def test_violations_for_rules_on_wildcard(self):
        """A forsetiBigqueryViewer that does not satisfy the wildcard rule is reported.

        The rule book comes from ``yaml_str_multiple_rules_on_projects`` on the
        test class (not visible in this block). The fake role is created under
        PROJECT1 with two bigquery permissions; the docstring of the original
        test calls this role "incorrect", and the expected result is a single
        violation against rule index 0, ``'forsetiBigqueryViewer rule'``.
        """
        engine = get_rules_engine_with_rule(
            RoleRulesEngineTest.yaml_str_multiple_rules_on_projects)
        # Sanity check: the YAML must have produced at least one rule,
        # otherwise the violation assertion below would fail for the
        # wrong reason.
        self.assertTrue(len(engine.rule_book.rules_map) >= 1)

        role_builder = frsd.FakeRoleDataCreater(
            'forsetiBigqueryViewer',
            ["bigquery.datasets.get", "bigquery.tables.list"], frsd.PROJECT1)
        role = role_builder.get_resource()

        found = list(engine.find_violations(role))
        expected = [
            frsd.generate_violation(role, 0, 'forsetiBigqueryViewer rule')
        ]
        self.assertEqual(found, expected)
    def test_violations_for_rules(self):
        """A forsetiCloudsqlViewer in project 1 with non-matching permissions is reported.

        Uses the same multi-rule YAML as the wildcard test
        (``yaml_str_multiple_rules_on_projects`` on the test class, outside
        this block). The fake role carries ``cloudsql.databases.*``
        permissions; the expected violation names rule index 1,
        ``'forsetiCloudsqlViewer rule backupRuns'``.
        """
        engine = get_rules_engine_with_rule(
            RoleRulesEngineTest.yaml_str_multiple_rules_on_projects)
        # Sanity check that the rule book is non-empty before matching.
        self.assertTrue(len(engine.rule_book.rules_map) >= 1)

        role_builder = frsd.FakeRoleDataCreater(
            'forsetiCloudsqlViewer',
            ["cloudsql.databases.get", "cloudsql.databases.list"],
            frsd.PROJECT1)
        role = role_builder.get_resource()

        found = list(engine.find_violations(role))
        expected = [
            frsd.generate_violation(role, 1,
                                    'forsetiCloudsqlViewer rule backupRuns')
        ]
        self.assertEqual(found, expected)
    def test_retrieve_and_find_violation(self):
        """End-to-end scanner run over a YAML file holding three rules.

        Rule 0 scopes forsetiBigqueryViewer to project def-project-1, rule 1
        scopes forsetiCloudsqlViewer to any organization (``'*'``), and rule 2
        targets the role anotherForsetiRole by name. Four fake roles are
        served through a mocked data-access layer; ``_retrieve`` and
        ``_find_violations`` are then expected to yield exactly two
        violations, one for rule index 1 and one for rule index 2.

        Neither forsetiBigqueryViewer role appears in the expected set: the
        PROJECT1 one carries exactly the permissions rule 0 lists, and the
        PROJECT2 one is outside rule 0's resource scope (presumably why it is
        not flagged — the scope semantics live in the rules engine, not here).
        """

        rules_text = """
rules:
  - role_name: "forsetiBigqueryViewer"
    name: "forsetiBigqueryViewer rule"
    permissions:
    - "bigquery.datasets.get"
    - "bigquery.tables.get"
    - "bigquery.tables.list"
    resource:
    - type: project
      resource_ids: ['def-project-1']
  - role_name: "forsetiCloudsqlViewer"
    name: "forsetiCloudsqlViewer rule"
    permissions:
    - "cloudsql.backupRuns.get"
    - "cloudsql.backupRuns.list"
    resource:
    - type: organization
      resource_ids: ['*']
  - role_name: "anotherForsetiRole"
    name: "All anotherForsetiRole from everywhere must obey this rule"
    permissions:
    - "cloudsql.instances.get"
    - "cloudsql.instances.list"
    resource:
    - type: role
      resource_ids: ['anotherForsetiRole']

"""

        # The CloudsqlViewer and anotherForsetiRole entries each carry one
        # permission beyond what their rule lists; those two are the
        # expected violations.
        roles = [
            frsd.FakeRoleDataInput(
                name='forsetiBigqueryViewer',
                permission=[
                    'bigquery.datasets.get',
                    'bigquery.tables.get',
                    'bigquery.tables.list'
                ],
                parent=frsd.PROJECT1),
            frsd.FakeRoleDataInput(
                name='forsetiBigqueryViewer',
                permission=['bigquery.datasets.get', 'bigquery.tables.list'],
                parent=frsd.PROJECT2),
            frsd.FakeRoleDataInput(
                name='forsetiCloudsqlViewer',
                permission=[
                    'cloudsql.backupRuns.get',
                    'cloudsql.backupRuns.list',
                    'cloudsql.instances.get'
                ],
                parent=frsd.PROJECT1),
            frsd.FakeRoleDataInput(
                name='anotherForsetiRole',
                permission=[
                    'cloudsql.instances.get',
                    'cloudsql.instances.list',
                    'bigquery.tables.list'
                ],
                parent=frsd.PROJECT2),
        ]

        bucket = get_mock_role(roles)

