public void WhenFieldContentsAreMissing_ThenFieldsAreExtracted()
        {
            // Denied AuthorizeUser audit record with no 'requestMetadata' object and
            // empty 'authenticationInfo', 'request' and 'metadata' objects. Status
            // code 7 carries the message 'Permission Denied.'.
            var rawRecord = @"
             {
               'protoPayload': {
                 '@type': 'type.googleapis.com/google.cloud.audit.AuditLog',
                 'status': {
                   'code': 7,
                   'message': 'Permission Denied.'
                 },
                 'authenticationInfo': {
                 },
                 'serviceName': 'iap.googleapis.com',
                 'methodName': 'AuthorizeUser',
                 'resourceName': '312951312222222222',
                 'request': {
                 },
                 'metadata': {
                 }
               },
               'insertId': 'p92rcge2oepz',
               'resource': {
                 'type': 'gce_instance',
                 'labels': {
                   'instance_id': '312951312222222222',
                   'zone': 'us-central1-a',
                   'project_id': 'project-1'
                 }
               },
               'timestamp': '2020-10-01T09:35:50.563179268Z',
               'severity': 'ERROR',
               'logName': 'projects/project-1/logs/cloudaudit.googleapis.com%2Fdata_access',
               'operation': {
                 'id': '',
                 'producer': 'iap.googleapis.com'
               },
               'receiveTimestamp': '2020-10-01T09:35:51.222201769Z'
             }";

            var record = LogRecord.Deserialize(rawRecord);

            // A sparse record must still be recognised as a tunnel authorization
            // event, so that the denial stays visible to whoever reviews the log.
            Assert.IsTrue(AuthorizeUserTunnelEvent.IsAuthorizeUserEvent(record));

            var converted = record.ToEvent();
            var tunnelEvent = (AuthorizeUserTunnelEvent)converted;

            // Fields backed by the 'resource' labels, severity and status are populated.
            Assert.AreEqual(312951312222222222, tunnelEvent.InstanceId);
            Assert.AreEqual("us-central1-a", tunnelEvent.Zone);
            Assert.AreEqual("project-1", tunnelEvent.ProjectId);
            Assert.AreEqual("ERROR", tunnelEvent.Severity);
            Assert.AreEqual(7, tunnelEvent.Status.Code);

            // Fields that would come from the absent request metadata are null
            // rather than causing a failure.
            Assert.IsNull(tunnelEvent.SourceHost);
            Assert.IsNull(tunnelEvent.UserAgent);
            Assert.IsNull(tunnelEvent.DestinationHost);
            Assert.IsNull(tunnelEvent.DestinationPort);

            // The summary uses explicit "(unknown ...)" placeholders for the missing values.
            Assert.AreEqual("Authorize tunnel from (unknown) to (unknown host):(unknown port) using (unknown agent) [Permission Denied.]", tunnelEvent.Message);
        }
        public void WhenSeverityIsInfo_ThenFieldsAreExtracted()
        {
            // INFO-severity AuthorizeUser record for an IAP tunnel: 'status' is an
            // empty object, the single 'authorizationInfo' entry has 'granted': true,
            // and full request metadata is present.
            var rawRecord = @"
              {
               'protoPayload': {
                 '@type': 'type.googleapis.com/google.cloud.audit.AuditLog',
                 'status': {},
                 'authenticationInfo': {
                 },
                 'requestMetadata': {
                   'callerIp': '3.4.5.6',
                   'callerSuppliedUserAgent': 'IAP-Desktop/1.0.1.0 (Microsoft ...),gzip(gfe)',
                   'requestAttributes': {
                     'time': '2020-09-30T09:35:39.114684837Z',
                     'auth': {}
                   },
                   'destinationAttributes': {
                     'ip': '10.0.0.1',
                     'port': '3389'
                   }
                 },
                 'serviceName': 'iap.googleapis.com',
                 'methodName': 'AuthorizeUser',
                 'authorizationInfo': [
                   {
                     'resource': 'projects/111/iap_tunnel/zones/us-central1-a/instances/312951312222222222',
                     'permission': 'iap.tunnelInstances.accessViaIAP',
                     'granted': true,
                     'resourceAttributes': {
                       'service': 'iap.googleapis.com',
                       'type': 'iap.googleapis.com/TunnelInstance'
                     }
                   }
                 ],
                 'resourceName': '312951312222222222',
                 'request': {
                   'httpRequest': {
                     'url': ''
                   },
                   '@type': 'type.googleapis.com/cloud.security.gatekeeper.AuthorizeUserRequest'
                 },
                 'metadata': {
                   'request_id': '10362245139430470968',
                   'unsatisfied_access_levels': [
                     'accessPolicies/1072146573138/accessLevels/Windows_10_in_Germany',
                     'accessPolicies/1072146573138/accessLevels/mTLS_client_certificate'
                   ],
                   'device_state': 'Unknown',
                   'device_id': ''
                 }
               },
               'insertId': '822bjve2s5t9',
               'resource': {
                 'type': 'gce_instance',
                 'labels': {
                   'instance_id': '312951312222222222',
                   'project_id': 'project-1',
                   'zone': 'us-central1-a'
                 }
               },
               'timestamp': '2020-09-30T09:35:39.102788424Z',
               'severity': 'INFO',
               'logName': 'projects/project-1/logs/cloudaudit.googleapis.com%2Fdata_access',
               'operation': {
                 'id': 'C6FU-2MNF-BVJL-2EGL-5MVS-IOMS',
                 'producer': 'iap.googleapis.com'
               },
               'receiveTimestamp': '2020-09-30T09:35:39.345791898Z'
             }";

