-
Notifications
You must be signed in to change notification settings - Fork 1.5k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing
29 changed files
with
417 additions
and
20 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -26,6 +26,7 @@ def self.attributes | |
privileged | ||
singular_only | ||
singular_extra_examples | ||
iam_binding | ||
] | ||
end | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
# Copyright 2020 Google Inc. | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
--- !ruby/object:Provider::Inspec::Config | ||
overrides: !ruby/object:Overrides::ResourceOverrides | ||
Bucket: !ruby/object:Overrides::Inspec::ResourceOverride | ||
iam_policy: !ruby/object:Api::Resource::IamPolicy | ||
base_url: 'b/{{bucket}}' | ||
fetch_iam_policy_method: 'iam' | ||
base_url: b?project={{project}}&projection=full | ||
properties: | ||
name: !ruby/object:Overrides::Inspec::PropertyOverride | ||
override_name: bucket_name | ||
id: !ruby/object:Overrides::Inspec::PropertyOverride | ||
override_name: bucket_id | ||
projectNumber: !ruby/object:Overrides::Inspec::PropertyOverride | ||
override_name: bucket_project_number | ||
location: !ruby/object:Overrides::Inspec::PropertyOverride | ||
override_name: bucket_location | ||
ObjectAccessControl: !ruby/object:Overrides::Inspec::ResourceOverride | ||
name: ObjectACL | ||
singular_only: true | ||
privileged: true | ||
additional_functions: third_party/inspec/custom_functions/bucket_name_from_params.erb | ||
properties: | ||
bucket: !ruby/object:Overrides::Inspec::PropertyOverride | ||
exclude: true | ||
DefaultObjectACL: !ruby/object:Overrides::Inspec::ResourceOverride | ||
singular_only: true | ||
privileged: true | ||
additional_functions: third_party/inspec/custom_functions/bucket_name_from_params.erb | ||
properties: | ||
bucket: !ruby/object:Overrides::Inspec::PropertyOverride | ||
exclude: true | ||
BucketAccessControl: !ruby/object:Overrides::Inspec::ResourceOverride | ||
name: BucketACL | ||
singular_only: true | ||
privileged: true | ||
additional_functions: third_party/inspec/custom_functions/bucket_name_from_params.erb | ||
properties: | ||
bucket: !ruby/object:Overrides::Inspec::PropertyOverride | ||
exclude: true | ||
Object: !ruby/object:Overrides::Inspec::ResourceOverride | ||
name: BucketObject | ||
singular_only: true | ||
privileged: true | ||
additional_functions: third_party/inspec/custom_functions/bucket_name_from_params.erb | ||
properties: | ||
bucket: !ruby/object:Overrides::Inspec::PropertyOverride | ||
exclude: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
12 changes: 12 additions & 0 deletions
12
templates/inspec/examples/google_storage_bucket/google_storage_bucket.erb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
<% gcp_project_id = "#{external_attribute('gcp_project_id', doc_generation)}" -%> | ||
<% gcp_location = "#{external_attribute('gcp_location', doc_generation)}" -%> | ||
describe google_storage_bucket(name: <%= doc_generation ? "bucket-name" : "\"inspec-gcp-static-\#{gcp_project_id}\"" -%>) do | ||
it { should exist } | ||
its('location') { should cmp <%= gcp_location -%>.upcase } | ||
|
||
its('storage_class') { should eq "STANDARD" } | ||
end | ||
|
||
describe google_storage_bucket(name: "nonexistent") do | ||
it { should_not exist } | ||
end |
2 changes: 2 additions & 0 deletions
2
templates/inspec/examples/google_storage_bucket/google_storage_bucket_attributes.erb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
gcp_project_id = attribute(:gcp_project_id, default: '<%= external_attribute('gcp_project_id') -%>', description: 'The GCP project identifier.') | ||
gcp_location = attribute(:gcp_location, default: '<%= external_attribute('gcp_location') -%>', description: 'GCP location') |
5 changes: 5 additions & 0 deletions
