def _read_from_config(self, config_file_path=None): """Read from the forseti configuration file. Args: config_file_path (str): Forseti server config file path Returns: tuple(dict, str): (Forseti server configuration, Error message) """ # if config_file_path is not passed in, we will use the default # configuration path that was passed in during the initialization # of the server. forseti_config_path = config_file_path or self.forseti_config_file_path forseti_config = {} err_msg = '' try: forseti_config = file_loader.read_and_parse_file( forseti_config_path) except (AttributeError, IOError): err_msg = ('Unable to open Forseti Security config file. Please ' 'check your path and filename and try again.') LOGGER.exception(err_msg) return forseti_config, err_msg
def enforce_single_project(enforcer, project_id, policy_filename): """Runs the enforcer on a single project. Args: enforcer (BatchFirewallEnforcer): An instance of the batch_enforcer.BatchFirewallEnforcer class. project_id (str): The project to enforce. policy_filename (str): The json encoded file to read the firewall policy from. Raises: InvalidParsedPolicyFileError: When the policy file can't be parsed. Returns: EnforcerLogProto: A instance of the proto. """ policy = file_loader.read_and_parse_file(policy_filename) if not isinstance(policy, list): raise InvalidParsedPolicyFileError( 'Invalid parsed policy file: found %s expected list' % type(policy)) project_policies = [(project_id, policy)] enforcer_results = enforcer.run(project_policies) for result in enforcer_results.results: result.gce_firewall_enforcement.policy_path = policy_filename result.run_context = enforcer_log_pb2.ENFORCER_ONE_PROJECT return enforcer_results
def get_default_endpoint(self): """Get server address. Returns: str: Forseti server endpoint """ default_env_variable = 'FORSETI_CLIENT_CONFIG' try: conf_path = os.environ[default_env_variable] configs = file_loader.read_and_parse_file(conf_path) server_ip = configs.get('server_ip') if server_ip: return '{}:50051'.format(server_ip) except KeyError: LOGGER.info( 'Unable to read environment variable: %s, will use ' 'the default endpoint instead, endpoint: %s', default_env_variable, self.DEFAULT_ENDPOINT) except IOError: LOGGER.info( 'Unable to open file: %s, will use the default ' 'endpoint instead, endpoint: %s', conf_path, self.DEFAULT_ENDPOINT) return self.DEFAULT_ENDPOINT
def _load_rule_definitions(self): """Load the rule definitions file from GCS or local filesystem. Returns: dict: The parsed dict from the rule definitions file. """ LOGGER.debug('Loading %r rules from %r', self, self.full_rules_path) rules = file_loader.read_and_parse_file(self.full_rules_path) LOGGER.debug('Got rules: %r', rules) return rules
def run(self): """Runs the groups scanner.""" root = self._retrieve() group_rules = file_loader.read_and_parse_file(self.rules) root = self._apply_all_rules(root, group_rules) all_violations = self._find_violations(root) self._output_results(all_violations)
def main(): """The main entry point for Forseti Security Enforcer runner.""" arg_parser = argparse.ArgumentParser() arg_parser.add_argument( '--forseti_config', default='/home/ubuntu/forseti-security/configs/' 'forseti_conf_server.yaml', help='Fully qualified path and filename of the Forseti config file.') arg_parser.add_argument( '--enforce_project', default=None, help='A single projectId to enforce the firewall on.' ' Must be used with the policy_file flag.') arg_parser.add_argument( '--policy_file', default=None, help='A json encoded policy file to enforce,' ' must contain a list of Firewall resources to' 'apply to the project. If in a GCS bucket, ' 'include full path, e.g. ' '"gs://<bucketname>/path/to/file".') arg_parser.add_argument( '--dry_run', default=False, help='If True will simulate the changes and not change' 'any policies.') arg_parser.add_argument( '--concurrent_threads', default=10, help='The number concurrent worker threads to use.') arg_parser.add_argument( '--maximum_firewall_write_operations', default=10, help='The maximum number of in flight write operations' 'on project firewalls. Each running thread is ' 'allowed up to this many running operations, ' 'so to limit the over all number of operations, ' 'limit the number of write threads using the' ' maximum_project_writer_threads flag.') arg_parser.add_argument( '--maximum_project_writer_threads', default=1, help='The maximum number of projects with active write ' 'operations on project firewalls.') flags = vars(arg_parser.parse_args()) forseti_config = flags['forseti_config'] if forseti_config is None: LOGGER.error('Path to Forseti Security config needs to be specified.') sys.exit() try: configs = file_loader.read_and_parse_file(forseti_config) except IOError: LOGGER.exception('Unable to open Forseti Security config file. ' 'Please check your path and filename and try again.') sys.exit() global_configs = configs.get('global') enforcer = initialize_batch_enforcer( global_configs, flags['concurrent_threads'], flags['maximum_project_writer_threads'], flags['maximum_firewall_write_operations'], flags['dry_run'] ) if flags['enforce_project'] and flags['policy_file']: enforcer_results = enforce_single_project(enforcer, flags['enforce_project'], flags['policy_file']) print enforcer_results else: print 'Batch mode not implemented yet.'