ced2c8b0f798593bda6))
+
+# [0.36.0](https://github.com/cloudgraphdev/cloudgraph-provider-gcp/compare/0.35.1...0.36.0) (2022-12-12)
+
+
+### Features
+
+* **CG-1312:** add essential contacts ([305da4f](https://github.com/cloudgraphdev/cloudgraph-provider-gcp/commit/305da4fa52a319b36a07a141dae2eb1a5572079e))
+* **CG-1312:** remove a debug text ([4bc8b5b](https://github.com/cloudgraphdev/cloudgraph-provider-gcp/commit/4bc8b5bfad7702945d5fe6e8891c53d64c7337a4))
+* **CG-1312:** update fetch data and README ([07d58db](https://github.com/cloudgraphdev/cloudgraph-provider-gcp/commit/07d58db8db3a1e55aaf18a4fd55959170b8012fa))
+
 # [0.36.0-beta.1](https://github.com/cloudgraphdev/cloudgraph-provider-gcp/compare/0.35.1...0.36.0-beta.1) (2022-12-12)
 
 
diff --git a/README.md b/README.md
@@ -64,6 +64,7 @@ CloudGraph GCP Provider will ask you what regions you would like to crawl and wi
 
 | Service                               | Relations                                                                                                                           |
 | ------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| accessApproval                        | project                                                                                                                             |
 | aiPlatformNotebooks                   | project, kmsCryptoKeys, network, subnet                                                                                             |
 | alertPolicy                           | project                                                                                                                             |
 | apiGatewayGateways                    | project, apiGatewayApis, apiGatewayApiConfigs                                                                                       |
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@cloudgraph/cg-provider-gcp",
-  "version": "0.36.0-beta.1",
+  "version": "0.37.0-alpha.1",
   "description": "CloudGraph provider plugin for GCP used to fetch GCP cloud data.",
   "publishConfig": {
     "registry": "https://registry.npmjs.org/",
@@ -32,6 +32,7 @@
   },
   "dependencies": {
     "@cloudgraph/sdk": "0.22.1",
+    "@google-cloud/access-approval": "^2.1.2",
     "@google-cloud/api-gateway": "^1.2.1",
     "@google-cloud/asset": "^3.22.0",
     "@google-cloud/bigquery": "^5.10.0",
diff --git a/src/enums/schemasMap.ts b/src/enums/schemasMap.ts
@@ -54,5 +54,6 @@ export default {
   [services.apiGatewayApiConfig]: 'gcpApiGatewayApiConfig',
   [services.firestoreDatabase]: 'gcpFirestoreDatabase',
   [services.essentialContacts]: 'gcpEssentialContact',
+  [services.accessApproval]: 'gcpAccessApproval',
   tag: 'gcpTag',
 }
diff --git a/src/enums/serviceMap.ts b/src/enums/serviceMap.ts
@@ -51,6 +51,7 @@ import GcpLabel from '../services/label'
 import GcpTag from '../services/tag'
 import GcpBilling from '../services/billing'
 import GcpEssentialContacts from '../services/essentialContacts'
+import GcpAccessApproval from '../services/accessApproval'
 
