def setUp(self):
        """Set up GCP resources for tests."""
        self.alre = alre
        self.alre.LOGGER = mock.MagicMock()
        self.org_234 = Organization('234',
                                    display_name='Organization 234',
                                    full_name='organization/234/',
                                    data='fake_org_data_234')

        self.folder_56 = Folder('56',
                                display_name='Folder 56',
                                full_name='folder/56',
                                data='fake_folder_data456456')

        self.proj_1 = Project('proj-1',
                              project_number=11223344,
                              display_name='My project 1',
                              parent=self.org_234,
                              full_name='organization/234/project/proj-1/',
                              data='fake_project_data_2341')

        self.proj_2 = Project(
            'proj-2',
            project_number=223344,
            display_name='My project 2',
            parent=self.folder_56,
            full_name='organization/234/folder/56/project/proj-2/',
            data='fake_project_data_4562')

        self.proj_3 = Project('project-3',
                              project_number=33445566,
                              display_name='My project 3',
                              parent=self.org_234,
                              full_name='organization/234/project/proj-3/',
                              data='fake_project_data_1233')
예제 #2
0
    def test_multi_items_in_rule_match(self):
        """Test no violations are found with multiple items in rule"""
        processed_rule = {
            'ancestor_resources': [Folder('456'), Organization('7890')]
        }

        rule = engine_module.Rule(rule_name='test_multi_items_in_rule_match',
                                  rule_index=0,
                                  rules=processed_rule)
        violation = rule.find_violation('*****@*****.**',
                                        self.TEST_ANCESTORS)
        self.assertIsNone(violation)
예제 #3
0
    def setUp(self):
        """Set up GCP resources for tests."""
        self.lsre = lsre
        self.lsre.LOGGER = mock.MagicMock()

        # Set up resources in the following hierarchy:
        #             +-----> billing_acct_abcd
        #             |
        #             |
        #             +-----------------------> proj-1
        #             |
        #             |
        #     org_234 +-----> folder_56 +-----> proj-2
        #             |
        #             |
        #             +-----------------------> proj-3
        self.org_234 = Organization('234',
                                    display_name='Organization 234',
                                    full_name='organization/234/',
                                    data='fake_org_data_234')

        self.billing_acct_abcd = BillingAccount(
            'ABCD-1234',
            display_name='Billing Account ABCD',
            full_name='organization/234/billingAccount/ABCD-1234/',
            data='fake_billing_account_data_abcd')

        self.folder_56 = Folder('56',
                                display_name='Folder 56',
                                full_name='organization/234/folder/56/',
                                data='fake_folder_data456456')

        self.proj_1 = Project('proj-1',
                              project_number=11223344,
                              display_name='My project 1',
                              parent=self.org_234,
                              full_name='organization/234/project/proj-1/',
                              data='fake_project_data_2341')

        self.proj_2 = Project(
            'proj-2',
            project_number=223344,
            display_name='My project 2',
            parent=self.folder_56,
            full_name='organization/234/folder/56/project/proj-2/',
            data='fake_project_data_4562')

        self.proj_3 = Project('proj-3',
                              project_number=33445566,
                              display_name='My project 3',
                              parent=self.org_234,
                              full_name='organization/234/project/proj-3/',
                              data='fake_project_data_1233')
 def setUp(self):
     self.org = Organization('1234567890', display_name='My org name')
     self.folder = Folder('55555',
                          display_name='My folder',
                          parent=self.org)
     self.project1 = Project('project-1', 11111, display_name='Project 1')
     self.project2 = Project('project-2',
                             22222,
                             display_name='Project 2',
                             parent=self.org)
     self.project3 = Project('project-3',
                             33333,
                             display_name='Project 3',
                             parent=self.folder)
예제 #5
0
    def test_multi_items_no_match(self):
        """Test violations are found with multiple items in rule"""
        processed_rule = {
            'ancestor_resources': [Folder('45'), Organization('789')]
        }

        rule = engine_module.Rule(rule_name='test_multi_items_no_match',
                                  rule_index=0,
                                  rules=processed_rule)
        violation = rule.find_violation('*****@*****.**',
                                        self.TEST_ANCESTORS)

        self.assertEqual(0, violation.rule_index)
        self.assertEqual('test_multi_items_no_match',
                         violation.rule_name)
        self.assertEqual('projects/123', violation.full_name)
        self.assertEqual('projects/123,folders/456,organizations/7890',
                         violation.resource_data)
    def test_find_violations(self):
        """Test finding violations"""
        epas.get_user_emails = mock.MagicMock(return_value=TEST_EMAILS)
        scanner = epas.ExternalProjectAccessScanner(
            self.global_configs, self.scanner_configs, self.service_config,
            self.model_name, self.snapshot_timestamp, self.rules)

