Python IamRulesEngine Exemples

Exemple #1

    def test_org_whitelist_rules_vs_policy_no_violations(self):
        """Test ruleset on an org with whitelist with no rule violations.

        Setup:
            * Create a RulesEngine with RULES1 rule set.
            * Create policy.

        Expected result:
            * Find no rule violations.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path)
        rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES1,
                                                 self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        find_ancestor_mock = mock.MagicMock(side_effect=[[]])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        policy = {
            'bindings': [{
                'role': 'roles/editor',
                'members': [
                    'user:[email protected]',
                ]
            }]
        }

        actual_violations = set(
            rules_engine.find_policy_violations(self.org789, policy))

        self.assertItemsEqual(set(), actual_violations)

Exemple #2

    def test_empty_policy_with_rules_no_violations(self):
        """Test an empty policy against the RulesEngine with rules.

        Setup:
            * Create a RulesEngine.
            * Created expected violations list.

        Expected results:
            No policy violations found.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path)
        rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES1,
                                                 self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        find_ancestor_mock = mock.MagicMock(side_effect=[[self.org789]])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        actual_violations = set(
            rules_engine.find_policy_violations(self.project1, {}))

        # expected
        expected_violations = set()

        self.assertEqual(expected_violations, actual_violations)

Exemple #3

    def test_build_rule_book_from_gcs_works(self, mock_load_rules_from_gcs):
        """Test that a RuleBook is built correctly with a mocked gcs file.

        Setup:
            * Create a mocked GCS object from a test yaml file.
            * Get the yaml file content.

        Expected results:
            There are 4 resources that have rules, in the rule book.
        """
        bucket_name = 'bucket-name'
        rules_path = 'input/test_rules_1.yaml'
        full_rules_path = 'gs://{}/{}'.format(bucket_name, rules_path)
        rules_engine = ire.IamRulesEngine(rules_file_path=full_rules_path)

        # Read in the rules file
        file_content = None
        with open(get_datafile_path(__file__, 'test_rules_1.yaml'),
                  'r') as rules_local_file:
            try:
                file_content = yaml.safe_load(rules_local_file)
            except yaml.YAMLError:
                raise

        mock_load_rules_from_gcs.return_value = file_content

        rules_engine.build_rule_book()
        self.assertEqual(4, len(rules_engine.rule_book.resource_rules_map))

Exemple #4

    def test_org_project_inherit_org_rule_violation(self):
        """Test org with blacklist and child with whitelist, no inherit.

        Test that the project whitelist rule overrides the org blacklist rule
        when the project does not inherit from parent.

        Setup:
            * Create a RulesEngine with RULES5 rule set.
            * Create policy.

        Expected result:
            * Find 1 rule violation.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path)
        rules5 = copy.deepcopy(test_rules.RULES5)
        rules5['rules'][1]['inherit_from_parents'] = True
        rules_engine.rule_book = ire.IamRuleBook(rules5, self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        find_ancestor_mock = mock.MagicMock(
            side_effect=[[self.org789]])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        project_policy = {
            'bindings': [
                {
                    'role': 'roles/owner',
                    'members': [
                        'user:[email protected]',
                    ]
                }
            ]
        }

        actual_violations = set(
            rules_engine.find_policy_violations(self.project1, project_policy)
        )

        # expected
        expected_outstanding_proj = {
            'roles/owner': [
                IamPolicyMember.create_from('user:[email protected]')
            ]
        }

        expected_violations = set([
            scanner_rules.RuleViolation(
                rule_index=0,
                rule_name='org blacklist',
                resource_id=self.project1.id,
                resource_type=self.project1.type,
                violation_type='ADDED',
                role=project_policy['bindings'][0]['role'],
                members=tuple(expected_outstanding_proj['roles/owner'])),
        ])

        self.assertItemsEqual(expected_violations, actual_violations)

Exemple #5

    def test_one_member_mismatch(self):
        """Test a policy where one member mismatches the whitelist.

        Setup:
            * Create a RulesEngine and add test_rules.RULES1.
            * Create the policy binding.
            * Create the Rule and rule bindings.
            * Create the resource association for the Rule.

