def test_direct_access_violation(self):
rule = ire.Rule('my rule', 0, [], [], '^.*')
resource_rule = ire.ResourceRules(self.org789,
rules=set([rule]),
applies_to='self_and_children')
direct_source = 'some-tag'
service = backend_service.BackendService(
full_name='fake_full_name111',
project_id=self.project1.id,
name='bs1')
iap_resource = iap_scanner.IapResource(
project_full_name='',
backend_service=service,
alternate_services=set(),
direct_access_sources=set([direct_source]),
iap_enabled=True)
results = list(resource_rule.find_mismatches(service,
iap_resource))
expected_violations = [
ire.RuleViolation(
resource_type=resource_mod.ResourceType.BACKEND_SERVICE,
resource_name='bs1',
resource_id=service.resource_id,
full_name='fake_full_name111',
rule_name=rule.rule_name,
rule_index=rule.rule_index,
violation_type='IAP_VIOLATION',
alternate_services_violations=[],
direct_access_sources_violations=[direct_source],
iap_enabled_violation=False,
resource_data='{"full_name": "fake_full_name111", "id": "None", "name": "bs1"}'),
]
self.assertEqual(expected_violations, results)
def test_add_single_rule_builds_correct_map(self):
"""Test that adding a single rule builds the correct map."""
rule_book = ire.IapRuleBook(
{}, test_iap_rules.RULES1, self.fake_timestamp)
actual_rules = rule_book.resource_rules_map
rule = ire.Rule('my rule', 0, [], [], '^.*$')
expected_org_rules = ire.ResourceRules(self.org789,
rules=set([rule]),
applies_to='self_and_children')
expected_proj1_rules = ire.ResourceRules(self.project1,
rules=set([rule]),
applies_to='self')
expected_proj2_rules = ire.ResourceRules(self.project2,
rules=set([rule]),
applies_to='self')
expected_rules = {
(self.org789, 'self_and_children'): expected_org_rules,
(self.project1, 'self'): expected_proj1_rules,
(self.project2, 'self'): expected_proj2_rules
}
self.assertEqual(expected_rules, actual_rules)
def test_no_violations(self):
rule = ire.Rule('my rule', 0, [], [], '^.*$')
resource_rule = ire.ResourceRules(self.org789,
rules=set([rule]),
applies_to='self_and_children')
service = backend_service.BackendService(project_id=self.project1.id,
name='bs1')
iap_resource = iap_scanner.IapResource(project_full_name='',
backend_service=service,
alternate_services=set(),
direct_access_sources=set(),
iap_enabled=True)
results = list(resource_rule.find_mismatches(service, iap_resource))
self.assertEquals([], results)
def test_violations_iap_disabled(self):
"""If IAP is disabled, don't report other violations."""
rule = ire.Rule('my rule', 0, [], [], '^.*')
resource_rule = ire.ResourceRules(self.org789,
rules=set([rule]),
applies_to='self_and_children')
service = backend_service.BackendService(full_name='fake_full_name111',
project_id=self.project1.id,
name='bs1')
alternate_service = backend_service.Key.from_args(
project_id=self.project1.id, name='bs2')
iap_resource = iap_scanner.IapResource(
project_full_name='',
backend_service=service,
alternate_services=set([alternate_service]),
direct_access_sources=set(['some-tag']),
iap_enabled=False)
results = list(resource_rule.find_mismatches(service, iap_resource))
expected_violations = []
self.assertEquals(expected_violations, results)