def test_to_full_resource_name(self):
    """to_full_resource_name joins parent and child names and always ends with '/'.

    Covers the empty-parent case (child only, trailing slash added) and the
    case where the parent already carries its trailing slash.
    """
    cases = [
        (('', 'foo/bar'), 'foo/bar/'),
        (('foo/bar/', 'bar/baz'), 'foo/bar/bar/baz/'),
    ]
    for (parent_name, child_name), expected in cases:
        self.assertEqual(to_full_resource_name(parent_name, child_name), expected)
def _convert_iam_policy(self, iam_policy):
    """Stage an IAM policy as a TBL_RESOURCE row in the current session.

    Unlike the other converters in this importer, the parent row object is
    discarded: only the parent's full resource name and the policy's own
    type name are used, and the row records `parent_type_name` rather than
    a `parent` reference.

    Args:
        iam_policy (object): IAM policy to store.
    """
    _unused_parent, parent_full_name = self._get_parent(iam_policy)
    parent_type_name = self._type_name(iam_policy)
    # The parent's type name uses '/' separators; the policy's type name
    # embeds it with ':' separators instead.
    parent_key = ':'.join(parent_type_name.split('/'))
    policy_type_name = to_type_name(iam_policy.get_category(), parent_key)
    policy_full_name = to_full_resource_name(parent_full_name, policy_type_name)
    row = self.dao.TBL_RESOURCE(
        cai_resource_name=iam_policy.get_cai_resource_name(),
        cai_resource_type=iam_policy.get_cai_resource_type(),
        full_name=policy_full_name,
        type_name=policy_type_name,
        name=iam_policy.get_resource_id(),
        type=iam_policy.get_category(),
        data=iam_policy.get_resource_data_raw(),
        parent_type_name=parent_type_name)
    self.session.add(row)
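def _convert_resource(self, resource, cached=False, display_key='name', email_key='email'):
    """Convert a crawled resource into a TBL_RESOURCE row and stage it in the session.

    Root resources get no parent and a full name built from their own type
    name; every other resource takes parent, full name and type name from
    `self._full_resource_name`.

    Args:
        resource (object): A resource to store. Must provide
            get_resource_data(), get_resource_id(), get_resource_type() and
            get_resource_data_raw().
        cached (bool): Set to true for resources that have child resources
            or policies associated with them; the new row is then registered
            in the importer cache under `resource.id`.
        display_key (str): Key in the resource data dict holding the display
            name for the resource.
        email_key (str): Key in the resource data dict holding the email
            associated with the resource.
    """
    data = resource.get_resource_data()
    if self._is_root(resource):
        parent = None
        type_name = self._type_name(resource)
        full_res_name = to_full_resource_name('', type_name)
    else:
        parent, full_res_name, type_name = self._full_resource_name(resource)
    # get_resource_data() is not guaranteed to return a dict for every
    # resource type; only a dict carries the display-name / email keys, so
    # anything else is treated as having neither rather than raising
    # AttributeError on .get().
    attrs = data if isinstance(data, dict) else {}
    row = self.dao.TBL_RESOURCE(full_name=full_res_name,
                                type_name=type_name,
                                name=resource.get_resource_id(),
                                type=resource.get_resource_type(),
                                display_name=attrs.get(display_key, ''),
                                email=attrs.get(email_key, ''),
                                data=resource.get_resource_data_raw(),
                                parent=parent)
    self.session.add(row)
    if cached:
        self._add_to_cache(row, resource.id)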
def _get_policy_full_name(cls, resource, policy_name):
    """Build the full resource name of a policy attached to a crawled resource.

    The policy's type name is derived from the policy category and the
    resource key, then appended to the resource's own full name.

    Args:
        resource (Resource): Crawled resource the policy belongs to.
        policy_name (str): The category name for the policy data.

    Returns:
        str: A full name for the policy.
    """
    policy_type_name = utils.to_type_name(policy_name, resource.key())
    owner_full_name = resource.get_full_resource_name()
    return utils.to_full_resource_name(owner_full_name, policy_type_name)
def find_violations(self, resource, log_sinks):
    """Yield Log Sink rule violations for one resource.

    Required-mode violations are reported once against the parent resource
    (a required sink is absent); whitelist/blacklist violations are reported
    once per offending sink, with the sink's full name built under the
    parent's full name.

    Args:
        resource (gcp_type): The resource that the log sinks belong to.
        log_sinks (list): list of log sinks for resource.

    Yields:
        namedtuple: Returns RuleViolation named tuple.
    """
    rule = self.rule
    if rule['mode'] == _REQUIRED:
        required_sink = rule['sink']
        if not _required_sink_missing(required_sink, log_sinks):
            return
        yield self.RuleViolation(
            resource_name=resource.id,
            resource_type=resource.type,
            resource_id=resource.id,
            full_name=resource.full_name,
            rule_name=self.rule_name,
            rule_index=self.rule_index,
            violation_type=VIOLATION_TYPE,
            sink_destination=required_sink['destination'],
            sink_filter=required_sink['filter'],
            sink_include_children=required_sink['include_children'],
            resource_data='')
        return
    # NOTE(review): any mode other than required/whitelist is handled as a
    # blacklist; whether unknown mode values are rejected when the rule book
    # is built is not visible from here.
    if rule['mode'] == _WHITELIST:
        find_offenders = _find_whitelist_violations
    else:
        find_offenders = _find_blacklist_violations
    for sink in find_offenders(rule['sink'], log_sinks):
        yield self.RuleViolation(
            resource_name=sink.name,
            resource_type=sink.type,
            resource_id=sink.id,
            full_name=to_full_resource_name(resource.full_name, sink.id),
            rule_name=self.rule_name,
            rule_index=self.rule_index,
            violation_type=VIOLATION_TYPE,
            sink_destination=sink.destination,
            sink_filter=sink.sink_filter,
            sink_include_children=sink.include_children,
            resource_data=sink.raw_json)
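def _full_resource_name(self, resource):
    """Return the parent object, full resource name and type name of a resource.

    The full resource name is the parent's full name with this resource's
    type name appended (via to_full_resource_name).

    Args:
        resource (object): Resource whose full resource name and parent
            should be returned.

    Returns:
        tuple: (parent, full_resource_name, type_name) where `parent` is the
            parent object returned by `self._get_parent`, `full_resource_name`
            (str) is the resource's full name and `type_name` (str) is its
            type name.
    """
    type_name = self._type_name(resource)
    parent, parent_full_name = self._get_parent(resource)
    full_resource_name = to_full_resource_name(parent_full_name, type_name)
    return parent, full_resource_name, type_name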
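def _convert_resource(self, resource, cached=False, display_key='name', email_key='email', display_name=''):
    """Convert a crawled resource into a TBL_RESOURCE row and stage it in the session.

    Root resources get no parent and a full name built from their own type
    name; every other resource takes parent, full name and type name from
    `self._full_resource_name`.

    Args:
        resource (Resource): A resource to store. Must provide
            get_resource_data(), get_resource_id(), get_resource_type(),
            get_resource_data_raw(), get_cai_resource_name() and
            get_cai_resource_type().
        cached (bool): Set to true for resources that have child resources
            or policies associated with them; the new row is then registered
            in the importer cache under `resource.id`.
        display_key (str): Key in the resource data dict holding the display
            name for the resource.
        email_key (str): Key in the resource data dict holding the email
            associated with the resource.
        display_name (str): Explicit display name; when non-empty it takes
            precedence over `display_key`. Used where the resource data has
            no display-name key (e.g. org policy).
    """
    data = resource.get_resource_data()
    if self._is_root(resource):
        parent = None
        type_name = self._type_name(resource)
        full_res_name = to_full_resource_name('', type_name)
    else:
        parent, full_res_name, type_name = self._full_resource_name(resource)
    # get_resource_data() is not always a dict (org policy is one such case),
    # and the email key may be absent or empty. Only a dict carries the
    # display-name / email keys, so any other payload yields '' for both
    # instead of raising AttributeError on .get() -- this guard previously
    # covered only the email lookup, leaving display_name to fail whenever
    # no explicit display_name was passed.
    attrs = data if isinstance(data, dict) else {}
    row = self.dao.TBL_RESOURCE(
        cai_resource_name=resource.get_cai_resource_name(),
        cai_resource_type=resource.get_cai_resource_type(),
        full_name=full_res_name,
        type_name=type_name,
        name=resource.get_resource_id(),
        type=resource.get_resource_type(),
        display_name=display_name or attrs.get(display_key, ''),
        email=attrs.get(email_key, ''),
        data=resource.get_resource_data_raw(),
        parent=parent)
    self.session.add(row)
    if cached:
        self._add_to_cache(row, resource.id)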
def _convert_service_config(self, service_config):
    """Stage a Kubernetes Service Config as a TBL_RESOURCE row in the session.

    The service config's type name is built from its category and the
    parent's type name taken verbatim (no separator rewriting), and its full
    name is that type name appended to the parent's full name.

    Args:
        service_config (dict): A Service Config resource to store.
    """
    parent_row, parent_full_name = self._get_parent(service_config)
    config_type_name = to_type_name(service_config.get_category(),
                                    parent_row.type_name)
    config_full_name = to_full_resource_name(parent_full_name,
                                             config_type_name)
    row = self.dao.TBL_RESOURCE(
        full_name=config_full_name,
        type_name=config_type_name,
        name=service_config.get_resource_id(),
        type=service_config.get_category(),
        data=service_config.get_resource_data_raw(),
        parent=parent_row)
    self.session.add(row)
def _convert_enabled_apis(self, enabled_apis):
    """Stage a description of enabled APIs as a TBL_RESOURCE row in the session.

    The parent's type name ('/'-separated) is rewritten with ':' separators
    before being embedded in the enabled-APIs type name.

    Args:
        enabled_apis (object): Enabled APIs description to store.
    """
    parent_row, parent_full_name = self._get_parent(enabled_apis)
    parent_key = ':'.join(parent_row.type_name.split('/'))
    apis_type_name = to_type_name(enabled_apis.get_category(), parent_key)
    apis_full_name = to_full_resource_name(parent_full_name, apis_type_name)
    row = self.dao.TBL_RESOURCE(
        full_name=apis_full_name,
        type_name=apis_type_name,
        name=enabled_apis.get_resource_id(),
        type=enabled_apis.get_category(),
        data=enabled_apis.get_resource_data_raw(),
        parent=parent_row)
    self.session.add(row)
def _convert_gcs_policy(self, gcs_policy):
    """Stage a Cloud Storage bucket ACL policy as a TBL_RESOURCE row in the session.

    The policy's type name combines its category with its own resource id;
    its full name is that type name appended to the parent's full name.

    Args:
        gcs_policy (object): Cloud Storage Bucket ACL policy to store.
    """
    parent_row, parent_full_name = self._get_parent(gcs_policy)
    policy_id = gcs_policy.get_resource_id()
    policy_category = gcs_policy.get_category()
    policy_type_name = to_type_name(policy_category, policy_id)
    policy_full_name = to_full_resource_name(parent_full_name, policy_type_name)
    row = self.dao.TBL_RESOURCE(
        full_name=policy_full_name,
        type_name=policy_type_name,
        name=policy_id,
        type=policy_category,
        data=gcs_policy.get_resource_data_raw(),
        parent=parent_row)
    self.session.add(row)
def _convert_dataset_policy(self, dataset_policy):
    """Stage a BigQuery dataset policy as a TBL_RESOURCE row in the session.

    The policy's type name combines its category with its own resource id;
    its full name is that type name appended to the parent's full name.

    Args:
        dataset_policy (object): Dataset policy to store.
    """
    # TODO: Dataset policies should be integrated in the model, not stored
    # as a resource.
    parent_row, parent_full_name = self._get_parent(dataset_policy)
    policy_id = dataset_policy.get_resource_id()
    policy_category = dataset_policy.get_category()
    policy_type_name = to_type_name(policy_category, policy_id)
    policy_full_name = to_full_resource_name(parent_full_name, policy_type_name)
    row = self.dao.TBL_RESOURCE(
        full_name=policy_full_name,
        type_name=policy_type_name,
        name=policy_id,
        type=policy_category,
        data=dataset_policy.get_resource_data_raw(),
        parent=parent_row)
    self.session.add(row)