
Documentation

Overview

Package services holds commonly used methods for security automation.

Index

Constants

This section is empty.

Variables

var (
	// ErrUnmarshal is returned when a payload cannot be unmarshalled.
	ErrUnmarshal = errors.New("failed to unmarshal")
	// ErrParsing is returned when input cannot be parsed as a log.
	ErrParsing = errors.New("not a valid log")
	// ErrValueNotFound is returned when a requested value is absent.
	ErrValueNotFound = errors.New("value not found")
	// ErrUnsupportedFinding is returned when a finding is not supported by a function.
	ErrUnsupportedFinding = errors.New("unsupported finding")
	// ErrSkipFinding presumably signals that a function chose not to act on a
	// finding (the original comment was copied from ErrUnsupportedFinding).
	// NOTE(review): its message is identical to ErrUnsupportedFinding's, so the
	// two are indistinguishable in logs; distinguish them with errors.Is, never
	// by comparing Error() strings.
	ErrSkipFinding = errors.New("unsupported finding")
)

Functions

func CreateAncestors

func CreateAncestors(members []string) *cloudresourcemanager.GetAncestryResponse

CreateAncestors creates an ancestry response using a provided slice of members.

func GeneratePassword

func GeneratePassword() (string, error)

GeneratePassword generates a password based on randomly generated numbers that are hashed using SHA256.

func SendTurbinia

func SendTurbinia(ctx context.Context, turbiniaProjectID, topic, zone string, diskNames []string) error

SendTurbinia will send the disks to Turbinia.

Types

type BigQuery

// BigQuery wraps a BigQueryClient; construct it with NewBigQuery (caller-supplied
// client) or InitBigQuery (client built for a project).
type BigQuery struct {
	// contains filtered or unexported fields
}

BigQuery service.

func InitBigQuery

func InitBigQuery(ctx context.Context, projectID string) (*BigQuery, error)

InitBigQuery creates and initializes a new instance of BigQuery.

func NewBigQuery

func NewBigQuery(cs BigQueryClient) *BigQuery

NewBigQuery returns a BigQuery service.

func (*BigQuery) RemoveDatasetPublicAccess

func (bq *BigQuery) RemoveDatasetPublicAccess(ctx context.Context, projectID, datasetID string) error

RemoveDatasetPublicAccess removes public users from a dataset.

type BigQueryClient

// BigQueryClient is the subset of the BigQuery API the service depends on.
// Both calls are scoped by project ID and dataset ID.
type BigQueryClient interface {
	// DatasetMetadata reads the current metadata of a dataset.
	DatasetMetadata(ctx context.Context, projectID, datasetID string) (*bigquery.DatasetMetadata, error)
	// OverwriteDatasetMetadata applies dm to the dataset and returns the result.
	// NOTE(review): the name suggests a replace rather than a merge of the
	// access list — confirm before relying on it for partial updates.
	OverwriteDatasetMetadata(ctx context.Context, projectID, datasetID string, dm bigquery.DatasetMetadataToUpdate) (*bigquery.DatasetMetadata, error)
}

BigQueryClient contains the minimum interface required by the service.

type CloseBucket

type CloseBucket struct {
	// Resources selects the folders, projects or organization the action
	// applies to. It has no json tag, so encoding/json matches it by field
	// name ("Resources", case-insensitively), not by a snake_case key.
	Resources *Resources
	// DryRun is read from "dry_run". A bool's zero value is false, so when
	// the key is absent the action presumably runs for real — confirm.
	DryRun    bool `json:"dry_run"`
}

CloseBucket contains configuration required for the Cloud Bucket function.

type CloseCloudSQL

type CloseCloudSQL struct {
	// Resources selects the folders, projects or organization the action
	// applies to. No json tag: matched by field name, case-insensitively.
	Resources *Resources
	// DryRun is read from "dry_run"; an absent key yields false, which
	// presumably means the instance is actually modified — confirm.
	DryRun    bool `json:"dry_run"`
}

CloseCloudSQL contains configuration required for the close Cloud SQL function.

