def add_rule(self, rule_def, rule_index):
"""Add a rule to the rule book.
Args:
rule_def (dict): A dictionary containing rule definition
properties.
rule_index (int): The index of the rule from the rule definitions.
Assigned automatically when the rule book is built.
"""
with self._lock:
for resource in rule_def.get('resource'):
resource_ids = resource.get('resource_ids')
resource_type = None
try:
resource_type = resource_mod.ResourceType.verify(
resource.get('type'))
except resource_errors.InvalidResourceTypeError:
raise audit_errors.InvalidRulesSchemaError(
'Missing resource type in rule {}'.format(rule_index))
if not resource_ids or len(resource_ids) < 1:
raise audit_errors.InvalidRulesSchemaError(
'Missing resource ids in rule {}'.format(rule_index))
check_serverconfig_valid_node_versions = rule_def.get(
'check_serverconfig_valid_node_versions', False)
check_serverconfig_valid_master_versions = rule_def.get(
'check_serverconfig_valid_master_versions', False)
allowed_nodepool_versions = rule_def.get(
'allowed_nodepool_versions', [])
allowed_versions = []
for allowed_version in allowed_nodepool_versions:
allowed_versions.append(VersionRule(**allowed_version))
# For each resource id associated with the rule, create a
# mapping of resource => rules.
for resource_id in resource_ids:
gcp_resource = resource_util.create_resource(
resource_id=resource_id,
resource_type=resource_type)
rule = Rule(
rule_def.get('name'),
rule_index,
check_serverconfig_valid_node_versions,
check_serverconfig_valid_master_versions,
allowed_versions)
resource_rules = self.resource_rules_map.setdefault(
gcp_resource, ResourceRules(resource=gcp_resource))
if rule not in resource_rules.rules:
resource_rules.rules.add(rule)
def add_rule(self, rule_def, rule_index):
"""Add a rule to the rule book.
Args:
rule_def (dict): A dictionary containing rule definition
properties.
rule_index (int): The index of the rule from the rule definitions.
Assigned automatically when the rule book is built.
"""
resources = rule_def.get('resource')
for resource in resources:
resource_ids = resource.get('resource_ids')
if not resource_ids or len(resource_ids) < 1:
raise audit_errors.InvalidRulesSchemaError(
'Missing resource ids in rule {}'.format(rule_index))
dataset_id = rule_def.get('dataset_id')
special_group = rule_def.get('special_group')
user_email = rule_def.get('user_email')
domain = rule_def.get('domain')
group_email = rule_def.get('group_email')
role = rule_def.get('role')
is_any_none = any(item is None for item in [
dataset_id,
special_group,
user_email,
domain,
group_email,
role])
if is_any_none:
raise audit_errors.InvalidRulesSchemaError(
'Faulty rule {}'.format(rule_def.get('name')))
rule_def_resource = bq_acls.BigqueryAccessControls(
escape_and_globify(dataset_id),
escape_and_globify(special_group),
escape_and_globify(user_email),
escape_and_globify(domain),
escape_and_globify(group_email),
escape_and_globify(role.upper()))
rule = Rule(rule_name=rule_def.get('name'),
rule_index=rule_index,
rules=rule_def_resource)
if not self.resource_rules_map.get(rule_index):
self.resource_rules_map[rule_index] = rule
def add_rule(self, rule_def, rule_index):
"""Add a rule to the rule book.
Args:
rule_def: A dictionary containing rule definition properties.
rule_index: The index of the rule from the rule definitions.
Assigned automatically when the rule book is built.
Raises:
"""
resources = rule_def.get('resource')
for resource in resources:
resource_ids = resource.get('resource_ids')
if not resource_ids or len(resource_ids) < 1:
raise audit_errors.InvalidRulesSchemaError(
'Missing resource ids in rule {}'.format(rule_index))
bucket = rule_def.get('bucket')
entity = rule_def.get('entity')
email = rule_def.get('email')
domain = rule_def.get('domain')
role = rule_def.get('role')
if (bucket is None) or (entity is None) or (email is None) or\
(domain is None) or (role is None):
raise audit_errors.InvalidRulesSchemaError(
'Faulty rule {}'.format(rule_def.get('name')))
rule_def_resource = bkt_acls.BucketAccessControls(
escape_and_globify(bucket), escape_and_globify(entity),
escape_and_globify(email), escape_and_globify(domain),
escape_and_globify(role.upper()))
rule = Rule(rule_name=rule_def.get('name'),
rule_index=rule_index,
rules=rule_def_resource)
resource_rules = self.resource_rules_map.get(rule_index)
if not resource_rules:
self.resource_rules_map[rule_index] = rule
def add_rule(self, rule_def, rule_index):
"""Add a rule to the rule book.
Args:
rule_def (dict): A dictionary containing rule definition
properties.
rule_index (int): The index of the rule from the rule definitions.
Assigned automatically when the rule book is built.
