Exemplo n.º 1
    def test_backend_service(self):
        """Check backend_service.Key for objects and URLs alike.

        A global and a regional backend service must each produce the same
        key whether it is read from the resource object or parsed from the
        API URL. URLs lacking either the project or the backendServices
        segment must raise ValueError.
        """
        api_root = 'https://www.googleapis.com/compute/v1/'
        global_url = api_root + 'projects/foo/global/backendServices/bar'
        regional_url = (api_root +
                        'projects/foo/regions/bar/backendServices/baz')

        global_service = backend_service.BackendService(
            project_id='foo', name='bar')
        regional_service = backend_service.BackendService(
            project_id='foo', region='bar', name='baz')

        # A global service is keyed with an explicit region of None.
        global_key = key.Key(
            backend_service.KEY_OBJECT_KIND,
            {'project_id': 'foo', 'name': 'bar', 'region': None})
        regional_key = key.Key(
            backend_service.KEY_OBJECT_KIND,
            {'project_id': 'foo', 'name': 'baz', 'region': 'bar'})

        self.assertEqual(global_key, global_service.key)
        self.assertEqual(global_key,
                         backend_service.Key.from_url(global_url))
        self.assertEqual(regional_key, regional_service.key)
        self.assertEqual(regional_key,
                         backend_service.Key.from_url(regional_url))

        # Incomplete URLs must be rejected instead of yielding a partial key
        # that could be matched against the wrong resource.
        malformed_urls = (
            api_root + 'projects/foo',
            api_root + 'backendServices/foo',
        )
        for bad_url in malformed_urls:
            with self.assertRaises(ValueError):
                backend_service.Key.from_url(bad_url)
Exemplo n.º 2
 def test_direct_access_violation(self):
     """A direct-access source outside the rule's allowances is reported.

     IAP is enabled on the backend service, but one source ('some-tag') can
     still reach it directly. The rule is built with two empty lists --
     presumably the allowed alternate services and the allowed direct
     access sources; confirm against ire.Rule -- so the source must surface
     in direct_access_sources_violations of a single IAP_VIOLATION.
     """
     bypass_source = 'some-tag'
     iap_rule = ire.Rule('my rule', 0, [], [], '^.*')
     rules_for_org = ire.ResourceRules(
         self.org789, rules={iap_rule}, applies_to='self_and_children')

     bs = backend_service.BackendService(full_name='fake_full_name111',
                                         project_id=self.project1.id,
                                         name='bs1')
     scanned = iap_scanner.IapResource(
         project_full_name='',
         backend_service=bs,
         alternate_services=set(),
         direct_access_sources={bypass_source},
         iap_enabled=True)

     found = list(rules_for_org.find_mismatches(bs, scanned))

     # Only the direct-access list is populated: no alternate services were
     # supplied and the iap_enabled value itself is not flagged.
     wanted = ire.RuleViolation(
         resource_type=resource_mod.ResourceType.BACKEND_SERVICE,
         resource_name='bs1',
         resource_id=bs.resource_id,
         full_name='fake_full_name111',
         rule_name=iap_rule.rule_name,
         rule_index=iap_rule.rule_index,
         violation_type='IAP_VIOLATION',
         alternate_services_violations=[],
         direct_access_sources_violations=[bypass_source],
         iap_enabled_violation=False,
         resource_data='{"full_name": "fake_full_name111", "id": "None", "name": "bs1"}')
     self.assertEqual([wanted], found)
Exemplo n.º 3
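 def test_no_violations(self):
     """An IAP-enabled service with no bypass paths yields no violations.

     The resource has IAP enabled, no alternate services and no direct
     access sources, so find_mismatches must produce nothing.
     """
     rule = ire.Rule('my rule', 0, [], [], '^.*$')
     resource_rule = ire.ResourceRules(self.org789,
                                       rules={rule},
                                       applies_to='self_and_children')
     service = backend_service.BackendService(project_id=self.project1.id,
                                              name='bs1')
     iap_resource = iap_scanner.IapResource(project_full_name='',
                                            backend_service=service,
                                            alternate_services=set(),
                                            direct_access_sources=set(),
                                            iap_enabled=True)
     results = list(resource_rule.find_mismatches(service, iap_resource))
     # assertEquals is a deprecated alias that Python 3.12 removed; use the
     # supported spelling so the test keeps running instead of erroring out.
     self.assertEqual([], results)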
Exemplo n.º 4
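 def test_violations_iap_disabled(self):
     """If IAP is disabled, don't report other violations.

     The resource carries both an alternate service and a direct access
     source, yet with iap_enabled=False the expected result is empty.

     NOTE(review): the last Rule argument ('^.*') is presumably the pattern
     of allowed iap_enabled values -- confirm against ire.Rule. If so, this
     permissive pattern is why the disabled state is not flagged either; a
     policy that requires IAP needs a stricter pattern, or a service with
     IAP switched off produces no finding at all.
     """
     rule = ire.Rule('my rule', 0, [], [], '^.*')
     resource_rule = ire.ResourceRules(self.org789,
                                       rules={rule},
                                       applies_to='self_and_children')
     service = backend_service.BackendService(full_name='fake_full_name111',
                                              project_id=self.project1.id,
                                              name='bs1')
     alternate_service = backend_service.Key.from_args(
         project_id=self.project1.id, name='bs2')
     iap_resource = iap_scanner.IapResource(
         project_full_name='',
         backend_service=service,
         alternate_services={alternate_service},
         direct_access_sources={'some-tag'},
         iap_enabled=False)
     results = list(resource_rule.find_mismatches(service, iap_resource))
     expected_violations = []
     # assertEquals is a deprecated alias that Python 3.12 removed; use the
     # supported spelling so the test keeps running instead of erroring out.
     self.assertEqual(expected_violations, results)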
from google.cloud.forseti.scanner.scanners import base_scanner
from google.cloud.forseti.scanner.scanners import iap_scanner
from google.cloud.forseti.services.dao import ModelManager

# pylint: disable=bad-indentation
BACKEND_SERVICES = {
    # The main backend service.
    'bs1':
    backend_service_type.BackendService(
        project_id='foo',
        name='bs1',
        backends=[{
            'group': ('https://www.googleapis.com/compute/v1/'
                      'projects/foo/regions/wl-redqueen1/'
                      'instanceGroups/ig_managed')
        }, {
            'group': ('https://www.googleapis.com/compute/v1/'
                      'projects/foo/regions/wl-redqueen1/'
                      'instanceGroups/ig_unmanaged')
        }],
        iap={'enabled': True},
        port=80,
        port_name='http',
    ),
    # Another backend service that connects to the same backend.
    'bs1_same_backend':
    backend_service_type.BackendService(
        project_id='foo',
        name='bs1_same_backend',
        backends=[{
            'group': ('https://www.googleapis.com/compute/v1/'
                      'projects/foo/regions/wl-redqueen1/'