    def test_audit_config_create_from_is_correct(self):
        """create_from() turns raw IAM audit-config JSON into per-service sets.

        Every 'auditLogConfigs' entry becomes a log type key under its service;
        the value is the set of 'exemptedMembers' for that log type, empty when
        the JSON lists none. Exemptions are compared as sets, so their order in
        the JSON does not matter.
        """
        raw_policy = [
            {
                'service': 'allServices',
                'auditLogConfigs': [{'logType': 'DATA_READ'}],
            },
            {
                'service': 'storage.googleapis.com',
                'auditLogConfigs': [
                    {'logType': 'DATA_READ'},
                    {
                        'logType': 'DATA_WRITE',
                        'exemptedMembers': [
                            'user:[email protected]',
                            'user:[email protected]',
                        ],
                    },
                ],
            },
        ]
        parsed = IamAuditConfig.create_from(raw_policy)

        expected_configs = {
            'allServices': {'DATA_READ': set()},
            'storage.googleapis.com': {
                'DATA_READ': set(),
                'DATA_WRITE': {'user:[email protected]', 'user:[email protected]'},
            },
        }
        expected = IamAuditConfig(expected_configs)

        # Check the raw mapping first so a failure names the offending service.
        self.assertEqual(expected_configs, parsed.service_configs)
        self.assertEqual(expected, parsed)
    def test_project_with_no_violations(self):
        """A project whose audit config satisfies its rules yields no violations."""
        rules_path = get_datafile_path(
            __file__, 'audit_logging_test_valid_rules.yaml')
        engine = alre.AuditLoggingRulesEngine(rules_file_path=rules_path)
        engine.build_rule_book()
        # The fixture rules file declares rules for five different resources.
        self.assertEqual(5, len(engine.rule_book.resource_rules_map))

        # proj-1 needs ADMIN_READ for allServices, and all three log types
        # for compute and cloudsql. The set under each log type holds the
        # members exempted from that log type.
        configured = {
            'allServices': {
                'ADMIN_READ': set(),
                'DATA_READ': set(),
            },
            'compute.googleapis.com': {
                'DATA_WRITE': {'user:[email protected]'},
            },
            'cloudsql.googleapis.com': {
                'DATA_WRITE': set(),
            },
            'logging.googleapis.com': {
                'DATA_READ': {'user:[email protected]'},
            },
        }
        violations = engine.find_violations(
            self.proj_1, IamAuditConfig(configured))
        self.assertEqual(set(), violations)
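 def test_audit_config_create_from_bad_config(self):
     """create_from() rejects an entry that has log configs but no service.

     The parser must raise InvalidIamAuditConfigError instead of silently
     producing a config keyed on a missing service name.
     """
     # Log configs without a service name.
     audit_configs_json = [
         {
             'auditLogConfigs': [{
                 'logType': 'DATA_READ',
             }]
         },
     ]
     # Only the raised exception matters; the return value is never reached,
     # so it is not bound to a name.
     with self.assertRaises(InvalidIamAuditConfigError):
         IamAuditConfig.create_from(audit_configs_json)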
    def test_audit_config_merge_succeeds(self):
        """merge_configs() unions services, log types and exemptions.

        Services present in only one config are carried over unchanged, log
        types shared by both get the union of their exempted members, and the
        merged data must not alias the source config's sets.
        """
        base_configs = {
            'allServices': {
                'ADMIN_READ': {'user:[email protected]', 'user:[email protected]'},
                'DATA_READ': set(),
            },
            'storage.googleapis.com': {
                'DATA_READ': set(),
                'DATA_WRITE': {'user:[email protected]', 'user:[email protected]'},
            },
        }
        incoming_configs = {
            'allServices': {
                'ADMIN_READ': {'user:[email protected]', 'user:[email protected]'},
                'DATA_WRITE': set(),
            },
            'cloudsql.googleapis.com': {
                'DATA_READ': set(),
                'DATA_WRITE': {'user:[email protected]', 'user:[email protected]'},
            },
        }
        merged_configs = {
            'allServices': {
                'ADMIN_READ': {
                    'user:[email protected]',
                    'user:[email protected]',
                    'user:[email protected]',
                },
                'DATA_READ': set(),
                'DATA_WRITE': set(),
            },
            'cloudsql.googleapis.com': {
                'DATA_READ': set(),
                'DATA_WRITE': {'user:[email protected]', 'user:[email protected]'},
            },
            'storage.googleapis.com': {
                'DATA_READ': set(),
                'DATA_WRITE': {'user:[email protected]', 'user:[email protected]'},
            },
        }

        target = IamAuditConfig(base_configs)
        source = IamAuditConfig(incoming_configs)
        expected = IamAuditConfig(merged_configs)

        target.merge_configs(source)

        # Mutate the source after the merge: if merge_configs() had stored a
        # reference instead of a deep copy, this exemption would leak into
        # the target and the comparison below would fail.
        source.service_configs['cloudsql.googleapis.com']['DATA_READ'].add(
            'user:[email protected]')

        self.assertEqual(expected, target)
    def test_project_with_missing_log_configs(self):
        """Each required log type absent from the config yields one violation."""
        rules_path = get_datafile_path(
            __file__, 'audit_logging_test_valid_rules.yaml')
        engine = alre.AuditLoggingRulesEngine(rules_file_path=rules_path)
        engine.build_rule_book()
        # The fixture rules file declares rules for five different resources.
        self.assertEqual(5, len(engine.rule_book.resource_rules_map))

        # proj-2 requires all 3 log types for compute, and ADMIN_READ+DATA_WRITE
        # for everything. DATA_WRITE on allServices and DATA_READ on compute
        # are left out on purpose and must each be reported.
        configured = {
            'allServices': {
                'ADMIN_READ': set(),
            },
            'compute.googleapis.com': {
                'DATA_WRITE': set(),
            },
            'cloudsql.googleapis.com': {
                'DATA_WRITE': set(),
            },
        }
        violations = engine.find_violations(
            self.proj_2, IamAuditConfig(configured))

        # Fields common to every violation raised against proj-2.
        proj_2_fields = dict(
            resource_type='project',
            resource_id='proj-2',
            resource_name='My project 2',
            full_name='organization/234/folder/56/project/proj-2/',
            violation_type='AUDIT_LOGGING_VIOLATION',
            unexpected_exemptions=None,
            resource_data='fake_project_data_4562',
        )
        expected = {
            alre.Rule.RuleViolation(
                rule_name='Require DATA_WRITE logging in folder 56',
                rule_index=1,
                service='allServices',
                log_type='DATA_WRITE',
                **proj_2_fields),
            alre.Rule.RuleViolation(
                rule_name='Require all logging for compute, with exemptions.',
                rule_index=2,
                service='compute.googleapis.com',
                log_type='DATA_READ',
                **proj_2_fields),
        }
        self.assertEqual(expected, violations)
    def test_project_with_no_configs(self):
        """A project with an empty audit config is flagged for every required log type."""
        rules_path = get_datafile_path(
            __file__, 'audit_logging_test_valid_rules.yaml')
        engine = alre.AuditLoggingRulesEngine(rules_file_path=rules_path)
        engine.build_rule_book()
        # The fixture rules file declares rules for five different resources.
        self.assertEqual(5, len(engine.rule_book.resource_rules_map))

        # proj-3 needs ADMIN_READ for allServices (user1 & 3 exempted), and all
        # three log types for cloudsql (no exemptions). With nothing configured
        # every one of those requirements is missing.
        violations = engine.find_violations(
            self.proj_3, IamAuditConfig({}))

        # Fields common to every violation raised against proj-3. Note the
        # fixture's resource_id ('project-3') differs from the id used in
        # full_name ('proj-3'); both are reproduced as the engine reports them.
        proj_3_fields = dict(
            resource_type='project',
            resource_id='project-3',
            resource_name='My project 3',
            full_name='organization/234/project/proj-3/',
            violation_type='AUDIT_LOGGING_VIOLATION',
            unexpected_exemptions=None,
            resource_data='fake_project_data_1233',
        )
        expected = {
            alre.Rule.RuleViolation(
                rule_name='Require AUDIT_READ on all services, with exmptions.',
                rule_index=0,
                service='allServices',
                log_type='ADMIN_READ',
                **proj_3_fields),
        }
        # The cloudsql rule carries no exemptions, so each of its three log
        # types is reported separately.
        for missing_log_type in ('ADMIN_READ', 'DATA_READ', 'DATA_WRITE'):
            expected.add(alre.Rule.RuleViolation(
                rule_name='Require all logging for cloudsql.',
                rule_index=3,
                service='cloudsql.googleapis.com',
                log_type=missing_log_type,
                **proj_3_fields))
        self.assertEqual(expected, violations)