Merge pull request #304 from nccgroup/refactoring/gcp/cloudstorage

Refactoring/gcp/cloudstorage

ScoutSuite/output/data/html/partials/gcp/services.cloudstorage.buckets.html → ScoutSuite/output/data/html/partials/gcp/services.cloudstorage.projects.id.buckets.html

@@ -1,20 +1,20 @@
 
 <!-- Cloud Storage bucket partial -->
-<script id="services.cloudstorage.buckets.partial" type="text/x-handlebars-template">
+<script id="services.cloudstorage.projects.id.buckets.partial" type="text/x-handlebars-template">
     <div id="resource-name" class="list-group-item active">
         <h4 class="list-group-item-heading">{{name}}</h4>
     </div>
     <div class="list-group-item">
         <h4 class="list-group-item-heading">Information</h4>
-        <div class="list-group-item-text item-margin">Project ID: <span id="cloudstorage.buckets.{{@key}}.project_id">{{project_id}}</span></div>
-        <div class="list-group-item-text item-margin">Creation Date: <span id="cloudstorage.buckets.{{@key}}.creation_date">{{creation_date}}</span></div>
-        <div class="list-group-item-text item-margin">Location: <span id="cloudstorage.buckets.{{@key}}.location">{{location}}</span></div>
-        <div class="list-group-item-text item-margin">Storage Class: <span id="cloudstorage.buckets.{{@key}}.storage_class">{{storage_class}}</span></div>
-        <div class="list-group-item-text item-margin">Logging: <span id="cloudstorage.buckets.{{@key}}.logging_enabled">{{convert_bool_to_enabled logging_enabled}}</span></div>
-        <div class="list-group-item-text item-margin">Versioning: <span id="cloudstorage.buckets.{{@key}}.versioning">{{convert_bool_to_enabled versioning_status}}</span></div>
+        <div class="list-group-item-text item-margin">Project ID: <span id="cloudstorage.projects.{{@../key}}.buckets.{{@key}}.project_id">{{project_id}}</span></div>
+        <div class="list-group-item-text item-margin">Creation Date: <span id="cloudstorage.projects.{{@../key}}.buckets.{{@key}}.creation_date">{{creation_date}}</span></div>
+        <div class="list-group-item-text item-margin">Location: <span id="cloudstorage.projects.{{@../key}}.buckets.{{@key}}.location">{{location}}</span></div>
+        <div class="list-group-item-text item-margin">Storage Class: <span id="cloudstorage.projects.{{@../key}}.buckets.{{@key}}.storage_class">{{storage_class}}</span></div>
+        <div class="list-group-item-text item-margin">Logging: <span id="cloudstorage.projects.{{@../key}}.buckets.{{@key}}.logging_enabled">{{convert_bool_to_enabled logging_enabled}}</span></div>
+        <div class="list-group-item-text item-margin">Versioning: <span id="cloudstorage.projects.{{@../key}}.buckets.{{@key}}.versioning">{{convert_bool_to_enabled versioning_status}}</span></div>
     </div>
     <div class="list-group-item">
-        <h4 id="cloudstorage.buckets.{{@key}}.permissions" class="list-group-item-heading">Permissions</h4>
+        <h4 id="cloudstorage.projects.{{@../key}}.buckets.{{@key}}.permissions" class="list-group-item-heading">Permissions</h4>
         <div class="accordion-inner">
             <ul>
                 {{#each acl_configuration}}
@@ -33,12 +33,12 @@ <h4 id="cloudstorage.buckets.{{@key}}.permissions" class="list-group-item-headin
 </script>
 
 <script>
-    Handlebars.registerPartial("services.cloudstorage.buckets", $("#services\\.cloudstorage\\.buckets\\.partial").html());
+    Handlebars.registerPartial("services.cloudstorage.projects.id.buckets", $("#services\\.cloudstorage\\.projects\\.id\\.buckets\\.partial").html());
 </script>
 
 <!-- Single cloudstorage bucket template -->
 <script id="single_cloudstorage_bucket-template" type="text/x-handlebars-template">
-    {{> modal-template template='services.cloudstorage.buckets'}}
+    {{> modal-template template='services.cloudstorage.projects.id.buckets'}}
 </script>
 <script>
     var single_cloudstorage_bucket_template = Handlebars.compile($("#single_cloudstorage_bucket-template").html());