        Expected results:
            One policy binding member missing from the whitelist.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path)
        rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES1,
                                                 self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        find_ancestor_mock = mock.MagicMock(side_effect=[[self.org789]])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        policy = {
            'bindings': [{
                'role':
                'roles/editor',
                'members': ['user:[email protected]', 'user:[email protected]']
            }]
        }

        actual_violations = set(
            rules_engine.find_policy_violations(self.project1, policy))

        # expected
        rule_bindings = [{
            'role': 'roles/*',
            'members': ['user:*@company.com']
        }]
        rule = scanner_rules.Rule(
            'my rule',
            0, [IamPolicyBinding.create_from(b) for b in rule_bindings],
            mode='whitelist')
        expected_outstanding = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')]
        }
        expected_violations = set([
            scanner_rules.RuleViolation(
                resource_type=self.project1.type,
                resource_id=self.project1.id,
                rule_name=rule.rule_name,
                rule_index=rule.rule_index,
                role='roles/editor',
                violation_type=scanner_rules.VIOLATION_TYPE.get(rule.mode),
                members=tuple(expected_outstanding['roles/editor']))
        ])

        self.assertEqual(expected_violations, actual_violations)

Exemple #6

    def test_org_2_child_rules_report_violation(self):
        """Test org "children" whitelist works with org "children" blacklist.

        Test that org children whitelist with org children blacklist rules
        report violation.

        Setup:
            * Create a RulesEngine with RULES6 rule set.
            * Create policy.

        Expected result:
            * Find 1 rule violation.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path)
        rules_engine.rule_book = ire.IamRuleBook(
            test_rules.RULES6, self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        find_ancestor_mock = mock.MagicMock(
            side_effect=[[self.org789]])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        project_policy = {
            'bindings': [
                {
                    'role': 'roles/owner',
                    'members': [
                        'user:[email protected]',
                    ]
                }
            ]
        }

        actual_violations = set(
            rules_engine.find_policy_violations(self.project1, project_policy)
        )

        # expected
        expected_outstanding_proj = {
            'roles/owner': [
                IamPolicyMember.create_from('user:[email protected]')
            ]
        }

        expected_violations = set([
            scanner_rules.RuleViolation(
                rule_index=1,
                rule_name='project blacklist',
                resource_id=self.project1.id,
                resource_type=self.project1.type,
                violation_type='ADDED',
                role=project_policy['bindings'][0]['role'],
                members=tuple(expected_outstanding_proj['roles/owner'])),
        ])

        self.assertItemsEqual(expected_violations, actual_violations)

Exemple #7

    def test_folder_rule_whitelist(self):
        """Test a simple folder whitelist rule."""
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path)
        rules_engine.rule_book = ire.IamRuleBook({}, test_rules.FOLDER_RULES1,
                                                 self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        find_ancestor_mock = mock.MagicMock(
            side_effect=[[self.org789], [self.folder1, self.org789]])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        # one violation for folder because of organization 778899
        # one violation for project because of project3's parent
        folder_policy = {
            'bindings': [{
                'role': 'roles/editor',
                'members': [
                    'user:[email protected]',
                ]
            }]
        }

        project_policy = {
            'bindings': [{
                'role': 'roles/editor',
                'members': [
                    'user:[email protected]',
                ]
            }]
        }

        actual_violations = set(
            itertools.chain(
                rules_engine.find_policy_violations(self.folder1,
                                                    folder_policy),
                rules_engine.find_policy_violations(self.project3,
                                                    project_policy)))

        # expected
        expected_outstanding = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')]
        }

        expected_violations = set([
            scanner_rules.RuleViolation(
                rule_index=0,
                rule_name='folder rule 1',
                resource_id=self.folder1.id,
                resource_type=self.folder1.type,
                violation_type='ADDED',
                role=project_policy['bindings'][0]['role'],
                members=tuple(expected_outstanding['roles/editor'])),
        ])
        self.assertItemsEqual(expected_violations, actual_violations)

Exemple #8

    def test_org_project_noinherit_project_overrides_org_rule(self):
        """Test org with blacklist and child with whitelist, no inherit.

        Test that the project whitelist rule overrides the org blacklist rule
        when the project does not inherit from parent.

        Setup:
            * Create a RulesEngine with RULES5 rule set.
            * Create policy.

        Expected result:
            * Find 0 rule violations.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path)
        rules_engine.rule_book = ire.IamRuleBook(
            test_rules.RULES5, self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        find_ancestor_mock = mock.MagicMock(
            side_effect=[[self.org789]])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        project_policy = {
            'bindings': [
                {
                    'role': 'roles/owner',
                    'members': [
                        'user:[email protected]',
                    ]
                }
            ]
        }

        actual_violations = set(
            rules_engine.find_policy_violations(self.project1, project_policy)
        )

        # expected
        expected_outstanding_proj = {
            'roles/editor': [
                IamPolicyMember.create_from('user:[email protected]')
            ]
        }

        expected_violations = set([])

        self.assertItemsEqual(expected_violations, actual_violations)

Exemple #9

    def __init__(self, global_configs, scanner_configs, snapshot_timestamp,
                 rules):
        """Initialization.