type ClosePublicDataset

type ClosePublicDataset struct {
	// Resources selects the folders, projects or organization the action
	// applies to. No json tag: matched by field name, case-insensitively.
	Resources *Resources
	// DryRun is read from "dry_run"; an absent key yields false, which
	// presumably means the dataset access is actually changed — confirm.
	DryRun    bool `json:"dry_run"`
}

ClosePublicDataset contains configuration required for the close public dataset function.

type CloudSQL

// CloudSQL wraps a CloudSQLClient (see NewCloudSQL) and exposes the
// remediation helpers for Cloud SQL instances.
type CloudSQL struct {
	// contains filtered or unexported fields
}

CloudSQL service.

func NewCloudSQL

func NewCloudSQL(cc CloudSQLClient) *CloudSQL

NewCloudSQL returns a Cloud SQL service.

func (*CloudSQL) ClosePublicAccess

func (s *CloudSQL) ClosePublicAccess(ctx context.Context, projectID, instance string, acls []*sqladmin.AclEntry) error

ClosePublicAccess removes all valid IPs from the authorized networks for an instance.

func (*CloudSQL) InstanceDetails

func (s *CloudSQL) InstanceDetails(ctx context.Context, projectID string, instance string) (*sqladmin.DatabaseInstance, error)

InstanceDetails gets the details for an instance.

func (*CloudSQL) IsPublic

func (s *CloudSQL) IsPublic(acls []*sqladmin.AclEntry) bool

IsPublic checks if the Cloud SQL instance contains public IPs.

func (*CloudSQL) RequireSSL

func (s *CloudSQL) RequireSSL(ctx context.Context, projectID string, instance string) error

RequireSSL modifies the configuration to require only SSL connections.

func (*CloudSQL) UpdateUserPassword

func (s *CloudSQL) UpdateUserPassword(ctx context.Context, projectID, instance, host, name, password string) error

UpdateUserPassword updates a user's password.

type CloudSQLClient

CloudSQLClient contains the minimum interface required by the Cloud SQL service.

type CloudSQLRequireSSL

type CloudSQLRequireSSL struct {
	// Resources selects the folders, projects or organization the action
	// applies to. No json tag: matched by field name, case-insensitively.
	Resources *Resources
	// DryRun is read from "dry_run"; an absent key yields false, which
	// presumably means SSL is actually enforced on the instance — confirm.
	DryRun    bool `json:"dry_run"`
}

CloudSQLRequireSSL contains configuration required for the Cloud SQL require SSL function.

type CommandCenter

// CommandCenter wraps a CommandCenterClient (see NewCommandCenter).
type CommandCenter struct {
	// contains filtered or unexported fields
}

CommandCenter service.

func NewCommandCenter

func NewCommandCenter(cc CommandCenterClient) *CommandCenter

NewCommandCenter returns a command center service.

func (*CommandCenter) AddSecurityMarks

func (r *CommandCenter) AddSecurityMarks(ctx context.Context, serviceID string, securityMarks map[string]string) (*crm.SecurityMarks, error)

AddSecurityMarks adds security marks to a finding or asset.

type CommandCenterClient

// CommandCenterClient is the single Security Command Center call the service
// depends on; the request carries the target resource and the marks to set.
type CommandCenterClient interface {
	AddSecurityMarks(context.Context, *crm.UpdateSecurityMarksRequest) (*crm.SecurityMarks, error)
}

CommandCenterClient contains the minimum interface required by the command center service.

type ComputeClient

// ComputeClient is the subset of the Compute Engine API the Host service uses.
// Several methods take unnamed positional strings; their order is presumably
// (project, zone, resource, …) as in the named forms of DeleteAccessConfig and
// GetInstance — confirm against the implementation before calling directly.
type ComputeClient interface {
	DiskInsert(context.Context, string, string, *compute.Disk) (*compute.Operation, error)
	CreateSnapshot(context.Context, string, string, string, *compute.Snapshot) (*compute.Operation, error)
	DeleteAccessConfig(ctx context.Context, project, zone, instance, accessConfig, networkInterface string) (*compute.Operation, error)
	DeleteDiskSnapshot(context.Context, string, string) (*compute.Operation, error)
	DeleteInstance(context.Context, string, string, string) (*compute.Operation, error)
	GetInstance(ctx context.Context, project, zone, instance string) (*compute.Instance, error)
	ListDisks(context.Context, string, string) (*compute.DiskList, error)
	ListProjectSnapshots(context.Context, string) (*compute.SnapshotList, error)
	SetLabels(context.Context, string, string, *compute.GlobalSetLabelsRequest) (*compute.Operation, error)
	StartInstance(context.Context, string, string, string) (*compute.Operation, error)
	StopInstance(context.Context, string, string, string) (*compute.Operation, error)
	// WaitGlobal and WaitZone take no context and return a slice of errors
	// rather than one wrapped error; test success with len(errs) == 0, not
	// errs == nil, since an empty non-nil slice is also "no error".
	WaitGlobal(string, *compute.Operation) []error
	WaitZone(string, string, *compute.Operation) []error
}