ScoutSuite/providers/gcp/configs/services.py

@@ -2,10 +2,10 @@
 from ScoutSuite.providers.gcp.facade.gcp import GCPFacade
 from ScoutSuite.providers.gcp.resources.cloudresourcemanager.service import CloudResourceManager
 from ScoutSuite.providers.gcp.resources.cloudsql.service import CloudSQL
+from ScoutSuite.providers.gcp.resources.cloudstorage.service import CloudStorage
 from ScoutSuite.providers.gcp.resources.gce.service import ComputeEngine
 from ScoutSuite.providers.gcp.resources.iam.service import IAM
 from ScoutSuite.providers.gcp.resources.stackdriverlogging.service import StackdriverLogging
-from ScoutSuite.providers.gcp.services.cloudstorage import CloudStorageConfig
 
 # Try to import proprietary services
 try:
@@ -24,8 +24,8 @@ def __init__(self, credentials=None, thread_config=4, projects=None, **kwargs):
         gcp_facade = GCPFacade()
 
         self.cloudresourcemanager = CloudResourceManager(gcp_facade)
-        self.cloudstorage = CloudStorageConfig(thread_config=thread_config)
         self.cloudsql = CloudSQL(gcp_facade)
+        self.cloudstorage = CloudStorage(gcp_facade)
         self.computeengine = ComputeEngine(gcp_facade)
         self.iam = IAM(gcp_facade)
 

ScoutSuite/providers/gcp/facade/cloudstorage.py

@@ -0,0 +1,19 @@
+import asyncio
+from google.cloud import storage
+from ScoutSuite.providers.utils import run_concurrently, get_and_set_concurrently
+
+class CloudStorageFacade:
+    async def get_buckets(self, project_id: str):
+        client = storage.Client(project=project_id)
+        buckets = await run_concurrently(lambda: list(client.list_buckets()))
+        await get_and_set_concurrently([self._get_and_set_bucket_logging, 
+            self._get_and_set_bucket_iam_policy], buckets)
+        return buckets
+
+    async def _get_and_set_bucket_logging(self, bucket):
+        bucket_logging = await run_concurrently(lambda: bucket.get_logging())
+        setattr(bucket, 'logging', bucket_logging)
+
+    async def _get_and_set_bucket_iam_policy(self, bucket):
+        bucket_iam_policy = await run_concurrently(lambda: bucket.get_iam_policy())
+        setattr(bucket, 'iam_policy', bucket_iam_policy)

ScoutSuite/providers/gcp/facade/gcp.py

@@ -1,6 +1,7 @@
 from ScoutSuite.providers.gcp.facade.base import GCPBaseFacade
 from ScoutSuite.providers.gcp.facade.cloudresourcemanager import CloudResourceManagerFacade
 from ScoutSuite.providers.gcp.facade.cloudsql import CloudSQLFacade
+from ScoutSuite.providers.gcp.facade.cloudstorage import CloudStorageFacade
 from ScoutSuite.providers.gcp.facade.gce import GCEFacade
 from ScoutSuite.providers.gcp.facade.iam import IAMFacade
 from ScoutSuite.providers.gcp.facade.stackdriverlogging import StackdriverLoggingFacade
@@ -11,6 +12,7 @@ def __init__(self):
         super(GCPFacade, self).__init__('cloudresourcemanager', 'v1')
         self.cloudresourcemanager = CloudResourceManagerFacade()
         self.cloudsql = CloudSQLFacade()
+        self.cloudstorage = CloudStorageFacade()
         self.gce = GCEFacade()
         self.iam = IAMFacade()
         self.stackdriverlogging = StackdriverLoggingFacade()

ScoutSuite/providers/gcp/metadata.json

@@ -56,7 +56,7 @@
       "resources": {
         "buckets": {
           "cols": 2,
-          "path": "services.cloudstorage.buckets"
+          "path": "services.cloudstorage.projects.id.buckets"
         }
       }
     }

