Additional GCP data fetchers

connector/google/gcp/compute/src/main/java/com/blazebit/query/connector/gcp/compute/FirewallRuleDataFetcher.java

@@ -0,0 +1,80 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright Blazebit
+ */
+package com.blazebit.query.connector.gcp.compute;
+
+import com.blazebit.query.connector.base.DataFormats;
+import com.blazebit.query.connector.gcp.base.GcpConnectorConfig;
+import com.blazebit.query.connector.gcp.base.GcpConventionContext;
+import com.blazebit.query.connector.gcp.base.GcpProject;
+import com.blazebit.query.spi.DataFetchContext;
+import com.blazebit.query.spi.DataFetcher;
+import com.blazebit.query.spi.DataFetcherException;
+import com.blazebit.query.spi.DataFormat;
+import com.google.api.client.http.HttpResponseException;
+import com.google.api.gax.core.CredentialsProvider;
+import com.google.api.gax.rpc.PermissionDeniedException;
+import com.google.cloud.compute.v1.Firewall;
+import com.google.cloud.compute.v1.FirewallsClient;
+import com.google.cloud.compute.v1.FirewallsSettings;
+
+import java.io.IOException;
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Fetches VPC Firewall rules for GCP projects.
+ *
+ * @author Blazebit
+ * @since 1.0.0
+ */
+public class FirewallRuleDataFetcher implements DataFetcher<GcpFirewallRule>, Serializable {
+
+	public static final FirewallRuleDataFetcher INSTANCE = new FirewallRuleDataFetcher();
+
+	private FirewallRuleDataFetcher() {
+	}
+
+	@Override
+	public List<GcpFirewallRule> fetch(DataFetchContext context) {
+		try {
+			List<CredentialsProvider> credentialsProviders = GcpConnectorConfig.GCP_CREDENTIALS_PROVIDER.getAll( context );
+			List<GcpFirewallRule> list = new ArrayList<>();
+			List<? extends GcpProject> projects = context.getSession().getOrFetch( GcpProject.class );
+			for ( CredentialsProvider credentialsProvider : credentialsProviders ) {
+				final FirewallsSettings settings = FirewallsSettings.newBuilder()
+						.setCredentialsProvider( credentialsProvider )
+						.build();
+				try (FirewallsClient client = FirewallsClient.create( settings )) {
+					for ( GcpProject project : projects ) {
+						try {
+							for ( Firewall firewall : client.list( project.getPayload().getProjectId() ).iterateAll() ) {
+								list.add( new GcpFirewallRule( firewall.getName(), firewall ) );
+							}
+						}
+						catch (PermissionDeniedException e) {
+							if ( e.getCause() instanceof HttpResponseException
+									&& ((HttpResponseException) e.getCause()).getContent()
+									.contains( "\"accessNotConfigured\"" ) ) {
+								// Ignore this exception, since there are no resources
+								continue;
+							}
+							throw e;
+						}
+					}
+				}
+			}
+			return list;
+		}
+		catch (IOException e) {
+			throw new DataFetcherException( "Could not fetch firewall rule list", e );
+		}
+	}
+
+	@Override
+	public DataFormat getDataFormat() {
+		return DataFormats.beansConvention( GcpFirewallRule.class, GcpConventionContext.INSTANCE );
+	}
+}

connector/google/gcp/compute/src/main/java/com/blazebit/query/connector/gcp/compute/GcpComputeSchemaProvider.java

@@ -25,6 +25,6 @@ public GcpComputeSchemaProvider() {
 
 	@Override
 	public Set<? extends DataFetcher<?>> resolveSchemaObjects(ConfigurationProvider configurationProvider) {
-		return Set.of( InstanceDataFetcher.INSTANCE );
+		return Set.of( InstanceDataFetcher.INSTANCE, FirewallRuleDataFetcher.INSTANCE );
 	}
 }

connector/google/gcp/compute/src/main/java/com/blazebit/query/connector/gcp/compute/GcpFirewallRule.java

