def test_member_match_works(self): """Test the member match against wildcard and non-wildcard members.""" iam_policy_members = [ IamPolicyMember.create_from(self.members[0]), # specific user IamPolicyMember.create_from(self.members[3]), # allUsers IamPolicyMember.create_from(self.members[5]), # *@company.com IamPolicyMember.create_from(self.members[6]), # *@*.gserviceaccount IamPolicyMember.create_from(self.members[7]), # user:* ] self.assertTrue(iam_policy_members[0].matches(self.test_members[0])) # test globs/allUsers self.assertTrue(iam_policy_members[1].matches(self.members[1])) self.assertTrue(iam_policy_members[1].matches(self.test_members[3])) self.assertTrue(iam_policy_members[2].matches(self.test_members[0])) self.assertTrue(iam_policy_members[3].matches(self.test_members[1])) self.assertTrue(iam_policy_members[4].matches(self.test_members[2])) self.assertTrue(iam_policy_members[4].matches(self.test_members[4])) # test non matches self.assertFalse(iam_policy_members[0].matches( 'user:[email protected]')) self.assertFalse(iam_policy_members[2].matches( 'user:[email protected]')) self.assertFalse(iam_policy_members[3].matches( 'serviceAccount:[email protected]')) self.assertFalse(iam_policy_members[3].matches( 'serviceAccount:[email protected]'))
def test_member_create_from_is_correct(self): """Test that IamPolicyMember creation is correct.""" iam_member1 = IamPolicyMember.create_from(self.members[0]) self.assertEqual('user', iam_member1.type) self.assertEqual('*****@*****.**', iam_member1.name) self.assertEqual('^test\-user\@company\.com$', iam_member1.name_pattern.pattern) iam_member2 = IamPolicyMember.create_from(self.members[3]) self.assertEqual('allUsers', iam_member2.type) self.assertIsNone(iam_member2.name) self.assertIsNone(iam_member2.name_pattern)
def test_org_project_inherit_org_rule_violation(self): """Test org with blacklist and child with whitelist, no inherit. Test that the project whitelist rule overrides the org blacklist rule when the project does not inherit from parent. Setup: * Create a RulesEngine with RULES5 rule set. * Create policy. Expected result: * Find 1 rule violation. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path) rules5 = copy.deepcopy(test_rules.RULES5) rules5['rules'][1]['inherit_from_parents'] = True rules_engine.rule_book = ire.IamRuleBook(rules5, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() find_ancestor_mock = mock.MagicMock( side_effect=[[self.org789]]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock project_policy = { 'bindings': [ { 'role': 'roles/owner', 'members': [ 'user:[email protected]', ] } ] } actual_violations = set( rules_engine.find_policy_violations(self.project1, project_policy) ) # expected expected_outstanding_proj = { 'roles/owner': [ IamPolicyMember.create_from('user:[email protected]') ] } expected_violations = set([ scanner_rules.RuleViolation( rule_index=0, rule_name='org blacklist', resource_id=self.project1.id, resource_type=self.project1.type, violation_type='ADDED', role=project_policy['bindings'][0]['role'], members=tuple(expected_outstanding_proj['roles/owner'])), ]) self.assertItemsEqual(expected_violations, actual_violations)
def test_org_2_child_rules_report_violation(self): """Test org "children" whitelist works with org "children" blacklist. Test that org children whitelist with org children blacklist rules report violation. Setup: * Create a RulesEngine with RULES6 rule set. * Create policy. Expected result: * Find 1 rule violation. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path) rules_engine.rule_book = ire.IamRuleBook( test_rules.RULES6, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() find_ancestor_mock = mock.MagicMock( side_effect=[[self.org789]]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock project_policy = { 'bindings': [ { 'role': 'roles/owner', 'members': [ 'user:[email protected]', ] } ] } actual_violations = set( rules_engine.find_policy_violations(self.project1, project_policy) ) # expected expected_outstanding_proj = { 'roles/owner': [ IamPolicyMember.create_from('user:[email protected]') ] } expected_violations = set([ scanner_rules.RuleViolation( rule_index=1, rule_name='project blacklist', resource_id=self.project1.id, resource_type=self.project1.type, violation_type='ADDED', role=project_policy['bindings'][0]['role'], members=tuple(expected_outstanding_proj['roles/owner'])), ]) self.assertItemsEqual(expected_violations, actual_violations)