            var record = LogRecord.Deserialize(rawRecord);

            Assert.IsTrue(AuthorizeUserTunnelEvent.IsAuthorizeUserEvent(record));

            var converted = record.ToEvent();
            var tunnelEvent = (AuthorizeUserTunnelEvent)converted;

            Assert.AreEqual(312951312222222222, tunnelEvent.InstanceId);
            Assert.AreEqual("us-central1-a", tunnelEvent.Zone);
            Assert.AreEqual("project-1", tunnelEvent.ProjectId);
            Assert.AreEqual("INFO", tunnelEvent.Severity);

            // An empty 'status' object surfaces as a null Status, not as a status with code 0.
            Assert.IsNull(tunnelEvent.Status);

            // Source, agent and destination are taken from 'requestMetadata'. The agent is
            // the 'callerSuppliedUserAgent' value, i.e. whatever the client chose to send.
            Assert.AreEqual("3.4.5.6", tunnelEvent.SourceHost);
            Assert.AreEqual("IAP-Desktop/1.0.1.0 (Microsoft ...),gzip(gfe)", tunnelEvent.UserAgent);
            Assert.AreEqual("10.0.0.1", tunnelEvent.DestinationHost);
            Assert.AreEqual("3389", tunnelEvent.DestinationPort);

            // The summary shows only the leading product token of the agent and, with no
            // status present, carries no bracketed status suffix.
            // NOTE(review): 'unsatisfied_access_levels' is present in the record but not
            // asserted here; whether the event exposes it is not visible from this test.
            Assert.AreEqual("Authorize tunnel from 3.4.5.6 to 10.0.0.1:3389 using IAP-Desktop/1.0.1.0", tunnelEvent.Message);
        }
        public void WhenRecordIsFromIapWeb_ThenIsAuthorizeUserEventReturnsFalse()
        {
            // AuthorizeUser record emitted for IAP web access: same serviceName and
            // methodName as a tunnel record, but the authorization resource is under
            // 'iap_web' and the monitored resource type is 'gce_backend_service'.
            var rawRecord = @"
             {
               'protoPayload': {
                 '@type': 'type.googleapis.com/google.cloud.audit.AuditLog',
                 'status': {
                   'code': 7,
                   'message': 'Permission Denied.'
                 },
                 'authenticationInfo': {},
                 'requestMetadata': {
                   'callerIp': '3.4.5.6',
                   'callerSuppliedUserAgent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64)',
                   'requestAttributes': {
                     'path': '/',
                     'host': 'foo.appspot.com',
                     'time': '2020-09-30T22:06:42.512958636Z',
                     'auth': {}
                   },
                   'destinationAttributes': {}
                 },
                 'serviceName': 'iap.googleapis.com',
                 'methodName': 'AuthorizeUser',
                 'authorizationInfo': [
                   {
                     'resource': 'projects/111/iap_web/compute/services/3154384839111111111/versions/bs_0',
                     'permission': 'iap.webServiceVersions.accessViaIAP',
                     'resourceAttributes': {
                       'service': 'iap.googleapis.com',
                       'type': 'iap.googleapis.com/WebServiceVersion'
                     }
                   }
                 ],
                 'resourceName': '3154384839111111111',
                 'request': {
                   'httpRequest': {
                     'url': 'https://foo.appspot.com/'
                   },
                   '@type': 'type.googleapis.com/cloud.security.gatekeeper.AuthorizeUserRequest'
                 },
                 'metadata': {
                   'device_state': 'Unknown',
                   'device_id': '',
                   'request_id': '111'
                 }
               },
               'insertId': '1ei33r8dzkm3',
               'resource': {
                 'type': 'gce_backend_service',
                 'labels': {
                   'project_id': 'project-1',
                   'backend_service_id': '',
                   'location': ''
                 }
               },
               'timestamp': '2020-09-30T22:06:42.508061205Z',
               'severity': 'ERROR',
               'logName': 'projects/project-1/logs/cloudaudit.googleapis.com%2Fdata_access',
               'receiveTimestamp': '2020-09-30T22:06:43.571840925Z'
             }";

            var record = LogRecord.Deserialize(rawRecord);

