def test_org_whitelist_rules_vs_policy_no_violations(self):
"""Test ruleset on an org with whitelist with no rule violations.
Setup:
* Create a RulesEngine with RULES1 rule set.
* Create policy.
Expected result:
* Find no rule violations.
"""
# actual
rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
rules_engine = OrgRulesEngine(rules_local_path)
rules_engine.rule_book = OrgRuleBook(self.RULES1)
policy = {
'bindings': [{
'role': 'roles/editor',
'members': [
'user:[email protected]',
]
}]
}
actual_violations = []
actual_violations.extend(
rules_engine.find_policy_violations(self.org789, policy))
self.assertItemsEqual([], actual_violations)
def test_empty_policy_with_rules_no_violations(self):
"""Test an empty policy against the RulesEngine with rules.
Setup:
* Create a RulesEngine.
* Created expected violations list.
Expected results:
No policy violations found.
"""
# actual
rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
rules_engine = OrgRulesEngine(rules_local_path)
rules_engine.rule_book = OrgRuleBook(self.RULES1)
actual_violations = rules_engine.find_policy_violations(
self.project1, {})
# expected
expected_violations = []
self.assertEqual(expected_violations, actual_violations)
def test_org_proj_rules_vs_policy_has_violations(self):
"""Test rules on org and project with whitelist, blacklist, required.
Test whitelist, blacklist, and required rules against an org that has
1 blacklist violation and a project that has 1 whitelist violation and
1 required violation.
Setup:
* Create a RulesEngine with RULES3 rule set.
* Create policy.
Expected result:
* Find 3 rule violations.
"""
# actual
rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
rules_engine = OrgRulesEngine(rules_local_path)
rules_engine.rule_book = OrgRuleBook(self.RULES3)
org_policy = {
'bindings': [{
'role':
'roles/editor',
'members': [
'user:[email protected]',
'user:[email protected]',
]
}]
}
project_policy = {
'bindings': [{
'role':
'roles/editor',
'members': [
'user:[email protected]',
'user:[email protected]',
]
}]
}
actual_violations = []
actual_violations.extend(
rules_engine.find_policy_violations(self.org789, org_policy))
actual_violations.extend(
rules_engine.find_policy_violations(self.project1, project_policy))
# expected
expected_outstanding_org = {
'roles/editor':
[IamPolicyMember.create_from('user:[email protected]')]
}
expected_outstanding_project = {
'roles/editor':
[IamPolicyMember.create_from('user:[email protected]')],
'roles/viewer':
[IamPolicyMember.create_from('user:[email protected]')]
}
expected_violations = [
RuleViolation(rule_index=1,
rule_name='my blacklist rule',
resource_id=self.org789.resource_id,
resource_type=self.org789.resource_type,
violation_type='ADDED',
role=org_policy['bindings'][0]['role'],
members=expected_outstanding_org['roles/editor']),
RuleViolation(
rule_index=0,
rule_name='my whitelist rule',
resource_id=self.project1.resource_id,
resource_type=self.project1.resource_type,
violation_type='ADDED',
role=project_policy['bindings'][0]['role'],
members=expected_outstanding_project['roles/editor']),
RuleViolation(
rule_index=2,
rule_name='my required rule',
resource_id=self.project1.resource_id,
resource_type=self.project1.resource_type,
violation_type='REMOVED',
role='roles/viewer',
members=expected_outstanding_project['roles/viewer']),
]
self.assertItemsEqual(expected_violations, actual_violations)
def test_whitelist_blacklist_rules_vs_policy_has_violations(self):
"""Test a ruleset with whitelist and blacklist violating rules.
Setup:
* Create a RulesEngine with RULES2 rule set.
* Create policy.
Expected result:
* Find 1 rule violation.
"""
# actual
rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
rules_engine = OrgRulesEngine(rules_local_path)
rules_engine.rule_book = OrgRuleBook(self.RULES2)
policy = {
'bindings': [{
'role':
'roles/editor',
'members': [
'user:[email protected]', 'user:[email protected]',
'user:[email protected]'
]
}]
}
actual_violations = []
actual_violations.extend(
rules_engine.find_policy_violations(self.project1, policy))
actual_violations.extend(
rules_engine.find_policy_violations(self.project2, policy))
# expected
expected_outstanding1 = {
'roles/editor':
[IamPolicyMember.create_from('user:[email protected]')]
}
expected_outstanding2 = {
'roles/editor':
[IamPolicyMember.create_from('user:[email protected]')]
}
expected_violations = [
RuleViolation(rule_index=0,
rule_name='my rule',
resource_id=self.project1.resource_id,
resource_type=self.project1.resource_type,
violation_type='ADDED',
role=policy['bindings'][0]['role'],
members=expected_outstanding1['roles/editor']),
RuleViolation(rule_index=0,
rule_name='my rule',
resource_type=self.project2.resource_type,
resource_id=self.project2.resource_id,
violation_type='ADDED',
role=policy['bindings'][0]['role'],
members=expected_outstanding1['roles/editor']),
RuleViolation(rule_index=1,
rule_name='my other rule',
resource_type=self.project2.resource_type,
resource_id=self.project2.resource_id,
violation_type='ADDED',
role=policy['bindings'][0]['role'],
members=expected_outstanding2['roles/editor']),
RuleViolation(rule_index=2,
rule_name='required rule',
resource_id=self.project1.resource_id,
resource_type=self.project1.resource_type,
violation_type='REMOVED',
role='roles/viewer',
members=[
IamPolicyMember.create_from(
'user:[email protected]')
])
]
self.assertItemsEqual(expected_violations, actual_violations)