def test_can_compose_scanner_summary(self):
"""Test that the scan summary is built correctly."""
email_pipeline = (
email_scanner_summary_pipeline.EmailScannerSummaryPipeline(111111))
members = [
iam_policy.IamPolicyMember.create_from(u)
for u in ['user:[email protected]', 'group:[email protected]', 'serviceAccount:[email protected]']
]
all_violations = [
audit_rules.RuleViolation(
resource_type='organization',
resource_id='abc111',
rule_name='Abc 111',
rule_index=0,
violation_type=audit_rules.VIOLATION_TYPE['whitelist'],
role='role1',
members=tuple(members)),
audit_rules.RuleViolation(
resource_type='project',
resource_id='def222',
rule_name='Def 123',
rule_index=1,
violation_type=audit_rules.VIOLATION_TYPE['blacklist'],
role='role2',
members=tuple(members)),
]
total_resources = {
resource.ResourceType.ORGANIZATION: 1,
resource.ResourceType.PROJECT: 1,
}
actual = email_pipeline._compose(all_violations, total_resources)
expected_summaries = {
resource.ResourceType.ORGANIZATION: {
'pluralized_resource_type': 'Organizations',
'total': 1,
'violations': {
'abc111': len(members)
}
},
resource.ResourceType.PROJECT: {
'pluralized_resource_type': 'Projects',
'total': 1,
'violations': {
'def222': len(members)
}
},
}
expected_totals = sum([
v for t in expected_summaries.values()
for v in t['violations'].values()
])
expected = (expected_totals, expected_summaries)
self.assertEqual(expected, actual)
def _check_whitelistblacklist_rules(self, resource, rule, policy_bindings):
"""Check whitelist and blacklist rules.
Args:
resource (Resource): The resource that the policy belongs to.
rule (Rule): The rule to check.
policy_bindings (list): The list of IamPolicyBindings.
Yields:
iterable: A generator of RuleViolations.
"""
violation_type = scanner_rules.VIOLATION_TYPE.get(
rule.mode, scanner_rules.VIOLATION_TYPE['UNSPECIFIED'])
for policy_binding in policy_bindings:
for rule_binding in rule.bindings:
# If the rule's role pattern matches the policy binding's
# role pattern, then check the members to see whether they
# match, according to the rule mode.
violating_members = None
if rule_binding.role_pattern.match(policy_binding.role_name):
violating_members = (self._dispatch_rule_mode_check(
mode=rule.mode,
rule_members=rule_binding.members,
policy_members=policy_binding.members))
if violating_members:
yield scanner_rules.RuleViolation(
resource_type=resource.type,
resource_id=resource.id,
rule_name=rule.rule_name,
rule_index=rule.rule_index,
violation_type=violation_type,
role=policy_binding.role_name,
members=tuple(violating_members))
def test_org_project_inherit_org_rule_violation(self):
"""Test org with blacklist and child with whitelist, no inherit.
Test that the project whitelist rule overrides the org blacklist rule
when the project does not inherit from parent.
Setup:
* Create a RulesEngine with RULES5 rule set.
* Create policy.
Expected result:
* Find 1 rule violation.
"""
# actual
rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
rules_engine = ire.IamRulesEngine(rules_local_path)
rules5 = copy.deepcopy(test_rules.RULES5)
rules5['rules'][1]['inherit_from_parents'] = True
rules_engine.rule_book = ire.IamRuleBook(rules5, self.fake_timestamp)
rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
find_ancestor_mock = mock.MagicMock(
side_effect=[[self.org789]])
rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
find_ancestor_mock
project_policy = {
'bindings': [
{
'role': 'roles/owner',
'members': [
'user:[email protected]',
]
}
]
}
actual_violations = set(
rules_engine.find_policy_violations(self.project1, project_policy)
)
# expected
expected_outstanding_proj = {
'roles/owner': [
IamPolicyMember.create_from('user:[email protected]')
]
}
expected_violations = set([
scanner_rules.RuleViolation(
rule_index=0,
rule_name='org blacklist',
resource_id=self.project1.id,
resource_type=self.project1.type,
violation_type='ADDED',
role=project_policy['bindings'][0]['role'],
members=tuple(expected_outstanding_proj['roles/owner'])),
])
self.assertItemsEqual(expected_violations, actual_violations)
def test_one_member_mismatch(self):
"""Test a policy where one member mismatches the whitelist.
