def test_member_match_works(self):
        """Test the member match against wildcard and non-wildcard members."""
        iam_policy_members = [
            IamPolicyMember.create_from(self.members[0]), # specific user
            IamPolicyMember.create_from(self.members[3]), # allUsers
            IamPolicyMember.create_from(self.members[5]), # *@company.com
            IamPolicyMember.create_from(self.members[6]), # *@*.gserviceaccount
            IamPolicyMember.create_from(self.members[7]), # user:*
        ]

        self.assertTrue(iam_policy_members[0].matches(self.test_members[0]))

        # test globs/allUsers
        self.assertTrue(iam_policy_members[1].matches(self.members[1]))
        self.assertTrue(iam_policy_members[1].matches(self.test_members[3]))
        self.assertTrue(iam_policy_members[2].matches(self.test_members[0]))
        self.assertTrue(iam_policy_members[3].matches(self.test_members[1]))
        self.assertTrue(iam_policy_members[4].matches(self.test_members[2]))
        self.assertTrue(iam_policy_members[4].matches(self.test_members[4]))

        # test non matches
        self.assertFalse(iam_policy_members[0].matches(
            'user:[email protected]'))
        self.assertFalse(iam_policy_members[2].matches(
            'user:[email protected]'))
        self.assertFalse(iam_policy_members[3].matches(
            'serviceAccount:[email protected]'))
        self.assertFalse(iam_policy_members[3].matches(
            'serviceAccount:[email protected]'))
    def test_member_create_from_is_correct(self):
        """Test that IamPolicyMember creation is correct."""
        iam_member1 = IamPolicyMember.create_from(self.members[0])
        self.assertEqual('user', iam_member1.type)
        self.assertEqual('*****@*****.**', iam_member1.name)
        self.assertEqual('^test\-user\@company\.com$',
                         iam_member1.name_pattern.pattern)

        iam_member2 = IamPolicyMember.create_from(self.members[3])
        self.assertEqual('allUsers', iam_member2.type)
        self.assertIsNone(iam_member2.name)
        self.assertIsNone(iam_member2.name_pattern)
示例#3
0
    def test_org_project_inherit_org_rule_violation(self):
        """Test org with blacklist and child with whitelist, no inherit.

        Test that the project whitelist rule overrides the org blacklist rule
        when the project does not inherit from parent.

        Setup:
            * Create a RulesEngine with RULES5 rule set.
            * Create policy.

        Expected result:
            * Find 1 rule violation.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path)
        rules5 = copy.deepcopy(test_rules.RULES5)
        rules5['rules'][1]['inherit_from_parents'] = True
        rules_engine.rule_book = ire.IamRuleBook(rules5, self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        find_ancestor_mock = mock.MagicMock(
            side_effect=[[self.org789]])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        project_policy = {
            'bindings': [
                {
                    'role': 'roles/owner',
                    'members': [
                        'user:[email protected]',
                    ]
                }
            ]
        }

        actual_violations = set(
            rules_engine.find_policy_violations(self.project1, project_policy)
        )

        # expected
        expected_outstanding_proj = {
            'roles/owner': [
                IamPolicyMember.create_from('user:[email protected]')
            ]
        }

        expected_violations = set([
            scanner_rules.RuleViolation(
                rule_index=0,
                rule_name='org blacklist',
                resource_id=self.project1.id,
                resource_type=self.project1.type,
                violation_type='ADDED',
                role=project_policy['bindings'][0]['role'],
                members=tuple(expected_outstanding_proj['roles/owner'])),
        ])

        self.assertItemsEqual(expected_violations, actual_violations)
示例#4
0
    def test_org_2_child_rules_report_violation(self):
        """Test org "children" whitelist works with org "children" blacklist.

        Test that org children whitelist with org children blacklist rules
        report violation.

        Setup:
            * Create a RulesEngine with RULES6 rule set.
            * Create policy.

