artifact vpcsc entities and relationships added

docs/jupiterone.md

@@ -91,7 +91,6 @@ all of the supported data into JupiterOne:
 | [spanner](https://console.developers.google.com/apis/library/spanner.googleapis.com)                           | spanner.googleapis.com              |
 | [storage](https://console.developers.google.com/apis/library/storage.googleapis.com)                           | storage.googleapis.com              |
 | [websecurityscanner](https://console.developers.google.com/apis/library/websecurityscanner.googleapis.com)     | websecurityscanner.googleapis.com   |
-
 <!-- {J1_APIS_DOCUMENTATION_LINKS_MARKER_END} -->
 
 Google Cloud service APIs can be enabled using one of the following methods:
@@ -116,7 +115,7 @@ integration supports:
 **NOTE**: You can only enable 20 services at a time.
 
 <!-- {J1_APIS_DOCUMENTATION_MARKER_START} -->
-
+    
 ```
 gcloud services enable \
  accesscontextmanager.googleapis.com \
@@ -154,8 +153,7 @@ gcloud services enable \
  spanner.googleapis.com \
  storage.googleapis.com \
  websecurityscanner.googleapis.com
-```
-
+  ```
 <!-- {J1_APIS_DOCUMENTATION_MARKER_END} -->
 
 #### Creating Google Cloud project service account
@@ -746,5 +744,4 @@ permissions can be used to provision only the required ones:
 | `spanner.instances.list`                                |
 | `storage.buckets.getIamPolicy`                          |
 | `storage.buckets.list`                                  |
-
 <!-- {J1_PERMISSIONS_DOCUMENTATION_MARKER_END} -->

src/getStepStartStates.ts

@@ -222,11 +222,13 @@ import {
   STEP_ARTIFACT_REGISTRY_REPOSITORY_USES_KMS_KEY_RELATIONSHIP,
   STEP_ARTIFACT_REGISTRY_REPOSITORY_USES_NPM_PACKAGE_RELATIONSHIP,
   STEP_ARTIFACT_REGISTRY_REPOSITORY_USES_PACKAGE_RELATIONSHIP,
-  STEP_ARTIFACT_REGISTRY_VPCSC_CONFIGURATION,
+  STEP_ARTIFACT_REGISTRY_VPCSC,
   STEP_ARTIFACT_REPOSIOTRY_PACKAGE,
   STEP_ARTIFACT_REPOSITROY_PACKAGE_IS_NPM_PACKAGE_RELATIONSHIP,
+  STEP_PROJECT_ASSIGNED_ARTIFACT_REGISTRY_VPCSC_POLICY_RELATIONSHIP,
   STEP_PROJECT_HAS_ARTIFACT_REGISTRY_RELATIONSHIP,
   STEP_PROJECT_HAS_ARTIFACT_REGISTRY_REPOSITORY_RELATIONSHIP,
+  STEP_PROJECT_USES_ARTIFACT_REGISTRY_VPCSC_CONFIG_RELATIONSHIP,
 } from './steps/artifact-registry/constants';
 import { artifactRegistrySteps } from './steps/artifact-registry';
 
@@ -554,7 +556,7 @@ function getDefaultStepStartStates(params: {
     [STEP_ARTIFACT_REGISTRY]: {
       disabled: false,
     },
-    [STEP_ARTIFACT_REGISTRY_VPCSC_CONFIGURATION]: {
+    [STEP_ARTIFACT_REGISTRY_VPCSC]: {
       disabled: false,
     },
     [STEP_PROJECT_HAS_ARTIFACT_REGISTRY_REPOSITORY_RELATIONSHIP]: {
@@ -575,6 +577,12 @@ function getDefaultStepStartStates(params: {
     [STEP_ARTIFACT_REPOSITROY_PACKAGE_IS_NPM_PACKAGE_RELATIONSHIP]: {
       disabled: false,
     },
+    [STEP_PROJECT_ASSIGNED_ARTIFACT_REGISTRY_VPCSC_POLICY_RELATIONSHIP]: {
+      disabled: false,
+    },
+    [STEP_PROJECT_USES_ARTIFACT_REGISTRY_VPCSC_CONFIG_RELATIONSHIP]: {
+      disabled: false,
+    },
   };
 
