    def test_to_full_resource_name(self):
        """Check to_full_resource_name joins parent and child with a trailing slash."""
        cases = (
            # (parent full name, child type name, expected full name)
            ('', 'foo/bar', 'foo/bar/'),
            ('foo/bar/', 'bar/baz', 'foo/bar/bar/baz/'),
        )
        for parent_name, child_name, expected in cases:
            self.assertEqual(
                to_full_resource_name(parent_name, child_name), expected)
    def _convert_iam_policy(self, iam_policy):
        """Store an IAM policy as a resource row in the session.

        Args:
            iam_policy (object): IAM policy to store.
        """
        parent_full_name = self._get_parent(iam_policy)[1]
        parent_type_name = self._type_name(iam_policy)
        category = iam_policy.get_category()
        # The parent type name is '/'-separated; the policy's type name
        # embeds it with ':' separators instead.
        policy_type_name = to_type_name(
            category, parent_type_name.replace('/', ':'))
        policy_full_name = to_full_resource_name(parent_full_name,
                                                 policy_type_name)
        self.session.add(self.dao.TBL_RESOURCE(
            cai_resource_name=iam_policy.get_cai_resource_name(),
            cai_resource_type=iam_policy.get_cai_resource_type(),
            full_name=policy_full_name,
            type_name=policy_type_name,
            name=iam_policy.get_resource_id(),
            type=category,
            data=iam_policy.get_resource_data_raw(),
            parent_type_name=parent_type_name))
    def _convert_resource(self,
                          resource,
                          cached=False,
                          display_key='name',
                          email_key='email'):
        """Store a crawled resource as a database row in the session.

        Args:
            resource (dict): A resource to store.
            cached (bool): Set to true for resources that have child resources
                or policies associated with them.
            display_key (str): The key in the resource dictionary to lookup to
                get the display name for the resource.
            email_key (str): The key in the resource dictionary to lookup to get
                the email associated with the resource.
        """
        data = resource.get_resource_data()
        parent = None
        if self._is_root(resource):
            # A root resource has no parent, so its full name starts from ''.
            type_name = self._type_name(resource)
            full_res_name = to_full_resource_name('', type_name)
        else:
            parent, full_res_name, type_name = self._full_resource_name(
                resource)
        fields = {
            'full_name': full_res_name,
            'type_name': type_name,
            'name': resource.get_resource_id(),
            'type': resource.get_resource_type(),
            'display_name': data.get(display_key, ''),
            'email': data.get(email_key, ''),
            'data': resource.get_resource_data_raw(),
            'parent': parent,
        }
        row = self.dao.TBL_RESOURCE(**fields)
        self.session.add(row)
        # Cached rows are kept around so child resources/policies can be
        # attached to them later.
        if cached:
            self._add_to_cache(row, resource.id)
    def _get_policy_full_name(cls, resource, policy_name):
        """Create a full name for a resource policy.

        Args:
            resource (Resource): Crawled resource.
            policy_name (str): The category name for the policy data.

        Returns:
            str: A full name for the policy, built from the resource's full
                name and a type name derived from policy_name and the
                resource key.
        """
        policy_type_name = utils.to_type_name(policy_name, resource.key())
        parent_full_name = resource.get_full_resource_name()
        return utils.to_full_resource_name(parent_full_name, policy_type_name)
    def find_violations(self, resource, log_sinks):
        """Yield Log Sink violations of this rule for ``resource``.

        Args:
            resource (gcp_type): The resource that the log sinks belong to.
            log_sinks (list): list of log sinks for resource.

        Yields:
            namedtuple: A RuleViolation for each violation found.
        """
        mode = self.rule['mode']
        rule_sink = self.rule['sink']
        if mode == _REQUIRED:
            # A missing required sink is reported against the parent resource
            # itself, since there is no sink to point at.
            if not _required_sink_missing(rule_sink, log_sinks):
                return
            yield self.RuleViolation(
                resource_name=resource.id,
                resource_type=resource.type,
                resource_id=resource.id,
                full_name=resource.full_name,
                rule_name=self.rule_name,
                rule_index=self.rule_index,
                violation_type=VIOLATION_TYPE,
                sink_destination=rule_sink['destination'],
                sink_filter=rule_sink['filter'],
                sink_include_children=rule_sink['include_children'],
                resource_data='')
            return

        # Whitelist/blacklist violations are reported per offending sink.
        find_offending = (_find_whitelist_violations if mode == _WHITELIST
                          else _find_blacklist_violations)
        for sink in find_offending(rule_sink, log_sinks):
            yield self.RuleViolation(
                resource_name=sink.name,
                resource_type=sink.type,
                resource_id=sink.id,
                full_name=to_full_resource_name(resource.full_name, sink.id),
                rule_name=self.rule_name,
                rule_index=self.rule_index,
                violation_type=VIOLATION_TYPE,
                sink_destination=sink.destination,
                sink_filter=sink.sink_filter,
                sink_include_children=sink.include_children,
                resource_data=sink.raw_json)
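    def _full_resource_name(self, resource):
        """Return the parent object, full resource name and type name.

        Args:
            resource (object): Resource whose full resource name and parent
                should be returned.

        Returns:
            tuple: ``(parent, full_resource_name, type_name)`` where
                ``parent`` is the parent object from ``_get_parent``,
                ``full_resource_name`` is the resource's full name built from
                the parent's full name and ``type_name``, and ``type_name``
                is the resource's type name from ``_type_name``.
        """
        type_name = self._type_name(resource)
        parent, parent_full_name = self._get_parent(resource)
        full_resource_name = to_full_resource_name(parent_full_name, type_name)
        return parent, full_resource_name, type_name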
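    def _convert_resource(self,
                          resource,
                          cached=False,
                          display_key='name',
                          email_key='email',
                          display_name=''):
        """Convert resource to a database object and add it to the session.

        Args:
            resource (Resource): A resource to store.
            cached (bool): Set to true for resources that have child resources
                or policies associated with them.
            display_key (str): The key in the resource dictionary to lookup to
                get the display name for the resource.
            email_key (str): The key in the resource dictionary to lookup to get
                the email associated with the resource.
            display_name (str): Display name of the resource; when non-empty
                it takes precedence over the display_key lookup.
        """
        data = resource.get_resource_data()
        # Resource data is not always a dict (e.g. org policy), so both the
        # display-name and email lookups fall back to '' in that case rather
        # than raising on a missing .get().
        attrs = data if isinstance(data, dict) else {}
        if self._is_root(resource):
            # A root resource has no parent, so its full name starts from ''.
            parent, type_name = None, self._type_name(resource)
            full_res_name = to_full_resource_name('', type_name)
        else:
            parent, full_res_name, type_name = self._full_resource_name(
                resource)
        row = self.dao.TBL_RESOURCE(
            cai_resource_name=resource.get_cai_resource_name(),
            cai_resource_type=resource.get_cai_resource_type(),
            full_name=full_res_name,
            type_name=type_name,
            name=resource.get_resource_id(),
            type=resource.get_resource_type(),
            # display_key is not present for org policy, so callers pass
            # display_name explicitly for those resources.
            display_name=display_name or attrs.get(display_key, ''),
            # email_key is not always present and may be empty (org policy).
            email=attrs.get(email_key, ''),
            data=resource.get_resource_data_raw(),
            parent=parent)

        self.session.add(row)
        # Cached rows are kept around so child resources/policies can be
        # attached to them later.
        if cached:
            self._add_to_cache(row, resource.id)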
    def _convert_service_config(self, service_config):
        """Store a Kubernetes Service Config as a resource row in the session.

        Args:
            service_config (object): A Service Config resource to store; its
                category is used as the stored resource type.
        """
        parent, parent_full_name = self._get_parent(service_config)
        category = service_config.get_category()
        # Unlike policies, the type name is keyed directly on the parent's
        # type name.
        type_name = to_type_name(category, parent.type_name)
        full_name = to_full_resource_name(parent_full_name, type_name)
        self.session.add(self.dao.TBL_RESOURCE(
            full_name=full_name,
            type_name=type_name,
            name=service_config.get_resource_id(),
            type=category,
            data=service_config.get_resource_data_raw(),
            parent=parent))
    def _convert_enabled_apis(self, enabled_apis):
        """Store a description of enabled APIs as a resource row.

        Args:
            enabled_apis (object): Enabled APIs description to store.
        """
        parent, parent_full_name = self._get_parent(enabled_apis)
        category = enabled_apis.get_category()
        # The parent type name is '/'-separated; it is embedded into this
        # resource's type name with ':' separators instead.
        type_name = to_type_name(category, parent.type_name.replace('/', ':'))
        full_name = to_full_resource_name(parent_full_name, type_name)
        fields = {
            'full_name': full_name,
            'type_name': type_name,
            'name': enabled_apis.get_resource_id(),
            'type': category,
            'data': enabled_apis.get_resource_data_raw(),
            'parent': parent,
        }
        self.session.add(self.dao.TBL_RESOURCE(**fields))
    def _convert_gcs_policy(self, gcs_policy):
        """Store a Cloud Storage bucket ACL policy as a resource row.

        Args:
            gcs_policy (object): Cloud Storage Bucket ACL policy to store.
        """
        parent, parent_full_name = self._get_parent(gcs_policy)
        category = gcs_policy.get_category()
        policy_id = gcs_policy.get_resource_id()
        # The policy's type name is keyed on its own resource id, not on the
        # parent's type name.
        type_name = to_type_name(category, policy_id)
        full_name = to_full_resource_name(parent_full_name, type_name)
        fields = {
            'full_name': full_name,
            'type_name': type_name,
            'name': policy_id,
            'type': category,
            'data': gcs_policy.get_resource_data_raw(),
            'parent': parent,
        }
        self.session.add(self.dao.TBL_RESOURCE(**fields))
    def _convert_dataset_policy(self, dataset_policy):
        """Store a BigQuery dataset policy as a resource row.

        Args:
            dataset_policy (object): Dataset policy to store.
        """
        # TODO: Dataset policies should be integrated in the model, not stored
        # as a resource.
        parent, parent_full_name = self._get_parent(dataset_policy)
        category = dataset_policy.get_category()
        policy_id = dataset_policy.get_resource_id()
        # The policy's type name is keyed on its own resource id, not on the
        # parent's type name.
        type_name = to_type_name(category, policy_id)
        full_name = to_full_resource_name(parent_full_name, type_name)
        self.session.add(self.dao.TBL_RESOURCE(
            full_name=full_name,
            type_name=type_name,
            name=policy_id,
            type=category,
            data=dataset_policy.get_resource_data_raw(),
            parent=parent))