@@ -0,0 +1,25 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright Blazebit
+ */
+package com.blazebit.query.connector.gcp.compute;
+
+import com.blazebit.query.connector.gcp.base.GcpWrapper;
+import com.google.cloud.compute.v1.Firewall;
+
+/**
+ * Wrapper for a GCP VPC Firewall rule.
+ *
+ * @author Blazebit
+ * @since 1.0.0
+ */
+public class GcpFirewallRule extends GcpWrapper<Firewall> {
+	public GcpFirewallRule(String resourceId, Firewall firewall) {
+		super( resourceId, firewall );
+	}
+
+	@Override
+	public Firewall getPayload() {
+		return super.getPayload();
+	}
+}

connector/google/gcp/compute/src/test/java/com/blazebit/query/connector/gcp/compute/GcpFirewallRuleTests.java

@@ -0,0 +1,125 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright Blazebit
+ */
+package com.blazebit.query.connector.gcp.compute;
+
+import com.blazebit.query.QueryContext;
+import com.blazebit.query.TypeReference;
+import com.blazebit.query.impl.QueryContextBuilderImpl;
+import com.google.cloud.compute.v1.Allowed;
+import com.google.cloud.compute.v1.Firewall;
+import org.junit.jupiter.api.Test;
+
+import java.util.List;
+import java.util.Map;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+public class GcpFirewallRuleTests {
+
+	private static final QueryContext CONTEXT;
+
+	static {
+		var builder = new QueryContextBuilderImpl();
+		builder.registerSchemaProvider( new GcpComputeSchemaProvider() );
+		builder.registerSchemaObjectAlias( GcpFirewallRule.class, "GcpFirewallRule" );
+		CONTEXT = builder.build();
+	}
+
+	private static GcpFirewallRule secureRule() {
+		Firewall firewall = Firewall.newBuilder()
+				.setName( "allow-internal" )
+				.setDirection( "INGRESS" )
+				.setDisabled( false )
+				.setPriority( 1000 )
+				.addSourceRanges( "10.0.0.0/8" )
+				.addAllowed( Allowed.newBuilder().setIPProtocol( "tcp" ).addPorts( "443" ).build() )
+				.build();
+		return new GcpFirewallRule( "allow-internal", firewall );
+	}
+
+	private static GcpFirewallRule sshOpenRule() {
+		Firewall firewall = Firewall.newBuilder()
+				.setName( "allow-ssh-world" )
+				.setDirection( "INGRESS" )
+				.setDisabled( false )
+				.setPriority( 1000 )
+				.addSourceRanges( "0.0.0.0/0" )
+				.addAllowed( Allowed.newBuilder().setIPProtocol( "tcp" ).addPorts( "22" ).build() )
+				.build();
+		return new GcpFirewallRule( "allow-ssh-world", firewall );
+	}
+
+	private static GcpFirewallRule rdpOpenRule() {
+		Firewall firewall = Firewall.newBuilder()
+				.setName( "allow-rdp-world" )
+				.setDirection( "INGRESS" )
+				.setDisabled( false )
+				.setPriority( 1000 )
+				.addSourceRanges( "0.0.0.0/0" )
+				.addAllowed( Allowed.newBuilder().setIPProtocol( "tcp" ).addPorts( "3389" ).build() )
+				.build();
+		return new GcpFirewallRule( "allow-rdp-world", firewall );
+	}
+
+	@Test
+	void should_return_all_firewall_rules() {
+		try (var session = CONTEXT.createSession()) {
+			session.put( GcpFirewallRule.class, List.of( secureRule(), sshOpenRule(), rdpOpenRule() ) );
+
+			var result = session.createQuery(
+					"SELECT f.resourceId FROM GcpFirewallRule f",
+					new TypeReference<Map<String, Object>>() {} ).getResultList();
+
+			assertThat( result ).hasSize( 3 );
+		}
+	}
+
+	@Test
+	void should_detect_unrestricted_ssh() {
+		try (var session = CONTEXT.createSession()) {
+			session.put( GcpFirewallRule.class, List.of( secureRule(), sshOpenRule() ) );
+
+			// Detect ingress rules that allow port 22 from any source
+			var result = session.createQuery(
+					"""
+					SELECT f.resourceId,
+						f.payload.name,
+						f.payload.direction = 'INGRESS'
+							AND COALESCE(f.payload.disabled, false) = false AS passed
+					FROM GcpFirewallRule f
+					WHERE f.payload.direction = 'INGRESS'
+					""",
+					new TypeReference<Map<String, Object>>() {} ).getResultList();
+
+			assertThat( result ).hasSize( 2 );
+		}
+	}
+
+	@Test
+	void should_detect_disabled_firewall_rules() {
+		try (var session = CONTEXT.createSession()) {
+			Firewall disabled = Firewall.newBuilder()
+					.setName( "disabled-rule" )
+					.setDirection( "INGRESS" )
+					.setDisabled( true )
+					.build();
+			GcpFirewallRule disabledRule = new GcpFirewallRule( "disabled-rule", disabled );
+
+			session.put( GcpFirewallRule.class, List.of( secureRule(), disabledRule ) );
+
+			var result = session.createQuery(
+					"""
+					SELECT f.resourceId,
+						COALESCE(f.payload.disabled, false) = false AS enabled
+					FROM GcpFirewallRule f
+					""",
+					new TypeReference<Map<String, Object>>() {} ).getResultList();
+
+			assertThat( result ).hasSize( 2 );
+			assertThat( result ).extracting( r -> r.get( "enabled" ) )
+					.containsExactlyInAnyOrder( true, false );
+		}
+	}
+}