Setup:
* Create a RulesEngine and add test_rules.RULES1.
* Create the policy binding.
* Create the Rule and rule bindings.
* Create the resource association for the Rule.
Expected results:
One policy binding member missing from the whitelist.
"""
# actual
rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
rules_engine = ire.IamRulesEngine(rules_local_path)
rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES1,
self.fake_timestamp)
rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
find_ancestor_mock = mock.MagicMock(side_effect=[[self.org789]])
rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
find_ancestor_mock
policy = {
'bindings': [{
'role':
'roles/editor',
'members': ['user:[email protected]', 'user:[email protected]']
}]
}
actual_violations = set(
rules_engine.find_policy_violations(self.project1, policy))
# expected
rule_bindings = [{
'role': 'roles/*',
'members': ['user:*@company.com']
}]
rule = scanner_rules.Rule(
'my rule',
0, [IamPolicyBinding.create_from(b) for b in rule_bindings],
mode='whitelist')
expected_outstanding = {
'roles/editor':
[IamPolicyMember.create_from('user:[email protected]')]
}
expected_violations = set([
scanner_rules.RuleViolation(
resource_type=self.project1.type,
resource_id=self.project1.id,
rule_name=rule.rule_name,
rule_index=rule.rule_index,
role='roles/editor',
violation_type=scanner_rules.VIOLATION_TYPE.get(rule.mode),
members=tuple(expected_outstanding['roles/editor']))
])
self.assertEqual(expected_violations, actual_violations)
def test_org_2_child_rules_report_violation(self):
"""Test org "children" whitelist works with org "children" blacklist.
Test that org children whitelist with org children blacklist rules
report violation.
Setup:
* Create a RulesEngine with RULES6 rule set.
* Create policy.
Expected result:
* Find 1 rule violation.
"""
# actual
rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
rules_engine = ire.IamRulesEngine(rules_local_path)
rules_engine.rule_book = ire.IamRuleBook(
test_rules.RULES6, self.fake_timestamp)
rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
find_ancestor_mock = mock.MagicMock(
side_effect=[[self.org789]])
rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
find_ancestor_mock
project_policy = {
'bindings': [
{
'role': 'roles/owner',
'members': [
'user:[email protected]',
]
}
]
}
actual_violations = set(
rules_engine.find_policy_violations(self.project1, project_policy)
)
# expected
expected_outstanding_proj = {
'roles/owner': [
IamPolicyMember.create_from('user:[email protected]')
]
}
expected_violations = set([
scanner_rules.RuleViolation(
rule_index=1,
rule_name='project blacklist',
resource_id=self.project1.id,
resource_type=self.project1.type,
violation_type='ADDED',
role=project_policy['bindings'][0]['role'],
members=tuple(expected_outstanding_proj['roles/owner'])),
])
self.assertItemsEqual(expected_violations, actual_violations)
def test_folder_rule_whitelist(self):
"""Test a simple folder whitelist rule."""
rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
rules_engine = ire.IamRulesEngine(rules_local_path)
rules_engine.rule_book = ire.IamRuleBook({}, test_rules.FOLDER_RULES1,
self.fake_timestamp)
rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
find_ancestor_mock = mock.MagicMock(
side_effect=[[self.org789], [self.folder1, self.org789]])
rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
find_ancestor_mock
# one violation for folder because of organization 778899
# one violation for project because of project3's parent
folder_policy = {
'bindings': [{
'role': 'roles/editor',
'members': [
'user:[email protected]',
]
}]
}
project_policy = {
'bindings': [{
'role': 'roles/editor',
'members': [
'user:[email protected]',
]
}]
}
actual_violations = set(
itertools.chain(
rules_engine.find_policy_violations(self.folder1,
folder_policy),
rules_engine.find_policy_violations(self.project3,
project_policy)))
# expected
expected_outstanding = {
'roles/editor':
[IamPolicyMember.create_from('user:[email protected]')]
}
expected_violations = set([
scanner_rules.RuleViolation(
rule_index=0,
rule_name='folder rule 1',
resource_id=self.folder1.id,
resource_type=self.folder1.type,
violation_type='ADDED',
role=project_policy['bindings'][0]['role'],
members=tuple(expected_outstanding['roles/editor'])),
])
self.assertItemsEqual(expected_violations, actual_violations)
def setUp(self, mock_db_connector):
mock_db_connector.return_value = None
self.resource_name = 'violations'
self.dao = violation_dao.ViolationDao()
self.fake_snapshot_timestamp = '12345'
self.fake_table_name = (
'%s_%s' % (self.resource_name, self.fake_snapshot_timestamp))
self.fake_violations = [
rules.RuleViolation(
resource_type='x',
resource_id='1',
rule_name='rule name',
rule_index=0,
violation_type='ADDED',
role='roles/editor',
members=[
iam.IamPolicyMember.create_from(m)
for m in ['user:[email protected]', 'user:[email protected]']
],
),
rules.RuleViolation(
resource_type='%sb' % ('a' * 300),
resource_id='1',
rule_name='%sd' % ('c' * 300),
rule_index=1,
violation_type='REMOVED',
role='%s' % ('e' * 300),
members=[
iam.IamPolicyMember.create_from('user:%sh' % ('g' * 300))
],
),
]
self.expected_fake_violations = [
('x', '1', 'rule name', 0, 'ADDED', 'roles/editor',
'user:[email protected]'),
('x', '1', 'rule name', 0, 'ADDED', 'roles/editor',
'user:[email protected]'),
('a' * 255, '1', 'c' * 255, 1, 'REMOVED', 'e' * 255,
('user:%s' % ('g' * 300))[:255]),
]
def _check_required_rules(self, resource, rule, policy_bindings):
"""Check required rule.
Args:
resource (Resource): The resource that the policy belongs to.
policy_bindings (list): The list of IamPolicyBindings.
rule (Rule): The rule to check.
Yields:
iterable: A generator of RuleViolations.
"""
violation_type = scanner_rules.VIOLATION_TYPE.get(
rule.mode, scanner_rules.VIOLATION_TYPE['UNSPECIFIED'])
found_role = False
violating_bindings = {}
# If the rule's binding role is found in the policy,
# check the policy members to see if all rule binding
# members are found.
# Any outstanding rule bindings (role => members) should be reported.
for rule_binding in rule.bindings:
for policy_binding in policy_bindings:
violating_members = None
if rule_binding.role_pattern.match(policy_binding.role_name):
found_role = True
violating_members = (self._dispatch_rule_mode_check(
mode=rule.mode,
rule_members=rule_binding.members,
policy_members=policy_binding.members))
if violating_members:
violating_bindings[
rule_binding.role_name] = violating_members
if not found_role:
violating_bindings = {
b.role_name: b.members
for b in rule.bindings
}
if violating_bindings:
for (role_name, members) in violating_bindings.iteritems():
yield scanner_rules.RuleViolation(
resource_type=resource.type,
resource_id=resource.id,
rule_name=rule.rule_name,
rule_index=rule.rule_index,
violation_type=violation_type,
role=role_name,
members=tuple(members))
def find_mismatches(self, policy_resource, binding_to_match):
"""Determine if the policy binding matches this rule's criteria.
How the member matching operates:
1. Whitelist: policy members match at least one rule member
2. Blacklist: policy members must not match any rule members
3. Require: rule members must all match policy members
Args:
policy_resource (Resource): The resource that the policy belongs to.
binding_to_match (IamPolicyBinding): The IamPolicyBinding binding
to compare to this rule's bindings.
Yields:
iterable: A generator of RuleViolations.