def test_one_member_mismatch(self): """Test a policy where one member mismatches the whitelist. Setup: * Create a RulesEngine and add test_rules.RULES1. * Create the policy binding. * Create the Rule and rule bindings. * Create the resource association for the Rule. Expected results: One policy binding member missing from the whitelist. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path) rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES1, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() find_ancestor_mock = mock.MagicMock(side_effect=[[self.org789]]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock policy = { 'bindings': [{ 'role': 'roles/editor', 'members': ['user:[email protected]', 'user:[email protected]'] }] } actual_violations = set( rules_engine.find_policy_violations(self.project1, policy)) # expected rule_bindings = [{ 'role': 'roles/*', 'members': ['user:*@company.com'] }] rule = scanner_rules.Rule( 'my rule', 0, [IamPolicyBinding.create_from(b) for b in rule_bindings], mode='whitelist') expected_outstanding = { 'roles/editor': [IamPolicyMember.create_from('user:[email protected]')] } expected_violations = set([ scanner_rules.RuleViolation( resource_type=self.project1.type, resource_id=self.project1.id, rule_name=rule.rule_name, rule_index=rule.rule_index, role='roles/editor', violation_type=scanner_rules.VIOLATION_TYPE.get(rule.mode), members=tuple(expected_outstanding['roles/editor'])) ]) self.assertEqual(expected_violations, actual_violations)
def test_folder_rule_whitelist(self): """Test a simple folder whitelist rule.""" rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path) rules_engine.rule_book = ire.IamRuleBook({}, test_rules.FOLDER_RULES1, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() find_ancestor_mock = mock.MagicMock( side_effect=[[self.org789], [self.folder1, self.org789]]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock # one violation for folder because of organization 778899 # one violation for project because of project3's parent folder_policy = { 'bindings': [{ 'role': 'roles/editor', 'members': [ 'user:[email protected]', ] }] } project_policy = { 'bindings': [{ 'role': 'roles/editor', 'members': [ 'user:[email protected]', ] }] } actual_violations = set( itertools.chain( rules_engine.find_policy_violations(self.folder1, folder_policy), rules_engine.find_policy_violations(self.project3, project_policy))) # expected expected_outstanding = { 'roles/editor': [IamPolicyMember.create_from('user:[email protected]')] } expected_violations = set([ scanner_rules.RuleViolation( rule_index=0, rule_name='folder rule 1', resource_id=self.folder1.id, resource_type=self.folder1.type, violation_type='ADDED', role=project_policy['bindings'][0]['role'], members=tuple(expected_outstanding['roles/editor'])), ]) self.assertItemsEqual(expected_violations, actual_violations)
def test_org_project_noinherit_project_overrides_org_rule(self): """Test org with blacklist and child with whitelist, no inherit. Test that the project whitelist rule overrides the org blacklist rule when the project does not inherit from parent. Setup: * Create a RulesEngine with RULES5 rule set. * Create policy. Expected result: * Find 0 rule violations. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path) rules_engine.rule_book = ire.IamRuleBook( test_rules.RULES5, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() find_ancestor_mock = mock.MagicMock( side_effect=[[self.org789]]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock project_policy = { 'bindings': [ { 'role': 'roles/owner', 'members': [ 'user:[email protected]', ] } ] } actual_violations = set( rules_engine.find_policy_violations(self.project1, project_policy) ) # expected expected_outstanding_proj = { 'roles/editor': [ IamPolicyMember.create_from('user:[email protected]') ] } expected_violations = set([]) self.assertItemsEqual(expected_violations, actual_violations)
def test_one_member_mismatch(self): """Test a policy where one member mismatches the whitelist. Setup: * Create a RuleBook and add self.RULES1. * Create the policy binding. * Create the Rule and rule bindings. * Create the resource association for the Rule. Expected results: One policy binding member missing from the whitelist. """ # actual rule_book = OrgRuleBook() rule_book._add_rules(self.RULES1) policy_bindings = [{ 'role': 'roles/editor', 'members': ['user:[email protected]', 'user:[email protected]'] }] actual_violations = list( rule_book.find_violations(self.project1, policy_bindings[0])) # expected rule_bindings = [{ 'role': 'roles/*', 'members': ['user:*@company.com'] }] rule = Rule('my rule', 0, rule_bindings, mode='whitelist') expected_outstanding = { 'roles/editor': [IamPolicyMember.create_from('user:[email protected]')] } expected_violations = [ RuleViolation(resource_type=self.project1.resource_type, resource_id=self.project1.resource_id, rule_name=rule.rule_name, rule_index=rule.rule_index, role='roles/editor', violation_type=RULE_VIOLATION_TYPE.get(rule.mode), members=expected_outstanding['roles/editor']) ] self.assertEqual(expected_violations, actual_violations)
