def test_query(self): factory = self.replay_flight_data('bq-dataset-query') p = self.load_policy({ 'name': 'bq-get', 'resource': 'gcp.bq-dataset'}, session_factory=factory) dataset = p.resource_manager.get_resource( event_data('bq-dataset-create.json')) self.assertEqual( dataset['datasetReference']['datasetId'], 'devxyz') self.assertTrue('access' in dataset) self.assertEqual(dataset['labels'], {'env': 'dev'})
def test_api_subscriber_run(self): factory = self.replay_flight_data('mu-api-subscriber-run') p = self.load_policy({ 'name': 'dataset-created', 'resource': 'gcp.bq-dataset', 'mode': { 'type': 'gcp-audit', 'methods': ['datasetservice.insert']}}, session_factory=factory) exec_mode = p.get_execution_mode() self.assertTrue(isinstance(exec_mode, policy.ApiAuditMode)) event = event_data('bq-dataset-create.json') resources = exec_mode.run(event, None) self.assertEqual(len(resources), 1) self.assertEqual(resources[0]['labels'], {'env': 'dev'})
def test_loadbalancer_url_map_get(self): factory = self.replay_flight_data('lb-url-maps-get') p = self.load_policy( { 'name': 'one-lb-url-map', 'resource': 'gcp.loadbalancer-url-map', 'mode': { 'type': 'gcp-audit', 'methods': [] } }, session_factory=factory) exec_mode = p.get_execution_mode() event = event_data('lb-url-maps-get.json') instances = exec_mode.run(event, None) self.assertEqual(len(instances), 1) self.assertEqual(instances[0]['kind'], 'compute#urlMap') self.assertEqual(instances[0]['fingerprint'], 'oA9r95u1zRI=') self.assertEqual(instances[0]['name'], 'custodian-load-balancer-0')
def test_loadbalancer_target_http_proxy_get(self): factory = self.replay_flight_data('lb-target-http-proxies-get') p = self.load_policy( { 'name': 'one-lb-target-http-proxies', 'resource': 'gcp.loadbalancer-target-http-proxy', 'mode': { 'type': 'gcp-audit', 'methods': [] } }, session_factory=factory) exec_mode = p.get_execution_mode() event = event_data('lb-target-http-proxies-get.json') instances = exec_mode.run(event, None) self.assertEqual(len(instances), 1) self.assertEqual(instances[0]['kind'], 'compute#targetHttpProxy') self.assertEqual(instances[0]['name'], 'custodian-load-balancer-0-target-proxy')
def test_loadbalancer_ssl_certificate_get(self): factory = self.replay_flight_data('lb-ssl-certificates-get') p = self.load_policy( { 'name': 'one-lb-ssl-certificates', 'resource': 'gcp.loadbalancer-ssl-certificate', 'mode': { 'type': 'gcp-audit', 'methods': [] } }, session_factory=factory) exec_mode = p.get_execution_mode() event = event_data('lb-ssl-certificate-get.json') instances = exec_mode.run(event, None) self.assertEqual(len(instances), 1) self.assertEqual(instances[0]['kind'], 'compute#sslCertificate') self.assertEqual(instances[0]['name'], 'comelfo-com-google-certificate')
def test_billingaccount_get(self): billingaccount_resource_name = 'billingAccounts/CU570D-1A4CU5-70D1A4' session_factory = self.replay_flight_data( 'cloudbilling-account-get') policy = self.load_policy( {'name': 'billing-cloudbilling-account-audit', 'resource': 'gcp.cloudbilling-account', 'mode': { 'type': 'gcp-audit', 'methods': ['AssignProjectToBillingAccount'] }}, session_factory=session_factory) exec_mode = policy.get_execution_mode() event = event_data('cloudbilling-account-assign.json') resources = exec_mode.run(event, None) self.assertEqual(resources[0]['name'], billingaccount_resource_name)
def test_instance_template_get(self): resource_name = 'custodian-instance-template' session_factory = self.replay_flight_data('instance-template-get') policy = self.load_policy( { 'name': 'gcp-instance-template-audit', 'resource': 'gcp.instance-template', 'mode': { 'type': 'gcp-audit', 'methods': ['beta.compute.instanceTemplates.insert'] } }, session_factory=session_factory) exec_mode = policy.get_execution_mode() event = event_data('instance-template-create.json') resources = exec_mode.run(event, None) self.assertEqual(resources[0]['name'], resource_name)