            // Matching on methodName alone would misreport web access denials as tunnel
            // events; the classifier has to reject this record.
            // NOTE(review): the discriminator is presumably the resource type or the
            // 'iap_web' resource path - confirm against IsAuthorizeUserEvent.
            var isTunnelAuthorization = AuthorizeUserTunnelEvent.IsAuthorizeUserEvent(record);
            Assert.IsFalse(isTunnelAuthorization);
        }
        public void WhenSeverityIsError_ThenFieldsAreExtracted()
        {
            // ERROR-severity AuthorizeUser record for an IAP tunnel: status code 7 with
            // message 'Permission Denied.', full request metadata, and a user agent
            // that consists only of 'gzip(gfe)'.
            var rawRecord = @"
             {
               'protoPayload': {
                 '@type': 'type.googleapis.com/google.cloud.audit.AuditLog',
                 'status': {
                   'code': 7,
                   'message': 'Permission Denied.'
                 },
                 'authenticationInfo': {
                 },
                 'requestMetadata': {
                   'callerIp': '3.4.5.6',
                   'callerSuppliedUserAgent': 'gzip(gfe)',
                   'requestAttributes': {
                     'time': '2020-10-01T09:35:50.570492291Z',
                     'auth': {}
                   },
                   'destinationAttributes': {
                     'ip': '10.0.0.1',
                     'port': '3389'
                   }
                 },
                 'serviceName': 'iap.googleapis.com',
                 'methodName': 'AuthorizeUser',
                 'authorizationInfo': [
                   {
                     'resource': 'projects/111/iap_tunnel/zones/us-central1-a/instances/312951312222222222',
                     'permission': 'iap.tunnelInstances.accessViaIAP',
                     'resourceAttributes': {
                       'service': 'iap.googleapis.com',
                       'type': 'iap.googleapis.com/TunnelInstance'
                     }
                   }
                 ],
                 'resourceName': '312951312222222222',
                 'request': {
                   'httpRequest': {
                     'url': ''
                   },
                   '@type': 'type.googleapis.com/cloud.security.gatekeeper.AuthorizeUserRequest'
                 },
                 'metadata': {
                   'device_state': 'Unknown',
                   'unsatisfied_access_levels': [],
                   'device_id': '',
                   'request_id': '6220373645367465577'
                 }
               },
               'insertId': 'p92rcge2oepz',
               'resource': {
                 'type': 'gce_instance',
                 'labels': {
                   'instance_id': '312951312222222222',
                   'zone': 'us-central1-a',
                   'project_id': 'project-1'
                 }
               },
               'timestamp': '2020-10-01T09:35:50.563179268Z',
               'severity': 'ERROR',
               'logName': 'projects/project-1/logs/cloudaudit.googleapis.com%2Fdata_access',
               'operation': {
                 'id': '',
                 'producer': 'iap.googleapis.com'
               },
               'receiveTimestamp': '2020-10-01T09:35:51.222201769Z'
             }";

            var record = LogRecord.Deserialize(rawRecord);

            Assert.IsTrue(AuthorizeUserTunnelEvent.IsAuthorizeUserEvent(record));

            var converted = record.ToEvent();
            var tunnelEvent = (AuthorizeUserTunnelEvent)converted;

            Assert.AreEqual(312951312222222222, tunnelEvent.InstanceId);
            Assert.AreEqual("us-central1-a", tunnelEvent.Zone);
            Assert.AreEqual("project-1", tunnelEvent.ProjectId);
            Assert.AreEqual("ERROR", tunnelEvent.Severity);

            // The denial is preserved as a status code on the event.
            Assert.AreEqual(7, tunnelEvent.Status.Code);

            // Who tried to reach what: caller IP, caller-supplied agent, target host and port.
            Assert.AreEqual("3.4.5.6", tunnelEvent.SourceHost);
            Assert.AreEqual("gzip(gfe)", tunnelEvent.UserAgent);
            Assert.AreEqual("10.0.0.1", tunnelEvent.DestinationHost);
            Assert.AreEqual("3389", tunnelEvent.DestinationPort);

            // The summary appends the status message in brackets and shows the agent
            // shortened to 'gzip', while UserAgent keeps the full raw value.
            Assert.AreEqual("Authorize tunnel from 3.4.5.6 to 10.0.0.1:3389 using gzip [Permission Denied.]", tunnelEvent.Message);
        }