Initial

.gitignore

@@ -0,0 +1,17 @@
+data
+
+.DS_Store
+
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Crown Copyright (Office for National Statistics)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,111 @@
+# Google Cloud Platform IAM role checker
+
+This tool allows you to gain an insight into what permissions a given user account, service account or group (collectively known as members in GCP) has across the resources within your organisation.
+
+## Prerequisites
+
+- Go 1.8+
+- Python 3.6+
+- Google Cloud SDK
+
+## Installation
+
+```
+go get github.com/ONSdigital/gcp-role-checker
+```
+
+## Basic usage
+
+```
+gcloud auth login
+
+cd ${GOPATH}/src/github.com/ONSdigital/gcp-role-checker
+
+python scripts/audit_service_accounts.py organizations/<my organisation id>
+```
+
+### Functionality
+
+This script will query a collection of Google's APIs to gather:
+
+- All projects in organisation
+- All folders in organisation
+- All built-in IAM roles
+- All custom IAM roles defined on the organisation and any projects and folders within it
+- All permission scopes associated with the roles
+- All IAM bindings (I.e. user/service account -> role) on the organisation and any projects and folders within it
+
+It will output the raw results to JSON files.
+
+The `audit_service_accounts.py` script will then use these files to print out a view of the data.
+
+## Parameters
+
+### --project_labels
+*Optional*
+
+Allows the projects queried to be restricted by labels.
+
+```
+python scripts/audit_service_accounts.py \
+    --project_labels=env:dev,project:foo \
+    organizations/999999999999
+```
+
+Labels are defined as key:value. Multiple labels can be added by comma-separating them; these will be ANDed together.
+
+This may be used to only audit projects used in production.
+
+### --data_dir
+*Optional*
+
+The directory used by the Go script to output the collected data. B
+
+Default: a `data` folder in the package root.
+
+### --limit
+*Optional*
+
+Limits the number of members to print in the output.
+
+Default: `10`
+
+### --member_type
+*Optional*
+
+Filters the members by their type.
+
+Supported values:
+
+- service_account
+- user_account
+- group
+
+
+### --skip_collect
+*Optional*
+
+Specifies whether to skip the data gathering step. Use this to avoid unnecessarily hammering the Google APIs.
+
+Is this is flagged then gathered data must already be available in the `--data_dir` directory.
+
+```
+python scripts/audit_service_accounts.py --skip_collect organizations/999999999999
+```
+
+### --sort_type
+*Optional*
+
+Alters the sort function used to order the members.
+
+Supported values:
+
+#### `total_sum`
+
+Sorts by the sum of all permissions an account holds across all resources. Useful to find members that have broad permissions across the organisation
+
+#### `top_sum`
+
+Sorts by the sum permissions an account has on its most-privileged resource. This will tend to highlight members with roles/owner access so best to use in conjunction with the `--member_type` parameter
+
+Default: `total_sum`

