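    def test_generate_rules(self):
        """Generate enabled-APIs rules and compare them to the YAML fixture.

        Project-specific whitelists are only generated for projects with a
        non-empty list of enabled_apis: project_2 passes an empty list and
        project_4 is created without any extra_fields, so both should
        contribute no project rule.
        """
        projects = [
            scanner_test_utils.create_test_project(
                project_id='project_1',
                project_num=100000001,
                extra_fields={
                    'enabled_apis': [
                        'bigquery-json.googleapis.com',
                        'servicemanagement.googleapis.com',
                        'monitoring.googleapis.com',
                        'storage-api.googleapis.com',
                        'logging.googleapis.com',
                        'storage-component.googleapis.com',
                    ],
                }),
            scanner_test_utils.create_test_project(
                project_id='project_2',
                project_num=100000002,
                extra_fields={'enabled_apis': []}),
            scanner_test_utils.create_test_project(
                project_id='project_3',
                project_num=100000003,
                extra_fields={'enabled_apis': ['pubsub.googleapis.com']}),
            scanner_test_utils.create_test_project(
                project_id='project_4',
                project_num=100000004,
            ),
        ]

        scanner = easr.EnabledApisScannerRules()
        got_rules = scanner.generate_rules(
            projects, scanner_test_utils.create_test_global_config())
        # safe_load is sufficient for a plain-YAML fixture (mappings, lists,
        # scalars) and avoids the unrestricted constructor of the default
        # Loader; yaml.load() with no explicit Loader is deprecated since
        # PyYAML 5.1 and rejected by PyYAML 6.0.
        want_rules = yaml.safe_load(_EXPECTED_RULES_YAML)
        self.assertEqual(got_rules, want_rules)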
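    def test_generate_rules(self):
        """Generate log-sink rules for two projects and compare to the fixture.

        project-1 has no extra fields; project-2 declares a BigQuery audit-log
        dataset that lives in a separate audit-logs project.
        """
        audit_logs_dataset = {
            'name': 'project_2_logs',
            'location': 'US',
        }
        projects = [
            scanner_test_utils.create_test_project(
                project_id='project-1', project_num=123456),
            scanner_test_utils.create_test_project(
                project_id='project-2',
                project_num=789012,
                extra_fields={
                    'audit_logs': {
                        'logs_bigquery_dataset': audit_logs_dataset,
                    },
                },
                audit_logs_project={
                    'project_id': 'audit-logs',
                    'owners_group': '*****@*****.**',
                }),
        ]

        scanner = lssr.LogSinkScannerRules()
        got_rules = scanner.generate_rules(
            projects, scanner_test_utils.create_test_global_config())
        # safe_load is sufficient for a plain-YAML fixture and avoids the
        # unrestricted constructor of the default Loader; yaml.load() with no
        # explicit Loader is deprecated since PyYAML 5.1 and rejected by 6.0.
        want_rules = yaml.safe_load(_EXPECTED_RULES_YAML)
        self.assertEqual(got_rules, want_rules)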
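    def test_generate_rules(self):
        """Generate IAM rules for two projects and compare to the fixture.

        project_1 carries additional project permissions and three data
        buckets; project_2 carries editor / read-write / read-only groups,
        one data bucket, and an audit-log dataset hosted in a separate
        audit-logs project.
        """
        project_1 = scanner_test_utils.create_test_project(
            project_id='project_1',
            project_num=123456,
            extra_fields={
                'additional_project_permissions': [{
                    'roles': ['roles/bigquery.dataViewer'],
                    'members': ['group:[email protected]'],
                }],
                'data_buckets': [
                    {'name_suffix': '-data'},
                    {'name_suffix': '-more-data'},
                    {'name_suffix': '-euro-data'},
                ],
            })
        project_2 = scanner_test_utils.create_test_project(
            project_id='project_2',
            project_num=789012,
            extra_fields={
                'editors_groups': ['*****@*****.**'],
                'data_readwrite_groups': ['*****@*****.**'],
                'data_readonly_groups': [
                    '*****@*****.**',
                    '*****@*****.**',
                ],
                'data_buckets': [{'name_suffix': '-data'}],
                'audit_logs': {
                    'logs_bigquery_dataset': {
                        'name': 'project_2_logs',
                        'location': 'US',
                    },
                },
            },
            audit_logs_project={
                'project_id': 'audit-logs',
                'owners_group': '*****@*****.**',
            })
        projects = [project_1, project_2]

        # generate_rules is invoked on the class here, not on an instance.
        got_rules = isr.IamScannerRules.generate_rules(
            projects, scanner_test_utils.create_test_global_config())
        # safe_load is sufficient for a plain-YAML fixture and avoids the
        # unrestricted constructor of the default Loader; yaml.load() with no
        # explicit Loader is deprecated since PyYAML 5.1 and rejected by 6.0.
        want_rules = yaml.safe_load(_EXPECTED_RULES_YAML)
        self.assertDictEqual(got_rules, want_rules)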
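 def test_generate_rules_local_audit_logs(self):
     """Generate location rules for a project that keeps its own audit logs.

     No audit_logs_project is given, so the expected fixture is filled in
     with the project's own id as the audit-logs project, bucket and
     dataset owner.
     """
     projects = [
         scanner_test_utils.create_test_project(
             project_id='project-1',
             project_num=123456,
             extra_fields={
                 'bigquery_datasets': [{
                     'name': 'dataset',
                     'location': 'US',
                 }],
             },
         ),
     ]
     scanner = location_scanner_rules.LocationScannerRules()
     got_rules = scanner.generate_rules(
         projects, scanner_test_utils.create_test_global_config())
     expected_yaml = _EXPECTED_RULES_YAML.format(
         global_resource_type='organization',
         global_resource_ids=['246801357924'],
         audit_logs_project_id='project-1',
         audit_logs_bucket_id='project-1-logs',
         audit_logs_dataset_id='project-1:audit_logs',
     )
     # safe_load is sufficient for a plain-YAML fixture and avoids the
     # unrestricted constructor of the default Loader; yaml.load() with no
     # explicit Loader is deprecated since PyYAML 5.1 and rejected by 6.0.
     want_rules = yaml.safe_load(expected_yaml)
     self.assertEqual(got_rules, want_rules)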
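  def test_generate_rules_project_with_local_audit_logs(self):
    """Generate BigQuery rules for a project with locally stored audit logs.

    The expected document is the global, project and local-audit-project
    rule fragments concatenated under a single top-level ``rules:`` key.
    """
    project = scanner_test_utils.create_test_project(
        project_id='project_1', project_num=123456, extra_fields=TEST_DATASETS)
    scanner = bq_rules.BigQueryScannerRules()
    got_rules = scanner.generate_rules(
        [project], scanner_test_utils.create_test_global_config())

    expected_yaml = 'rules:\n{}\n{}\n{}'.format(
        EXPECTED_GLOBAL_RULES_YAML,
        EXPECTED_PROJECT_RULES_YAML,
        EXPECTED_LOCAL_AUDIT_PROJECT_YAML)
    # safe_load is sufficient for a plain-YAML fixture and avoids the
    # unrestricted constructor of the default Loader; yaml.load() with no
    # explicit Loader is deprecated since PyYAML 5.1 and rejected by 6.0.
    want_rules = yaml.safe_load(expected_yaml)

    self.assertEqual(got_rules, want_rules)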
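    def test_generate_rules_project_with_remote_audit_logs(self):
        """Generate BigQuery rules for a project whose audit logs are remote.

        The audit-log dataset lives in a separate project (project_1-audit),
        so the expected audit rule targets that project and its dataset
        instead of the local-audit fragment used by the other tests.
        """
        expected_audit_project_yaml = """
  - name: Whitelist for project project_1 audit logs
    mode: whitelist
    resource:
      - type: project
        resource_ids:
          - project_1-audit
    dataset_ids:
      - project_1-audit:audit_logs
    bindings:
      - role: OWNER
        members:
          - group_email: '*****@*****.**'
      - role: WRITER
        members:
          - user_email: '*****@*****.**'
      - role: READER
        members:
          - group_email: '*****@*****.**'
    """

        # Datasets from TEST_DATASETS are merged on top of the audit-log
        # settings (update() lets TEST_DATASETS win on any duplicate key).
        extra_fields = {
            'audit_logs': {
                'logs_bigquery_dataset': {
                    'name': 'audit_logs',
                    'location': 'US',
                },
            }
        }
        extra_fields.update(TEST_DATASETS)

        project = scanner_test_utils.create_test_project(
            project_id='project_1',
            project_num=123456,
            extra_fields=extra_fields,
            audit_logs_project={
                'project_id': 'project_1-audit',
                'owners_group': '*****@*****.**',
            })
        scanner = bq_rules.BigQueryScannerRules()
        got_rules = scanner.generate_rules(
            [project], scanner_test_utils.create_test_global_config())

        global_yaml = EXPECTED_GLOBAL_RULES_YAML.format(
            global_resource_type='organization',
            global_resource_ids=['246801357924'])
        expected_yaml = 'rules:\n{}\n{}\n{}'.format(
            global_yaml, EXPECTED_PROJECT_RULES_YAML,
            expected_audit_project_yaml)
        # safe_load is sufficient for a plain-YAML fixture and avoids the
        # unrestricted constructor of the default Loader; yaml.load() with no
        # explicit Loader is deprecated since PyYAML 5.1 and rejected by 6.0.
        want_rules = yaml.safe_load(expected_yaml)

        self.assertEqual(got_rules, want_rules)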
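    def test_generate_rules_no_org_id(self):
        """Generate lien rules when the global config has no organization_id.

        With organization_id removed, the expected global rule is scoped to
        a folder rather than an organization.
        """
        global_config = scanner_test_utils.create_test_global_config()
        global_config.pop('organization_id')
        project = scanner_test_utils.create_test_project(
            project_id='project_1', project_num=123456)

        scanner = lien_scanner_rules.LienScannerRules()
        got_rules = scanner.generate_rules([project], global_config)
        expected_yaml = _EXPECTED_RULES_YAML.format(
            global_resource_type='folder',
            global_resource_ids=['357801357924'])
        # safe_load is sufficient for a plain-YAML fixture and avoids the
        # unrestricted constructor of the default Loader; yaml.load() with no
        # explicit Loader is deprecated since PyYAML 5.1 and rejected by 6.0.
        want_rules = yaml.safe_load(expected_yaml)

        self.assertEqual(got_rules, want_rules)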
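    def test_generate_rules_no_org_id(self):
        """Generate BigQuery rules when the global config has no organization_id.

        With organization_id removed, the expected global rule is scoped to
        a folder rather than an organization; project and local-audit
        fragments are unchanged.
        """
        global_config = scanner_test_utils.create_test_global_config()
        global_config.pop('organization_id')
        project = scanner_test_utils.create_test_project(
            project_id='project_1',
            project_num=123456,
            extra_fields=TEST_DATASETS)

        scanner = bq_rules.BigQueryScannerRules()
        got_rules = scanner.generate_rules([project], global_config)
        global_yaml = EXPECTED_GLOBAL_RULES_YAML.format(
            global_resource_type='folder',
            global_resource_ids=['357801357924'])
        expected_yaml = 'rules:\n{}\n{}\n{}'.format(
            global_yaml, EXPECTED_PROJECT_RULES_YAML,
            EXPECTED_LOCAL_AUDIT_PROJECT_YAML)
        # safe_load is sufficient for a plain-YAML fixture and avoids the
        # unrestricted constructor of the default Loader; yaml.load() with no
        # explicit Loader is deprecated since PyYAML 5.1 and rejected by 6.0.
        want_rules = yaml.safe_load(expected_yaml)

        self.assertEqual(got_rules, want_rules)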
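 def test_generate_rules(self):
     """Generate resource rules for one project and compare to the fixture."""
     projects = [
         scanner_test_utils.create_test_project(
             project_id='project-1',
             project_num=123456,
             extra_fields={
                 'bigquery_datasets': [{
                     'name': 'dataset',
                     'location': 'US',
                 }],
             },
         ),
     ]
     scanner = resource_scanner_rules.ResourceScannerRules()
     got_rules = scanner.generate_rules(
         projects, scanner_test_utils.create_test_global_config())
     # safe_load is sufficient for a plain-YAML fixture and avoids the
     # unrestricted constructor of the default Loader; yaml.load() with no
     # explicit Loader is deprecated since PyYAML 5.1 and rejected by 6.0.
     want_rules = yaml.safe_load(_EXPECTED_RULES_YAML)
     self.assertEqual(got_rules, want_rules)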
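    def test_generate_rules_local_remote_logs(self):
        """Generate location rules for a project with remote audit logs.

        The audit-log bucket and dataset are declared under audit_logs and
        hosted in the separate project-1-audit project; the fixture is
        filled in with those remote ids.
        """
        audit_logs = {
            'logs_gcs_bucket': {
                'name': 'project-1-remote-logs',
                'location': 'US',
            },
            'logs_bigquery_dataset': {
                'name': 'project-1-remote-dataset',
                'location': 'US',
            },
        }
        project = scanner_test_utils.create_test_project(
            project_id='project-1',
            project_num=123456,
            extra_fields={
                'bigquery_datasets': [{
                    'name': 'dataset',
                    'location': 'US',
                }],
                'audit_logs': audit_logs,
            },
            audit_logs_project={
                'project_id': 'project-1-audit',
                'owners_group': '*****@*****.**',
            })

        scanner = location_scanner_rules.LocationScannerRules()
        got_rules = scanner.generate_rules(
            [project], scanner_test_utils.create_test_global_config())
        expected_yaml = _EXPECTED_RULES_YAML.format(
            audit_logs_project_id='project-1-audit',
            audit_logs_bucket_id='project-1-remote-logs',
            audit_logs_dataset_id='project-1-audit:project-1-remote-dataset',
        )
        # safe_load is sufficient for a plain-YAML fixture and avoids the
        # unrestricted constructor of the default Loader; yaml.load() with no
        # explicit Loader is deprecated since PyYAML 5.1 and rejected by 6.0.
        want_rules = yaml.safe_load(expected_yaml)
        self.assertEqual(got_rules, want_rules)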
        members:
        - group:[email protected]
        - group:[email protected]
"""

_PROJECTS = [
    scanner_test_utils.create_test_project(
        project_id='project_1',
        project_num=123456,
        extra_fields={
            'additional_project_permissions': [{
                'roles': ['roles/bigquery.dataViewer'],
                'members': ['group:[email protected]'],
            }],
            'data_buckets': [
                {
                    'name_suffix': '-data'
                },
                {
                    'name_suffix': '-more-data'
                },
                {
                    'name_suffix': '-euro-data'
                },
            ]
        }),
    scanner_test_utils.create_test_project(
        project_id='project_2',
        project_num=789012,
        extra_fields={
            'editors_groups': ['*****@*****.**'],
            'data_readwrite_groups': ['*****@*****.**'],
  - name: 'Whitelist Log sink for project project-2.'
    mode: whitelist
    resource:
      - type: project
        applies_to: self
        resource_ids:
          - project-2
    sink:
      destination: >-
        bigquery.googleapis.com/projects/audit-logs/datasets/project_2_logs
      filter: '*'
      include_children: '*'
"""

_PROJECTS = [
    scanner_test_utils.create_test_project(project_id='project-1',
                                           project_num=123456),
    scanner_test_utils.create_test_project(project_id='project-2',
                                           project_num=789012,
                                           extra_fields={
                                               'audit_logs': {
                                                   'logs_bigquery_dataset': {
                                                       'name':
                                                       'project_2_logs',
                                                       'location': 'US',
                                                   },
                                               },
                                           },
                                           audit_logs_project={
                                               'project_id':
                                               'audit-logs',
                                               'owners_group':
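  def test_generate_rules_project_with_additional_permissions(self):
    """Generate BigQuery rules when a dataset grants additional permissions.

    The extra_data dataset declares additional_dataset_permissions (extra
    owners and read-write members), which should surface as an additional
    whitelist rule for project_1:extra_data between the project rules and
    the local-audit-project rule.
    """
    extra_permissions_rule_yaml = """
  - name: 'Whitelist for dataset(s): project_1:extra_data'
    mode: whitelist
    resource:
      - type: project
        resource_ids:
          - project_1
    dataset_ids:
      - project_1:extra_data
    bindings:
      - role: OWNER
        members:
          - group_email: '*****@*****.**'
          - group_email: '*****@*****.**'
      - role: WRITER
        members:
          - group_email: '*****@*****.**'
          - user_email: '*****@*****.**'
          - user_email: '*****@*****.**'
      - role: READER
        members:
          - group_email: '*****@*****.**'
          - group_email: '*****@*****.**'
    """
    extra_data_permissions = {
        'owners': ['group:[email protected]'],
        'readwrite': [
            'serviceAccount:[email protected]',
            'user:[email protected]',
        ],
    }
    datasets = {
        'bigquery_datasets': [
            {'name': 'us_data', 'location': 'US'},
            {
                'name': 'extra_data',
                'location': 'US',
                'additional_dataset_permissions': extra_data_permissions,
            },
            {'name': 'euro_data', 'location': 'EU'},
        ]
    }

    project = scanner_test_utils.create_test_project(
        project_id='project_1', project_num=123456, extra_fields=datasets)

    scanner = bq_rules.BigQueryScannerRules()
    got_rules = scanner.generate_rules(
        [project], scanner_test_utils.create_test_global_config())

    expected_yaml = 'rules:\n{}\n{}\n{}\n{}'.format(
        EXPECTED_GLOBAL_RULES_YAML,
        EXPECTED_PROJECT_RULES_YAML,
        extra_permissions_rule_yaml,
        EXPECTED_LOCAL_AUDIT_PROJECT_YAML)
    # safe_load is sufficient for a plain-YAML fixture and avoids the
    # unrestricted constructor of the default Loader; yaml.load() with no
    # explicit Loader is deprecated since PyYAML 5.1 and rejected by 6.0.
    want_rules = yaml.safe_load(expected_yaml)

    self.assertEqual(got_rules, want_rules)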