diff --git a/security-command-center/snippets/src/main/java/bigqueryexport/CreateBigQueryExport.java b/security-command-center/snippets/src/main/java/bigqueryexport/CreateBigQueryExport.java new file mode 100644 index 00000000000..5a55cf95f7d --- /dev/null +++ b/security-command-center/snippets/src/main/java/bigqueryexport/CreateBigQueryExport.java @@ -0,0 +1,89 @@ +/* + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package bigqueryexport; + +// [START securitycenter_create_bigquery_export] + +import com.google.cloud.securitycenter.v1.BigQueryExport; +import com.google.cloud.securitycenter.v1.CreateBigQueryExportRequest; +import com.google.cloud.securitycenter.v1.SecurityCenterClient; +import java.io.IOException; +import java.util.UUID; + +public class CreateBigQueryExport { + + public static void main(String[] args) throws IOException { + // TODO(Developer): Modify the following variable values. + + // parent: Use any one of the following resource paths: + // - organizations/{organization_id} + // - folders/{folder_id} + // - projects/{project_id} + String parent = String.format("projects/%s", "your-google-cloud-project-id"); + + // filter: Expression that defines the filter to apply across create/update events of findings. + String filter = + "severity=\"LOW\" OR severity=\"MEDIUM\" AND " + + "category=\"Persistence: IAM Anomalous Grant\" AND " + + "-resource.type:\"compute\""; + + // bigQueryDatasetId: The BigQuery dataset to write findings' updates to. + String bigQueryDatasetId = "your-bigquery-dataset-id"; + + // bigQueryExportId: Unique identifier provided by the client. + // For more info, see: + // https://cloud.google.com/security-command-center/docs/how-to-analyze-findings-in-big-query#export_findings_from_to + String bigQueryExportId = "default-" + UUID.randomUUID().toString().split("-")[0]; + + createBigQueryExport(parent, filter, bigQueryDatasetId, bigQueryExportId); + } + + // Create export configuration to export findings from a project to a BigQuery dataset. + // Optionally specify filter to export certain findings only. + public static void createBigQueryExport( + String parent, String filter, String bigQueryDatasetId, String bigQueryExportId) + throws IOException { + // Initialize client that will be used to send requests. This client only needs to be created + // once, and can be reused for multiple requests. After completing all of your requests, call + // the "close" method on the client to safely clean up any remaining background resources. + try (SecurityCenterClient client = SecurityCenterClient.create()) { + + // Create the BigQuery export configuration. + BigQueryExport bigQueryExport = + BigQueryExport.newBuilder() + .setDescription( + "Export low and medium findings if the compute resource " + + "has an IAM anomalous grant") + .setFilter(filter) + .setDataset(String.format("%s/datasets/%s", parent, bigQueryDatasetId)) + .build(); + + CreateBigQueryExportRequest bigQueryExportRequest = + CreateBigQueryExportRequest.newBuilder() + .setParent(parent) + .setBigQueryExport(bigQueryExport) + .setBigQueryExportId(bigQueryExportId) + .build(); + + // Create the export request. + BigQueryExport response = client.createBigQueryExport(bigQueryExportRequest); + + System.out.printf("BigQuery export request created successfully: %s\n", response.getName()); + } + } +} +// [END securitycenter_create_bigquery_export] diff --git a/security-command-center/snippets/src/main/java/bigqueryexport/DeleteBigQueryExport.java b/security-command-center/snippets/src/main/java/bigqueryexport/DeleteBigQueryExport.java new file mode 100644 index 00000000000..389ca93cb93 --- /dev/null +++ b/security-command-center/snippets/src/main/java/bigqueryexport/DeleteBigQueryExport.java @@ -0,0 +1,60 @@ +/* + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package bigqueryexport; + +// [START securitycenter_delete_bigquery_export] + +import com.google.cloud.securitycenter.v1.DeleteBigQueryExportRequest; +import com.google.cloud.securitycenter.v1.SecurityCenterClient; +import java.io.IOException; + +public class DeleteBigQueryExport { + + public static void main(String[] args) throws IOException { + // TODO(Developer): Modify the following variable values. + + // parent: Use any one of the following resource paths: + // - organizations/{organization_id} + // - folders/{folder_id} + // - projects/{project_id} + String parent = String.format("projects/%s", "your-google-cloud-project-id"); + + // bigQueryExportId: Unique identifier that is used to identify the export. + String bigQueryExportId = "export-id"; + + deleteBigQueryExport(parent, bigQueryExportId); + } + + // Delete an existing BigQuery export. + public static void deleteBigQueryExport(String parent, String bigQueryExportId) + throws IOException { + // Initialize client that will be used to send requests. This client only needs to be created + // once, and can be reused for multiple requests. After completing all of your requests, call + // the "close" method on the client to safely clean up any remaining background resources. + try (SecurityCenterClient client = SecurityCenterClient.create()) { + + DeleteBigQueryExportRequest bigQueryExportRequest = + DeleteBigQueryExportRequest.newBuilder() + .setName(String.format("%s/bigQueryExports/%s", parent, bigQueryExportId)) + .build(); + + client.deleteBigQueryExport(bigQueryExportRequest); + System.out.printf("BigQuery export request deleted successfully: %s", bigQueryExportId); + } + } +} +// [END securitycenter_delete_bigquery_export] diff --git a/security-command-center/snippets/src/main/java/bigqueryexport/GetBigQueryExport.java b/security-command-center/snippets/src/main/java/bigqueryexport/GetBigQueryExport.java new file mode 100644 index 00000000000..49d91b710a2 --- /dev/null +++ b/security-command-center/snippets/src/main/java/bigqueryexport/GetBigQueryExport.java @@ -0,0 +1,60 @@ +/* + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package bigqueryexport; + +// [START securitycenter_get_bigquery_export] + +import com.google.cloud.securitycenter.v1.BigQueryExport; +import com.google.cloud.securitycenter.v1.GetBigQueryExportRequest; +import com.google.cloud.securitycenter.v1.SecurityCenterClient; +import java.io.IOException; + +public class GetBigQueryExport { + + public static void main(String[] args) throws IOException { + // TODO(Developer): Modify the following variable values. + + // parent: Use any one of the following resource paths: + // - organizations/{organization_id} + // - folders/{folder_id} + // - projects/{project_id} + String parent = String.format("projects/%s", "your-google-cloud-project-id"); + + // bigQueryExportId: Unique identifier that is used to identify the export. + String bigQueryExportId = "export-id"; + + getBigQueryExport(parent, bigQueryExportId); + } + + // Retrieve an existing BigQuery export. + public static void getBigQueryExport(String parent, String bigQueryExportId) throws IOException { + // Initialize client that will be used to send requests. This client only needs to be created + // once, and can be reused for multiple requests. After completing all of your requests, call + // the "close" method on the client to safely clean up any remaining background resources. + try (SecurityCenterClient client = SecurityCenterClient.create()) { + + GetBigQueryExportRequest bigQueryExportRequest = + GetBigQueryExportRequest.newBuilder() + .setName(String.format("%s/bigQueryExports/%s", parent, bigQueryExportId)) + .build(); + + BigQueryExport response = client.getBigQueryExport(bigQueryExportRequest); + System.out.printf("Retrieved the BigQuery export: %s", response.getName()); + } + } +} +// [END securitycenter_get_bigquery_export] diff --git a/security-command-center/snippets/src/main/java/bigqueryexport/ListBigQueryExports.java b/security-command-center/snippets/src/main/java/bigqueryexport/ListBigQueryExports.java new file mode 100644 index 00000000000..37bf49b0198 --- /dev/null +++ b/security-command-center/snippets/src/main/java/bigqueryexport/ListBigQueryExports.java @@ -0,0 +1,61 @@ +/* + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package bigqueryexport; + +// [START securitycenter_list_bigquery_export] + +import com.google.cloud.securitycenter.v1.BigQueryExport; +import com.google.cloud.securitycenter.v1.ListBigQueryExportsRequest; +import com.google.cloud.securitycenter.v1.SecurityCenterClient; +import com.google.cloud.securitycenter.v1.SecurityCenterClient.ListBigQueryExportsPagedResponse; +import java.io.IOException; + +public class ListBigQueryExports { + + public static void main(String[] args) throws IOException { + // TODO(Developer): Modify the following variable values. + + // parent: The parent, which owns the collection of BigQuery exports. + // Use any one of the following resource paths: + // - organizations/{organization_id} + // - folders/{folder_id} + // - projects/{project_id} + String parent = String.format("projects/%s", "your-google-cloud-project-id"); + + listBigQueryExports(parent); + } + + // List BigQuery exports in the given parent. + public static void listBigQueryExports(String parent) throws IOException { + // Initialize client that will