def test_cluster_get(self): project_id = "cloud-custodian" name = "standard-cluster-1" factory = self.replay_flight_data('gke-cluster-get', project_id) p = self.load_policy({ 'name': 'one-gke-cluster', 'resource': 'gcp.gke-cluster', 'mode': { 'type': 'gcp-audit', 'methods': ['io.k8s.core.v1.nodes.create']}}, session_factory=factory) exec_mode = p.get_execution_mode() event = event_data('k8s_create_cluster.json') clusters = exec_mode.run(event, None) self.assertEqual(clusters[0]['name'], name)
def test_pubsub_subscription_get(self): project_id = 'cloud-custodian' subscription_name = 'custodian' resource_name = 'projects/{}/subscriptions/{}'.format(project_id, subscription_name) session_factory = self.replay_flight_data( 'pubsub-subscription-get', project_id=project_id) policy = self.load_policy( {'name': 'gcp-pubsub-subscription-audit', 'resource': 'gcp.pubsub-subscription', 'mode': { 'type': 'gcp-audit', 'methods': ['google.pubsub.v1.Subscriber.CreateSubscription'] }}, session_factory=session_factory) exec_mode = policy.get_execution_mode() event = event_data('pubsub-subscription-create.json') resources = exec_mode.run(event, None) self.assertEqual(resources[0]['name'], resource_name)
def test_autoscaler_get(self): resource_name = 'instance-group-1' session_factory = self.replay_flight_data('autoscaler-get') policy = self.load_policy( { 'name': 'gcp-autoscaler-audit', 'resource': 'gcp.autoscaler', 'mode': { 'type': 'gcp-audit', 'methods': ['v1.compute.autoscalers.insert'] } }, session_factory=session_factory) exec_mode = policy.get_execution_mode() event = event_data('autoscaler-insert.json') resources = exec_mode.run(event, None) self.assertEqual(resources[0]['name'], resource_name)
def test_job_get(self): project_id = 'cloud-custodian' job_id = 'bquxjob_4c28c9a7_16958c2791d' location = 'US' factory = self.replay_flight_data('bq-job-get', project_id=project_id) p = self.load_policy({ 'name': 'bq-job-get', 'resource': 'gcp.bq-job', 'mode': { 'type': 'gcp-audit', 'methods': ['google.cloud.bigquery.v2.JobService.InsertJob'] } }, session_factory=factory) exec_mode = p.get_execution_mode() event = event_data('bq-job-create.json') job = exec_mode.run(event, None) self.assertEqual(job[0]['jobReference']['jobId'], job_id) self.assertEqual(job[0]['jobReference']['location'], location) self.assertEqual(job[0]['jobReference']['projectId'], project_id) self.assertEqual(job[0]['id'], "{}:{}.{}".format(project_id, location, job_id))
def test_table_get(self): project_id = 'cloud-custodian' factory = self.replay_flight_data('bq-table-get', project_id=project_id) p = self.load_policy( { 'name': 'bq-table-get', 'resource': 'gcp.bq-table', 'mode': { 'type': 'gcp-audit', 'methods': ['google.cloud.bigquery.v2.TableService.InsertTable'] } }, session_factory=factory) exec_mode = p.get_execution_mode() event = event_data('bq-table-create.json') job = exec_mode.run(event, None) self.assertIn('tableReference', job[0].keys())
def test_models_get(self): project_id = 'cloud-custodian' name = "test_model" factory = self.replay_flight_data('ml-model-get', project_id=project_id) p = self.load_policy( { 'name': 'ml-model-get', 'resource': 'gcp.ml-model', 'mode': { 'type': 'gcp-audit', 'methods': ['google.cloud.ml.v1.ModelService.CreateModel'] } }, session_factory=factory) exec_mode = p.get_execution_mode() event = event_data('ml-model-create.json') models = exec_mode.run(event, None) self.assertIn(name, models[0]['name'])