 /**
  * serviceMap is an object that contains all currently supported services
@@ -107,6 +108,7 @@ export default {
   [services.apiGatewayApiConfig]: GcpApiGatewayApiConfig,
   [services.firestoreDatabase]: GcpFirestoreDatabase,
   [services.essentialContacts]: GcpEssentialContacts,
+  [services.accessApproval]: GcpAccessApproval,
   label: GcpLabel,
   tag: GcpTag,
 }
diff --git a/src/enums/services.ts b/src/enums/services.ts
@@ -55,7 +55,7 @@ export default {
   // spanner: 'spanner',
   // activeDirectory: 'active-directory',
   // identity: 'identity',
-  // accessApproval: 'access-approval',
+  accessApproval: 'accessApproval',
   // accessContextManager: 'access-context-manager',
   // auth: 'auth',
   folder: 'folder',
diff --git a/src/services/accessApproval/data.ts b/src/services/accessApproval/data.ts
@@ -0,0 +1,55 @@
+import { AccessApprovalClient } from '@google-cloud/access-approval'
+import { google } from '@google-cloud/access-approval/build/protos/protos'
+import CloudGraph from '@cloudgraph/sdk'
+import groupBy from 'lodash/groupBy'
+import gcpLoggerText from '../../properties/logger'
+import { GcpServiceInput } from '../../types'
+import { initTestEndpoint, generateGcpErrorLog } from '../../utils'
+import { GLOBAL_REGION } from '../../config/constants'
+
+const lt = { ...gcpLoggerText }
+const { logger } = CloudGraph
+const serviceName = 'AccessApproval'
+const apiEndpoint = initTestEndpoint(serviceName)
+
+export interface RawGcpAccessApproval extends google.cloud.accessapproval.v1.IApprovalRequest {
+  id: string
+  projectId: string
+  region: string
+}
+
+export default async ({
+  config,
+}: GcpServiceInput): Promise<{
+  [region: string]: RawGcpAccessApproval[]
+}> =>
+  new Promise(async resolve => {
+    const accessApprovalList: RawGcpAccessApproval[] = []
+    const { projectId } = config
+
+    /**
+     * Get all EssentialContacts
+     */
+    try {
+      const accessApprovalClient = new AccessApprovalClient({ ...config, apiEndpoint });
+      const iterable = accessApprovalClient.listApprovalRequestsAsync({
+        parent: `projects/${projectId}`,
+      })
+
+      for await (const response of iterable) {
+        if (response) {
+          accessApprovalList.push({
+            id: response.name,
+            projectId,
+            region: GLOBAL_REGION,
+            ...response,
+          })
+        }
+      }
+    } catch (error) {
+      generateGcpErrorLog(serviceName, 'accessApproval:listApprovalRequestsAsync', error)
+    }
+    
+    logger.debug(lt.foundResources(serviceName, accessApprovalList.length))
+    resolve(groupBy(accessApprovalList, 'region'))
+  })
diff --git a/src/services/accessApproval/format.ts b/src/services/accessApproval/format.ts
@@ -0,0 +1,63 @@
+import { google } from '@google-cloud/access-approval/build/protos/protos'
+import { GcpAccessApproval } from '../../types/generated'
+import { RawGcpAccessApproval } from './data'
+import { toISOString } from '../../utils/dateutils'
+import { enumKeyToString } from '../../utils/format'
+
+export default ({
+  service,
+}: {
+  service: RawGcpAccessApproval
+  region: string
+}): GcpAccessApproval => {
+  const {
+    id,
+    projectId,
+    region,
+    name,
+    requestedResourceName,
+    requestedResourceProperties,
+    requestedReason,
+    requestedLocations,
+    requestTime,
+    requestedExpiration,
+    approve,
+    dismiss,
+  } = service
+
+  return {
+    id,
+    projectId,
+    region,
+    name,
+    requestedResourceName,
+    requestedResourceProperties: {
+      excludesDescendants: requestedResourceProperties?.excludesDescendants,
+    },
+    requestedReason: {
+      type: enumKeyToString(google.cloud.accessapproval.v1.AccessReason.Type, requestedReason?.type),
+      detail: requestedReason?.detail,
+    },
+    requestedLocations: {
+      principalOfficeCountry: requestedLocations?.principalOfficeCountry,
+      principalPhysicalLocationCountry: requestedLocations?.principalPhysicalLocationCountry,
+    },
+    requestTime: toISOString(requestTime?.seconds?.toString()),
+    requestedExpiration: toISOString(requestedExpiration?.seconds?.toString()),
+    approve: {
+      approveTime: toISOString(approve.approveTime?.seconds?.toString()),
+      expireTime: toISOString(approve.expireTime?.seconds?.toString()),
+      invalidateTime: toISOString(approve.invalidateTime?.seconds?.toString()),
+      signatureInfo: {
+        signature: approve?.signatureInfo?.signature ? String.fromCharCode.apply(approve?.signatureInfo?.signature) : '',
+        googlePublicKeyPem: approve?.signatureInfo?.googlePublicKeyPem,
+        customerKmsKeyVersion: approve?.signatureInfo?.customerKmsKeyVersion,
+      },
+      autoApproved: approve?.autoApproved,
+    },
+    dismiss: {
+      dismissTime: toISOString(dismiss.dismissTime?.seconds?.toString()),
+      implicit: dismiss.implicit,
+    },
+  }
+}
diff --git a/src/services/accessApproval/index.ts b/src/services/accessApproval/index.ts
@@ -0,0 +1,13 @@
+import { Service } from '@cloudgraph/sdk'
+import BaseService from '../base'
+import format from './format'
+import getData from './data'
+import mutation from './mutation'
+
+export default class GcpAccessApproval extends BaseService implements Service {
+  format = format.bind(this)
+
+  getData = getData.bind(this)
+
+  mutation = mutation
+}
diff --git a/src/services/accessApproval/mutation.ts b/src/services/accessApproval/mutation.ts
@@ -0,0 +1,5 @@
+export default `mutation($input: [AddgcpAccessApprovalInput!]!) {
+  addgcpAccessApproval(input: $input, upsert: true) {
+    numUids
+  }
+}`;
diff --git a/src/services/accessApproval/schema.graphql b/src/services/accessApproval/schema.graphql
@@ -0,0 +1,81 @@
+type gcpAccessApprovalRequestedResourceProperties
+  @generate(
+    query: { get: false, query: true, aggregate: false }
+    mutation: { add: false, delete: false }
+    subscription: false
+  ) {
+    excludesDescendants: Boolean @search
+  }
+
+type gcpAccessApprovalRequestedReason
+  @generate(
+    query: { get: false, query: true, aggregate: false }
+    mutation: { add: false, delete: false }
+    subscription: false
+  ) {
+    type: String @search(by: [hash, regexp])
+    detail: String @search(by: [hash, regexp])
+  }
+
+type gcpAccessApprovalRequestedLocations
+  @generate(
+    query: { get: false, query: true, aggregate: false }
+    mutation: { add: false, delete: false }
+    subscription: false
+  ) {
+    principalOfficeCountry: String @search(by: [hash, regexp])
+    principalPhysicalLocationCountry: String @search(by: [hash, regexp])
+  }
+
+type gcpAccessApprovalApproveSignatureInfo
+  @generate(
+    query: { get: false, query: true, aggregate: false }
+    mutation: { add: false, delete: false }
+    subscription: false
+  ) {
+    signature: String @search(by: [hash, regexp])
+    googlePublicKeyPem: String @search(by: [hash, regexp])
+    customerKmsKeyVersion: String @search(by: [hash, regexp])
+  }
+
+type gcpAccessApprovalApprove
+  @generate(
+    query: { get: false, query: true, aggregate: false }
+    mutation: { add: false, delete: false }
+    subscription: false
+  ) {
+    approveTime: String @search(by: [hash, regexp])
+    expireTime: String @search(by: [hash, regexp])
+    invalidateTime: String @search(by: [hash, regexp])
+    signatureInfo: gcpAccessApprovalApproveSignatureInfo
+    autoApproved: Boolean @search
+  }
+
+type gcpAccessApprovalDismiss
+  @generate(
+    query: { get: false, query: true, aggregate: false }
+    mutation: { add: false, delete: false }
+    subscription: false
+  ) {
+    dismissTime: String @search(by: [hash, regexp])
+    implicit: Boolean @search
+  }
+
+type gcpAccessApproval implements gcpBaseResource
+  @generate(
+    query: { get: true, query: true, aggregate: true }
+    mutation: { add: true, delete: false }
+    subscription: false
+  )
+  @key(fields: "id") {
+    name: String @search(by: [hash, regexp])
+    requestedResourceName: String @search(by: [hash, regexp])
+    requestedResourceProperties: gcpAccessApprovalRequestedResourceProperties
+    requestedReason: gcpAccessApprovalRequestedReason
+    requestedLocations: gcpAccessApprovalRequestedLocations
+    requestTime: String @search(by: [hash, regexp])
+    requestedExpiration: String @search(by: [hash, regexp])
+    approve: gcpAccessApprovalApprove
+    dismiss: gcpAccessApprovalDismiss
+    project: [gcpProject] @hasInverse(field: accessApprovals)
+  }
diff --git a/src/services/project/schema.graphql b/src/services/project/schema.graphql
@@ -62,4 +62,5 @@ type gcpProject @key(fields: "id") {
   apiGatewayApiConfigs: [gcpApiGatewayApiConfig] @hasInverse(field: project)
   firestoreDatabases: [gcpFirestoreDatabase] @hasInverse(field: project)
   essentialContacts: [gcpEssentialContact] @hasInverse(field: project)
+  accessApprovals: [gcpAccessApproval] @hasInverse(field: project)
 }
diff --git a/src/types/generated.ts b/src/types/generated.ts
@@ -18,6 +18,52 @@ export type GcpAcceleratorConfig = {
   id: Scalars['String'];
 };
 
