def test_policy_binding_does_not_match_blacklist_rules(self):
"""Test that a policy binding does not match the blacklist.
Setup:
* Create a test policy binding.
* Create a test rule binding.
* Create a blacklist rule with the test rules.
Expected results:
No policy bindings found in the blacklist.
"""
test_binding = {
'role': 'roles/owner',
'members': [
'user:[email protected]',
]
}
rule_bindings = [{
'role':
'roles/owner',
'members': [
'user:*@company.com',
'user:abc@*.somewhere.com',
'group:*@googlegroups.com',
'serviceAccount:*@*.gserviceaccount.com',
]
}]
rule = Rule('test rule', 0, rule_bindings, mode='blacklist')
resource_rule = ResourceRules(rules=[rule])
results = list(
resource_rule.find_mismatches(self.project1, test_binding))
self.assertEqual(0, len(results))
def test_add_single_rule_builds_correct_map(self):
"""Test that adding a single rule builds the correct map."""
rule_book = OrgRuleBook(self.RULES1)
actual_rules = rule_book.resource_rules_map
# expected
rule_bindings = [{
'role': 'roles/*',
'members': ['user:*@company.com']
}]
rule = Rule('my rule', 0, rule_bindings, mode='whitelist')
expected_org_rules = ResourceRules(self.org789,
rules=set([rule]),
applies_to='self_and_children')
expected_proj1_rules = ResourceRules(self.project1,
rules=set([rule]),
applies_to='self')
expected_proj2_rules = ResourceRules(self.project2,
rules=set([rule]),
applies_to='self')
expected_rules = {
self.org789: expected_org_rules,
self.project1: expected_proj1_rules,
self.project2: expected_proj2_rules
}
self.assertEqual(expected_rules, actual_rules)
def test_policy_binding_matches_whitelist_rules(self):
"""Test that a policy binding matches the whitelist rules.
Setup:
* Create a test policy binding.
* Create a test rule binding.
* Create a whitelist rule with the test rules.
Expected results:
All policy binding members are in the whitelist.
"""
test_binding = {
'role':
'roles/owner',
'members': [
'user:[email protected]',
'user:[email protected]',
'group:[email protected]',
'serviceAccount:[email protected]',
]
}
rule_bindings = [{
'role':
'roles/owner',
'members': [
'user:*@company.com',
'user:abc@*.somewhere.com',
'group:*@googlegroups.com',
'serviceAccount:*@*.gserviceaccount.com',
]
}]
rule = Rule('test rule', 0, rule_bindings, mode='whitelist')
resource_rule = ResourceRules(rules=[rule])
results = list(
resource_rule.find_mismatches(self.project1, test_binding))
self.assertEqual(0, len(results))
def test_policy_binding_mismatches_required_rules(self):
"""Test that a required list of members mismatches policy binding.
Setup:
* Create a test policy binding.
* Create a test rule binding.
* Create a required rule with the test rules.
Expected results:
All required members are found in the policy.
"""
test_binding = {
'role':
'roles/owner',
'members': [
'user:[email protected]',
'group:[email protected]',
'serviceAccount:[email protected]',
]
}
rule_bindings = [{
'role':
'roles/owner',
'members': [
'user:[email protected]',
'user:[email protected]',
]
}]
rule = Rule('test rule', 0, rule_bindings, mode='required')
resource_rule = ResourceRules(resource=self.project1)
resource_rule.rules.add(rule)
results = list(
resource_rule.find_mismatches(self.project1, test_binding))
self.assertEqual(1, len(results))