5
templates/inspec/examples/google_storage_bucket/google_storage_buckets.erb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
<% gcp_project_id = "#{external_attribute('gcp_project_id', doc_generation)}" -%> | ||
<% gcp_location = "#{external_attribute('gcp_location', doc_generation)}" -%> | ||
describe google_storage_buckets(project: <%= gcp_project_id -%>) do | ||
its('bucket_names') { should include <%= doc_generation ? "bucket-name" : "\"inspec-gcp-static-\#{gcp_project_id}\"" -%> } | ||
end |
15 changes: 15 additions & 0 deletions
15
templates/inspec/examples/google_storage_bucket_acl/google_storage_bucket_acl.erb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
<% gcp_project_id = "#{external_attribute('gcp_project_id', doc_generation)}" -%> | ||
<% gcp_storage_bucket_acl = "#{external_attribute('gcp_storage_bucket_acl', doc_generation)}" -%> | ||
<% gcp_service_account_display_name = "#{external_attribute('gcp_service_account_display_name', doc_generation)}" -%> | ||
<% gcp_enable_privileged_resources = "#{external_attribute('gcp_enable_privileged_resources', doc_generation)}" -%> | ||
describe google_storage_bucket_acl(bucket: <%= gcp_storage_bucket_acl -%>, entity: <%= doc_generation ? "user-email" : "\"user-\#{gcp_service_account_display_name}@\#{gcp_project_id}.iam.gserviceaccount.com\"" -%>) do | ||
it { should exist } | ||
its('role') { should cmp "OWNER" } | ||
|
||
its('bucket') { should eq <%= gcp_storage_bucket_acl -%> } | ||
its('email') { should include <%= doc_generation ? "entity-email.com" : "\"\#{gcp_service_account_display_name}@\#{gcp_project_id}.iam.gserviceaccount.com\"" -%> } | ||
end | ||
|
||
describe google_storage_bucket_acl(bucket: <%= gcp_storage_bucket_acl -%>, entity: "allUsers") do | ||
it { should_not exist } | ||
end |
4 changes: 4 additions & 0 deletions
4
templates/inspec/examples/google_storage_bucket_acl/google_storage_bucket_acl_attributes.erb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
gcp_project_id = attribute(:gcp_project_id, default: '<%= external_attribute('gcp_project_id') -%>', description: 'The GCP project identifier.') | ||
gcp_storage_bucket_acl = attribute(:gcp_storage_bucket_acl, default: '<%= external_attribute('gcp_storage_bucket_acl') -%>', description: 'The name of the storage bucket with ACLs attached') | ||
gcp_service_account_display_name = attribute(:gcp_service_account_display_name, default: '<%= external_attribute('gcp_service_account_display_name') -%>', description: 'The name of the service account assigned permissions') | ||
gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources, default: '<%= external_attribute('gcp_enable_privileged_resources') -%>', description: 'If we are running tests with escalated permissions(required for this test)') |
16 changes: 16 additions & 0 deletions
16
templates/inspec/examples/google_storage_bucket_object/google_storage_bucket_object.erb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
<% gcp_project_id = "#{external_attribute('gcp_project_id', doc_generation)}" -%> | ||
<% gcp_storage_bucket_object = "#{external_attribute('gcp_storage_bucket_object', doc_generation)}" -%> | ||
<% gcp_service_account_display_name = "#{external_attribute('gcp_service_account_display_name', doc_generation)}" -%> | ||
<% gcp_storage_bucket_object_name = "#{external_attribute('gcp_storage_bucket_object_name', doc_generation)}" -%> | ||
<% gcp_enable_privileged_resources = "#{external_attribute('gcp_enable_privileged_resources', doc_generation)}" -%> | ||
describe google_storage_bucket_object(bucket: <%= gcp_storage_bucket_object -%>, object: <%= gcp_storage_bucket_object_name -%>) do | ||
it { should exist } | ||
its('size.to_i') { should be > 0 } | ||
|
||
its('time_created') { should be > Time.now - 60*60*24*10 } | ||