        Expected result:
            * Find 1 rule violation.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path)
        rules_engine.rule_book = ire.IamRuleBook(
            test_rules.RULES6, self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        find_ancestor_mock = mock.MagicMock(
            side_effect=[[self.org789]])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        project_policy = {
            'bindings': [
                {
                    'role': 'roles/owner',
                    'members': [
                        'user:[email protected]',
                    ]
                }
            ]
        }

        actual_violations = set(
            rules_engine.find_policy_violations(self.project1, project_policy)
        )

        # expected
        expected_outstanding_proj = {
            'roles/owner': [
                IamPolicyMember.create_from('user:[email protected]')
            ]
        }

        expected_violations = set([
            scanner_rules.RuleViolation(
                rule_index=1,
                rule_name='project blacklist',
                resource_id=self.project1.id,
                resource_type=self.project1.type,
                violation_type='ADDED',
                role=project_policy['bindings'][0]['role'],
                members=tuple(expected_outstanding_proj['roles/owner'])),
        ])

        self.assertItemsEqual(expected_violations, actual_violations)
示例#5
0
    def test_one_member_mismatch(self):
        """Test a policy where one member mismatches the whitelist.

        Setup:
            * Create a RulesEngine and add test_rules.RULES1.
            * Create the policy binding.
            * Create the Rule and rule bindings.
            * Create the resource association for the Rule.

        Expected results:
            One policy binding member missing from the whitelist.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path)
        rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES1,
                                                 self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        find_ancestor_mock = mock.MagicMock(side_effect=[[self.org789]])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        policy = {
            'bindings': [{
                'role':
                'roles/editor',
                'members': ['user:[email protected]', 'user:[email protected]']
            }]
        }

        actual_violations = set(
            rules_engine.find_policy_violations(self.project1, policy))

        # expected
        rule_bindings = [{
            'role': 'roles/*',
            'members': ['user:*@company.com']
        }]
        rule = scanner_rules.Rule(
            'my rule',
            0, [IamPolicyBinding.create_from(b) for b in rule_bindings],
            mode='whitelist')
        expected_outstanding = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')]
        }
        expected_violations = set([
            scanner_rules.RuleViolation(
                resource_type=self.project1.type,
                resource_id=self.project1.id,
                rule_name=rule.rule_name,
                rule_index=rule.rule_index,
                role='roles/editor',
                violation_type=scanner_rules.VIOLATION_TYPE.get(rule.mode),
                members=tuple(expected_outstanding['roles/editor']))
        ])

        self.assertEqual(expected_violations, actual_violations)
示例#6
0
    def test_folder_rule_whitelist(self):
        """Test a simple folder whitelist rule."""
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path)
        rules_engine.rule_book = ire.IamRuleBook({}, test_rules.FOLDER_RULES1,
                                                 self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        find_ancestor_mock = mock.MagicMock(
            side_effect=[[self.org789], [self.folder1, self.org789]])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        # one violation for folder because of organization 778899
        # one violation for project because of project3's parent
        folder_policy = {
            'bindings': [{
                'role': 'roles/editor',
                'members': [
                    'user:[email protected]',
                ]
            }]
        }

        project_policy = {
            'bindings': [{
                'role': 'roles/editor',
                'members': [
                    'user:[email protected]',
                ]
            }]
        }

        actual_violations = set(
            itertools.chain(
                rules_engine.find_policy_violations(self.folder1,
                                                    folder_policy),
                rules_engine.find_policy_violations(self.project3,
                                                    project_policy)))

        # expected
        expected_outstanding = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')]
        }

        expected_violations = set([
            scanner_rules.RuleViolation(
                rule_index=0,
                rule_name='folder rule 1',
                resource_id=self.folder1.id,
                resource_type=self.folder1.type,
                violation_type='ADDED',
                role=project_policy['bindings'][0]['role'],
                members=tuple(expected_outstanding['roles/editor'])),
        ])
        self.assertItemsEqual(expected_violations, actual_violations)
示例#7
0
    def test_org_project_noinherit_project_overrides_org_rule(self):
        """Test org with blacklist and child with whitelist, no inherit.

