feat(cli): add hidden suppressions migrate gcp command (#1120)

* feat: Initial add of GCP suppression migration command

Signed-off-by: Ross <[email protected]>

* chore: fix issues with gcp migrate command

Signed-off-by: Ross <[email protected]>

* chore: Add aws-sdk-go-v2 ARN class to address AWS migration issue

Signed-off-by: Ross <[email protected]>

* chore: Update suppression migration commands and add tests

Signed-off-by: Ross <[email protected]>

* chore: Update unit test

Signed-off-by: Ross <[email protected]>

* chore: Comment convertResourceNamesSupConditions functionality

Signed-off-by: Ross <[email protected]>

* Apply suggestions from code review

Co-authored-by: Darren <[email protected]>

* chore: Add comments for discared AWS suppressions too

Signed-off-by: Ross <[email protected]>

* Update cli/cmd/suppressions_gcp.go

Co-authored-by: Darren <[email protected]>

Signed-off-by: Ross <[email protected]>
Co-authored-by: Darren <[email protected]>

Author: rmoles

cli/cmd/suppressions.go

@@ -19,7 +19,12 @@
 package cmd
 
 import (
+	"github.com/fatih/color"
+
+	"github.com/aws/aws-sdk-go-v2/aws/arn"
+	"github.com/lacework/go-sdk/api"
 	"github.com/spf13/cobra"
+	"golang.org/x/exp/slices"
 )
 