        scanner.rules_engine.build_rule_book(
            self.service_config.get_inventory_config())
        user_ancestries = {
            '*****@*****.**':
            [[Project('1234'), Organization('1234567')],
             [Project('12345'),
              Folder('ABCDEFG'),
              Organization('HIJKLMNOP')]]
        }
        violations = scanner._find_violations(user_ancestries)
        self.assertEqual(len(violations), 2)
예제 #7
0
    def setUp(self):
        """Set up parent GCP resources for tests."""
        self.org_234 = Organization('234',
                                    display_name='Organization 234',
                                    full_name='organization/234/',
                                    data='fake_org_data_234')

        self.folder_56 = Folder('56',
                                display_name='Folder 56',
                                full_name='folder/56',
                                data='fake_folder_data456456')

        self.proj_1 = Project('proj-1',
                              project_number=11223344,
                              display_name='My project 1',
                              parent=self.org_234,
                              full_name='organization/234/project/proj-1/',
                              data='fake_project_data_2341')
예제 #8
0
class ExternalProjectAccessRulesEngineTest(ForsetiTestCase):
    """Tests for the ExternalProjectAccessRulesEngine."""

    TEST_ANCESTRIES = {
        '*****@*****.**': [Project('13579'),
                              Folder('24680'),
                              Organization('1234567')],
        '*****@*****.**': [Project('13579'),
                              Folder('0987654321'),
                              Organization('1234567')]}
    TEST_ANCESTRIES_SIMPLE = {
        '*****@*****.**': [Project('13579'),
                              Organization('567890')]}
    TEST_ANCESTRIES_VIOLATIONS = {
        '*****@*****.**': [Project('13579'),
                              Folder('24680'),
                              Organization('1357924680')]}

    def setUp(self):
        self.rules_engine = engine_module
        self.rules_engine.LOGGER = mock.MagicMock()
        self.inventory_config = mock.MagicMock()
        self.inventory_config.get_root_resource_id = (
            mock.MagicMock(return_value='organizations/567890'))


    def test_no_rule_added(self):
        """Test that a RuleBook is built correctly with an empty yaml file."""
        rules_local_path = get_datafile_path(
            __file__, 'external_project_access_test_rules_0.yaml')
        rules_engine = engine_module.ExternalProjectAccessRulesEngine(
            rules_file_path=rules_local_path)
        rules_engine.build_rule_book(self.inventory_config)
        self.assertEqual(0, len(rules_engine.rule_book.resource_rules_map))

    def test_good_yaml_file(self):
        """Test that a RuleBook is built correctly with a yaml file."""
        rules_local_path = get_datafile_path(
            __file__, 'external_project_access_test_rules_1.yaml')
        rules_engine = engine_module.ExternalProjectAccessRulesEngine(
            rules_file_path=rules_local_path)
        rules_engine.build_rule_book(self.inventory_config)
        self.assertEqual(2, len(rules_engine.rule_book.resource_rules_map))

    def test_yaml_file_bad_ancestor(self):
        """Test that a RuleBook is built correctly with a yaml file."""
        rules_local_path = get_datafile_path(
            __file__, 'external_project_access_test_rules_2.yaml')
        rules_engine = engine_module.ExternalProjectAccessRulesEngine(
            rules_file_path=rules_local_path)
        with self.assertRaises(audit_errors.InvalidRulesSchemaError):
            rules_engine.build_rule_book(self.inventory_config)

    def test_no_violations(self):
        """Test that no violations are found"""
        all_violations = []
        rules_local_path = get_datafile_path(
            __file__, 'external_project_access_test_rules_1.yaml')
        rules_engine = engine_module.ExternalProjectAccessRulesEngine(
            rules_file_path=rules_local_path)
        rules_engine.build_rule_book(self.inventory_config)
        for user, ancestry in self.TEST_ANCESTRIES.items():
            violations = rules_engine.find_violations(
                user, ancestry, True)
            all_violations.extend(violations)
        self.assertEqual(len(all_violations), 0)

