def test_add_single_rule_builds_correct_map(self):
"""Test that adding a single rule builds the correct map."""
rule_book = ire.IamRuleBook(test_rules.RULES1, self.fake_timestamp)
actual_rules = rule_book.resource_rules_map
# expected
rule_bindings = [{
'role': 'roles/*',
'members': ['user:*@company.com']
}]
rule = scanner_rules.Rule(
'my rule',
0, [IamPolicyBinding.create_from(b) for b in rule_bindings],
mode='whitelist')
expected_org_rules = ire.ResourceRules(self.org789,
rules=set([rule]),
applies_to='self_and_children')
expected_proj1_rules = ire.ResourceRules(self.project1,
rules=set([rule]),
applies_to='self')
expected_proj2_rules = ire.ResourceRules(self.project2,
rules=set([rule]),
applies_to='self')
expected_rules = {
(self.org789, 'self_and_children'): expected_org_rules,
(self.project1, 'self'): expected_proj1_rules,
(self.project2, 'self'): expected_proj2_rules
}
self.assertEqual(expected_rules, actual_rules)
def test_policy_binding_matches_whitelist_rules(self):
"""Test that a policy binding matches the whitelist rules.
Setup:
* Create a test policy binding.
* Create a test rule binding.
* Create a whitelist rule with the test rules.
Expected results:
All policy binding members are in the whitelist.
"""
test_binding = {
'role':
'roles/owner',
'members': [
'user:[email protected]',
'user:[email protected]',
'group:[email protected]',
'serviceAccount:[email protected]',
]
}
rule_bindings = [{
'role':
'roles/owner',
'members': [
'user:*@company.com',
'user:abc@*.somewhere.com',
'group:*@googlegroups.com',
'serviceAccount:*@*.gserviceaccount.com',
]
}]
rule = scanner_rules.Rule(
'test rule',
0, [IamPolicyBinding.create_from(b) for b in rule_bindings],
mode='whitelist')
resource_rule = ire.ResourceRules(rules=[rule])
results = list(
resource_rule.find_mismatches(self.project1, test_binding))
self.assertEqual(0, len(results))
def test_policy_binding_mismatches_required_rules(self):
"""Test that a required list of members mismatches policy binding.
Setup:
* Create a test policy binding.
* Create a test rule binding.
* Create a required rule with the test rules.
Expected results:
All required members are found in the policy.
"""
test_binding = {
'role':
'roles/owner',
'members': [
'user:[email protected]',
'group:[email protected]',
'serviceAccount:[email protected]',
]
}
rule_bindings = [{
'role':
'roles/owner',
'members': [
'user:[email protected]',
'user:[email protected]',
]
}]
rule = scanner_rules.Rule(
'test rule',
0, [IamPolicyBinding.create_from(b) for b in rule_bindings],
mode='required')
resource_rule = ire.ResourceRules(resource=self.project1)
resource_rule.rules.add(rule)
results = list(
resource_rule.find_mismatches(self.project1, test_binding))
self.assertEqual(1, len(results))
def test_policy_binding_does_not_match_blacklist_rules(self):
"""Test that a policy binding does not match the blacklist.
Setup:
* Create a test policy binding.
* Create a test rule binding.
* Create a blacklist rule with the test rules.
Expected results:
No policy bindings found in the blacklist.
"""
test_binding = {
'role': 'roles/owner',
'members': [
'user:[email protected]',
]
}
rule_bindings = [{
'role':
'roles/owner',
'members': [
'user:*@company.com',
'user:abc@*.somewhere.com',
'group:*@googlegroups.com',
'serviceAccount:*@*.gserviceaccount.com',
]
}]
rule = scanner_rules.Rule(
'test rule',
0, [IamPolicyBinding.create_from(b) for b in rule_bindings],
mode='blacklist')
resource_rule = ire.ResourceRules(rules=[rule])
results = list(
resource_rule.find_mismatches(self.project1, test_binding))
self.assertEqual(0, len(results))
