Esempio n. 1
 def test_direct_access_violation(self):
     """A direct-access source the rule does not allow is reported.

     The backend service has IAP enabled but also lists one direct-access
     source ('some-tag'). The rule is built with two empty lists, and the
     expected result is a single IAP_VIOLATION naming that source, with no
     alternate-service violation and no iap_enabled violation.
     """
     # NOTE(review): the positional arguments look like (rule_name,
     # rule_index, allowed alternate services, allowed direct access
     # sources, allowed iap_enabled pattern) -- confirm against ire.Rule.
     iap_rule = ire.Rule('my rule', 0, [], [], '^.*')
     rules_for_org = ire.ResourceRules(
         self.org789,
         rules={iap_rule},
         applies_to='self_and_children')

     backend = backend_service.BackendService(
         full_name='fake_full_name111',
         project_id=self.project1.id,
         name='bs1')

     # The only finding expected below is this source, i.e. a way to reach
     # the backend that the rule does not list as allowed.
     bypass_source = 'some-tag'
     resource_under_test = iap_scanner.IapResource(
         project_full_name='',
         backend_service=backend,
         alternate_services=set(),
         direct_access_sources={bypass_source},
         iap_enabled=True)

     found = list(
         rules_for_org.find_mismatches(backend, resource_under_test))

     expected_violation = ire.RuleViolation(
         resource_type=resource_mod.ResourceType.BACKEND_SERVICE,
         resource_name='bs1',
         resource_id=backend.resource_id,
         full_name='fake_full_name111',
         rule_name=iap_rule.rule_name,
         rule_index=iap_rule.rule_index,
         violation_type='IAP_VIOLATION',
         alternate_services_violations=[],
         direct_access_sources_violations=[bypass_source],
         iap_enabled_violation=False,
         resource_data='{"full_name": "fake_full_name111", "id": "None", "name": "bs1"}')
     self.assertEqual([expected_violation], found)
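    def test_retrieve_resources(self):
        """Check the IAP resources that the scanner's ``_retrieve`` produces.

        Collects every resource yielded by ``self.scanner._retrieve()`` into
        a dict keyed by backend-service key, then verifies that (a) exactly
        the keys of the BACKEND_SERVICES fixture are present and (b) the
        resource for 'bs1' carries the expected alternate services, direct
        access sources and IAP state.
        """
        iap_resources = {}
        # Each yielded item is a pair; only its first element (an iterable
        # of resources) is used here.
        for resources, _ in self.scanner._retrieve():
            iap_resources.update({
                resource.backend_service.key: resource
                for resource in resources
            })

        # Do not truncate the diff if one of the comparisons below fails.
        self.maxDiff = None
        # assertEqual replaces the deprecated assertEquals alias, which was
        # removed from unittest in Python 3.12.
        self.assertEqual({bs.key for bs in BACKEND_SERVICES.values()},
                         set(iap_resources))

        # For bs1 the scanner is expected to report both the other backend
        # services and the direct sources listed here; a missing entry
        # would mean a route to the backend went unreported.
        # NOTE(review): what each source string stands for (CIDR range,
        # tag, firewall rule name) depends on fixtures not shown here.
        self.assertEqual(
            iap_scanner.IapResource(
                project_full_name='organization/12345/project/foo/',
                backend_service=BACKEND_SERVICES['bs1'],
                alternate_services={
                    backend_service_type.Key.from_args(
                        project_id='foo',
                        name='bs1_same_backend',
                    ),
                    backend_service_type.Key.from_args(
                        project_id='foo',
                        name='bs1_same_instance',
                    ),
                },
                direct_access_sources={
                    '10.0.2.0/24', 'tag_match', 'applies_all', 'applies_8080'
                },
                iap_enabled=True,
            ), iap_resources[BACKEND_SERVICES['bs1'].key])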
Esempio n. 3
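 def test_no_violations(self):
     """A resource with no alternate services or direct sources is clean.

     IAP is enabled and both bypass-related sets are empty, so
     ``find_mismatches`` is expected to yield nothing.
     """
     # NOTE(review): the last argument looks like a regex matched against
     # the iap_enabled state; '^.*$' would accept any value -- confirm
     # against ire.Rule.
     rule = ire.Rule('my rule', 0, [], [], '^.*$')
     resource_rule = ire.ResourceRules(self.org789,
                                       rules={rule},
                                       applies_to='self_and_children')
     service = backend_service.BackendService(project_id=self.project1.id,
                                              name='bs1')
     iap_resource = iap_scanner.IapResource(project_full_name='',
                                            backend_service=service,
                                            alternate_services=set(),
                                            direct_access_sources=set(),
                                            iap_enabled=True)
     results = list(resource_rule.find_mismatches(service, iap_resource))
     # assertEqual replaces the deprecated assertEquals alias, which was
     # removed from unittest in Python 3.12.
     self.assertEqual([], results)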
Esempio n. 4
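 def test_violations_iap_disabled(self):
     """If IAP is disabled, don't report other violations.

     The resource has an alternate service and a direct-access source,
     neither of which the rule's empty lists allow, but ``iap_enabled`` is
     False. The expected result is an empty list: alternate-service and
     direct-access findings are suppressed when IAP is off.
     """
     # NOTE(review): with the '^.*' pattern this rule also appears to
     # accept the disabled state itself, so this resource produces no
     # finding at all. A policy meant to flag backends with IAP turned off
     # would need a stricter pattern -- confirm against ire.Rule.
     rule = ire.Rule('my rule', 0, [], [], '^.*')
     resource_rule = ire.ResourceRules(self.org789,
                                       rules={rule},
                                       applies_to='self_and_children')
     service = backend_service.BackendService(full_name='fake_full_name111',
                                              project_id=self.project1.id,
                                              name='bs1')
     alternate_service = backend_service.Key.from_args(
         project_id=self.project1.id, name='bs2')
     iap_resource = iap_scanner.IapResource(
         project_full_name='',
         backend_service=service,
         alternate_services={alternate_service},
         direct_access_sources={'some-tag'},
         iap_enabled=False)
     results = list(resource_rule.find_mismatches(service, iap_resource))
     expected_violations = []
     # assertEqual replaces the deprecated assertEquals alias, which was
     # removed from unittest in Python 3.12.
     self.assertEqual(expected_violations, results)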