+export type GcpAccessApproval = GcpBaseResource & {
+  approve?: Maybe<GcpAccessApprovalApprove>;
+  dismiss?: Maybe<GcpAccessApprovalDismiss>;
+  name?: Maybe<Scalars['String']>;
+  project?: Maybe<Array<Maybe<GcpProject>>>;
+  requestTime?: Maybe<Scalars['String']>;
+  requestedExpiration?: Maybe<Scalars['String']>;
+  requestedLocations?: Maybe<GcpAccessApprovalRequestedLocations>;
+  requestedReason?: Maybe<GcpAccessApprovalRequestedReason>;
+  requestedResourceName?: Maybe<Scalars['String']>;
+  requestedResourceProperties?: Maybe<GcpAccessApprovalRequestedResourceProperties>;
+};
+
+export type GcpAccessApprovalApprove = {
+  approveTime?: Maybe<Scalars['String']>;
+  autoApproved?: Maybe<Scalars['Boolean']>;
+  expireTime?: Maybe<Scalars['String']>;
+  invalidateTime?: Maybe<Scalars['String']>;
+  signatureInfo?: Maybe<GcpAccessApprovalApproveSignatureInfo>;
+};
+
+export type GcpAccessApprovalApproveSignatureInfo = {
+  customerKmsKeyVersion?: Maybe<Scalars['String']>;
+  googlePublicKeyPem?: Maybe<Scalars['String']>;
+  signature?: Maybe<Scalars['String']>;
+};
+
+export type GcpAccessApprovalDismiss = {
+  dismissTime?: Maybe<Scalars['String']>;
+  implicit?: Maybe<Scalars['Boolean']>;
+};
+
+export type GcpAccessApprovalRequestedLocations = {
+  principalOfficeCountry?: Maybe<Scalars['String']>;
+  principalPhysicalLocationCountry?: Maybe<Scalars['String']>;
+};
+
+export type GcpAccessApprovalRequestedReason = {
+  detail?: Maybe<Scalars['String']>;
+  type?: Maybe<Scalars['String']>;
+};
+
+export type GcpAccessApprovalRequestedResourceProperties = {
+  excludesDescendants?: Maybe<Scalars['Boolean']>;
+};
+
 export type GcpAdvancedMachineFeatures = {
   enableNestedVirtualization?: Maybe<Scalars['Boolean']>;
   threadsPerCore?: Maybe<Scalars['Int']>;
@@ -2204,6 +2250,7 @@ export type GcpOrganization = GcpBaseResource & {
 };
 
