Merge pull request #23 from cloudgraphdev/feature/CG-1320-support-access-approval

feat(CG-1320): add gcp access approval service support

Author: tyler-dunkel

README.md

@@ -64,6 +64,7 @@ CloudGraph GCP Provider will ask you what regions you would like to crawl and wi
 
 | Service                               | Relations                                                                                                                           |
 | ------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| accessApproval                        | project                                                                                                                             |
 | aiPlatformNotebooks                   | project, kmsCryptoKeys, network, subnet                                                                                             |
 | alertPolicy                           | project                                                                                                                             |
 | apiGatewayGateways                    | project, apiGatewayApis, apiGatewayApiConfigs                                                                                       |

package.json

@@ -32,6 +32,7 @@
   },
   "dependencies": {
     "@cloudgraph/sdk": "0.22.1",
+    "@google-cloud/access-approval": "^2.1.2",
     "@google-cloud/api-gateway": "^1.2.1",
     "@google-cloud/asset": "^3.22.0",
     "@google-cloud/bigquery": "^5.10.0",

src/enums/schemasMap.ts

@@ -54,5 +54,6 @@ export default {
   [services.apiGatewayApiConfig]: 'gcpApiGatewayApiConfig',
   [services.firestoreDatabase]: 'gcpFirestoreDatabase',
   [services.essentialContacts]: 'gcpEssentialContact',
+  [services.accessApproval]: 'gcpAccessApproval',
   tag: 'gcpTag',
 }

src/enums/serviceMap.ts

@@ -51,6 +51,7 @@ import GcpLabel from '../services/label'
 import GcpTag from '../services/tag'
 import GcpBilling from '../services/billing'
 import GcpEssentialContacts from '../services/essentialContacts'
+import GcpAccessApproval from '../services/accessApproval'
 
 /**
  * serviceMap is an object that contains all currently supported services
@@ -107,6 +108,7 @@ export default {
   [services.apiGatewayApiConfig]: GcpApiGatewayApiConfig,
   [services.firestoreDatabase]: GcpFirestoreDatabase,
   [services.essentialContacts]: GcpEssentialContacts,
+  [services.accessApproval]: GcpAccessApproval,
   label: GcpLabel,
   tag: GcpTag,
 }

src/enums/services.ts

@@ -55,7 +55,7 @@ export default {
   // spanner: 'spanner',
   // activeDirectory: 'active-directory',
   // identity: 'identity',
-  // accessApproval: 'access-approval',
+  accessApproval: 'accessApproval',
   // accessContextManager: 'access-context-manager',
   // auth: 'auth',
   folder: 'folder',

src/services/accessApproval/data.ts

@@ -0,0 +1,55 @@
+import { AccessApprovalClient } from '@google-cloud/access-approval'
+import { google } from '@google-cloud/access-approval/build/protos/protos'
+import CloudGraph from '@cloudgraph/sdk'
+import groupBy from 'lodash/groupBy'
+import gcpLoggerText from '../../properties/logger'
+import { GcpServiceInput } from '../../types'
+import { initTestEndpoint, generateGcpErrorLog } from '../../utils'
+import { GLOBAL_REGION } from '../../config/constants'
+
+const lt = { ...gcpLoggerText }
+const { logger } = CloudGraph
+const serviceName = 'AccessApproval'
+const apiEndpoint = initTestEndpoint(serviceName)
+
+export interface RawGcpAccessApproval extends google.cloud.accessapproval.v1.IApprovalRequest {
+  id: string
+  projectId: string
+  region: string
+}
+
+export default async ({
+  config,
+}: GcpServiceInput): Promise<{
+  [region: string]: RawGcpAccessApproval[]
+}> =>
+  new Promise(async resolve => {
+    const accessApprovalList: RawGcpAccessApproval[] = []
+    const { projectId } = config
+
+    /**
+     * Get all EssentialContacts
+     */
+    try {
+      const accessApprovalClient = new AccessApprovalClient({ ...config, apiEndpoint });
+      const iterable = accessApprovalClient.listApprovalRequestsAsync({
+        parent: `projects/${projectId}`,
+      })
+
+      for await (const response of iterable) {
+        if (response) {
+          accessApprovalList.push({
+            id: response.name,
+            projectId,
+            region: GLOBAL_REGION,
+            ...response,
+          })
+        }
+      }
+    } catch (error) {
+      generateGcpErrorLog(serviceName, 'accessApproval:listApprovalRequestsAsync', error)
+    }
+    
+    logger.debug(lt.foundResources(serviceName, accessApprovalList.length))
+    resolve(groupBy(accessApprovalList, 'region'))
+  })

