 def test_forseti_service_generated_fields(self):
   """The forseti service fields are read back from the test deployment yaml.

   Loads TEST_YAML_CONTENT with the ruamel round-trip loader and checks that
   get_forseti_service_generated_fields() returns exactly the service account
   and server bucket recorded in it.
   """
   parsed_root = ruamel.yaml.YAML().load(TEST_YAML_CONTENT)
   got = field_generation.get_forseti_service_generated_fields(parsed_root)
   # NOTE(review): the service_account value below looks like a redacted
   # address in this listing; confirm the real expected value against the
   # fixture before relying on this assertion.
   want = {
       'service_account': '*****@*****.**',
       'server_bucket': 'gs://forseti-server-6fcf0fc/',
   }
   self.assertEqual(got, want)
def run(deployment_config, output_path=None):
    """Run the rule generator.

    Generate rules for all supported scanners based on the given deployment
    config and write them to the given output location.

    Args:
      deployment_config (dict): The loaded yaml deployment config.
      output_path (str): Path to a local directory or a GCS bucket path
        starting with gs://. When omitted, the forseti server bucket from the
        deployment config's generated fields is used.

    Raises:
      ValueError: If no output_path is given AND the deployment config has no
        forseti server bucket in its generated fields.

    Notes:
      The two destinations are not symmetric: a local directory receives the
      yaml files directly, while a gs:// destination receives them under a
      ``rules/`` prefix (``<output_path>/rules/*.yaml``). Only the ``gs://``
      prefix is inspected; the path is otherwise passed through unvalidated
      to _write_rules / gsutil.
    """
    destination = output_path
    if not destination:
        forseti_fields = field_generation.get_forseti_service_generated_fields(
            deployment_config)
        destination = forseti_fields.get('server_bucket')
        if not destination:
            # NOTE(review): the message names "forseti_server_bucket" while the
            # lookup above reads 'server_bucket' from the forseti service
            # fields; confirm which field name users are expected to set.
            raise ValueError(
                'Must provide an output path or set the "forseti_server_bucket" '
                'field in the overall generated_fields')

    if not destination.startswith('gs://'):
        # Local directory: the rule files are written straight into it.
        _write_rules(deployment_config, destination)
        return

    # GCS bucket: stage the files locally, then copy the yaml files under the
    # bucket's rules/ prefix. gsutil expands the *.yaml wildcard itself; no
    # shell is involved because the command is passed as an argv list.
    with tempfile.TemporaryDirectory() as staging_dir:
        _write_rules(deployment_config, staging_dir)
        logging.info('Copying rules files to %s', destination)
        runner.run_command([
            'gsutil',
            'cp',
            os.path.join(staging_dir, '*.yaml'),
            posixpath.join(destination, 'rules'),
        ])
 def grant_access(config):
   """Grant the Forseti service account its roles on the project.

   Looks up the generated Forseti service account in config.root and hands it
   to forseti.grant_access. Raises KeyError if the 'service_account' generated
   field is absent.

   NOTE(review): ``project_id`` is not a parameter here; it is resolved from an
   enclosing scope that is not visible in this listing -- confirm it is bound
   before this function runs.
   """
   generated_fields = field_generation.get_forseti_service_generated_fields(
       config.root)
   forseti.grant_access(project_id, generated_fields['service_account'])
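def get_iam_policy_cleanup(config):
  """Get cleanup commands for unexpected IAM bindings.

  Fetches the project's live IAM policy with ``gcloud projects get-iam-policy``,
  subtracts every binding the deployment config is expected to produce, and
  emits one ``gcloud projects remove-iam-policy-binding`` command per leftover
  (role, member) pair. Nothing is executed here; the commands are returned for
  review. Any binding that is not derived from the config is flagged, including
  bindings created outside this tool, so read the output before running it.

  Args:
    config: Deployment config wrapper. ``config.project`` is the project
      section (``project_id``, ``owners_group`` and ``auditors_group`` are
      required; ``editors_group`` and ``additional_project_permissions`` are
      optional) and ``config.root`` is the full parsed deployment yaml.

  Returns:
    Output: with ``cleanup_commands`` set to the list of removal command
    strings, ordered by role as found in the policy and by member within each
    role, so the output is deterministic.

  Raises:
    KeyError: If ``project_id``, ``owners_group`` or ``auditors_group`` is
      missing from ``config.project``.
  """
  # Function-scope import: the file's import block is outside this listing.
  import shlex

  project_id = config.project['project_id']
  policy_str = runner.run_gcloud_command(
      ['projects', 'get-iam-policy', project_id], project_id=project_id)
  policy = yaml.YAML().load(policy_str)

  # A project with no bindings at all comes back without a 'bindings' key;
  # treat that as an empty policy instead of failing with KeyError.
  existing_role_to_members = _get_role_to_members(policy.get('bindings', []))
  want_role_to_members = _get_role_to_members(
      _expected_bindings(config, project_id))

  for role, members in existing_role_to_members.items():
    # .get(): a role that exists on the project but is absent from the
    # expected set must not raise -- every one of its members is a cleanup
    # candidate. The set is updated in place; keys are not touched.
    members.difference_update(want_role_to_members.get(role, ()))

  # Member and role strings come from the live policy, not from this tool.
  # shlex.quote is a no-op for well-formed principals, role names and project
  # ids, but keeps the generated shell line intact if a value ever carries
  # shell metacharacters.
  cleanup_commands = [
      'gcloud projects remove-iam-policy-binding {project_id} '
      '--member={member} --role={role} --project={project_id}'.format(
          project_id=shlex.quote(project_id),
          member=shlex.quote(member),
          role=shlex.quote(role))
      for role, members in existing_role_to_members.items()
      for member in sorted(members)
  ]

  return Output(cleanup_commands=cleanup_commands)


def _expected_bindings(config, project_id):
  """Build the list of IAM bindings the deployment config is expected to create.

  Each entry is ``{'role': str, 'members': [str, ...]}`` in the shape of a
  policy binding. Included: the owners group (roles/owner when the deployment
  is under an organization, otherwise roles/resourcemanager.projectIamAdmin),
  the auditors group as roles/iam.securityReviewer, each editors group as
  roles/editor, every role/members pair under additional_project_permissions,
  and -- when the config has a forseti section with a generated service
  account -- that service account in each role forseti.get_forseti_roles()
  reports for the project.
  """
  # TODO: avoid duplication with data_project.py and rule generator
  # project config once we switch to CFT
  owners_group_role = ('roles/owner'
                       if 'organization_id' in config.root['overall'] else
                       'roles/resourcemanager.projectIamAdmin')
  bindings = [
      {
          'role': owners_group_role,
          'members': ['group:{}'.format(config.project['owners_group'])]
      },
      {
          'role': 'roles/iam.securityReviewer',
          'members': ['group:{}'.format(config.project['auditors_group'])]
      },
  ]
  if 'editors_group' in config.project:
    bindings.append({
        'role': 'roles/editor',
        'members': [
            'group:{}'.format(group)
            for group in config.project['editors_group']
        ],
    })
  for additional in config.project.get('additional_project_permissions', []):
    for role in additional['roles']:
      bindings.append({
          'role': role,
          'members': additional['members'],
      })
  if 'forseti' in config.root:
    forseti_service_account = (
        field_generation.get_forseti_service_generated_fields(
            config.root).get('service_account'))
    if forseti_service_account:
      for role in forseti.get_forseti_roles(project_id):
        bindings.append({
            'role': role,
            'members': ['serviceAccount:{}'.format(forseti_service_account)],
        })
  return bindings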