Merge pull request #1522 from saez0pub/fix/gcp_audit

Fix(gcp): update cloudsql api and edge case configurations
nccgroup · Jun 5, 2023 · acf7bda · acf7bda
2 parents d6cf479 + b1d9602
commit acf7bda
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 5 deletions.
diff --git a/ScoutSuite/providers/gcp/facade/base.py b/ScoutSuite/providers/gcp/facade/base.py
@@ -210,7 +210,7 @@ async def is_api_enabled(self, project_id, service):
         elif service == 'CloudStorage':
             endpoint = 'storage-component'
         elif service == 'CloudSQL':
-            endpoint = 'sql-component'
+            endpoint = 'sqladmin'
         elif service == 'ComputeEngine':
             endpoint = 'compute'
         elif service == 'Functions':

diff --git a/ScoutSuite/providers/gcp/facade/gke.py b/ScoutSuite/providers/gcp/facade/gke.py
@@ -27,7 +27,8 @@ async def get_clusters(self, project_id):
     async def _get_and_set_private_google_access_enabled(self, cluster, project_id):
         try:
             region = self._get_cluster_region(cluster)
-            subnetwork = await self._gce_facade.get_subnetwork(project_id, region, cluster['subnetwork'])
+            subnetwork_project_id = self._get_cluster_subnetwork_project(cluster)
+            subnetwork = await self._gce_facade.get_subnetwork(subnetwork_project_id, region, cluster['subnetwork'])
             if subnetwork:
                 cluster['privateIpGoogleAccess'] = subnetwork.get('privateIpGoogleAccess')
             else:
@@ -42,3 +43,8 @@ def _get_cluster_region(self, cluster):
         region_regex = re.compile("^([\\w]+-[\\w]+)")
         result = region_regex.search(cluster['location'])
         return result.group(1)
+
+    # Subnetwork can be in different project
+    # networkConfig.subnetwork is like projects/{project}/regions/{region}/subnetworks/{subnetworkname}
+    def _get_cluster_subnetwork_project(self, cluster):
+        return cluster['networkConfig']['subnetwork'].split('/')[1]
diff --git a/ScoutSuite/providers/gcp/resources/functions/functions_v1.py b/ScoutSuite/providers/gcp/resources/functions/functions_v1.py
@@ -31,12 +31,12 @@ def _parse_function(self, raw_function):
             function_dict['max_instances'] = raw_function['maxInstances']
         function_dict['docker_registry'] = raw_function['dockerRegistry']
         function_dict['url'] = raw_function.get('httpsTrigger', {}).get('url')
-        function_dict['security_level'] = raw_function.get('httpsTrigger', {}).get('securityLevel')
+        function_dict['security_level'] = 'SECURE_ALWAYS' if function_dict['url'] is None else raw_function.get('httpsTrigger', {}).get('securityLevel')
         function_dict['ingress_settings'] = raw_function['ingressSettings']
 
         function_dict['bindings'] = raw_function['bindings']
 
-        function_dict['environment_variables'] = raw_function['environmentVariables']
+        function_dict['environment_variables'] = raw_function.get('environmentVariables', {})
         function_dict['environment_variables_secrets'] = get_environment_secrets(function_dict['environment_variables'])
 
         function_dict['labels'] = raw_function['labels']

diff --git a/ScoutSuite/providers/gcp/resources/functions/functions_v2.py b/ScoutSuite/providers/gcp/resources/functions/functions_v2.py
@@ -35,7 +35,7 @@ def _parse_function(self, raw_function):
         function_dict['service_account'] = raw_function.get('serviceConfig', {}).get('serviceAccountEmail')
         function_dict['bindings'] = raw_function['bindings']
 
-        function_dict['environment_variables'] = raw_function.get('serviceConfig', {}).get('environmentVariables')
+        function_dict['environment_variables'] = raw_function.get('serviceConfig', {}).get('environmentVariables', {})
         function_dict['environment_variables_secrets'] = get_environment_secrets(function_dict['environment_variables'])
 
         function_dict['labels'] = raw_function['labels']