GoogleCloudPlatform / security-response-automation

Take automated actions against threats and vulnerabilities.
Apache License 2.0

revoke IAM function is broken #207

Open deepakdimri-ce opened 3 years ago

deepakdimri-ce commented 3 years ago

The revoke IAM function is not removing the anomalous IAM grant and is failing with the error. The sequence of events is: the Editor role is added to the user -> ETD detects the anomalous IAM grant -> a notification is sent to the Pub/Sub topic -> the router function is triggered and it ends with the error below:

```
{
  "textPayload": "Function error: rule \"primitive_roles_used\" not found\n",
  "insertId": "000000-04a48b94-c35c-46c6-992a-3d69008063ac",
  "resource": {
    "type": "cloud_function",
    "labels": {
      "project_id": "contextawaredemo",
      "region": "us-central1",
      "function_name": "Router"
    }
  },
  "timestamp": "2021-04-20T16:52:01.517Z",
  "severity": "ERROR",
  "labels": {
    "execution_id": "3wveqhtzcx7u"
  },
  "logName": "projects/contextawaredemo/logs/cloudfunctions.googleapis.com%2Fcloud-functions",
  "trace": "projects/contextawaredemo/traces/595dd3806b3d87fc755af0d321519a7d",
  "receiveTimestamp": "2021-04-20T16:52:10.760507042Z"
}{
  "textPayload": "Function execution took 795 ms, finished with status: 'error'",
  "insertId": "000000-9bc7c7f2-94b9-4223-b5a6-152edc834e56",
  "resource": {
    "type": "cloud_function",
    "labels": {
      "region": "us-central1",
      "function_name": "Router",
      "project_id": "contextawaredemo"
    }
  },
  "timestamp": "2021-04-20T16:52:01.518602264Z",
  "severity": "DEBUG",
  "labels": {
    "execution_id": "3wveqhtzcx7u"
  },
  "logName": "projects/contextawaredemo/logs/cloudfunctions.googleapis.com%2Fcloud-functions",
  "trace": "projects/contextawaredemo/traces/595dd3806b3d87fc755af0d321519a7d",
  "receiveTimestamp": "2021-04-20T16:52:10.760507042Z"
} {
  "textPayload": "2021/04/20 16:52:02 /workspace/serverless_function_source_code/clients/logger.go:60: failed to publish: \"failed to check if project \\\"\\\" is within the target or is excluded: failed to get project ancestry path: googleapi: got HTTP response code 404 with body: <!DOCTYPE html>\\n<html lang=en>\\n  <meta charset=utf-8>\\n  <meta name=viewport content=\\\"initial-scale=1, minimum-scale=1, width=device-width\\\">\\n  <title>Error 404 (Not Found)!!1</title>\\n  <style>\\n    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}\\n  </style>\\n  <a href=//www.google.com/><span id=logo aria-label=Google></span></a>\\n  <p><b>404.</b> <ins>That’s an error.</ins>\\n  <p>The requested URL <code>/v1/projects/:getAncestry?alt=json&amp;prettyPrint=false</code> was not found on this server.  <ins>That’s all we know.</ins>\\n\"",
  "insertId": "000000-c022de2e-061b-4313-877d-2c11626c09b3",
  "resource": {
    "type": "cloud_function",
    "labels": {
      "region": "us-central1",
      "project_id": "contextawaredemo",
      "function_name": "Router"
    }
  },
  "timestamp": "2021-04-20T16:52:02.359Z",
  "labels": {
    "execution_id": "5ec566o4hprl"
  },
  "logName": "projects/contextawaredemo/logs/cloudfunctions.googleapis.com%2Fcloud-functions",
  "trace": "projects/contextawaredemo/traces/974a900f1a0cf9f0c44f78e81cd36a94",
  "receiveTimestamp": "2021-04-20T16:52:11.218877036Z"
}
```

deepakdimri-ce commented 3 years ago

hi @daniel-cit, can you help with issue #207?

daniel-cit commented 3 years ago

Hi @deepakdimri-ce. By your description, your example is triggering a SHA finding, not an ETD finding:

```
"textPayload": "Function error: rule \"primitive_roles_used\" not found\n",
```

which is the SHA finding PRIMITIVE_ROLES_USED

> A user has one of the following IAM basic roles: roles/owner, roles/editor, or roles/viewer.
> These roles are too permissive and shouldn't be used.
> Instead, they should be assigned per project only.

which is not a SHA finding supported by security-response-automation
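One way to make this failure mode explicit, as an added example in Go that is not the project's own router code: a small dispatcher that looks up a rule by finding source and category, returns a typed error for categories with no configured rule (such as the SHA PRIMITIVE_ROLES_USED finding) instead of a bare "rule not found", and refuses to start the project ancestry lookup when the project ID is empty (the cause of the 404 in the log above). The Finding fields, the rule names and the sample payloads are constructed assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Finding is the subset of a notification this example reads (assumed field names).
type Finding struct {
	Source   string `json:"source"`   // "ETD" or "SHA" (constructed for this example)
	Category string `json:"category"` // e.g. "anomalous_iam_grant", "PRIMITIVE_ROLES_USED"
	Project  string `json:"project"`  // project ID the finding applies to
}

var (
	// Returned for categories with no configured rule, so the caller can ack
	// the message instead of failing the function with "rule not found".
	ErrUnsupportedFinding = errors.New("no rule configured for finding")
	// Guards the ancestry lookup, which 404s when the project ID is empty.
	ErrMissingProject = errors.New("finding has no project ID")
)

// rules maps a normalized "source/category" key to the remediation to run;
// only the ETD anomalous IAM grant is wired to revoke_iam here (assumed names).
var rules = map[string]string{
	"etd/anomalous_iam_grant": "revoke_iam",
}

// Route decides which remediation a finding triggers. Unsupported categories
// and findings without a project are reported as distinct, typed errors.
func Route(raw []byte) (string, error) {
	var f Finding
	if err := json.Unmarshal(raw, &f); err != nil {
		return "", fmt.Errorf("decode finding: %w", err)
	}
	if strings.TrimSpace(f.Project) == "" {
		return "", ErrMissingProject
	}
	key := strings.ToLower(f.Source) + "/" + strings.ToLower(f.Category)
	action, ok := rules[key]
	if !ok {
		return "", fmt.Errorf("%w: %s", ErrUnsupportedFinding, key)
	}
	return action, nil
}
```

A caller can use errors.Is on the returned error to ack and skip unsupported findings while still alerting on a missing project ID, which indicates a malformed notification rather than an unsupported one.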