be used to send requests. This client only needs to be created + // once, and can be reused for multiple requests. After completing all of your requests, call + // the "close" method on the client to safely clean up any remaining background resources. + try (SecurityCenterClient client = SecurityCenterClient.create()) { + + ListBigQueryExportsRequest request = + ListBigQueryExportsRequest.newBuilder().setParent(parent).build(); + + ListBigQueryExportsPagedResponse response = client.listBigQueryExports(request); + + System.out.println("Listing BigQuery exports:"); + for (BigQueryExport bigQueryExport : response.iterateAll()) { + System.out.println(bigQueryExport.getName()); + } + } + } +} +// [END securitycenter_list_bigquery_export] diff --git a/security-command-center/snippets/src/main/java/bigqueryexport/UpdateBigQueryExport.java b/security-command-center/snippets/src/main/java/bigqueryexport/UpdateBigQueryExport.java new file mode 100644 index 00000000000..6c2c94b379e --- /dev/null +++ b/security-command-center/snippets/src/main/java/bigqueryexport/UpdateBigQueryExport.java @@ -0,0 +1,86 @@ +/* + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package bigqueryexport; + +// [START securitycenter_update_bigquery_export] + +import com.google.cloud.securitycenter.v1.BigQueryExport; +import com.google.cloud.securitycenter.v1.SecurityCenterClient; +import com.google.cloud.securitycenter.v1.UpdateBigQueryExportRequest; +import com.google.protobuf.FieldMask; +import java.io.IOException; + +public class UpdateBigQueryExport { + + public static void main(String[] args) throws IOException { + // TODO(Developer): Modify the following variable values. + + // parent: Use any one of the following resource paths: + // - organizations/{organization_id} + // - folders/{folder_id} + // - projects/{project_id} + String parent = String.format("projects/%s", "your-google-cloud-project-id"); + + // filter: Expression that defines the filter to apply across create/update events of findings. + String filter = + "severity=\"LOW\" OR severity=\"MEDIUM\" AND " + + "category=\"Persistence: IAM Anomalous Grant\" AND " + + "-resource.type:\"compute\""; + + // bigQueryExportId: Unique identifier provided by the client. + // For more info, see: + // https://cloud.google.com/security-command-center/docs/how-to-analyze-findings-in-big-query#export_findings_from_to + String bigQueryExportId = "big-query-export-id"; + + updateBigQueryExport(parent, filter, bigQueryExportId); + } + + // Updates an existing BigQuery export. + public static void updateBigQueryExport(String parent, String filter, String bigQueryExportId) + throws IOException { + // Initialize client that will be used to send requests. This client only needs to be created + // once, and can be reused for multiple requests. After completing all of your requests, call + // the "close" method on the client to safely clean up any remaining background resources. + try (SecurityCenterClient client = SecurityCenterClient.create()) { + + // Set the new values for export configuration. + BigQueryExport bigQueryExport = + BigQueryExport.newBuilder() + .setName(String.format("%s/bigQueryExports/%s", parent, bigQueryExportId)) + .setFilter(filter) + .build(); + + UpdateBigQueryExportRequest request = + UpdateBigQueryExportRequest.newBuilder() + .setBigQueryExport(bigQueryExport) + // Set the update mask to specify which properties should be updated. + // If empty, all mutable fields will be updated. + // For more info on constructing field mask path, see the proto or: + // https://cloud.google.com/java/docs/reference/protobuf/latest/com.google.protobuf.FieldMask + .setUpdateMask(FieldMask.newBuilder().addPaths("filter").build()) + .build(); + + BigQueryExport response = client.updateBigQueryExport(request); + if (!response.getFilter().equalsIgnoreCase(filter)) { + System.out.println("Failed to update BigQueryExport!"); + return; + } + System.out.println("BigQueryExport updated successfully!"); + } + } +} +// [END securitycenter_update_bigquery_export] diff --git a/security-command-center/snippets/src/test/java/BigQueryExportIT.java b/security-command-center/snippets/src/test/java/BigQueryExportIT.java new file mode 100644 index 00000000000..0e1e1c808a9 --- /dev/null +++ b/security-command-center/snippets/src/test/java/BigQueryExportIT.java @@ -0,0 +1,159 @@ +/* + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +import static com.google.common.truth.Truth.assertThat; +import static com.google.common.truth.Truth.assertWithMessage; + +import bigqueryexport.CreateBigQueryExport; +import