"""
policy_binding = iam_policy.IamPolicyBinding.create_from(
binding_to_match)
for rule in self.rules:
found_role = False
for binding in rule.bindings:
policy_role_name = policy_binding.role_name
if not policy_binding.role_name.startswith('roles'):
policy_role_name = 'roles/{}'.format(
policy_binding.role_name)
# If the rule's role pattern matches the policy binding's role
# pattern, then check the members to see whether they match,
# according to the rule mode.
if binding.role_pattern.match(policy_role_name):
if rule.mode == scanner_rules.RuleMode.REQUIRED:
role_name = binding.role_name
else:
role_name = policy_role_name
found_role = True
violating_members = (self._dispatch_rule_mode_check(
mode=rule.mode,
rule_members=binding.members,
policy_members=policy_binding.members))
if violating_members:
yield scanner_rules.RuleViolation(
resource_type=policy_resource.type,
resource_id=policy_resource.id,
rule_name=rule.rule_name,
rule_index=rule.rule_index,
violation_type=scanner_rules.VIOLATION_TYPE.get(
rule.mode,
scanner_rules.VIOLATION_TYPE['UNSPECIFIED']),
role=role_name,
members=tuple(violating_members))
# Extra check if the role did not match in the REQUIRED case.
if not found_role and rule.mode == scanner_rules.RuleMode.REQUIRED:
for binding in rule.bindings:
yield scanner_rules.RuleViolation(
resource_type=policy_resource.type,
resource_id=policy_resource.id,
rule_name=rule.rule_name,
rule_index=rule.rule_index,
violation_type=scanner_rules.VIOLATION_TYPE.get(
rule.mode,
scanner_rules.VIOLATION_TYPE['UNSPECIFIED']),
role=binding.role_name,
members=tuple(binding.members))
def setUp(self, mock_db_connector):
mock_db_connector.return_value = None
self.resource_name = 'violations'
self.dao = violation_dao.ViolationDao()
self.fake_snapshot_timestamp = '12345'
self.fake_table_name = (
'%s_%s' % (self.resource_name, self.fake_snapshot_timestamp))
self.fake_violations = [
rules.RuleViolation(
resource_type='x',
resource_id='1',
rule_name='rule name',
rule_index=0,
violation_type='ADDED',
role='roles/editor',
members=[
iam.IamPolicyMember.create_from(m)
for m in ['user:[email protected]', 'user:[email protected]']
],
),
rules.RuleViolation(
resource_type='%se' % ('a' * 300),
resource_id='1',
rule_name='%sh' % ('b' * 300),
rule_index=1,
violation_type='REMOVED',
role='%s' % ('c' * 300),
members=[
iam.IamPolicyMember.create_from('user:%s' % ('d' * 300))
],
),
]
long_string = '{"member": "user:%s", "role": "%s"}' % (('d' * 300),
('c' * 300))
self.fake_flattened_violations = [
{
'resource_id': '1',
'resource_type': self.fake_violations[0].resource_type,
'rule_index': 0,
'rule_name': self.fake_violations[0].rule_name,
'violation_type': self.fake_violations[0].violation_type,
'violation_data': {
'role': self.fake_violations[0].role,
'member': 'user:[email protected]'
}
},
{
'resource_id': '1',
'resource_type': self.fake_violations[0].resource_type,
'rule_index': 0,
'rule_name': self.fake_violations[0].rule_name,
'violation_type': self.fake_violations[0].violation_type,
'violation_data': {
'role': self.fake_violations[0].role,
'member': 'user:[email protected]'
}
},
{
'resource_id': '1',
'resource_type': self.fake_violations[1].resource_type,
'rule_index': 1,
'rule_name': self.fake_violations[1].rule_name,
'violation_type': self.fake_violations[1].violation_type,
'violation_data': {
'role': self.fake_violations[1].role,
'member': 'user:%s' % ('d' * 300)
}
},
]
self.expected_fake_violations = [
('x', '1', 'rule name', 0, 'ADDED',
'{"member": "user:[email protected]", "role": "roles/editor"}'),
('x', '1', 'rule name', 0, 'ADDED',
'{"member": "user:[email protected]", "role": "roles/editor"}'),
('a' * 255, '1', 'b' * 255, 1, 'REMOVED', long_string),
]
def test_org_self_rules_work_with_org_child_rules(self):
"""Test org "self" whitelist works with org "children" whitelist
Test hierarchical rules.
