def testAllDisabled(self):
builder = scanner_builder.ScannerBuilder(
FAKE_GLOBAL_CONFIGS, fake_runnable_scanners.ALL_DISABLED,
mock.MagicMock(), '', FAKE_TIMESTAMP)
runnable_pipelines = builder.build()
self.assertEqual(0, len(runnable_pipelines))
def run(model_name=None,
progress_queue=None,
service_config=None,
scanner_name=None):
"""Run the scanners.
Entry point when the scanner is run as a library.
Args:
model_name (str): The name of the data model.
progress_queue (Queue): The progress queue.
service_config (ServiceConfig): Forseti 2.0 service configs.
scanner_name (str): Name of the scanner that runs separately.
Returns:
int: Status code.
"""
global_configs = service_config.get_global_config()
scanner_configs = service_config.get_scanner_config()
with service_config.scoped_session() as session:
service_config.violation_access = scanner_dao.ViolationAccess(session)
model_description = (
service_config.model_manager.get_description(model_name))
inventory_index_id = (
model_description.get('source_info').get('inventory_index_id'))
scanner_index_id = init_scanner_index(session, inventory_index_id)
runnable_scanners = scanner_builder.ScannerBuilder(
global_configs, scanner_configs, service_config, model_name,
None, scanner_name).build()
succeeded = []
failed = []
progress_queue.put('Scanner Index ID: {} is created'.
format(scanner_index_id))
for scanner in runnable_scanners:
try:
scanner.run()
progress_queue.put('Running {}...'.format(
scanner.__class__.__name__))
except Exception: # pylint: disable=broad-except
log_message = 'Error running scanner: {}'.format(
scanner.__class__.__name__)
progress_queue.put(log_message)
LOGGER.exception(log_message)
failed.append(scanner.__class__.__name__)
else:
succeeded.append(scanner.__class__.__name__)
session.flush()
# pylint: enable=bare-except
log_message = 'Scan completed!'
mark_scanner_index_complete(
session, scanner_index_id, succeeded, failed)
progress_queue.put(log_message)
progress_queue.put(None)
LOGGER.info(log_message)
return 0
def testTwoEnabled(self, mock_bucket_rules_engine, mock_iam_rules_engine):
builder = scanner_builder.ScannerBuilder(
FAKE_GLOBAL_CONFIGS, fake_runnable_scanners.TWO_ENABLED,
mock.MagicMock(), '', FAKE_TIMESTAMP)
runnable_pipelines = builder.build()
self.assertEqual(2, len(runnable_pipelines))
expected_pipelines = ['BucketsAclScanner', 'IamPolicyScanner']
for pipeline in runnable_pipelines:
self.assertTrue(type(pipeline).__name__ in expected_pipelines)
def testCanBuildOneSpecificScanner(self, mock_rules_engine):
builder = scanner_builder.ScannerBuilder(
FAKE_GLOBAL_CONFIGS, {}, mock.MagicMock(), '', FAKE_TIMESTAMP,
'external_project_access_scanner')
runnable_pipelines = builder.build()
expected_scanner_name = 'ExternalProjectAccessScanner'
actual_scanner_name = type(runnable_pipelines[0]).__name__
self.assertEqual(expected_scanner_name, actual_scanner_name)
def testConfigValidator(self):
builder = scanner_builder.ScannerBuilder(
FAKE_GLOBAL_CONFIGS, fake_runnable_scanners.CONFIG_VALIDATOR_ENABLED,
mock.MagicMock(), '', FAKE_TIMESTAMP)
runnable_pipelines = builder.build()
self.assertEqual(1, len(runnable_pipelines))
expected_pipelines = ['ConfigValidatorScanner']
for pipeline in runnable_pipelines:
self.assertTrue(type(pipeline).__name__ in expected_pipelines)
def testNonExistentScannerIsHandled(self, mock_logger):
builder = scanner_builder.ScannerBuilder(
FAKE_GLOBAL_CONFIGS, fake_runnable_scanners.NONEXISTENT_ENABLED,
mock.MagicMock(), '', FAKE_TIMESTAMP)
runnable_pipelines = builder.build()
mock_logger.error.assert_called_with(
'Configured scanner is undefined '
'in scanner requirements map : %s', 'non_exist_scanner')
self.assertEqual(1, len(runnable_pipelines))
expected_pipelines = ['BucketsAclScanner']
for pipeline in runnable_pipelines:
self.assertTrue(type(pipeline).__name__ in expected_pipelines)
def testAllEnabled(self, mock_bigquery_rules_engine,
mock_bucket_rules_engine, mock_cloudsql_rules_engine,
mock_iam_rules_engine, mock_logger):
builder = scanner_builder.ScannerBuilder(
FAKE_GLOBAL_CONFIGS, fake_runnable_scanners.ALL_ENABLED,
mock.MagicMock(), '', FAKE_TIMESTAMP)
runnable_pipelines = builder.build()
self.assertFalse(mock_logger.called)
self.assertEqual(4, len(runnable_pipelines))
expected_pipelines = [
'BigqueryScanner', 'BucketsAclScanner', 'CloudSqlAclScanner',
'IamPolicyScanner'
]
for pipeline in runnable_pipelines:
self.assertTrue(type(pipeline).__name__ in expected_pipelines)
def testNonExistentScannerRulesIsHandled(self, mock_logger):
builder = scanner_builder.ScannerBuilder(
FAKE_GLOBAL_CONFIGS,
fake_runnable_scanners.NONEXISTENT_RULES_ENABLED,
mock.MagicMock(),
'',
FAKE_TIMESTAMP)
runnable_scanners = builder.build()
rules_path = os.path.join(fake_runnable_scanners.test_rules_path,
'firewall_rules.yaml')
mock_logger.error.assert_called_with(
f'Rules file for Scanner firewall_rule does not '
f'exist. Rules path: {rules_path}')
self.assertEqual(0, len(runnable_scanners))
