adding changes for ccc_os_c3

src/control-catalog/behave_tests/behave.ini

@@ -0,0 +1,3 @@
+[behave]
+stderr_capture=False
+stdout_capture=False

src/control-catalog/behave_tests/ccc.os.c3/features/ccc_os_c3.feature

@@ -1,6 +1,8 @@
 Feature: (CCC.OS.C3) - Prevent the granting of direct public access to the object storage bucket you own
 
-Scenario: Test Control CCC.OS.C3 - AWS
+Scenario: Test Control CCC.OS.C3
     GIVEN you own the object storage bucket in AWS
+    AND you own the object storage bucket in GCP
     WHEN the access controls on the bucket are updated to grant public access to the AWS bucket
+    AND the access controls on the bucket are updated to grant public access to the GCP bucket
     THEN the request should be denied

src/control-catalog/behave_tests/ccc.os.c3/steps/ccc_os_c3.py

@@ -1,8 +1,8 @@
 import logging
 import boto3
-import time
 
 from botocore.exceptions import ClientError
+from google.api_core.exceptions import PreconditionFailed
 from google.cloud import storage
 from behave import given, then, when
 
@@ -12,15 +12,22 @@
 
 
 @given("you own the object storage bucket in AWS")
-def verify_aws_bucket_exists(context):
+def aws_verify_bucket_exists(context):
     context.s3_client = boto3.client("s3")
     context.s3_client.get_bucket_acl(Bucket=STORAGE_BUCKET_NAME)
 
 
+@given("you own the object storage bucket in GCP")
+def gcp_verify_bucket_exists(context):
+    context.storage_client = storage.Client()
+    context.bucket = context.storage_client.bucket(STORAGE_BUCKET_NAME)
+    context.bucket.get_iam_policy()
+
+
 @when(
     "the access controls on the bucket are updated to grant public access to the AWS bucket"
 )
-def update_acls_on_bucket_to_allow_public_access(context):
+def aws_update_acls_on_bucket_to_allow_public_access(context):
     try:
         context.s3_client.put_bucket_acl(
             ACL="public-read-write", Bucket=STORAGE_BUCKET_NAME
@@ -29,9 +36,28 @@ def update_acls_on_bucket_to_allow_public_access(context):
         context.s3_publish_error = str(err)
 
 
+@when(
+    "the access controls on the bucket are updated to grant public access to the GCP bucket"
+)
+def gcp_update_acls_on_bucket_to_allow_public_access(context):
+    acl = storage.Bucket(context.storage_client, STORAGE_BUCKET_NAME).acl
+
+    # Attempting to modify ACL to allow all users public access
+    acl.all().grant_read()
+    acl.all().grant_write()
+
+    try:
+        acl.save()
+    except PreconditionFailed as err:
+        context.gcp_publish_error = str(err)
+
+
 @then("the request should be denied")
 def validate_request_denied(context):
-    if "AccessDenied" in context.s3_publish_error:
+    if (
+        "AccessDenied" in context.s3_publish_error
+        and "412 PATCH" in context.gcp_publish_error
+    ):
         assert True
     else:
         assert False

src/control-catalog/terraform_modules/storage/main.tf

@@ -16,4 +16,9 @@ module "aws_storage_object_ccc_os_c2" {
 module "aws_storage_object_ccc_os_c3" {
   source      = "./object/ccc.os.c3/aws"
   bucket_name = var.bucket_name
+}
+
+module "gcp_storage_object_ccc_os_c3" {
+  source      = "./object/ccc.os.c3/gcp"
+  bucket_name = var.bucket_name
 }

src/control-catalog/terraform_modules/storage/object/ccc.os.c3/gcp/main.tf

@@ -0,0 +1,13 @@
+resource "google_storage_bucket" "auto-expire" {
+  name          = "${var.bucket_name}-ccc-os-c3"
+  location      = "US"
+  force_destroy = true
+
+  public_access_prevention = "enforced" # Enabling public access
+
+  lifecycle {
+    ignore_changes = [ # Disabling public access to this
+      uniform_bucket_level_access
+    ]
+  }
+}

src/control-catalog/terraform_modules/storage/object/ccc.os.c3/gcp/variables.tf

@@ -0,0 +1,4 @@
+variable "bucket_name" {
+  type        = string
+  description = "Bucket Name"
+}