        Args:
            global_configs (dict): Global configurations.
            scanner_configs (dict): Scanner configurations.
            snapshot_timestamp (str): Timestamp, formatted as YYYYMMDDTHHMMSSZ.
            rules (str): Fully-qualified path and filename of the rules file.
        """
        super(IamPolicyScanner, self).__init__(global_configs, scanner_configs,
                                               snapshot_timestamp, rules)
        self.rules_engine = iam_rules_engine.IamRulesEngine(
            rules_file_path=self.rules,
            snapshot_timestamp=self.snapshot_timestamp)
        self.rules_engine.build_rule_book(self.global_configs)

Exemple #10

    def test_org_self_bl_proj_noinherit_wl_no_violation(self):
        """Test proj policy doesn't violate rule b/l user (org), w/l (project).

        Test that an org with a blacklist on the org level plus a project
        whitelist with no rule inheritance allows the user blacklisted by
        the org, on the project level.

        Setup:
            * Create a RulesEngine with RULES5 rule set.
            * Tweak the rules to make the org blacklist apply to "self".
            * Create policy.

        Expected result:
            * Find 0 rule violations.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path)
        rules5 = copy.deepcopy(test_rules.RULES5)
        rules5['rules'][0]['resource'][0]['applies_to'] = 'self'
        rules_engine.rule_book = ire.IamRuleBook(rules5, self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        find_ancestor_mock = mock.MagicMock(
            side_effect=[[self.org789]])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        project_policy = {
            'bindings': [{
                    'role': 'roles/owner',
                    'members': [
                        'user:[email protected]',
                    ]
                }]
        }

        actual_violations = set(
            rules_engine.find_policy_violations(self.project1, project_policy)
        )

        # expected
        expected_violations = set([])

        self.assertItemsEqual(expected_violations, actual_violations)

Exemple #11

    def test_policy_with_no_rules_has_no_violations(self):
        """Test a policy against an empty RuleBook.

        Setup:
            * Create a Rules Engine
            * Create the policy bindings.
            * Created expected violations list.

        Expected results:
            No policy violations found.
        """
        self.mock_org_rel_dao.find_ancestors = mock.MagicMock(
            side_effect=[self.org789])

        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path)
        rules_engine.rule_book = ire.IamRuleBook(
            {}, snapshot_timestamp=self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        find_ancestor_mock = mock.MagicMock(side_effect=[[self.org789]])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        policy = {
            'bindings': [{
                'role':
                'roles/editor',
                'members': ['user:[email protected]', 'user:[email protected]']
            }]
        }

        actual_violations = set(
            rules_engine.find_policy_violations(self.project1, policy))

        # expected
        expected_violations = set()

        self.assertEqual(expected_violations, actual_violations)

Exemple #12

    def test_no_mismatch(self):
        """Test a policy where no members mismatch the whitelist.

        Setup:
            * Create a RulesEngine and add test_rules.RULES1.
            * Create the policy binding.
            * Create the Rule and rule bindings.
            * Create the resource association for the Rule.

        Expected results:
            No policy binding members missing from the whitelist.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path)
        rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES1,
                                                 self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        find_ancestor_mock = mock.MagicMock(side_effect=[[self.org789]])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        policy = {
            'bindings': [{
                'role':
                'roles/editor',
                'members': ['user:[email protected]', 'user:[email protected]']
            }]
        }

        actual_violations = set(
            rules_engine.find_policy_violations(self.project1, policy))

        # expected
        expected_violations = set()

        self.assertEqual(expected_violations, actual_violations)

Exemple #13

    def test_org_self_rules_work_with_org_child_rules(self):
        """Test org "self" whitelist works with org "children" whitelist

        Test hierarchical rules.

        Setup:
            * Create a RulesEngine with RULES4 rule set.
            * Create policy.

