def test_query(self):
factory = self.replay_flight_data('bq-dataset-query')
p = self.load_policy({
'name': 'bq-get',
'resource': 'gcp.bq-dataset'},
session_factory=factory)
dataset = p.resource_manager.get_resource(
event_data('bq-dataset-create.json'))
self.assertEqual(
dataset['datasetReference']['datasetId'],
'devxyz')
self.assertTrue('access' in dataset)
self.assertEqual(dataset['labels'], {'env': 'dev'})
def test_api_subscriber_run(self):
factory = self.replay_flight_data('mu-api-subscriber-run')
p = self.load_policy({
'name': 'dataset-created',
'resource': 'gcp.bq-dataset',
'mode': {
'type': 'gcp-audit',
'methods': ['datasetservice.insert']}},
session_factory=factory)
exec_mode = p.get_execution_mode()
self.assertTrue(isinstance(exec_mode, policy.ApiAuditMode))
event = event_data('bq-dataset-create.json')
resources = exec_mode.run(event, None)
self.assertEqual(len(resources), 1)
self.assertEqual(resources[0]['labels'], {'env': 'dev'})
def test_loadbalancer_url_map_get(self):
factory = self.replay_flight_data('lb-url-maps-get')
p = self.load_policy(
{
'name': 'one-lb-url-map',
'resource': 'gcp.loadbalancer-url-map',
'mode': {
'type': 'gcp-audit',
'methods': []
}
},
session_factory=factory)
exec_mode = p.get_execution_mode()
event = event_data('lb-url-maps-get.json')
instances = exec_mode.run(event, None)
self.assertEqual(len(instances), 1)
self.assertEqual(instances[0]['kind'], 'compute#urlMap')
self.assertEqual(instances[0]['fingerprint'], 'oA9r95u1zRI=')
self.assertEqual(instances[0]['name'], 'custodian-load-balancer-0')
def test_loadbalancer_target_http_proxy_get(self):
factory = self.replay_flight_data('lb-target-http-proxies-get')
p = self.load_policy(
{
'name': 'one-lb-target-http-proxies',
'resource': 'gcp.loadbalancer-target-http-proxy',
'mode': {
'type': 'gcp-audit',
'methods': []
}
},
session_factory=factory)
exec_mode = p.get_execution_mode()
event = event_data('lb-target-http-proxies-get.json')
instances = exec_mode.run(event, None)
self.assertEqual(len(instances), 1)
self.assertEqual(instances[0]['kind'], 'compute#targetHttpProxy')
self.assertEqual(instances[0]['name'],
'custodian-load-balancer-0-target-proxy')
def test_loadbalancer_ssl_certificate_get(self):
factory = self.replay_flight_data('lb-ssl-certificates-get')
p = self.load_policy(
{
'name': 'one-lb-ssl-certificates',
'resource': 'gcp.loadbalancer-ssl-certificate',
'mode': {
'type': 'gcp-audit',
'methods': []
}
},
session_factory=factory)
exec_mode = p.get_execution_mode()
event = event_data('lb-ssl-certificate-get.json')
instances = exec_mode.run(event, None)
self.assertEqual(len(instances), 1)
self.assertEqual(instances[0]['kind'], 'compute#sslCertificate')
self.assertEqual(instances[0]['name'],
'comelfo-com-google-certificate')
def test_billingaccount_get(self):
billingaccount_resource_name = 'billingAccounts/CU570D-1A4CU5-70D1A4'
session_factory = self.replay_flight_data(
'cloudbilling-account-get')
policy = self.load_policy(
{'name': 'billing-cloudbilling-account-audit',
'resource': 'gcp.cloudbilling-account',
'mode': {
'type': 'gcp-audit',
'methods': ['AssignProjectToBillingAccount']
}},
session_factory=session_factory)
exec_mode = policy.get_execution_mode()
event = event_data('cloudbilling-account-assign.json')
resources = exec_mode.run(event, None)
self.assertEqual(resources[0]['name'], billingaccount_resource_name)
def test_instance_template_get(self):
resource_name = 'custodian-instance-template'
session_factory = self.replay_flight_data('instance-template-get')
policy = self.load_policy(
{
'name': 'gcp-instance-template-audit',
'resource': 'gcp.instance-template',
'mode': {
'type': 'gcp-audit',
'methods': ['beta.compute.instanceTemplates.insert']
}
},
session_factory=session_factory)
exec_mode = policy.get_execution_mode()
