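def test_direct_access_violation(self):
    """A direct access source on an IAP-enabled service is reported.

    The backend service has IAP enabled, no alternate services and one
    direct access source ('some-tag'). find_mismatches is expected to
    yield exactly one IAP_VIOLATION that lists that source, with no
    alternate-service violation and no iap_enabled violation.
    """
    # NOTE(review): the two empty lists are presumably the allowed alternate
    # services and allowed direct access sources, and '^.*' the pattern for
    # the allowed iap_enabled value -- confirm against ire.Rule.
    rule = ire.Rule('my rule', 0, [], [], '^.*')
    resource_rule = ire.ResourceRules(
        self.org789, rules={rule}, applies_to='self_and_children')
    direct_source = 'some-tag'
    service = backend_service.BackendService(
        project_id=self.project1.id, name='bs1')
    iap_resource = iap_scanner.IapResource(
        backend_service=service,
        alternate_services=set(),
        direct_access_sources={direct_source},
        iap_enabled=True)

    results = list(resource_rule.find_mismatches(service, iap_resource))

    expected_violations = [
        ire.RuleViolation(
            resource_type='backend_service',
            resource_name='bs1',
            resource_id=service.resource_id,
            rule_name=rule.rule_name,
            rule_index=rule.rule_index,
            violation_type='IAP_VIOLATION',
            alternate_services_violations=[],
            direct_access_sources_violations=[direct_source],
            iap_enabled_violation=False),
    ]
    # assertEqual, not assertEquals: the alias is deprecated and was removed
    # from unittest in Python 3.12, so the old spelling would error there
    # instead of checking the scanner output.
    self.assertEqual(expected_violations, results)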
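def test_no_violations(self):
    """An IAP-enabled service with no bypass paths yields no violations.

    The backend service has IAP enabled and empty alternate-service and
    direct-access-source sets, so find_mismatches is expected to yield
    nothing.
    """
    # NOTE(review): the two empty lists are presumably the allowed alternate
    # services and allowed direct access sources -- confirm against ire.Rule.
    rule = ire.Rule('my rule', 0, [], [], '^.*$')
    resource_rule = ire.ResourceRules(
        self.org789, rules={rule}, applies_to='self_and_children')
    service = backend_service.BackendService(
        project_id=self.project1.id, name='bs1')
    iap_resource = iap_scanner.IapResource(
        backend_service=service,
        alternate_services=set(),
        direct_access_sources=set(),
        iap_enabled=True)

    results = list(resource_rule.find_mismatches(service, iap_resource))

    # assertEqual, not assertEquals: the alias is deprecated and was removed
    # from unittest in Python 3.12.
    self.assertEqual([], results)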
def test_add_single_rule_builds_correct_map(self):
    """Check the resource-rules map built from the RULES1 definition.

    The rule book is expected to hold one ResourceRules entry per
    (resource, applies_to) pair, each carrying the same single rule.
    """
    book = ire.IapRuleBook({}, test_iap_rules.RULES1, self.fake_timestamp)

    only_rule = ire.Rule('my rule', 0, [], [], '^.*$')
    # The organization entry covers its children; each project entry
    # applies to that project alone.
    targets = [
        (self.org789, 'self_and_children'),
        (self.project1, 'self'),
        (self.project2, 'self'),
    ]
    wanted = {
        (resource, scope): ire.ResourceRules(
            resource, rules=set([only_rule]), applies_to=scope)
        for resource, scope in targets
    }

    self.assertEqual(wanted, book.resource_rules_map)
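def test_violations_iap_disabled(self):
    """If IAP is disabled, don't report other violations.

    The resource carries both an alternate service ('bs2') and a direct
    access source ('some-tag'), but iap_enabled is False, and
    find_mismatches is expected to yield nothing.
    """
    # NOTE(review): '^.*' presumably accepts any iap_enabled value, which
    # would be why the disabled state itself is not flagged here -- confirm
    # against ire.Rule.
    rule = ire.Rule('my rule', 0, [], [], '^.*')
    resource_rule = ire.ResourceRules(
        self.org789, rules={rule}, applies_to='self_and_children')
    service = backend_service.BackendService(
        project_id=self.project1.id, name='bs1')
    alternate_service = backend_service.Key.from_args(
        project_id=self.project1.id, name='bs2')
    iap_resource = iap_scanner.IapResource(
        backend_service=service,
        alternate_services={alternate_service},
        direct_access_sources={'some-tag'},
        iap_enabled=False)

    results = list(resource_rule.find_mismatches(service, iap_resource))

    expected_violations = []
    # assertEqual, not assertEquals: the alias is deprecated and was removed
    # from unittest in Python 3.12.
    self.assertEqual(expected_violations, results)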