Setup:
* Create a RulesEngine with RULES4 rule set.
* Create policy.
Expected result:
* Find 3 rule violations.
"""
# actual
rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
rules_engine = ire.IamRulesEngine(rules_local_path)
rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES4,
self.fake_timestamp)
rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
find_ancestor_mock = mock.MagicMock(side_effect=[[], [self.org789]])
rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
find_ancestor_mock
org_policy = {
'bindings': [{
'role':
'roles/owner',
'members': [
'user:[email protected]',
'user:[email protected]',
]
}]
}
project_policy = {
'bindings': [{
'role':
'roles/editor',
'members': [
'user:[email protected]',
'user:[email protected]',
]
}]
}
actual_violations = set(
itertools.chain(
rules_engine.find_policy_violations(self.org789, org_policy),
rules_engine.find_policy_violations(self.project1,
project_policy)))
# expected
expected_outstanding_org = {
'roles/owner':
[IamPolicyMember.create_from('user:[email protected]')]
}
expected_outstanding_proj = {
'roles/editor':
[IamPolicyMember.create_from('user:[email protected]')]
}
expected_violations = set([
scanner_rules.RuleViolation(
rule_index=0,
rule_name='org whitelist',
resource_id=self.org789.id,
resource_type=self.org789.type,
violation_type='ADDED',
role=org_policy['bindings'][0]['role'],
members=tuple(expected_outstanding_org['roles/owner'])),
scanner_rules.RuleViolation(
rule_index=1,
rule_name='project whitelist',
resource_id=self.project1.id,
resource_type=self.project1.type,
violation_type='ADDED',
role=project_policy['bindings'][0]['role'],
members=tuple(expected_outstanding_proj['roles/editor'])),
])
self.assertItemsEqual(expected_violations, actual_violations)
def test_org_proj_rules_vs_policy_has_violations(self):
"""Test rules on org and project with whitelist, blacklist, required.
Test whitelist, blacklist, and required rules against an org that has
1 blacklist violation and a project that has 1 whitelist violation and
1 required violation.
Setup:
* Create a RulesEngine with RULES3 rule set.
* Create policy.
Expected result:
* Find 3 rule violations.
"""
# actual
rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
rules_engine = ire.IamRulesEngine(rules_local_path)
rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES3,
self.fake_timestamp)
rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
find_ancestor_mock = mock.MagicMock(side_effect=[[], [self.org789]])
rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
find_ancestor_mock
org_policy = {
'bindings': [{
'role':
'roles/editor',
'members': [
'user:[email protected]',
'user:[email protected]',
]
}]
}
project_policy = {
'bindings': [{
'role':
'roles/editor',
'members': [
'user:[email protected]',
'user:[email protected]',
]
}]
}
actual_violations = set(
itertools.chain(
rules_engine.find_policy_violations(self.org789, org_policy),
rules_engine.find_policy_violations(self.project1,
project_policy),
))
# expected
expected_outstanding_org = {
'roles/editor':
[IamPolicyMember.create_from('user:[email protected]')]
}
expected_outstanding_project = {
'roles/editor':
[IamPolicyMember.create_from('user:[email protected]')],
'roles/viewer':
[IamPolicyMember.create_from('user:[email protected]')]
}
expected_violations = set([
scanner_rules.RuleViolation(
rule_index=1,
rule_name='my blacklist rule',
resource_id=self.org789.id,
resource_type=self.org789.type,
violation_type='ADDED',
role=org_policy['bindings'][0]['role'],
members=tuple(expected_outstanding_org['roles/editor'])),
scanner_rules.RuleViolation(
rule_index=0,
rule_name='my whitelist rule',
resource_id=self.project1.id,
resource_type=self.project1.type,
violation_type='ADDED',
role=project_policy['bindings'][0]['role'],
members=tuple(expected_outstanding_project['roles/editor'])),
scanner_rules.RuleViolation(
rule_index=2,
rule_name='my required rule',
resource_id=self.project1.id,
resource_type=self.project1.type,
violation_type='REMOVED',
role='roles/viewer',
members=tuple(expected_outstanding_project['roles/viewer'])),
])
self.assertItemsEqual(expected_violations, actual_violations)
def test_whitelist_blacklist_rules_vs_policy_has_violations(self):
"""Test a ruleset with whitelist and blacklist violating rules.