def test_member_invalid_type_raises(self): """Test that invalid member type raises exception.""" with self.assertRaises(InvalidIamPolicyMemberError): iam_member = IamPolicyMember('fake_type')
def test_is_matching_domain_fail_invalid_email(self): member = IamPolicyMember.create_from('domain:xyz.edu') other = IamPolicyMember.create_from('user:u AT xyz DOT edu') self.assertFalse(member._is_matching_domain(other))
def test_is_matching_domain_fail_wrong_type(self): member = IamPolicyMember.create_from('group:xyz.edu') other = IamPolicyMember.create_from('user:[email protected]') self.assertFalse(member._is_matching_domain(other))
def test_org_proj_rules_vs_policy_has_violations(self): """Test rules on org and project with whitelist, blacklist, required. Test whitelist, blacklist, and required rules against an org that has 1 blacklist violation and a project that has 1 whitelist violation and 1 required violation. Setup: * Create a RulesEngine with RULES3 rule set. * Create policy. Expected result: * Find 3 rule violations. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path) rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES3, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() find_ancestor_mock = mock.MagicMock(side_effect=[[], [self.org789]]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock org_policy = { 'bindings': [{ 'role': 'roles/editor', 'members': [ 'user:[email protected]', 'user:[email protected]', ] }] } project_policy = { 'bindings': [{ 'role': 'roles/editor', 'members': [ 'user:[email protected]', 'user:[email protected]', ] }] } actual_violations = set( itertools.chain( rules_engine.find_policy_violations(self.org789, org_policy), rules_engine.find_policy_violations(self.project1, project_policy), )) # expected expected_outstanding_org = { 'roles/editor': [IamPolicyMember.create_from('user:[email protected]')] } expected_outstanding_project = { 'roles/editor': [IamPolicyMember.create_from('user:[email protected]')], 'roles/viewer': [IamPolicyMember.create_from('user:[email protected]')] } expected_violations = set([ scanner_rules.RuleViolation( rule_index=1, rule_name='my blacklist rule', resource_id=self.org789.id, resource_type=self.org789.type, violation_type='ADDED', role=org_policy['bindings'][0]['role'], members=tuple(expected_outstanding_org['roles/editor'])), scanner_rules.RuleViolation( rule_index=0, rule_name='my whitelist rule', resource_id=self.project1.id, resource_type=self.project1.type, violation_type='ADDED', role=project_policy['bindings'][0]['role'], members=tuple(expected_outstanding_project['roles/editor'])), scanner_rules.RuleViolation( rule_index=2, rule_name='my required rule', resource_id=self.project1.id, resource_type=self.project1.type, violation_type='REMOVED', role='roles/viewer', members=tuple(expected_outstanding_project['roles/viewer'])), ]) self.assertItemsEqual(expected_violations, actual_violations)
def test_wildcard_resources_with_project_whitelist(self): """Test whitelisted wildcard resources. Setup: * Create a RulesEngine with RULES9 rule set. * Create policy. Expected result: * Find 2 rule violations: - A policy binding that violates the org whitelist. - A policy binding that violates the org whitelist, even though the project whitelist allows it. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path) rules_engine.rule_book = ire.IamRuleBook({}, test_rules.RULES9, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() # have to return 2 [self.org789] because the find_ancestors() call is # called twice, once for each find_violations(). find_ancestor_mock = mock.MagicMock( side_effect=[[self.org789], [self.org789]]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock project_policy = { 'bindings': [ { 'role': 'roles/owner', 'members': [ 'user:[email protected]', 'user:[email protected]', 'user:[email protected]', ] }, { 'role': 'roles/editor', 'members': [ 'user:[email protected]', ] }, ] } actual_violations = set( rules_engine.find_policy_violations(self.project1, project_policy)) # expected # [email protected] not in any whitelists # [email protected] is allowed by the project whitelist # but we still alert due to the org whitelist. expected_outstanding_proj = { 'roles/owner': [ IamPolicyMember.create_from('user:[email protected]'), IamPolicyMember.create_from( 'user:[email protected]'), ], 'roles/editor': [IamPolicyMember.create_from('user:[email protected]')] } expected_violations = set([ scanner_rules.RuleViolation( rule_index=0, rule_name='org whitelist', resource_id=self.project1.id, resource_type=self.project1.type, violation_type='ADDED', role=project_policy['bindings'][0]['role'], members=tuple(expected_outstanding_proj['roles/owner'])), scanner_rules.RuleViolation( rule_index=0, rule_name='org whitelist', resource_id=self.project1.id, resource_type=self.project1.type, violation_type='ADDED', role=project_policy['bindings'][1]['role'], members=tuple(expected_outstanding_proj['roles/editor'])), ]) self.assertItemsEqual(expected_violations, actual_violations)
