def add_rule(self, rule_def, rule_index): """Add a rule to the rule book. Args: rule_def (dict): A dictionary containing rule definition properties. rule_index (int): The index of the rule from the rule definitions. Assigned automatically when the rule book is built. """ with self._lock: for resource in rule_def.get('resource'): resource_ids = resource.get('resource_ids') resource_type = None try: resource_type = resource_mod.ResourceType.verify( resource.get('type')) except resource_errors.InvalidResourceTypeError: raise audit_errors.InvalidRulesSchemaError( 'Missing resource type in rule {}'.format(rule_index)) if not resource_ids or len(resource_ids) < 1: raise audit_errors.InvalidRulesSchemaError( 'Missing resource ids in rule {}'.format(rule_index)) check_serverconfig_valid_node_versions = rule_def.get( 'check_serverconfig_valid_node_versions', False) check_serverconfig_valid_master_versions = rule_def.get( 'check_serverconfig_valid_master_versions', False) allowed_nodepool_versions = rule_def.get( 'allowed_nodepool_versions', []) allowed_versions = [] for allowed_version in allowed_nodepool_versions: allowed_versions.append(VersionRule(**allowed_version)) # For each resource id associated with the rule, create a # mapping of resource => rules. for resource_id in resource_ids: gcp_resource = resource_util.create_resource( resource_id=resource_id, resource_type=resource_type) rule = Rule( rule_def.get('name'), rule_index, check_serverconfig_valid_node_versions, check_serverconfig_valid_master_versions, allowed_versions) resource_rules = self.resource_rules_map.setdefault( gcp_resource, ResourceRules(resource=gcp_resource)) if rule not in resource_rules.rules: resource_rules.rules.add(rule)
def add_rule(self, rule_def, rule_index): """Add a rule to the rule book. Args: rule_def (dict): A dictionary containing rule definition properties. rule_index (int): The index of the rule from the rule definitions. Assigned automatically when the rule book is built. """ resources = rule_def.get('resource') for resource in resources: resource_ids = resource.get('resource_ids') if not resource_ids or len(resource_ids) < 1: raise audit_errors.InvalidRulesSchemaError( 'Missing resource ids in rule {}'.format(rule_index)) dataset_id = rule_def.get('dataset_id') special_group = rule_def.get('special_group') user_email = rule_def.get('user_email') domain = rule_def.get('domain') group_email = rule_def.get('group_email') role = rule_def.get('role') is_any_none = any(item is None for item in [ dataset_id, special_group, user_email, domain, group_email, role]) if is_any_none: raise audit_errors.InvalidRulesSchemaError( 'Faulty rule {}'.format(rule_def.get('name'))) rule_def_resource = bq_acls.BigqueryAccessControls( escape_and_globify(dataset_id), escape_and_globify(special_group), escape_and_globify(user_email), escape_and_globify(domain), escape_and_globify(group_email), escape_and_globify(role.upper())) rule = Rule(rule_name=rule_def.get('name'), rule_index=rule_index, rules=rule_def_resource) if not self.resource_rules_map.get(rule_index): self.resource_rules_map[rule_index] = rule
def add_rule(self, rule_def, rule_index): """Add a rule to the rule book. Args: rule_def: A dictionary containing rule definition properties. rule_index: The index of the rule from the rule definitions. Assigned automatically when the rule book is built. Raises: """ resources = rule_def.get('resource') for resource in resources: resource_ids = resource.get('resource_ids') if not resource_ids or len(resource_ids) < 1: raise audit_errors.InvalidRulesSchemaError( 'Missing resource ids in rule {}'.format(rule_index)) bucket = rule_def.get('bucket') entity = rule_def.get('entity') email = rule_def.get('email') domain = rule_def.get('domain') role = rule_def.get('role') if (bucket is None) or (entity is None) or (email is None) or\ (domain is None) or (role is None): raise audit_errors.InvalidRulesSchemaError( 'Faulty rule {}'.format(rule_def.get('name'))) rule_def_resource = bkt_acls.BucketAccessControls( escape_and_globify(bucket), escape_and_globify(entity), escape_and_globify(email), escape_and_globify(domain), escape_and_globify(role.upper())) rule = Rule(rule_name=rule_def.get('name'), rule_index=rule_index, rules=rule_def_resource) resource_rules = self.resource_rules_map.get(rule_index) if not resource_rules: self.resource_rules_map[rule_index] = rule
