def test_find_violation_for_publicly_exposed_acls(self):
rules_local_path = get_datafile_path(__file__,
'buckets_test_rules_1.yaml')
rules_engine = bre.BucketsRulesEngine(rules_file_path=rules_local_path)
rules_engine.build_rule_book()
rules_map = rules_engine.rule_book.resource_rules_map
all_users_rule = rules_map[0]
all_authenticated_users_rule = rules_map[1]
# Everything is allowed.
acl_dict = json.loads(
BUCKET_ACL_TEMPLATE.format(entity='project-owners-123456'))
acl = bucket_access_controls.BucketAccessControls.from_dict(
'test-project', 'fake_inventory_data', acl_dict)
violation = all_users_rule.find_violations(acl)
self.assertEquals(0, len(list(violation)))
# Exposed to everyone in the world.
acl_dict = json.loads(BUCKET_ACL_TEMPLATE.format(entity='allUsers'))
acl = bucket_access_controls.BucketAccessControls.from_dict(
'test-project', 'fake_inventory_data', acl_dict)
violation = all_users_rule.find_violations(acl)
self.assertEquals(1, len(list(violation)))
# Exposed to all google-authenticated users in the world.
acl_dict = json.loads(
BUCKET_ACL_TEMPLATE.format(entity='allAuthenticatedUsers'))
acl = bucket_access_controls.BucketAccessControls.from_dict(
'test-project', 'fake_inventory_data', acl_dict)
violation = all_authenticated_users_rule.find_violations(acl)
self.assertEquals(1, len(list(violation)))
def test_build_rule_book_from_gcs_works(self, mock_load_rules_from_gcs):
"""Test that a RuleBook is built correctly with a mocked gcs file.
Setup:
* Create a mocked GCS object from a test yaml file.
* Get the yaml file content.
Expected results:
There are 4 resources that have rules, in the rule book.
"""
bucket_name = 'bucket-name'
rules_path = 'input/buckets_test_rules_1.yaml'
full_rules_path = 'gs://{}/{}'.format(bucket_name, rules_path)
rules_engine = bre.BucketsRulesEngine(rules_file_path=full_rules_path)
# Read in the rules file
file_content = None
with open(get_datafile_path(__file__, 'buckets_test_rules_1.yaml'),
'r') as rules_local_file:
try:
file_content = yaml.safe_load(rules_local_file)
except yaml.YAMLError:
raise
mock_load_rules_from_gcs.return_value = file_content
rules_engine.build_rule_book()
self.assertEqual(2, len(rules_engine.rule_book.resource_rules_map))
def test_build_rule_book_no_resource_type_fails(self):
"""Test that a rule without a resource cannot be created."""
rules_local_path = get_datafile_path(__file__,
'buckets_test_rules_2.yaml')
rules_engine = bre.BucketsRulesEngine(rules_file_path=rules_local_path)
with self.assertRaises(InvalidRulesSchemaError):
rules_engine.build_rule_book()
def test_build_rule_book_from_local_yaml_file_works(self):
"""Test that a RuleBook is built correctly with a yaml file."""
rules_local_path = get_datafile_path(__file__,
'buckets_test_rules_1.yaml')
rules_engine = bre.BucketsRulesEngine(rules_file_path=rules_local_path)
rules_engine.build_rule_book()
self.assertEqual(2, len(rules_engine.rule_book.resource_rules_map))