def test_org_proj_rules_vs_policy_has_violations(self): """Test rules on org and project with whitelist, blacklist, required. Test whitelist, blacklist, and required rules against an org that has 1 blacklist violation and a project that has 1 whitelist violation and 1 required violation. Setup: * Create a RulesEngine with RULES3 rule set. * Create policy. Expected result: * Find 3 rule violations. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = OrgRulesEngine(rules_local_path) rules_engine.rule_book = OrgRuleBook(self.RULES3) org_policy = { 'bindings': [{ 'role': 'roles/editor', 'members': [ 'user:[email protected]', 'user:[email protected]', ] }] } project_policy = { 'bindings': [{ 'role': 'roles/editor', 'members': [ 'user:[email protected]', 'user:[email protected]', ] }] } actual_violations = [] actual_violations.extend( rules_engine.find_policy_violations(self.org789, org_policy)) actual_violations.extend( rules_engine.find_policy_violations(self.project1, project_policy)) # expected expected_outstanding_org = { 'roles/editor': [IamPolicyMember.create_from('user:[email protected]')] } expected_outstanding_project = { 'roles/editor': [IamPolicyMember.create_from('user:[email protected]')], 'roles/viewer': [IamPolicyMember.create_from('user:[email protected]')] } expected_violations = [ RuleViolation(rule_index=1, rule_name='my blacklist rule', resource_id=self.org789.resource_id, resource_type=self.org789.resource_type, violation_type='ADDED', role=org_policy['bindings'][0]['role'], members=expected_outstanding_org['roles/editor']), RuleViolation( rule_index=0, rule_name='my whitelist rule', resource_id=self.project1.resource_id, resource_type=self.project1.resource_type, violation_type='ADDED', role=project_policy['bindings'][0]['role'], members=expected_outstanding_project['roles/editor']), RuleViolation( rule_index=2, rule_name='my required rule', resource_id=self.project1.resource_id, resource_type=self.project1.resource_type, violation_type='REMOVED', role='roles/viewer', members=expected_outstanding_project['roles/viewer']), ] self.assertItemsEqual(expected_violations, actual_violations)
def test_whitelist_blacklist_rules_vs_policy_has_violations(self): """Test a ruleset with whitelist and blacklist violating rules. Setup: * Create a RulesEngine with RULES2 rule set. * Create policy. Expected result: * Find 1 rule violation. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = OrgRulesEngine(rules_local_path) rules_engine.rule_book = OrgRuleBook(self.RULES2) policy = { 'bindings': [{ 'role': 'roles/editor', 'members': [ 'user:[email protected]', 'user:[email protected]', 'user:[email protected]' ] }] } actual_violations = [] actual_violations.extend( rules_engine.find_policy_violations(self.project1, policy)) actual_violations.extend( rules_engine.find_policy_violations(self.project2, policy)) # expected expected_outstanding1 = { 'roles/editor': [IamPolicyMember.create_from('user:[email protected]')] } expected_outstanding2 = { 'roles/editor': [IamPolicyMember.create_from('user:[email protected]')] } expected_violations = [ RuleViolation(rule_index=0, rule_name='my rule', resource_id=self.project1.resource_id, resource_type=self.project1.resource_type, violation_type='ADDED', role=policy['bindings'][0]['role'], members=expected_outstanding1['roles/editor']), RuleViolation(rule_index=0, rule_name='my rule', resource_type=self.project2.resource_type, resource_id=self.project2.resource_id, violation_type='ADDED', role=policy['bindings'][0]['role'], members=expected_outstanding1['roles/editor']), RuleViolation(rule_index=1, rule_name='my other rule', resource_type=self.project2.resource_type, resource_id=self.project2.resource_id, violation_type='ADDED', role=policy['bindings'][0]['role'], members=expected_outstanding2['roles/editor']), RuleViolation(rule_index=2, rule_name='required rule', resource_id=self.project1.resource_id, resource_type=self.project1.resource_type, violation_type='REMOVED', role='roles/viewer', members=[ IamPolicyMember.create_from( 'user:[email protected]') ]) ] self.assertItemsEqual(expected_violations, actual_violations)
