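def test_find_required_violation(self):
    """Test required api rules.

    Builds the rule book from enabled_apis_test_rules_2.yaml and checks
    three cases against the rules engine: a project that has every
    required API enabled yields no violation; a project missing a required
    API yields exactly one violation listing the missing API; a project
    the required rule does not apply to yields none.
    """
    rules_local_path = get_datafile_path(__file__,
                                         'enabled_apis_test_rules_2.yaml')
    rules_engine = eare.EnabledApisRulesEngine(
        rules_file_path=rules_local_path)
    rules_engine.build_rule_book()
    self.assertEqual(2, len(rules_engine.rule_book.resource_rules_map))

    # Required API is included.
    violations = rules_engine.find_violations(
        self.proj_3, ['foo.googleapis.com', 'bar.googleapis.com'])
    self.assertEqual(0, len(list(violations)))

    # Required API is missing: the violation must name only the missing API.
    violations = list(
        rules_engine.find_violations(self.proj_3, ['foo.googleapis.com']))
    self.assertEqual(1, len(violations))
    self.assertEqual(eare.VIOLATION_TYPE, violations[0].violation_type)
    self.assertEqual(('bar.googleapis.com',), violations[0].apis)

    # Required rule doesn't apply to project.
    violations = rules_engine.find_violations(self.proj_2,
                                              ['foo.googleapis.com'])
    self.assertEqual(0, len(list(violations)))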
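def test_find_whitelist_violation(self):
    """Test whitelist rules.

    Builds the rule book from enabled_apis_test_rules_1.yaml and checks
    that only whitelisted APIs pass: a fully whitelisted set yields no
    violation; non-whitelisted APIs are reported together in a single
    violation; an API whitelisted at the organization level but not
    matched by the global wildcard is still reported for the project.
    """
    rules_local_path = get_datafile_path(__file__,
                                         'enabled_apis_test_rules_1.yaml')
    rules_engine = eare.EnabledApisRulesEngine(
        rules_file_path=rules_local_path)
    rules_engine.build_rule_book()
    self.assertEqual(4, len(rules_engine.rule_book.resource_rules_map))

    # Everything is allowed.
    violations = rules_engine.find_violations(
        self.proj_3,
        ['foo.googleapis.com', 'bar.googleapis.com', 'baz.googleapis.com'])
    self.assertEqual(0, len(list(violations)))

    # Non-whitelisted APIs: both offenders are collected into one violation.
    violations = list(
        rules_engine.find_violations(self.proj_3, [
            'alpha.googleapis.com', 'bar.googleapis.com', 'other-api.com'
        ]))
    self.assertEqual(1, len(violations))
    self.assertEqual(eare.VIOLATION_TYPE, violations[0].violation_type)
    self.assertEqual(('alpha.googleapis.com', 'other-api.com'),
                     violations[0].apis)

    # API is whitelisted for Organization, but not globally (wildcard).
    violations = list(
        rules_engine.find_violations(self.proj_1, ['qux.googleapis.com']))
    self.assertEqual(1, len(violations))
    self.assertEqual(eare.VIOLATION_TYPE, violations[0].violation_type)
    self.assertEqual(('qux.googleapis.com',), violations[0].apis)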
def test_build_rule_book_invalid_mode_fails(self):
    """Test that a rule with an invalid mode cannot be created.

    enabled_apis_test_rules_3.yaml carries a rule whose mode the engine
    does not accept; building the rule book from it must raise
    InvalidRulesSchemaError rather than silently producing a rule book.
    """
    rules_path = get_datafile_path(__file__,
                                   'enabled_apis_test_rules_3.yaml')
    engine = eare.EnabledApisRulesEngine(rules_file_path=rules_path)

    # Constructing the engine is fine; the schema check happens at build time.
    with self.assertRaises(InvalidRulesSchemaError):
        engine.build_rule_book()
def test_build_rule_book_overlapping_resources_works(self):
    """Test a RuleBook with multiple rules on a single resource.

    The rule book built from enabled_apis_test_rules_2.yaml must key its
    resource map by resource, so several rules on one resource collapse
    into a single entry and the map holds two resources.
    """
    rules_path = get_datafile_path(__file__,
                                   'enabled_apis_test_rules_2.yaml')
    engine = eare.EnabledApisRulesEngine(rules_file_path=rules_path)
    engine.build_rule_book()

    # Creates rules for 2 different resources.
    resource_count = len(engine.rule_book.resource_rules_map)
    self.assertEqual(2, resource_count)
def test_build_rule_book_from_local_yaml_file_works(self):
    """Test that a RuleBook is built correctly with a yaml file.

    Loads enabled_apis_test_rules_1.yaml from the test data directory and
    checks that the resulting resource map contains four resources.
    """
    rules_path = get_datafile_path(__file__,
                                   'enabled_apis_test_rules_1.yaml')
    engine = eare.EnabledApisRulesEngine(rules_file_path=rules_path)
    engine.build_rule_book()

    # Creates rules for 4 different resources.
    resource_count = len(engine.rule_book.resource_rules_map)
    self.assertEqual(4, resource_count)
def __init__(self, global_configs, scanner_configs, service_config,
             model_name, snapshot_timestamp, rules):
    """Initialization.

    Args:
        global_configs (dict): Global configurations.
        scanner_configs (dict): Scanner configurations.
        service_config (ServiceConfig): Forseti 2.0 service configs
        model_name (str): name of the data model
        snapshot_timestamp (str): Timestamp, formatted as YYYYMMDDTHHMMSSZ.
        rules (str): Fully-qualified path and filename of the rules file.
    """
    super(EnabledApisScanner, self).__init__(
        global_configs, scanner_configs, service_config, model_name,
        snapshot_timestamp, rules)

    # The engine is fed the attributes the base initializer stores
    # (self.rules, self.snapshot_timestamp) rather than the raw arguments,
    # so it sees exactly what the scanner itself holds.
    engine = enabled_apis_rules_engine.EnabledApisRulesEngine(
        rules_file_path=self.rules,
        snapshot_timestamp=self.snapshot_timestamp)
    self.rules_engine = engine

    # Rule book is built eagerly at construction, so a malformed rules
    # file fails here rather than on the first scan.
    engine.build_rule_book(self.global_configs)
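def test_find_blacklist_violation(self):
    """Test blacklist rules.

    Builds the rule book from enabled_apis_test_rules_1.yaml and checks
    that enabling only non-blacklisted APIs yields no violation, while
    enabling a blacklisted API yields one violation naming just that API.
    """
    rules_local_path = get_datafile_path(__file__,
                                         'enabled_apis_test_rules_1.yaml')
    rules_engine = eare.EnabledApisRulesEngine(
        rules_file_path=rules_local_path)
    rules_engine.build_rule_book()
    self.assertEqual(4, len(rules_engine.rule_book.resource_rules_map))

    # Everything is allowed.
    violations = rules_engine.find_violations(
        self.proj_1, ['foo.googleapis.com', 'baz.googleapis.com'])
    self.assertEqual(0, len(list(violations)))

    # Blacklisted APIs: only the blacklisted entry is reported, not the
    # permitted APIs enabled alongside it.
    violations = list(
        rules_engine.find_violations(self.proj_1, [
            'foo.googleapis.com', 'bar.googleapis.com', 'baz.googleapis.com'
        ]))
    self.assertEqual(1, len(violations))
    self.assertEqual(eare.VIOLATION_TYPE, violations[0].violation_type)
    self.assertEqual(('bar.googleapis.com',), violations[0].apis)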