Merge pull request #246 from modular-magician/master

Add security policies

docs/resources/google_compute_security_policies.md

@@ -0,0 +1,35 @@
+---
+title: About the google_compute_security_policies resource
+platform: gcp
+---
+
+## Syntax
+A `google_compute_security_policies` is used to test a Google SecurityPolicy resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource
+
+## Examples
+```
+describe google_compute_security_policies(project: 'chef-gcp-inspec') do
+  its('count') { should be >= 1 }
+  its('names') { should include 'sec-policy' }
+end
+```
+
+## Properties
+Properties that can be accessed from the `google_compute_security_policies` resource:
+
+See [google_compute_security_policy.md](google_compute_security_policy.md) for more detailed information
+  * `names`: an array of `google_compute_security_policy` name
+  * `ids`: an array of `google_compute_security_policy` id
+  * `rules`: an array of `google_compute_security_policy` rules
+
+## Filter Criteria
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP Permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.

docs/resources/google_compute_security_policy.md

@@ -0,0 +1,68 @@
+---
+title: About the google_compute_security_policy resource
+platform: gcp
+---
+
+## Syntax
+A `google_compute_security_policy` is used to test a Google SecurityPolicy resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource
+
+## Examples
+```
+describe google_compute_security_policy(project: 'chef-gcp-inspec', name: 'sec-policy') do
+  it { should exist }
+  its('rules.size') { should cmp 2 }
+  its('rules.first.priority') { should cmp '1000' }
+  its('rules.first.match.config.src_ip_ranges.first') { should cmp '9.9.9.0/24' }
+end
+
+describe google_compute_security_policy(project: 'chef-gcp-inspec', name: 'nonexistent') do
+  it { should_not exist }
+end
+```
+
+## Properties
+Properties that can be accessed from the `google_compute_security_policy` resource:
+
+
+  * `name`: Name of the security policy.
+
+  * `id`: The unique identifier for the resource.
+
+  * `rules`: A list of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added.
+
+    * `description`: A description of the rule.
+
+    * `priority`: An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
+
+    * `action`: The Action to preform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.
+
+    * `preview`: If set to true, the specified action is not enforced.
+
+    * `match`: A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
+
+      * `description`: A description of the rule.
+
+      * `expr`: User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header.
+
+        * `expression`: Textual representation of an expression in Common Expression Language syntax.
+
+        * `title`: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
+
+        * `description`: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
+
+        * `location`: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
+
+      * `versioned_expr`: Preconfigured versioned expression. If this field is specified, config must also be specified. Available preconfigured expressions along with their requirements are: `SRC_IPS_V1` - must specify the corresponding srcIpRange field in config.
+
+      * `config`: The configuration options available when specifying versionedExpr. This field must be specified if versionedExpr is specified and cannot be specified if versionedExpr is not specified.
+
+        * `src_ip_ranges`: CIDR IP address range.
+
+
+## GCP Permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.

libraries/google/compute/property/securitypolicy_rules.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: false
+
+# ----------------------------------------------------------------------------
+#
+#     ***     AUTO GENERATED CODE    ***    AUTO GENERATED CODE     ***
+#
+# ----------------------------------------------------------------------------
+#
+#     This file is automatically generated by Magic Modules and manual
+#     changes will be clobbered when the file is regenerated.
+#
+#     Please read more about how to change this file in README.md and
+#     CONTRIBUTING.md located at the root of this package.
+#
+# ----------------------------------------------------------------------------
+require 'google/compute/property/securitypolicy_rules_match'
+require 'google/compute/property/securitypolicy_rules_match_config'
+require 'google/compute/property/securitypolicy_rules_match_expr'
+module GoogleInSpec
+  module Compute
+    module Property
+      class SecurityPolicyRules
+        attr_reader :description
+
+        attr_reader :priority
+
+        attr_reader :action
+
+        attr_reader :preview
+
+        attr_reader :match
+
+        def initialize(args = nil, parent_identifier = nil)
+          return if args.nil?
+          @parent_identifier = parent_identifier
+          @description = args['description']
+          @priority = args['priority']
+          @action = args['action']
+          @preview = args['preview']
+          @match = GoogleInSpec::Compute::Property::SecurityPolicyRulesMatch.new(args['match'], to_s)
+        end
+
+        def to_s
+          "#{@parent_identifier} SecurityPolicyRules"
+        end
+      end
+
+      class SecurityPolicyRulesArray
+        def self.parse(value, parent_identifier)
+          return if value.nil?
+          return SecurityPolicyRules.new(value, parent_identifier) unless value.is_a?(::Array)
+          value.map { |v| SecurityPolicyRules.new(v, parent_identifier) }
+        end
+      end
+    end
+  end
+end

libraries/google/compute/property/securitypolicy_rules_match.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: false
+
+# ----------------------------------------------------------------------------
+#
+#     ***     AUTO GENERATED CODE    ***    AUTO GENERATED CODE     ***
+#
+# ----------------------------------------------------------------------------
+#
+#     This file is automatically generated by Magic Modules and manual
+#     changes will be clobbered when the file is regenerated.
+#
+#     Please read more about how to change this file in README.md and
+#     CONTRIBUTING.md located at the root of this package.
+#
+# ----------------------------------------------------------------------------
+require 'google/compute/property/securitypolicy_rules_match_config'
+require 'google/compute/property/securitypolicy_rules_match_expr'
+module GoogleInSpec
+  module Compute
+    module Property
+      class SecurityPolicyRulesMatch
+        attr_reader :description
+
+        attr_reader :expr
+
+        attr_reader :versioned_expr
+
+        attr_reader :config
+
+        def initialize(args = nil, parent_identifier = nil)
+          return if args.nil?
+          @parent_identifier = parent_identifier
+          @description = args['description']
+          @expr = GoogleInSpec::Compute::Property::SecurityPolicyRulesMatchExpr.new(args['expr'], to_s)
+          @versioned_expr = args['versionedExpr']
+          @config = GoogleInSpec::Compute::Property::SecurityPolicyRulesMatchConfig.new(args['config'], to_s)
+        end
+
+        def to_s
+          "#{@parent_identifier} SecurityPolicyRulesMatch"
+        end
+      end
+    end
+  end
+end

