fix(gcp-project-policies): Use correct API to get Policy v3, fix policy 2.1 query (#7053)

erezrokah · kodiakhq[bot] · web-flow · commit 2f17a4dccc69 · 2023-01-24T11:19:28.000+02:00
#### Summary Reported on Discord https://discord.com/channels/872925471417962546/1065556442800734268/1065871250225909791 `projectsClient.GetIamPolicy` returns `v1.Policy` which has `log_type` as an enum, and as a result evaluated to an int in the destination database. Our query needs the strings, as they appear in `v3.Policy` (configured by the table). To get the `v3.Policy` we need the protobuf API. Additionally the check was wrong. We should verify all logging types are enabled for `allServices`. This is how it looks in GCP: ![image](https://user-images.githubusercontent.com/26760571/214112370-0badc1b4-4465-4b7e-973b-7f08f2a7fa57.png)  Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>
diff --git a/plugins/source/gcp/policies/queries/logging/not_configured_across_services_and_users.sql b/plugins/source/gcp/policies/queries/logging/not_configured_across_services_and_users.sql
@@ -29,7 +29,13 @@ WITH project_policy_audit_configs AS (SELECT project_id,
                           audit_config ->> 'service'                                                    AS "service",
                           jsonb_array_elements(audit_config -> 'auditLogConfigs') ->> 'logType'         AS logs,
                           jsonb_array_elements(audit_config -> 'auditLogConfigs') ->> 'exemptedMembers' AS exempted
-                   FROM project_policy_audit_configs)
+                   FROM project_policy_audit_configs),
+     valid_log_types AS (SELECT project_id, service, count(*) as valid_types
+                        FROM log_types
+                        WHERE exempted IS NULL
+                        AND logs IN ('ADMIN_READ', 'DATA_READ', 'DATA_WRITE')
+                        AND service = 'allServices'
+                        GROUP BY project_id, service)
 SELECT service                                                                                                               AS resource_id,
        :'execution_time'::timestamp                                                                                          AS execution_time,
        :'framework'                                                                                                          AS framework,
@@ -38,10 +44,8 @@ SELECT service
        "project_id"                                                                                                          AS project_id,
        CASE
            WHEN
-                   exempted IS NULL
-                   AND logs IN ('DATA_READ', 'DATA_WRITE')
-                   AND service = 'allServices'
-               THEN 'fail'
-           ELSE 'pass'
+                   valid_types = 3
+               THEN 'pass'
+           ELSE 'fail'
            END                                                                                                               AS status
-FROM log_types;
+FROM valid_log_types;
diff --git a/plugins/source/gcp/resources/services/resourcemanager/project_policies_fetch.go b/plugins/source/gcp/resources/services/resourcemanager/project_policies_fetch.go
@@ -3,24 +3,19 @@ package resourcemanager
 import (
 	"context"
 
-	"cloud.google.com/go/iam/apiv1/iampb"
-	resourcemanager "cloud.google.com/go/resourcemanager/apiv3"
 	"github.com/cloudquery/plugin-sdk/schema"
 	"github.com/cloudquery/plugins/source/gcp/client"
+	pb "google.golang.org/api/cloudresourcemanager/v3"
 )
 
 func fetchProjectPolicies(ctx context.Context, meta schema.ClientMeta, r *schema.Resource, res chan<- any) error {
 	c := meta.(*client.Client)
-	projectsClient, err := resourcemanager.NewProjectsClient(ctx, c.ClientOptions...)
+	projectsClient, err := pb.NewService(ctx, c.ClientOptions...)
 	if err != nil {
 		return err
 	}
-	output, err := projectsClient.GetIamPolicy(
-		ctx,
-		&iampb.GetIamPolicyRequest{
-			Resource: "projects/" + c.ProjectId,
-		},
-	)
+	// We need to use the protobut client to get the current version of the policy struct (v3)
+	output, err := projectsClient.Projects.GetIamPolicy("projects/"+c.ProjectId, &pb.GetIamPolicyRequest{}).Context(ctx).Do()
 	if err != nil {
 		return err
 	}
diff --git a/plugins/source/gcp/resources/services/resourcemanager/project_policies_mock_test.go b/plugins/source/gcp/resources/services/resourcemanager/project_policies_mock_test.go
@@ -0,0 +1,35 @@
+package resourcemanager
+
+import (
+	"encoding/json"
+	"net/http"
+	"testing"
+
+	"github.com/cloudquery/plugin-sdk/faker"
+	"github.com/cloudquery/plugins/source/gcp/client"
+	"github.com/julienschmidt/httprouter"
+	pb "google.golang.org/api/cloudresourcemanager/v3"
+)
+
+func createProjectPolicies(mux *httprouter.Router) error {
+	var item pb.Policy
+	if err := faker.FakeObject(&item); err != nil {
+		return err
+	}
+	mux.POST("/v3/projects/testProject:getIamPolicy", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+		b, err := json.Marshal(&item)
+		if err != nil {
+			http.Error(w, "unable to marshal request: "+err.Error(), http.StatusBadRequest)
+			return
+		}
+		if _, err := w.Write(b); err != nil {
+			http.Error(w, "failed to write", http.StatusBadRequest)
+			return
+		}
+	})
+	return nil
+}
+
+func TestProjectPolicies(t *testing.T) {
+	client.MockTestRestHelper(t, ProjectPolicies(), createProjectPolicies, client.TestOptions{})
+}
