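def test_find_violation_for_publicly_exposed_acls(self):
    """Rules for allUsers / allAuthenticatedUsers flag publicly exposed ACLs.

    Loads buckets_test_rules_1.yaml, takes the first two rules from the
    rule book's resource_rules_map (index 0: the allUsers rule, index 1:
    the allAuthenticatedUsers rule) and checks that an ACL granting the
    bucket to one of those public principals yields exactly one violation,
    that a fully wildcarded ACL yields none, and that a mixed-case spelling
    of the principal is still flagged.
    """
    rules_local_path = get_datafile_path(__file__, 'buckets_test_rules_1.yaml')
    rules_engine = bre.BucketsRulesEngine(rules_file_path=rules_local_path)
    rules_engine.build_rule_book()
    rules_map = rules_engine.rule_book.resource_rules_map
    allUsers_rule = rules_map[0]
    allAuthenticatedUsers_rule = rules_map[1]

    def violation_count(rule, entity):
        # Only the entity field varies between cases; every other ACL field
        # is a wildcard so the entity alone decides the outcome.
        acl = bucket_access_controls.BucketAccessControls(
            '*', entity, '*', '*', '*', '111111')
        return len(list(rule.find_policy_violations(acl)))

    # Everything is allowed: a fully wildcarded ACL is not a public grant.
    self.assertEqual(0, violation_count(allUsers_rule, '*'))

    # Exposed to everyone in the world.
    self.assertEqual(1, violation_count(allUsers_rule, 'allUsers'))
    # Case sensitivity: the mixed-case spelling must still be caught.
    self.assertEqual(1, violation_count(allUsers_rule, 'AllUsers'))

    # Exposed to all Google-authenticated users in the world.
    self.assertEqual(
        1, violation_count(allAuthenticatedUsers_rule, 'allAuthenticatedUsers'))
    # Case sensitivity: the mixed-case spelling must still be caught.
    self.assertEqual(
        1, violation_count(allAuthenticatedUsers_rule, 'AllAuthenticatedUsers'))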
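def add_rule(self, rule_def, rule_index):
    """Add a rule to the rule book.

    Validates the rule definition, builds the ACL pattern the rule is
    matched against and stores the resulting Rule under its index. An index
    that is already present in resource_rules_map is left untouched.

    Args:
        rule_def: A dictionary containing rule definition properties.
        rule_index: The index of the rule from the rule definitions.
            Assigned automatically when the rule book is built.

    Raises:
        audit_errors.InvalidRulesSchemaError: if the rule has no 'resource'
            entry, a resource has no 'resource_ids', or any of the bucket,
            entity, email, domain or role fields is missing.
    """
    resources = rule_def.get('resource')
    if resources is None:
        # Previously this fell through to a TypeError when iterating None;
        # a malformed rule is a schema error like the other checks below.
        raise audit_errors.InvalidRulesSchemaError(
            'Missing resource in rule {}'.format(rule_index))
    for resource in resources:
        if not resource.get('resource_ids'):
            raise audit_errors.InvalidRulesSchemaError(
                'Missing resource ids in rule {}'.format(rule_index))

    acl_keys = ('bucket', 'entity', 'email', 'domain', 'role')
    acl_fields = [rule_def.get(key) for key in acl_keys]
    # Only a missing key is rejected; an empty string is accepted as before.
    if any(field is None for field in acl_fields):
        raise audit_errors.InvalidRulesSchemaError(
            'Faulty rule {}'.format(rule_def.get('name')))
    bucket, entity, email, domain, role = acl_fields

    # escape_and_globify turns each rule field into its match pattern; the
    # role is normalised to upper case before that.
    rule_def_resource = bkt_acls.BucketAccessControls(
        escape_and_globify(bucket),
        escape_and_globify(entity),
        escape_and_globify(email),
        escape_and_globify(domain),
        escape_and_globify(role.upper()))
    rule = Rule(rule_name=rule_def.get('name'),
                rule_index=rule_index,
                rules=rule_def_resource)

    # First definition for an index wins; a later duplicate is ignored.
    if not self.resource_rules_map.get(rule_index):
        self.resource_rules_map[rule_index] = rule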