        # The scanner reads its rules from a path, so the YAML is written to
        # a temp file that lives for the duration of the with-block.
        with tempfile.NamedTemporaryFile(suffix='.yaml') as rules_file:
            rules_file.write(rules_text.encode())
            rules_file.flush()
            fake_roles = bucket(None, 'role')

            self.scanner = role_scanner.RoleScanner(
                {}, {}, mock.MagicMock(), '', '', rules_file.name)

            # scanner_iter is routed to the fake bucket so _retrieve() sees
            # the roles above instead of a real model.
            data_access = mock.MagicMock()
            data_access.scanner_iter.side_effect = bucket

            service_config = mock.MagicMock()
            service_config.model_manager = mock.MagicMock()
            service_config.model_manager.get.return_value = (
                mock.MagicMock(), data_access)
            self.scanner.service_config = service_config

            retrieved = self.scanner._retrieve()
            violations = self.scanner._find_violations(retrieved)

            # Index the fake resources by id so expected violations can be
            # built from the same objects the scanner saw.
            by_id = {resource.id: resource for resource in fake_roles}

            expected = {
                frsd.generate_violation(by_id['forsetiCloudsqlViewer'], 1,
                                        'forsetiCloudsqlViewer rule'),
                frsd.generate_violation(
                    by_id['anotherForsetiRole'], 2,
                    'All anotherForsetiRole from everywhere must obey this rule'
                ),
            }

            self.assertEqual(expected, set(violations))
    def test_violations_on_rules_with_multiple_resource_ids(self):
        """A single rule listing two project ids is enforced in both projects.

        The rule scopes forsetiBigqueryViewer to def-project-1 and
        def-project-2. Two fake roles share that name: the PROJECT1 one has
        exactly the listed permissions, the PROJECT2 one lacks
        ``bigquery.tables.get``. Only the PROJECT2 role is expected to be
        flagged (rule index 0), and its flattened record is checked
        field-by-field, including the JSON-encoded ``violation_data`` and
        ``resource_data``.

        Note that both fake roles have the same ``id``, so the lookup dict
        built below keeps whichever comes last (PROJECT2); that is the
        resource the expected violation and the flattened
        ``resource_name`` (``projects/def-project-2/...``) refer to.
        """

        rules_text = """
rules:
  - role_name: "forsetiBigqueryViewer"
    name: "forsetiBigqueryViewer rule"
    permissions:
    - "bigquery.datasets.get"
    - "bigquery.tables.get"
    - "bigquery.tables.list"
    resource:
    - type: project
      resource_ids: ['def-project-1', 'def-project-2']

"""

        roles = [
            frsd.FakeRoleDataInput(
                name='forsetiBigqueryViewer',
                permission=[
                    'bigquery.datasets.get',
                    'bigquery.tables.get',
                    'bigquery.tables.list'
                ],
                parent=frsd.PROJECT1),
            frsd.FakeRoleDataInput(
                name='forsetiBigqueryViewer',
                permission=['bigquery.datasets.get', 'bigquery.tables.list'],
                parent=frsd.PROJECT2),
        ]

        bucket = get_mock_role(roles)

        # The scanner takes a rules path, so the YAML goes into a temp file
        # that is removed when the with-block exits.
        with tempfile.NamedTemporaryFile(suffix='.yaml') as rules_file:
            rules_file.write(rules_text.encode())
            rules_file.flush()
            fake_roles = bucket(None, 'role')

            self.scanner = role_scanner.RoleScanner(
                {}, {}, mock.MagicMock(), '', '', rules_file.name)

            # Route scanner_iter to the fake bucket so _retrieve() reads the
            # roles defined above.
            data_access = mock.MagicMock()
            data_access.scanner_iter.side_effect = bucket

            service_config = mock.MagicMock()
            service_config.model_manager = mock.MagicMock()
            service_config.model_manager.get.return_value = (
                mock.MagicMock(), data_access)
            self.scanner.service_config = service_config

            retrieved = self.scanner._retrieve()
            violations = self.scanner._find_violations(retrieved)

            # Last write wins for duplicate ids (see docstring).
            by_id = {resource.id: resource for resource in fake_roles}

            expected = {
                frsd.generate_violation(by_id['forsetiBigqueryViewer'], 0,
                                        'forsetiBigqueryViewer rule'),
            }

            self.assertEqual(expected, set(violations))

            # Flattened form is what gets persisted; pin every field,
            # including the serialized permission list and resource payload.
            expected_flattened = [{
                'resource_name':
                'projects/def-project-2/roles/forsetiBigqueryViewer',
                'resource_id':
                'forsetiBigqueryViewer',
                'resource_type':
                'role',
                'full_name':
                'organization/123456/project/def-project-2/role/forsetiBigqueryViewer/',
                'rule_index':
                0,
                'rule_name':
                'forsetiBigqueryViewer rule',
                'violation_type':
                'CUSTOM_ROLE_VIOLATION',
                'violation_data':
                '["bigquery.datasets.get", "bigquery.tables.list"]',
                'resource_data':
                '{"name": "projects/def-project-2/roles/forsetiBigqueryViewer", "includedPermissions": ["bigquery.datasets.get", "bigquery.tables.list"]}'
            }]
            flattened = list(self.scanner._flatten_violations(expected))
            self.assertEqual(flattened, expected_flattened)