    def test_no_violations_no_rules(self):
        """Test that no violations are found when no rules in the file."""
        all_violations = []
        rules_local_path = get_datafile_path(
            __file__, 'external_project_access_test_rules_0.yaml')
        rules_engine = engine_module.ExternalProjectAccessRulesEngine(
            rules_file_path=rules_local_path)
        rules_engine.build_rule_book(self.inventory_config)
        for user, ancestry in self.TEST_ANCESTRIES_SIMPLE.items():
            violations = rules_engine.find_violations(
                user, ancestry, True)
            all_violations.extend(violations)
        self.assertEqual(len(all_violations), 0)

    def test_violations_are_found(self):
        """Test that violations are found"""
        all_violations = []
        rules_local_path = get_datafile_path(
            __file__, 'external_project_access_test_rules_1.yaml')
        rules_engine = engine_module.ExternalProjectAccessRulesEngine(
            rules_file_path=rules_local_path)
        rules_engine.build_rule_book(self.inventory_config)
        for user, ancestry in self.TEST_ANCESTRIES_VIOLATIONS.items():
            violations = rules_engine.find_violations(user, 
                                                             ancestry, 
                                                             True)
            all_violations.extend(violations)
        self.assertEqual(len(all_violations), 2)
예제 #9
0
class ExternalProjectAccessRuleTest(ForsetiTestCase):
    """Tests for the ExternalProjectAccessRuleBook."""

    TEST_ANCESTORS = [Project('123'),
                      Folder('456'),
                      Organization('7890')]

    def test_single_item_in_rule_match(self):
        """Test no violations are found with single item in rule"""
        processed_rule = {
            'ancestor_resources': [Organization('7890')],
        }

        rule = engine_module.Rule(rule_name='test_single_item_in_rule_match',
                                  rule_index=0,
                                  rules=processed_rule)
        violation = rule.find_violation('*****@*****.**',
                                        self.TEST_ANCESTORS)
        self.assertIsNone(violation)

    def test_single_item_in_rule_match_with_user(self):
        """Test no violations are found with single item in rule with a user"""
        processed_rule = {
            'ancestor_resources': [Organization('7890')],
            'users': ['*****@*****.**']
        }

        rule = engine_module.Rule(rule_name='test_single_item_in_rule_match_with_user',
                                  rule_index=0,
                                  rules=processed_rule)
        violation = rule.find_violation('*****@*****.**',
                                        self.TEST_ANCESTORS)
        self.assertIsNone(violation)

    def test_single_item_in_rule_match_with_wrong_user(self):
        """Test no violations are found with single item in rule with a user that doesn't match the rule"""
        processed_rule = {
            'ancestor_resources': [Organization('7890')],
            'users': ['*****@*****.**']
        }

        rule = engine_module.Rule(rule_name='test_single_item_in_rule_match_with_wrong_user',
                                  rule_index=0,
                                  rules=processed_rule)
        violation = rule.find_violation('*****@*****.**',
                                        self.TEST_ANCESTORS)
        self.assertIsNotNone(violation)

    def test_multi_items_in_rule_match(self):
        """Test no violations are found with multiple items in rule"""
        processed_rule = {
            'ancestor_resources': [Folder('456'), Organization('7890')]
        }

        rule = engine_module.Rule(rule_name='test_multi_items_in_rule_match',
                                  rule_index=0,
                                  rules=processed_rule)
        violation = rule.find_violation('*****@*****.**',
                                        self.TEST_ANCESTORS)
        self.assertIsNone(violation)

    def test_multi_items_in_rule_match_with_user(self):
        """Test no violations are found with multiple items in rule with a user"""
        processed_rule = {
            'ancestor_resources': [Folder('456'), Organization('7890')],
            'users': ['*****@*****.**']
        }

        rule = engine_module.Rule(rule_name='test_multi_items_in_rule_match_with_user',
                                  rule_index=0,
                                  rules=processed_rule)
        violation = rule.find_violation('*****@*****.**',
                                        self.TEST_ANCESTORS)
        self.assertIsNone(violation)

    def test_multi_items_in_rule_match_with_wrong_user(self):
        """Test no violations are found with multiple items in rule with user that doesn't match the rule"""
        processed_rule = {
            'ancestor_resources': [Folder('456'), Organization('7890')],
            'users': ['*****@*****.**']
        }

        rule = engine_module.Rule(rule_name='test_multi_items_in_rule_match_with_wrong_user',
                                  rule_index=0,
                                  rules=processed_rule)
        violation = rule.find_violation('*****@*****.**',
                                        self.TEST_ANCESTORS)
        self.assertIsNotNone(violation)

