def add_rule(self, rule_def, rule_index):
"""Add a rule to the rule book.
Args:
rule_def (dict): A dictionary containing rule definition
properties.
rule_index (int): The index of the rule from the rule definitions.
Assigned automatically when the rule book is built.
"""
resources = rule_def.get('resource')
for resource in resources:
resource_ids = resource.get('resource_ids')
if not resource_ids or len(resource_ids) < 1:
raise audit_errors.InvalidRulesSchemaError(
'Missing resource ids in rule {}'.format(rule_index))
bucket = rule_def.get('bucket')
entity = rule_def.get('entity')
email = rule_def.get('email')
domain = rule_def.get('domain')
role = rule_def.get('role')
if (bucket is None) or (entity is None) or (email is None) or\
(domain is None) or (role is None):
raise audit_errors.InvalidRulesSchemaError(
'Faulty rule {}'.format(rule_def.get('name')))
rule_def_resource = bkt_acls.BucketAccessControls(
escape_and_globify(bucket), escape_and_globify(entity),
escape_and_globify(email), escape_and_globify(domain),
escape_and_globify(role.upper()))
rule = Rule(rule_name=rule_def.get('name'),
rule_index=rule_index,
rules=rule_def_resource)
resource_rules = self.resource_rules_map.get(rule_index)
if not resource_rules:
self.resource_rules_map[rule_index] = rule
def add_rule(self, rule_def, rule_index):
"""Add a rule to the rule book.
Args:
rule_def (dict): A dictionary containing rule definition
properties.
rule_index (int): The index of the rule from the rule definitions.
Assigned automatically when the rule book is built.
"""
resources = rule_def.get('resource')
for resource in resources:
resource_ids = resource.get('resource_ids')
if not resource_ids or len(resource_ids) < 1:
raise audit_errors.InvalidRulesSchemaError(
'Missing resource ids in rule {}'.format(rule_index))
instance_name = rule_def.get('instance_name')
authorized_networks = rule_def.get('authorized_networks')
ssl_enabled = rule_def.get('ssl_enabled')
if (instance_name is None) or (authorized_networks is None) or\
(ssl_enabled is None):
raise audit_errors.InvalidRulesSchemaError(
'Faulty rule {}'.format(rule_def.get('name')))
rule_def_resource = csql_acls.CloudSqlAccessControl(
escape_and_globify(instance_name),
escape_and_globify(authorized_networks),
ssl_enabled)
rule = Rule(rule_name=rule_def.get('name'),
rule_index=rule_index,
rules=rule_def_resource)
resource_rules = self.resource_rules_map.get(rule_index)
if not resource_rules:
self.resource_rules_map[rule_index] = rule
def __init__(self, role_name, members=None):
"""Initialize.
Args:
role_name (str): The string name of the role.
members (list): The role members of the policy binding.
"""
if not role_name or not members:
raise errors.InvalidIamPolicyBindingError(
('Invalid IAM policy binding: '
'role_name={}, members={}'.format(role_name, members)))
self.role_name = role_name
self.members = _get_iam_members(members)
self.role_pattern = re.compile(escape_and_globify(role_name),
flags=re.IGNORECASE)
def __init__(self, member_type, member_name=None):
"""Initialize.
Args:
member_type (str): The string member type (see `member_types`).
member_name (str): The string member name.
"""
if not member_type or not self._member_type_exists(member_type):
raise errors.InvalidIamPolicyMemberError(
'Invalid policy member: {}'.format(member_type))
self.type = member_type
self.name = member_name
self.name_pattern = None
if member_name:
self.name_pattern = re.compile(escape_and_globify(self.name),
flags=re.IGNORECASE)
def add_rule(self, rule_def, rule_index):
"""Add a rule to the rule book.
Args:
rule_def (dict): A dictionary containing rule definition
properties.
rule_index (int): The index of the rule from the rule definitions.
Assigned automatically when the rule book is built.
"""
resources = rule_def.get('resource')
for resource in resources:
resource_ids = resource.get('resource_ids')
if not resource_ids or len(resource_ids) < 1:
raise audit_errors.InvalidRulesSchemaError(
'Missing resource ids in rule {}'.format(rule_index))
dataset_id = rule_def.get('dataset_id')
special_group = rule_def.get('special_group')
user_email = rule_def.get('user_email')
domain = rule_def.get('domain')
group_email = rule_def.get('group_email')
role = rule_def.get('role')
is_any_none = any(item is None for item in [
dataset_id,
special_group,
user_email,
domain,
group_email,
role])
if is_any_none:
raise audit_errors.InvalidRulesSchemaError(
'Faulty rule {}'.format(rule_def.get('name')))
rule_def_resource = bq_acls.BigqueryAccessControls(
escape_and_globify(dataset_id),
escape_and_globify(special_group),
escape_and_globify(user_email),
escape_and_globify(domain),
escape_and_globify(group_email),
escape_and_globify(role.upper()))
rule = Rule(rule_name=rule_def.get('name'),
rule_index=rule_index,
rules=rule_def_resource)
if not self.resource_rules_map.get(rule_index):
self.resource_rules_map[rule_index] = rule
def add_rule(self, rule_def, rule_index): # pylint: disable=too-many-locals
"""Add a rule to the rule book.
