def test_invalid_google_service_account_access(valid_service_account_patcher):
    """
    Test that a Google Service Account with external access is reported as
    invalid by GoogleServiceAccountValidity.

    The fixture is the same one the all-valid test uses; here only the
    external-access check is flipped to "has external access" (which is not
    allowed), so the overall result must be False-y while the other two
    recorded checks still report valid.
    """
    patches = valid_service_account_patcher
    patches["service_account_has_external_access"].return_value = True

    validity = GoogleServiceAccountValidity(
        "some-account-id", "some-google-project-id")

    # a freshly constructed validity object is truthy before any check runs
    assert validity

    # early_return=False so that (presumably) every check runs and records
    # its own result instead of stopping at the first failure
    validity.check_validity(early_return=False)

    # the failed external-access check makes the whole object False-y
    assert not validity

    # every check key is recorded; only no_external_access may be False-y
    expected_truthiness = {
        "valid_type": True,
        "no_external_access": False,
        "owned_by_project": True,
    }
    for check_name, should_be_truthy in expected_truthiness.items():
        assert check_name in validity
        assert bool(validity[check_name]) is should_be_truthy
def test_invalid_google_service_account_ownership(
        valid_service_account_patcher):
    """
    Test that a Google Service Account not owned by the provided Google
    Project is reported as invalid by GoogleServiceAccountValidity.

    Only the ownership check is patched to fail (which is not allowed); the
    overall result must be False-y and the owned_by_project entry must
    record that failure.
    """
    patches = valid_service_account_patcher
    patches["is_service_account_from_google_project"].return_value = False

    validity = GoogleServiceAccountValidity(
        "some-account-id", "some-google-project-id")

    # truthy before any check has been run
    assert validity

    # run the checks without early return so the ownership result is recorded
    validity.check_validity(early_return=False)

    # the failed ownership check makes the whole object False-y
    assert not validity

    # the ownership result is present and False-y
    ownership_key = "owned_by_project"
    assert ownership_key in validity
    assert not validity[ownership_key]
def test_valid_google_service_account(valid_service_account_patcher):
    """
    Test that when everything is valid, the GoogleServiceAccountValidity
    is valid and has the expected information.

    The fixture is used unmodified, so every patched check succeeds and all
    three recorded checks must be truthy.
    """
    validity = GoogleServiceAccountValidity(
        "some-account-id", "some-google-project-id")

    # truthy before any check has been run
    assert validity

    # run every check (no early return) so each one records a result
    validity.check_validity(early_return=False)

    # still truthy: no check failed
    assert validity

    # every check key is recorded and every recorded result is truthy
    for check_name in ("valid_type", "no_external_access", "owned_by_project"):
        assert check_name in validity
        assert validity[check_name]
def _is_valid_service_account(sa_email, google_project_id, config=None):
    """
    Validate the given registered service account and remove if invalid.

    Args:
        sa_email(str): service account email
        google_project_id(str): google project id
        config: optional configuration handed through unchanged to
            ``GoogleServiceAccountValidity.check_validity``

    Returns:
        GoogleServiceAccountValidity or None: the checked validity object, or
        None when the monitor cannot resolve the project's number (no access)
        or when constructing/checking the validity raised. Callers therefore
        cannot distinguish "could not check" from "check blew up" by the
        return value alone.
    """
    google_project_number = get_google_project_number(google_project_id)
    if not google_project_number:
        # The monitor has no access to the project, so nothing can be
        # determined here. The project check is expected to catch the
        # missing-monitor error and add it to the removal reasons, so
        # return no information rather than a verdict.
        return None

    sa_validity = None
    try:
        sa_validity = GoogleServiceAccountValidity(
            sa_email, google_project_id, google_project_number=google_project_number
        )
        sa_validity.check_validity(early_return=True, config=config)
    except Exception:
        # Fail closed: any unexpected error is reported as "invalid" (None)
        # rather than letting an unchecked account through.
        # TODO not sure if this is the right way to handle this...
        print("Service Account determined invalid due to unhandled exception:")
        traceback.print_exc()
        sa_validity = None

    return sa_validity
 def mock_is_valid(sa_email, *args, **kwargs):
     """
     Stand-in for the service-account validity check.