    def test_single_item_no_match(self):
        """Test violations are found with single item in rule"""
        processed_rule = {
            'ancestor_resources': [Organization('789')]
        }

        rule = engine_module.Rule(rule_name='test_single_item_no_match',
                                  rule_index=0,
                                  rules=processed_rule)
        violation = rule.find_violation('*****@*****.**',
                                        self.TEST_ANCESTORS)

        self.assertEqual(0, violation.rule_index)
        self.assertEqual('test_single_item_no_match',
                         violation.rule_name)
        self.assertEqual('projects/123', violation.full_name)
        self.assertEqual('projects/123,folders/456,organizations/7890',
                         violation.resource_data)

    def test_single_item_no_match_with_user(self):
        """Test violations are found with single item in rule with a user"""
        processed_rule = {
            'ancestor_resources': [Organization('789')],
            'users': ['*****@*****.**']
        }

        rule = engine_module.Rule(rule_name='test_single_item_no_match_with_user',
                                  rule_index=0,
                                  rules=processed_rule)
        violation = rule.find_violation('*****@*****.**',
                                        self.TEST_ANCESTORS)

        self.assertEqual(0, violation.rule_index)
        self.assertEqual('test_single_item_no_match_with_user',
                         violation.rule_name)
        self.assertEqual('projects/123', violation.full_name)
        self.assertEqual('projects/123,folders/456,organizations/7890',
                         violation.resource_data)

    def test_single_item_no_match_with_wrong_user(self):
        """Test violations are found with single item in rule with user that doesn't match the rule"""
        processed_rule = {
            'ancestor_resources': [Organization('789')],
            'users': ['*****@*****.**']
        }

        rule = engine_module.Rule(rule_name='test_single_item_no_match_with_wrong_user',
                                  rule_index=0,
                                  rules=processed_rule)
        violation = rule.find_violation('*****@*****.**',
                                        self.TEST_ANCESTORS)

        self.assertEqual(0, violation.rule_index)
        self.assertEqual('test_single_item_no_match_with_wrong_user',
                         violation.rule_name)
        self.assertEqual('projects/123', violation.full_name)
        self.assertEqual('projects/123,folders/456,organizations/7890',
                         violation.resource_data)

    def test_multi_items_no_match(self):
        """Test violations are found with multiple items in rule"""
        processed_rule = {
            'ancestor_resources': [Folder('45'), Organization('789')]
        }

        rule = engine_module.Rule(rule_name='test_multi_items_no_match',
                                  rule_index=0,
                                  rules=processed_rule)
        violation = rule.find_violation('*****@*****.**',
                                        self.TEST_ANCESTORS)

        self.assertEqual(0, violation.rule_index)
        self.assertEqual('test_multi_items_no_match',
                         violation.rule_name)
        self.assertEqual('projects/123', violation.full_name)
        self.assertEqual('projects/123,folders/456,organizations/7890',
                         violation.resource_data)

    def test_multi_items_no_match_with_user(self):
        """Test violations are found with multiple items in rule with a user"""
        processed_rule = {
            'ancestor_resources': [Folder('45'), Organization('789')],
            'users': ['*****@*****.**']
        }

        rule = engine_module.Rule(rule_name='test_multi_items_no_match_with_user',
                                  rule_index=0,
                                  rules=processed_rule)
        violation = rule.find_violation('*****@*****.**',
                                        self.TEST_ANCESTORS)

        self.assertEqual(0, violation.rule_index)
        self.assertEqual('test_multi_items_no_match_with_user',
                         violation.rule_name)
        self.assertEqual('projects/123', violation.full_name)
        self.assertEqual('projects/123,folders/456,organizations/7890',
                         violation.resource_data)

    def test_multi_items_no_match_with_wrong_user(self):
        """Test violations are found with multiple items in rule with user that doesn't match the rule"""
        processed_rule = {
            'ancestor_resources': [Folder('45'), Organization('789')],
            'users': ['*****@*****.**']
        }

        rule = engine_module.Rule(rule_name='test_multi_items_no_match_with_wrong_user',
                                  rule_index=0,
                                  rules=processed_rule)
        violation = rule.find_violation('*****@*****.**',
                                        self.TEST_ANCESTORS)

        self.assertEqual(0, violation.rule_index)
        self.assertEqual('test_multi_items_no_match_with_wrong_user',
                         violation.rule_name)
        self.assertEqual('projects/123', violation.full_name)
        self.assertEqual('projects/123,folders/456,organizations/7890',
                         violation.resource_data)
예제 #10
0
class ExternalProjectAccessRuleBookTest(ForsetiTestCase):
    """Tests for the ExternalProjectAccessRuleBook."""