event = event_data('instance-template-create.json')
resources = exec_mode.run(event, None)
self.assertEqual(resources[0]['name'], resource_name)
def test_cluster_get(self):
project_id = "cloud-custodian"
name = "standard-cluster-1"
factory = self.replay_flight_data('gke-cluster-get', project_id)
p = self.load_policy({
'name': 'one-gke-cluster',
'resource': 'gcp.gke-cluster',
'mode': {
'type': 'gcp-audit',
'methods': ['io.k8s.core.v1.nodes.create']}},
session_factory=factory)
exec_mode = p.get_execution_mode()
event = event_data('k8s_create_cluster.json')
clusters = exec_mode.run(event, None)
self.assertEqual(clusters[0]['name'], name)
def test_pubsub_subscription_get(self):
project_id = 'cloud-custodian'
subscription_name = 'custodian'
resource_name = 'projects/{}/subscriptions/{}'.format(project_id, subscription_name)
session_factory = self.replay_flight_data(
'pubsub-subscription-get', project_id=project_id)
policy = self.load_policy(
{'name': 'gcp-pubsub-subscription-audit',
'resource': 'gcp.pubsub-subscription',
'mode': {
'type': 'gcp-audit',
'methods': ['google.pubsub.v1.Subscriber.CreateSubscription']
}},
session_factory=session_factory)
exec_mode = policy.get_execution_mode()
event = event_data('pubsub-subscription-create.json')
resources = exec_mode.run(event, None)
self.assertEqual(resources[0]['name'], resource_name)
def test_autoscaler_get(self):
resource_name = 'instance-group-1'
session_factory = self.replay_flight_data('autoscaler-get')
policy = self.load_policy(
{
'name': 'gcp-autoscaler-audit',
'resource': 'gcp.autoscaler',
'mode': {
'type': 'gcp-audit',
'methods': ['v1.compute.autoscalers.insert']
}
},
session_factory=session_factory)
exec_mode = policy.get_execution_mode()
event = event_data('autoscaler-insert.json')
resources = exec_mode.run(event, None)
self.assertEqual(resources[0]['name'], resource_name)
def test_job_get(self):
project_id = 'cloud-custodian'
job_id = 'bquxjob_4c28c9a7_16958c2791d'
location = 'US'
factory = self.replay_flight_data('bq-job-get', project_id=project_id)
p = self.load_policy({
'name': 'bq-job-get',
'resource': 'gcp.bq-job',
'mode': {
'type': 'gcp-audit',
'methods': ['google.cloud.bigquery.v2.JobService.InsertJob']
}
}, session_factory=factory)
exec_mode = p.get_execution_mode()
event = event_data('bq-job-create.json')
job = exec_mode.run(event, None)
self.assertEqual(job[0]['jobReference']['jobId'], job_id)
self.assertEqual(job[0]['jobReference']['location'], location)
self.assertEqual(job[0]['jobReference']['projectId'], project_id)
self.assertEqual(job[0]['id'], "{}:{}.{}".format(project_id, location, job_id))
def test_table_get(self):
project_id = 'cloud-custodian'
factory = self.replay_flight_data('bq-table-get',
project_id=project_id)
p = self.load_policy(
{
'name': 'bq-table-get',
'resource': 'gcp.bq-table',
'mode': {
'type':
'gcp-audit',
'methods':
['google.cloud.bigquery.v2.TableService.InsertTable']
}
},
session_factory=factory)
exec_mode = p.get_execution_mode()
event = event_data('bq-table-create.json')
job = exec_mode.run(event, None)
self.assertIn('tableReference', job[0].keys())
def test_models_get(self):
project_id = 'cloud-custodian'
name = "test_model"
factory = self.replay_flight_data('ml-model-get',
project_id=project_id)
p = self.load_policy(
{
'name': 'ml-model-get',
'resource': 'gcp.ml-model',
'mode': {
'type': 'gcp-audit',
'methods': ['google.cloud.ml.v1.ModelService.CreateModel']
}
},
session_factory=factory)
exec_mode = p.get_execution_mode()
event = event_data('ml-model-create.json')
models = exec_mode.run(event, None)
self.assertIn(name, models[0]['name'])
def test_spanner_instance_get(self):
session_factory = self.replay_flight_data('spanner-instance-get')
policy = self.load_policy(
{'name': 'one-spanner-instance',
'resource': 'gcp.spanner-instance',
'mode': {
'type': 'gcp-audit',
