fix(gcp): honour org-level aggregated sinks in logging_sink_created check (#11355)

Signed-off-by: Oleksandr Sanin <alexaaander.sanin@gmail.com>
Co-authored-by: Hugo P.Brito <hugopbrit@gmail.com>
Oleksandr_Sanin
2026-06-04 12:07:01 +02:00
parent eb7949c884
commit bcd282d3d0
5 changed files with 336 additions and 18 deletions
@@ -1,4 +1,4 @@
from unittest.mock import patch
from unittest.mock import MagicMock, patch
from prowler.providers.gcp.services.logging.logging_service import Logging
from tests.providers.gcp.gcp_fixtures import (
@@ -66,3 +66,74 @@ class TestLoggingService:
== "resource.type=gae_app AND severity>=ERROR"
)
assert logging_client.metrics[1].project_id == GCP_PROJECT_ID
def test_org_sinks_fetched_when_project_has_organization(self):
"""_get_org_sinks() appends org-level sinks when projects have an org."""
from prowler.providers.gcp.models import GCPOrganization, GCPProject
org_id = "999888777"
provider = set_mocked_gcp_provider(project_ids=[GCP_PROJECT_ID])
provider.projects = {
GCP_PROJECT_ID: GCPProject(
id=GCP_PROJECT_ID,
number="123456789012",
name="test",
labels={},
lifecycle_state="ACTIVE",
organization=GCPOrganization(id=org_id, name=f"organizations/{org_id}"),
)
}
mock_client = MagicMock()
mock_client.sinks().list().execute.return_value = {
"sinks": [
{
"name": "org-sink",
"destination": "storage.googleapis.com/org-bucket",
"filter": "all",
"includeChildren": True,
}
]
}
mock_client.sinks().list_next.return_value = None
mock_client.projects().metrics().list().execute.return_value = {"metrics": []}
mock_client.projects().metrics().list_next.return_value = None
with (
patch(
"prowler.providers.gcp.lib.service.service.GCPService.__is_api_active__",
new=mock_is_api_active,
),
patch(
"prowler.providers.gcp.lib.service.service.GCPService.__generate_client__",
return_value=mock_client,
),
):
logging_svc = Logging(provider)
org_sinks = [
s for s in logging_svc.sinks if s.project_id == f"organizations/{org_id}"
]
assert len(org_sinks) == 1
assert org_sinks[0].name == "org-sink"
assert org_sinks[0].include_children is True
assert org_sinks[0].filter == "all"
def test_org_sinks_skipped_when_no_organization(self):
"""_get_org_sinks() adds nothing when projects have no organization."""
with (
patch(
"prowler.providers.gcp.lib.service.service.GCPService.__is_api_active__",
new=mock_is_api_active,
),
patch(
"prowler.providers.gcp.lib.service.service.GCPService.__generate_client__",
new=mock_api_client,
),
):
logging_svc = Logging(set_mocked_gcp_provider(project_ids=[GCP_PROJECT_ID]))
org_sinks = [
s for s in logging_svc.sinks if s.project_id.startswith("organizations/")
]
assert org_sinks == []
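Review bot: Neither new test pins what `include_children` becomes when the API response omits `includeChildren`; the Logging REST API commonly leaves false-valued booleans out of the JSON, so the `org-sink` fixture in `test_org_sinks_fetched_when_project_has_organization` only exercises the `True` branch, and if `_get_org_sinks()` read the key with a truthy default, a non-propagating organization sink would later be counted as covering every child project. A third case built from the same fixture with the `includeChildren` key removed, asserting `assert org_sinks[0].include_children is False`, would close that gap. The single-project fixture also leaves untested whether two projects under the same organization cause the org's sinks to be listed once or twice, which presumably decides whether `logging_svc.sinks` carries duplicates. `_get_org_sinks()` itself is in another file and not part of this hunk.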
@@ -1,6 +1,6 @@
from unittest.mock import MagicMock, patch
from prowler.providers.gcp.models import GCPProject
from prowler.providers.gcp.models import GCPOrganization, GCPProject
from tests.providers.gcp.gcp_fixtures import (
GCP_EU1_LOCATION,
GCP_PROJECT_ID,
@@ -268,6 +268,7 @@ class Test_logging_sink_created:
sink.name = None
sink.filter = "all"
sink.project_id = GCP_PROJECT_ID
sink.include_children = False
logging_client.project_ids = [GCP_PROJECT_ID]
logging_client.region = GCP_EU1_LOCATION
@@ -311,9 +312,10 @@ class Test_logging_sink_created:
)
# Create a MagicMock sink object without name attribute
sink = MagicMock(spec=["filter", "project_id"])
sink = MagicMock(spec=["filter", "project_id", "include_children"])
sink.filter = "all"
sink.project_id = GCP_PROJECT_ID
sink.include_children = False
logging_client.project_ids = [GCP_PROJECT_ID]
logging_client.region = GCP_EU1_LOCATION
@@ -336,3 +338,175 @@ class Test_logging_sink_created:
assert result[0].resource_id == "unknown"
assert result[0].project_id == GCP_PROJECT_ID
assert result[0].location == GCP_EU1_LOCATION
def test_org_level_sink_with_include_children_passes(self):
"""Projects covered by an org-level sink with includeChildren=True should PASS."""
logging_client = MagicMock()
org_id = "111222333"
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_gcp_provider(),
),
patch(
"prowler.providers.gcp.services.logging.logging_sink_created.logging_sink_created.logging_client",
new=logging_client,
),
):
from prowler.providers.gcp.services.logging.logging_service import Sink
from prowler.providers.gcp.services.logging.logging_sink_created.logging_sink_created import (
logging_sink_created,
)
logging_client.project_ids = [GCP_PROJECT_ID]
logging_client.region = GCP_EU1_LOCATION
logging_client.sinks = [
Sink(
name="org-sink",
destination="storage.googleapis.com/org-bucket",
filter="all",
project_id=f"organizations/{org_id}",
include_children=True,
)
]
logging_client.projects = {
GCP_PROJECT_ID: GCPProject(
id=GCP_PROJECT_ID,
number="123456789012",
name="test",
labels={},
lifecycle_state="ACTIVE",
organization=GCPOrganization(
id=org_id, name=f"organizations/{org_id}"
),
)
}
check = logging_sink_created()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Sink org-sink at organization level is exporting copies of all the log entries in project {GCP_PROJECT_ID}."
)
assert result[0].resource_id == "org-sink"
assert result[0].project_id == GCP_PROJECT_ID
assert result[0].location == GCP_EU1_LOCATION
def test_org_level_sink_without_include_children_fails(self):
"""Projects NOT covered by includeChildren should still FAIL if no direct project sink."""
logging_client = MagicMock()
org_id = "111222333"
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_gcp_provider(),
),
patch(
"prowler.providers.gcp.services.logging.logging_sink_created.logging_sink_created.logging_client",
new=logging_client,
),
):
from prowler.providers.gcp.services.logging.logging_service import Sink
from prowler.providers.gcp.services.logging.logging_sink_created.logging_sink_created import (
logging_sink_created,
)
logging_client.project_ids = [GCP_PROJECT_ID]
logging_client.region = GCP_EU1_LOCATION
logging_client.sinks = [
Sink(
name="org-sink-no-children",
destination="storage.googleapis.com/org-bucket",
filter="all",
project_id=f"organizations/{org_id}",
include_children=False,
)
]
logging_client.projects = {
GCP_PROJECT_ID: GCPProject(
id=GCP_PROJECT_ID,
number="123456789012",
name="test",
labels={},
lifecycle_state="ACTIVE",
organization=GCPOrganization(
id=org_id, name=f"organizations/{org_id}"
),
)
}
check = logging_sink_created()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"There are no logging sinks to export copies of all the log entries in project {GCP_PROJECT_ID}."
)
assert result[0].resource_id == GCP_PROJECT_ID
assert result[0].project_id == GCP_PROJECT_ID
def test_project_sink_takes_precedence_over_org_sink(self):
"""A direct project sink should be reported even when an org-level sink also covers the project."""
logging_client = MagicMock()
org_id = "111222333"
with (
patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_gcp_provider(),
),
patch(
"prowler.providers.gcp.services.logging.logging_sink_created.logging_sink_created.logging_client",
new=logging_client,
),
):
from prowler.providers.gcp.services.logging.logging_service import Sink
from prowler.providers.gcp.services.logging.logging_sink_created.logging_sink_created import (
logging_sink_created,
)
logging_client.project_ids = [GCP_PROJECT_ID]
logging_client.region = GCP_EU1_LOCATION
logging_client.sinks = [
Sink(
name="project-sink",
destination="storage.googleapis.com/project-bucket",
filter="all",
project_id=GCP_PROJECT_ID,
),
Sink(
name="org-sink",
destination="storage.googleapis.com/org-bucket",
filter="all",
project_id=f"organizations/{org_id}",
include_children=True,
),
]
logging_client.projects = {
GCP_PROJECT_ID: GCPProject(
id=GCP_PROJECT_ID,
number="123456789012",
name="test",
labels={},
lifecycle_state="ACTIVE",
organization=GCPOrganization(
id=org_id, name=f"organizations/{org_id}"
),
)
}
check = logging_sink_created()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Sink project-sink is enabled exporting copies of all the log entries in project {GCP_PROJECT_ID}."
)
assert result[0].resource_id == "project-sink"
assert result[0].project_id == GCP_PROJECT_ID
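Review bot: The org-level PASS case in `test_org_level_sink_with_include_children_passes` only uses `filter="all"`, so nothing pins that an organization sink with `include_children=True` but a narrower filter still yields FAIL, even though the PASS text claims copies of all log entries are exported; the existing tests setting `sink.filter = "all"` suggest the check does compare the filter, but that is not verified for the org path. A fourth test from the same fixture with `filter="severity>=ERROR"` and `include_children=True`, asserting `assert result[0].status == "FAIL"`, would pin it. The `_without_include_children_fails` and `_takes_precedence_over_org_sink` tests also drop the `assert result[0].location == GCP_EU1_LOCATION` line that the first new test and the earlier tests carry. The check logic these fixtures drive lives in another file, outside this hunk.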