Skip to content

Check if GCP bucket is publicly accessible #116

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
edops973 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Check if GCP bucket is publicly accessible #116

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion gcp/commands/bigquery.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ import (
)

var GCPBigQueryCommand = &cobra.Command{
Use: "bigquery",
Use: globals.GCP_BIGQUERY_MODULE_NAME,
Aliases: []string{},
Short: "Display Bigquery datasets and tables information",
Args: cobra.MinimumNArgs(0),
Expand Down
4 changes: 4 additions & 0 deletions gcp/commands/buckets.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ func (g GCPBucketsResults) TableFiles() []internal.TableFile {
"Name",
"Location",
"ProjectID",
"IsPublic?",
}

var body [][]string
Expand All @@ -46,6 +47,7 @@ func (g GCPBucketsResults) TableFiles() []internal.TableFile {
value.Name,
value.Location,
value.ProjectID,
value.IsPublic,
},
)
}
Expand Down Expand Up @@ -87,6 +89,8 @@ func runGCPBucketsCommand(cmd *cobra.Command, args []string) {

// Get the bucket info using the projectIDs and CloudStorageService
cs := CloudStorageService.New()
defer cs.Close()

var results []CloudStorageService.BucketInfo

// Set output params leveraging parent (gcp) pflag values
Expand Down
81 changes: 67 additions & 14 deletions gcp/services/cloudStorageService/cloudStorageService.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,20 @@ import (
)

type CloudStorageService struct {
// DataStoreService datastoreservice.DataStoreService
ctx context.Context
client *storage.Client
}

func New() *CloudStorageService {
return &CloudStorageService{}
ctx := context.Background()
client, err := storage.NewClient(ctx)
if err != nil {
panic(fmt.Sprintf("failed to create client: %v", err))
}
return &CloudStorageService{
ctx: ctx,
client: client,
}
}

// type ObjectInfo struct {
Expand All @@ -23,21 +32,16 @@ func New() *CloudStorageService {
// }

type BucketInfo struct {
Name string `json:"name"`
Location string `json:"location"`
ProjectID string `json:"projectID"`
Name string
Location string
ProjectID string
IsPublic string
}

// Buckets retrieves all buckets in the specified project.
func (cs *CloudStorageService) Buckets(projectID string) ([]BucketInfo, error) {
ctx := context.Background()
client, err := storage.NewClient(ctx)
if err != nil {
return nil, fmt.Errorf("Failed to create client: %v", err)
}
defer client.Close()

var buckets []BucketInfo
bucketIterator := client.Buckets(ctx, projectID)
bucketIterator := cs.client.Buckets(cs.ctx, projectID)
for {
battrs, err := bucketIterator.Next()
if err == iterator.Done {
Expand All @@ -46,12 +50,61 @@ func (cs *CloudStorageService) Buckets(projectID string) ([]BucketInfo, error) {
if err != nil {
return nil, err
}
bucket := BucketInfo{Name: battrs.Name, Location: battrs.Location, ProjectID: projectID}
bucket := BucketInfo{
Name: battrs.Name,
Location: battrs.Location,
ProjectID: projectID,
IsPublic: cs.isBucketPublic(battrs),
}
buckets = append(buckets, bucket)
}
return buckets, nil
}

// Close closes the Cloud Storage client.
func (cs *CloudStorageService) Close() error {
return cs.client.Close()
}

// isBucketPublic checks if a bucket is publicly accessible.
func (cs *CloudStorageService) isBucketPublic(bucketAttrs *storage.BucketAttrs) string {
if bucketAttrs.PublicAccessPrevention == storage.PublicAccessPreventionEnforced {
return "No"
}

if bucketAttrs.UniformBucketLevelAccess.Enabled {
// With Uniform Bucket-Level Access enabled, ACLs are disabled.
policy, err := cs.client.Bucket(bucketAttrs.Name).IAM().V3().Policy(cs.ctx)
if err != nil {
panic(err)
}

for _, binding := range policy.Bindings {
for _, member := range binding.Members {
if member == "allUsers" || member == "allAuthenticatedUsers" {
return fmt.Sprintf("Yes - IAM (%v)", member)
}
}
}
} else {
acls := bucketAttrs.ACL
for _, acl := range acls {
if acl.Entity == storage.AllUsers || acl.Entity == storage.AllAuthenticatedUsers {
return fmt.Sprintf("Yes - ACL (%v)", acl.Entity)
}
}

defaultAcls := bucketAttrs.DefaultObjectACL
for _, acl := range defaultAcls {
if acl.Entity == storage.AllUsers || acl.Entity == storage.AllAuthenticatedUsers {
return fmt.Sprintf("Yes - Default ACL (%v)", acl.Entity)
}
}
}

return "No"
}

// func (cs *CloudStorageService) BucketsWithMetaData(projectID string) (map[string][]BucketInfo, error) {
// buckets, _ := cs.Buckets(projectID)
// bucketInfos := make(map[string][]BucketInfo)
Expand Down