feat: add adapter for security policy (#1433)

omerdemirok · actions-user · commit b05257a12f03 · 2025-05-28T13:21:04.000Z
PR for issue: https://github.com/overmindtech/workspace/issues/1402 Features: Implements GCP Security Policy adapter Ensures adapter is tested GitOrigin-RevId: 62a0766d4152ab64e985a3cddd80f112bf1a8083
diff --git a/sources/gcp/adapters/adapters.go b/sources/gcp/adapters/adapters.go
@@ -50,6 +50,11 @@ func Adapters(ctx context.Context, projectID string, regions []string, zones []s
 		return nil, err
 	}
 
+	computeSecurityPolicyCli, err := compute.NewSecurityPoliciesRESTClient(ctx)
+	if err != nil {
+		return nil, err
+	}
+
 	backendServiceCli, err := compute.NewBackendServicesRESTClient(ctx)
 	if err != nil {
 		return nil, err
@@ -89,6 +94,7 @@ func Adapters(ctx context.Context, projectID string, regions []string, zones []s
 		sources.WrapperToAdapter(NewComputeBackendService(shared.NewComputeBackendServiceClient(backendServiceCli), projectID)),
 		sources.WrapperToAdapter(NewComputeImage(shared.NewComputeImagesClient(computeImagesCli), projectID)),
 		sources.WrapperToAdapter(NewComputeHealthCheck(shared.NewComputeHealthCheckClient(computeHealthCheckCli), projectID)),
+		sources.WrapperToAdapter(NewComputeSecurityPolicy(shared.NewComputeSecurityPolicyClient(computeSecurityPolicyCli), projectID)),
 	)
 
 	// Register the metadata for each adapter
diff --git a/sources/gcp/adapters/compute-security-policy.go b/sources/gcp/adapters/compute-security-policy.go
@@ -1,8 +1,150 @@
 package adapters
 
 import (
+	"context"
+	"errors"
+	"strconv"
+
+	"cloud.google.com/go/compute/apiv1/computepb"
+	"google.golang.org/api/iterator"
+
+	"github.com/overmindtech/cli/sdp-go"
+	"github.com/overmindtech/cli/sources"
 	gcpshared "github.com/overmindtech/cli/sources/gcp/shared"
 	"github.com/overmindtech/cli/sources/shared"
 )
 