ComputeClient contains the minimum interface required by the host service.

type Configuration

// Configuration is the top-level shape of the JSON file read by NewConfiguration.
// When decoded with encoding/json, a pointer field stays nil if its key is
// absent, so callers should nil-check a section before using it.
type Configuration struct {
	// PagerDuty carries a credential (PagerDutyConfiguration.APIKey); treat the
	// configuration file accordingly.
	PagerDuty              *PagerDutyConfiguration `json:"pager_duty"`
	CloseBucket            *CloseBucket            `json:"close_bucket"`
	// DisableFirewall is keyed "open_firewall", not "disable_firewall";
	// presumably a historical name kept for compatibility.
	DisableFirewall        *DisableFirewall        `json:"open_firewall"`
	RemovePublicIP         *RemovePublicIP         `json:"remove_public_ip"`
	ClosePublicDataset     *ClosePublicDataset     `json:"close_public_dataset"`
	CloseCloudSQL          *CloseCloudSQL          `json:"close_cloud_sql"`
	CloudSQLRequireSSL     *CloudSQLRequireSSL     `json:"cloud_sql_require_ssl"`
	DisableDashboard       *DisableDashboard       `json:"disable_dashboard"`
	EnableBucketOnlyPolicy *EnableBucketOnlyPolicy `json:"enable_bucket_only_policy"`
	EnableAuditLogs        *EnableAuditLogs        `json:"enable_audit_logs"`
	// UpdatePassword is keyed "cloud_sql_update_password", unlike the other
	// sections whose keys mirror the field name.
	UpdatePassword         *UpdatePassword         `json:"cloud_sql_update_password"`
	RemoveNonOrgMembers    *RemoveNonOrgMembers    `json:"remove_non_org_members"`
	// Router has no json tag, so it is matched by field name ("Router",
	// case-insensitively) rather than a snake_case key.
	Router                 *Router
}

Configuration contains the ID(s) to apply actions to.

func NewConfiguration

func NewConfiguration(file string) (*Configuration, error)

NewConfiguration returns a new configuration.

type Container

// Container wraps a ContainerClient (see NewContainer) for GKE cluster changes.
type Container struct {
	// contains filtered or unexported fields
}

Container Service.

func NewContainer

func NewContainer(client ContainerClient) *Container

NewContainer returns a new Container service.

func (*Container) DisableDashboard

func (c *Container) DisableDashboard(ctx context.Context, projectID, zone, clusterID string) (*container.Operation, error)

DisableDashboard disables the Kubernetes Dashboard for a given cluster.

type ContainerClient

// ContainerClient is the single GKE call the Container service depends on.
// The unnamed strings are presumably (project, zone, cluster) in that order,
// matching Container.DisableDashboard's parameters — confirm.
type ContainerClient interface {
	UpdateAddonsConfig(context.Context, string, string, string, *container.SetAddonsConfigRequest) (*container.Operation, error)
}

ContainerClient holds the minimum interface required by the Container service.

type DisableDashboard

type DisableDashboard struct {
	// Resources selects the folders, projects or organization the action
	// applies to. No json tag: matched by field name, case-insensitively.
	Resources *Resources
	// DryRun is read from "dry_run"; an absent key yields false, which
	// presumably means the cluster add-on is actually changed — confirm.
	DryRun    bool `json:"dry_run"`
}

DisableDashboard contains configuration required for the disable dashboard function.