    TEST_GOOD_RULE = dict(name='default',
                          allowed_ancestors=['organizations/7890'],
                          users=['*****@*****.**'])
    TEST_BAD_RULE = dict(name='default',
                         allowed_ancestors=['policy/12345'],
                         users=['*****@*****.**',
                                'user1_at_example_dot_com'])
    TEST_RULE_DEFS = dict(rules=[TEST_GOOD_RULE])

    TEST_ANCESTORS = [Project('123'),
                      Folder('456'),
                      Organization('7890')]
    TEST_BAD_ANCESTORS = [Project('123'),
                          Folder('456'),
                          Organization('ABC')]

    def setUp(self):
        """Set up."""
        self.rule_index = 0
        self.rules_engine = engine_module
        self.rules_engine.LOGGER = mock.MagicMock()
        self.inventory_config = mock.MagicMock()

        self.inventory_config.get_root_resource_id = (
            mock.MagicMock(return_value='organizations/7890'))
        self.rule_book = (
            engine_module.ExternalProjectAccessRuleBook(self.inventory_config))

    def test_validate_good_ancestor(self):
        """Test proper rule validation"""
        self.assertIsNone(
            self.rule_book.validate_ancestors(
                self.TEST_GOOD_RULE['allowed_ancestors'], 0))

    def test_validate_bad_ancestor(self):
        """Test proper rule validation against bad ancestor"""
        with self.assertRaises(audit_errors.InvalidRulesSchemaError):
            self.rule_book.validate_ancestors(
                self.TEST_BAD_RULE['allowed_ancestors'], 0)

    def test_validate_good_user(self):
        """Test proper rule validation"""
        self.assertIsNone(
            self.rule_book.validate_users(
                self.TEST_GOOD_RULE['users'], 0))
    
    def test_validate_bad_user(self):
        """Test proper rule validation against bad user"""
        with self.assertRaises(audit_errors.InvalidRulesSchemaError) as error:
            self.rule_book.validate_users(
                self.TEST_BAD_RULE['users'], 0)
        self.assertIn('user1_at_example_dot_com', str(error.exception))
        self.assertNotIn('*****@*****.**', str(error.exception))

    def test_missing_ancestors(self):
        """Test proper rule validation against missing ancestors"""
        with self.assertRaises(audit_errors.InvalidRulesSchemaError):
            self.rule_book.validate_ancestor(None, 0)

    def test_process_good_rule(self):
        """Test proper rule processing"""
        processed_rule = self.rule_book.process_rule(self.TEST_GOOD_RULE, 0)
        self.assertEqual(processed_rule['ancestor_resources'][0].id, '7890')
        self.assertTrue(isinstance(processed_rule['ancestor_resources'][0], Organization))


    def test_process_bad_rule(self):
        """Test proper rule validation with exception"""
        with self.assertRaises(audit_errors.InvalidRulesSchemaError):
            self.rule_book.process_rule(self.TEST_BAD_RULE, 0)

    def test_add_rule(self):
        """Test proper rule addition"""
        self.rule_book.add_rule(self.TEST_GOOD_RULE, 0)
        self.assertEqual(1, len(self.rule_book.resource_rules_map))

    def test_add_rules(self):
        """Test proper addtion of multiple rules"""
        self.rule_book.add_rules(self.TEST_RULE_DEFS)
        self.assertEqual(1, len(self.rule_book.resource_rules_map))

    def test_no_violations(self):
        """Test no violations are found"""
        violations = self.rule_book.find_violations('*****@*****.**',
                                                           self.TEST_ANCESTORS)
        self.assertEqual(0, len(violations))

    def test_violations(self):
        """Test violations are found"""
        violations = self.rule_book.find_violations(
            '*****@*****.**', self.TEST_BAD_ANCESTORS)

        self.assertEqual(0, len(violations))
예제 #11
0
    def _add_ancestor_bindings_test_data(self):
        """Establishes the hierarchy below.