-var ComputeSecurityPolicy = shared.NewItemType(gcpshared.GCP, gcpshared.Compute, gcpshared.SecurityPolicy)
+var (
+	ComputeSecurityPolicy = shared.NewItemType(gcpshared.GCP, gcpshared.Compute, gcpshared.SecurityPolicy)
+	ComputeRule           = shared.NewItemType(gcpshared.GCP, gcpshared.Compute, gcpshared.Rule)
+
+	ComputeSecurityPolicyLookupByName = shared.NewItemTypeLookup("name", ComputeSecurityPolicy)
+)
+
+type computeSecurityPolicyWrapper struct {
+	client gcpshared.ComputeSecurityPolicyClient
+
+	*gcpshared.ProjectBase
+}
+
+// NewComputeSecurityPolicy creates a new computeSecurityPolicyWrapper instance
+func NewComputeSecurityPolicy(client gcpshared.ComputeSecurityPolicyClient, projectID string) sources.ListableWrapper {
+	return &computeSecurityPolicyWrapper{
+		client: client,
+		ProjectBase: gcpshared.NewProjectBase(
+			projectID,
+			sdp.AdapterCategory_ADAPTER_CATEGORY_SECURITY,
+			ComputeSecurityPolicy,
+		),
+	}
+}
+
+// PotentialLinks returns the potential links for the compute forwarding rule wrapper
+func (c computeSecurityPolicyWrapper) PotentialLinks() map[shared.ItemType]bool {
+	return shared.NewItemTypesSet(
+		ComputeRule,
+	)
+}
+
+// TerraformMappings returns the Terraform mappings for the compute security policy wrapper
+func (c computeSecurityPolicyWrapper) TerraformMappings() []*sdp.TerraformMapping {
+	return []*sdp.TerraformMapping{
+		{
+			TerraformMethod:   sdp.QueryMethod_GET,
+			TerraformQueryMap: "google_compute_security_policy.name",
+		},
+	}
+}
+
+// GetLookups returns the lookups for the compute security policy wrapper
+func (c computeSecurityPolicyWrapper) GetLookups() sources.ItemTypeLookups {
+	return sources.ItemTypeLookups{
+		ComputeSecurityPolicyLookupByName,
+	}
+}
+
+// Get retrieves a compute security policy by its name
+func (c computeSecurityPolicyWrapper) Get(ctx context.Context, queryParts ...string) (*sdp.Item, *sdp.QueryError) {
+	req := &computepb.GetSecurityPolicyRequest{
+		Project:        c.ProjectID(),
+		SecurityPolicy: queryParts[0],
+	}
+
+	securityPolicy, err := c.client.Get(ctx, req)
+	if err != nil {
+		return nil, gcpshared.QueryError(err)
+	}
+
+	item, sdpErr := c.gcpComputeSecurityPolicyToSDPItem(securityPolicy)
+	if sdpErr != nil {
+		return nil, sdpErr
+	}
+
+	return item, nil
+}
+
+// List lists compute security policies and converts them to sdp.Items.
+func (c computeSecurityPolicyWrapper) List(ctx context.Context) ([]*sdp.Item, *sdp.QueryError) {
+	it := c.client.List(ctx, &computepb.ListSecurityPoliciesRequest{
+		Project: c.ProjectID(),
+	})
+
+	var items []*sdp.Item
+	for {
+		securityPolicy, err := it.Next()
+		if errors.Is(err, iterator.Done) {
+			break
+		}
+		if err != nil {
+			return nil, gcpshared.QueryError(err)
+		}
+
+		item, sdpErr := c.gcpComputeSecurityPolicyToSDPItem(securityPolicy)
+		if sdpErr != nil {
+			return nil, sdpErr
+		}
+
+		items = append(items, item)
+	}
+
+	return items, nil
+}
+
+// gcpComputeSecurityPolicyToSDPItem converts a GCP Security Policy to an SDP Item
+func (c computeSecurityPolicyWrapper) gcpComputeSecurityPolicyToSDPItem(securityPolicy *computepb.SecurityPolicy) (*sdp.Item, *sdp.QueryError) {
+	attributes, err := shared.ToAttributesWithExclude(securityPolicy, "labels")
+	if err != nil {
+		return nil, &sdp.QueryError{
+			ErrorType:   sdp.QueryError_OTHER,
+			ErrorString: err.Error(),
+		}
+	}
+
+	sdpItem := &sdp.Item{
+		Type:            ComputeSecurityPolicy.String(),
+		UniqueAttribute: "name",
+		Attributes:      attributes,
+		Scope:           c.DefaultScope(),
+		Tags:            securityPolicy.GetLabels(),
+	}
+
+	// Link to associated rules
+	// API Reference: https://cloud.google.com/compute/docs/reference/rest/v1/securityPolicies/getRule
+	// Rules can be inserted into a security policy using the following API call:
+	// GET https://compute.googleapis.com/compute/v1/projects/{project}/global/securityPolicies/{securityPolicy}/getRule
+	for _, rule := range securityPolicy.GetRules() {
+		policyName := securityPolicy.GetName()
+		rulePriority := strconv.Itoa(int(rule.GetPriority()))
+		sdpItem.LinkedItemQueries = append(sdpItem.LinkedItemQueries, &sdp.LinkedItemQuery{
+			Query: &sdp.Query{
+				Type:   ComputeRule.String(),
+				Method: sdp.QueryMethod_GET,
+				Query:  shared.CompositeLookupKey(policyName, rulePriority),
+				Scope:  c.ProjectID(),
+			},
+			BlastPropagation: &sdp.BlastPropagation{In: false, Out: true},
+		})
+
+	}
+	return sdpItem, nil
+}
diff --git a/sources/gcp/adapters/compute-security-policy_test.go b/sources/gcp/adapters/compute-security-policy_test.go
@@ -0,0 +1,106 @@
+package adapters_test
+
+import (
+	"context"
+	"testing"
+
+	"cloud.google.com/go/compute/apiv1/computepb"
+	"go.uber.org/mock/gomock"
+	"google.golang.org/api/iterator"
+	"k8s.io/utils/ptr"
+
+	"github.com/overmindtech/cli/sdp-go"
+	"github.com/overmindtech/cli/sources"
