
[apps] adding G Suite app for all activity audit reports #426

Merged
merged 8 commits into master from ryandeivert-gsuite-app-support on Oct 27, 2017

Conversation

@ryandeivert (Contributor) commented Oct 27, 2017

to: @javuto and @austinbyers
cc: @airbnb/streamalert-maintainers
size: large
resolves #348

Background

See #348

tl;dr - Consume all GSuite logs:

https://developers.google.com/admin-sdk/reports/v1/guides/manage-audit-admin
https://developers.google.com/admin-sdk/reports/v1/guides/manage-audit-login
https://developers.google.com/admin-sdk/reports/v1/guides/manage-audit-tokens
https://developers.google.com/admin-sdk/reports/v1/guides/manage-audit-drive
https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml
https://developers.google.com/admin-sdk/reports/v1/appendix/activity/rules
https://developers.google.com/admin-sdk/reports/v1/appendix/activity/mobile
https://developers.google.com/admin-sdk/reports/v1/appendix/activity/gplus
...

Changes

  • Adding initial implementation of G Suite StreamAlertApp
  • This app utilizes the google-api-python-client module, which has been added to the requirements.txt (along with other dependencies) and to the 3rd party libraries that get packaged with the Apps lambda function.
  • All GSuite apps must use a Google service account key which must be configured by an admin, along with access to the Admin SDK api.
    • The service account key type must be in the Google-recommended JSON format (not p12):
    • Attempting to create a GSuite application with a p12 keyfile will fail and inform the user that a JSON keyfile must be provided.

Other Changes

  • Adding an auth property helper to the AppConfig so the auth subdictionary within the config dict can now be accessed via 'AppConfig.auth' instead of requiring apps to do a dictionary lookup of 'auth' any time authentication info needs to be retrieved.
    • Also updating all unit tests to go with the above change.
  • Making the AppIntegration.required_auth_info method a classmethod so the app does not need to be instantiated in the CLI to access this method.
    • Also making corresponding change to the cli's runner.py and config.py so the apps do not get instantiated when prompting the user for required authentication information.
  • Adding support for complex input validation for items that are provided by the user.
    • A function can now be passed to the user_input cli helper that can be used to properly validate input. Previously only a simple x is not in y or regex comparison could be used.

Bug Fixes

  • Marking the AppIntegration._more_to_poll to False if there was nothing returned from an app's gather function. This avoids potentially bad looping in the subclasses.
  • Fixing potential issue where casting auth values to a string could potentially cast dict values. This is meant to only cast unicode to str, so checking for unicode first.
  • Fixing bug in validate-schemas command that caused the --test-files flag to not work as expected

Testing

  • Added unit tests for the GSuiteReportsApps.
  • Also added the schema for gsuite:reports and added a test event for validation purposes only to test the schema.
  • All tests passing.

@ryandeivert ryandeivert force-pushed the ryandeivert-gsuite-app-support branch 2 times, most recently from 0f54afb to e362b65 Compare October 27, 2017 17:05
@coveralls

Coverage Status

Coverage increased (+0.2%) to 95.769% when pulling e362b65 on ryandeivert-gsuite-app-support into 1372b2b on master.

@airbnb airbnb deleted a comment from coveralls Oct 27, 2017
ghost commented Oct 27, 2017

@ryandeivert can you add support for https://developers.google.com/admin-sdk/reports/v1/guides/manage-audit-mobile? It appears to be the last remaining one per my Google foo: inurl:developers.google.com inurl:manage-audit

@ryandeivert (Contributor Author) commented Oct 27, 2017

@mime-frame your google foo is excellent :) however, there are a couple of others we aren't doing. See the applicationName parameter here:

https://developers.google.com/admin-sdk/reports/v1/reference/activities/list

Additional apps:

Do we want to support all of the above ^^ ?

ghost commented Oct 27, 2017

@ryandeivert - yup, it's worth supporting all of the above - you think its worth doing this in a 2nd PR or this one? There's also a SAML one too it seems: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml

@ryandeivert (Contributor Author) commented:

Supporting them is a very simple change tbh so it doesn't really matter to me either way. Really annoying that Google's docs say one thing in one place and another thing somewhere else 🤔

ghost commented Oct 27, 2017

Supporting them is a very simple change tbh so it doesn't really matter to me either way.

Cool, let's get it into this PR then :)

@ryandeivert (Contributor Author) commented:

@mime-frame done

@coveralls

Coverage Status

Coverage increased (+0.2%) to 95.815% when pulling c89e6ab on ryandeivert-gsuite-app-support into 1372b2b on master.

@ghost ghost changed the title [apps] adding G Suite app for admin, drive, login and token reports [apps] adding G Suite app for all activity audit reports Oct 27, 2017
* The 'auth' subdictionary within the config dict can now be accessed via the 'AppConfig.auth' property instead of requiring apps to do a dictionary lookup of 'auth' any time authentication info needs to be retrieved.
* Marking the `AppIntegration._more_to_poll` to `False` if there was nothing returned from an app's gather function
* Fixing potential issue where casting auth values to a string could potentially cast dict values. This is meant to only cast `unicode` to str, so checking for unicode first.
* Fixing bug in `validate-schemas` command that caused the `--test-files` flag to not work as expected
@ryandeivert ryandeivert force-pushed the ryandeivert-gsuite-app-support branch from c89e6ab to 1448066 Compare October 27, 2017 17:59
@coveralls

Coverage Status

Coverage increased (+0.2%) to 95.815% when pulling 1448066 on ryandeivert-gsuite-app-support into f7be9e9 on master.

@austinbyers (Contributor) left a review comment:

Great work! Can you remind me what happens to API tokens? They are encrypted in SSM, correct? The app documentation explains how the user configures the auth token, but not what happens to it

userKey='all',
applicationName=self._type(),
startTime=self._last_timestamp,
pageToken=self._next_page_token if self._next_page_token else None
@austinbyers (Contributor) commented on the lines above:

Is there some reason that self._next_page_token could be an empty string? If so, you could do simply:

pageToken = self._next_page_token or None

@ryandeivert (Contributor Author) replied:

The case of it potentially being an empty string is exactly why I added this, so good catch :). I don't know for sure if passing '' to pageToken would have a different effect than passing None so I just wanted to guard against it.

I added this because I'm not sure what the default value (if any) is within the response for nextPageToken that gets returned. It's unclear if 1) the key exists at all if there is no value, and 2) what the value would be if it does exist but is empty (is it an empty string or a json null)?

The code where this is set is here, using a .get:

self._next_page_token = results.get('nextPageToken')

@ryandeivert (Contributor Author) replied:

Maybe a second set of eyes on the docs would help unearth something I'm not seeing ;)

@ryandeivert (Contributor Author) commented:

@austinbyers excellent question - the answer is yes, the API tokens/secrets are sent to SSM as a SecureString:

def save(overwrite=False):
    ssm_client.put_parameter(
        Name=name,
        Description=description,
        Value=param_value,
        Type='SecureString',
        Overwrite=overwrite
    )
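The following is an added example, written for this page in Python 3; it is not StreamAlert's code and not Google's. It pulls together two things the PR and the review above discuss: rejecting a p12 keyfile in favour of Google's JSON service-account format (the kind of validation function the PR says can now be passed to the CLI's user_input helper), and walking the Admin SDK Reports activities.list pages so that a missing, null or empty-string nextPageToken is never sent back as pageToken. The OAuth scope, the delegated admin address, the use of google-auth for credentials, the field names checked in the keyfile, and the fake API responses are assumptions of this example; only build_reports_client() contacts Google, and everything else runs offline.

```python
"""Added example (not StreamAlert's or Google's code): keyfile validation and
nextPageToken-safe paging for the Admin SDK Reports activities.list call."""
import json
from typing import Callable, Iterator, List, Optional

# Fields every Google JSON service-account keyfile carries (assumed set).
REQUIRED_KEY_FIELDS = {"type", "client_email", "private_key", "token_uri"}


def load_service_account_key(raw: bytes) -> dict:
    """Return the parsed JSON keyfile; raise ValueError for p12 or garbage.
    Suitable as the validation function handed to a CLI prompt."""
    # A .p12 file is DER-encoded PKCS#12 and begins with an ASN.1 SEQUENCE
    # tag (0x30); a JSON keyfile begins with '{'.
    if raw.lstrip()[:1] == b"\x30":
        raise ValueError("p12 keyfile detected; a JSON keyfile must be provided")
    try:
        info = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("keyfile is not valid JSON") from exc
    if not isinstance(info, dict) or info.get("type") != "service_account":
        raise ValueError("not a Google service-account keyfile")
    missing = REQUIRED_KEY_FIELDS - set(info)
    if missing:
        raise ValueError("keyfile is missing fields: %s" % sorted(missing))
    return info


def build_reports_client(key_info: dict, delegated_admin: str) -> Callable[..., dict]:
    """Build the real Reports client (needs google-auth, google-api-python-client
    and network access). Returns a callable shaped like
    service.activities().list(**kwargs).execute()."""
    from google.oauth2 import service_account          # assumed library choice
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_info(
        key_info,
        scopes=["https://www.googleapis.com/auth/admin.reports.audit.readonly"],
    ).with_subject(delegated_admin)  # domain-wide delegation as an admin user
    service = build("admin", "reports_v1", credentials=creds, cache_discovery=False)
    return lambda **kwargs: service.activities().list(**kwargs).execute()


def poll_activities(list_fn: Callable[..., dict], application_name: str,
                    start_time: str) -> Iterator[dict]:
    """Yield every activity since start_time, following nextPageToken.
    A missing, null or '' token all stop the loop, and an empty page stops it
    too, so a token without items cannot spin forever."""
    next_token: Optional[str] = None
    while True:
        results = list_fn(userKey="all", applicationName=application_name,
                          startTime=start_time,
                          pageToken=next_token or None)  # never pass ''
        items = results.get("items") or []
        if not items:
            return
        yield from items
        next_token = results.get("nextPageToken")
        if not next_token:
            return


def newest_timestamp(items: List[dict], previous: str) -> str:
    """Next poll's startTime. Assumes the API's uniform RFC 3339 'Z' format,
    under which string comparison matches chronological order."""
    return max([previous] + [item["id"]["time"] for item in items])


class FakeActivities:
    """Constructed stand-in for the API: page 1 returns a real token, page 2
    returns nextPageToken '' (the ambiguous case raised in the review)."""
    PAGES = {
        None: {"items": [
            {"id": {"time": "2017-10-27T17:05:00.000Z"}, "events": [{"name": "login_success"}]},
            {"id": {"time": "2017-10-27T17:06:00.000Z"}, "events": [{"name": "login_failure"}]}],
            "nextPageToken": "page-2"},
        "page-2": {"items": [
            {"id": {"time": "2017-10-27T17:59:00.000Z"}, "events": [{"name": "logout"}]}],
            "nextPageToken": ""},
    }

    def __init__(self) -> None:
        self.calls: List[Optional[str]] = []

    def __call__(self, **kwargs) -> dict:
        self.calls.append(kwargs["pageToken"])
        return self.PAGES[kwargs["pageToken"]]


SAMPLE_KEY_JSON = json.dumps({  # constructed; not a real key
    "type": "service_account", "project_id": "example",
    "client_email": "streamalert@example.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
}).encode("utf-8")
SAMPLE_P12 = b"\x30\x82\x0a\x00" + b"\x00" * 16  # constructed DER prefix only


def demo() -> dict:
    """Run the offline checks and return what was observed."""
    key = load_service_account_key(SAMPLE_KEY_JSON)
    try:
        load_service_account_key(SAMPLE_P12)
        p12_rejected = False
    except ValueError:
        p12_rejected = True
    fake = FakeActivities()
    start = "2017-10-27T00:00:00.000Z"
    items = list(poll_activities(fake, "login", start))
    return {
        "client_email": key["client_email"],
        "p12_rejected": p12_rejected,
        "event_names": [e["name"] for i in items for e in i["events"]],
        "page_tokens_sent": fake.calls,  # '' from page 2 never reaches the API
        "next_start_time": newest_timestamp(items, start),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `or None` on pageToken is the one-line guard discussed in the review; the empty-page check is the `_more_to_poll` fix from the PR description expressed as a plain loop exit.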

@ryandeivert ryandeivert merged commit b0c016d into master Oct 27, 2017
@ryandeivert ryandeivert deleted the ryandeivert-gsuite-app-support branch October 27, 2017 19:39
@ryandeivert ryandeivert added this to the 1.6.0 milestone Oct 27, 2017
Successfully merging this pull request may close these issues.

App: Create StreamAlert App for GSuite Admin Reports