   logger.info(
@@ -867,9 +875,13 @@ async function getStepStartStatesUsingServiceEnablements(params: {
     [STEP_ARTIFACT_REGISTRY]: createOrgStepStartState(
       ServiceUsageName.ARTIFACT_REGISTRY,
     ),
-    [STEP_ARTIFACT_REGISTRY_VPCSC_CONFIGURATION]: createOrgStepStartState(
+    [STEP_ARTIFACT_REGISTRY_VPCSC]: createOrgStepStartState(
       ServiceUsageName.ARTIFACT_REGISTRY,
     ),
+    [STEP_PROJECT_ASSIGNED_ARTIFACT_REGISTRY_VPCSC_POLICY_RELATIONSHIP]:
+      createOrgStepStartState(ServiceUsageName.ARTIFACT_REGISTRY),
+    [STEP_PROJECT_USES_ARTIFACT_REGISTRY_VPCSC_CONFIG_RELATIONSHIP]:
+      createOrgStepStartState(ServiceUsageName.ARTIFACT_REGISTRY),
     [STEP_PROJECT_HAS_ARTIFACT_REGISTRY_REPOSITORY_RELATIONSHIP]:
       createOrgStepStartState(ServiceUsageName.ARTIFACT_REGISTRY),
     [STEP_PROJECT_HAS_ARTIFACT_REGISTRY_RELATIONSHIP]: createOrgStepStartState(

src/index.test.ts

@@ -189,11 +189,13 @@ import {
   STEP_ARTIFACT_REGISTRY_REPOSITORY_USES_KMS_KEY_RELATIONSHIP,
   STEP_ARTIFACT_REGISTRY_REPOSITORY_USES_NPM_PACKAGE_RELATIONSHIP,
   STEP_ARTIFACT_REGISTRY_REPOSITORY_USES_PACKAGE_RELATIONSHIP,
-  STEP_ARTIFACT_REGISTRY_VPCSC_CONFIGURATION,
+  STEP_ARTIFACT_REGISTRY_VPCSC,
   STEP_ARTIFACT_REPOSIOTRY_PACKAGE,
   STEP_ARTIFACT_REPOSITROY_PACKAGE_IS_NPM_PACKAGE_RELATIONSHIP,
+  STEP_PROJECT_ASSIGNED_ARTIFACT_REGISTRY_VPCSC_POLICY_RELATIONSHIP,
   STEP_PROJECT_HAS_ARTIFACT_REGISTRY_RELATIONSHIP,
   STEP_PROJECT_HAS_ARTIFACT_REGISTRY_REPOSITORY_RELATIONSHIP,
+  STEP_PROJECT_USES_ARTIFACT_REGISTRY_VPCSC_CONFIG_RELATIONSHIP,
 } from './steps/artifact-registry/constants';
 
 describe('#getStepStartStates success', () => {
@@ -670,7 +672,7 @@ describe('#getStepStartStates success', () => {
         [STEP_ARTIFACT_REGISTRY]: {
           disabled: false,
         },
-        [STEP_ARTIFACT_REGISTRY_VPCSC_CONFIGURATION]: {
+        [STEP_ARTIFACT_REGISTRY_VPCSC]: {
           disabled: false,
         },
         [STEP_PROJECT_HAS_ARTIFACT_REGISTRY_REPOSITORY_RELATIONSHIP]: {
@@ -691,6 +693,12 @@ describe('#getStepStartStates success', () => {
         [STEP_ARTIFACT_REPOSITROY_PACKAGE_IS_NPM_PACKAGE_RELATIONSHIP]: {
           disabled: false,
         },
+        [STEP_PROJECT_ASSIGNED_ARTIFACT_REGISTRY_VPCSC_POLICY_RELATIONSHIP]: {
+          disabled: false,
+        },
+        [STEP_PROJECT_USES_ARTIFACT_REGISTRY_VPCSC_CONFIG_RELATIONSHIP]: {
+          disabled: false,
+        },
       };
       expect(stepStartStates).toEqual(expectedStepStartStates);
     },