"""
resources = rule_def.get('resource')
for resource in resources:
resource_ids = resource.get('resource_ids')
if not resource_ids or len(resource_ids) < 1:
raise audit_errors.InvalidRulesSchemaError(
'Missing resource ids in rule {}'.format(rule_index))
instance_name = rule_def.get('instance_name')
authorized_networks = rule_def.get('authorized_networks')
ssl_enabled = rule_def.get('ssl_enabled')
if (instance_name is None) or (authorized_networks is None) or\
(ssl_enabled is None):
raise audit_errors.InvalidRulesSchemaError(
'Faulty rule {}'.format(rule_def.get('name')))
rule_def_resource = csql_acls.CloudSqlAccessControl(
escape_and_globify(instance_name),
escape_and_globify(authorized_networks),
ssl_enabled)
rule = Rule(rule_name=rule_def.get('name'),
rule_index=rule_index,
rules=rule_def_resource)
resource_rules = self.resource_rules_map.get(rule_index)
if not resource_rules:
self.resource_rules_map[rule_index] = rule
def verify(cls, applies_to):
"""Verify whether the applies_to is valid.
Args:
applies_to (str): What the rule applies to.
Returns:
str: The applies_to property.
Raises:
InvalidRulesSchemaError if applies_to is not valid.
"""
if applies_to not in cls.apply_types:
raise audit_errors.InvalidRulesSchemaError(
'Invalid applies_to: {}'.format(applies_to))
return applies_to
def verify(cls, mode):
"""Verify whether the mode is valid.
Args:
mode (str): The rules mode.
Returns:
str: The rules mode property.
Raises:
InvalidRulesSchemaError if mode is not valid.
"""
if mode not in cls.modes:
raise audit_errors.InvalidRulesSchemaError(
'Invalid rule mode: {}'.format(mode))
return mode
def add_rule(self, rule_def, rule_index):
"""Add a rule to the rule book.
Args:
rule_def (dict): A dictionary containing rule definition
properties.
rule_index (int): The index of the rule from the rule definitions.
Assigned automatically when the rule book is built.
Raises:
InvalidRulesSchemaError: if rule has format error
"""
target = rule_def.get('target')
mode = rule_def.get('mode')
load_balancing_scheme = rule_def.get('load_balancing_scheme')
port_range = rule_def.get('port_range')
port = rule_def.get('port')
ip_address = rule_def.get('ip_address')
ip_protocol = rule_def.get('ip_protocol')
if (target is None) or (mode is None) or \
(load_balancing_scheme is None) or \
(ip_address is None) or (ip_protocol is None):
raise audit_errors.InvalidRulesSchemaError('Faulty rule {}'.format(
rule_def.get('name')))
rule_def_resource = {
'target': target,
'mode': mode,
'load_balancing_scheme': load_balancing_scheme,
'port_range': port_range,
'ip_address': ip_address,
'ip_protocol': ip_protocol,
'port': port,
}
rule = Rule(rule_name=rule_def.get('name'),
rule_index=rule_index,
rules=rule_def_resource)
resource_rules = self.resource_rules_map.get(rule_index)
if not resource_rules:
self.resource_rules_map[rule_index] = rule
def add_rule(self, rule_def, rule_index):
"""Add a rule to the rule book.
The rule supplied to this method is the dictionary parsed from
the rules definition file.
For example, this rule...
# rules yaml:
rules:
- name: a rule
mode: whitelist
resource:
- type: project
applies_to: self
resource_ids:
- my-project-123
inherit_from_parents: true
bindings:
- role: roles/editor
members:
- users:[email protected]
... gets parsed into:
{
'name': 'a rule',
'mode': 'whitelist',
'resource': {
'type': 'project',
'applies_to': self,
'resource_ids': ['my-project-id']
},
'inherit_from_parents': true,
'bindings': [
{
'role': 'roles/editor',
'members': ['users:[email protected]']
}
]
}
Args:
rule_def (dict): Contains rule definition properties.
rule_index (int): The index of the rule from the rule definitions.
Assigned automatically when the rule book is built.
"""
self._rules_sema.acquire()
try:
resources = rule_def.get('resource')
for resource in resources:
resource_ids = resource.get('resource_ids')
resource_type = None
# TODO: collect these errors and output them in a log.
# TODO: log the error and keep going
try:
resource_type = resource_mod.ResourceType.verify(
resource.get('type'))
except resource_errors.InvalidResourceTypeError:
raise audit_errors.InvalidRulesSchemaError(
'Missing resource type in rule {}'.format(rule_index))
if not resource_ids or len(resource_ids) < 1:
raise audit_errors.InvalidRulesSchemaError(
'Missing resource ids in rule {}'.format(rule_index))
# For each resource id associated with the rule, create a
# mapping of resource => rules.
for resource_id in resource_ids:
gcp_resource = resource_util.create_resource(
resource_id=resource_id, resource_type=resource_type)
rule_bindings = [
iam_policy.IamPolicyBinding.create_from(b)
for b in rule_def.get('bindings')
]
rule = scanner_rules.Rule(rule_name=rule_def.get('name'),
rule_index=rule_index,
bindings=rule_bindings,
mode=rule_def.get('mode'))
rule_applies_to = resource.get('applies_to')
rule_key = (gcp_resource, rule_applies_to)
# See if we have a mapping of the resource and rule
resource_rules = self.resource_rules_map.get(rule_key)
# If no mapping exists, create it.
if not resource_rules:
resource_rules = ResourceRules(
resource=gcp_resource,
applies_to=rule_applies_to,
inherit_from_parents=rule_def.get(
'inherit_from_parents', False))
self.resource_rules_map[rule_key] = resource_rules
# If the rule isn't in the mapping, add it.
if rule not in resource_rules.rules:
resource_rules.rules.add(rule)
finally:
self._rules_sema.release()
def add_rule(self, rule_def, rule_index): # pylint: disable=too-many-locals
"""Add a rule to the rule book.