def add_rule(self, rule_def, rule_index): """Add a rule to the rule book. Args: rule_def (dict): A dictionary containing rule definition properties. rule_index (int): The index of the rule from the rule definitions. Assigned automatically when the rule book is built. """ resources = rule_def.get('resource') for resource in resources: resource_ids = resource.get('resource_ids') if not resource_ids or len(resource_ids) < 1: raise audit_errors.InvalidRulesSchemaError( 'Missing resource ids in rule {}'.format(rule_index)) instance_name = rule_def.get('instance_name') authorized_networks = rule_def.get('authorized_networks') ssl_enabled = rule_def.get('ssl_enabled') if (instance_name is None) or (authorized_networks is None) or\ (ssl_enabled is None): raise audit_errors.InvalidRulesSchemaError( 'Faulty rule {}'.format(rule_def.get('name'))) rule_def_resource = csql_acls.CloudSqlAccessControl( escape_and_globify(instance_name), escape_and_globify(authorized_networks), ssl_enabled) rule = Rule(rule_name=rule_def.get('name'), rule_index=rule_index, rules=rule_def_resource) resource_rules = self.resource_rules_map.get(rule_index) if not resource_rules: self.resource_rules_map[rule_index] = rule
def verify(cls, applies_to): """Verify whether the applies_to is valid. Args: applies_to (str): What the rule applies to. Returns: str: The applies_to property. Raises: InvalidRulesSchemaError if applies_to is not valid. """ if applies_to not in cls.apply_types: raise audit_errors.InvalidRulesSchemaError( 'Invalid applies_to: {}'.format(applies_to)) return applies_to
def verify(cls, mode): """Verify whether the mode is valid. Args: mode (str): The rules mode. Returns: str: The rules mode property. Raises: InvalidRulesSchemaError if mode is not valid. """ if mode not in cls.modes: raise audit_errors.InvalidRulesSchemaError( 'Invalid rule mode: {}'.format(mode)) return mode
def add_rule(self, rule_def, rule_index): """Add a rule to the rule book. Args: rule_def (dict): A dictionary containing rule definition properties. rule_index (int): The index of the rule from the rule definitions. Assigned automatically when the rule book is built. Raises: InvalidRulesSchemaError: if rule has format error """ target = rule_def.get('target') mode = rule_def.get('mode') load_balancing_scheme = rule_def.get('load_balancing_scheme') port_range = rule_def.get('port_range') port = rule_def.get('port') ip_address = rule_def.get('ip_address') ip_protocol = rule_def.get('ip_protocol') if (target is None) or (mode is None) or \ (load_balancing_scheme is None) or \ (ip_address is None) or (ip_protocol is None): raise audit_errors.InvalidRulesSchemaError('Faulty rule {}'.format( rule_def.get('name'))) rule_def_resource = { 'target': target, 'mode': mode, 'load_balancing_scheme': load_balancing_scheme, 'port_range': port_range, 'ip_address': ip_address, 'ip_protocol': ip_protocol, 'port': port, } rule = Rule(rule_name=rule_def.get('name'), rule_index=rule_index, rules=rule_def_resource) resource_rules = self.resource_rules_map.get(rule_index) if not resource_rules: self.resource_rules_map[rule_index] = rule
def add_rule(self, rule_def, rule_index): """Add a rule to the rule book. The rule supplied to this method is the dictionary parsed from the rules definition file. For example, this rule... # rules yaml: rules: - name: a rule mode: whitelist resource: - type: project applies_to: self resource_ids: - my-project-123 inherit_from_parents: true bindings: - role: roles/editor members: - users:[email protected] ... gets parsed into: { 'name': 'a rule', 'mode': 'whitelist', 'resource': { 'type': 'project', 'applies_to': self, 'resource_ids': ['my-project-id'] }, 'inherit_from_parents': true, 'bindings': [ { 'role': 'roles/editor', 'members': ['users:[email protected]'] } ] } Args: rule_def (dict): Contains rule definition properties. rule_index (int): The index of the rule from the rule definitions. Assigned automatically when the rule book is built. """ self._rules_sema.acquire() try: resources = rule_def.get('resource') for resource in resources: resource_ids = resource.get('resource_ids') resource_type = None # TODO: collect these errors and output them in a log. # TODO: log the error and keep going try: resource_type = resource_mod.ResourceType.verify( resource.get('type')) except resource_errors.InvalidResourceTypeError: raise audit_errors.InvalidRulesSchemaError( 'Missing resource type in rule {}'.format(rule_index)) if not resource_ids or len(resource_ids) < 1: raise audit_errors.InvalidRulesSchemaError( 'Missing resource ids in rule {}'.format(rule_index)) # For each resource id associated with the rule, create a # mapping of resource => rules. for resource_id in resource_ids: gcp_resource = resource_util.create_resource( resource_id=resource_id, resource_type=resource_type) rule_bindings = [ iam_policy.IamPolicyBinding.create_from(b) for b in rule_def.get('bindings') ] rule = scanner_rules.Rule(rule_name=rule_def.get('name'), rule_index=rule_index, bindings=rule_bindings, mode=rule_def.get('mode')) rule_applies_to = resource.get('applies_to') rule_key = (gcp_resource, rule_applies_to) # See if we have a mapping of the resource and rule resource_rules = self.resource_rules_map.get(rule_key) # If no mapping exists, create it. if not resource_rules: resource_rules = ResourceRules( resource=gcp_resource, applies_to=rule_applies_to, inherit_from_parents=rule_def.get( 'inherit_from_parents', False)) self.resource_rules_map[rule_key] = resource_rules # If the rule isn't in the mapping, add it. if rule not in resource_rules.rules: resource_rules.rules.add(rule) finally: self._rules_sema.release()
