def test_direct_access_violation(self):
rule = ire.Rule('my rule', 0, [], [], '^.*')
resource_rule = ire.ResourceRules(self.org789,
rules=set([rule]),
applies_to='self_and_children')
direct_source = 'some-tag'
service = backend_service.BackendService(project_id=self.project1.id,
name='bs1')
iap_resource = iap_scanner.IapResource(backend_service=service,
alternate_services=set(),
direct_access_sources=set(
[direct_source]),
iap_enabled=True)
results = list(resource_rule.find_mismatches(service, iap_resource))
expected_violations = [
ire.RuleViolation(resource_type='backend_service',
resource_name='bs1',
resource_id=service.resource_id,
rule_name=rule.rule_name,
rule_index=rule.rule_index,
violation_type='IAP_VIOLATION',
alternate_services_violations=[],
direct_access_sources_violations=[direct_source],
iap_enabled_violation=False),
]
self.assertEquals(expected_violations, results)
def test_no_violations(self):
rule = ire.Rule('my rule', 0, [], [], '^.*$')
resource_rule = ire.ResourceRules(self.org789,
rules=set([rule]),
applies_to='self_and_children')
service = backend_service.BackendService(project_id=self.project1.id,
name='bs1')
iap_resource = iap_scanner.IapResource(backend_service=service,
alternate_services=set(),
direct_access_sources=set(),
iap_enabled=True)
results = list(resource_rule.find_mismatches(service, iap_resource))
self.assertEquals([], results)
def test_violations_iap_disabled(self):
"""If IAP is disabled, don't report other violations."""
rule = ire.Rule('my rule', 0, [], [], '^.*')
resource_rule = ire.ResourceRules(self.org789,
rules=set([rule]),
applies_to='self_and_children')
service = backend_service.BackendService(project_id=self.project1.id,
name='bs1')
alternate_service = backend_service.Key.from_args(
project_id=self.project1.id, name='bs2')
iap_resource = iap_scanner.IapResource(
backend_service=service,
alternate_services=set([alternate_service]),
direct_access_sources=set(['some-tag']),
iap_enabled=False)
results = list(resource_rule.find_mismatches(service, iap_resource))
expected_violations = []
self.assertEquals(expected_violations, results)
def test_add_single_rule_builds_correct_map(self):
"""Test that adding a single rule builds the correct map."""
rule_book = ire.IapRuleBook({}, test_iap_rules.RULES1,
self.fake_timestamp)
actual_rules = rule_book.resource_rules_map
rule = ire.Rule('my rule', 0, [], [], '^.*$')
expected_org_rules = ire.ResourceRules(self.org789,
rules=set([rule]),
applies_to='self_and_children')
expected_proj1_rules = ire.ResourceRules(self.project1,
rules=set([rule]),
applies_to='self')
expected_proj2_rules = ire.ResourceRules(self.project2,
rules=set([rule]),
applies_to='self')
expected_rules = {
(self.org789, 'self_and_children'): expected_org_rules,
(self.project1, 'self'): expected_proj1_rules,
(self.project2, 'self'): expected_proj2_rules
}
self.assertEqual(expected_rules, actual_rules)