def test_get_billing_account_ancestors(self):
"""Tests getting ancestors from a billing account full name."""
ancestors = resource_util.get_ancestors_from_full_name(
'organization/234/billing_account/000000-111111-222222/')
self.assertEqual(2, len(ancestors))
self.assertEqual('billingAccounts/000000-111111-222222',
ancestors[0].name)
self.assertEqual('organizations/234', ancestors[1].name)
def find_violations(self, ke_cluster):
"""Find violations in the rule book.
Args:
ke_cluster (KeCluster): KE Cluster and ServerConfig data.
Returns:
list: RuleViolation
"""
LOGGER.debug('Looking for KE violations: %r', ke_cluster)
violations = []
resource_ancestors = resource_util.get_ancestors_from_full_name(
ke_cluster.full_name)
LOGGER.debug('Ancestors of resource: %r', resource_ancestors)
checked_wildcards = set()
for curr_resource in resource_ancestors:
if not curr_resource:
# resource_ancestors will contain all the resources including
# the child resource, which has type kebernete cluster and
# cannot be created (return None) as part of the ancestor path,
# we will skip the child as it's not part of the ancestor.
continue
resource_rule = self.get_resource_rules(curr_resource)
if resource_rule:
violations.extend(
resource_rule.find_violations(ke_cluster))
wildcard_resource = resource_util.create_resource(
resource_id='*', resource_type=curr_resource.type)
if wildcard_resource in checked_wildcards:
continue
checked_wildcards.add(wildcard_resource)
resource_rule = self.get_resource_rules(wildcard_resource)
if resource_rule:
violations.extend(
resource_rule.find_violations(ke_cluster))
LOGGER.debug('Returning violations: %r', violations)
return violations
def find_violations(self, service_account):
"""Find violations in the rule book.
Args:
service_account (ServiceAccount): service account resource.
Returns:
list: RuleViolation
"""
LOGGER.debug('Looking for service account key violations: %s',
service_account.full_name)
violations = []
resource_ancestors = resource_util.get_ancestors_from_full_name(
service_account.full_name)
LOGGER.debug('Ancestors of resource: %r', resource_ancestors)
checked_wildcards = set()
for curr_resource in resource_ancestors:
if not curr_resource:
# The leaf node in the hierarchy
continue
resource_rule = self.get_resource_rules(curr_resource)
if resource_rule:
violations.extend(
resource_rule.find_violations(service_account))
wildcard_resource = resource_util.create_resource(
resource_id='*', resource_type=curr_resource.type)
if wildcard_resource in checked_wildcards:
continue
checked_wildcards.add(wildcard_resource)
resource_rule = self.get_resource_rules(wildcard_resource)
if resource_rule:
violations.extend(
resource_rule.find_violations(service_account))
LOGGER.debug('Returning violations: %r', violations)
return violations
def find_violations(self, key):
"""Find crypto key violations in the rule book.
Args:
key (CryptoKey): The GCP resource to check for violations.
Returns:
RuleViolation: resource crypto key rule violations.
"""
LOGGER.debug('Looking for crypto key violations: %s',
key.name)
violations = []
resource_ancestors = resource_util.get_ancestors_from_full_name(
key.crypto_key_full_name)
LOGGER.debug('Ancestors of resource: %r', resource_ancestors)
checked_wildcards = set()
for curr_resource in resource_ancestors:
if not curr_resource:
# The leaf node in the hierarchy
continue
resource_rule = self.get_resource_rules(curr_resource)
if resource_rule:
violations.extend(
resource_rule.find_violations(key))
wildcard_resource = resource_util.create_resource(
resource_id='*', resource_type=curr_resource.type)
if wildcard_resource in checked_wildcards:
continue
checked_wildcards.add(wildcard_resource)
resource_rule = self.get_resource_rules(wildcard_resource)
if resource_rule:
violations.extend(
resource_rule.find_violations(key))
LOGGER.debug('Returning violations: %r', violations)
return violations
def find_violations(self, iap_resource):
"""Find violations in the rule book.
Args:
iap_resource (IapResource): IAP data
Returns:
list: RuleViolation
"""
LOGGER.debug('Looking for IAP violations: %r', iap_resource)
violations = []
resource = iap_resource.backend_service
resource_ancestors = resource_util.get_ancestors_from_full_name(
iap_resource.project_full_name)
LOGGER.debug('Ancestors of resource: %r', resource_ancestors)
for curr_resource in resource_ancestors:
wildcard_resource = resource_util.create_resource(
resource_id='*', resource_type=curr_resource.type)
resource_rules = self.get_resource_rules(curr_resource)
resource_rules.extend(self.get_resource_rules(wildcard_resource))
LOGGER.debug('Resource rules for %r: %r', curr_resource,
resource_rules)
# Set to None, because if the direct resource (e.g. project)
# doesn't have a specific rule, we still should check the
# ancestry to see if the resource's parents have any rules
# that apply to the children.
inherit_from_parents = None
for resource_rule in resource_rules:
# Check whether rules match if the applies_to condition is met:
# SELF: check rules if the starting resource == current resource
# CHILDREN: check rules if starting resource != current resource
# SELF_AND_CHILDREN: always check rules
applies_to_self = (resource_rule.applies_to
== scanner_rules.RuleAppliesTo.SELF
and resource == curr_resource)
applies_to_children = (resource_rule.applies_to
== scanner_rules.RuleAppliesTo.CHILDREN
and resource != curr_resource)
applies_to_both = (resource_rule.applies_to == scanner_rules.
RuleAppliesTo.SELF_AND_CHILDREN)
rule_applies_to_resource = (applies_to_self
or applies_to_children
or applies_to_both)
LOGGER.debug('Does %r apply to resource? %r', resource_rule,
rule_applies_to_resource)
if not rule_applies_to_resource:
continue
violations.extend(
resource_rule.find_mismatches(resource, iap_resource))
inherit_from_parents = resource_rule.inherit_from_parents
# If the rule does not inherit the parents' rules, stop.
# Due to the way rules are structured, we only define the
# "inherit" property once per rule. So even though a rule
# may apply to multiple resources, it will only have one
# value for "inherit_from_parents".
# TODO: Revisit to remove pylint disable
# pylint: disable=compare-to-zero
if inherit_from_parents is False:
break
# pylint: enable=compare-to-zero
LOGGER.debug('Returning violations: %r', violations)
return violations