def test_org_whitelist_rules_vs_policy_no_violations(self): """Test ruleset on an org with whitelist with no rule violations. Setup: * Create a RulesEngine with RULES1 rule set. * Create policy. Expected result: * Find no rule violations. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path) rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES1, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() find_ancestor_mock = mock.MagicMock(side_effect=[[]]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock policy = { 'bindings': [{ 'role': 'roles/editor', 'members': [ 'user:[email protected]', ] }] } actual_violations = set( rules_engine.find_policy_violations(self.org789, policy)) self.assertItemsEqual(set(), actual_violations)
def test_empty_policy_with_rules_no_violations(self): """Test an empty policy against the RulesEngine with rules. Setup: * Create a RulesEngine. * Created expected violations list. Expected results: No policy violations found. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path) rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES1, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() find_ancestor_mock = mock.MagicMock(side_effect=[[self.org789]]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock actual_violations = set( rules_engine.find_policy_violations(self.project1, {})) # expected expected_violations = set() self.assertEqual(expected_violations, actual_violations)
def test_build_rule_book_from_gcs_works(self, mock_load_rules_from_gcs): """Test that a RuleBook is built correctly with a mocked gcs file. Setup: * Create a mocked GCS object from a test yaml file. * Get the yaml file content. Expected results: There are 4 resources that have rules, in the rule book. """ bucket_name = 'bucket-name' rules_path = 'input/test_rules_1.yaml' full_rules_path = 'gs://{}/{}'.format(bucket_name, rules_path) rules_engine = ire.IamRulesEngine(rules_file_path=full_rules_path) # Read in the rules file file_content = None with open(get_datafile_path(__file__, 'test_rules_1.yaml'), 'r') as rules_local_file: try: file_content = yaml.safe_load(rules_local_file) except yaml.YAMLError: raise mock_load_rules_from_gcs.return_value = file_content rules_engine.build_rule_book() self.assertEqual(4, len(rules_engine.rule_book.resource_rules_map))
def test_org_project_inherit_org_rule_violation(self): """Test org with blacklist and child with whitelist, no inherit. Test that the project whitelist rule overrides the org blacklist rule when the project does not inherit from parent. Setup: * Create a RulesEngine with RULES5 rule set. * Create policy. Expected result: * Find 1 rule violation. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path) rules5 = copy.deepcopy(test_rules.RULES5) rules5['rules'][1]['inherit_from_parents'] = True rules_engine.rule_book = ire.IamRuleBook(rules5, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() find_ancestor_mock = mock.MagicMock( side_effect=[[self.org789]]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock project_policy = { 'bindings': [ { 'role': 'roles/owner', 'members': [ 'user:[email protected]', ] } ] } actual_violations = set( rules_engine.find_policy_violations(self.project1, project_policy) ) # expected expected_outstanding_proj = { 'roles/owner': [ IamPolicyMember.create_from('user:[email protected]') ] } expected_violations = set([ scanner_rules.RuleViolation( rule_index=0, rule_name='org blacklist', resource_id=self.project1.id, resource_type=self.project1.type, violation_type='ADDED', role=project_policy['bindings'][0]['role'], members=tuple(expected_outstanding_proj['roles/owner'])), ]) self.assertItemsEqual(expected_violations, actual_violations)