type DisableFirewall

type DisableFirewall struct {
	// Resources selects the folders, projects or organization the action
	// applies to. No json tag: matched by field name, case-insensitively.
	Resources          *Resources
	// RemediationAction is a free-form string; the accepted values are not
	// visible in this listing, so validate it where it is consumed.
	RemediationAction  string   `json:"remediation_action"`
	// SourceRanges are CIDR strings, presumably the ranges passed to
	// Firewall.BlockSSH / UpdateFirewallRuleSourceRange — confirm.
	SourceRanges       []string `json:"source_ranges"`
	// DryRun is read from "dry_run"; an absent key yields false, which
	// presumably means the firewall rule is actually modified — confirm.
	DryRun             bool     `json:"dry_run"`
	// OutputDestinations lists where results are sent; the format is not
	// shown here.
	OutputDestinations []string `json:"output_destinations"`
}

DisableFirewall contains configuration required for the disable firewall function.

type Email

// Email wraps an EmailClient (see NewEmail) and adds template rendering.
type Email struct {
	// contains filtered or unexported fields
}

Email is the service used to send emails.

func NewEmail

func NewEmail(service EmailClient) *Email

NewEmail creates a new email service.

func (*Email) RenderTemplate

func (m *Email) RenderTemplate(templateName string, templateContent interface{}) (string, error)

RenderTemplate parses the content based on template.

func (*Email) Send

func (m *Email) Send(subject, from, body string, to []string) (*rest.Response, error)

Send will send an email.

type EmailClient

// EmailClient is the seam the Email service sends through. Send takes no
// context, so any timeout must be configured on the underlying client.
type EmailClient interface {
	Send(subject, from, body string, to []string) (*rest.Response, error)
}

EmailClient is the interface used for sending emails.

type EmailResponse

type EmailResponse struct {
	// StatusCode is the HTTP status returned by the mail provider.
	StatusCode int
	// Body is the raw response body; it may echo request data, so avoid
	// logging it verbatim.
	Body       string
}

EmailResponse contains the response from sending an email.

type EnableAuditLogs

type EnableAuditLogs struct {
	// Resources selects the folders, projects or organization the action
	// applies to. No json tag: matched by field name, case-insensitively.
	Resources *Resources
	// DryRun is read from "dry_run"; an absent key yields false, which
	// presumably means the IAM policy is actually updated — confirm.
	DryRun    bool `json:"dry_run"`
}

EnableAuditLogs contains the configuration required to enable data access audit logs.

type EnableBucketOnlyPolicy

type EnableBucketOnlyPolicy struct {
	// Resources selects the folders, projects or organization the action
	// applies to. No json tag: matched by field name, case-insensitively.
	Resources *Resources
	// DryRun is read from "dry_run"; an absent key yields false, which
	// presumably means the bucket policy is actually changed — confirm.
	DryRun    bool `json:"dry_run"`
}

EnableBucketOnlyPolicy contains configuration required for the enable bucket only policy function.

type Firewall

// Firewall wraps a FirewallClient (see NewFirewall) for VPC firewall rule changes.
type Firewall struct {
	// contains filtered or unexported fields
}

Firewall service.

func NewFirewall

func NewFirewall(client FirewallClient) *Firewall

NewFirewall returns a new firewall service.

func (*Firewall) BlockSSH

func (f *Firewall) BlockSSH(ctx context.Context, projectID string, sourceRanges []string) error

BlockSSH will add a firewall rule that blocks SSH for the given project.

func (*Firewall) DeleteFirewallRule

func (f *Firewall) DeleteFirewallRule(ctx context.Context, projectID string, ruleID string) (*compute.Operation, error)

DeleteFirewallRule deletes the firewall rule.

func (*Firewall) DisableFirewallRule

func (f *Firewall) DisableFirewallRule(ctx context.Context, projectID string, ruleID string, name string) (*compute.Operation, error)

DisableFirewallRule sets the firewall rule to disabled.

func (*Firewall) EnableFirewallRule

func (f *Firewall) EnableFirewallRule(ctx context.Context, projectID string, ruleID string, name string) (*compute.Operation, error)

EnableFirewallRule sets the firewall rule to enabled.