 export type GcpProject = {
+  accessApprovals?: Maybe<Array<Maybe<GcpAccessApproval>>>;
   aiPlatformNotebooks?: Maybe<Array<Maybe<GcpAiPlatformNotebook>>>;
   alertPolicies?: Maybe<Array<Maybe<GcpAlertPolicy>>>;
   apiGatewayApiConfigs?: Maybe<Array<Maybe<GcpApiGatewayApiConfig>>>;
diff --git a/yarn.lock b/yarn.lock
@@ -645,6 +645,13 @@
   resolved "https://registry.yarnpkg.com/@gar/promisify/-/promisify-1.1.3.tgz#555193ab2e3bb3b6adc3d551c9c030d9e860daf6"
   integrity sha512-k2Ty1JcVojjJFwrg/ThKi2ujJ7XNLYaFGNB/bWT9wGR+oSMJHMa5w+CUq6p/pVrKeNNgA7pCqEcjSnHVoqJQFw==
 
+"@google-cloud/access-approval@^2.1.2":
+  version "2.1.2"
+  resolved "https://registry.yarnpkg.com/@google-cloud/access-approval/-/access-approval-2.1.2.tgz#c0edc2c08f3a4943d0896654249763d48cf7d47d"
+  integrity sha512-9npC5KZP98uB/MRgMM7aNRZvfXHUwD1oAi6NgClJAiP17bz7yTUYUYK/6VU4oS8M2rQ+u5onOUK+EwPZulaF0A==
+  dependencies:
+    google-gax "^3.5.2"
+
 "@google-cloud/api-gateway@^1.2.1":
   version "1.2.1"
   resolved "https://registry.yarnpkg.com/@google-cloud/api-gateway/-/api-gateway-1.2.1.tgz#0b04962c9ef433eb0f2fbad650251c0dd421bffe"

Original file line number	Diff line number	Diff line change
`@@ -54,5 +54,6 @@ export default {`
`54`	`54`	`[services.apiGatewayApiConfig]: 'gcpApiGatewayApiConfig',`
`55`	`55`	`[services.firestoreDatabase]: 'gcpFirestoreDatabase',`
`56`	`56`	`[services.essentialContacts]: 'gcpEssentialContact',`
	`57`	`+ [services.accessApproval]: 'gcpAccessApproval',`
`57`	`58`	`tag: 'gcpTag',`
`58`	`59`	`}`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +export default `mutation($input: [AddgcpAccessApprovalInput!]!) {
 +  addgcpAccessApproval(input: $input, upsert: true) {
 +    numUids
 +  }
 +}`;