def test_one_member_mismatch(self): """Test a policy where one member mismatches the whitelist. Setup: * Create a RulesEngine and add test_rules.RULES1. * Create the policy binding. * Create the Rule and rule bindings. * Create the resource association for the Rule. Expected results: One policy binding member missing from the whitelist. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path) rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES1, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() find_ancestor_mock = mock.MagicMock(side_effect=[[self.org789]]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock policy = { 'bindings': [{ 'role': 'roles/editor', 'members': ['user:[email protected]', 'user:[email protected]'] }] } actual_violations = set( rules_engine.find_policy_violations(self.project1, policy)) # expected rule_bindings = [{ 'role': 'roles/*', 'members': ['user:*@company.com'] }] rule = scanner_rules.Rule( 'my rule', 0, [IamPolicyBinding.create_from(b) for b in rule_bindings], mode='whitelist') expected_outstanding = { 'roles/editor': [IamPolicyMember.create_from('user:[email protected]')] } expected_violations = set([ scanner_rules.RuleViolation( resource_type=self.project1.type, resource_id=self.project1.id, rule_name=rule.rule_name, rule_index=rule.rule_index, role='roles/editor', violation_type=scanner_rules.VIOLATION_TYPE.get(rule.mode), members=tuple(expected_outstanding['roles/editor'])) ]) self.assertEqual(expected_violations, actual_violations)
def test_org_2_child_rules_report_violation(self): """Test org "children" whitelist works with org "children" blacklist. Test that org children whitelist with org children blacklist rules report violation. Setup: * Create a RulesEngine with RULES6 rule set. * Create policy. Expected result: * Find 1 rule violation. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path) rules_engine.rule_book = ire.IamRuleBook( test_rules.RULES6, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() find_ancestor_mock = mock.MagicMock( side_effect=[[self.org789]]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock project_policy = { 'bindings': [ { 'role': 'roles/owner', 'members': [ 'user:[email protected]', ] } ] } actual_violations = set( rules_engine.find_policy_violations(self.project1, project_policy) ) # expected expected_outstanding_proj = { 'roles/owner': [ IamPolicyMember.create_from('user:[email protected]') ] } expected_violations = set([ scanner_rules.RuleViolation( rule_index=1, rule_name='project blacklist', resource_id=self.project1.id, resource_type=self.project1.type, violation_type='ADDED', role=project_policy['bindings'][0]['role'], members=tuple(expected_outstanding_proj['roles/owner'])), ]) self.assertItemsEqual(expected_violations, actual_violations)
def test_folder_rule_whitelist(self): """Test a simple folder whitelist rule.""" rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path) rules_engine.rule_book = ire.IamRuleBook({}, test_rules.FOLDER_RULES1, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() find_ancestor_mock = mock.MagicMock( side_effect=[[self.org789], [self.folder1, self.org789]]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock # one violation for folder because of organization 778899 # one violation for project because of project3's parent folder_policy = { 'bindings': [{ 'role': 'roles/editor', 'members': [ 'user:[email protected]', ] }] } project_policy = { 'bindings': [{ 'role': 'roles/editor', 'members': [ 'user:[email protected]', ] }] } actual_violations = set( itertools.chain( rules_engine.find_policy_violations(self.folder1, folder_policy), rules_engine.find_policy_violations(self.project3, project_policy))) # expected expected_outstanding = { 'roles/editor': [IamPolicyMember.create_from('user:[email protected]')] } expected_violations = set([ scanner_rules.RuleViolation( rule_index=0, rule_name='folder rule 1', resource_id=self.folder1.id, resource_type=self.folder1.type, violation_type='ADDED', role=project_policy['bindings'][0]['role'], members=tuple(expected_outstanding['roles/editor'])), ]) self.assertItemsEqual(expected_violations, actual_violations)
def test_org_project_noinherit_project_overrides_org_rule(self): """Test org with blacklist and child with whitelist, no inherit. Test that the project whitelist rule overrides the org blacklist rule when the project does not inherit from parent. Setup: * Create a RulesEngine with RULES5 rule set. * Create policy. Expected result: * Find 0 rule violations. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path) rules_engine.rule_book = ire.IamRuleBook( test_rules.RULES5, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() find_ancestor_mock = mock.MagicMock( side_effect=[[self.org789]]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock project_policy = { 'bindings': [ { 'role': 'roles/owner', 'members': [ 'user:[email protected]', ] } ] } actual_violations = set( rules_engine.find_policy_violations(self.project1, project_policy) ) # expected expected_outstanding_proj = { 'roles/editor': [ IamPolicyMember.create_from('user:[email protected]') ] } expected_violations = set([]) self.assertItemsEqual(expected_violations, actual_violations)