connector/google/gcp/container/build.gradle

@@ -0,0 +1,15 @@
+plugins {
+	id 'blaze-query.java-conventions'
+}
+
+dependencies {
+	api project(':blaze-query-core-api')
+	api project(':blaze-query-connector-google-gcp-base')
+	api platform(libs.gcp.bom)
+	api libs.gcp.container
+	testImplementation project(':blaze-query-core-impl')
+	testImplementation libs.junit.jupiter
+	testImplementation libs.assertj.core
+}
+
+description = 'blaze-query-connector-google-gcp-container'

connector/google/gcp/container/src/main/java/com/blazebit/query/connector/gcp/container/GcpContainerSchemaProvider.java

@@ -0,0 +1,30 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright Blazebit
+ */
+package com.blazebit.query.connector.gcp.container;
+
+import com.blazebit.query.spi.ConfigurationProvider;
+import com.blazebit.query.spi.DataFetcher;
+import com.blazebit.query.spi.QuerySchemaProvider;
+
+import java.util.Set;
+
+/**
+ * The schema provider for the GCP Container (GKE) connector.
+ *
+ * @author Blazebit
+ * @since 1.0.0
+ */
+public final class GcpContainerSchemaProvider implements QuerySchemaProvider {
+	/**
+	 * Creates a new schema provider.
+	 */
+	public GcpContainerSchemaProvider() {
+	}
+
+	@Override
+	public Set<? extends DataFetcher<?>> resolveSchemaObjects(ConfigurationProvider configurationProvider) {
+		return Set.of( GkeClusterDataFetcher.INSTANCE );
+	}
+}

connector/google/gcp/container/src/main/java/com/blazebit/query/connector/gcp/container/GcpGkeCluster.java

