From 32cd86b53fbfcc9ab669b52c3eb74ed16855bd4b Mon Sep 17 00:00:00 2001
From: Ross
Date: Mon, 23 May 2022 12:17:34 +0100
Subject: [PATCH] feat(api): Add S3BucketArn field to allow BYOB for AWS EKS Audit Log
Signed-off-by: Ross
---
 .../cloud-accounts/aws-eks-audit/main.go | 3 +-
 api/cloud_accounts_aws_eks_audit.go | 1 +
 api/cloud_accounts_aws_eks_audit_test.go | 146 ++++++++++++++++++
 3 files changed, 149 insertions(+), 1 deletion(-)
diff --git a/api/_examples/cloud-accounts/aws-eks-audit/main.go b/api/_examples/cloud-accounts/aws-eks-audit/main.go
index 19343ffb7..34acd7f32 100644
--- a/api/_examples/cloud-accounts/aws-eks-audit/main.go
+++ b/api/_examples/cloud-accounts/aws-eks-audit/main.go
@@ -41,7 +41,8 @@ func main() {
 RoleArn: "arn:aws:iam::123456789000:role/lw-iam-b8c91298",
 ExternalID: "abc123",
 },
- SnsArn: "arn:aws:sns:us-west-2:0123456789:foo-lacework-eks:00777777-ab77-1234-a123-a12ab1d12c1d",
+ SnsArn: "arn:aws:sns:us-west-2:0123456789:foo-lacework-eks:00777777-ab77-1234-a123-a12ab1d12c1d",
+ S3BucketArn: "arn:aws:s3:::lacework-example-eks-bucket",
 }
 awsEksAuditCloudAccount := api.NewCloudAccount(
diff --git a/api/cloud_accounts_aws_eks_audit.go b/api/cloud_accounts_aws_eks_audit.go
index 352f67704..7e62f3007 100644
--- a/api/cloud_accounts_aws_eks_audit.go
+++ b/api/cloud_accounts_aws_eks_audit.go
@@ -48,6 +48,7 @@ type AwsEksAuditIntegration struct {
 type AwsEksAuditData struct {
 Credentials AwsEksAuditCredentials `json:"crossAccountCredentials"`
 SnsArn string `json:"snsArn"`
+ S3BucketArn string `json:"s3BucketArn"`
 }
 type AwsEksAuditCredentials struct {
diff --git a/api/cloud_accounts_aws_eks_audit_test.go b/api/cloud_accounts_aws_eks_audit_test.go
index 8ef21e015..194136cad 100644
--- a/api/cloud_accounts_aws_eks_audit_test.go
+++ b/api/cloud_accounts_aws_eks_audit_test.go
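Review bot: The new `S3BucketArn` field in `AwsEksAuditData` is tagged `json:"s3BucketArn"` without `omitempty`, so every create and update request for an existing integration that does not bring its own bucket will now serialize `"s3BucketArn": ""`; whether the API accepts an empty ARN, rejects it, or treats it as clearing the bucket is not visible here, but it is a wire-format change for callers that never set the field. Unless the API requires the key to be present, `S3BucketArn string \`json:"s3BucketArn,omitempty"\`` keeps the request for non-BYOB integrations byte-identical to today's. The field also lacks a doc comment; something like `// S3BucketArn is the ARN of a customer-owned S3 bucket (bring your own bucket); optional.` would tell callers it is not mandatory. The struct's other fields have no comments either, so this may just be following the file's style, but the optional/required distinction is worth recording for this one.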
@@ -160,3 +160,149 @@ func singleAwsEksAuditCloudAccount(id string) string {
 }
 `
 }
+
+func TestCloudAccountsAwsEksAuditByobGet(t *testing.T) {
+ var (
+ intgGUID = intgguid.New()
+ apiPath = fmt.Sprintf("CloudAccounts/%s", intgGUID)
+ fakeServer = lacework.MockServer()
+ )
+ fakeServer.UseApiV2()
+ fakeServer.MockToken("TOKEN")
+ defer fakeServer.Close()
+
+ fakeServer.MockAPI(apiPath, func(w http.ResponseWriter, r *http.Request) {
+ assert.Equal(t, "GET", r.Method, "GetAwsEksAudit() should be a GET method")
+ fmt.Fprintf(w, generateCloudAccountResponse(singleAwsEksAuditCloudAccountByob(intgGUID)))
+ })
+
+ c, err := api.NewClient("test",
+ api.WithApiV2(),
+ api.WithToken("TOKEN"),
+ api.WithURL(fakeServer.URL()),
+ )
+ assert.Nil(t, err)
+
+ response, err := c.V2.CloudAccounts.GetAwsEksAudit(intgGUID)
+ assert.Nil(t, err)
+ assert.NotNil(t, response)
+ assert.Equal(t, intgGUID, response.Data.IntgGuid)
+ assert.Equal(t, "integration_name", response.Data.Name)
+ assert.True(t, response.Data.State.Ok)
+ assert.Equal(t, "arn:foo:bar", response.Data.Data.Credentials.RoleArn)
+ assert.Equal(t, "0123456789", response.Data.Data.Credentials.ExternalID)
+ assert.Equal(
+ t,
+ "arn:aws:sns:us-west-2:0123456789:foo-lacework-eks:00777777-ab77-1234-a123-a12ab1d12c1d",
+ response.Data.Data.SnsArn,
+ )
+ assert.Equal(
+ t,
+ "arn:aws:s3:::lacework-example-eks-bucket",
+ response.Data.Data.S3BucketArn,
+ )
+}
+
+func TestCloudAccountsAwsEksAuditByobUpdate(t *testing.T) {
+ var (
+ intgGUID = intgguid.New()
+ apiPath = fmt.Sprintf("CloudAccounts/%s", intgGUID)
+ fakeServer = lacework.MockServer()
+ )
+ fakeServer.UseApiV2()
+ fakeServer.MockToken("TOKEN")
+ defer fakeServer.Close()
+
+ fakeServer.MockAPI(apiPath, func(w http.ResponseWriter, r *http.Request) {
+ assert.Equal(t, "PATCH", r.Method, "UpdateAwsEksAudit() should be a PATCH method")
+
+ if assert.NotNil(t, r.Body) {
+ body := httpBodySniffer(r)
+ assert.Contains(t, body, intgGUID, "INTG_GUID missing")
+
assert.Contains(t, body, "integration_name", "cloud account name is missing")
+ assert.Contains(t, body, "AwsEksAudit", "wrong cloud account type")
+ assert.Contains(t, body, "arn:bubu:lubu", "wrong role arn")
+ assert.Contains(t, body, "abc123", "wrong external ID")
+ assert.Contains(
+ t,
+ body,
+ "arn:aws:sns:us-west-2:0123456789:foo-lacework-eks:00777777-ab77-1234-a123-a12ab1d12c1d",
+ "wrong sns arn")
+ assert.Contains(
+ t,
+ body,
+ "arn:aws:s3:::lacework-example-eks-bucket",
+ "wrong s3 bucket arn")
+ assert.Contains(t, body, "enabled\":1", "cloud account is not enabled")
+ }
+
+ fmt.Fprintf(w, generateCloudAccountResponse(singleAwsEksAuditCloudAccountByob(intgGUID)))
+ })
+
+ c, err := api.NewClient("test",
+ api.WithApiV2(),
+ api.WithToken("TOKEN"),
+ api.WithURL(fakeServer.URL()),
+ )
+ assert.Nil(t, err)
+
+ cloudAccount := api.NewCloudAccount("integration_name",
+ api.AwsEksAuditCloudAccount,
+ api.AwsEksAuditData{
+ SnsArn: "arn:aws:sns:us-west-2:0123456789:foo-lacework-eks:00777777-ab77-1234-a123-a12ab1d12c1d",
+ S3BucketArn: "arn:aws:s3:::lacework-example-eks-bucket",
+ Credentials: api.AwsEksAuditCredentials{
+ RoleArn: "arn:bubu:lubu",
+ ExternalID: "abc123",
+ },
+ },
+ )
+ assert.Equal(t, "integration_name", cloudAccount.Name, "AwsEksAudit cloud account name mismatch")
+ assert.Equal(t, "AwsEksAudit", cloudAccount.Type, "a new AwsEksAudit cloud account should match its type")
+ assert.Equal(t, 1, cloudAccount.Enabled, "a new AwsEksAudit cloud account should be enabled")
+ cloudAccount.IntgGuid = intgGUID
+
+ response, err := c.V2.CloudAccounts.UpdateAwsEksAudit(cloudAccount)
+ assert.Nil(t, err)
+ assert.NotNil(t, response)
+ assert.Equal(t, intgGUID, response.Data.IntgGuid)
+ assert.Equal(t,
+ "arn:aws:sns:us-west-2:0123456789:foo-lacework-eks:00777777-ab77-1234-a123-a12ab1d12c1d",
+ response.Data.Data.SnsArn)
+ assert.Equal(t,
+ "arn:aws:s3:::lacework-example-eks-bucket",
+ response.Data.Data.S3BucketArn)
+}
+
+func
singleAwsEksAuditCloudAccountByob(id string) string {
+ return `
+ {
+ "createdOrUpdatedBy": "salim.afiunemaya@lacework.net",
+ "createdOrUpdatedTime": "2021-06-01T19:28:00.092Z",
+ "enabled": 1,
+ "intgGuid": "` + id + `",
+ "isOrg": 0,
+ "name": "integration_name",
+ "state": {
+ "details": {
+ "complianceOpsDeniedAccess": [
+ "GetBucketAcl",
+ "GetBucketLogging"
+ ]
+ },
+ "lastSuccessfulTime": 1624456896915,
+ "lastUpdatedTime": 1624456896915,
+ "ok": true
+ },
+ "type": "AwsEksAudit",
+ "data": {
+ "snsArn": "arn:aws:sns:us-west-2:0123456789:foo-lacework-eks:00777777-ab77-1234-a123-a12ab1d12c1d",
+ "s3BucketArn": "arn:aws:s3:::lacework-example-eks-bucket",
+ "crossAccountCredentials": {
+ "externalId": "0123456789",
+ "roleArn": "arn:foo:bar"
+ }
+ }
+ }
+ `
+}
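Review bot: Both new mock handlers pass a non-constant string as the format argument of `fmt.Fprintf(w, generateCloudAccountResponse(singleAwsEksAuditCloudAccountByob(intgGUID)))` with no further arguments, so any `%` in the generated payload would be misinterpreted as a verb and `go vet`'s printf check flags the call; `fmt.Fprint(w, generateCloudAccountResponse(singleAwsEksAuditCloudAccountByob(intgGUID)))` is the intended write, in the GET handler of TestCloudAccountsAwsEksAuditByobGet and the PATCH handler of TestCloudAccountsAwsEksAuditByobUpdate alike (this likely mirrors the existing tests in the file, which would be worth fixing in the same pass). `singleAwsEksAuditCloudAccountByob` is a copy of the existing `singleAwsEksAuditCloudAccount` fixture plus one `s3BucketArn` entry; a single helper that takes the bucket ARN and emits the key only when it is non-empty would keep the two fixtures from drifting. The update test asserts only that the S3 ARN appears somewhere in the request body, which does not prove it was serialized under the `s3BucketArn` key; `assert.Contains(t, body, "\"s3BucketArn\":\"arn:aws:s3:::lacework-example-eks-bucket\"", "wrong s3 bucket arn")` would pin the field name as well, assuming the body is compact JSON as the existing `"enabled\":1` check implies.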