def __init__(self, global_configs, scanner_configs, snapshot_timestamp, rules): """Initialization. Args: global_configs (dict): Global configurations. scanner_configs (dict): Scanner configurations. snapshot_timestamp (str): Timestamp, formatted as YYYYMMDDTHHMMSSZ. rules (str): Fully-qualified path and filename of the rules file. """ super(IamPolicyScanner, self).__init__(global_configs, scanner_configs, snapshot_timestamp, rules) self.rules_engine = iam_rules_engine.IamRulesEngine( rules_file_path=self.rules, snapshot_timestamp=self.snapshot_timestamp) self.rules_engine.build_rule_book(self.global_configs)
def test_org_self_bl_proj_noinherit_wl_no_violation(self): """Test proj policy doesn't violate rule b/l user (org), w/l (project). Test that an org with a blacklist on the org level plus a project whitelist with no rule inheritance allows the user blacklisted by the org, on the project level. Setup: * Create a RulesEngine with RULES5 rule set. * Tweak the rules to make the org blacklist apply to "self". * Create policy. Expected result: * Find 0 rule violations. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path) rules5 = copy.deepcopy(test_rules.RULES5) rules5['rules'][0]['resource'][0]['applies_to'] = 'self' rules_engine.rule_book = ire.IamRuleBook(rules5, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() find_ancestor_mock = mock.MagicMock( side_effect=[[self.org789]]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock project_policy = { 'bindings': [{ 'role': 'roles/owner', 'members': [ 'user:[email protected]', ] }] } actual_violations = set( rules_engine.find_policy_violations(self.project1, project_policy) ) # expected expected_violations = set([]) self.assertItemsEqual(expected_violations, actual_violations)
def test_policy_with_no_rules_has_no_violations(self): """Test a policy against an empty RuleBook. Setup: * Create a Rules Engine * Create the policy bindings. * Created expected violations list. Expected results: No policy violations found. """ self.mock_org_rel_dao.find_ancestors = mock.MagicMock( side_effect=[self.org789]) # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path) rules_engine.rule_book = ire.IamRuleBook( {}, snapshot_timestamp=self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() find_ancestor_mock = mock.MagicMock(side_effect=[[self.org789]]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock policy = { 'bindings': [{ 'role': 'roles/editor', 'members': ['user:[email protected]', 'user:[email protected]'] }] } actual_violations = set( rules_engine.find_policy_violations(self.project1, policy)) # expected expected_violations = set() self.assertEqual(expected_violations, actual_violations)
def test_no_mismatch(self): """Test a policy where no members mismatch the whitelist. Setup: * Create a RulesEngine and add test_rules.RULES1. * Create the policy binding. * Create the Rule and rule bindings. * Create the resource association for the Rule. Expected results: No policy binding members missing from the whitelist. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path) rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES1, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() find_ancestor_mock = mock.MagicMock(side_effect=[[self.org789]]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock policy = { 'bindings': [{ 'role': 'roles/editor', 'members': ['user:[email protected]', 'user:[email protected]'] }] } actual_violations = set( rules_engine.find_policy_violations(self.project1, policy)) # expected expected_violations = set() self.assertEqual(expected_violations, actual_violations)
