From 2779af77872209c313bc80283cefa78dc37f6a93 Mon Sep 17 00:00:00 2001
From: carnal0wnage
Date: Wed, 26 Sep 2018 15:58:15 -0400
Subject: [PATCH] iam checks + storage checks
---
 libs/gcp/gcp_iam.py | 4 ++--
 libs/gcp/gcp_storage.py | 39 +++++++++++++++++++++++++++++++++++++
 modules/gcp/gcp_recon.py | 42 ++++++++++++++++++++++++++++++++++++----
 weirdAAL.py | 4 ++--
 4 files changed, 81 insertions(+), 8 deletions(-)
 create mode 100644 libs/gcp/gcp_storage.py
diff --git a/libs/gcp/gcp_iam.py b/libs/gcp/gcp_iam.py
index c8dd65f..32af407 100644
--- a/libs/gcp/gcp_iam.py
+++ b/libs/gcp/gcp_iam.py
@@ -14,7 +14,7 @@ from googleapiclient.errors import HttpError
 # [START iam_list_keys]
-def gcp_iam_list_keys(service_account_email,service):
+def gcp_iam_list_keys(service_account_email, service):
 """Lists all keys for a service account."""
 # pylint: disable=no-member
@@ -27,7 +27,7 @@ def gcp_iam_list_keys(service_account_email,service):
 # [START iam_list_service_accounts]
-def gcp_iam_list_service_accounts(project_id):
+def gcp_iam_list_service_accounts(project_id, service):
 """Lists all service accounts for the current project."""
 # pylint: disable=no-member
diff --git a/libs/gcp/gcp_storage.py b/libs/gcp/gcp_storage.py
new file mode 100644
index 0000000..25ba689
--- /dev/null
+++ b/libs/gcp/gcp_storage.py
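Review bot: The new required `service` parameter on gcp_iam_list_service_accounts is not reflected in the docstring, which still reads as if the function only needs a project. Suggest `"""List the service accounts of *project_id* using the supplied IAM discovery client *service*."""` so callers know they must build and pass the client themselves, as gcp_iam_list_keys already expects. Adding a required positional argument also breaks any existing call site that passes only `project_id`; the body that consumes `service` lies outside this hunk, so I cannot confirm how it is used there.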
@@ -0,0 +1,39 @@
+'''
+GCP Storage functions for WeirdAAL
+'''
+
+import google.auth
+import googleapiclient.discovery
+import os
+import sys
+
+from google.oauth2 import service_account
+
+from googleapiclient.errors import HttpError
+
+from google.cloud import storage, exceptions
+from google.cloud.exceptions import *
+
+
+
+def gcp_storage_list_buckets(credentials):
+ list_of_buckets = []
+ '''list Google storage buckets for account'''
+ storage_client = storage.Client()
+ buckets = storage_client.list_buckets()
+ for buck in buckets:
+ print(buck.name)
+ list_of_buckets.append(buck.name)
+ return list_of_buckets
+
+
+def gcp_storage_list_blobs(credentials, bucket_name):
+ '''Lists all the blobs in the bucket.'''
+ storage_client = storage.Client()
+ bucket = storage_client.get_bucket(bucket_name)
+
+ blobs = bucket.list_blobs()
+
+ for blob in blobs:
+ print(blob.name)
+ print('\n')
\ No newline at end of file
diff --git a/modules/gcp/gcp_recon.py b/modules/gcp/gcp_recon.py
index de7a081..2385518 100644
--- a/modules/gcp/gcp_recon.py
+++ b/modules/gcp/gcp_recon.py
@@ -6,7 +6,7 @@ that have functions that done have arguments if we can access them :-)
 from libs.gcp.gcp_iam import *
-#from libs.gcp.gcp_storage import *
+from libs.gcp.gcp_storage import *
 credentials = service_account.Credentials.from_service_account_file(
 filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
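Review bot: Both new functions accept a `credentials` argument and then ignore it: `storage.Client()` resolves credentials from the environment (the GOOGLE_APPLICATION_CREDENTIALS path that weirdAAL.py sets), so the buckets reported are attributed to whichever key the environment points at rather than the credential the caller passed. Build the client from the argument in both places, `storage_client = storage.Client(project=credentials.project_id, credentials=credentials)`. In gcp_storage_list_blobs, `get_bucket` issues a bucket-metadata GET that needs storage.buckets.get before a single object is listed; `bucket = storage_client.bucket(bucket_name)` creates the handle without a request, so a key that only holds storage.objects.list still yields a listing. gcp_storage_list_buckets also deserves the caveat `# list_buckets() only returns buckets owned by the client's project; buckets in other projects this key can read are not enumerated here`, and its `'''list Google storage buckets for account'''` string sits after the first statement, so it is not actually the docstring.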
@@ -21,10 +21,24 @@ def module_gcp_recon_all():
 python3 weirdAAL.py -m gcp_recon_all -t demo
 '''
 try:
- print("IAM List Keys check")
- #print(credentials)
+ print("GCP IAM List Keys check")
+ # print(credentials)
 gcp_iam_list_keys(credentials.service_account_email, service)
- #list_service_accounts('best-indian-restaurant-691ad')
+ except HttpError as e:
+ # print(e)
+ if e.resp.status in [403, 500, 503]:
+ print("\tGCP IAM access denied for {}".format(credentials.service_account_email))
+ else:
+ print(e)
+ except google.auth.exceptions.RefreshError as f:
+ print(f)
+ print("Service key is invalid exiting")
+ sys.exit()
+
+ try:
+ print("GCP IAM list service accounts for the current project: {}.".format(credentials.project_id))
+ # print(credentials)
+ gcp_iam_list_service_accounts(credentials.project_id, service)
 except HttpError as e:
 # print(e)
 if e.resp.status in [403, 500, 503]:
@@ -36,3 +50,23 @@ def module_gcp_recon_all():
 print("Service key is invalid exiting")
 sys.exit()
+ '''
+ Storage bucket access checks
+ '''
+ try:
+ print("Checking for storage buckets")
+ buckets = gcp_storage_list_buckets(credentials)
+ if buckets:
+ print("\nAttempting to list bucket contents")
+ for a in buckets:
+ print(a)
+ gcp_storage_list_blobs(credentials, a)
+ except googleapiclient.errors.HttpError as e:
+ print(e)
+ except exceptions.Forbidden as e:
+ print("Forbidden")
+ print(e)
+ except exceptions.PermissionDenied as e:
+ print("PermissionDenied")
+ except google.auth.exceptions.RefreshError as f:
+ print(f)
diff --git a/weirdAAL.py b/weirdAAL.py
index 5906600..13cec75 100755
--- a/weirdAAL.py
+++ b/weirdAAL.py
@@ -29,7 +29,7 @@ from google.cloud.exceptions import *
 os.environ['AWS_SHARED_CREDENTIALS_FILE'] = '.env'
-os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = 'key.json'
+os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = 'gcp_keys/4.json'
 # If you want to use a transparent + supports SSL proxy you can put it here
 # os.environ['HTTPS_PROXY'] = 'https://127.0.0.1:3128'
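Review bot: The added `except HttpError` branch prints "GCP IAM access denied" for status 500 and 503 as well as 403, but those two are server-side errors rather than authorization results, so a transient API failure is recorded as a missing permission and the key's real privileges are misjudged. Reserve the denied message for the authorization codes, `if e.resp.status in [401, 403]:`, and let the existing else branch print everything else. The same status list now appears three times in this function (twice in this hunk, once in the pre-existing block at its bottom), so a small helper such as `_report_iam_error(e, who)` would keep the copies from drifting. module_gcp_recon_all begins before this hunk and continues past it.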
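Review bot: The whole bucket loop sits inside one try, so the first bucket whose listing raises Forbidden ends the enumeration and every remaining bucket goes unchecked, which is the opposite of what a recon pass wants — a key that can read some buckets but not others is exactly the interesting case. Move the per-bucket call into its own try so one 403 is reported and the loop carries on. Two of the handlers look inert: `except exceptions.PermissionDenied` is unreachable if PermissionDenied subclasses Forbidden as it does in google.api_core.exceptions, and `except googleapiclient.errors.HttpError` does not cover google-cloud-storage, which raises google.cloud.exceptions types. module_gcp_recon_all starts before this hunk.
```python
            for a in buckets:
                print(a)
                try:
                    gcp_storage_list_blobs(credentials, a)
                except exceptions.Forbidden as e:
                    # keep going: a 403 on one bucket says nothing about the next
                    print("\tForbidden on {}: {}".format(a, e))
    # … unchanged: outer except handlers …
```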
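Review bot: The entry point now unconditionally overwrites GOOGLE_APPLICATION_CREDENTIALS with `gcp_keys/4.json`, a path that looks like a developer's local scratch key rather than a tool default, so any credential the operator exported before running weirdAAL is silently replaced by a file that will not exist on other machines. Prefer `os.environ.setdefault('GOOGLE_APPLICATION_CREDENTIALS', 'key.json')` so an explicit environment wins, and make sure `gcp_keys/` is excluded from version control — the .gitignore is not visible from here. The AWS line above it has the same overwrite behaviour, though the commit does not touch it.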
@@ -69,7 +69,7 @@ def perform_credential_check():
 sys.exit(1)
 # excepetion to catch the lack of aws cred here - temp fix
 except Exception as e:
- print('\t {}'.format(e))
+ print('\t -')
 def method_create():
 try:
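Review bot: Replacing `print('\t {}'.format(e))` with `print('\t -')` turns the broad `except Exception` into a silent swallow: a malformed key file, a missing module or a network error during the credential check now prints a dash and nothing else, which makes the failure undiagnosable. The context comment says the catch exists for the missing-AWS-credentials case, so catch that exception type specifically (the hunk does not show which one it is, so I cannot name it) and keep printing `e` for anything else, or gate the message behind a verbose flag rather than dropping it. perform_credential_check begins before this hunk.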