 def test_legacy_networks(self):
     """A legacy network (no subnet) still yields one well-formed interface."""
     inst = instance.Instance(**fake_instance.FAKE_INSTANCE_RESPONSE_LEGACY)
     interfaces = inst.create_network_interfaces()
     self.assertEqual(len(interfaces), 1)

     nic = interfaces[0]
     expected_network = ('https://www.googleapis.com/compute/v1/projects/'
                         'project-1/global/networks/network-1')
     expected_access_configs = [{u'kind': u'compute#accessConfig',
                                 u'type': u'ONE_TO_ONE_NAT',
                                 u'name': u'External NAT',
                                 u'natIP': u'000.000.000.001'}]
     self.assertEqual('compute#networkInterface', nic.kind)
     self.assertEqual('nic0', nic.name)
     self.assertEqual(expected_network, nic.network)
     self.assertEqual('000.000.000.000', nic.network_ip)
     self.assertEqual(expected_access_configs, nic.access_configs)
    def test_network_interface_creation(self):
        """A subnet-backed instance response yields one fully populated NIC."""
        inst = instance.Instance(**fake_instance.FAKE_INSTANCE_RESPONSE_1)
        interfaces = inst.create_network_interfaces()
        self.assertEqual(len(interfaces), 1)

        nic = interfaces[0]
        expected_network = ('https://www.googleapis.com/compute/v1/projects/'
                            'project-1/global/networks/network-1')
        expected_subnetwork = ('https://www.googleapis.com/compute/v1/projects'
                               '/project-1/regions/datacenter'
                               '/subnetworks/subnetwork-1')
        expected_access_configs = [{u'kind': u'compute#accessConfig',
                                    u'type': u'ONE_TO_ONE_NAT',
                                    u'name': u'External NAT',
                                    u'natIP': u'000.000.000.001'}]
        self.assertEqual('compute#networkInterface', nic.kind)
        self.assertEqual('nic0', nic.name)
        self.assertEqual(expected_network, nic.network)
        self.assertEqual('000.000.000.000', nic.network_ip)
        self.assertEqual(expected_subnetwork, nic.subnetwork)
        self.assertEqual(expected_access_configs, nic.access_configs)
    def test_instance(self):
        """instance.Key is built identically from fields and from a URL.

        Also checks that a URL missing any of the project, zone or instance
        path segments is rejected with ValueError.
        """
        fields = {'project_id': 'foo', 'zone': 'us-central1-a', 'name': 'bar'}
        url = ('https://www.googleapis.com/compute/v1/'
               'projects/foo/zones/us-central1-a/instances/bar')
        expected_key = key.Key(instance.KEY_OBJECT_KIND, fields)

        self.assertEqual(expected_key, instance.Instance(**fields).key)
        self.assertEqual(expected_key, instance.Key.from_url(url))

        # Each URL drops one mandatory segment: project, zone, instance.
        malformed_urls = [
            'https://www.googleapis.com/compute/v1/zones/bar/instances/baz',
            'https://www.googleapis.com/compute/v1/projects/foo/instances/bar',
            'https://www.googleapis.com/compute/v1/projects/foo/zones/bar',
        ]
        for malformed in malformed_urls:
            with self.assertRaises(ValueError):
                instance.Key.from_url(malformed)
    def setUp(self):
        """Build an in-memory fixture for the IAP scanner.

        Patches the org/project DAOs, constructs an IapScanner whose
        ``_get_*`` data accessors are replaced with lambdas over the dicts
        assembled below, and finally wraps the same collections in an
        ``iap_scanner._RunData``. Each entry in the backend-service and
        firewall-rule dicts is a named case with a comment stating how the
        scanner is expected to treat it.
        """
        # Fixed "now" for tests; not read within setUp itself — presumably
        # consumed by tests outside this view.
        self.fake_utcnow = datetime(year=1900,
                                    month=1,
                                    day=1,
                                    hour=0,
                                    minute=0,
                                    second=0,
                                    microsecond=0)

        # patch the daos
        self.org_patcher = mock.patch(
            'google.cloud.security.common.data_access.'
            'org_resource_rel_dao.OrgResourceRelDao')
        self.mock_org_rel_dao = self.org_patcher.start()
        self.mock_org_rel_dao.return_value = FakeOrgDao()

        self.project_patcher = mock.patch(
            'google.cloud.security.common.data_access.'
            'project_dao.ProjectDao')
        self.mock_project_dao = self.project_patcher.start()
        self.mock_project_dao.return_value = FakeProjectDao()

        self.fake_scanner_configs = {'output_path': 'gs://fake/output/path'}
        self.scanner = iap_scanner.IapScanner(
            {}, {}, '',
            get_datafile_path(__file__, 'iap_scanner_test_data.yaml'))
        self.scanner.scanner_configs = self.fake_scanner_configs
        # The accessors are lambdas so they resolve self.<collection> lazily;
        # the collections themselves are only assigned further down.
        self.scanner._get_backend_services = lambda: self.backend_services.values(
        )
        self.scanner._get_firewall_rules = lambda: self.firewall_rules.values()
        self.scanner._get_instances = lambda: self.instances.values()
        self.scanner._get_instance_groups = lambda: self.instance_groups.values(
        )
        self.scanner._get_instance_group_managers = lambda: self.instance_group_managers.values(
        )
        self.scanner._get_instance_templates = lambda: self.instance_templates.values(
        )

        # Backend services: 'bs1' is the IAP-enabled reference service; the
        # others share (or don't share) its backends/port to exercise the
        # "alternate service" detection.
        self.backend_services = {
            # The main backend service.
            'bs1':
            backend_service_type.BackendService(
                project_id='foo',
                name='bs1',
                backends=json.dumps([
                    {
                        'group': ('https://www.googleapis.com/compute/v1/'
                                  'projects/foo/regions/wl-redqueen1/'
                                  'instanceGroups/ig_managed')
                    },
                    {
                        'group': ('https://www.googleapis.com/compute/v1/'
                                  'projects/foo/regions/wl-redqueen1/'
                                  'instanceGroups/ig_unmanaged')
                    },
                ]),
                iap=json.dumps({'enabled': True}),
                port=80,
                port_name='http',
            ),
            # Another backend service that connects to the same backend.
            'bs1_same_backend':
            backend_service_type.BackendService(
                project_id='foo',
                name='bs1_same_backend',
                backends=json.dumps([
                    {
                        'group': ('https://www.googleapis.com/compute/v1/'
                                  'projects/foo/regions/wl-redqueen1/'
                                  'instanceGroups/ig_managed')
                    },
                ]),
                port=80,
            ),
            # A backend service with a different port (so, not an alternate).
            'bs1_different_port':
            backend_service_type.BackendService(
                project_id='foo',
                name='bs1_different_port',
                backends=json.dumps([
                    {
                        'group': ('https://www.googleapis.com/compute/v1/'
                                  'projects/foo/regions/wl-redqueen1/'
                                  'instanceGroups/ig_managed')
                    },
                ]),
                port=81,
            ),
            # Various backend services that should or shouldn't be alts.
            'bs1_same_instance':
            backend_service_type.BackendService(
                project_id='foo',
                name='bs1_same_instance',
                backends=json.dumps([
                    {
                        'group': ('https://www.googleapis.com/compute/v1/'
                                  'projects/foo/regions/wl-redqueen1/'
                                  'instanceGroups/ig_same_instance')
                    },
                ]),
                port=80,
            ),
            'bs1_different_network':
            backend_service_type.BackendService(
                project_id='foo',
                name='bs1_different_network',
                backends=json.dumps([
                    {
                        'group': ('https://www.googleapis.com/compute/v1/'
                                  'projects/foo/regions/wl-redqueen1/'
                                  'instanceGroups/ig_different_network')
                    },
                ]),
                port=80,
            ),
            'bs1_different_instance':
            backend_service_type.BackendService(
                project_id='foo',
                name='bs1_different_instance',
                backends=json.dumps([
                    {
                        'group': ('https://www.googleapis.com/compute/v1/'
                                  'projects/foo/regions/wl-redqueen1/'
                                  'instanceGroups/ig_different_instance')
                    },
                ]),
                port=80,
            ),
        }
        # Firewall rules: one case per matching dimension the scanner has to
        # evaluate (protocol, direction, network, target tags, ports,
        # priority / deny preemption). The comment on each entry is the
        # expected verdict.
        self.firewall_rules = {
            # Doesn't apply because of IPProtocol mismatch.
            'proto_mismatch':
            firewall_rule_type.FirewallRule(
                project_id='foo',
                firewall_rule_name='proto_mismatch',
                firewall_rule_network='global/networks/default',
                firewall_rule_source_tags=json.dumps(['proto_mismatch']),
                firewall_rule_allowed=json.dumps([{
                    'IPProtocol': 'udp',
                }]),
            ),
            # Preempted by allow.
            # NOTE(review): source_ranges here (and in 'preempted_deny')
            # holds a tag-like label rather than a CIDR — confirm the matcher
            # tolerates that, or whether it should be a range.
            'deny_applies_all_preempted':
            firewall_rule_type.FirewallRule(
                project_id='foo',
                firewall_rule_name='deny_applies_all_preempted',
                firewall_rule_priority=60000,
                firewall_rule_network='global/networks/default',
                firewall_rule_source_ranges=json.dumps(['applies_all']),
                firewall_rule_denied=json.dumps([{
                    'IPProtocol': 'tcp',
                }]),
            ),
            # Applies to all ports, tags.
            'applies_all':
            firewall_rule_type.FirewallRule(
                project_id='foo',
                firewall_rule_name='applies_all',
                firewall_rule_network='global/networks/default',
                firewall_rule_source_ranges=json.dumps(['10.0.2.0/24']),
                firewall_rule_source_tags=json.dumps(['applies_all']),
                firewall_rule_allowed=json.dumps([{
                    'IPProtocol': 'tcp',
                }]),
            ),
            # Applies to only port 8080.
            'applies_8080':
            firewall_rule_type.FirewallRule(
                project_id='foo',
                firewall_rule_name='applies_8080',
                firewall_rule_network='global/networks/default',
                firewall_rule_source_tags=json.dumps(['applies_8080']),
                firewall_rule_allowed=json.dumps([{
                    'IPProtocol': 'tcp',
                    'ports': [8080],
                }]),
            ),
            # Applies to a multi-port range.
            'applies_8081_8083':
            firewall_rule_type.FirewallRule(
                project_id='foo',
                firewall_rule_name='applies_8081_8083',
                firewall_rule_network='global/networks/default',
                firewall_rule_source_tags=json.dumps(['applies_8081_8083']),
                firewall_rule_allowed=json.dumps([{
                    'IPProtocol': 'tcp',
                    'ports': ['8081-8083'],
                }]),
            ),
            # Doesn't apply because of direction mismatch.
            'direction':
            firewall_rule_type.FirewallRule(
                project_id='foo',
                firewall_rule_name='direction',
                firewall_rule_direction='EGRESS',
                firewall_rule_network='global/networks/default',
                firewall_rule_source_tags=json.dumps(['direction']),
                firewall_rule_allowed=json.dumps([{
                    'IPProtocol': 'tcp',
                }]),
            ),
            # Doesn't apply because of network mismatch.
            'network':
            firewall_rule_type.FirewallRule(
                project_id='foo',
                firewall_rule_name='network',
                firewall_rule_network='global/networks/social',
                firewall_rule_source_tags=json.dumps(['network']),
                firewall_rule_allowed=json.dumps([{
                    'IPProtocol': 'tcp',
                }]),
            ),
            # Doesn't apply because of tags.
            'tag_mismatch':
            firewall_rule_type.FirewallRule(
                project_id='foo',
                firewall_rule_name='tag_mismatch',
                firewall_rule_network='global/networks/default',
                firewall_rule_source_tags=json.dumps(['tag_mismatch']),
                firewall_rule_target_tags=json.dumps(
                    ['im_gonna_pop_some_tags']),
                firewall_rule_allowed=json.dumps([{
                    'IPProtocol': 'tcp',
                }]),
            ),
            # Tag-specific rule *does* apply.
            'tag_match':
            firewall_rule_type.FirewallRule(
                project_id='foo',
                firewall_rule_name='tag_match',
                firewall_rule_network='global/networks/default',
                firewall_rule_source_tags=json.dumps(['tag_match']),
                firewall_rule_target_tags=json.dumps(['tag_i1']),
                firewall_rule_allowed=json.dumps([{
                    'IPProtocol': 'tcp',
                }]),
            ),
            # Preempted by deny rule.
            'preempted':
            firewall_rule_type.FirewallRule(
                project_id='foo',
                firewall_rule_name='preempted',
                firewall_rule_network='global/networks/default',
                firewall_rule_source_tags=json.dumps(['preempted']),
                firewall_rule_allowed=json.dumps([{
                    'IPProtocol': 'tcp',
                }]),
            ),
            # The priority-1 deny rule that preempts 'preempted' above.
            'preempted_deny':
            firewall_rule_type.FirewallRule(
                project_id='foo',
                firewall_rule_name='preempted_deny',
                firewall_rule_priority=1,
                firewall_rule_network='global/networks/default',
                firewall_rule_source_ranges=json.dumps(['preempted']),
                firewall_rule_denied=json.dumps([{
                    'IPProtocol': 'tcp',
                }]),
            ),
        }
        # Instances: i1 carries the tag that 'tag_match' targets; i2 has no
        # tags.
        self.instances = {
            'i1':
            instance_type.Instance(
                project_id='foo',
                name='i1',
                tags=json.dumps({'items': ['tag_i1']}),
                zone='wl-redqueen1-a',
            ),
            'i2':
            instance_type.Instance(
                project_id='foo',
                name='i2',
                tags=json.dumps([]),
                zone='wl-redqueen1-a',
            ),
        }
        self.instance_groups = {
            # Managed
            'ig_managed':
            instance_group_type.InstanceGroup(
                project_id='foo',
                name='ig_managed',
                network='global/networks/default',
                region='wl-redqueen1',
                instance_urls=json.dumps([
                    ('https://www.googleapis.com/compute/v1/'
                     'projects/foo/zones/wl-redqueen1-a/instances/i1')
                ]),
            ),
            # Unmanaged; overrides port mapping
            'ig_unmanaged':
            instance_group_type.InstanceGroup(
                project_id='foo',
                name='ig_unmanaged',
                network='global/networks/default',
                region='wl-redqueen1',
                instance_urls=json.dumps([]),
                named_ports=json.dumps([{
                    'name': 'foo',
                    'port': 80
                }, {
                    'name': 'http',
                    'port': 8080
                }]),
            ),
            # Unmanaged; same instance as ig_managed
            'ig_same_instance':
            instance_group_type.InstanceGroup(
                project_id='foo',
                name='ig_same_instance',
                network='global/networks/default',
                region='wl-redqueen1',
                instance_urls=json.dumps([
                    ('https://www.googleapis.com/compute/v1/'
                     'projects/foo/zones/wl-redqueen1-a/instances/i1')
                ]),
            ),
            # Unmanaged; different network than ig_managed
            'ig_different_network':
            instance_group_type.InstanceGroup(
                project_id='foo',
                name='ig_different_network',
                network='global/networks/nondefault',
                region='wl-redqueen1',
                instance_urls=json.dumps([
                    ('https://www.googleapis.com/compute/v1/'
                     'projects/foo/zones/wl-redqueen1-a/instances/i1')
                ]),
            ),
            # Unmanaged; different instance than ig_managed
            # NOTE(review): name is 'ig5' while the dict key and the backend
            # URL in 'bs1_different_instance' say 'ig_different_instance' —
            # confirm the mismatch is intended.
            'ig_different_instance':
            instance_group_type.InstanceGroup(
                project_id='foo',
                name='ig5',
                network='global/networks/default',
                region='wl-redqueen1',
                instance_urls=json.dumps([
                    ('https://www.googleapis.com/compute/v1/'
                     'projects/foo/zones/wl-redqueen1-a/instances/i2')
                ]),
            ),
        }
        # Links ig_managed to template it1, whose tags apply to its instances.
        self.instance_group_managers = {
            'igm1':
            instance_group_manager_type.InstanceGroupManager(
                project_id='foo',
                name='igm1',
                instance_group=
                ('https://www.googleapis.com/compute/v1/'
                 'projects/foo/regions/wl-redqueen1/instanceGroups/ig_managed'
                 ),
                instance_template=(
                    'https://www.googleapis.com/compute/v1/'
                    'projects/foo/global/instanceTemplates/it1'),
                region='wl-redqueen1',
            ),
        }
        self.instance_templates = {
            'it1':
            instance_template_type.InstanceTemplate(
                project_id='foo',
                name='it1',
                properties=json.dumps({
                    'tags': {
                        'items': ['tag_it1']
                    },
                }),
            ),
        }
        # Same collections the scanner's patched accessors return, bundled in
        # the positional order _RunData expects.
        self.data = iap_scanner._RunData(
            self.backend_services.values(),
            self.firewall_rules.values(),
            self.instances.values(),
            self.instance_groups.values(),
            self.instance_group_managers.values(),
            self.instance_templates.values(),
        )
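def create_list_of_instence_network_interface_obj_from_data():
    """Build the network interfaces of every fake scanner instance.

    Returns:
        list: one entry per record in
        ``fake_instance_scanner_data.INSTANCE_DATA``; each entry is whatever
        ``Instance.create_network_interfaces()`` returns for that record.
    """
    # Comprehension instead of a manual append loop; same order, same items.
    return [instance.Instance(**data).create_network_interfaces()
            for data in fake_instance_scanner_data.INSTANCE_DATA]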
 def test_recognize_two_network_interfaces(self):
     """An instance response with two NICs yields two interface objects."""
     inst = instance.Instance(**fake_instance.FAKE_INSTANCE_RESPONSE_2)
     interfaces = inst.create_network_interfaces()
     self.assertEqual(len(interfaces), 2)