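def test_get_audit_logs_bigquery_bindings_local(self):
    """Checks the BigQuery bindings of a locally hosted audit-log dataset.

    The ProjectConfig is built with ``audit_logs_project=None``, and the
    complete list from ``get_audit_logs_bigquery_bindings()`` is compared
    with the expected one.
    """
    # safe_load builds plain data only. yaml.load() without an explicit Loader
    # is deprecated since PyYAML 5.1 and raises TypeError in 6.0, and the
    # legacy default loader could construct arbitrary objects from tagged input.
    yaml_dict = yaml.safe_load(TEST_PROJECT_YAML)
    project = ProjectConfig(
        project=yaml_dict['projects'][0],
        audit_logs_project=None,
        forseti=yaml_dict['forseti'])

    got_bindings = project.get_audit_logs_bigquery_bindings()

    # One member per role. Because the whole list is compared, an extra role
    # or an extra member on the audit-log dataset makes the test fail.
    # NOTE(review): the e-mail literals look masked in this copy; confirm the
    # real addresses against the fixture before relying on this test.
    want_bindings = [
        {
            'role': 'OWNER',
            'members': [{'group_email': '*****@*****.**'}],
        },
        {
            'role': 'WRITER',
            'members': [{'user_email': '*****@*****.**'}],
        },
        {
            'role': 'READER',
            'members': [{'group_email': '*****@*****.**'}],
        },
    ]
    self.assertEqual(got_bindings, want_bindings)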
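def get_all_project_configs(config_dict):
    """Returns a list of ProjectConfigs and an overall config dictionary.

    Args:
      config_dict: parsed deployment config. The keys 'audit_logs_project',
        'projects', 'forseti' and the one named by
        field_generation.GENERATED_FIELDS_NAME are optional; 'overall' is
        required.

    Returns:
      A tuple (project_configs, overall). project_configs holds the audit
      logs project first (when configured), then the Forseti project (when
      configured), then the entries of 'projects' in their given order.

    Raises:
      KeyError: if config_dict has no 'overall' key.
    """
    # audit_logs_project is omitted if projects use local audit logs.
    audit_logs_project = config_dict.get('audit_logs_project')

    project_configs = []
    if audit_logs_project:
        # The audit logs project itself is configured without a remote
        # audit logs project.
        project_configs.append(
            ProjectConfig(
                project=audit_logs_project,
                audit_logs_project=None,
                generated_fields=config_dict.get(
                    field_generation.GENERATED_FIELDS_NAME)))

    # Work on a copy: the insert below must not add the Forseti project to the
    # caller's 'projects' list (a second call would insert it again, and a
    # config written back afterwards would contain it). `or` also covers a
    # key that is present but empty in the YAML (parsed as None).
    project_dicts = list(config_dict.get('projects') or [])
    forseti_project = (config_dict.get('forseti') or {}).get('project')
    if forseti_project:
        # insert forseti project before regular projects so that the forseti
        # rules show up first
        project_dicts.insert(0, forseti_project)

    for project in project_dicts:
        project_configs.append(
            ProjectConfig(
                project=project,
                audit_logs_project=audit_logs_project,
                generated_fields=config_dict.get(
                    field_generation.GENERATED_FIELDS_NAME)))
    return project_configs, config_dict['overall']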
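def get_all_project_configs(config_dict):
    """Returns a list of ProjectConfigs and an overall config dictionary.

    Args:
      config_dict: parsed deployment config. The keys 'forseti',
        'audit_logs_project' and 'projects' are optional; 'overall' is
        required.

    Returns:
      A tuple (project_configs, overall). project_configs holds the audit
      logs project first (when configured), then the Forseti project (when
      configured), then the entries of 'projects' in their given order.

    Raises:
      KeyError: if config_dict has no 'overall' key.
    """
    # forseti is omitted if there is no forseti config
    forseti = config_dict.get('forseti')
    # audit_logs_project is omitted if projects use local audit logs.
    audit_logs_project = config_dict.get('audit_logs_project')

    project_configs = []
    if audit_logs_project:
        # The audit logs project itself is configured without a remote
        # audit logs project.
        project_configs.append(
            ProjectConfig(
                project=audit_logs_project,
                audit_logs_project=None,
                forseti=forseti))

    # Work on a copy: the insert below must not add the Forseti project to the
    # caller's 'projects' list (a second call would insert it again). `or`
    # also covers a key that is present but empty in the YAML (parsed as None).
    project_dicts = list(config_dict.get('projects') or [])
    forseti_project = (forseti or {}).get('project')
    if forseti_project:
        # insert forseti project before regular projects so that the forseti
        # rules show up first
        project_dicts.insert(0, forseti_project)

    for project in project_dicts:
        project_configs.append(
            ProjectConfig(
                project=project,
                audit_logs_project=audit_logs_project,
                forseti=forseti))
    return project_configs, config_dict['overall']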
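def test_get_project_bigquery_bindings(self):
    """Checks the per-dataset BigQuery bindings of the first test project.

    ``get_project_bigquery_bindings()`` is expected to return
    (dataset ids, bindings) pairs; datasets with identical bindings share
    one pair.
    """
    # safe_load builds plain data only. yaml.load() without an explicit Loader
    # is deprecated since PyYAML 5.1 and raises TypeError in 6.0, and the
    # legacy default loader could construct arbitrary objects from tagged input.
    yaml_dict = yaml.safe_load(TEST_PROJECT_YAML)
    project = ProjectConfig(
        project=yaml_dict['projects'][0],
        audit_logs_project=None,
        generated_fields=yaml_dict['generated_fields'])

    got_bindings = project.get_project_bigquery_bindings()

    # NOTE(review): the e-mail literals look masked in this copy; confirm the
    # real addresses against the fixture before relying on this test.
    default_bindings = [
        {
            'role': 'OWNER',
            'members': [{'group_email': '*****@*****.**'}],
        },
        {
            'role': 'WRITER',
            'members': [{'group_email': '*****@*****.**'}],
        },
        {
            'role': 'READER',
            'members': [
                {'group_email': '*****@*****.**'},
                {'group_email': '*****@*****.**'},
            ],
        },
    ]
    # Dataset more_data has an additional writer account. deepcopy keeps the
    # extra member out of default_bindings.
    custom_bindings = copy.deepcopy(default_bindings)
    custom_bindings[1]['members'].append(
        {'user_email': '*****@*****.**'})

    # The full structure is compared, so an unexpected member on any dataset
    # fails the test.
    want_bindings = [
        (['sample-data:data', 'sample-data:euro_data'], default_bindings),
        (['sample-data:more_data'], custom_bindings),
    ]
    self.assertEqual(got_bindings, want_bindings)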
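def test_get_audit_logs_bigquery_bindings_remote(self):
    """Checks the audit-log dataset bindings when logs go to a remote project.

    The first test project is switched to a remote audit-log dataset and the
    ProjectConfig receives a separate ``audit_logs_project`` dict.
    """
    # safe_load builds plain data only. yaml.load() without an explicit Loader
    # is deprecated since PyYAML 5.1 and raises TypeError in 6.0, and the
    # legacy default loader could construct arbitrary objects from tagged input.
    yaml_dict = yaml.safe_load(TEST_PROJECT_YAML)
    project_dict = yaml_dict['projects'][0]
    # Set remote audit logs instead of local audit logs.
    project_dict['audit_logs'] = {
        'logs_bigquery_dataset': {
            'name': 'some_data_logs'
        },
    }
    audit_logs_project = {
        'project_id': 'audit-logs',
        'owners_group': '*****@*****.**',
    }
    forseti = yaml_dict['forseti']
    project = ProjectConfig(
        project=project_dict,
        audit_logs_project=audit_logs_project,
        forseti=forseti)

    got_bindings = project.get_audit_logs_bigquery_bindings()

    # One member per role. Because the whole list is compared, an extra role
    # or an extra member on the audit-log dataset makes the test fail.
    # NOTE(review): the e-mail literals look masked in this copy, so it cannot
    # be read from here which group is expected as OWNER (presumably the
    # audit logs project's owners_group; confirm against the fixture).
    want_bindings = [
        {
            'role': 'OWNER',
            'members': [{'group_email': '*****@*****.**'}],
        },
        {
            'role': 'WRITER',
            'members': [{'user_email': '*****@*****.**'}],
        },
        {
            'role': 'READER',
            'members': [{'group_email': '*****@*****.**'}],
        },
    ]
    self.assertEqual(got_bindings, want_bindings)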
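def test_get_audit_log_sink_destination(self):
    """Checks the audit-log sink destination for local and remote audit logs."""
    # safe_load builds plain data only. yaml.load() without an explicit Loader
    # is deprecated since PyYAML 5.1 and raises TypeError in 6.0, and the
    # legacy default loader could construct arbitrary objects from tagged input.
    yaml_dict = yaml.safe_load(TEST_PROJECT_YAML)
    project_dict = yaml_dict['projects'][0]
    forseti = yaml_dict['forseti']

    # Local audit logs: the sink points at a dataset in the project itself.
    project = ProjectConfig(
        project=project_dict,
        audit_logs_project=None,
        forseti=forseti)
    self.assertEqual(
        'bigquery.googleapis.com/projects/sample-data/datasets/audit_logs',
        project.get_audit_log_sink_destination())

    # Remote audit logs: the sink must point at the audit logs project and
    # the dataset named in the project's audit_logs section.
    project_dict['audit_logs'] = {
        'logs_bigquery_dataset': {
            'name': 'some_data_logs'
        },
    }
    audit_logs_project = {
        'project_id': 'audit-logs',
        'owners_group': '*****@*****.**',
    }
    project = ProjectConfig(
        project=project_dict,
        audit_logs_project=audit_logs_project,
        forseti=forseti)
    self.assertEqual(
        'bigquery.googleapis.com/projects/audit-logs/datasets/some_data_logs',
        project.get_audit_log_sink_destination())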
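def test_load_valid_config(self):
    """Loads the first test project and checks the values derived from it.

    Covers the project id, enabled APIs, project-level IAM bindings, the
    per-bucket bindings and the audit-log sink destination.
    """
    # safe_load builds plain data only. yaml.load() without an explicit Loader
    # is deprecated since PyYAML 5.1 and raises TypeError in 6.0, and the
    # legacy default loader could construct arbitrary objects from tagged input.
    yaml_dict = yaml.safe_load(TEST_PROJECT_YAML)
    project = ProjectConfig(
        project=yaml_dict['projects'][0],
        audit_logs_project=None,
        forseti=yaml_dict['forseti'])
    self.assertIsNotNone(project)
    self.assertEqual('sample-data', project.project_id)
    self.assertEqual(
        ['monitoring.googleapis.com', 'logging.googleapis.com'],
        project.enabled_apis)

    # NOTE(review): the e-mail literals look masked in this copy; confirm the
    # real principals against the fixture before relying on this test.
    # NOTE(review): 'roles/editors' is not the predefined 'roles/editor';
    # presumably it mirrors the fixture verbatim. Confirm it is intended.
    expected_proj_bindings = {
        'roles/owner': ['group:[email protected]'],
        'roles/editors': [
            'serviceAccount:[email protected]',
            'serviceAccount:[email protected]',
            ('serviceAccount:service-123546879123@'
             'containerregistry.iam.gserviceaccount.com'),
        ],
        'roles/iam.securityReviewer': [
            'group:[email protected]',
            'serviceAccount:[email protected]',
        ],
        'roles/bigquery.dataViewer': [
            'group:[email protected]',
            'group:[email protected]',
            'group:[email protected]',
        ],
        'roles/ml.developer': [
            'group:[email protected]',
            'group:[email protected]',
            'group:[email protected]',
        ],
    }
    # assertDictEqual on the whole mapping: an additional role or member in
    # the generated project policy fails the test.
    self.assertDictEqual(expected_proj_bindings,
                         project.get_project_bindings())

    # Logs bucket: no principal is expected to hold objectAdmin.
    expected_log_bindings = {
        'roles/storage.admin': ['group:[email protected]'],
        'roles/storage.objectAdmin': [],
        'roles/storage.objectViewer': ['group:[email protected]'],
        'roles/storage.objectCreator': ['group:[email protected]'],
    }
    # Raw data bucket: no principal is expected to hold objectCreator.
    expected_raw_data_bindings = {
        'roles/storage.admin': [
            'group:[email protected]',
        ],
        'roles/storage.objectAdmin': [
            'group:[email protected]',
        ],
        'roles/storage.objectCreator': [],
        'roles/storage.objectViewer': [
            'group:[email protected]',
            'group:[email protected]',
        ],
    }
    # The processed bucket differs from the raw one by a single extra
    # storage.admin service account; deepcopy keeps the raw expectation
    # untouched.
    expected_processed_data_bindings = copy.deepcopy(
        expected_raw_data_bindings)
    expected_processed_data_bindings['roles/storage.admin'].append(
        'serviceAccount:[email protected]')

    expected_bucket_bindings = [
        (['sample-data-logs'], expected_log_bindings),
        (['sample-data-processed'], expected_processed_data_bindings),
        (['sample-data-raw'], expected_raw_data_bindings),
    ]
    self.assertEqual(expected_bucket_bindings, project.get_bucket_bindings())

    self.assertEqual(
        'bigquery.googleapis.com/projects/sample-data/datasets/audit_logs',
        project.get_audit_log_sink_destination())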