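## Determine if project or organization and perform logic based on bound resource layer
properties = log_entry['jsonPayload']['properties']


def _remediate(resource):
    """Strip ``outside_member_ids`` from the IAM policy bound to ``resource``.

    ``resource`` is either a bare project id or an ``organizations/<id>`` name;
    the helpers route on that prefix.  Mirrors the original flow: when none of
    the outside members is bound there is nothing to rewrite, so the process
    exits with status 0 without calling setIamPolicy.
    """
    resource_bindings = retrieve_bindings(service, resource)
    if check_member_on_resource(outside_member_ids, resource_bindings) is True:
        bindings_removed = remove_anomalous_iam_resource(outside_member_ids, resource_bindings)
        set_iam_binding_resource(resource, service, bindings_removed)
    else:
        logging.debug("Member does not exist.")
        sys.exit(0)


# Look the keys up exactly.  The earlier version iterated the dict's keys and
# substring-matched them ("project_id" in key), which also matches keys such as
# "source_project_id" and then raises KeyError on the fixed lookup that follows.
if 'project_id' in properties:
    resource = properties['project_id']
    print(f"The Project ID is {resource}")
    _remediate(resource)
if 'organization_id' in properties:
    resource = 'organizations/' + properties['organization_id']
    print(f"The Organization is {resource}")
    _remediate(resource)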
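## Resources have IAM bindings. We need to return those to parse through.
def retrieve_bindings(service, resource):
    """Fetch the current IAM bindings of a project or organization.

    Args:
        service: Cloud Resource Manager API client exposing ``projects()`` and
            ``organizations()`` collections with ``getIamPolicy``.
        resource: a project id, or an organization name of the form
            ``organizations/<id>``.

    Returns:
        The policy's ``bindings`` list, or ``[]`` when the policy has none
        (the earlier ``pop("bindings")`` raised KeyError in that case).

    Note: only the bindings are returned; the policy's ``etag`` is discarded,
    so a setIamPolicy built from this result cannot detect a concurrent change
    to the policy.  No ``requestedPolicyVersion`` is sent either — confirm how
    the API responds here if the policy carries conditional (v3) bindings.
    """
    # Match on the prefix, not a substring: a project id can itself contain
    # the word "organizations" and must still go to the projects collection.
    if resource.startswith('organizations/'):
        request = service.organizations().getIamPolicy(resource=resource)
        label = "organization"
    else:
        request = service.projects().getIamPolicy(resource=resource)
        label = "project"
    response = request.execute()
    resource_bindings = response.get("bindings", [])
    print(f"Current {label} bindings: {resource_bindings}")
    return resource_bindings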
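## Looks for our anomalous IAM member and removes from resource bindings
def remove_anomalous_iam_resource(outside_member_ids, resource_bindings):
    """Return ``resource_bindings`` with every outside member stripped from each binding.

    Args:
        outside_member_ids: iterable of IAM member strings, in the API's own form
            (e.g. ``user:alice@example.com``); compared exactly, not by substring.
        resource_bindings: list of binding dicts as returned by getIamPolicy
            (``{"role": ..., "members": [...], ...}``).

    Returns:
        A new list of binding dicts with those members removed.  The input
        list and its dicts are not mutated.  Other keys of a binding (role,
        condition) are copied through untouched.  A binding whose member list
        ends up empty is kept, as before — NOTE(review): if the API rejects an
        empty ``members`` list, drop such bindings here; confirm.
    """
    # The earlier version walked every value of the binding dict — including the
    # "role" string, where ``in`` is a substring test and ``.remove`` raises — and
    # hid the resulting AttributeError behind a bare ``except:``.  Only the
    # ``members`` list is examined now.
    outside = set(outside_member_ids)
    bindings_removed = []
    for binding in resource_bindings:
        new_binding = dict(binding)
        members = binding.get('members')
        if members is not None:
            for member in members:
                if member in outside:
                    print(f"Member removed: {member}")
            new_binding['members'] = [m for m in members if m not in outside]
        bindings_removed.append(new_binding)
    print(f"New bindings after anomalous member(s) removed: {bindings_removed}")
    return bindings_removed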
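## Set our new resource IAM bindings
def set_iam_binding_resource(resource, service, bindings_removed):
    """Write ``bindings_removed`` back as the IAM policy of a project or organization.

    Args:
        resource: a project id, or an organization name ``organizations/<id>``.
        service: Cloud Resource Manager API client exposing ``projects()`` and
            ``organizations()`` collections with ``setIamPolicy``.
        bindings_removed: the complete list of binding dicts to install; it
            replaces the resource's current bindings.

    Returns:
        The policy returned by setIamPolicy.

    Note: the request carries no ``etag``, so this is a blind overwrite — any
    binding change made between the earlier getIamPolicy and this call is lost.
    Sending the etag read with the bindings would make the API reject a stale
    write instead of silently clobbering it.
    """
    # ``bindings_removed`` is already the bindings list; the earlier version
    # wrapped it in another list and sent a nested list the API cannot accept.
    set_iam_policy_request_body = {
        "policy": {
            "bindings": bindings_removed
        }
    }
    # Prefix match, not substring: a project id may contain "organizations".
    if resource.startswith('organizations/'):
        request = service.organizations().setIamPolicy(resource=resource, body=set_iam_policy_request_body)
        label = "organization"
    else:
        request = service.projects().setIamPolicy(resource=resource, body=set_iam_policy_request_body)
        label = "project"
    binding_response = request.execute()
    print(f"New policy attached to the {label}: {binding_response}")
    return binding_response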