Esempio n. 1
0
    def test_policy_binding_does_not_match_blacklist_rules(self):
        """Test that a policy binding does not match the blacklist.

        Setup:
            * Create a test policy binding.
            * Create a test rule binding.
            * Create a blacklist rule with the test rules.

        Expected results:
            No policy bindings found in the blacklist.
        """
        test_binding = {
            'role': 'roles/owner',
            'members': [
                'user:[email protected]',
            ]
        }
        rule_bindings = [{
            'role':
            'roles/owner',
            'members': [
                'user:*@company.com',
                'user:abc@*.somewhere.com',
                'group:*@googlegroups.com',
                'serviceAccount:*@*.gserviceaccount.com',
            ]
        }]

        rule = Rule('test rule', 0, rule_bindings, mode='blacklist')
        resource_rule = ResourceRules(rules=[rule])
        results = list(
            resource_rule.find_mismatches(self.project1, test_binding))

        self.assertEqual(0, len(results))
Esempio n. 2
0
    def test_add_single_rule_builds_correct_map(self):
        """Test that adding a single rule builds the correct map."""
        rule_book = OrgRuleBook(self.RULES1)
        actual_rules = rule_book.resource_rules_map

        # expected
        rule_bindings = [{
            'role': 'roles/*',
            'members': ['user:*@company.com']
        }]
        rule = Rule('my rule', 0, rule_bindings, mode='whitelist')
        expected_org_rules = ResourceRules(self.org789,
                                           rules=set([rule]),
                                           applies_to='self_and_children')
        expected_proj1_rules = ResourceRules(self.project1,
                                             rules=set([rule]),
                                             applies_to='self')
        expected_proj2_rules = ResourceRules(self.project2,
                                             rules=set([rule]),
                                             applies_to='self')
        expected_rules = {
            self.org789: expected_org_rules,
            self.project1: expected_proj1_rules,
            self.project2: expected_proj2_rules
        }

        self.assertEqual(expected_rules, actual_rules)
Esempio n. 3
0
    def test_one_member_mismatch(self):
        """Test a policy where one member mismatches the whitelist.

        Setup:
            * Create a RuleBook and add self.RULES1.
            * Create the policy binding.
            * Create the Rule and rule bindings.
            * Create the resource association for the Rule.

        Expected results:
            One policy binding member missing from the whitelist.
        """
        # actual
        rule_book = OrgRuleBook()
        rule_book._add_rules(self.RULES1)
        policy_bindings = [{
            'role':
            'roles/editor',
            'members': ['user:[email protected]', 'user:[email protected]']
        }]

        actual_violations = list(
            rule_book.find_violations(self.project1, policy_bindings[0]))

        # expected
        rule_bindings = [{
            'role': 'roles/*',
            'members': ['user:*@company.com']
        }]
        rule = Rule('my rule', 0, rule_bindings, mode='whitelist')
        expected_outstanding = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')]
        }
        expected_violations = [
            RuleViolation(resource_type=self.project1.resource_type,
                          resource_id=self.project1.resource_id,
                          rule_name=rule.rule_name,
                          rule_index=rule.rule_index,
                          role='roles/editor',
                          violation_type=RULE_VIOLATION_TYPE.get(rule.mode),
                          members=expected_outstanding['roles/editor'])
        ]

        self.assertEqual(expected_violations, actual_violations)
Esempio n. 4
0
    def test_policy_binding_matches_whitelist_rules(self):
        """Test that a policy binding matches the whitelist rules.

        Setup:
            * Create a test policy binding.
            * Create a test rule binding.
            * Create a whitelist rule with the test rules.

        Expected results:
            All policy binding members are in the whitelist.
        """
        test_binding = {
            'role':
            'roles/owner',
            'members': [
                'user:[email protected]',
                'user:[email protected]',
                'group:[email protected]',
                'serviceAccount:[email protected]',
            ]
        }
        rule_bindings = [{
            'role':
            'roles/owner',
            'members': [
                'user:*@company.com',
                'user:abc@*.somewhere.com',
                'group:*@googlegroups.com',
                'serviceAccount:*@*.gserviceaccount.com',
            ]
        }]

        rule = Rule('test rule', 0, rule_bindings, mode='whitelist')
        resource_rule = ResourceRules(rules=[rule])
        results = list(
            resource_rule.find_mismatches(self.project1, test_binding))

        self.assertEqual(0, len(results))
Esempio n. 5
0
    def test_policy_binding_mismatches_required_rules(self):
        """Test that a required list of members mismatches policy binding.

        Setup:
            * Create a test policy binding.
            * Create a test rule binding.
            * Create a required rule with the test rules.

        Expected results:
            All required members are found in the policy.
        """
        test_binding = {
            'role':
            'roles/owner',
            'members': [
                'user:[email protected]',
                'group:[email protected]',
                'serviceAccount:[email protected]',
            ]
        }
        rule_bindings = [{
            'role':
            'roles/owner',
            'members': [
                'user:[email protected]',
                'user:[email protected]',
            ]
        }]

        rule = Rule('test rule', 0, rule_bindings, mode='required')
        resource_rule = ResourceRules(resource=self.project1)
        resource_rule.rules.add(rule)
        results = list(
            resource_rule.find_mismatches(self.project1, test_binding))

        self.assertEqual(1, len(results))
Esempio n. 6
0
 def test_invalid_rule_mode_raises_when_create_rule(self):
     """Test that creating a Rule with invalid rule mode raises error."""
     with self.assertRaises(InvalidRulesSchemaError):
         Rule('exception', 0, [])