checker/bindings.go

@@ -0,0 +1,209 @@
+package checker
+
+import (
+	"fmt"
+	"log"
+	"sync"
+
+	"golang.org/x/net/context"
+	"golang.org/x/oauth2/google"
+	"google.golang.org/api/cloudresourcemanager/v1"
+	cloudresourcemanagerv2 "google.golang.org/api/cloudresourcemanager/v2"
+)
+
+// Role ...
+type Role struct {
+	Name            string `json:"name"`
+	PermissionCount int    `json:"permission_count"`
+}
+
+// Resource ...
+type Resource struct {
+	Name  string `json:"name"`
+	Roles []Role `json:"roles"`
+}
+
+// Member ...
+type Member struct {
+	Resources []Resource `json:"resources"`
+}
+
+// Merge ...
+func (member *Member) Merge(fromMember Member) {
+	member.Resources = append(member.Resources, fromMember.Resources...)
+}
+
+// AddResourceRole ...
+func (member *Member) AddResourceRole(resourceName string, role string, allRoles map[string][]string) {
+	permissionCount := 0
+	permissions, permOk := allRoles[role]
+	if permOk {
+		permissionCount = len(permissions)
+	}
+
+	resourceOk, resource := member.GetResourceByName(resourceName)
+
+	resource.Roles = append(resource.Roles, Role{Name: role, PermissionCount: permissionCount})
+	if !resourceOk {
+		member.Resources = append(member.Resources, *resource)
+	}
+}
+
+// GetResourceByName ...
+func (member *Member) GetResourceByName(resourceName string) (bool, *Resource) {
+	for _, resource := range member.Resources {
+		if resource.Name == resourceName {
+			return true, &resource
+		}
+	}
+	return false, &Resource{Name: resourceName}
+}
+
+func getAllBindings(ctx context.Context, organizationResource string, projects []cloudresourcemanager.Project, folderNames []string, allRoles map[string][]string) map[string]Member {
+	orgBindings := getOrgBindings(ctx, organizationResource, allRoles)
+	projectBindings := getProjectBindings(ctx, projects, allRoles)
+	folderBindings := getFolderBindings(folderNames, allRoles)
+
+	return mergeRoleMaps(map[string]Member{}, orgBindings, projectBindings, folderBindings)
+}
+
+func getProjectBindings(ctx context.Context, projects []cloudresourcemanager.Project, allRoles map[string][]string) map[string]Member {
+	cloudresourcemanagerService := getResourceServiceFromContext(ctx)
+
+	ch := make(chan map[string]Member, 16384)
+
+	var wg sync.WaitGroup
+	wg.Add(len(projects))
+	for _, project := range projects {
+		go func(project cloudresourcemanager.Project) {
+			rb := &cloudresourcemanager.GetIamPolicyRequest{}
+
+			resp, err := cloudresourcemanagerService.Projects.GetIamPolicy(project.ProjectId, rb).Context(ctx).Do()
+			if err != nil {
+				log.Printf("Error on project: %v", project.Name)
+				log.Fatal(err)
+			}
+
+			resourceName := fmt.Sprintf("projects/%s", project.ProjectId)
+			memberRoleMap := processPolicyResponse(resourceName, *resp, allRoles)
+
+			ch <- memberRoleMap
+
+			wg.Done()
+		}(project)
+	}
+
+	wg.Wait()
+	close(ch)
+
+	allMembers := map[string]Member{}
+	for memberRoleMap := range ch {
+		allMembers = mergeRoleMaps(allMembers, memberRoleMap)
+	}
+
+	return allMembers
+}
+
+func getOrgBindings(ctx context.Context, resource string, allRoles map[string][]string) map[string]Member {
+	cloudresourcemanagerService := getResourceServiceFromContext(ctx)
+	rb := &cloudresourcemanager.GetIamPolicyRequest{}
+
+	resp, err := cloudresourcemanagerService.Organizations.GetIamPolicy(resource, rb).Context(ctx).Do()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	return processPolicyResponse(resource, *resp, allRoles)
+}
+
+func getFolderBindings(folderNames []string, allRoles map[string][]string) map[string]Member {
+	ctx := context.Background()
+
+	c, err := google.DefaultClient(ctx, cloudresourcemanagerv2.CloudPlatformScope)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	cloudresourcemanagerService, err := cloudresourcemanagerv2.New(c)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	ch := make(chan map[string]Member, 16384)
+
+	var wg sync.WaitGroup
+	wg.Add(len(folderNames))
+
+	for _, folderName := range folderNames {
+		go func(folderName string) {
+			rb := &cloudresourcemanagerv2.GetIamPolicyRequest{}
+			resp, err := cloudresourcemanagerService.Folders.GetIamPolicy(folderName, rb).Context(ctx).Do()
+			if err != nil {
+				log.Fatal(err)
+			}
+
+			memberMap := processPolicyV2Response(folderName, *resp, allRoles)
+
+			ch <- memberMap
+
+			wg.Done()
+		}(folderName)
+	}
+	wg.Wait()
+	close(ch)
+
+	allMembers := map[string]Member{}
+	for memberMap := range ch {
+		allMembers = mergeRoleMaps(allMembers, memberMap)
+	}
+
+	return allMembers
+}
+
+func mergeRoleMaps(toMembers map[string]Member, fromMembers ...map[string]Member) map[string]Member {
+	for _, fromMember := range fromMembers {
+		for memberEmail, fromMember := range fromMember {
+			toMember, ok := toMembers[memberEmail]
+			if !ok {
+				toMember = Member{}
+			}
+			toMember.Merge(fromMember)
+			toMembers[memberEmail] = toMember
+		}
+	}
+
+	return toMembers
+}
+
+func processPolicyResponse(resourceName string, policy cloudresourcemanager.Policy, allRoles map[string][]string) map[string]Member {
+	memberMap := map[string]Member{}
+	for _, binding := range policy.Bindings {
+		for _, memberEmail := range binding.Members {
+			member, ok := memberMap[memberEmail]
+			if !ok {
+				member = Member{}
+			}
+			member.AddResourceRole(resourceName, binding.Role, allRoles)
+			memberMap[memberEmail] = member
+		}
+	}
+
+	return memberMap
+}
+
+// TODO: there must be a better way to do this
+func processPolicyV2Response(resourceName string, policy cloudresourcemanagerv2.Policy, allRoles map[string][]string) map[string]Member {
+	memberMap := map[string]Member{}
+	for _, binding := range policy.Bindings {
+		for _, memberEmail := range binding.Members {
+			member, ok := memberMap[memberEmail]
+			if !ok {
+				member = Member{}
+			}
+			member.AddResourceRole(resourceName, binding.Role, allRoles)
+			memberMap[memberEmail] = member
+		}
+	}
+
+	return memberMap
+}