func (*Firewall) FirewallRule

func (f *Firewall) FirewallRule(ctx context.Context, projectID string, ruleID string) (*compute.Firewall, error)

FirewallRule gets a firewall rule.

func (*Firewall) UpdateFirewallRuleSourceRange

func (f *Firewall) UpdateFirewallRuleSourceRange(ctx context.Context, projectID string, ruleID string, name string, sourceRanges []string) error

UpdateFirewallRuleSourceRange updates the firewall rule's source ranges.

func (*Firewall) WaitGlobal

func (f *Firewall) WaitGlobal(project string, op *compute.Operation) []error

WaitGlobal will wait for the global operation to complete.

type FirewallClient

// FirewallClient is the subset of the Compute Engine firewall API the
// Firewall service uses. The unnamed strings are presumably (project) or
// (project, rule ID) as in the Firewall methods — confirm.
type FirewallClient interface {
	InsertFirewallRule(context.Context, string, *compute.Firewall) (*compute.Operation, error)
	PatchFirewallRule(context.Context, string, string, *compute.Firewall) (*compute.Operation, error)
	FirewallRule(context.Context, string, string) (*compute.Firewall, error)
	DeleteFirewallRule(context.Context, string, string) (*compute.Operation, error)
	// WaitGlobal takes no context and returns every error as a slice;
	// check len(errs) == 0 for success.
	WaitGlobal(string, *compute.Operation) []error
}

FirewallClient holds the minimum interface required by the firewall service.

type Global

// Global is the bundle of services built by New. Services that have their
// own Init* constructors (BigQuery, PagerDuty, PubSub) are not part of it
// and are presumably created on demand.
type Global struct {
	// Configuration is the decoded configuration file (see NewConfiguration).
	Configuration *Configuration
	Logger        *Logger
	Resource      *Resource
	Host          *Host
	Firewall      *Firewall
	Container     *Container
	CloudSQL      *CloudSQL
}

Global holds all initialized services.

func New

func New(ctx context.Context) (*Global, error)

New returns an initialized Global struct.

type GoogleCloudDisk

// GoogleCloudDisk identifies one persistent disk; it is the element type of
// TurbiniaRequest.Evidence.
type GoogleCloudDisk struct {
	Project  string `json:"project"`
	Zone     string `json:"zone"`
	DiskName string `json:"disk_name"`
}

GoogleCloudDisk represents a GCP disk.

type Host

// Host wraps a ComputeClient (see NewHost) for instance, disk and snapshot
// operations.
type Host struct {
	// contains filtered or unexported fields
}

Host service.

func NewHost

func NewHost(cs ComputeClient) *Host

NewHost returns a host service.

func (*Host) CopyDiskSnapshot

func (h *Host) CopyDiskSnapshot(ctx context.Context, srcProjectID, dstProjectID, zone, name string) error

CopyDiskSnapshot creates a disk from a snapshot and moves it to another project.

func (*Host) CreateDiskSnapshot

func (h *Host) CreateDiskSnapshot(ctx context.Context, projectID, zone, disk, name string) error

CreateDiskSnapshot creates a snapshot.

func (*Host) DeleteDiskSnapshot

func (h *Host) DeleteDiskSnapshot(ctx context.Context, projectID, snapshot string) error

DeleteDiskSnapshot deletes the given snapshot from the project.

func (*Host) DeleteInstance

func (h *Host) DeleteInstance(ctx context.Context, projectID, zone, instance string) (*compute.Operation, error)

DeleteInstance deletes a given instance in a given zone.

func (*Host) DiskSnapshot

func (h *Host) DiskSnapshot(ctx context.Context, snapshotName, projectID string, disk *compute.Disk) (*compute.Snapshot, error)

DiskSnapshot gets a snapshot by name associated with a given disk.

func (*Host) ListInstanceDisks

func (h *Host) ListInstanceDisks(ctx context.Context, projectID, zone, instance string) ([]*compute.Disk, error)

ListInstanceDisks returns the list of disks for a given instance.

func (*Host) ListProjectSnapshots

func (h *Host) ListProjectSnapshots(ctx context.Context, projectID string) (*compute.SnapshotList, error)