bigqueryexport.DeleteBigQueryExport; +import bigqueryexport.GetBigQueryExport; +import bigqueryexport.ListBigQueryExports; +import bigqueryexport.UpdateBigQueryExport; +import com.google.cloud.bigquery.BigQuery; +import com.google.cloud.bigquery.BigQueryException; +import com.google.cloud.bigquery.BigQueryOptions; +import com.google.cloud.bigquery.Dataset; +import com.google.cloud.bigquery.DatasetInfo; +import com.google.cloud.testing.junit4.MultipleAttemptsRule; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.PrintStream; +import java.util.UUID; +import org.junit.After; +import org.junit.AfterClass; +import org.junit.Assert; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Rule; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.JUnit4; + +@RunWith(JUnit4.class) +public class BigQueryExportIT { + @Rule public final MultipleAttemptsRule multipleAttemptsRule = new MultipleAttemptsRule(5); + + // TODO(Developer): Replace the below variables. + private static final String PROJECT_ID = System.getenv("GOOGLE_CLOUD_PROJECT"); + private static final String BQ_DATASET_NAME = + "sampledataset_" + UUID.randomUUID().toString().split("-")[0]; + private static final String BQ_EXPORT_ID = + "default-" + UUID.randomUUID().toString().split("-")[0]; + + private static ByteArrayOutputStream stdOut; + + // Check if the required environment variables are set. + public static void requireEnvVar(String envVarName) { + assertWithMessage(String.format("Missing environment variable '%s' ", envVarName)) + .that(System.getenv(envVarName)) + .isNotEmpty(); + } + + @BeforeClass + public static void setUp() throws IOException { + final PrintStream out = System.out; + stdOut = new ByteArrayOutputStream(); + System.setOut(new PrintStream(stdOut)); + + requireEnvVar("GOOGLE_APPLICATION_CREDENTIALS"); + requireEnvVar("GOOGLE_CLOUD_PROJECT"); + + // Create a BigQuery dataset. + createBigQueryDataset(BQ_DATASET_NAME); + // Create export request. + String filter = "severity=\"LOW\" OR severity=\"MEDIUM\""; + CreateBigQueryExport.createBigQueryExport( + String.format("projects/%s", PROJECT_ID), filter, BQ_DATASET_NAME, BQ_EXPORT_ID); + + stdOut = null; + System.setOut(out); + } + + @AfterClass + public static void cleanUp() throws IOException { + final PrintStream out = System.out; + stdOut = new ByteArrayOutputStream(); + System.setOut(new PrintStream(stdOut)); + + // Delete BigQuery Dataset and export request. + deleteBigQueryDataset(BQ_DATASET_NAME); + DeleteBigQueryExport.deleteBigQueryExport( + String.format("projects/%s", PROJECT_ID), BQ_EXPORT_ID); + assertThat(stdOut.toString()) + .contains(String.format("BigQuery export request deleted successfully: %s", BQ_EXPORT_ID)); + + stdOut = null; + System.setOut(out); + } + + private static void createBigQueryDataset(String datasetName) { + try { + BigQuery bigquery = BigQueryOptions.getDefaultInstance().getService(); + + DatasetInfo datasetInfo = DatasetInfo.newBuilder(datasetName).build(); + + Dataset newDataset = bigquery.create(datasetInfo); + String newDatasetName = newDataset.getDatasetId().getDataset(); + System.out.println(newDatasetName + " created successfully"); + } catch (BigQueryException e) { + if (e.toString().contains("Already Exists: Dataset")) { + return; + } + Assert.fail("Dataset was not created. \n" + e); + } + } + + private static void deleteBigQueryDataset(String datasetName) { + try { + BigQuery bigquery = BigQueryOptions.getDefaultInstance().getService(); + Assert.assertTrue("Deleted BigQuery dataset", bigquery.delete(datasetName)); + } catch (BigQueryException e) { + Assert.fail("Dataset was not deleted. \n" + e); + } + } + + @Before + public void beforeEach() { + stdOut = new ByteArrayOutputStream(); + System.setOut(new PrintStream(stdOut)); + } + + @After + public void afterEach() { + stdOut = null; + System.setOut(null); + } + + @Test + public void testGetBigQueryExport() throws IOException { + GetBigQueryExport.getBigQueryExport(String.format("projects/%s", PROJECT_ID), BQ_EXPORT_ID); + assertThat(stdOut.toString()).contains(BQ_EXPORT_ID); + } + + @Test + public void testListBigQueryExports() throws IOException { + ListBigQueryExports.listBigQueryExports(String.format("projects/%s", PROJECT_ID)); + assertThat(stdOut.toString()).contains(BQ_EXPORT_ID); + } + + @Test + public void testUpdateBigQueryExport() throws IOException { + String filter = "severity=\"MEDIUM\""; + UpdateBigQueryExport.updateBigQueryExport( + String.format("projects/%s", PROJECT_ID), filter, BQ_EXPORT_ID); + assertThat(stdOut.toString()).contains("BigQueryExport updated successfully!"); + } +}