def _read_from_config(self, config_file_path=None):
"""Read from the forseti configuration file.
Args:
config_file_path (str): Forseti server config file path
Returns:
tuple(dict, str): (Forseti server configuration, Error message)
"""
# if config_file_path is not passed in, we will use the default
# configuration path that was passed in during the initialization
# of the server.
forseti_config_path = config_file_path or self.forseti_config_file_path
forseti_config = {}
err_msg = ''
try:
forseti_config = file_loader.read_and_parse_file(
forseti_config_path)
except (AttributeError, IOError):
err_msg = ('Unable to open Forseti Security config file. Please '
'check your path and filename and try again.')
LOGGER.exception(err_msg)
return forseti_config, err_msg
def enforce_single_project(enforcer, project_id, policy_filename):
"""Runs the enforcer on a single project.
Args:
enforcer (BatchFirewallEnforcer): An instance of the
batch_enforcer.BatchFirewallEnforcer class.
project_id (str): The project to enforce.
policy_filename (str): The json encoded file to read the firewall policy
from.
Raises:
InvalidParsedPolicyFileError: When the policy file can't be parsed.
Returns:
EnforcerLogProto: A instance of the proto.
"""
policy = file_loader.read_and_parse_file(policy_filename)
if not isinstance(policy, list):
raise InvalidParsedPolicyFileError(
'Invalid parsed policy file: found %s expected list' %
type(policy))
project_policies = [(project_id, policy)]
enforcer_results = enforcer.run(project_policies)
for result in enforcer_results.results:
result.gce_firewall_enforcement.policy_path = policy_filename
result.run_context = enforcer_log_pb2.ENFORCER_ONE_PROJECT
return enforcer_results
def get_default_endpoint(self):
"""Get server address.
Returns:
str: Forseti server endpoint
"""
default_env_variable = 'FORSETI_CLIENT_CONFIG'
try:
conf_path = os.environ[default_env_variable]
configs = file_loader.read_and_parse_file(conf_path)
server_ip = configs.get('server_ip')
if server_ip:
return '{}:50051'.format(server_ip)
except KeyError:
LOGGER.info(
'Unable to read environment variable: %s, will use '
'the default endpoint instead, endpoint: %s',
default_env_variable, self.DEFAULT_ENDPOINT)
except IOError:
LOGGER.info(
'Unable to open file: %s, will use the default '
'endpoint instead, endpoint: %s', conf_path,
self.DEFAULT_ENDPOINT)
return self.DEFAULT_ENDPOINT
def _load_rule_definitions(self):
"""Load the rule definitions file from GCS or local filesystem.
Returns:
dict: The parsed dict from the rule definitions file.
"""
LOGGER.debug('Loading %r rules from %r', self, self.full_rules_path)
rules = file_loader.read_and_parse_file(self.full_rules_path)
LOGGER.debug('Got rules: %r', rules)
return rules
def run(self):
"""Runs the groups scanner."""
root = self._retrieve()
group_rules = file_loader.read_and_parse_file(self.rules)
root = self._apply_all_rules(root, group_rules)
all_violations = self._find_violations(root)
self._output_results(all_violations)
def main():
"""The main entry point for Forseti Security Enforcer runner."""
arg_parser = argparse.ArgumentParser()
arg_parser.add_argument(
'--forseti_config',
default='/home/ubuntu/forseti-security/configs/'
'forseti_conf_server.yaml',
help='Fully qualified path and filename of the Forseti config file.')
arg_parser.add_argument(
'--enforce_project', default=None,
help='A single projectId to enforce the firewall on.'
' Must be used with the policy_file flag.')
arg_parser.add_argument(
'--policy_file', default=None,
help='A json encoded policy file to enforce,'
' must contain a list of Firewall resources to'
'apply to the project. If in a GCS bucket, '
'include full path, e.g. '
'"gs://<bucketname>/path/to/file".')
arg_parser.add_argument(
'--dry_run', default=False,
help='If True will simulate the changes and not change'
'any policies.')
arg_parser.add_argument(
'--concurrent_threads', default=10,
help='The number concurrent worker threads to use.')
arg_parser.add_argument(
'--maximum_firewall_write_operations', default=10,
help='The maximum number of in flight write operations'
'on project firewalls. Each running thread is '
'allowed up to this many running operations, '
'so to limit the over all number of operations, '
'limit the number of write threads using the'
' maximum_project_writer_threads flag.')
arg_parser.add_argument(
'--maximum_project_writer_threads', default=1,
help='The maximum number of projects with active write '
'operations on project firewalls.')
flags = vars(arg_parser.parse_args())
forseti_config = flags['forseti_config']
if forseti_config is None:
LOGGER.error('Path to Forseti Security config needs to be specified.')
sys.exit()
try:
configs = file_loader.read_and_parse_file(forseti_config)
except IOError:
LOGGER.exception('Unable to open Forseti Security config file. '
'Please check your path and filename and try again.')
sys.exit()
global_configs = configs.get('global')
enforcer = initialize_batch_enforcer(
global_configs, flags['concurrent_threads'],
flags['maximum_project_writer_threads'],
flags['maximum_firewall_write_operations'],
flags['dry_run']
)
if flags['enforce_project'] and flags['policy_file']:
enforcer_results = enforce_single_project(enforcer,
flags['enforce_project'],
flags['policy_file'])
print enforcer_results
else:
print 'Batch mode not implemented yet.'