Setup:
* Mock find_ancestors().
* Create a RulesEngine with RULES2 rule set.
* Create policy.
Expected result:
* Find 1 rule violation.
"""
# actual
rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
rules_engine = ire.IamRulesEngine(rules_local_path,
self.fake_timestamp)
# TODO: mock the rules local path to return RULES2
rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES2,
self.fake_timestamp)
rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
find_ancestor_mock = mock.MagicMock(side_effect=[[self.org789], []])
rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
find_ancestor_mock
policy = {
'bindings': [{
'role':
'roles/editor',
'members': [
'user:[email protected]', 'user:[email protected]',
'user:[email protected]'
]
}]
}
actual_violations = set(
itertools.chain(
rules_engine.find_policy_violations(self.project1, policy),
rules_engine.find_policy_violations(self.project2, policy)))
# expected
expected_outstanding1 = {
'roles/editor':
[IamPolicyMember.create_from('user:[email protected]')]
}
expected_outstanding2 = {
'roles/editor':
[IamPolicyMember.create_from('user:[email protected]')]
}
expected_violations = set([
scanner_rules.RuleViolation(
rule_index=0,
rule_name='my rule',
resource_id=self.project1.id,
resource_type=self.project1.type,
violation_type='ADDED',
role=policy['bindings'][0]['role'],
members=tuple(expected_outstanding1['roles/editor'])),
scanner_rules.RuleViolation(
rule_index=0,
rule_name='my rule',
resource_type=self.project2.type,
resource_id=self.project2.id,
violation_type='ADDED',
role=policy['bindings'][0]['role'],
members=tuple(expected_outstanding1['roles/editor'])),
scanner_rules.RuleViolation(
rule_index=1,
rule_name='my other rule',
resource_type=self.project2.type,
resource_id=self.project2.id,
violation_type='ADDED',
role=policy['bindings'][0]['role'],
members=tuple(expected_outstanding2['roles/editor'])),
scanner_rules.RuleViolation(
rule_index=2,
rule_name='required rule',
resource_id=self.project1.id,
resource_type=self.project1.type,
violation_type='REMOVED',
role='roles/viewer',
members=tuple([
IamPolicyMember.create_from(
'user:[email protected]')
]))
])
self.assertItemsEqual(expected_violations, actual_violations)
def test_wildcard_resources_with_project_whitelist(self):
"""Test whitelisted wildcard resources.
Setup:
* Create a RulesEngine with RULES9 rule set.
* Create policy.
Expected result:
* Find 2 rule violations:
- A policy binding that violates the org whitelist.
- A policy binding that violates the org whitelist, even though
the project whitelist allows it.
"""
# actual
rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
rules_engine = ire.IamRulesEngine(rules_local_path)
rules_engine.rule_book = ire.IamRuleBook({}, test_rules.RULES9,
self.fake_timestamp)
rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
# have to return 2 [self.org789] because the find_ancestors() call is
# called twice, once for each find_violations().
find_ancestor_mock = mock.MagicMock(
side_effect=[[self.org789], [self.org789]])
rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
find_ancestor_mock
project_policy = {
'bindings': [
{
'role':
'roles/owner',
'members': [
'user:[email protected]',
'user:[email protected]',
'user:[email protected]',
]
},
{
'role': 'roles/editor',
'members': [
'user:[email protected]',
]
},
]
}
actual_violations = set(
rules_engine.find_policy_violations(self.project1, project_policy))
