def test_generate_rules(self): # Project-specific whitelists are only generated for projects with a # non-empty list of enabled_apis. projects = [ scanner_test_utils.create_test_project( project_id='project_1', project_num=100000001, extra_fields={ 'enabled_apis': [ 'bigquery-json.googleapis.com', 'servicemanagement.googleapis.com', 'monitoring.googleapis.com', 'storage-api.googleapis.com', 'logging.googleapis.com', 'storage-component.googleapis.com' ] }), scanner_test_utils.create_test_project( project_id='project_2', project_num=100000002, extra_fields={'enabled_apis': []}), scanner_test_utils.create_test_project( project_id='project_3', project_num=100000003, extra_fields={'enabled_apis': ['pubsub.googleapis.com']}), scanner_test_utils.create_test_project( project_id='project_4', project_num=100000004, ), ] got_rules = easr.EnabledApisScannerRules().generate_rules( projects, scanner_test_utils.create_test_global_config()) want_rules = yaml.load(_EXPECTED_RULES_YAML) self.assertEqual(got_rules, want_rules)
def test_generate_rules(self): projects = [ scanner_test_utils.create_test_project(project_id='project-1', project_num=123456), scanner_test_utils.create_test_project( project_id='project-2', project_num=789012, extra_fields={ 'audit_logs': { 'logs_bigquery_dataset': { 'name': 'project_2_logs', 'location': 'US', }, }, }, audit_logs_project={ 'project_id': 'audit-logs', 'owners_group': '*****@*****.**', }) ] got_rules = lssr.LogSinkScannerRules().generate_rules( projects, scanner_test_utils.create_test_global_config()) want_rules = yaml.load(_EXPECTED_RULES_YAML) self.assertEqual(got_rules, want_rules)
def test_generate_rules(self): projects = [ scanner_test_utils.create_test_project( project_id='project_1', project_num=123456, extra_fields={ 'additional_project_permissions': [{ 'roles': ['roles/bigquery.dataViewer'], 'members': ['group:[email protected]'], }], 'data_buckets': [ { 'name_suffix': '-data' }, { 'name_suffix': '-more-data' }, { 'name_suffix': '-euro-data' }, ] }), scanner_test_utils.create_test_project( project_id='project_2', project_num=789012, extra_fields={ 'editors_groups': ['*****@*****.**'], 'data_readwrite_groups': ['*****@*****.**'], 'data_readonly_groups': [ '*****@*****.**', '*****@*****.**', ], 'data_buckets': [{ 'name_suffix': '-data' }], 'audit_logs': { 'logs_bigquery_dataset': { 'name': 'project_2_logs', 'location': 'US', }, }, }, audit_logs_project={ 'project_id': 'audit-logs', 'owners_group': '*****@*****.**', }), ] got_rules = isr.IamScannerRules.generate_rules( projects, scanner_test_utils.create_test_global_config()) want_rules = yaml.load(_EXPECTED_RULES_YAML) self.assertDictEqual(got_rules, want_rules)
def test_generate_rules_local_audit_logs(self): projects = [ scanner_test_utils.create_test_project( project_id='project-1', project_num=123456, extra_fields={ 'bigquery_datasets': [{ 'name': 'dataset', 'location': 'US', }], }, ), ] got_rules = location_scanner_rules.LocationScannerRules( ).generate_rules(projects, scanner_test_utils.create_test_global_config()) want_rules = yaml.load( _EXPECTED_RULES_YAML.format( global_resource_type='organization', global_resource_ids=['246801357924'], audit_logs_project_id='project-1', audit_logs_bucket_id='project-1-logs', audit_logs_dataset_id='project-1:audit_logs', )) self.assertEqual(got_rules, want_rules)
def test_generate_rules_project_with_local_audit_logs(self): projects = [scanner_test_utils.create_test_project( project_id='project_1', project_num=123456, extra_fields=TEST_DATASETS)] got_rules = bq_rules.BigQueryScannerRules().generate_rules( projects, scanner_test_utils.create_test_global_config()) want_rules = yaml.load('rules:\n{}\n{}\n{}'.format( EXPECTED_GLOBAL_RULES_YAML, EXPECTED_PROJECT_RULES_YAML, EXPECTED_LOCAL_AUDIT_PROJECT_YAML)) self.assertEqual(got_rules, want_rules)
def test_generate_rules_project_with_remote_audit_logs(self): expected_audit_project_yaml = """ - name: Whitelist for project project_1 audit logs mode: whitelist resource: - type: project resource_ids: - project_1-audit dataset_ids: - project_1-audit:audit_logs bindings: - role: OWNER members: - group_email: '*****@*****.**' - role: WRITER members: - user_email: '*****@*****.**' - role: READER members: - group_email: '*****@*****.**' """ extra_fields = { 'audit_logs': { 'logs_bigquery_dataset': { 'name': 'audit_logs', 'location': 'US', }, } } extra_fields.update(TEST_DATASETS) projects = [ scanner_test_utils.create_test_project( project_id='project_1', project_num=123456, extra_fields=extra_fields, audit_logs_project={ 'project_id': 'project_1-audit', 'owners_group': '*****@*****.**', }) ] got_rules = bq_rules.BigQueryScannerRules().generate_rules( projects, scanner_test_utils.create_test_global_config()) want_rules = yaml.load('rules:\n{}\n{}\n{}'.format( EXPECTED_GLOBAL_RULES_YAML.format( global_resource_type='organization', global_resource_ids=['246801357924']), EXPECTED_PROJECT_RULES_YAML, expected_audit_project_yaml)) self.assertEqual(got_rules, want_rules)