def test_org_self_rules_work_with_org_child_rules(self): """Test org "self" whitelist works with org "children" whitelist Test hierarchical rules. Setup: * Create a RulesEngine with RULES4 rule set. * Create policy. Expected result: * Find 3 rule violations. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path) rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES4, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() find_ancestor_mock = mock.MagicMock(side_effect=[[], [self.org789]]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock org_policy = { 'bindings': [{ 'role': 'roles/owner', 'members': [ 'user:[email protected]', 'user:[email protected]', ] }] } project_policy = { 'bindings': [{ 'role': 'roles/editor', 'members': [ 'user:[email protected]', 'user:[email protected]', ] }] } actual_violations = set( itertools.chain( rules_engine.find_policy_violations(self.org789, org_policy), rules_engine.find_policy_violations(self.project1, project_policy))) # expected expected_outstanding_org = { 'roles/owner': [IamPolicyMember.create_from('user:[email protected]')] } expected_outstanding_proj = { 'roles/editor': [IamPolicyMember.create_from('user:[email protected]')] } expected_violations = set([ scanner_rules.RuleViolation( rule_index=0, rule_name='org whitelist', resource_id=self.org789.id, resource_type=self.org789.type, violation_type='ADDED', role=org_policy['bindings'][0]['role'], members=tuple(expected_outstanding_org['roles/owner'])), scanner_rules.RuleViolation( rule_index=1, rule_name='project whitelist', resource_id=self.project1.id, resource_type=self.project1.type, violation_type='ADDED', role=project_policy['bindings'][0]['role'], members=tuple(expected_outstanding_proj['roles/editor'])), ]) self.assertItemsEqual(expected_violations, actual_violations)
def test_build_rule_book_from_local_json_file_works(self): """Test that a RuleBook is built correctly with a json file.""" rules_local_path = get_datafile_path(__file__, 'test_rules_1.json') rules_engine = ire.IamRulesEngine(rules_file_path=rules_local_path) rules_engine.build_rule_book() self.assertEqual(4, len(rules_engine.rule_book.resource_rules_map))
def test_org_proj_rules_vs_policy_has_violations(self): """Test rules on org and project with whitelist, blacklist, required. Test whitelist, blacklist, and required rules against an org that has 1 blacklist violation and a project that has 1 whitelist violation and 1 required violation. Setup: * Create a RulesEngine with RULES3 rule set. * Create policy. Expected result: * Find 3 rule violations. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path) rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES3, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() find_ancestor_mock = mock.MagicMock(side_effect=[[], [self.org789]]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock org_policy = { 'bindings': [{ 'role': 'roles/editor', 'members': [ 'user:[email protected]', 'user:[email protected]', ] }] } project_policy = { 'bindings': [{ 'role': 'roles/editor', 'members': [ 'user:[email protected]', 'user:[email protected]', ] }] } actual_violations = set( itertools.chain( rules_engine.find_policy_violations(self.org789, org_policy), rules_engine.find_policy_violations(self.project1, project_policy), )) # expected expected_outstanding_org = { 'roles/editor': [IamPolicyMember.create_from('user:[email protected]')] } expected_outstanding_project = { 'roles/editor': [IamPolicyMember.create_from('user:[email protected]')], 'roles/viewer': [IamPolicyMember.create_from('user:[email protected]')] } expected_violations = set([ scanner_rules.RuleViolation( rule_index=1, rule_name='my blacklist rule', resource_id=self.org789.id, resource_type=self.org789.type, violation_type='ADDED', role=org_policy['bindings'][0]['role'], members=tuple(expected_outstanding_org['roles/editor'])), scanner_rules.RuleViolation( rule_index=0, rule_name='my whitelist rule', resource_id=self.project1.id, resource_type=self.project1.type, violation_type='ADDED', role=project_policy['bindings'][0]['role'], members=tuple(expected_outstanding_project['roles/editor'])), scanner_rules.RuleViolation( rule_index=2, rule_name='my required rule', resource_id=self.project1.id, resource_type=self.project1.type, violation_type='REMOVED', role='roles/viewer', members=tuple(expected_outstanding_project['roles/viewer'])), ]) self.assertItemsEqual(expected_violations, actual_violations)
