コード例 #1
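    def test_find_required_violation(self):
        """Test required api rules.

        Loads 'enabled_apis_test_rules_2.yaml' and exercises find_violations()
        in three situations: every required API enabled (no violation), one
        required API missing (a single violation naming it), and a project
        the rule is expected not to cover (no violation).
        """
        rules_local_path = get_datafile_path(__file__,
                                             'enabled_apis_test_rules_2.yaml')
        rules_engine = eare.EnabledApisRulesEngine(
            rules_file_path=rules_local_path)
        rules_engine.build_rule_book()
        # Pin the fixture's shape first, so the cases below fail loudly if the
        # rules file changes underneath them.
        self.assertEqual(2, len(rules_engine.rule_book.resource_rules_map))

        # assertEqual is used throughout: assertEquals is a deprecated alias
        # that was removed from unittest in Python 3.12.

        # Required API is included.
        violations = rules_engine.find_violations(
            self.proj_3, ['foo.googleapis.com', 'bar.googleapis.com'])
        self.assertEqual(0, len(list(violations)))

        # Required API is missing: exactly one violation, and it must name
        # the API that was absent from the enabled list.
        violations = list(
            rules_engine.find_violations(self.proj_3, ['foo.googleapis.com']))
        self.assertEqual(1, len(violations))
        self.assertEqual(eare.VIOLATION_TYPE, violations[0].violation_type)
        self.assertEqual(('bar.googleapis.com', ), violations[0].apis)

        # Required rule doesn't apply to project, so the same enabled list
        # that failed for proj_3 must produce nothing for proj_2.
        violations = rules_engine.find_violations(self.proj_2,
                                                  ['foo.googleapis.com'])
        self.assertEqual(0, len(list(violations)))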
コード例 #2
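    def test_find_whitelist_violation(self):
        """Test whitelist rules.

        Loads 'enabled_apis_test_rules_1.yaml' and checks that an allow-list
        rule reports every enabled API that is not on the list, and that an
        entry allowed for one resource is not treated as allowed everywhere.
        """
        rules_local_path = get_datafile_path(__file__,
                                             'enabled_apis_test_rules_1.yaml')
        rules_engine = eare.EnabledApisRulesEngine(
            rules_file_path=rules_local_path)
        rules_engine.build_rule_book()
        # Pin the fixture's shape first, so the cases below fail loudly if the
        # rules file changes underneath them.
        self.assertEqual(4, len(rules_engine.rule_book.resource_rules_map))

        # assertEqual is used throughout: assertEquals is a deprecated alias
        # that was removed from unittest in Python 3.12.

        # Everything is allowed.
        violations = rules_engine.find_violations(
            self.proj_3,
            ['foo.googleapis.com', 'bar.googleapis.com', 'baz.googleapis.com'])
        self.assertEqual(0, len(list(violations)))

        # Non-whitelisted APIs. Both unlisted entries must be reported in a
        # single violation, including the one outside googleapis.com; the
        # allowed 'bar' entry must not appear. The tuple comparison is
        # order-sensitive.
        violations = list(
            rules_engine.find_violations(self.proj_3, [
                'alpha.googleapis.com', 'bar.googleapis.com', 'other-api.com'
            ]))
        self.assertEqual(1, len(violations))
        self.assertEqual(eare.VIOLATION_TYPE, violations[0].violation_type)
        self.assertEqual(('alpha.googleapis.com', 'other-api.com'),
                         violations[0].apis)

        # API is whitelisted for Organization, but not globally (wildcard).
        # The narrower allowance must not suppress the violation here.
        violations = list(
            rules_engine.find_violations(self.proj_1, ['qux.googleapis.com']))
        self.assertEqual(1, len(violations))
        self.assertEqual(eare.VIOLATION_TYPE, violations[0].violation_type)
        self.assertEqual(('qux.googleapis.com', ), violations[0].apis)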
コード例 #3
 def test_build_rule_book_invalid_mode_fails(self):
     """Test that a rule with an invalid mode cannot be created."""
     fixture = get_datafile_path(__file__, 'enabled_apis_test_rules_3.yaml')
     # Constructing the engine sits outside the assertion on purpose: the
     # schema error has to come from build_rule_book() itself.
     engine = eare.EnabledApisRulesEngine(rules_file_path=fixture)
     # A rules file with an unrecognised mode must be rejected outright
     # rather than yield a rule book.
     self.assertRaises(InvalidRulesSchemaError, engine.build_rule_book)
コード例 #4
 def test_build_rule_book_overlapping_resources_works(self):
     """Test a RuleBook with multiple rules on a single resource."""
     fixture = get_datafile_path(__file__, 'enabled_apis_test_rules_2.yaml')
     engine = eare.EnabledApisRulesEngine(rules_file_path=fixture)
     engine.build_rule_book()
     resource_map = engine.rule_book.resource_rules_map
     # The map is expected to hold one entry per resource, so this fixture
     # must produce exactly 2 entries.
     self.assertEqual(2, len(resource_map))
コード例 #5
 def test_build_rule_book_from_local_yaml_file_works(self):
     """Test that a RuleBook is built correctly with a yaml file."""
     fixture = get_datafile_path(__file__, 'enabled_apis_test_rules_1.yaml')
     engine = eare.EnabledApisRulesEngine(rules_file_path=fixture)
     engine.build_rule_book()
     resource_map = engine.rule_book.resource_rules_map
     # This fixture must produce rules for exactly 4 different resources.
     self.assertEqual(4, len(resource_map))
コード例 #6
    def __init__(self, global_configs, scanner_configs, service_config,
                 model_name, snapshot_timestamp, rules):
        """Set up the scanner and load its rule book.

        Args:
            global_configs (dict): Global configurations.
            scanner_configs (dict): Scanner configurations.
            service_config (ServiceConfig): Forseti 2.0 service configs
            model_name (str): name of the data model
            snapshot_timestamp (str): Timestamp, formatted as YYYYMMDDTHHMMSSZ.
            rules (str): Fully-qualified path and filename of the rules file.
        """
        base = super(EnabledApisScanner, self)
        base.__init__(global_configs, scanner_configs, service_config,
                      model_name, snapshot_timestamp, rules)
        # self.rules and self.snapshot_timestamp are read back from the
        # instance; presumably the base initializer stores them.
        engine_cls = enabled_apis_rules_engine.EnabledApisRulesEngine
        self.rules_engine = engine_cls(
            rules_file_path=self.rules,
            snapshot_timestamp=self.snapshot_timestamp)
        # The rule book is built during construction, so any exception raised
        # by build_rule_book() propagates out of the constructor.
        self.rules_engine.build_rule_book(self.global_configs)
コード例 #7
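    def test_find_blacklist_violation(self):
        """Test blacklist rules.

        Loads 'enabled_apis_test_rules_1.yaml' and checks that a deny-list
        rule reports only the enabled API the test treats as blacklisted and
        leaves the other enabled APIs alone.
        """
        rules_local_path = get_datafile_path(__file__,
                                             'enabled_apis_test_rules_1.yaml')
        rules_engine = eare.EnabledApisRulesEngine(
            rules_file_path=rules_local_path)
        rules_engine.build_rule_book()
        # Pin the fixture's shape first, so the cases below fail loudly if the
        # rules file changes underneath them.
        self.assertEqual(4, len(rules_engine.rule_book.resource_rules_map))

        # assertEqual is used throughout: assertEquals is a deprecated alias
        # that was removed from unittest in Python 3.12.

        # Everything is allowed.
        violations = rules_engine.find_violations(
            self.proj_1, ['foo.googleapis.com', 'baz.googleapis.com'])
        self.assertEqual(0, len(list(violations)))

        # Blacklisted APIs. Adding 'bar' to the previously clean list must
        # yield one violation that names 'bar' and nothing else.
        violations = list(
            rules_engine.find_violations(self.proj_1, [
                'foo.googleapis.com', 'bar.googleapis.com',
                'baz.googleapis.com'
            ]))
        self.assertEqual(1, len(violations))
        self.assertEqual(eare.VIOLATION_TYPE, violations[0].violation_type)
        self.assertEqual(('bar.googleapis.com', ), violations[0].apis)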