ListProjectSnapshots returns a list of snapshots.

func (*Host) RemoveExternalIPs

func (h *Host) RemoveExternalIPs(ctx context.Context, project, zone, instance string) error

RemoveExternalIPs iterates on all network interfaces of an instance and deletes its accessConfigs, actually removing the external IP addresses of the instance.

func (*Host) SetSnapshotLabels

func (h *Host) SetSnapshotLabels(ctx context.Context, projectID, snapshotName string, disk *compute.Disk, labels map[string]string) error

SetSnapshotLabels sets the labels on a snapshot.

func (*Host) StartInstance

func (h *Host) StartInstance(ctx context.Context, projectID, zone, instance string) error

StartInstance starts a given instance in a given zone.

func (*Host) StopInstance

func (h *Host) StopInstance(ctx context.Context, projectID, zone, instance string) error

StopInstance stops the provided instance.

func (*Host) WaitGlobal

func (h *Host) WaitGlobal(project string, op *compute.Operation) []error

WaitGlobal will wait for the global operation to complete.

func (*Host) WaitZone

func (h *Host) WaitZone(project, zone string, op *compute.Operation) []error

WaitZone will wait for the zonal operation to complete.

type Logger

// Logger wraps a LoggerClient (see NewLogger); callers must call Close so
// buffered messages are sent.
type Logger struct {
	// contains filtered or unexported fields
}

Logger client.

func NewLogger

func NewLogger(l LoggerClient) *Logger

NewLogger initializes and returns a Logger struct.

func (*Logger) Close

func (l *Logger) Close()

Close closes the buffer and sends the buffered messages to Stackdriver.

func (*Logger) Debug

func (l *Logger) Debug(message string, a ...interface{})

Debug sends a message to the logger using debug as the severity.

func (*Logger) Error

func (l *Logger) Error(message string, a ...interface{})

Error sends a message to the logger using error as the severity.

func (*Logger) Info

func (l *Logger) Info(message string, a ...interface{})

Info sends a message to the logger using info as the severity.

func (*Logger) Warning

func (l *Logger) Warning(message string, a ...interface{})

Warning sends a message to the logger using warning as the severity.

type LoggerClient

// LoggerClient mirrors the Logger methods one-for-one. The message is a
// format string with a ...interface{} argument list; pass untrusted data as
// arguments, never spliced into the format string.
type LoggerClient interface {
	Info(message string, a ...interface{})
	Warning(message string, a ...interface{})
	Error(message string, a ...interface{})
	Debug(message string, a ...interface{})
	// Close flushes whatever the implementation has buffered.
	Close()
}

LoggerClient contains the minimum interface required by the logger service.

type Match added in v0.0.2

// Match pairs a list of resources to act on with a list to leave alone.
// How the two lists are reconciled is not shown here; see the caller.
type Match struct {
	Target  []MatchResource
	Exclude []MatchResource
}

type MatchResource added in v0.0.2

// MatchResource is a resource identifier string; its expected format is not
// documented in this listing.
type MatchResource string

type PagerDuty

// PagerDuty wraps a PagerDutyClient; construct it with NewPagerDuty or, from
// an API key, InitPagerDuty.
type PagerDuty struct {
	// contains filtered or unexported fields
}

PagerDuty service.

func InitPagerDuty

func InitPagerDuty(apiKey string) *PagerDuty

InitPagerDuty creates and initializes a new instance of PagerDuty.

func NewPagerDuty

func NewPagerDuty(cs PagerDutyClient) *PagerDuty

NewPagerDuty returns a PagerDuty service.

func (*PagerDuty) CreateIncident

func (p *PagerDuty) CreateIncident(ctx context.Context, from, serviceID, title, body string) error

CreateIncident will create an incident within PagerDuty.

type PagerDutyClient

// PagerDutyClient is the seam the PagerDuty service calls into.
// NOTE(review): CreateIncident takes no context although
// PagerDuty.CreateIncident does, so cancellation and deadlines stop here.
type PagerDutyClient interface {
	CreateIncident(from, serviceID, title, body string) (*pagerduty.Incident, error)
}

PagerDutyClient contains methods used by the PagerDuty service.