def test_whitelist_blacklist_rules_vs_policy_has_violations(self): """Test a ruleset with whitelist and blacklist violating rules. Setup: * Mock find_ancestors(). * Create a RulesEngine with RULES2 rule set. * Create policy. Expected result: * Find 1 rule violation. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path, self.fake_timestamp) # TODO: mock the rules local path to return RULES2 rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES2, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() find_ancestor_mock = mock.MagicMock(side_effect=[[self.org789], []]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock policy = { 'bindings': [{ 'role': 'roles/editor', 'members': [ 'user:[email protected]', 'user:[email protected]', 'user:[email protected]' ] }] } actual_violations = set( itertools.chain( rules_engine.find_policy_violations(self.project1, policy), rules_engine.find_policy_violations(self.project2, policy))) # expected expected_outstanding1 = { 'roles/editor': [IamPolicyMember.create_from('user:[email protected]')] } expected_outstanding2 = { 'roles/editor': [IamPolicyMember.create_from('user:[email protected]')] } expected_violations = set([ scanner_rules.RuleViolation( rule_index=0, rule_name='my rule', resource_id=self.project1.id, resource_type=self.project1.type, violation_type='ADDED', role=policy['bindings'][0]['role'], members=tuple(expected_outstanding1['roles/editor'])), scanner_rules.RuleViolation( rule_index=0, rule_name='my rule', resource_type=self.project2.type, resource_id=self.project2.id, violation_type='ADDED', role=policy['bindings'][0]['role'], members=tuple(expected_outstanding1['roles/editor'])), scanner_rules.RuleViolation( rule_index=1, rule_name='my other rule', resource_type=self.project2.type, resource_id=self.project2.id, violation_type='ADDED', role=policy['bindings'][0]['role'], members=tuple(expected_outstanding2['roles/editor'])), scanner_rules.RuleViolation( rule_index=2, rule_name='required rule', resource_id=self.project1.id, resource_type=self.project1.type, violation_type='REMOVED', role='roles/viewer', members=tuple([ IamPolicyMember.create_from( 'user:[email protected]') ])) ]) self.assertItemsEqual(expected_violations, actual_violations)
def test_member_create_from_domain_is_correct(self): member = IamPolicyMember.create_from('domain:xyz.edu') self.assertEqual('domain', member.type) self.assertEqual('xyz.edu', member.name) self.assertEqual('^xyz\\.edu$', member.name_pattern.pattern)
def test_org_self_rules_work_with_org_child_rules(self): """Test org "self" whitelist works with org "children" whitelist Test hierarchical rules. Setup: * Create a RulesEngine with RULES4 rule set. * Create policy. Expected result: * Find 3 rule violations. """ # actual rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml') rules_engine = ire.IamRulesEngine(rules_local_path) rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES4, self.fake_timestamp) rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() find_ancestor_mock = mock.MagicMock(side_effect=[[], [self.org789]]) rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ find_ancestor_mock org_policy = { 'bindings': [{ 'role': 'roles/owner', 'members': [ 'user:[email protected]', 'user:[email protected]', ] }] } project_policy = { 'bindings': [{ 'role': 'roles/editor', 'members': [ 'user:[email protected]', 'user:[email protected]', ] }] } actual_violations = set( itertools.chain( rules_engine.find_policy_violations(self.org789, org_policy), rules_engine.find_policy_violations(self.project1, project_policy))) # expected expected_outstanding_org = { 'roles/owner': [IamPolicyMember.create_from('user:[email protected]')] } expected_outstanding_proj = { 'roles/editor': [IamPolicyMember.create_from('user:[email protected]')] } expected_violations = set([ scanner_rules.RuleViolation( rule_index=0, rule_name='org whitelist', resource_id=self.org789.id, resource_type=self.org789.type, violation_type='ADDED', role=org_policy['bindings'][0]['role'], members=tuple(expected_outstanding_org['roles/owner'])), scanner_rules.RuleViolation( rule_index=1, rule_name='project whitelist', resource_id=self.project1.id, resource_type=self.project1.type, violation_type='ADDED', role=project_policy['bindings'][0]['role'], members=tuple(expected_outstanding_proj['roles/editor'])), ]) self.assertItemsEqual(expected_violations, actual_violations)
def test_is_matching_domain_success(self): member = IamPolicyMember.create_from('domain:xyz.edu') other = IamPolicyMember.create_from('user:[email protected]') self.assertTrue(member._is_matching_domain(other))