        Expected result:
            * Find 3 rule violations.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path)
        rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES4,
                                                 self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        find_ancestor_mock = mock.MagicMock(side_effect=[[], [self.org789]])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        org_policy = {
            'bindings': [{
                'role':
                'roles/owner',
                'members': [
                    'user:[email protected]',
                    'user:[email protected]',
                ]
            }]
        }

        project_policy = {
            'bindings': [{
                'role':
                'roles/editor',
                'members': [
                    'user:[email protected]',
                    'user:[email protected]',
                ]
            }]
        }

        actual_violations = set(
            itertools.chain(
                rules_engine.find_policy_violations(self.org789, org_policy),
                rules_engine.find_policy_violations(self.project1,
                                                    project_policy)))

        # expected
        expected_outstanding_org = {
            'roles/owner':
            [IamPolicyMember.create_from('user:[email protected]')]
        }
        expected_outstanding_proj = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')]
        }

        expected_violations = set([
            scanner_rules.RuleViolation(
                rule_index=0,
                rule_name='org whitelist',
                resource_id=self.org789.id,
                resource_type=self.org789.type,
                violation_type='ADDED',
                role=org_policy['bindings'][0]['role'],
                members=tuple(expected_outstanding_org['roles/owner'])),
            scanner_rules.RuleViolation(
                rule_index=1,
                rule_name='project whitelist',
                resource_id=self.project1.id,
                resource_type=self.project1.type,
                violation_type='ADDED',
                role=project_policy['bindings'][0]['role'],
                members=tuple(expected_outstanding_proj['roles/editor'])),
        ])

        self.assertItemsEqual(expected_violations, actual_violations)

Exemple #14

 def test_build_rule_book_from_local_json_file_works(self):
     """Test that a RuleBook is built correctly with a json file."""
     rules_local_path = get_datafile_path(__file__, 'test_rules_1.json')
     rules_engine = ire.IamRulesEngine(rules_file_path=rules_local_path)
     rules_engine.build_rule_book()
     self.assertEqual(4, len(rules_engine.rule_book.resource_rules_map))

Exemple #15

    def test_org_proj_rules_vs_policy_has_violations(self):
        """Test rules on org and project with whitelist, blacklist, required.

        Test whitelist, blacklist, and required rules against an org that has
        1 blacklist violation and a project that has 1 whitelist violation and
        1 required violation.

        Setup:
            * Create a RulesEngine with RULES3 rule set.
            * Create policy.

        Expected result:
            * Find 3 rule violations.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path)
        rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES3,
                                                 self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        find_ancestor_mock = mock.MagicMock(side_effect=[[], [self.org789]])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        org_policy = {
            'bindings': [{
                'role':
                'roles/editor',
                'members': [
                    'user:[email protected]',
                    'user:[email protected]',
                ]
            }]
        }

        project_policy = {
            'bindings': [{
                'role':
                'roles/editor',
                'members': [
                    'user:[email protected]',
                    'user:[email protected]',
                ]
            }]
        }

        actual_violations = set(
            itertools.chain(
                rules_engine.find_policy_violations(self.org789, org_policy),
                rules_engine.find_policy_violations(self.project1,
                                                    project_policy),
            ))

        # expected
        expected_outstanding_org = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')]
        }
        expected_outstanding_project = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')],
            'roles/viewer':
            [IamPolicyMember.create_from('user:[email protected]')]
        }

        expected_violations = set([
            scanner_rules.RuleViolation(
                rule_index=1,
                rule_name='my blacklist rule',
                resource_id=self.org789.id,
                resource_type=self.org789.type,
                violation_type='ADDED',
                role=org_policy['bindings'][0]['role'],
                members=tuple(expected_outstanding_org['roles/editor'])),
            scanner_rules.RuleViolation(
                rule_index=0,
                rule_name='my whitelist rule',
                resource_id=self.project1.id,
                resource_type=self.project1.type,
                violation_type='ADDED',
                role=project_policy['bindings'][0]['role'],
                members=tuple(expected_outstanding_project['roles/editor'])),
            scanner_rules.RuleViolation(
                rule_index=2,
                rule_name='my required rule',
                resource_id=self.project1.id,
                resource_type=self.project1.type,
                violation_type='REMOVED',
                role='roles/viewer',
                members=tuple(expected_outstanding_project['roles/viewer'])),
        ])

        self.assertItemsEqual(expected_violations, actual_violations)

Exemple #16

    def test_whitelist_blacklist_rules_vs_policy_has_violations(self):
        """Test a ruleset with whitelist and blacklist violating rules.

        Setup:
            * Mock find_ancestors().
            * Create a RulesEngine with RULES2 rule set.
            * Create policy.