'methods': []
}},
session_factory=session_factory)
exec_mode = policy.get_execution_mode()
event = event_data('spanner-instance-get.json')
instances = exec_mode.run(event, None)
self.assertEqual(instances[0]['state'], 'READY')
self.assertEqual(instances[0]['config'],
'projects/custodian-test-project-0/instanceConfigs/regional-asia-east1')
self.assertEqual(instances[0]['name'],
'projects/custodian-test-project-0/instances/custodian-spanner-1')
def test_get(self):
factory = self.replay_flight_data('iam-project-role')
p = self.load_policy(
{
'name': 'role-get',
'resource': 'gcp.project-role',
'mode': {
'type': 'gcp-audit',
'methods': ['google.iam.admin.v1.CreateRole']
}
},
session_factory=factory)
exec_mode = p.get_execution_mode()
event = event_data('iam-role-create.json')
roles = exec_mode.run(event, None)
self.assertEqual(len(roles), 1)
self.assertEqual(roles[0]['name'],
'projects/cloud-custodian/roles/CustomRole1')
def test_job_get(self):
project_id = 'cloud-custodian'
jod_id = "2019-05-16_04_24_18-6110555549864901093"
factory = self.replay_flight_data('dataflow-get-resource', project_id)
p = self.load_policy(
{
'name': 'job',
'resource': 'gcp.dataflow-job',
'mode': {
'type': 'gcp-audit',
'methods': ['storage.buckets.update']
}
},
session_factory=factory)
exec_mode = p.get_execution_mode()
event = event_data('df-job-create.json')
resource = exec_mode.run(event, None)
self.assertEqual(resource[0]['id'], jod_id)
self.assertEqual(resource[0]['name'], 'test1')
self.assertEqual(resource[0]['projectId'], project_id)
self.assertEqual(resource[0]['location'], 'us-central1')
def test_handler_run(self, from_data):
func_cwd = self.get_temp_dir()
output_temp = self.get_temp_dir()
pdata = {
'name': 'dataset-created',
'resource': 'gcp.bq-dataset',
'mode': {
'type': 'gcp-audit',
'methods': ['datasetservice.insert']}}
with open(os.path.join(func_cwd, 'config.json'), 'w') as fh:
fh.write(json.dumps({'policies': [pdata]}))
event = event_data('bq-dataset-create.json')
p = self.load_policy(pdata)
self.patch(p, 'push', lambda evt, ctx: None)
self.patch(handler, 'get_tmp_output_dir', lambda: output_temp)
from_data.return_value = [p]
self.change_cwd(func_cwd)
self.assertEqual(handler.run(event), True)
def test_route_get(self):
project_id = 'cloud-custodian'
factory = self.replay_flight_data('route-get', project_id=project_id)
p = self.load_policy(
{
'name': 'route-created',
'resource': 'gcp.route',
'mode': {
'type': 'gcp-audit',
'methods': ['v1.compute.routes.insert']
}
},
session_factory=factory)
exec_mode = p.get_execution_mode()
event = event_data('route-create.json')
routes = exec_mode.run(event, None)
self.assertEqual(len(routes), 1)
self.assertEqual(routes[0]['destRange'], '10.0.0.0/24')
def test_get_log_sink(self):
project_id = 'cloud-custodian'
sink_name = "testqqqqqqqqqqqqqqqqq"
factory = self.replay_flight_data('log-project-sink-resource',
project_id)
p = self.load_policy(
{
'name': 'logsink',
'resource': 'gcp.logsink',
'mode': {
'type': 'gcp-audit',
'methods':
['google.logging.v2.ConfigServiceV2.CreateSink']
}
},
session_factory=factory)
exec_mode = p.get_execution_mode()
event = event_data('log-create-project-sink.json')
resource = exec_mode.run(event, None)
self.assertEqual(resource[0]['name'], sink_name)
def test_router_get(self):
project_id = 'cloud-custodian'
factory = self.replay_flight_data('router-get', project_id=project_id)
p = self.load_policy(
{
'name': 'router-created',
'resource': 'gcp.router',
'mode': {
'type': 'gcp-audit',
'methods': ['beta.compute.routers.insert']
}
},
session_factory=factory)
exec_mode = p.get_execution_mode()
event = event_data('router-create.json')
routers = exec_mode.run(event, None)
self.assertEqual(len(routers), 1)
self.assertEqual(routers[0]['bgp']['asn'], 65001)
def test_get_project_exclusion(self):
