def test_backend_service(self):
    """Test backend_service.Key.

    Checks that the key derived from a BackendService object equals the
    key parsed from the matching resource URL, for a global and a
    regional backend service, and that Key.from_url rejects URLs that
    lack the expected projects/.../backendServices path with ValueError.
    """
    base = 'https://www.googleapis.com/compute/v1/'
    global_url = base + 'projects/foo/global/backendServices/bar'
    regional_url = base + 'projects/foo/regions/bar/backendServices/baz'

    global_service = backend_service.BackendService(project_id='foo',
                                                    name='bar')
    regional_service = backend_service.BackendService(
        project_id='foo', region='bar', name='baz')

    # A global service is keyed with region=None.
    expected_global_key = key.Key(
        backend_service.KEY_OBJECT_KIND,
        {'project_id': 'foo', 'name': 'bar', 'region': None})
    expected_regional_key = key.Key(
        backend_service.KEY_OBJECT_KIND,
        {'project_id': 'foo', 'name': 'baz', 'region': 'bar'})

    self.assertEqual(expected_global_key, global_service.key)
    self.assertEqual(expected_global_key,
                     backend_service.Key.from_url(global_url))
    self.assertEqual(expected_regional_key, regional_service.key)
    self.assertEqual(expected_regional_key,
                     backend_service.Key.from_url(regional_url))

    # Malformed URLs: one stops at the project segment, the other has no
    # project segment at all. Both must be rejected rather than parsed
    # into a partially-filled key.
    for bad_url in (base + 'projects/foo', base + 'backendServices/foo'):
        with self.assertRaises(ValueError):
            backend_service.Key.from_url(bad_url)
def test_direct_access_violation(self):
    """A direct access source on an IAP-enabled service is reported.

    The rule is built with the pattern '^.*' (presumably the
    resource-matching pattern of ire.Rule; confirm against ire). The
    resource has no alternate services, so the only expected mismatch
    is the single direct access source, with the alternate-services and
    iap_enabled fields of the violation left clean.
    """
    rule = ire.Rule('my rule', 0, [], [], '^.*')
    resource_rule = ire.ResourceRules(
        self.org789, rules={rule}, applies_to='self_and_children')
    direct_source = 'some-tag'
    service = backend_service.BackendService(
        full_name='fake_full_name111',
        project_id=self.project1.id,
        name='bs1')
    iap_resource = iap_scanner.IapResource(
        project_full_name='',
        backend_service=service,
        alternate_services=set(),
        direct_access_sources={direct_source},
        iap_enabled=True)

    results = list(resource_rule.find_mismatches(service, iap_resource))

    expected = ire.RuleViolation(
        resource_type=resource_mod.ResourceType.BACKEND_SERVICE,
        resource_name='bs1',
        resource_id=service.resource_id,
        full_name='fake_full_name111',
        rule_name=rule.rule_name,
        rule_index=rule.rule_index,
        violation_type='IAP_VIOLATION',
        alternate_services_violations=[],
        direct_access_sources_violations=[direct_source],
        iap_enabled_violation=False,
        # Serialized resource; "id" shows up as the string "None",
        # presumably because the service was built without an id.
        resource_data=('{"full_name": "fake_full_name111", "id": "None", '
                       '"name": "bs1"}'))
    self.assertEqual([expected], results)
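def test_no_violations(self):
    """A clean IAP-enabled service produces no violations.

    With no alternate services and no direct access sources, a rule
    built with the pattern '^.*$' (presumably the resource-matching
    pattern of ire.Rule; confirm against ire) is expected to report
    nothing.
    """
    rule = ire.Rule('my rule', 0, [], [], '^.*$')
    resource_rule = ire.ResourceRules(
        self.org789, rules={rule}, applies_to='self_and_children')
    service = backend_service.BackendService(
        project_id=self.project1.id, name='bs1')
    iap_resource = iap_scanner.IapResource(
        project_full_name='',
        backend_service=service,
        alternate_services=set(),
        direct_access_sources=set(),
        iap_enabled=True)

    results = list(resource_rule.find_mismatches(service, iap_resource))

    # assertEquals is a deprecated alias of assertEqual and is removed
    # in Python 3.12; use the canonical name.
    self.assertEqual([], results)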
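def test_violations_iap_disabled(self):
    """If IAP is disabled, don't report other violations.

    The resource carries both an alternate service and a direct access
    source, yet find_mismatches is expected to return an empty list
    because iap_enabled is False.

    NOTE(review): this test only pins that the bypass paths are not
    itemised when IAP is off; it does not cover how an IAP-disabled
    service itself is reported. Confirm that contract is tested
    elsewhere.
    """
    rule = ire.Rule('my rule', 0, [], [], '^.*')
    resource_rule = ire.ResourceRules(
        self.org789, rules={rule}, applies_to='self_and_children')
    service = backend_service.BackendService(
        full_name='fake_full_name111',
        project_id=self.project1.id,
        name='bs1')
    alternate_service = backend_service.Key.from_args(
        project_id=self.project1.id, name='bs2')
    iap_resource = iap_scanner.IapResource(
        project_full_name='',
        backend_service=service,
        alternate_services={alternate_service},
        direct_access_sources={'some-tag'},
        iap_enabled=False)

    results = list(resource_rule.find_mismatches(service, iap_resource))

    # assertEquals is a deprecated alias of assertEqual and is removed
    # in Python 3.12; use the canonical name.
    self.assertEqual([], results)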
from google.cloud.forseti.scanner.scanners import base_scanner from google.cloud.forseti.scanner.scanners import iap_scanner from google.cloud.forseti.services.dao import ModelManager # pylint: disable=bad-indentation BACKEND_SERVICES = { # The main backend service. 'bs1': backend_service_type.BackendService( project_id='foo', name='bs1', backends=[{ 'group': ('https://www.googleapis.com/compute/v1/' 'projects/foo/regions/wl-redqueen1/' 'instanceGroups/ig_managed') }, { 'group': ('https://www.googleapis.com/compute/v1/' 'projects/foo/regions/wl-redqueen1/' 'instanceGroups/ig_unmanaged') }], iap={'enabled': True}, port=80, port_name='http', ), # Another backend service that connects to the same backend. 'bs1_same_backend': backend_service_type.BackendService( project_id='foo', name='bs1_same_backend', backends=[{ 'group': ('https://www.googleapis.com/compute/v1/' 'projects/foo/regions/wl-redqueen1/'