Beispiel #1
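 def test_retrieve_resources(self):
     """Check that _retrieve() yields one IapResource per backend service.

     The first element returned by ``self.scanner._retrieve()`` is indexed
     by backend service key. The key set is compared with the
     ``self.backend_services`` fixture, and the complete resource built for
     ``bs1`` is compared field by field with the expected value.
     """
     iap_resources = {
         resource.backend_service.key: resource
         for resource in self.scanner._retrieve()[0]
     }
     # Lift unittest's diff truncation so a mismatch prints in full.
     self.maxDiff = None
     # assertEqual replaces the deprecated assertEquals alias, which was
     # removed in Python 3.12.
     self.assertEqual(
         {bs.key for bs in self.backend_services.values()},
         set(iap_resources))
     self.assertEqual(
         iap_scanner.IapResource(
             backend_service=self.backend_services['bs1'],
             alternate_services={
                 backend_service_type.Key.from_args(
                     project_id='foo',
                     name='bs1_same_backend',
                 ),
                 backend_service_type.Key.from_args(
                     project_id='foo',
                     name='bs1_same_instance',
                 ),
             },
             # NOTE(review): one CIDR range plus three names that presumably
             # come from firewall fixtures built outside this method. These
             # look like the sources that can reach the backend without
             # going through IAP -- confirm against the fixture setup.
             direct_access_sources={
                 '10.0.2.0/24', 'tag_match', 'applies_all', 'applies_8080'
             },
             iap_enabled=True,
         ), iap_resources[self.backend_services['bs1'].key])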
Beispiel #2
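 def test_direct_access_violation(self):
     """A direct access source the rule does not list is reported.

     The rule is built with two empty lists and the resource carries one
     direct access source, so exactly one IAP_VIOLATION naming that source
     is expected, with no alternate-service or iap_enabled violation.
     """
     # NOTE(review): the positional arguments are presumably (rule_name,
     # rule_index, allowed_alternate_services,
     # allowed_direct_access_sources, allowed_iap_enabled pattern) --
     # confirm against ire.Rule.
     rule = ire.Rule('my rule', 0, [], [], '^.*')
     resource_rule = ire.ResourceRules(self.org789,
                                       rules={rule},
                                       applies_to='self_and_children')
     direct_source = 'some-tag'
     service = backend_service.BackendService(project_id=self.project1.id,
                                              name='bs1')
     iap_resource = iap_scanner.IapResource(
         backend_service=service,
         alternate_services=set(),
         direct_access_sources={direct_source},
         iap_enabled=True)
     results = list(resource_rule.find_mismatches(service, iap_resource))
     expected_violations = [
         ire.RuleViolation(resource_type='backend_service',
                           resource_name='bs1',
                           resource_id=service.resource_id,
                           rule_name=rule.rule_name,
                           rule_index=rule.rule_index,
                           violation_type='IAP_VIOLATION',
                           alternate_services_violations=[],
                           direct_access_sources_violations=[direct_source],
                           iap_enabled_violation=False),
     ]
     # assertEqual replaces the deprecated assertEquals alias, which was
     # removed in Python 3.12.
     self.assertEqual(expected_violations, results)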
Beispiel #3
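 def test_no_violations(self):
     """A resource with IAP on and no extra access paths yields no findings.

     The resource has empty alternate_services and direct_access_sources
     and iap_enabled=True, so find_mismatches() is expected to produce
     nothing.
     """
     # NOTE(review): the last argument is presumably the pattern for allowed
     # iap_enabled values; '^.*$' would accept any value -- confirm against
     # ire.Rule.
     rule = ire.Rule('my rule', 0, [], [], '^.*$')
     resource_rule = ire.ResourceRules(self.org789,
                                       rules={rule},
                                       applies_to='self_and_children')
     service = backend_service.BackendService(project_id=self.project1.id,
                                              name='bs1')
     iap_resource = iap_scanner.IapResource(backend_service=service,
                                            alternate_services=set(),
                                            direct_access_sources=set(),
                                            iap_enabled=True)
     results = list(resource_rule.find_mismatches(service, iap_resource))
     # assertEqual replaces the deprecated assertEquals alias, which was
     # removed in Python 3.12.
     self.assertEqual([], results)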
Beispiel #4
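 def test_violations_iap_disabled(self):
     """If IAP is disabled, don't report other violations.

     The resource carries one alternate service and one direct access
     source, neither listed by the rule, but iap_enabled is False, so
     find_mismatches() is expected to produce nothing.
     """
     # NOTE(review): '^.*' presumably also accepts iap_enabled=False, so
     # under this rule a backend with IAP off produces no finding at all.
     # Flagging that state would need a stricter pattern -- confirm against
     # ire.Rule.
     rule = ire.Rule('my rule', 0, [], [], '^.*')
     resource_rule = ire.ResourceRules(self.org789,
                                       rules={rule},
                                       applies_to='self_and_children')
     service = backend_service.BackendService(project_id=self.project1.id,
                                              name='bs1')
     alternate_service = backend_service.Key.from_args(
         project_id=self.project1.id, name='bs2')
     iap_resource = iap_scanner.IapResource(
         backend_service=service,
         alternate_services={alternate_service},
         direct_access_sources={'some-tag'},
         iap_enabled=False)
     results = list(resource_rule.find_mismatches(service, iap_resource))
     expected_violations = []
     # assertEqual replaces the deprecated assertEquals alias, which was
     # removed in Python 3.12.
     self.assertEqual(expected_violations, results)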