 var (
@@ -63,4 +68,192 @@ func init() {
 	// gcp
 	suppressionsCommand.AddCommand(suppressionsGcpCmd)
 	suppressionsGcpCmd.AddCommand(suppressionsListGcpCmd)
+	suppressionsGcpCmd.AddCommand(suppressionsMigrateGcpCmd)
+}
+
+func autoConvertSuppressions(convertedPolicyExceptions []map[string]api.PolicyException) {
+	cli.StartProgress("Creating policy exceptions...")
+	for _, exceptionMap := range convertedPolicyExceptions {
+		for policyId, exception := range exceptionMap {
+			response, err := cli.LwApi.V2.Policy.Exceptions.Create(policyId, exception)
+			if err != nil {
+				cli.Log.Debug(err, "unable to create exception")
+				cli.OutputHuman(color.RedString(
+					"Error creating policy exception to create exception. %s"),
+					err)
+				continue
+			}
+			cli.OutputHuman("Exception created for PolicyId: %s - ExceptionId: %s\n\n",
+				color.GreenString(policyId), color.BlueString(response.Data.ExceptionID))
+		}
+	}
+
+	cli.StopProgress()
+}
+
+func printPayloadsText(payloadsText []string) {
+	if len(payloadsText) >= 1 {
+		cli.OutputHuman(color.YellowString("#### Legacy Suppressions --> Exceptions payloads\n\n"))
+		for _, payload := range payloadsText {
+			cli.OutputHuman(color.GreenString("%s \n\n", payload))
+		}
+	} else {
+		cli.OutputHuman("No legacy suppressions found that could be migrated\n")
+	}
+}
+
+func printConvertedSuppressions(convertedSuppressions []map[string]api.PolicyException) {
+	if len(convertedSuppressions) >= 1 {
+		cli.OutputHuman(color.YellowString("#### Converted legacy suppressions in Policy Exception" +
+			" format" +
+			"\n"))
+		for _, exception := range convertedSuppressions {
+			err := cli.OutputJSON(exception)
+			if err != nil {
+				return
+			}
+		}
+		colorizeR := color.New(color.FgRed, color.Bold)
+		cli.OutputHuman(colorizeR.Sprintf("WARNING: Before continuing, " +
+			"please thoroughly inspect the above exceptions to ensure they are valid and" +
+			" required. By continuing, you accept liability for any compliance violations" +
+			" missed as a result of the above exceptions!\n\n"))
+
+	}
+}
+
+func printDiscardedSuppressions(discardedSuppressions []map[string]api.SuppressionV2) {
+	if len(discardedSuppressions) >= 1 {
+		cli.OutputHuman(color.YellowString("#### Discarded legacy suppressions\n"))
+		for _, suppression := range discardedSuppressions {
+			err := cli.OutputJSON(suppression)
+			if err != nil {
+				return
+			}
+		}
+	}
+}
+
+func convertSupCondition(supConditions []string, fieldKey string,
+	policyIdExceptionsTemplate []string) api.PolicyExceptionConstraint {
+	if len(supConditions) >= 1 && slices.Contains(
+		policyIdExceptionsTemplate, fieldKey) {
+
+		var condition []any
+		// verify for aws:
+		// if "ALL_ACCOUNTS" OR "ALL_REGIONS" is in the suppression condition slice
+		// verify for gcp:
+		// if "ALL_ORGANIZATIONS" OR "ALL_PROJECTS" is in the suppression condition slice
+		// if so we should ignore the supplied conditions and replace with a wildcard *
+		if (slices.Contains(supConditions, "ALL_ACCOUNTS") && fieldKey == "accountIds") ||
+			(slices.Contains(supConditions, "ALL_REGIONS") && fieldKey == "regionNames") {
+			condition = append(condition, "*")
+		} else if (slices.Contains(supConditions, "ALL_ORGANIZATIONS") && fieldKey == "organizations") ||
+			(slices.Contains(supConditions, "ALL_PROJECTS") && fieldKey == "projects") {
+			condition = append(condition, "*")
+		} else if fieldKey == "resourceNames" {
+			condition = convertResourceNamesSupConditions(supConditions)
+		} else if fieldKey == "resourceName" {
+			// resourceName singular is specific to GCP
+			condition = convertGcpResourceNameSupConditions(supConditions)
+		} else {
+			condition = convertToAnySlice(supConditions)
+		}
+
+		return api.PolicyExceptionConstraint{
+			FieldKey:    fieldKey,
+			FieldValues: condition,
+		}
+	}
+	return api.PolicyExceptionConstraint{}
+}
+
+func convertResourceNamesSupConditions(supConditions []string) []any {
+	var conditions []any
+	for _, condition := range supConditions {
+		ok := arn.IsARN(condition)
+		// If the legacy suppression resourceNames field contains an ARN, we should parse and pull
+		// out the resource name. ARNs are not supported in policy exceptions
+		if ok {
+			parsedEntry, _ := arn.Parse(condition)
+			condition = parsedEntry.Resource
+		}
+		conditions = append(conditions, condition)
+	}
+	return conditions
+}
+
+func convertGcpResourceNameSupConditions(supConditions []string) []any {
+	var conditions []any
+	for _, condition := range supConditions {
+		// skip this logic if we already have a wildcard
+		if condition != "*" {
+			// It appears that for GCP, the resourceName field for policy exceptions is in fact expecting
+			// users to provider the full GCP resource_id.
+			// Example resourceId: //compute.googleapis.com/projects/gke-project-01-c8403ba1/zones/us-central1-a/instances/squid-proxy
+			// This was not the case for legacy suppressions and in most cases it's unlikely that the
+			// users will have provided this. Instead, we are more likely to have
+			// the resource name provided. To cover this scenario we prepend the resource name
+			// from the legacy suppression with "*/" to make it match the resource name while
+			// wildcarding the rest of the resourceId
+			condition = "*/" + condition
+		}
+		conditions = append(conditions, condition)
+	}
+	return conditions
+}
+
+func convertSupConditionTags(supCondition []map[string]string, fieldKey string,
+	policyIdExceptionsTemplate []string) api.PolicyExceptionConstraint {
+	if len(supCondition) >= 1 && slices.Contains(
+		policyIdExceptionsTemplate, fieldKey) {
+
+		// api.PolicyExceptionConstraint expects []any for the FieldValues
+		// Therefore we need to take the supCondition []map[string]string and append each map to
+		// the new convertedTags []any var
+		var convertedTags []any
+		for _, tagMap := range supCondition {
+			convertedTags = append(convertedTags, tagMap)
+		}
+
+		return api.PolicyExceptionConstraint{
+			FieldKey:    fieldKey,
+			FieldValues: convertedTags,
+		}
+	}
+	return api.PolicyExceptionConstraint{}
+}
+
+func getPoliciesExceptionConstraintsMap() map[string][]string {
+	// get a list of all policies and parse the valid exception constraints and return a map of
+	// {"<policyId>": [<validPolicyConstraints>]}
+	policies, err := cli.LwApi.V2.Policy.List()
+	if err != nil {
+		return nil
+	}
+
+	policiesSupportedConstraints := make(map[string][]string)
+	for _, policy := range policies.Data {
+		exceptionConstraints := getPolicyExceptionConstraintsSlice(policy.ExceptionConfiguration)
+		policiesSupportedConstraints[policy.PolicyID] = exceptionConstraints
+	}
+
+	return policiesSupportedConstraints
+}
+
+func convertToAnySlice(slice []string) []any {
+	s := make([]interface{}, len(slice))
+	for i, v := range slice {
+		s[i] = v
+	}
+	return s
+}
+
+func updateDiscardedSupConditionsComments(suppressionInfo api.SuppressionV2, comment string) api.SuppressionV2 {
+	var updatedSupInfo api.SuppressionV2
+	for _, suppression := range suppressionInfo.SuppressionConditions {
+		suppression.Comment = comment
+		updatedSupInfo.SuppressionConditions = append(updatedSupInfo.SuppressionConditions, suppression)
+	}
+	return updatedSupInfo
 }