its('time_updated') { should be > Time.now - 60*60*24*10 } | ||
end | ||
|
||
describe google_storage_bucket_object(bucket: <%= gcp_storage_bucket_object -%>, object: "nonexistent") do | ||
it { should_not exist } | ||
end |
5 changes: 5 additions & 0 deletions
5
.../inspec/examples/google_storage_bucket_object/google_storage_bucket_object_attributes.erb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
gcp_project_id = attribute(:gcp_project_id, default: '<%= external_attribute('gcp_project_id') -%>', description: 'The GCP project identifier.') | ||
gcp_storage_bucket_object = attribute(:gcp_storage_bucket_object, default: '<%= external_attribute('gcp_storage_bucket_object') -%>', description: 'The name of the storage bucket with an object') | ||
gcp_service_account_display_name = attribute(:gcp_service_account_display_name, default: '<%= external_attribute('gcp_service_account_display_name') -%>', description: 'The name of the service account assigned permissions') | ||
gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources, default: '<%= external_attribute('gcp_enable_privileged_resources') -%>', description: 'If we are running tests with escalated permissions(required for this test)') | ||
gcp_storage_bucket_object_name = attribute(:gcp_storage_bucket_object_name, default: '<%= external_attribute('gcp_storage_bucket_object_name') -%>', description: 'The name of the object') |
15 changes: 15 additions & 0 deletions
15
...s/inspec/examples/google_storage_default_object_acl/google_storage_default_object_acl.erb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
<% gcp_project_id = "#{external_attribute('gcp_project_id', doc_generation)}" -%> | ||
<% gcp_storage_bucket_name = "#{external_attribute('gcp_storage_bucket_name', doc_generation)}" -%> | ||
<% gcp_service_account_display_name = "#{external_attribute('gcp_service_account_display_name', doc_generation)}" -%> | ||
<% gcp_enable_privileged_resources = "#{external_attribute('gcp_enable_privileged_resources', doc_generation)}" -%> | ||
describe google_storage_default_object_acl(bucket: <%= gcp_storage_bucket_name -%>, entity: <%= doc_generation ? "user-email" : "\"user-\#{gcp_service_account_display_name}@\#{gcp_project_id}.iam.gserviceaccount.com\"" -%>) do | ||
it { should exist } | ||
its('role') { should cmp "OWNER" } | ||
|
||
its('bucket') { should eq <%= gcp_storage_bucket_name -%> } | ||
its('email') { should include <%= doc_generation ? "entity-email.com" : "\"\#{gcp_service_account_display_name}@\#{gcp_project_id}.iam.gserviceaccount.com\"" -%> } | ||
end | ||
|
||
describe google_storage_default_object_acl(bucket: <%= gcp_storage_bucket_name -%>, entity: "allUsers") do | ||
it { should_not exist } | ||
end |
4 changes: 4 additions & 0 deletions
4
...amples/google_storage_default_object_acl/google_storage_default_object_acl_attributes.erb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
gcp_project_id = attribute(:gcp_project_id, default: '<%= external_attribute('gcp_project_id') -%>', description: 'The GCP project identifier.') | ||
gcp_storage_bucket_name = attribute(:gcp_storage_bucket_name, default: '<%= external_attribute('gcp_storage_bucket_name') -%>', description: 'The name of the storage bucket with the default object ACL') | ||
gcp_service_account_display_name = attribute(:gcp_service_account_display_name, default: '<%= external_attribute('gcp_service_account_display_name') -%>', description: 'The name of the service account assigned permissions') | ||
gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources, default: '<%= external_attribute('gcp_enable_privileged_resources') -%>', description: 'If we are running tests with escalated permissions(required for this test)') |
Oops, something went wrong.