def add_rule(self, rule_def, rule_index): # pylint: disable=too-many-locals """Add a rule to the rule book. Args: rule_def (dict): rule definition properties rule_index (int): index of the rule from the rule definitions, assigned automatically when the rule book is built """ self._rules_sema.acquire() try: for resource in rule_def.get('resource'): resource_ids = resource.get('resource_ids') resource_type = None try: resource_type = resource_mod.ResourceType.verify( resource.get('type')) except resource_errors.InvalidResourceTypeError: raise audit_errors.InvalidRulesSchemaError( 'Missing resource type in rule {}'.format(rule_index)) if not resource_ids or len(resource_ids) < 1: raise audit_errors.InvalidRulesSchemaError( 'Missing resource ids in rule {}'.format(rule_index)) allowed_alternate_services = [ regex_util.escape_and_globify(glob) for glob in rule_def.get('allowed_alternate_services', '').split(',') if glob ] allowed_direct_access_sources = [ regex_util.escape_and_globify(glob) for glob in rule_def.get('allowed_direct_access_sources', '').split(',') if glob ] allowed_iap_enabled = regex_util.escape_and_globify( rule_def.get('allowed_iap_enabled', '*')) # For each resource id associated with the rule, create a # mapping of resource => rules. for resource_id in resource_ids: gcp_resource = resource_util.create_resource( resource_id=resource_id, resource_type=resource_type) rule = Rule( rule_name=rule_def.get('name'), rule_index=rule_index, allowed_alternate_services=allowed_alternate_services, allowed_direct_access_sources=( allowed_direct_access_sources), allowed_iap_enabled=allowed_iap_enabled) rule_applies_to = resource.get('applies_to') rule_key = (gcp_resource, rule_applies_to) # See if we have a mapping of the resource and rule resource_rules = self.resource_rules_map.get(rule_key) # If no mapping exists, create it. if not resource_rules: resource_rules = ResourceRules( resource=gcp_resource, applies_to=rule_applies_to, inherit_from_parents=rule_def.get( 'inherit_from_parents', False)) self.resource_rules_map[rule_key] = resource_rules # If the rule isn't in the mapping, add it. if rule not in resource_rules.rules: resource_rules.rules.add(rule) finally: self._rules_sema.release()
def verify(cls, applies_to): """Verify whether the applies_to is valid.""" if applies_to not in cls.apply_types: raise audit_errors.InvalidRulesSchemaError( 'Invalid applies_to: {}'.format(applies_to)) return applies_to
def verify(cls, mode): """Verify whether the mode is valid.""" if mode not in cls.modes: raise audit_errors.InvalidRulesSchemaError( 'Invalid rule mode: {}'.format(mode)) return mode
def add_rule(self, rule_def, rule_index): """Add a rule to the rule book. Add a rule to the rule book. The rule supplied to this method is the dictionary parsed from the rules definition file. For example, this rule... # rules yaml: rules: - name: all networks covered in whitelist project: '*' network: '*' is_external_network: True whitelist: master: - master-1 network: - network-1 - network-2 default: - default-1 ... gets parsed into: { "rules": [ { "name": "all networks covered in whitelist", "project": "*", "network": "*", "is_external_network": true, "whitelist": { "master": [ "master-1" ], "network": [ "network-1", "network-2" ], "default": [ "default-1" ] } } ] } Args: rule_def (dict): A dictionary containing rule definition properties. rule_index (int): The index of the rule from the rule definitions. Assigned automatically when the rule book is built. """ project = rule_def.get('project') network = rule_def.get('network') whitelist = rule_def.get('whitelist') is_external_network = rule_def.get('is_external_network') if ((whitelist is None) or (project is None) or (network is None) or (is_external_network is None)): raise audit_errors.InvalidRulesSchemaError('Faulty rule {}'.format( rule_def.get('name'))) rule_def_resource = { 'whitelist': whitelist, 'project': escape_and_globify(project), 'network': escape_and_globify(network), 'is_external_network': is_external_network } rule = Rule(rule_name=rule_def.get('name'), rule_index=rule_index, rules=rule_def_resource) resource_rules = self.resource_rules_map.get(rule_index) if not resource_rules: self.resource_rules_map[rule_index] = rule