type PagerDutyConfiguration

type PagerDutyConfiguration struct {
	// APIKey is the PagerDuty API key, read from "api_key" in the
	// configuration file (see NewConfiguration). It is a credential: keep
	// that file access-restricted and out of source control, and do not log
	// the decoded struct.
	APIKey  string `json:"api_key"`
	// Enabled presumably gates incident creation; an absent key yields false.
	Enabled bool   `json:"enabled"`
	// ServiceID of the affected service within PagerDuty.
	ServiceID string `json:"service_id"`
	// From is the email address that sends the incident. This must be a valid user within PagerDuty.
	From string `json:"from"`
}

PagerDutyConfiguration contains configuration for the PagerDuty client.

type PubSub

// PubSub wraps a PubSubClient; construct it with NewPubSub or InitPubSub.
type PubSub struct {
	// contains filtered or unexported fields
}

PubSub service.

func InitPubSub

func InitPubSub(ctx context.Context, projectID string) (*PubSub, error)

InitPubSub creates and initializes a new instance of PubSub.

func NewPubSub

func NewPubSub(client PubSubClient) *PubSub

NewPubSub returns a PubSub service.

func (*PubSub) Publish

func (e *PubSub) Publish(ctx context.Context, topicID string, message *pubsub.Message) (string, error)

Publish will publish a message to a PubSub topic.

type PubSubClient

// PubSubClient is the subset of the Pub/Sub API the service uses: resolve a
// topic by ID, then publish to it.
type PubSubClient interface {
	Topic(string) *pubsub.Topic
	// Publish returns the server-assigned message ID on success.
	Publish(context.Context, *pubsub.Topic, *pubsub.Message) (string, error)
}

PubSubClient contains the minimum interface required by the service.

type RemoveNonOrgMembers

type RemoveNonOrgMembers struct {
	// Resources selects the folders, projects or organization the action
	// applies to. No json tag: matched by field name, case-insensitively.
	Resources    *Resources
	// AllowDomains lists the domains whose users are kept; presumably the
	// allowDomains argument of *OnlyKeepUsersFromDomains — confirm. An empty
	// list would leave no domain allowed, so validate it before acting.
	AllowDomains []string `json:"allow_domains"`
	// DryRun is read from "dry_run"; an absent key yields false, which
	// presumably means members are actually removed — confirm.
	DryRun       bool     `json:"dry_run"`
}

RemoveNonOrgMembers contains configuration required for remove non-org members function.

type RemovePublicIP

type RemovePublicIP struct {
	// Resources selects the folders, projects or organization the action
	// applies to. No json tag: matched by field name, case-insensitively.
	Resources *Resources
	// DryRun is read from "dry_run"; an absent key yields false, which
	// presumably means external IPs are actually removed — confirm.
	DryRun    bool `json:"dry_run"`
}

RemovePublicIP contains configuration required for the remove public IP function.

type Resource

// Resource wraps a resource-manager client and a storage client (see
// NewResource) for IAM and ancestry operations; both client interfaces are
// unexported and not shown here.
type Resource struct {
	// contains filtered or unexported fields
}

Resource service.

func NewResource

func NewResource(crm crmClient, s storageClient) *Resource

NewResource returns a new resource service.

func (*Resource) CheckMatches

func (r *Resource) CheckMatches(ctx context.Context, projectID string, target, ignore []string) (bool, error)

CheckMatches checks if a project is included in the target and not included in ignore.

func (*Resource) EnableAuditLogs

func (r *Resource) EnableAuditLogs(ctx context.Context, projectID string) (*crm.Policy, error)

EnableAuditLogs enables audit logs for all services and LogTypes.

func (*Resource) EnableBucketOnlyPolicy

func (r *Resource) EnableBucketOnlyPolicy(ctx context.Context, bucketName string) error

EnableBucketOnlyPolicy enables the bucket-only policy for the given bucket.

func (*Resource) GetProjectAncestry

func (r *Resource) GetProjectAncestry(ctx context.Context, projectID string) ([]string, error)

GetProjectAncestry returns a slice of the project's ancestry.

func (*Resource) IfProjectInFolders

func (r *Resource) IfProjectInFolders(ctx context.Context, ids []string, projectID string, fn func() error) error