+	"github.com/overmindtech/cli/sources/gcp/adapters"
+	"github.com/overmindtech/cli/sources/gcp/shared/mocks"
+	"github.com/overmindtech/cli/sources/shared"
+)
+
+func TestComputeSecurityPolicy(t *testing.T) {
+	ctx := context.Background()
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	mockClient := mocks.NewMockComputeSecurityPolicyClient(ctrl)
+	projectID := "test-project-id"
+
+	t.Run("Get", func(t *testing.T) {
+		wrapper := adapters.NewComputeSecurityPolicy(mockClient, projectID)
+
+		mockClient.EXPECT().Get(ctx, gomock.Any()).Return(createComputeSecurityPolicy("test-security-policy"), nil)
+
+		adapter := sources.WrapperToAdapter(wrapper)
+
+		sdpItem, qErr := adapter.Get(ctx, wrapper.Scopes()[0], "test-security-policy", true)
+		if qErr != nil {
+			t.Fatalf("Expected no error, got: %v", qErr)
+		}
+
+		if sdpItem.GetTags()["env"] != "test" {
+			t.Fatalf("Expected tag 'env=test', got: %v", sdpItem.GetTags()["env"])
+		}
+
+		t.Run("StaticTests", func(t *testing.T) {
+			queryTests := shared.QueryTests{
+				{
+					ExpectedType:   adapters.ComputeRule.String(),
+					ExpectedMethod: sdp.QueryMethod_GET,
+					ExpectedQuery:  "test-security-policy|1000",
+					ExpectedScope:  projectID,
+					ExpectedBlastPropagation: &sdp.BlastPropagation{
+						In:  false,
+						Out: true,
+					},
+				},
+			}
+
+			shared.RunStaticTests(t, adapter, sdpItem, queryTests)
+		})
+	})
+
+	t.Run("List", func(t *testing.T) {
+		wrapper := adapters.NewComputeSecurityPolicy(mockClient, projectID)
+
+		adapter := sources.WrapperToAdapter(wrapper)
+
+		mockComputeIterator := mocks.NewMockComputeSecurityPolicyIterator(ctrl)
+
+		mockComputeIterator.EXPECT().Next().Return(createComputeSecurityPolicy("test-security-policy-1"), nil)
+		mockComputeIterator.EXPECT().Next().Return(createComputeSecurityPolicy("test-security-policy-2"), nil)
+		mockComputeIterator.EXPECT().Next().Return(nil, iterator.Done)
+
+		mockClient.EXPECT().List(ctx, gomock.Any()).Return(mockComputeIterator)
+
+		sdpItems, err := adapter.List(ctx, wrapper.Scopes()[0], true)
+		if err != nil {
+			t.Fatalf("Expected no error, got: %v", err)
+		}
+
+		if len(sdpItems) != 2 {
+			t.Fatalf("Expected 2 items, got: %d", len(sdpItems))
+		}
+
+		for _, item := range sdpItems {
+			if item.Validate() != nil {
+				t.Fatalf("Expected no validation error, got: %v", item.Validate())
+			}
+
+			if item.GetTags()["env"] != "test" {
+				t.Fatalf("Expected tag 'env=test', got: %s", item.GetTags()["env"])
+			}
+		}
+	})
+}
+
+func createComputeSecurityPolicy(policyName string) *computepb.SecurityPolicy {
+	return &computepb.SecurityPolicy{
+		Name:   ptr.To(policyName),
+		Labels: map[string]string{"env": "test"},
+		Rules: []*computepb.SecurityPolicyRule{
+			{
+				Priority: ptr.To(int32(1000)),
+			},
+		},
+		Region: ptr.To("us-central1"),
+	}
+}
diff --git a/sources/gcp/shared/compute-clients.go b/sources/gcp/shared/compute-clients.go
@@ -383,3 +383,35 @@ func (c computeReservationClient) Get(ctx context.Context, req *computepb.GetRes
 func (c computeReservationClient) List(ctx context.Context, req *computepb.ListReservationsRequest, opts ...gax.CallOption) ComputeReservationIterator {
 	return c.client.List(ctx, req, opts...)
 }
+
+// ComputeSecurityPolicyIterator is an interface for iterating over compute security policies
+type ComputeSecurityPolicyIterator interface {
+	Next() (*computepb.SecurityPolicy, error)
+}
+
+// ComputeSecurityPolicyClient is an interface for the Compute Security Policies client
+type ComputeSecurityPolicyClient interface {
+	Get(ctx context.Context, req *computepb.GetSecurityPolicyRequest, opts ...gax.CallOption) (*computepb.SecurityPolicy, error)
+	List(ctx context.Context, req *computepb.ListSecurityPoliciesRequest, opts ...gax.CallOption) ComputeSecurityPolicyIterator
+}
+
+type computeSecurityPolicyClient struct {
+	client *compute.SecurityPoliciesClient
+}
+
+// NewComputeSecurityPolicyClient creates a new ComputeSecurityPolicyClient
+func NewComputeSecurityPolicyClient(securityPolicyClient *compute.SecurityPoliciesClient) ComputeSecurityPolicyClient {
+	return &computeSecurityPolicyClient{
+		client: securityPolicyClient,
+	}
+}
+
+// Get retrieves a compute security policy
+func (c computeSecurityPolicyClient) Get(ctx context.Context, req *computepb.GetSecurityPolicyRequest, opts ...gax.CallOption) (*computepb.SecurityPolicy, error) {
+	return c.client.Get(ctx, req, opts...)
+}
+
+// List lists compute security policies and returns an iterator
+func (c computeSecurityPolicyClient) List(ctx context.Context, req *computepb.ListSecurityPoliciesRequest, opts ...gax.CallOption) ComputeSecurityPolicyIterator {
+	return c.client.List(ctx, req, opts...)
+}
diff --git a/sources/gcp/shared/mocks/mock_compute_instance_client.go b/sources/gcp/shared/mocks/mock_compute_instance_client.go
diff --git a/sources/gcp/shared/models.go b/sources/gcp/shared/models.go
