Overview
Plugin designed for handling provisioning and deprovisioning of credentials for the WizCLI utility used to interact with Wiz.

The WizCLI's `auth` subcommand takes a `--id` (56 character alphanumeric string) and a `--secret` (64 character alphanumeric string) argument, or alternatively looks for the `WIZ_CLIENT_ID` and `WIZ_CLIENT_SECRET` environment variables, which it uses to request a time-limited access token (Bearer token) from https://auth.app.wiz.io/oauth/token. The access token is written to `$WIZ_DIR/auth.json` (defaults to `$HOME/wiz/auth.json`), along with an expiration date, a data center identifier, tenant id and the client id.

When a subcommand of the wizcli that requires authentication (such as `wizcli iac scan --path .` or `wizcli dir scan --path .`) is invoked, it looks for the `$WIZ_DIR/auth.json` file for the access token to include. This plugin implements the functionality of the auth subcommand and writes the `$WIZ_DIR/auth.json` file in the expected format. After the wizcli has completed, the `$WIZ_DIR/auth.json` file is deleted.

The plugin does not support importing, as the client secret is never written to disk anywhere. Only the access token (and a refresh token) is written, and they will expire fairly quickly.

Note that the plugin doesn't invalidate the access token (or refresh token) created, because Wiz doesn't seem to expose an API for that.

The plugin also requires the installation of the data center ID of one's Wiz tenant and the tenant ID. This information can be found under https://app.wiz.io/user/tenant. The information can alternatively be fetched via the Wiz API, but this uses GraphQL and would introduce a new dependency to this project.

Finally, the authentication could also be done by having the plugin invoke the WizCLI's `auth` subcommand with the needed secret and client ID. Calling the authentication API was chosen as an alternative because calling the binary could be messy.

A future iteration of this plugin could choose to use the `$WIZ_DIR` environment variable to point to a RAMdisk, to ensure the authentication files are never written to persistent storage.

Unit tests were not added as I was unsure what the preferred way of mocking upstream API calls is. Using the provisioning helper test functions caused the test to reach out to the real API and there was no obvious way to add a mock.
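The provisioning flow described above (check the id/secret shapes, exchange them for a time-limited token, write `auth.json` with the token and tenant details but never the secret, delete the file afterwards), as an added Go example. It is not the plugin's code and does not use the 1Password shell-plugins SDK. The JSON key names in `auth.json`, the `client_credentials` form parameters, the sample credentials and `FakeTokenServer` (which stands in for https://auth.app.wiz.io/oauth/token so everything runs offline) are all assumptions made for the example.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"os"
	"path/filepath"
	"regexp"
	"strings"
	"time"
)

// Constructed placeholder credentials in the shapes the PR describes (56 and 64
// alphanumeric characters); the regexes enforce those shapes before any request.
var (
	SampleClientID     = strings.Repeat("A", 56)
	SampleClientSecret = strings.Repeat("b", 64)
	idShape            = regexp.MustCompile(`^[A-Za-z0-9]{56}$`)
	secretShape        = regexp.MustCompile(`^[A-Za-z0-9]{64}$`)
)

// AuthFile holds what the PR says wizcli reads from $WIZ_DIR/auth.json. The JSON
// keys are assumed (the PR does not show the layout); there is no secret field.
type AuthFile struct {
	AccessToken  string    `json:"access_token"`
	RefreshToken string    `json:"refresh_token,omitempty"`
	ExpiresAt    time.Time `json:"expires_at"`
	DataCenter   string    `json:"data_center"`
	TenantID     string    `json:"tenant_id"`
	ClientID     string    `json:"client_id"`
}

// RequestToken does the client_credentials exchange (the form parameters are an
// assumption about the Wiz endpoint) and returns the token part of AuthFile.
func RequestToken(ctx context.Context, c *http.Client, tokenURL, id, secret string) (*AuthFile, error) {
	form := url.Values{"grant_type": {"client_credentials"}, "client_id": {id}, "client_secret": {secret}}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned HTTP %d", resp.StatusCode)
	}
	var tr struct {
		AccessToken  string `json:"access_token"`
		RefreshToken string `json:"refresh_token"`
		ExpiresIn    int    `json:"expires_in"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil || tr.AccessToken == "" {
		return nil, errors.New("token endpoint returned no usable access token")
	}
	return &AuthFile{AccessToken: tr.AccessToken, RefreshToken: tr.RefreshToken,
		ExpiresAt: time.Now().Add(time.Duration(tr.ExpiresIn) * time.Second).UTC()}, nil
}

// Provision checks the credential shapes, fetches a token and writes auth.json with
// owner-only permissions. The returned func is the deprovision step (delete the file).
func Provision(ctx context.Context, c *http.Client, tokenURL, wizDir, id, secret, dataCenter, tenantID string) (func() error, error) {
	if !idShape.MatchString(id) || !secretShape.MatchString(secret) {
		return nil, errors.New("client id must be 56 and client secret 64 alphanumeric characters")
	}
	af, err := RequestToken(ctx, c, tokenURL, id, secret)
	if err != nil {
		return nil, err
	}
	af.ClientID, af.DataCenter, af.TenantID = id, dataCenter, tenantID
	data, _ := json.Marshal(af) // plain struct, marshalling cannot fail
	if err := os.MkdirAll(wizDir, 0o700); err != nil {
		return nil, err
	}
	path := filepath.Join(wizDir, "auth.json")
	if err := os.WriteFile(path, data, 0o600); err != nil {
		return nil, err
	}
	return func() error { return os.Remove(path) }, nil
}

// FakeTokenServer stands in for https://auth.app.wiz.io/oauth/token so the example
// runs offline; it issues a constructed token only for the constructed secret.
func FakeTokenServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.FormValue("client_secret") != SampleClientSecret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"access_token":"constructed-access-token","refresh_token":"constructed-refresh","expires_in":3600}`)
	}))
}
```

To exercise it, start `FakeTokenServer`, call `Provision` with `srv.Client()`, `srv.URL` and a temporary directory as `wizDir`, then run the returned cleanup func once the wrapped command has exited. Two points worth keeping if this is adapted: the file is written `0600` so only the invoking user can read the Bearer token, and the secret only ever travels in the request body to the token endpoint, never into `auth.json`.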
Type of change
Related Issue(s)
How To Test
wizcli iac scan --path . --policy "Default secrets policy"
wizcli iac scan --path .
wizcli dir scan --path . --policy "Default secrets policy"
wizcli dir scan --path .
Changelog
Authenticate the Wiz CLI using Touch ID and other unlock options with the 1Password Shell Plugins.