def test_spanner_instance_get(self): session_factory = self.replay_flight_data('spanner-instance-get') policy = self.load_policy( {'name': 'one-spanner-instance', 'resource': 'gcp.spanner-instance', 'mode': { 'type': 'gcp-audit', 'methods': [] }}, session_factory=session_factory) exec_mode = policy.get_execution_mode() event = event_data('spanner-instance-get.json') instances = exec_mode.run(event, None) self.assertEqual(instances[0]['state'], 'READY') self.assertEqual(instances[0]['config'], 'projects/custodian-test-project-0/instanceConfigs/regional-asia-east1') self.assertEqual(instances[0]['name'], 'projects/custodian-test-project-0/instances/custodian-spanner-1')
def test_get(self): factory = self.replay_flight_data('iam-project-role') p = self.load_policy( { 'name': 'role-get', 'resource': 'gcp.project-role', 'mode': { 'type': 'gcp-audit', 'methods': ['google.iam.admin.v1.CreateRole'] } }, session_factory=factory) exec_mode = p.get_execution_mode() event = event_data('iam-role-create.json') roles = exec_mode.run(event, None) self.assertEqual(len(roles), 1) self.assertEqual(roles[0]['name'], 'projects/cloud-custodian/roles/CustomRole1')
def test_job_get(self): project_id = 'cloud-custodian' jod_id = "2019-05-16_04_24_18-6110555549864901093" factory = self.replay_flight_data('dataflow-get-resource', project_id) p = self.load_policy( { 'name': 'job', 'resource': 'gcp.dataflow-job', 'mode': { 'type': 'gcp-audit', 'methods': ['storage.buckets.update'] } }, session_factory=factory) exec_mode = p.get_execution_mode() event = event_data('df-job-create.json') resource = exec_mode.run(event, None) self.assertEqual(resource[0]['id'], jod_id) self.assertEqual(resource[0]['name'], 'test1') self.assertEqual(resource[0]['projectId'], project_id) self.assertEqual(resource[0]['location'], 'us-central1')
def test_handler_run(self, from_data): func_cwd = self.get_temp_dir() output_temp = self.get_temp_dir() pdata = { 'name': 'dataset-created', 'resource': 'gcp.bq-dataset', 'mode': { 'type': 'gcp-audit', 'methods': ['datasetservice.insert']}} with open(os.path.join(func_cwd, 'config.json'), 'w') as fh: fh.write(json.dumps({'policies': [pdata]})) event = event_data('bq-dataset-create.json') p = self.load_policy(pdata) self.patch(p, 'push', lambda evt, ctx: None) self.patch(handler, 'get_tmp_output_dir', lambda: output_temp) from_data.return_value = [p] self.change_cwd(func_cwd) self.assertEqual(handler.run(event), True)
def test_route_get(self): project_id = 'cloud-custodian' factory = self.replay_flight_data('route-get', project_id=project_id) p = self.load_policy( { 'name': 'route-created', 'resource': 'gcp.route', 'mode': { 'type': 'gcp-audit', 'methods': ['v1.compute.routes.insert'] } }, session_factory=factory) exec_mode = p.get_execution_mode() event = event_data('route-create.json') routes = exec_mode.run(event, None) self.assertEqual(len(routes), 1) self.assertEqual(routes[0]['destRange'], '10.0.0.0/24')
def test_get_log_sink(self): project_id = 'cloud-custodian' sink_name = "testqqqqqqqqqqqqqqqqq" factory = self.replay_flight_data('log-project-sink-resource', project_id) p = self.load_policy( { 'name': 'logsink', 'resource': 'gcp.logsink', 'mode': { 'type': 'gcp-audit', 'methods': ['google.logging.v2.ConfigServiceV2.CreateSink'] } }, session_factory=factory) exec_mode = p.get_execution_mode() event = event_data('log-create-project-sink.json') resource = exec_mode.run(event, None) self.assertEqual(resource[0]['name'], sink_name)
def test_router_get(self): project_id = 'cloud-custodian' factory = self.replay_flight_data('router-get', project_id=project_id) p = self.load_policy( { 'name': 'router-created', 'resource': 'gcp.router', 'mode': { 'type': 'gcp-audit', 'methods': ['beta.compute.routers.insert'] } }, session_factory=factory) exec_mode = p.get_execution_mode() event = event_data('router-create.json') routers = exec_mode.run(event, None) self.assertEqual(len(routers), 1) self.assertEqual(routers[0]['bgp']['asn'], 65001)