project_id = 'cloud-custodian'
exclusion_name = "qwerty"
factory = self.replay_flight_data('log-exclusion-get', project_id)
p = self.load_policy(
{
'name': 'log-exclusion-get',
'resource': 'gcp.log-exclusion',
'mode': {
'type':
'gcp-audit',
'methods':
['google.logging.v2.ConfigServiceV2.CreateExclusion']
}
},
session_factory=factory)
exec_mode = p.get_execution_mode()
event = event_data('log-create-project-exclusion.json')
resource = exec_mode.run(event, None)
self.assertEqual(resource[0]['name'], exclusion_name)
def test_get_project_metric(self):
project_id = 'cloud-custodian'
metric_name = "test_name"
factory = self.replay_flight_data('log-project-metric-query',
project_id)
p = self.load_policy(
{
'name': 'log-project-metric',
'resource': 'gcp.log-project-metric',
'mode': {
'type':
'gcp-audit',
'methods':
['google.logging.v2.MetricsServiceV2.CreateLogMetric']
}
},
session_factory=factory)
exec_mode = p.get_execution_mode()
event = event_data('log-create-project-metric.json')
resource = exec_mode.run(event, None)
self.assertEqual(resource[0]['name'], metric_name)
def test_sqlbackuprun_get(self):
backup_run_id = '1557489381417'
instance_name = 'custodian-postgres'
project_id = 'cloud-custodian'
session_factory = self.replay_flight_data('sqlbackuprun-get', project_id=project_id)
policy = self.load_policy(
{'name': 'gcp-sql-backup-run-audit',
'resource': 'gcp.sql-backup-run',
'mode': {
'type': 'gcp-audit',
'methods': ['cloudsql.backupRuns.create']
}},
session_factory=session_factory)
exec_mode = policy.get_execution_mode()
event = event_data('sql-backup-create.json')
parent_annotation_key = policy.resource_manager.resource_type.get_parent_annotation_key()
resources = exec_mode.run(event, None)
self.assertEqual(resources[0]['id'], backup_run_id)
self.assertEqual(resources[0][parent_annotation_key]['name'], instance_name)
def test_policy_get(self):
project_id = 'cloud-custodian'
policy_name = 'custodian'
session_factory = self.replay_flight_data('dns-policy-get',
project_id=project_id)
policy = self.load_policy(
{
'name': 'gcp-dns-policy-dryrun',
'resource': 'gcp.dns-policy',
'mode': {
'type': 'gcp-audit',
'methods': ['dns.policies.create']
}
},
session_factory=session_factory)
exec_mode = policy.get_execution_mode()
event = event_data('dns-policy-create.json')
resources = exec_mode.run(event, None)
self.assertEqual(resources[0]['name'], policy_name)
def test_sqlsslcet_get(self):
ssl_cert_sha = '49a10ed7135e3171ce5e448cc785bc63b5b81e6c'
instance_name = 'custodian-postgres'
project_id = 'cloud-custodian'
session_factory = self.replay_flight_data('sqlsslcert-get', project_id=project_id)
policy = self.load_policy(
{'name': 'gcp-sql-ssl-cert-audit',
'resource': 'gcp.sql-ssl-cert',
'mode': {
'type': 'gcp-audit',
'methods': ['cloudsql.sslCerts.create']
}},
session_factory=session_factory)
exec_mode = policy.get_execution_mode()
event = event_data('sql-ssl-cert-create.json')
parent_annotation_key = policy.resource_manager.resource_type.get_parent_annotation_key()
resources = exec_mode.run(event, None)
self.assertEqual(resources[0]['sha1Fingerprint'], ssl_cert_sha)
self.assertEqual(resources[0][parent_annotation_key]['name'], instance_name)
def test_handler_run(self, from_data):
func_cwd = self.get_temp_dir()
output_temp = self.get_temp_dir()
pdata = {
'name': 'dataset-created',
'resource': 'gcp.bq-dataset',
'mode': {
'type': 'gcp-audit',
'methods': ['datasetservice.insert']
}
}
with open(os.path.join(func_cwd, 'config.json'), 'w') as fh:
fh.write(json.dumps({'policies': [pdata]}))
event = event_data('bq-dataset-create.json')
p = self.load_policy(pdata)
self.patch(p, 'push', lambda evt, ctx: None)
self.patch(handler, 'get_tmp_output_dir', lambda: output_temp)
from_data.return_value = [p]
self.change_cwd(func_cwd)
self.assertEqual(handler.run(event), True)