cli/cmd/suppressions_aws.go

@@ -29,7 +29,6 @@ import (
 	"github.com/lacework/go-sdk/api"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
-	"golang.org/x/exp/slices"
 )
 
 var (
@@ -297,7 +296,7 @@ func suppressionsAwsMigrate(_ *cobra.Command, _ []string) error {
 			return err
 		}
 		if confirm {
-			autoConvertAwsSuppressions(convertedPolicyExceptions)
+			autoConvertSuppressions(convertedPolicyExceptions)
 			printDiscardedSuppressions(discardedSuppressions)
 			cli.OutputHuman(color.GreenString("To view the newly created Exceptions, " +
 				"try running `lacework policy-exceptions list <policyId>"))
@@ -309,26 +308,6 @@ func suppressionsAwsMigrate(_ *cobra.Command, _ []string) error {
 	return nil
 }
 
-func autoConvertAwsSuppressions(convertedPolicyExceptions []map[string]api.PolicyException) {
-	cli.StartProgress("Creating policy exceptions ...")
-	for _, exceptionMap := range convertedPolicyExceptions {
-		for policyId, exception := range exceptionMap {
-			response, err := cli.LwApi.V2.Policy.Exceptions.Create(policyId, exception)
-			if err != nil {
-				cli.Log.Debug(err, "unable to create exception")
-				cli.OutputHuman(color.RedString(
-					"Error creating policy exception to create exception. %e"),
-					err)
-				continue
-			}
-			cli.OutputHuman("Exception created for PolicyId: %s - ExceptionId: %s\n\n",
-				color.GreenString(policyId), color.BlueString(response.Data.ExceptionID))
-		}
-	}
-
-	cli.StopProgress()
-}
-
 func convertAwsSuppressions(
 	suppressionsMap map[string]api.SuppressionV2,
 	policyExceptionsConstraintsMap map[string][]string,
@@ -348,6 +327,8 @@ func convertAwsSuppressions(
 		if !ok {
 			// when we don't have a mapped policy, add the legacy suppression info
 			if suppressionInfo.SuppressionConditions != nil {
+				suppressionInfo = updateDiscardedSupConditionsComments(suppressionInfo,
+					"Legacy suppression discarded as there is no equivalent policy")
 				discardedSuppressions = append(
 					discardedSuppressions,
 					map[string]api.SuppressionV2{id: suppressionInfo},
@@ -362,6 +343,20 @@ func convertAwsSuppressions(
 		// We then parse this into a list of constraints
 		policyIdExceptionsTemplate := policyExceptionsConstraintsMap[mappedPolicyId]
 		if policyIdExceptionsTemplate == nil {
+			// Updating the suppression conditions comments to make it clear why these were
+			// discarded
+			if len(suppressionInfo.SuppressionConditions) >= 1 {
+				suppressionInfo = updateDiscardedSupConditionsComments(suppressionInfo,
+					fmt.Sprintf("Legacy suppression discarded as the new policy: %s does not"+
+						" support exception conditions", mappedPolicyId))
+
+				// if the list of supported constraints is empty for a policy,
+				// we should let the customers know that we have discarded this suppression
+				discardedSuppressions = append(
+					discardedSuppressions,
+					map[string]api.SuppressionV2{id: suppressionInfo},
+				)
+			}
 			continue
 		}
 		if len(suppressionInfo.SuppressionConditions) >= 1 {
@@ -440,115 +435,3 @@ func convertAwsSuppressions(
 
