def create_rules(policies):
"""Creates FirewallRules from policies.
Args:
policies (list): A list of policy dictionaries.
Returns:
list: A list of FirewallRule.
"""
match_rules = []
for policy in policies:
rule = firewall_rule.FirewallRule(**policy)
match_rules.append(rule)
return match_rules
def setUp(self):
self.fake_utcnow = datetime(year=1900,
month=1,
day=1,
hour=0,
minute=0,
second=0,
microsecond=0)
# patch the daos
self.org_patcher = mock.patch(
'google.cloud.security.common.data_access.'
'org_resource_rel_dao.OrgResourceRelDao')
self.mock_org_rel_dao = self.org_patcher.start()
self.mock_org_rel_dao.return_value = FakeOrgDao()
self.project_patcher = mock.patch(
'google.cloud.security.common.data_access.'
'project_dao.ProjectDao')
self.mock_project_dao = self.project_patcher.start()
self.mock_project_dao.return_value = FakeProjectDao()
self.fake_scanner_configs = {'output_path': 'gs://fake/output/path'}
self.scanner = iap_scanner.IapScanner(
{}, {}, '',
get_datafile_path(__file__, 'iap_scanner_test_data.yaml'))
self.scanner.scanner_configs = self.fake_scanner_configs
self.scanner._get_backend_services = lambda: self.backend_services.values(
)
self.scanner._get_firewall_rules = lambda: self.firewall_rules.values()
self.scanner._get_instances = lambda: self.instances.values()
self.scanner._get_instance_groups = lambda: self.instance_groups.values(
)
self.scanner._get_instance_group_managers = lambda: self.instance_group_managers.values(
)
self.scanner._get_instance_templates = lambda: self.instance_templates.values(
)
self.backend_services = {
# The main backend service.
'bs1':
backend_service_type.BackendService(
project_id='foo',
name='bs1',
backends=json.dumps([
{
'group': ('https://www.googleapis.com/compute/v1/'
'projects/foo/regions/wl-redqueen1/'
'instanceGroups/ig_managed')
},
{
'group': ('https://www.googleapis.com/compute/v1/'
'projects/foo/regions/wl-redqueen1/'
'instanceGroups/ig_unmanaged')
},
]),
iap=json.dumps({'enabled': True}),
port=80,
port_name='http',
),
# Another backend service that connects to the same backend.
'bs1_same_backend':
backend_service_type.BackendService(
project_id='foo',
name='bs1_same_backend',
backends=json.dumps([
{
'group': ('https://www.googleapis.com/compute/v1/'
'projects/foo/regions/wl-redqueen1/'
'instanceGroups/ig_managed')
},
]),
port=80,
),
# A backend service with a different port (so, not an alternate).
'bs1_different_port':
backend_service_type.BackendService(
project_id='foo',
name='bs1_different_port',
backends=json.dumps([
{
'group': ('https://www.googleapis.com/compute/v1/'
'projects/foo/regions/wl-redqueen1/'
'instanceGroups/ig_managed')
},
]),
port=81,
),
# Various backend services that should or shouldn't be alts.
'bs1_same_instance':
backend_service_type.BackendService(
project_id='foo',
name='bs1_same_instance',
backends=json.dumps([
{
'group': ('https://www.googleapis.com/compute/v1/'
'projects/foo/regions/wl-redqueen1/'
'instanceGroups/ig_same_instance')
},
]),
port=80,
),
'bs1_different_network':
backend_service_type.BackendService(
project_id='foo',
name='bs1_different_network',
backends=json.dumps([
{
'group': ('https://www.googleapis.com/compute/v1/'
'projects/foo/regions/wl-redqueen1/'
'instanceGroups/ig_different_network')
},
]),
port=80,
),
'bs1_different_instance':
backend_service_type.BackendService(
project_id='foo',
name='bs1_different_instance',
backends=json.dumps([
{
'group': ('https://www.googleapis.com/compute/v1/'
'projects/foo/regions/wl-redqueen1/'
'instanceGroups/ig_different_instance')