ScoutSuite/providers/gcp/resources/cloudstorage/buckets.py

@@ -0,0 +1,41 @@
+from ScoutSuite.core.console import print_exception
+from ScoutSuite.providers.base.configs.resources import Resources
+from ScoutSuite.providers.gcp.facade.gcp import GCPFacade
+from ScoutSuite.providers.utils import get_non_provider_id
+
+class Buckets(Resources):
+    def __init__(self, gcp_facade: GCPFacade, project_id: str):
+        self.gcp_facade = gcp_facade
+        self.project_id = project_id
+
+    async def fetch_all(self):
+        raw_buckets = await self.gcp_facade.cloudstorage.get_buckets(self.project_id)
+        for raw_bucket in raw_buckets:
+            bucket_id, bucket = self._parse_bucket(raw_bucket)
+            self[bucket_id] = bucket
+
+    def _parse_bucket(self, raw_bucket):
+        bucket_dict = {}
+        bucket_dict['id'] = get_non_provider_id(raw_bucket.id)
+        bucket_dict['name'] = raw_bucket.name
+        bucket_dict['project_id'] = self.project_id
+        bucket_dict['project_number'] = raw_bucket.project_number
+        bucket_dict['creation_date'] = raw_bucket.time_created
+        bucket_dict['location'] = raw_bucket.location
+        bucket_dict['storage_class'] = raw_bucket.storage_class.lower()
+        bucket_dict['versioning_status_enabled'] = raw_bucket.versioning_enabled
+        bucket_dict['logging_enabled'] = raw_bucket.logging is not None
+        bucket_dict['acl_configuration'] = self._get_cloudstorage_bucket_acl(raw_bucket)
+        return bucket_dict['id'], bucket_dict
+
+    def _get_cloudstorage_bucket_acl(self, raw_bucket):
+        bucket_acls = raw_bucket.iam_policy      
+        acl_config = {}
+        for role in bucket_acls._bindings:
+            for member in bucket_acls[role]:
+                if member.split(':')[0] not in ['projectEditor', 'projectViewer', 'projectOwner']:
+                    if member not in acl_config:
+                        acl_config[member] = [role]
+                    else:
+                        acl_config[member].append(role)
+        return acl_config

ScoutSuite/providers/gcp/resources/cloudstorage/service.py

@@ -0,0 +1,8 @@
+from ScoutSuite.providers.gcp.facade.gcp import GCPFacade
+from ScoutSuite.providers.gcp.resources.projects import Projects
+from ScoutSuite.providers.gcp.resources.cloudstorage.buckets import Buckets
+
+class CloudStorage(Projects):
+    _children = [ 
+        (Buckets, 'buckets')
+    ]

ScoutSuite/providers/gcp/rules/findings/cloudstorage-bucket-member.json

@@ -4,10 +4,10 @@
   "description": "_ARG_1_",
   "rationale": "Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed (CIS 5.1).",
   "dashboard_name": "Buckets",
-  "display_path": "cloudstorage.buckets.id",
-  "path": "cloudstorage.buckets.id.acl_configuration",
+  "display_path": "cloudstorage.projects.id.buckets.id",
+  "path": "cloudstorage.projects.id.buckets.id.acl_configuration",
   "conditions": [ "and",
-    [ "cloudstorage.buckets.id.acl_configuration", "withKey", "_ARG_0_"]
+    [ "cloudstorage.projects.id.buckets.id.acl_configuration", "withKey", "_ARG_0_"]
   ],
   "id_suffix": "permissions"
 }

ScoutSuite/providers/gcp/rules/findings/cloudstorage-bucket-no-logging.json

@@ -2,9 +2,9 @@
     "dashboard_name": "Buckets",
     "description": "Buckets should have logging enabled",
     "rationale": "By enabling access and storage logs on target Storage buckets, it is possible to capture all events which may affect objects within target buckets (CIS 5.3).",
-    "path": "cloudstorage.buckets.id",
+    "path": "cloudstorage.projects.id.buckets.id",
     "conditions": [ "and",
-        [ "cloudstorage.buckets.id.logging_enabled", "false", "" ]
+        [ "cloudstorage.projects.id.buckets.id.logging_enabled", "false", "" ]
     ],
-    "id_suffix": "logging"
+    "id_suffix": "logging_enabled"
 }

ScoutSuite/providers/gcp/rules/findings/cloudstorage-bucket-no-versioning.json

@@ -1,9 +1,9 @@
 {
     "dashboard_name": "Buckets",
     "description": "Bucket without versioning",
-    "path": "cloudstorage.buckets.id",
+    "path": "cloudstorage.projects.id.buckets.id",
     "conditions": [ "and",
-        [ "cloudstorage.buckets.id.versioning_status_enabled", "false", "" ]
+        [ "cloudstorage.projects.id.buckets.id.versioning_status_enabled", "false", "" ]
     ],
     "id_suffix": "versioning"
 }