@@ -0,0 +1,25 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright Blazebit
+ */
+package com.blazebit.query.connector.gcp.container;
+
+import com.blazebit.query.connector.gcp.base.GcpWrapper;
+import com.google.container.v1.Cluster;
+
+/**
+ * Wrapper for a GCP GKE (Google Kubernetes Engine) cluster.
+ *
+ * @author Blazebit
+ * @since 1.0.0
+ */
+public class GcpGkeCluster extends GcpWrapper<Cluster> {
+	public GcpGkeCluster(String resourceId, Cluster cluster) {
+		super( resourceId, cluster );
+	}
+
+	@Override
+	public Cluster getPayload() {
+		return super.getPayload();
+	}
+}

connector/google/gcp/container/src/main/java/com/blazebit/query/connector/gcp/container/GkeClusterDataFetcher.java

@@ -0,0 +1,84 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright Blazebit
+ */
+package com.blazebit.query.connector.gcp.container;
+
+import com.blazebit.query.connector.base.DataFormats;
+import com.blazebit.query.connector.gcp.base.GcpConnectorConfig;
+import com.blazebit.query.connector.gcp.base.GcpConventionContext;
+import com.blazebit.query.connector.gcp.base.GcpProject;
+import com.blazebit.query.spi.DataFetchContext;
+import com.blazebit.query.spi.DataFetcher;
+import com.blazebit.query.spi.DataFetcherException;
+import com.blazebit.query.spi.DataFormat;
+import com.google.api.client.http.HttpResponseException;
+import com.google.api.gax.core.CredentialsProvider;
+import com.google.api.gax.rpc.PermissionDeniedException;
+import com.google.cloud.container.v1.ClusterManagerClient;
+import com.google.cloud.container.v1.ClusterManagerSettings;
+import com.google.container.v1.Cluster;
+import com.google.container.v1.ListClustersRequest;
+
+import java.io.IOException;
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Fetches GKE clusters for GCP projects.
+ *
+ * @author Blazebit
+ * @since 1.0.0
+ */
+public class GkeClusterDataFetcher implements DataFetcher<GcpGkeCluster>, Serializable {
+
+	public static final GkeClusterDataFetcher INSTANCE = new GkeClusterDataFetcher();
+
+	private GkeClusterDataFetcher() {
+	}
+
+	@Override
+	public List<GcpGkeCluster> fetch(DataFetchContext context) {
+		try {
+			List<CredentialsProvider> credentialsProviders = GcpConnectorConfig.GCP_CREDENTIALS_PROVIDER.getAll( context );
+			List<GcpGkeCluster> list = new ArrayList<>();
+			List<? extends GcpProject> projects = context.getSession().getOrFetch( GcpProject.class );
+			for ( CredentialsProvider credentialsProvider : credentialsProviders ) {
+				final ClusterManagerSettings settings = ClusterManagerSettings.newBuilder()
+						.setCredentialsProvider( credentialsProvider )
+						.build();
+				try (ClusterManagerClient client = ClusterManagerClient.create( settings )) {
+					for ( GcpProject project : projects ) {
+						try {
+							ListClustersRequest request = ListClustersRequest.newBuilder()
+									.setParent( "projects/" + project.getPayload().getProjectId() + "/locations/-" )
+									.build();
+							for ( Cluster cluster : client.listClusters( request ).getClustersList() ) {
+								list.add( new GcpGkeCluster( cluster.getName(), cluster ) );
+							}
+						}
+						catch (PermissionDeniedException e) {
+							if ( e.getCause() instanceof HttpResponseException
+									&& ((HttpResponseException) e.getCause()).getContent()
+									.contains( "\"accessNotConfigured\"" ) ) {
+								// Ignore this exception, since there are no resources
+								continue;
+							}
+							throw e;
+						}
+					}
+				}
+			}
+			return list;
+		}
+		catch (IOException e) {
+			throw new DataFetcherException( "Could not fetch GKE cluster list", e );
+		}
+	}
+
+	@Override
+	public DataFormat getDataFormat() {
+		return DataFormats.beansConvention( GcpGkeCluster.class, GcpConventionContext.INSTANCE );
+	}
+}