OCI - Key Rotation Plugin

celsogbezerra · Jul 15, 2022 · cc046e6 · cc046e6
1 parent 034998e
commit cc046e6
Show file tree

Hide file tree

Showing 7 changed files with 386 additions and 3 deletions.
diff --git a/collectors/oracle/collector.js b/collectors/oracle/collector.js
@@ -464,6 +464,26 @@ var finalcalls = {
             restVersion: '',
         }
     },
+    keys: {
+        get: {
+            api: 'kms',
+            reliesOnService: ['keys'],
+            reliesOnCall: ['list'],
+            filterKey: ['compartmentId', 'id'],
+            filterValue: ['compartmentId', 'id'],
+            restVersion: '/20180608'
+        }
+    },
+    keyVersions: {
+        list: {
+            api: 'kms',
+            reliesOnService: ['keys'],
+            reliesOnCall: ['list'],
+            filterKey: ['compartmentId', 'id'],
+            filterValue: ['compartmentId', 'id'],
+            restVersion: '/20180608'
+        }
+    },
     exprt: {
         get: {
             api: 'fileStorage',

diff --git a/exports.js b/exports.js
@@ -910,6 +910,9 @@ module.exports = {
         'okePrivateEndpoint'            : require(__dirname + '/plugins/oracle/oke/okePrivateEndpoint.js'),
         'okeSecretsEncrypted'           : require(__dirname + '/plugins/oracle/oke/okeSecretsEncrypted.js'),
         'okeSecurityGroups'            : require(__dirname + '/plugins/oracle/oke/okeSecurityGroups.js'),
+
+        'keyRotation'                  : require(__dirname + '/plugins/oracle/vaults/keyRotation.js'),
+
     },
     google: {
         'excessiveFirewallRules'        : require(__dirname + '/plugins/google/vpcnetwork/excessiveFirewallRules.js'),

diff --git a/helpers/oracle/regions.js b/helpers/oracle/regions.js
@@ -83,5 +83,6 @@ module.exports = {
     customerSecretKey: ['default'],
     vault: regions,
     keys: regions,
+    keyVersions: regions,
     cluster: regions
 };
diff --git a/other_modules/oci/index.js b/other_modules/oci/index.js
@@ -7,11 +7,15 @@ module.exports = function(api, service, key, OracleConfig, parameters, callback)
         !services[api][service][key]) return callback({code: 'Invalid API'});
 
     var localService = services[api][service][key];
-
+   
     //replacing endpoint with managementRndpoint value from vault for keys api
     if (api === 'kms' && localService.path === 'keys') {
-        localService.endpoint = parameters.managementEndpoint.replace('https://', '');
-        delete parameters['managementEndpoint'];
+        if (!localService.secondaryPath && key === 'list') {
+            localService.endpoint = parameters.managementEndpoint.replace('https://', '');
+            delete parameters['managementEndpoint'];
+        } else if (key === 'get' || (localService.secondaryPath && localService.secondaryPath === 'keyVersions')) {
+            localService.endpoint = localService.endpoint.replace(/^[^\s-]*(?=-)/, parameters.id.split('.')[4]);
+        }
     }
 
     var suffix = '';

diff --git a/other_modules/oci/services.json b/other_modules/oci/services.json
@@ -473,6 +473,27 @@
                 "method": "GET",
                 "path": "keys",
                 "endpoint": "{{managementEndpoint}}"
+            },
+            "get": {
+                "allowedQueryStrings": [
+                    "compartmentId", "page", "limit"
+                ],
+                "encodedGet": "id",
+                "method": "GET",
+                "path": "keys",
+                "endpoint": "-management.kms.{{region}}.oraclecloud.com"
+            }
+        },
+        "keyVersions": {
+            "list": {
+                "allowedQueryStrings": [
+                    "compartmentId", "page", "limit"
+                ],
+                "encodedGet": "id",
+                "method": "GET",
+                "path": "keys",
+                "secondaryPath": "keyVersions",
+                "endpoint": "-management.kms.{{region}}.oraclecloud.com"
             }
         }
     },

diff --git a/plugins/oracle/vaults/keyRotation.js b/plugins/oracle/vaults/keyRotation.js
@@ -0,0 +1,88 @@
+var async = require('async');
+var helpers = require('../../../helpers/oracle');
+
+module.exports = {
+    title: 'Key Rotation',
+    category: 'Vaults',
+    domain: 'Management and Governance',
+    description: 'Ensure that your OCI Vault Keys are periodically rotated.',
+    more_info: 'Rotating keys periodically limits the data encrypted under one key version. Key rotation thereby reduces the risk in case a key is ever compromised.',
+    link: 'https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingkeys.htm',
+    recommended_action: 'Ensure that all your cryptographic keys are regenerated (rotated) after a specific period.',
+    apis: ['vault:list', 'keys:list', 'keys:get', 'keyVersions:list'],
+    settings: {
+        key_rotation_interval: {
+            name: 'Key Rotation Interval',
+            description: 'Return a failing result when keys exceed this number of days without being rotated',
+            regex: '^[1-9]{1}[0-9]{0,3}$',
+            default: '365'
+        }
+    },
+
+    run: function(cache, settings, callback) {
+        var results = [];
+        var source = {};
+        var regions = helpers.regions(settings.govcloud);
+
+        var keyRotationInterval = parseInt(settings.key_rotation_interval || this.settings.key_rotation_interval.default);
+
+        async.each(regions.keys, function(region, rcb){
+
+            if (helpers.checkRegionSubscription(cache, source, results, region)) {
+
+                var keys = helpers.addSource(cache, source,
+                    ['keys', 'get', region]);
+
+                if (!keys) return rcb();
+
+                if (keys.err || !keys.data) {
+                    helpers.addResult(results, 3,
+                        'Unable to query for cryptographic keys: ' + helpers.addError(keys), region);
+                    return rcb();
+                }
+
+                if (!keys.data.length) {
+                    helpers.addResult(results, 0, 'No cryptographic keys found', region);
+                    return rcb();
+                }
+
+                var keyVersions = helpers.addSource(cache, source,
+                    ['keyVersions', 'list', region]);
+
+                if (!keyVersions) return rcb();
+
+                if (keyVersions.err || !keyVersions.data) {
+                    helpers.addResult(results, 3,
+                        'Unable to query for cryptographic key versions: ' + helpers.addError(keyVersions), region);
+                    return rcb();
+                }
+
+                if (!keyVersions.data.length) {
+                    helpers.addResult(results, 0, 'No key versions found', region);
+                    return rcb();
+                }
+
+                keys.data.forEach(key => {  
+                    const currentKeyVersion = keyVersions.data.find(version => version.id === key.currentKeyVersion);
+
+                    let timeCreated = currentKeyVersion ? currentKeyVersion.timeCreated : key.timeCreated;
+                    var diffInDays = helpers.daysBetween(timeCreated, new Date());
+
+                    if (diffInDays > keyRotationInterval) {
+                        helpers.addResult(results, 2,
+                            `Cryptographic Key was last rotated ${diffInDays} days ago which is greater than ${keyRotationInterval}`, region, key.id);
+                    } else {
+                        helpers.addResult(results, 0,
+                            `Cryptographic Key was last rotated ${diffInDays} days ago which is equal to or less than ${keyRotationInterval}`, region, key.id);
+                    }
+                });
+
+
+            }
+            rcb();
+        }, function(){
+            // Global checking goes here
+            callback(null, results, source);
+        });
+    }
+};