src/steps/artifact-registry/client.ts

@@ -3,7 +3,7 @@ import { Client } from '../../google-cloud/client';
 import {
   ARTIFACT_REGISTRY_LOCATIONS,
   STEP_ARTIFACT_REGISTRY_REPOSITORY,
-  STEP_ARTIFACT_REGISTRY_VPCSC_CONFIGURATION,
+  STEP_ARTIFACT_REGISTRY_VPCSC,
   STEP_ARTIFACT_REPOSIOTRY_PACKAGE,
   artifactRegistryPermissions,
 } from './constants';
@@ -82,7 +82,7 @@ export class artifactRegistryClient extends Client {
         async (data: artifactregistry_v1.Schema$VPCSCConfig) => {
           await callback(data);
         },
-        STEP_ARTIFACT_REGISTRY_VPCSC_CONFIGURATION,
+        STEP_ARTIFACT_REGISTRY_VPCSC,
         artifactRegistryPermissions.STEP_ARTIFACT_REGISTRY_VPCSC_CONFIGURATION,
       );
     });

src/steps/artifact-registry/constants.ts

@@ -14,8 +14,7 @@ export const STEP_ARTIFACT_REGISTRY = 'fetch-artifact-registry';
 export const ARTIFACT_REGISTRY_CLASS = ['Service'];
 export const ARTIFACT_REGISTRY_TYPE = 'google_cloud_artifact_registry';
 
-export const STEP_ARTIFACT_REGISTRY_VPCSC_CONFIGURATION =
-  'fetch-artifact-registry-vpcsc-configuration';
+export const STEP_ARTIFACT_REGISTRY_VPCSC = 'fetch-artifact-registry-vpcsc';
 export const ARTIFACT_REGISTRY_VPCSC_CONFIGURATION_CLASS = ['Configuration'];
 export const ARTIFACT_REGISTRY_VPCSC_CONFIGURATION_TYPE =
   'google_cloud_artifact_registry_vpcsc_configuration';
@@ -50,6 +49,22 @@ export const STEP_ARTIFACT_REPOSITROY_PACKAGE_IS_NPM_PACKAGE_RELATIONSHIP =
 export const RELATIONSHIP_ARTIFACT_REPOSITORY_PACKAGE_IS_NPM_PACKAGE_TYPE =
   'google_cloud_artifact_registry_package_is_npm_package';
 
+export const ARTIFACT_REGISTRY_VPCSC_POLICY_TYPE =
+  'google_cloud_artifact_registry_vpcsc_policy';
+export const ARTIFACT_REGISTRY_VPCSC_POLICY_CLASS = ['Configuration'];
+
+export const RELATIONSHIP_TYPE_VPCSC_CONFIG_ASSIGNED_POLICY =
+  'google_cloud_artifact_registry_vpcsc_configuration_assigned_policy';
+
+export const STEP_PROJECT_USES_ARTIFACT_REGISTRY_VPCSC_CONFIG_RELATIONSHIP =
+  'build-project-uses-artifact-registry-vpcsc-config-relationship';
+export const RELATIONSHIP_TYPE_PROJECT_USES_ARTIFACT_REGISTRY_VPCSC_CONFIG =
+  'google_cloud_project_uses_artifact_registry_vpcsc_configuration';
+export const STEP_PROJECT_ASSIGNED_ARTIFACT_REGISTRY_VPCSC_POLICY_RELATIONSHIP =
+  'build-project-assigned-artifact-registry-vpcsc-policy-relationship';
+export const RELATIONSHIP_TYPE_PROJECT_ASSIGNED_ARTIFACT_REGISTRY_VPCSC_Policy =
+  'google_cloud_project_assigned_artifact_registry_vpcsc_policy';
+
 export const IngestionSources = {
   ARTIFACT_REGISTRY_REPOSITORY: 'artifact_registry_repositories',
   ARTIFACT_REPOSITORY_PACKAGE: 'artifact_repository_packages',
@@ -68,6 +83,10 @@ export const IngestionSources = {
     'artifact_registry_repository_uses_npm_package_relationship',
   ARTIFACT_REPOSITORY_PACKAGE_IS_NPM_PACKAGE_REALTIONSHIP:
     'artifact_repository_package_is_npm_package_relationship',
+  PROJECT_USES_ARTIFACT_REGISTRY_VPCSC_CONFIG_RELATIONSHIP:
+    'project_uses_artifact_registry_vpcsc_config_relationship',
+  PROJECT_ASSIGNED_ARTIFACT_REGISTRY_VPCSC_POLICY_RELATIONSHIP:
+    'project_assigned_artifact_registry_vpcsc_policy_relationship',
 };
 