Args:
rule_def (dict): rule definition properties
rule_index (int): index of the rule from the rule definitions,
assigned automatically when the rule book is built
"""
self._rules_sema.acquire()
try:
for resource in rule_def.get('resource'):
resource_ids = resource.get('resource_ids')
resource_type = None
try:
resource_type = resource_mod.ResourceType.verify(
resource.get('type'))
except resource_errors.InvalidResourceTypeError:
raise audit_errors.InvalidRulesSchemaError(
'Missing resource type in rule {}'.format(rule_index))
if not resource_ids or len(resource_ids) < 1:
raise audit_errors.InvalidRulesSchemaError(
'Missing resource ids in rule {}'.format(rule_index))
allowed_alternate_services = [
regex_util.escape_and_globify(glob) for glob in
rule_def.get('allowed_alternate_services', '').split(',')
if glob
]
allowed_direct_access_sources = [
regex_util.escape_and_globify(glob)
for glob in rule_def.get('allowed_direct_access_sources',
'').split(',') if glob
]
allowed_iap_enabled = regex_util.escape_and_globify(
rule_def.get('allowed_iap_enabled', '*'))
# For each resource id associated with the rule, create a
# mapping of resource => rules.
for resource_id in resource_ids:
gcp_resource = resource_util.create_resource(
resource_id=resource_id, resource_type=resource_type)
rule = Rule(
rule_name=rule_def.get('name'),
rule_index=rule_index,
allowed_alternate_services=allowed_alternate_services,
allowed_direct_access_sources=(
allowed_direct_access_sources),
allowed_iap_enabled=allowed_iap_enabled)
rule_applies_to = resource.get('applies_to')
rule_key = (gcp_resource, rule_applies_to)
# See if we have a mapping of the resource and rule
resource_rules = self.resource_rules_map.get(rule_key)
# If no mapping exists, create it.
if not resource_rules:
resource_rules = ResourceRules(
resource=gcp_resource,
applies_to=rule_applies_to,
inherit_from_parents=rule_def.get(
'inherit_from_parents', False))
self.resource_rules_map[rule_key] = resource_rules
# If the rule isn't in the mapping, add it.
if rule not in resource_rules.rules:
resource_rules.rules.add(rule)
finally:
self._rules_sema.release()
def verify(cls, applies_to):
"""Verify whether the applies_to is valid."""
if applies_to not in cls.apply_types:
raise audit_errors.InvalidRulesSchemaError(
'Invalid applies_to: {}'.format(applies_to))
return applies_to
def verify(cls, mode):
"""Verify whether the mode is valid."""
if mode not in cls.modes:
raise audit_errors.InvalidRulesSchemaError(
'Invalid rule mode: {}'.format(mode))
return mode
def add_rule(self, rule_def, rule_index):
"""Add a rule to the rule book.
Add a rule to the rule book.
The rule supplied to this method is the dictionary parsed from
the rules definition file.
For example, this rule...
# rules yaml:
rules:
- name: all networks covered in whitelist
project: '*'
network: '*'
is_external_network: True
whitelist:
master:
- master-1
network:
- network-1
- network-2
default:
- default-1
... gets parsed into:
{
"rules": [
{
"name": "all networks covered in whitelist",
"project": "*",
"network": "*",
"is_external_network": true,
"whitelist": {
"master": [
"master-1"
],
"network": [
"network-1",
"network-2"
],
"default": [
"default-1"
]
}
}
]
}
Args:
rule_def (dict): A dictionary containing rule definition properties.
rule_index (int): The index of the rule from the rule definitions.
Assigned automatically when the rule book is built.
"""
project = rule_def.get('project')
network = rule_def.get('network')
whitelist = rule_def.get('whitelist')
is_external_network = rule_def.get('is_external_network')
if ((whitelist is None) or (project is None) or (network is None)
or (is_external_network is None)):
raise audit_errors.InvalidRulesSchemaError('Faulty rule {}'.format(
rule_def.get('name')))
rule_def_resource = {
'whitelist': whitelist,
'project': escape_and_globify(project),
'network': escape_and_globify(network),
'is_external_network': is_external_network
}
rule = Rule(rule_name=rule_def.get('name'),
rule_index=rule_index,
rules=rule_def_resource)
resource_rules = self.resource_rules_map.get(rule_index)
if not resource_rules:
self.resource_rules_map[rule_index] = rule