},
]),
port=80,
),
}
self.firewall_rules = {
# Doesn't apply because of IPProtocol mismatch.
'proto_mismatch':
firewall_rule_type.FirewallRule(
project_id='foo',
firewall_rule_name='proto_mismatch',
firewall_rule_network='global/networks/default',
firewall_rule_source_tags=json.dumps(['proto_mismatch']),
firewall_rule_allowed=json.dumps([{
'IPProtocol': 'udp',
}]),
),
# Preempted by allow.
'deny_applies_all_preempted':
firewall_rule_type.FirewallRule(
project_id='foo',
firewall_rule_name='deny_applies_all_preempted',
firewall_rule_priority=60000,
firewall_rule_network='global/networks/default',
firewall_rule_source_ranges=json.dumps(['applies_all']),
firewall_rule_denied=json.dumps([{
'IPProtocol': 'tcp',
}]),
),
# Applies to all ports, tags.
'applies_all':
firewall_rule_type.FirewallRule(
project_id='foo',
firewall_rule_name='applies_all',
firewall_rule_network='global/networks/default',
firewall_rule_source_ranges=json.dumps(['10.0.2.0/24']),
firewall_rule_source_tags=json.dumps(['applies_all']),
firewall_rule_allowed=json.dumps([{
'IPProtocol': 'tcp',
}]),
),
# Applies to only port 8080.
'applies_8080':
firewall_rule_type.FirewallRule(
project_id='foo',
firewall_rule_name='applies_8080',
firewall_rule_network='global/networks/default',
firewall_rule_source_tags=json.dumps(['applies_8080']),
firewall_rule_allowed=json.dumps([{
'IPProtocol': 'tcp',
'ports': [8080],
}]),
),
# Applies to a multi-port range.
'applies_8081_8083':
firewall_rule_type.FirewallRule(
project_id='foo',
firewall_rule_name='applies_8081_8083',
firewall_rule_network='global/networks/default',
firewall_rule_source_tags=json.dumps(['applies_8081_8083']),
firewall_rule_allowed=json.dumps([{
'IPProtocol': 'tcp',
'ports': ['8081-8083'],
}]),
),
# Doesn't apply because of direction mismatch.
'direction':
firewall_rule_type.FirewallRule(
project_id='foo',
firewall_rule_name='direction',
firewall_rule_direction='EGRESS',
firewall_rule_network='global/networks/default',
firewall_rule_source_tags=json.dumps(['direction']),
firewall_rule_allowed=json.dumps([{
'IPProtocol': 'tcp',
}]),
),
# Doesn't apply because of network mismatch.
'network':
firewall_rule_type.FirewallRule(
project_id='foo',
firewall_rule_name='network',
firewall_rule_network='global/networks/social',
firewall_rule_source_tags=json.dumps(['network']),
firewall_rule_allowed=json.dumps([{
'IPProtocol': 'tcp',
}]),
),
# Doesn't apply because of tags.
'tag_mismatch':
firewall_rule_type.FirewallRule(
project_id='foo',
firewall_rule_name='tag_mismatch',
firewall_rule_network='global/networks/default',
firewall_rule_source_tags=json.dumps(['tag_mismatch']),
firewall_rule_target_tags=json.dumps(
['im_gonna_pop_some_tags']),
firewall_rule_allowed=json.dumps([{
'IPProtocol': 'tcp',
}]),
),
# Tag-specific rule *does* apply.
'tag_match':
firewall_rule_type.FirewallRule(
project_id='foo',
firewall_rule_name='tag_match',
firewall_rule_network='global/networks/default',
firewall_rule_source_tags=json.dumps(['tag_match']),
firewall_rule_target_tags=json.dumps(['tag_i1']),
firewall_rule_allowed=json.dumps([{
'IPProtocol': 'tcp',
}]),
),
# Preempted by deny rule.
'preempted':