# expected
# [email protected] not in any whitelists
# [email protected] is allowed by the project whitelist
# but we still alert due to the org whitelist.
expected_outstanding_proj = {
'roles/owner': [
IamPolicyMember.create_from('user:[email protected]'),
IamPolicyMember.create_from(
'user:[email protected]'),
],
'roles/editor':
[IamPolicyMember.create_from('user:[email protected]')]
}
expected_violations = set([
scanner_rules.RuleViolation(
rule_index=0,
rule_name='org whitelist',
resource_id=self.project1.id,
resource_type=self.project1.type,
violation_type='ADDED',
role=project_policy['bindings'][0]['role'],
members=tuple(expected_outstanding_proj['roles/owner'])),
scanner_rules.RuleViolation(
rule_index=0,
rule_name='org whitelist',
resource_id=self.project1.id,
resource_type=self.project1.type,
violation_type='ADDED',
role=project_policy['bindings'][1]['role'],
members=tuple(expected_outstanding_proj['roles/editor'])),
])
self.assertItemsEqual(expected_violations, actual_violations)
def setUp(self, mock_db_connector):
mock_db_connector.return_value = None
self.resource_name = 'violations'
self.dao = violation_dao.ViolationDao()
self.fake_snapshot_timestamp = '12345'
self.fake_table_name = ('%s_%s' %
(self.resource_name, self.fake_snapshot_timestamp))
self.fake_violations = [
rules.RuleViolation(
resource_type='x',
resource_id='1',
rule_name='rule name',
rule_index=0,
violation_type='ADDED',
role='roles/editor',
members=[iam.IamPolicyMember.create_from(m)
for m in ['user:[email protected]', 'user:[email protected]']],
),
rules.RuleViolation(
resource_type='%se' % ('a'*300),
resource_id='1',
rule_name='%sh' % ('b'*300),
rule_index=1,
violation_type='REMOVED',
role='%s' % ('c'*300),
members=[iam.IamPolicyMember.create_from(
'user:%s' % ('d'*300))],
),
]
long_string = '{"member": "user:%s", "role": "%s"}' % (('d'*300),('c'*300))
self.fake_flattened_violations = [
{
'resource_id': '1',
'resource_type':
self.fake_violations[0].resource_type,
'rule_index': 0,
'rule_name': self.fake_violations[0].rule_name,
'violation_type': self.fake_violations[0].violation_type,
'violation_data': {
'role': self.fake_violations[0].role,
'member': 'user:[email protected]'
}
},
{
'resource_id': '1',
'resource_type':
self.fake_violations[0].resource_type,
'rule_index': 0,
'rule_name': self.fake_violations[0].rule_name,
'violation_type': self.fake_violations[0].violation_type,
'violation_data': {
'role': self.fake_violations[0].role,
'member': 'user:[email protected]'
}
},
{
'resource_id': '1',
'resource_type':
self.fake_violations[1].resource_type,
'rule_index': 1,
'rule_name': self.fake_violations[1].rule_name,
'violation_type': self.fake_violations[1].violation_type,
'violation_data': {
'role': self.fake_violations[1].role,
'member': 'user:%s' % ('d'*300)
}
},
]
self.expected_fake_violations = [
('2e598a34bf36b5ad577f6e8eec47acf0ffe71143e82bc78c9cfaac8f553a4fa4f09078ebe0769639d9dc9fffc2dffb94345ae6696fbe4e646e8b9bb723fd3ab0',
'x', '1', 'rule name', 0, 'ADDED',
'{"member": "user:[email protected]", "role": "roles/editor"}',
'2020-08-28 10:20:30'),
('5420235c547006300e7842c45c9b0419bc1c5590fd4200607e9925010123f5905f374c2b182420f6ecb161146c8d18c6683045026c810009154b03a56f5a94f5',
'x', '1', 'rule name', 0, 'ADDED',
'{"member": "user:[email protected]", "role": "roles/editor"}',
'2010-08-28 10:20:30'),
('i'*255,
'a'*255, '1', 'b'*255, 1, 'REMOVED', long_string,
'2030-08-28 10:20:30'),
]