Args:
rule_def (dict): rule definition properties
rule_index (int): index of the rule from the rule definitions,
assigned automatically when the rule book is built
"""
self._rules_sema.acquire()
try:
for resource in rule_def.get('resource'):
resource_ids = resource.get('resource_ids')
resource_type = None
try:
resource_type = resource_mod.ResourceType.verify(
resource.get('type'))
except resource_errors.InvalidResourceTypeError:
raise audit_errors.InvalidRulesSchemaError(
'Missing resource type in rule {}'.format(rule_index))
if not resource_ids or len(resource_ids) < 1:
raise audit_errors.InvalidRulesSchemaError(
'Missing resource ids in rule {}'.format(rule_index))
allowed_alternate_services = [
regex_util.escape_and_globify(glob) for glob in
rule_def.get('allowed_alternate_services', '').split(',')
if glob
]
allowed_direct_access_sources = [
regex_util.escape_and_globify(glob)
for glob in rule_def.get('allowed_direct_access_sources',
'').split(',') if glob
]
allowed_iap_enabled = regex_util.escape_and_globify(
rule_def.get('allowed_iap_enabled', '*'))
# For each resource id associated with the rule, create a
# mapping of resource => rules.
for resource_id in resource_ids:
gcp_resource = resource_util.create_resource(
resource_id=resource_id, resource_type=resource_type)
rule = Rule(
rule_name=rule_def.get('name'),
rule_index=rule_index,
allowed_alternate_services=allowed_alternate_services,
allowed_direct_access_sources=(
allowed_direct_access_sources),
allowed_iap_enabled=allowed_iap_enabled)
rule_applies_to = resource.get('applies_to')
rule_key = (gcp_resource, rule_applies_to)
# See if we have a mapping of the resource and rule
resource_rules = self.resource_rules_map.get(rule_key)
# If no mapping exists, create it.
if not resource_rules:
resource_rules = ResourceRules(
resource=gcp_resource,
applies_to=rule_applies_to,
inherit_from_parents=rule_def.get(
'inherit_from_parents', False))
self.resource_rules_map[rule_key] = resource_rules
# If the rule isn't in the mapping, add it.
if rule not in resource_rules.rules:
resource_rules.rules.add(rule)
finally:
self._rules_sema.release()
def add_rule(self, rule_def, rule_index):
"""Add a rule to the rule book.
Add a rule to the rule book.
The rule supplied to this method is the dictionary parsed from
the rules definition file.
For example, this rule...
# rules yaml:
rules:
- name: all networks covered in whitelist
project: '*'
network: '*'
is_external_network: True
whitelist:
master:
- master-1
network:
- network-1
- network-2
default:
- default-1
... gets parsed into:
{
"rules": [
{
"name": "all networks covered in whitelist",
"project": "*",
"network": "*",
"is_external_network": true,
"whitelist": {
"master": [
"master-1"
],
"network": [
"network-1",
"network-2"
],
"default": [
"default-1"
]
}
}
]
}
Args:
rule_def (dict): A dictionary containing rule definition properties.
rule_index (int): The index of the rule from the rule definitions.
Assigned automatically when the rule book is built.
"""
project = rule_def.get('project')
network = rule_def.get('network')
whitelist = rule_def.get('whitelist')
is_external_network = rule_def.get('is_external_network')
if ((whitelist is None) or (project is None) or (network is None)
or (is_external_network is None)):
raise audit_errors.InvalidRulesSchemaError('Faulty rule {}'.format(
rule_def.get('name')))
rule_def_resource = {
'whitelist': whitelist,
'project': escape_and_globify(project),
'network': escape_and_globify(network),
'is_external_network': is_external_network
}
rule = Rule(rule_name=rule_def.get('name'),
rule_index=rule_index,
rules=rule_def_resource)
resource_rules = self.resource_rules_map.get(rule_index)
if not resource_rules:
self.resource_rules_map[rule_index] = rule