        Expected result:
            * Find 1 rule violation.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path,
                                          self.fake_timestamp)
        # TODO: mock the rules local path to return RULES2
        rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES2,
                                                 self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        find_ancestor_mock = mock.MagicMock(side_effect=[[self.org789], []])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        policy = {
            'bindings': [{
                'role':
                'roles/editor',
                'members': [
                    'user:[email protected]', 'user:[email protected]',
                    'user:[email protected]'
                ]
            }]
        }

        actual_violations = set(
            itertools.chain(
                rules_engine.find_policy_violations(self.project1, policy),
                rules_engine.find_policy_violations(self.project2, policy)))

        # expected
        expected_outstanding1 = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')]
        }
        expected_outstanding2 = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')]
        }

        expected_violations = set([
            scanner_rules.RuleViolation(
                rule_index=0,
                rule_name='my rule',
                resource_id=self.project1.id,
                resource_type=self.project1.type,
                violation_type='ADDED',
                role=policy['bindings'][0]['role'],
                members=tuple(expected_outstanding1['roles/editor'])),
            scanner_rules.RuleViolation(
                rule_index=0,
                rule_name='my rule',
                resource_type=self.project2.type,
                resource_id=self.project2.id,
                violation_type='ADDED',
                role=policy['bindings'][0]['role'],
                members=tuple(expected_outstanding1['roles/editor'])),
            scanner_rules.RuleViolation(
                rule_index=1,
                rule_name='my other rule',
                resource_type=self.project2.type,
                resource_id=self.project2.id,
                violation_type='ADDED',
                role=policy['bindings'][0]['role'],
                members=tuple(expected_outstanding2['roles/editor'])),
            scanner_rules.RuleViolation(
                rule_index=2,
                rule_name='required rule',
                resource_id=self.project1.id,
                resource_type=self.project1.type,
                violation_type='REMOVED',
                role='roles/viewer',
                members=tuple([
                    IamPolicyMember.create_from(
                        'user:[email protected]')
                ]))
        ])

        self.assertItemsEqual(expected_violations, actual_violations)

Exemple #17

    def test_wildcard_resources_with_project_whitelist(self):
        """Test whitelisted wildcard resources.

        Setup:
            * Create a RulesEngine with RULES9 rule set.
            * Create policy.

        Expected result:
            * Find 2 rule violations:
               - A policy binding that violates the org whitelist.
               - A policy binding that violates the org whitelist, even though
                 the project whitelist allows it.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path)
        rules_engine.rule_book = ire.IamRuleBook({}, test_rules.RULES9,
                                                 self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        # have to return 2 [self.org789] because the find_ancestors() call is
        # called twice, once for each find_violations().
        find_ancestor_mock = mock.MagicMock(
            side_effect=[[self.org789], [self.org789]])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        project_policy = {
            'bindings': [
                {
                    'role':
                    'roles/owner',
                    'members': [
                        'user:[email protected]',
                        'user:[email protected]',
                        'user:[email protected]',
                    ]
                },
                {
                    'role': 'roles/editor',
                    'members': [
                        'user:[email protected]',
                    ]
                },
            ]
        }

        actual_violations = set(
            rules_engine.find_policy_violations(self.project1, project_policy))

        # expected
        # [email protected] not in any whitelists
        # [email protected] is allowed by the project whitelist
        # but we still alert due to the org whitelist.
        expected_outstanding_proj = {
            'roles/owner': [
                IamPolicyMember.create_from('user:[email protected]'),
                IamPolicyMember.create_from(
                    'user:[email protected]'),
            ],
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')]
        }

        expected_violations = set([
            scanner_rules.RuleViolation(
                rule_index=0,
                rule_name='org whitelist',
                resource_id=self.project1.id,
                resource_type=self.project1.type,
                violation_type='ADDED',
                role=project_policy['bindings'][0]['role'],
                members=tuple(expected_outstanding_proj['roles/owner'])),
            scanner_rules.RuleViolation(
                rule_index=0,
                rule_name='org whitelist',
                resource_id=self.project1.id,
                resource_type=self.project1.type,
                violation_type='ADDED',
                role=project_policy['bindings'][1]['role'],
                members=tuple(expected_outstanding_proj['roles/editor'])),
        ])

        self.assertItemsEqual(expected_violations, actual_violations)

Exemple #18

 def test_build_rule_book_no_resource_type_fails(self):
     """Test that a rule without a resource type cannot be created."""
     rules_local_path = get_datafile_path(__file__, 'test_rules_2.yaml')
     rules_engine = ire.IamRulesEngine(rules_file_path=rules_local_path)
     with self.assertRaises(InvalidRulesSchemaError):
         rules_engine.build_rule_book()