def test_generate_rules_no_org_id(self): global_config = scanner_test_utils.create_test_global_config() global_config.pop('organization_id') projects = [ scanner_test_utils.create_test_project(project_id='project_1', project_num=123456) ] got_rules = lien_scanner_rules.LienScannerRules().generate_rules( projects, global_config) want_rules = yaml.load( _EXPECTED_RULES_YAML.format(global_resource_type='folder', global_resource_ids=['357801357924'])) self.assertEqual(got_rules, want_rules)
def test_generate_rules_no_org_id(self): global_config = scanner_test_utils.create_test_global_config() global_config.pop('organization_id') projects = [ scanner_test_utils.create_test_project(project_id='project_1', project_num=123456, extra_fields=TEST_DATASETS) ] got_rules = bq_rules.BigQueryScannerRules().generate_rules( projects, global_config) want_rules = yaml.load('rules:\n{}\n{}\n{}'.format( EXPECTED_GLOBAL_RULES_YAML.format( global_resource_type='folder', global_resource_ids=['357801357924']), EXPECTED_PROJECT_RULES_YAML, EXPECTED_LOCAL_AUDIT_PROJECT_YAML)) self.assertEqual(got_rules, want_rules)
def test_generate_rules(self): projects = [ scanner_test_utils.create_test_project( project_id='project-1', project_num=123456, extra_fields={ 'bigquery_datasets': [{ 'name': 'dataset', 'location': 'US', }], }, ), ] got_rules = resource_scanner_rules.ResourceScannerRules( ).generate_rules(projects, scanner_test_utils.create_test_global_config()) want_rules = yaml.load(_EXPECTED_RULES_YAML) self.assertEqual(got_rules, want_rules)
def test_generate_rules_local_remote_logs(self): projects = [ scanner_test_utils.create_test_project( project_id='project-1', project_num=123456, extra_fields={ 'bigquery_datasets': [{ 'name': 'dataset', 'location': 'US', }], 'audit_logs': { 'logs_gcs_bucket': { 'name': 'project-1-remote-logs', 'location': 'US', }, 'logs_bigquery_dataset': { 'name': 'project-1-remote-dataset', 'location': 'US', }, }, }, audit_logs_project={ 'project_id': 'project-1-audit', 'owners_group': '*****@*****.**', }), ] got_rules = location_scanner_rules.LocationScannerRules( ).generate_rules(projects, scanner_test_utils.create_test_global_config()) want_rules = yaml.load( _EXPECTED_RULES_YAML.format( audit_logs_project_id='project-1-audit', audit_logs_bucket_id='project-1-remote-logs', audit_logs_dataset_id= 'project-1-audit:project-1-remote-dataset', )) self.assertEqual(got_rules, want_rules)
members: - group:[email protected] - group:[email protected] """ _PROJECTS = [ scanner_test_utils.create_test_project( project_id='project_1', project_num=123456, extra_fields={ 'additional_project_permissions': [{ 'roles': ['roles/bigquery.dataViewer'], 'members': ['group:[email protected]'], }], 'data_buckets': [ { 'name_suffix': '-data' }, { 'name_suffix': '-more-data' }, { 'name_suffix': '-euro-data' }, ] }), scanner_test_utils.create_test_project( project_id='project_2', project_num=789012, extra_fields={ 'editors_groups': ['*****@*****.**'], 'data_readwrite_groups': ['*****@*****.**'],
- name: 'Whitelist Log sink for project project-2.' mode: whitelist resource: - type: project applies_to: self resource_ids: - project-2 sink: destination: >- bigquery.googleapis.com/projects/audit-logs/datasets/project_2_logs filter: '*' include_children: '*' """ _PROJECTS = [ scanner_test_utils.create_test_project(project_id='project-1', project_num=123456), scanner_test_utils.create_test_project(project_id='project-2', project_num=789012, extra_fields={ 'audit_logs': { 'logs_bigquery_dataset': { 'name': 'project_2_logs', 'location': 'US', }, }, }, audit_logs_project={ 'project_id': 'audit-logs', 'owners_group':
def test_generate_rules_project_with_additional_permissions(self): extra_permissions_rule_yaml = """ - name: 'Whitelist for dataset(s): project_1:extra_data' mode: whitelist resource: - type: project resource_ids: - project_1 dataset_ids: - project_1:extra_data bindings: - role: OWNER members: - group_email: '*****@*****.**' - group_email: '*****@*****.**' - role: WRITER members: - group_email: '*****@*****.**' - user_email: '*****@*****.**' - user_email: '*****@*****.**' - role: READER members: - group_email: '*****@*****.**' - group_email: '*****@*****.**' """ datasets = { 'bigquery_datasets': [ { 'name': 'us_data', 'location': 'US' }, { 'name': 'extra_data', 'location': 'US', 'additional_dataset_permissions': { 'owners': ['group:[email protected]'], 'readwrite': [ 'serviceAccount:[email protected]', 'user:[email protected]'], } }, { 'name': 'euro_data', 'location': 'EU' }, ] } projects = [scanner_test_utils.create_test_project( project_id='project_1', project_num=123456, extra_fields=datasets)] got_rules = bq_rules.BigQueryScannerRules().generate_rules( projects, scanner_test_utils.create_test_global_config()) want_rules = yaml.load('rules:\n{}\n{}\n{}\n{}'.format( EXPECTED_GLOBAL_RULES_YAML, EXPECTED_PROJECT_RULES_YAML, extra_permissions_rule_yaml, EXPECTED_LOCAL_AUDIT_PROJECT_YAML)) self.assertEqual(got_rules, want_rules)