def test_get_project_exclusion(self): project_id = 'cloud-custodian' exclusion_name = "qwerty" factory = self.replay_flight_data('log-exclusion-get', project_id) p = self.load_policy( { 'name': 'log-exclusion-get', 'resource': 'gcp.log-exclusion', 'mode': { 'type': 'gcp-audit', 'methods': ['google.logging.v2.ConfigServiceV2.CreateExclusion'] } }, session_factory=factory) exec_mode = p.get_execution_mode() event = event_data('log-create-project-exclusion.json') resource = exec_mode.run(event, None) self.assertEqual(resource[0]['name'], exclusion_name)
def test_get_project_metric(self): project_id = 'cloud-custodian' metric_name = "test_name" factory = self.replay_flight_data('log-project-metric-query', project_id) p = self.load_policy( { 'name': 'log-project-metric', 'resource': 'gcp.log-project-metric', 'mode': { 'type': 'gcp-audit', 'methods': ['google.logging.v2.MetricsServiceV2.CreateLogMetric'] } }, session_factory=factory) exec_mode = p.get_execution_mode() event = event_data('log-create-project-metric.json') resource = exec_mode.run(event, None) self.assertEqual(resource[0]['name'], metric_name)
def test_sqlbackuprun_get(self): backup_run_id = '1557489381417' instance_name = 'custodian-postgres' project_id = 'cloud-custodian' session_factory = self.replay_flight_data('sqlbackuprun-get', project_id=project_id) policy = self.load_policy( {'name': 'gcp-sql-backup-run-audit', 'resource': 'gcp.sql-backup-run', 'mode': { 'type': 'gcp-audit', 'methods': ['cloudsql.backupRuns.create'] }}, session_factory=session_factory) exec_mode = policy.get_execution_mode() event = event_data('sql-backup-create.json') parent_annotation_key = policy.resource_manager.resource_type.get_parent_annotation_key() resources = exec_mode.run(event, None) self.assertEqual(resources[0]['id'], backup_run_id) self.assertEqual(resources[0][parent_annotation_key]['name'], instance_name)
def test_policy_get(self): project_id = 'cloud-custodian' policy_name = 'custodian' session_factory = self.replay_flight_data('dns-policy-get', project_id=project_id) policy = self.load_policy( { 'name': 'gcp-dns-policy-dryrun', 'resource': 'gcp.dns-policy', 'mode': { 'type': 'gcp-audit', 'methods': ['dns.policies.create'] } }, session_factory=session_factory) exec_mode = policy.get_execution_mode() event = event_data('dns-policy-create.json') resources = exec_mode.run(event, None) self.assertEqual(resources[0]['name'], policy_name)
def test_sqlsslcet_get(self): ssl_cert_sha = '49a10ed7135e3171ce5e448cc785bc63b5b81e6c' instance_name = 'custodian-postgres' project_id = 'cloud-custodian' session_factory = self.replay_flight_data('sqlsslcert-get', project_id=project_id) policy = self.load_policy( {'name': 'gcp-sql-ssl-cert-audit', 'resource': 'gcp.sql-ssl-cert', 'mode': { 'type': 'gcp-audit', 'methods': ['cloudsql.sslCerts.create'] }}, session_factory=session_factory) exec_mode = policy.get_execution_mode() event = event_data('sql-ssl-cert-create.json') parent_annotation_key = policy.resource_manager.resource_type.get_parent_annotation_key() resources = exec_mode.run(event, None) self.assertEqual(resources[0]['sha1Fingerprint'], ssl_cert_sha) self.assertEqual(resources[0][parent_annotation_key]['name'], instance_name)
def test_handler_run(self, from_data): func_cwd = self.get_temp_dir() output_temp = self.get_temp_dir() pdata = { 'name': 'dataset-created', 'resource': 'gcp.bq-dataset', 'mode': { 'type': 'gcp-audit', 'methods': ['datasetservice.insert'] } } with open(os.path.join(func_cwd, 'config.json'), 'w') as fh: fh.write(json.dumps({'policies': [pdata]})) event = event_data('bq-dataset-create.json') p = self.load_policy(pdata) self.patch(p, 'push', lambda evt, ctx: None) self.patch(handler, 'get_tmp_output_dir', lambda: output_temp) from_data.return_value = [p] self.change_cwd(func_cwd) self.assertEqual(handler.run(event), True)