IfProjectInFolders will apply the function if the project ID is within the folder IDs.

func (*Resource) IfProjectInOrg

func (r *Resource) IfProjectInOrg(ctx context.Context, orgID, projectID string, fn func() error) error

IfProjectInOrg will apply the function if the project ID is within the organization.

func (*Resource) IfProjectInProjects

func (r *Resource) IfProjectInProjects(ctx context.Context, ids []string, projectID string, fn func() error) error

IfProjectInProjects will apply the function if the project ID is within the project IDs.

func (*Resource) IfProjectWithinResources

func (r *Resource) IfProjectWithinResources(ctx context.Context, conf *Resources, projectID string, fn func() error) error

IfProjectWithinResources executes the provided function if the project ID is within (a descendant of) any of the provided resources.

func (*Resource) Organization

func (r *Resource) Organization(ctx context.Context, orgID string) (*crm.Organization, error)

Organization returns the organization name for the given organization resource.

func (*Resource) OrganizationOnlyKeepUsersFromDomains

func (r *Resource) OrganizationOnlyKeepUsersFromDomains(ctx context.Context, orgID string, allowDomains []string) ([]string, error)

OrganizationOnlyKeepUsersFromDomains removes all users from an organization except where the user matches allowed domains.

func (*Resource) PolicyOrganization

func (r *Resource) PolicyOrganization(ctx context.Context, name string) (*crm.Policy, error)

PolicyOrganization returns the IAM policy for the given resource name.

func (*Resource) ProjectOnlyKeepUsersFromDomains

func (r *Resource) ProjectOnlyKeepUsersFromDomains(ctx context.Context, projectID string, allowDomains []string) ([]string, error)

ProjectOnlyKeepUsersFromDomains removes users from the policy if they do not match the domain. (Non-users are not affected.)

func (*Resource) RemoveMembersFromBucket

func (r *Resource) RemoveMembersFromBucket(ctx context.Context, bucketName string, members []string) error

RemoveMembersFromBucket removes members from the bucket.

func (*Resource) RemoveUsersProject

func (r *Resource) RemoveUsersProject(ctx context.Context, projectID string, remove []string) error

RemoveUsersProject removes a slice of users from a project.

type Resources

// Resources is the scope filter shared by every action configuration and
// consumed by Resource.IfProjectWithinResources. Leaving all three empty
// presumably matches nothing rather than everything — confirm.
type Resources struct {
	FolderIDs      []string `json:"folder_ids"`
	ProjectIDs     []string `json:"project_ids"`
	OrganizationID string   `json:"organization_id"`
}

Resources represents common resource IDs used for configuration.

type Router added in v0.0.2

// Router is the routing section of Configuration. It has no json tags, so
// ProjectID is matched by field name (case-insensitively), not "project_id".
type Router struct {
	ProjectID string
}

type StackDriverLog

// StackDriverLog holds the two log-entry fields this package reads. The tags
// are camelCase, unlike the snake_case used elsewhere in the package, because
// they presumably mirror the Stackdriver LogEntry JSON — do not "fix" them.
type StackDriverLog struct {
	InsertID string `json:"insertId"`
	LogName  string `json:"logName"`
}

StackDriverLog holds the fields parsed from a Stackdriver log entry.

type TurbiniaRequest

// TurbiniaRequest is the JSON body sent to Turbinia, presumably by
// SendTurbinia — confirm.
type TurbiniaRequest struct {
	// RequestID identifies the request; how it is generated is not shown here.
	RequestID string            `json:"request_id"`
	Type      string            `json:"type"`
	// Evidence lists the disks to process.
	Evidence  []GoogleCloudDisk `json:"evidence"`
}

TurbiniaRequest is a request to send to Turbinia.

type UpdatePassword

type UpdatePassword struct {
	// Resources selects the folders, projects or organization the action
	// applies to. No json tag: matched by field name, case-insensitively.
	Resources *Resources
	// DryRun is read from "dry_run"; an absent key yields false, which
	// presumably means the password is actually rotated — confirm.
	DryRun    bool `json:"dry_run"`
}

UpdatePassword contains configuration required for the update password function.