libraries/google/compute/property/securitypolicy_rules_match_config.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: false
+
+# ----------------------------------------------------------------------------
+#
+#     ***     AUTO GENERATED CODE    ***    AUTO GENERATED CODE     ***
+#
+# ----------------------------------------------------------------------------
+#
+#     This file is automatically generated by Magic Modules and manual
+#     changes will be clobbered when the file is regenerated.
+#
+#     Please read more about how to change this file in README.md and
+#     CONTRIBUTING.md located at the root of this package.
+#
+# ----------------------------------------------------------------------------
+module GoogleInSpec
+  module Compute
+    module Property
+      class SecurityPolicyRulesMatchConfig
+        attr_reader :src_ip_ranges
+
+        def initialize(args = nil, parent_identifier = nil)
+          return if args.nil?
+          @parent_identifier = parent_identifier
+          @src_ip_ranges = args['srcIpRanges']
+        end
+
+        def to_s
+          "#{@parent_identifier} SecurityPolicyRulesMatchConfig"
+        end
+      end
+    end
+  end
+end

libraries/google/compute/property/securitypolicy_rules_match_expr.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: false
+
+# ----------------------------------------------------------------------------
+#
+#     ***     AUTO GENERATED CODE    ***    AUTO GENERATED CODE     ***
+#
+# ----------------------------------------------------------------------------
+#
+#     This file is automatically generated by Magic Modules and manual
+#     changes will be clobbered when the file is regenerated.
+#
+#     Please read more about how to change this file in README.md and
+#     CONTRIBUTING.md located at the root of this package.
+#
+# ----------------------------------------------------------------------------
+module GoogleInSpec
+  module Compute
+    module Property
+      class SecurityPolicyRulesMatchExpr
+        attr_reader :expression
+
+        attr_reader :title
+
+        attr_reader :description
+
+        attr_reader :location
+
+        def initialize(args = nil, parent_identifier = nil)
+          return if args.nil?
+          @parent_identifier = parent_identifier
+          @expression = args['expression']
+          @title = args['title']
+          @description = args['description']
+          @location = args['location']
+        end
+
+        def to_s
+          "#{@parent_identifier} SecurityPolicyRulesMatchExpr"
+        end
+      end
+    end
+  end
+end

libraries/google_compute_security_policies.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: false
+
+# ----------------------------------------------------------------------------
+#
+#     ***     AUTO GENERATED CODE    ***    AUTO GENERATED CODE     ***
+#
+# ----------------------------------------------------------------------------
+#
+#     This file is automatically generated by Magic Modules and manual
+#     changes will be clobbered when the file is regenerated.
+#
+#     Please read more about how to change this file in README.md and
+#     CONTRIBUTING.md located at the root of this package.
+#
+# ----------------------------------------------------------------------------
+require 'gcp_backend'
+class ComputeSecurityPolicys < GcpResourceBase
+  name 'google_compute_security_policies'
+  desc 'SecurityPolicy plural resource'
+  supports platform: 'gcp'
+
+  attr_reader :table
+
+  filter_table_config = FilterTable.create
+
+  filter_table_config.add(:names, field: :name)
+  filter_table_config.add(:ids, field: :id)
+  filter_table_config.add(:rules, field: :rules)
+
+  filter_table_config.connect(self, :table)
+
+  def initialize(params = {})
+    super(params.merge({ use_http_transport: true }))
+    @params = params
+    @table = fetch_wrapped_resource('items')
+  end
+
+  def fetch_wrapped_resource(wrap_path)
+    # fetch_resource returns an array of responses (to handle pagination)
+    result = @connection.fetch_all(product_url, resource_base_url, @params, 'Get')
+    return if result.nil?
+
+    # Conversion of string -> object hash to symbol -> object hash that InSpec needs
+    converted = []
+    result.each do |response|
+      next if response.nil? || !response.key?(wrap_path)
+      response[wrap_path].each do |hash|
+        hash_with_symbols = {}
+        hash.each_key do |key|
+          name, value = transform(key, hash)
+          hash_with_symbols[name] = value
+        end
+        converted.push(hash_with_symbols)
+      end
+    end
+
+    converted
+  end
+
+  def transform(key, value)
+    return transformers[key].call(value) if transformers.key?(key)
+
+    [key.to_sym, value]
+  end
+
+  def transformers
+    {
+      'name' => ->(obj) { return :name, obj['name'] },
+      'id' => ->(obj) { return :id, obj['id'] },
+      'rules' => ->(obj) { return :rules, GoogleInSpec::Compute::Property::SecurityPolicyRulesArray.parse(obj['rules'], to_s) },
+    }
+  end
+
+  private
+
+  def product_url(beta = false)
+    if beta
+      'https://www.googleapis.com/compute/beta/'
+    else
+      'https://www.googleapis.com/compute/v1/'
+    end
+  end
+
+  def resource_base_url
+    'projects/{{project}}/global/securityPolicies'
+  end
+end