 	return convertedPolicyExceptions, payloadsText, discardedSuppressions
 }
-
-func printPayloadsText(payloadsText []string) {
-	if len(payloadsText) >= 1 {
-		cli.OutputHuman(color.YellowString("#### Legacy Suppressions --> Exceptions payloads\n\n"))
-		for _, payload := range payloadsText {
-			cli.OutputHuman(color.GreenString("%s \n\n", payload))
-		}
-	} else {
-		cli.OutputHuman("No legacy suppressions found that could be migrated\n")
-	}
-}
-
-func printConvertedSuppressions(convertedSuppressions []map[string]api.PolicyException) {
-	if len(convertedSuppressions) >= 1 {
-		cli.OutputHuman(color.YellowString("#### Converted legacy suppressions in Policy Exception" +
-			" format" +
-			"\n"))
-		for _, exception := range convertedSuppressions {
-			err := cli.OutputJSON(exception)
-			if err != nil {
-				return
-			}
-		}
-		colorizeR := color.New(color.FgRed, color.Bold)
-		cli.OutputHuman(colorizeR.Sprintf("WARNING: Before continuing, " +
-			"please thoroughly inspect the above exceptions to ensure they are valid and" +
-			" required. By continuing, you accept liability for any compliance violations" +
-			" missed as a result of the above exceptions!\n\n"))
-
-	}
-}
-
-func printDiscardedSuppressions(discardedSuppressions []map[string]api.SuppressionV2) {
-	if len(discardedSuppressions) >= 1 {
-		cli.OutputHuman(color.YellowString("#### Discarded legacy suppressions\n"))
-		for _, suppression := range discardedSuppressions {
-			err := cli.OutputJSON(suppression)
-			if err != nil {
-				return
-			}
-		}
-	}
-}
-
-func convertSupCondition(supCondition []string, fieldKey string,
-	policyIdExceptionsTemplate []string) api.PolicyExceptionConstraint {
-	if len(supCondition) >= 1 && slices.Contains(
-		policyIdExceptionsTemplate, fieldKey) {
-
-		var condition []any
-		// verify if "ALL_ACCOUNTS" OR "ALL_REGIONS" is in the suppression condition slice
-		// if so we should ignore the supplied conditions and replace with a wildcard *
-		if (slices.Contains(supCondition, "ALL_ACCOUNTS") && fieldKey == "accountIds") ||
-			(slices.Contains(supCondition, "ALL_REGIONS") && fieldKey == "regionNames") {
-			condition = append(condition, "*")
-		} else {
-			condition = convertToAnySlice(supCondition)
-		}
-
-		return api.PolicyExceptionConstraint{
-			FieldKey:    fieldKey,
-			FieldValues: condition,
-		}
-	}
-	return api.PolicyExceptionConstraint{}
-}
-
-func convertSupConditionTags(supCondition []map[string]string, fieldKey string,
-	policyIdExceptionsTemplate []string) api.PolicyExceptionConstraint {
-	if len(supCondition) >= 1 && slices.Contains(
-		policyIdExceptionsTemplate, fieldKey) {
-
-		// api.PolicyExceptionConstraint expects []any for the FieldValues
-		// Therefore we need to take the supCondition []map[string]string and append each map to
-		// the new convertedTags []any var
-		var convertedTags []any
-		for _, tagMap := range supCondition {
-			convertedTags = append(convertedTags, tagMap)
-		}
-
-		return api.PolicyExceptionConstraint{
-			FieldKey:    fieldKey,
-			FieldValues: convertedTags,
-		}
-	}
-	return api.PolicyExceptionConstraint{}
-}
-
-func getPoliciesExceptionConstraintsMap() map[string][]string {
-	// get a list of all policies and parse the valid exception constraints and return a map of
-	// {"<policyId>": [<validPolicyConstraints>]}
-	policies, err := cli.LwApi.V2.Policy.List()
-	if err != nil {
-		return nil
-	}
-
-	policiesSupportedConstraints := make(map[string][]string)
-	for _, policy := range policies.Data {
-		exceptionConstraints := getPolicyExceptionConstraintsSlice(policy.ExceptionConfiguration)
-		policiesSupportedConstraints[policy.PolicyID] = exceptionConstraints
-	}
-
-	return policiesSupportedConstraints
-}
-
-func convertToAnySlice(slice []string) []any {
-	s := make([]interface{}, len(slice))
-	for i, v := range slice {
-		s[i] = v
-	}
-	return s
-}