firewall_rule_type.FirewallRule(
project_id='foo',
firewall_rule_name='preempted',
firewall_rule_network='global/networks/default',
firewall_rule_source_tags=json.dumps(['preempted']),
firewall_rule_allowed=json.dumps([{
'IPProtocol': 'tcp',
}]),
),
# Preempted by deny rule.
'preempted_deny':
firewall_rule_type.FirewallRule(
project_id='foo',
firewall_rule_name='preempted_deny',
firewall_rule_priority=1,
firewall_rule_network='global/networks/default',
firewall_rule_source_ranges=json.dumps(['preempted']),
firewall_rule_denied=json.dumps([{
'IPProtocol': 'tcp',
}]),
),
}
self.instances = {
'i1':
instance_type.Instance(
project_id='foo',
name='i1',
tags=json.dumps({'items': ['tag_i1']}),
zone='wl-redqueen1-a',
),
'i2':
instance_type.Instance(
project_id='foo',
name='i2',
tags=json.dumps([]),
zone='wl-redqueen1-a',
),
}
self.instance_groups = {
# Managed
'ig_managed':
instance_group_type.InstanceGroup(
project_id='foo',
name='ig_managed',
network='global/networks/default',
region='wl-redqueen1',
instance_urls=json.dumps([
('https://www.googleapis.com/compute/v1/'
'projects/foo/zones/wl-redqueen1-a/instances/i1')
]),
),
# Unmanaged; overrides port mapping
'ig_unmanaged':
instance_group_type.InstanceGroup(
project_id='foo',
name='ig_unmanaged',
network='global/networks/default',
region='wl-redqueen1',
instance_urls=json.dumps([]),
named_ports=json.dumps([{
'name': 'foo',
'port': 80
}, {
'name': 'http',
'port': 8080
}]),
),
# Unmanaged; same instance as ig_managed
'ig_same_instance':
instance_group_type.InstanceGroup(
project_id='foo',
name='ig_same_instance',
network='global/networks/default',
region='wl-redqueen1',
instance_urls=json.dumps([
('https://www.googleapis.com/compute/v1/'
'projects/foo/zones/wl-redqueen1-a/instances/i1')
]),
),
# Unmanaged; different network than ig_managed
'ig_different_network':
instance_group_type.InstanceGroup(
project_id='foo',
name='ig_different_network',
network='global/networks/nondefault',
region='wl-redqueen1',
instance_urls=json.dumps([
('https://www.googleapis.com/compute/v1/'
'projects/foo/zones/wl-redqueen1-a/instances/i1')
]),
),
# Unmanaged; different instance than ig_managed
'ig_different_instance':
instance_group_type.InstanceGroup(
project_id='foo',
name='ig5',
network='global/networks/default',
region='wl-redqueen1',
instance_urls=json.dumps([
('https://www.googleapis.com/compute/v1/'
'projects/foo/zones/wl-redqueen1-a/instances/i2')
]),
),
}
self.instance_group_managers = {
'igm1':
instance_group_manager_type.InstanceGroupManager(
project_id='foo',
name='igm1',
instance_group=
('https://www.googleapis.com/compute/v1/'
'projects/foo/regions/wl-redqueen1/instanceGroups/ig_managed'
),
instance_template=(
'https://www.googleapis.com/compute/v1/'
'projects/foo/global/instanceTemplates/it1'),
region='wl-redqueen1',
),
}
self.instance_templates = {
'it1':
instance_template_type.InstanceTemplate(
project_id='foo',
name='it1',
properties=json.dumps({
'tags': {
'items': ['tag_it1']
},
}),
),
}
self.data = iap_scanner._RunData(
self.backend_services.values(),
self.firewall_rules.values(),
self.instances.values(),
self.instance_groups.values(),
self.instance_group_managers.values(),
self.instance_templates.values(),
)
def test_firewall_rule_is_equivalent(self, rule_1_dict, rule_2_dict,
expected):
"""Tests that rule 1 == rule 2 returns the correct value."""
rule_1 = firewall_rule.FirewallRule(**rule_1_dict)
rule_2 = firewall_rule.FirewallRule(**rule_2_dict)
self.assertEqual(expected, rule_1.is_equivalent(rule_2))