 export const MonitoringIngestionConfig = {

src/steps/artifact-registry/converters.ts

@@ -7,6 +7,8 @@ import {
   ARTIFACT_REGISTRY_TYPE,
   ARTIFACT_REGISTRY_VPCSC_CONFIGURATION_CLASS,
   ARTIFACT_REGISTRY_VPCSC_CONFIGURATION_TYPE,
+  ARTIFACT_REGISTRY_VPCSC_POLICY_CLASS,
+  ARTIFACT_REGISTRY_VPCSC_POLICY_TYPE,
   ARTIFACT_REPOSITORY_PACKAGE_CLASS,
   ARTIFACT_REPOSITORY_PACKAGE_TYPE,
 } from './constants';
@@ -74,19 +76,54 @@ export function createArtifactRegistryEntity(
   });
 }
 
+function getVpcscPolicyStatus(data) {
+  if (
+    data.spec.restrictedServices.includes('artifactregistry.googleapis.com')
+  ) {
+    return 'DENY';
+  } else if (
+    data.spec?.vpcAccessibleServices?.allowedServices?.includes(
+      'artifactregistry.googleapis.com',
+    )
+  ) {
+    return 'ALLOW';
+  } else {
+    return 'VPCSC_POLICY_UNSPECIFIED';
+  }
+}
+
 export function createArtifactRegistryVpcscConfigEntity(
-  data: artifactregistry_v1.Schema$VPCSCConfig,
+  data,
   projectId: string,
 ) {
+  const vpcPolicyStatus = getVpcscPolicyStatus(data);
   return createGoogleCloudIntegrationEntity(data, {
     entityData: {
       source: data,
       assign: {
-        _key: data.name as string,
+        _key: `Artifact_VPC_SC_CONFIG:${data.title}`,
         _type: ARTIFACT_REGISTRY_VPCSC_CONFIGURATION_TYPE,
         _class: ARTIFACT_REGISTRY_VPCSC_CONFIGURATION_CLASS,
-        name: data.name,
-        vpcsc: data.vpcscPolicy,
+        name: data.title,
+        VPCSCPolicy: vpcPolicyStatus,
+        projectId: projectId,
+      },
+    },
+  });
+}
+
+export function createArtifactRegistryVpcPolicyEntity(data, projectId: string) {
+  const vpcPolicyStatus = getVpcscPolicyStatus(data);
+  return createGoogleCloudIntegrationEntity(data, {
+    entityData: {
+      source: data,
+      assign: {
+        _key: `Artifact_VPC_SC_Policy:${data.name.split('/')[1]}`,
+        _type: ARTIFACT_REGISTRY_VPCSC_POLICY_TYPE,
+        _class: ARTIFACT_REGISTRY_VPCSC_POLICY_CLASS,
+        name: `Artifact Policy: ${data.name.split('/')[1]}`,
+        VPCSCPolicy: vpcPolicyStatus,
+        projectId: projectId,
       },
     },
   });