     Any account other than ``invalid_service_account`` (taken from the
     enclosing scope) is reported valid by returning True. The invalid one
     gets a GoogleServiceAccountValidity whose overall validity is forced to
     False and whose policy_accessible entry is False, so that the caller
     removes the SA from the DB. Extra positional/keyword arguments are
     accepted and ignored so the signature matches the real check.
     """
     if sa_email != invalid_service_account:
         return True

     validity = GoogleServiceAccountValidity("account_id", "project_id")
     # policy_accessible=False is what drives the removal from the DB;
     # _valid is poked directly (private attribute) to flip the overall
     # validity to False.
     validity["policy_accessible"] = False
     validity._valid = False
     return validity
def test_invalid_service_account_does_not_exist_external_access(
        valid_service_account_patcher):
    """
    Test that when a Service Account that does not exist is requested
    for registration, the GoogleServiceAccountValidity is False-y and
    no_external_access is NOT SET.

    The policy lookup is patched to raise NotFound, standing in for a
    missing account; the external-access check then has no policy to
    inspect and must leave no_external_access as None rather than
    recording a definite False.
    """
    patches = valid_service_account_patcher
    patches["get_service_account_policy"].side_effect = NotFound(
        "Test SA Policy Not Found")

    validity = GoogleServiceAccountValidity(
        "some-account-id", "some-google-project-id")

    # truthy before any check has been run
    assert validity

    validity.check_validity(early_return=False)

    # The policy could not be fetched, so the external-access result is
    # "unknown" (None), not False.
    # NOTE(review): the docstring also promises the object is False-y after
    # the check, but that is not asserted here — confirm and add
    # `assert not validity` if that is the intended contract.
    assert validity["no_external_access"] is None
def test_invalid_google_service_account_ownership(
        valid_service_account_patcher):
    """
    Test that a Google Service Account not owned by the provided Google
    Project is reported as invalid by GoogleServiceAccountValidity.

    Only the ownership check is patched to fail (which is not allowed).
    Because the account is not owned by the project, valid_type and
    no_external_access cannot be determined either, so all three recorded
    checks must be False-y (the two that could not run are expected to be
    NULL rather than False).
    """
    patches = valid_service_account_patcher
    patches["is_service_account_from_google_project"].return_value = False

    validity = GoogleServiceAccountValidity(
        "some-account-id", "some-google-project-id")

    # truthy before any check has been run
    assert validity

    # run every check (no early return) so each one records a result
    validity.check_validity(early_return=False)

    # the failed ownership check makes the whole object False-y
    assert not validity

    # every check key is recorded and none of the results is truthy
    for check_name in ("valid_type", "no_external_access", "owned_by_project"):
        assert check_name in validity
        assert not validity[check_name]
def _is_valid_service_account(sa_email, google_project_id):
    """
    Validate the given registered service account and remove if invalid.

    Args:
        sa_email(str): service account email
        google_project_id(str): google project id

    Returns:
        GoogleServiceAccountValidity or None: the checked validity object, or
        None when constructing/checking it raised (treated as invalid).

    Raises:
        Unauthorized: if the monitoring service account cannot resolve the
            project's number, i.e. has no access to the Google Project.
    """
    with GoogleCloudManager(google_project_id) as gcm:
        google_project_number = get_google_project_number(google_project_id, gcm)

    if not google_project_number:
        # Without a project number the monitor cannot read the project at all.
        # Surface that explicitly instead of guessing at the account's
        # validity; the project check is expected to record the missing
        # monitor as a removal reason.
        raise Unauthorized(
            "Google Monitoring SA doesn't have access to Google Project: {}".format(
                google_project_id
            )
        )

    try:
        sa_validity = GoogleServiceAccountValidity(
            sa_email, google_project_id, google_project_number=google_project_number
        )
        # Google-managed service accounts skip the external-access check;
        # every other account gets all three checks. early_return=True
        # presumably stops at the first failing check.
        run_external_access_check = not is_google_managed_service_account(sa_email)
        sa_validity.check_validity(
            early_return=True,
            check_type=True,
            check_policy_accessible=True,
            check_external_access=run_external_access_check,
        )
    except Exception as exc:
        # Fail closed: any unexpected error is reported as invalid (None)
        # rather than letting an unchecked account through.
        # TODO not sure if this is the right way to handle this...
        warning = (
            "Service Account {} determined invalid due to unhandled exception: {}. "
            "Assuming service account is invalid.".format(sa_email, str(exc))
        )
        logger.warning(warning)
        traceback.print_exc()
        sa_validity = None

    return sa_validity