src/services/accessApproval/format.ts

@@ -0,0 +1,63 @@
+import { google } from '@google-cloud/access-approval/build/protos/protos'
+import { GcpAccessApproval } from '../../types/generated'
+import { RawGcpAccessApproval } from './data'
+import { toISOString } from '../../utils/dateutils'
+import { enumKeyToString } from '../../utils/format'
+
+export default ({
+  service,
+}: {
+  service: RawGcpAccessApproval
+  region: string
+}): GcpAccessApproval => {
+  const {
+    id,
+    projectId,
+    region,
+    name,
+    requestedResourceName,
+    requestedResourceProperties,
+    requestedReason,
+    requestedLocations,
+    requestTime,
+    requestedExpiration,
+    approve,
+    dismiss,
+  } = service
+
+  return {
+    id,
+    projectId,
+    region,
+    name,
+    requestedResourceName,
+    requestedResourceProperties: {
+      excludesDescendants: requestedResourceProperties?.excludesDescendants,
+    },
+    requestedReason: {
+      type: enumKeyToString(google.cloud.accessapproval.v1.AccessReason.Type, requestedReason?.type),
+      detail: requestedReason?.detail,
+    },
+    requestedLocations: {
+      principalOfficeCountry: requestedLocations?.principalOfficeCountry,
+      principalPhysicalLocationCountry: requestedLocations?.principalPhysicalLocationCountry,
+    },
+    requestTime: toISOString(requestTime?.seconds?.toString()),
+    requestedExpiration: toISOString(requestedExpiration?.seconds?.toString()),
+    approve: {
+      approveTime: toISOString(approve.approveTime?.seconds?.toString()),
+      expireTime: toISOString(approve.expireTime?.seconds?.toString()),
+      invalidateTime: toISOString(approve.invalidateTime?.seconds?.toString()),
+      signatureInfo: {
+        signature: approve?.signatureInfo?.signature ? String.fromCharCode.apply(approve?.signatureInfo?.signature) : '',
+        googlePublicKeyPem: approve?.signatureInfo?.googlePublicKeyPem,
+        customerKmsKeyVersion: approve?.signatureInfo?.customerKmsKeyVersion,
+      },
+      autoApproved: approve?.autoApproved,
+    },
+    dismiss: {
+      dismissTime: toISOString(dismiss.dismissTime?.seconds?.toString()),
+      implicit: dismiss.implicit,
+    },
+  }
+}

src/services/accessApproval/index.ts

@@ -0,0 +1,13 @@
+import { Service } from '@cloudgraph/sdk'
+import BaseService from '../base'
+import format from './format'
+import getData from './data'
+import mutation from './mutation'
+
+export default class GcpAccessApproval extends BaseService implements Service {
+  format = format.bind(this)
+
+  getData = getData.bind(this)
+
+  mutation = mutation
+}

src/services/accessApproval/mutation.ts

@@ -0,0 +1,5 @@
+export default `mutation($input: [AddgcpAccessApprovalInput!]!) {
+  addgcpAccessApproval(input: $input, upsert: true) {
+    numUids
+  }
+}`;

src/services/accessApproval/schema.graphql

@@ -0,0 +1,81 @@
+type gcpAccessApprovalRequestedResourceProperties
+  @generate(
+    query: { get: false, query: true, aggregate: false }
+    mutation: { add: false, delete: false }
+    subscription: false
+  ) {
+    excludesDescendants: Boolean @search
+  }
+
+type gcpAccessApprovalRequestedReason
+  @generate(
+    query: { get: false, query: true, aggregate: false }
+    mutation: { add: false, delete: false }
+    subscription: false
+  ) {
+    type: String @search(by: [hash, regexp])
+    detail: String @search(by: [hash, regexp])
+  }
+
+type gcpAccessApprovalRequestedLocations
+  @generate(
+    query: { get: false, query: true, aggregate: false }
+    mutation: { add: false, delete: false }
+    subscription: false
+  ) {
+    principalOfficeCountry: String @search(by: [hash, regexp])
+    principalPhysicalLocationCountry: String @search(by: [hash, regexp])
+  }
+
+type gcpAccessApprovalApproveSignatureInfo
+  @generate(
+    query: { get: false, query: true, aggregate: false }
+    mutation: { add: false, delete: false }
+    subscription: false
+  ) {
+    signature: String @search(by: [hash, regexp])
+    googlePublicKeyPem: String @search(by: [hash, regexp])
+    customerKmsKeyVersion: String @search(by: [hash, regexp])
+  }
+
+type gcpAccessApprovalApprove
+  @generate(
+    query: { get: false, query: true, aggregate: false }
+    mutation: { add: false, delete: false }
+    subscription: false
+  ) {
+    approveTime: String @search(by: [hash, regexp])
+    expireTime: String @search(by: [hash, regexp])
+    invalidateTime: String @search(by: [hash, regexp])
+    signatureInfo: gcpAccessApprovalApproveSignatureInfo
+    autoApproved: Boolean @search
+  }
+
+type gcpAccessApprovalDismiss
+  @generate(
+    query: { get: false, query: true, aggregate: false }
+    mutation: { add: false, delete: false }
+    subscription: false
+  ) {
+    dismissTime: String @search(by: [hash, regexp])
+    implicit: Boolean @search
+  }
+
+type gcpAccessApproval implements gcpBaseResource
+  @generate(
+    query: { get: true, query: true, aggregate: true }
+    mutation: { add: true, delete: false }
+    subscription: false
+  )
+  @key(fields: "id") {
+    name: String @search(by: [hash, regexp])
+    requestedResourceName: String @search(by: [hash, regexp])
+    requestedResourceProperties: gcpAccessApprovalRequestedResourceProperties
+    requestedReason: gcpAccessApprovalRequestedReason
+    requestedLocations: gcpAccessApprovalRequestedLocations
+    requestTime: String @search(by: [hash, regexp])
+    requestedExpiration: String @search(by: [hash, regexp])
+    approve: gcpAccessApprovalApprove
+    dismiss: gcpAccessApprovalDismiss
+    project: [gcpProject] @hasInverse(field: accessApprovals)
+  }