def test_direct_access_violation(self):
    """A direct-access source on an IAP-enabled backend yields one violation.

    The rule's final argument is a match-anything pattern, so the only
    mismatch the resource rule should report is the single entry in
    ``direct_access_sources``; alternate services and the IAP flag are clean.
    """
    rule = ire.Rule('my rule', 0, [], [], '^.*')
    resource_rule = ire.ResourceRules(
        self.org789, rules={rule}, applies_to='self_and_children')
    tag = 'some-tag'
    service = backend_service.BackendService(
        full_name='fake_full_name111',
        project_id=self.project1.id,
        name='bs1')
    # IAP is enabled, but one direct-access source is configured
    # (presumably a source that reaches the backend without passing
    # through IAP -- confirm against IapResource); that is the condition
    # under test.
    iap_resource = iap_scanner.IapResource(
        project_full_name='',
        backend_service=service,
        alternate_services=set(),
        direct_access_sources={tag},
        iap_enabled=True)

    actual = list(resource_rule.find_mismatches(service, iap_resource))

    # resource_id is read back from the service rather than hard-coded;
    # no id was passed to BackendService, which is why the serialized
    # resource_data carries "id": "None".
    expected = [
        ire.RuleViolation(
            resource_type=resource_mod.ResourceType.BACKEND_SERVICE,
            resource_name='bs1',
            resource_id=service.resource_id,
            full_name='fake_full_name111',
            rule_name=rule.rule_name,
            rule_index=rule.rule_index,
            violation_type='IAP_VIOLATION',
            alternate_services_violations=[],
            direct_access_sources_violations=[tag],
            iap_enabled_violation=False,
            resource_data='{"full_name": "fake_full_name111", "id": "None", "name": "bs1"}'),
    ]
    self.assertEqual(expected, actual)
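def test_no_violations(self):
    """An IAP-enabled backend with no bypass paths produces no violations.

    Both ``alternate_services`` and ``direct_access_sources`` are empty and
    IAP is on, so ``find_mismatches`` must yield nothing.
    """
    rule = ire.Rule('my rule', 0, [], [], '^.*$')
    resource_rule = ire.ResourceRules(
        self.org789, rules={rule}, applies_to='self_and_children')
    service = backend_service.BackendService(
        project_id=self.project1.id, name='bs1')
    iap_resource = iap_scanner.IapResource(
        project_full_name='',
        backend_service=service,
        alternate_services=set(),
        direct_access_sources=set(),
        iap_enabled=True)

    results = list(resource_rule.find_mismatches(service, iap_resource))

    # assertEquals is a deprecated alias removed in Python 3.12;
    # use the canonical name.
    self.assertEqual([], results)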
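def test_violations_iap_disabled(self):
    """If IAP is disabled, don't report other violations.

    The resource has both an alternate service and a direct-access source
    configured, which would each be reported when IAP is on; with
    ``iap_enabled=False`` the rule is expected to return no mismatches
    at all rather than a violation for each bypass path.
    """
    rule = ire.Rule('my rule', 0, [], [], '^.*')
    resource_rule = ire.ResourceRules(
        self.org789, rules={rule}, applies_to='self_and_children')
    service = backend_service.BackendService(
        full_name='fake_full_name111',
        project_id=self.project1.id,
        name='bs1')
    alternate_service = backend_service.Key.from_args(
        project_id=self.project1.id, name='bs2')
    iap_resource = iap_scanner.IapResource(
        project_full_name='',
        backend_service=service,
        alternate_services={alternate_service},
        direct_access_sources={'some-tag'},
        iap_enabled=False)

    results = list(resource_rule.find_mismatches(service, iap_resource))

    # assertEquals is a deprecated alias removed in Python 3.12;
    # use the canonical name.
    self.assertEqual([], results)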
def test_add_single_rule_builds_correct_map(self):
    """Test that adding a single rule builds the correct map.

    ``RULES1`` is expected to bind one match-anything rule to the org
    (self_and_children) and to each of the two projects (self), keyed by
    ``(resource, applies_to)`` in ``resource_rules_map``.
    """
    book = ire.IapRuleBook({}, test_iap_rules.RULES1, self.fake_timestamp)
    actual = book.resource_rules_map

    rule = ire.Rule('my rule', 0, [], [], '^.*$')
    # Each expected entry carries the same single rule; only the resource
    # and the scope it applies to differ.
    scoped = [
        (self.org789, 'self_and_children'),
        (self.project1, 'self'),
        (self.project2, 'self'),
    ]
    expected = {
        (resource, scope): ire.ResourceRules(
            resource, rules={rule}, applies_to=scope)
        for resource, scope in scoped
    }

    self.assertEqual(expected, actual)