               +-----------> billing_acct_abcd
               |
               |
               +----------------------------> proj_1 +-------> dataset_1_1
               |
               |
               +                                     +-------> bucket_3_1
            org_234 +------> folder_1 +-----> proj_3 |
                                                     +-------> bucket_3_2
               +
               |
               +----------------------------> proj_2 +-------> bucket_2_1
        """
        self.org_234 = Organization('234',
                                    display_name='Organization 234',
                                    full_name='organization/234/',
                                    data='fake_org_data_234')

        self.billing_acct_abcd = BillingAccount(
            'ABCD-1234',
            display_name='Billing Account ABCD',
            parent=self.org_234,
            full_name='organization/234/billing_account/ABCD-1234/',
            data='fake_billing_account_data_abcd')

        self.proj_1 = Project('proj-1',
                              project_number=22345,
                              display_name='My project 1',
                              parent=self.org_234,
                              full_name='organization/234/project/proj-1/',
                              data='fake_project_data_111')

        self.dataset_1_1 = Dataset(
            'proj-1:dataset-1-1',
            display_name='Dataset 1.1',
            parent=self.proj_1,
            full_name=
            'organization/234/project/proj-1/dataset/proj-1:dataset-1-1',
            data='dataset_data')

        self.proj_2 = Project('proj-2',
                              project_number=22346,
                              display_name='My project 2',
                              parent=self.org_234,
                              full_name='organization/234/project/proj-2/',
                              data='fake_project_data_222')

        self.folder_1 = Folder('333',
                               display_name='Folder 1',
                               parent=self.org_234,
                               full_name='organization/234/folder/333/',
                               data='fake_folder_data_111')

        self.proj_3 = Project(
            'proj-3',
            project_number=22347,
            display_name='My project 3',
            parent=self.folder_1,
            full_name='organization/234/folder/333/project/proj-3/',
            data='fake_project_data_333')

        self.bucket_3_1 = Bucket(
            'internal-3',
            display_name='My project 3, internal data1',
            parent=self.proj_3,
            full_name=
            'organization/234/folder/333/project/proj-3/bucket/internal-3/',
            data='fake_project_data_333_bucket_1')

        self.bucket_3_2 = Bucket(
            'public-3',
            display_name='My project 3, public data',
            parent=self.proj_3,
            full_name=
            'organization/234/folder/333/project/proj-3/bucket/public-3/',
            data='fake_project_data_333_bucket_2')

        self.bucket_2_1 = Bucket(
            'internal-2',
            display_name='My project 2, internal data',
            parent=self.proj_2,
            full_name='organization/234/project/proj-2/bucket/internal-2/',
            data='fake_project_data_222_bucket_1')

        self.org_234_policy_resource = mock.MagicMock()
        self.org_234_policy_resource.full_name = (
            'organization/234/iam_policy/organization:234/')

        self.billing_acct_abcd_policy_resource = mock.MagicMock()
        self.billing_acct_abcd_policy_resource.full_name = (
            'organization/234/billing_account/ABCD-1234/iam_policy'
            '/billing_account:ABCD-1234/')

        self.folder_1_policy_resource = mock.MagicMock()
        self.folder_1_policy_resource.full_name = (
            'organization/234/folder/333/iam_policy/folder:333/')

        self.proj_1_policy_resource = mock.MagicMock()
        self.proj_1_policy_resource.full_name = (
            'organization/234/project/proj-1/iam_policy/project:proj-1')

        self.proj_2_policy_resource = mock.MagicMock()
        self.proj_2_policy_resource.full_name = (
            'organization/234/project/proj-2/iam_policy/project:proj-2')

        self.proj_3_policy_resource = mock.MagicMock()
        self.proj_3_policy_resource.full_name = (
            'organization/234/folder/333/project/proj-3/iam_policy/project:proj-3'
        )

        self.bucket_3_1_policy_resource = mock.MagicMock()
        self.bucket_3_1_policy_resource.full_name = (
            'organization/234/folder/333/project/proj-3/bucket/internal-3/iam_policy/bucket:internal-3'
        )

        self.bucket_3_2_policy_resource = mock.MagicMock()
        self.bucket_3_2_policy_resource.full_name = (
            'organization/234/folder/333/project/proj-3/bucket/public-3/iam_policy/bucket:public-3'
        )

        self.bucket_2_1_policy_resource = mock.MagicMock()
        self.bucket_2_1_policy_resource.full_name = (
            'organization/234/folder/333/project/proj-2/bucket/internal-2/iam_policy/bucket:internal-2'
        )

        self.dataset_1_1_policy_resource = mock.MagicMock()
        self.dataset_1_1_policy_resource.full_name = (
            'organization/234/project/proj-1/dataset/proj-1:dataset-1-1/iam_policy/dataset:proj-1:dataset-1-1'
        )