def test_direct_access_violation(self):
    """A direct-access source on an IAP-enabled backend is reported as a violation.

    The backend service has IAP turned on, but one source (``some-tag``)
    can reach it without going through IAP, so the rule engine must emit
    exactly one ``IAP_VIOLATION`` naming that source and nothing else.
    """
    direct_source = 'some-tag'
    rule = ire.Rule('my rule', 0, [], [], '^.*')
    resource_rule = ire.ResourceRules(
        self.org789, rules=set([rule]), applies_to='self_and_children')

    service = backend_service.BackendService(
        full_name='fake_full_name111',
        project_id=self.project1.id,
        name='bs1')
    iap_resource = iap_scanner.IapResource(
        project_full_name='',
        backend_service=service,
        alternate_services=set(),
        direct_access_sources=set([direct_source]),
        iap_enabled=True)

    # Only the direct-access bypass is expected to be flagged; the alternate
    # services list is empty and IAP is enabled, so those fields stay clean.
    # NOTE(review): "id" serialises as "None" because no id is given to
    # BackendService above -- presumably what the scanner emits; confirm.
    expected = ire.RuleViolation(
        resource_type=resource_mod.ResourceType.BACKEND_SERVICE,
        resource_name='bs1',
        resource_id=service.resource_id,
        full_name='fake_full_name111',
        rule_name=rule.rule_name,
        rule_index=rule.rule_index,
        violation_type='IAP_VIOLATION',
        alternate_services_violations=[],
        direct_access_sources_violations=[direct_source],
        iap_enabled_violation=False,
        resource_data='{"full_name": "fake_full_name111", "id": "None", "name": "bs1"}')

    actual = list(resource_rule.find_mismatches(service, iap_resource))
    self.assertEqual([expected], actual)
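def test_retrieve_resources(self):
    """The scanner maps every fixture backend service to an IapResource.

    ``self.scanner._retrieve()`` is iterated as ``(resources, _)`` pairs and
    the resources are keyed by backend-service key. The test checks that the
    key set matches ``BACKEND_SERVICES`` exactly, then pins the full
    ``IapResource`` for ``bs1``: two alternate services (judging by the
    fixture names, presumably ones sharing bs1's backend / instance group,
    i.e. paths that reach the same instances without bs1's IAP) and the
    four sources that can hit it directly.
    """
    iap_resources = {}
    for resources, _ in self.scanner._retrieve():
        iap_resources.update(
            {resource.backend_service.key: resource for resource in resources})

    # Show the full diff on failure; the IapResource comparison below is long.
    self.maxDiff = None

    # Every fixture backend service must be accounted for, and nothing else.
    # assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual(set([bs.key for bs in BACKEND_SERVICES.values()]),
                     set(iap_resources.keys()))

    expected_bs1 = iap_scanner.IapResource(
        project_full_name='organization/12345/project/foo/',
        backend_service=BACKEND_SERVICES['bs1'],
        alternate_services=set([
            backend_service_type.Key.from_args(
                project_id='foo',
                name='bs1_same_backend',
            ),
            backend_service_type.Key.from_args(
                project_id='foo',
                name='bs1_same_instance',
            ),
        ]),
        direct_access_sources=set([
            '10.0.2.0/24', 'tag_match', 'applies_all', 'applies_8080'
        ]),
        iap_enabled=True,
    )
    self.assertEqual(expected_bs1,
                     iap_resources[BACKEND_SERVICES['bs1'].key])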
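def test_no_violations(self):
    """A backend service with IAP on and no bypass paths yields no violations.

    This is the clean baseline for the rule engine: IAP enabled, no
    alternate services, no direct-access sources, so ``find_mismatches``
    must return nothing at all.
    """
    rule = ire.Rule('my rule', 0, [], [], '^.*$')
    resource_rule = ire.ResourceRules(
        self.org789, rules=set([rule]), applies_to='self_and_children')
    service = backend_service.BackendService(
        project_id=self.project1.id, name='bs1')
    iap_resource = iap_scanner.IapResource(
        project_full_name='',
        backend_service=service,
        alternate_services=set(),
        direct_access_sources=set(),
        iap_enabled=True)
    results = list(resource_rule.find_mismatches(service, iap_resource))
    # assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual([], results)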
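def test_violations_iap_disabled(self):
    """If IAP is disabled, don't report other violations.

    The resource carries both bypass paths (an alternate service and a
    direct-access source), yet with ``iap_enabled=False`` the engine is
    expected to report none of them -- bypassing an IAP that is not turned
    on is not a distinct finding.

    NOTE(review): the rule's last argument (``'^.*'``) presumably is the
    allowed ``iap_enabled`` pattern and therefore accepts ``False`` as well,
    which is why the disabled state itself is not flagged here either. A
    deployment that wants IAP-off backends surfaced needs a rule with a
    stricter pattern; confirm against ``ire.Rule``.
    """
    rule = ire.Rule('my rule', 0, [], [], '^.*')
    resource_rule = ire.ResourceRules(
        self.org789, rules=set([rule]), applies_to='self_and_children')
    service = backend_service.BackendService(
        full_name='fake_full_name111',
        project_id=self.project1.id,
        name='bs1')
    alternate_service = backend_service.Key.from_args(
        project_id=self.project1.id, name='bs2')
    iap_resource = iap_scanner.IapResource(
        project_full_name='',
        backend_service=service,
        alternate_services=set([alternate_service]),
        direct_access_sources=set(['some-tag']),
        iap_enabled=False)
    results = list(resource_rule.find_mismatches(service, iap_resource))
    # assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual([], results)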