def test_whitelist_blacklist_rules_vs_policy_has_violations(self): """Test a ruleset with whitelist and blacklist violating rules. Setup: * Mock find_ancestors(). * Create a RulesEngine with RULES2 rule set. * Create policy. Expected result: * Find 1 rule violation. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path, self.fake_timestamp) # TODO: mock the rules local path to return RULES2 rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES2, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() find_ancestor_mock = mock.MagicMock(side_effect=[[self.org789], []]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock policy = { 'bindings': [{ 'role': 'roles/editor', 'members': [ 'user:[email protected]', 'user:[email protected]', 'user:[email protected]' ] }] } actual_violations = set( itertools.chain( rules_engine.find_policy_violations(self.project1, policy), rules_engine.find_policy_violations(self.project2, policy))) # expected expected_outstanding1 = { 'roles/editor': [IamPolicyMember.create_from('user:[email protected]')] } expected_outstanding2 = { 'roles/editor': [IamPolicyMember.create_from('user:[email protected]')] } expected_violations = set([ scanner_rules.RuleViolation( rule_index=0, rule_name='my rule', resource_id=self.project1.id, resource_type=self.project1.type, violation_type='ADDED', role=policy['bindings'][0]['role'], members=tuple(expected_outstanding1['roles/editor'])), scanner_rules.RuleViolation( rule_index=0, rule_name='my rule', resource_type=self.project2.type, resource_id=self.project2.id, violation_type='ADDED', role=policy['bindings'][0]['role'], members=tuple(expected_outstanding1['roles/editor'])), scanner_rules.RuleViolation( rule_index=1, rule_name='my other rule', resource_type=self.project2.type, resource_id=self.project2.id, violation_type='ADDED', role=policy['bindings'][0]['role'], members=tuple(expected_outstanding2['roles/editor'])), scanner_rules.RuleViolation( rule_index=2, rule_name='required rule', resource_id=self.project1.id, resource_type=self.project1.type, violation_type='REMOVED', role='roles/viewer', members=tuple([ IamPolicyMember.create_from( 'user:[email protected]') ])) ]) self.assertItemsEqual(expected_violations, actual_violations)
def test_wildcard_resources_with_project_whitelist(self): """Test whitelisted wildcard resources. Setup: * Create a RulesEngine with RULES9 rule set. * Create policy. Expected result: * Find 2 rule violations: - A policy binding that violates the org whitelist. - A policy binding that violates the org whitelist, even though the project whitelist allows it. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path) rules_engine.rule_book = ire.IamRuleBook({}, test_rules.RULES9, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() # have to return 2 [self.org789] because the find_ancestors() call is # called twice, once for each find_violations(). find_ancestor_mock = mock.MagicMock( side_effect=[[self.org789], [self.org789]]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock project_policy = { 'bindings': [ { 'role': 'roles/owner', 'members': [ 'user:[email protected]', 'user:[email protected]', 'user:[email protected]', ] }, { 'role': 'roles/editor', 'members': [ 'user:[email protected]', ] }, ] } actual_violations = set( rules_engine.find_policy_violations(self.project1, project_policy)) # expected # [email protected] not in any whitelists # [email protected] is allowed by the project whitelist # but we still alert due to the org whitelist. expected_outstanding_proj = { 'roles/owner': [ IamPolicyMember.create_from('user:[email protected]'), IamPolicyMember.create_from( 'user:[email protected]'), ], 'roles/editor': [IamPolicyMember.create_from('user:[email protected]')] } expected_violations = set([ scanner_rules.RuleViolation( rule_index=0, rule_name='org whitelist', resource_id=self.project1.id, resource_type=self.project1.type, violation_type='ADDED', role=project_policy['bindings'][0]['role'], members=tuple(expected_outstanding_proj['roles/owner'])), scanner_rules.RuleViolation( rule_index=0, rule_name='org whitelist', resource_id=self.project1.id, resource_type=self.project1.type, violation_type='ADDED', role=project_policy['bindings'][1]['role'], members=tuple(expected_outstanding_proj['roles/editor'])), ]) self.assertItemsEqual(expected_violations, actual_violations)
def test_build_rule_book_no_resource_type_fails(self): """Test that a rule without a resource type cannot be created.""" rules_local_path = get_datafile_path(__file__, 'test_rules_2.yaml') rules_engine = ire.IamRulesEngine(rules_file_path=rules_local_path) with self.assertRaises(InvalidRulesSchemaError): rules_engine.build_rule_book()