        Test that the project whitelist rule overrides the org blacklist rule
        when the project does not inherit from parent.

        Setup:
            * Create a RulesEngine with RULES5 rule set.
            * Create policy.

        Expected result:
            * Find 0 rule violations.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path)
        rules_engine.rule_book = ire.IamRuleBook(
            test_rules.RULES5, self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        find_ancestor_mock = mock.MagicMock(
            side_effect=[[self.org789]])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        project_policy = {
            'bindings': [
                {
                    'role': 'roles/owner',
                    'members': [
                        'user:[email protected]',
                    ]
                }
            ]
        }

        actual_violations = set(
            rules_engine.find_policy_violations(self.project1, project_policy)
        )

        # expected
        expected_outstanding_proj = {
            'roles/editor': [
                IamPolicyMember.create_from('user:[email protected]')
            ]
        }

        expected_violations = set([])

        self.assertItemsEqual(expected_violations, actual_violations)
示例#8
0
    def test_one_member_mismatch(self):
        """Test a policy where one member mismatches the whitelist.

        Setup:
            * Create a RuleBook and add self.RULES1.
            * Create the policy binding.
            * Create the Rule and rule bindings.
            * Create the resource association for the Rule.

        Expected results:
            One policy binding member missing from the whitelist.
        """
        # actual
        rule_book = OrgRuleBook()
        rule_book._add_rules(self.RULES1)
        policy_bindings = [{
            'role':
            'roles/editor',
            'members': ['user:[email protected]', 'user:[email protected]']
        }]

        actual_violations = list(
            rule_book.find_violations(self.project1, policy_bindings[0]))

        # expected
        rule_bindings = [{
            'role': 'roles/*',
            'members': ['user:*@company.com']
        }]
        rule = Rule('my rule', 0, rule_bindings, mode='whitelist')
        expected_outstanding = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')]
        }
        expected_violations = [
            RuleViolation(resource_type=self.project1.resource_type,
                          resource_id=self.project1.resource_id,
                          rule_name=rule.rule_name,
                          rule_index=rule.rule_index,
                          role='roles/editor',
                          violation_type=RULE_VIOLATION_TYPE.get(rule.mode),
                          members=expected_outstanding['roles/editor'])
        ]

        self.assertEqual(expected_violations, actual_violations)
 def test_member_invalid_type_raises(self):
     """Test that invalid member type raises exception."""
     with self.assertRaises(InvalidIamPolicyMemberError):
         iam_member = IamPolicyMember('fake_type')
 def test_is_matching_domain_fail_invalid_email(self):
     member = IamPolicyMember.create_from('domain:xyz.edu')
     other = IamPolicyMember.create_from('user:u AT xyz DOT edu')
     self.assertFalse(member._is_matching_domain(other))
 def test_is_matching_domain_fail_wrong_type(self):
     member = IamPolicyMember.create_from('group:xyz.edu')
     other = IamPolicyMember.create_from('user:[email protected]')
     self.assertFalse(member._is_matching_domain(other))
示例#12
0
    def test_org_proj_rules_vs_policy_has_violations(self):
        """Test rules on org and project with whitelist, blacklist, required.

        Test whitelist, blacklist, and required rules against an org that has
        1 blacklist violation and a project that has 1 whitelist violation and
        1 required violation.

        Setup:
            * Create a RulesEngine with RULES3 rule set.
            * Create policy.

        Expected result:
            * Find 3 rule violations.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path)
        rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES3,
                                                 self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        find_ancestor_mock = mock.MagicMock(side_effect=[[], [self.org789]])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        org_policy = {
            'bindings': [{
                'role':
                'roles/editor',
                'members': [
                    'user:[email protected]',
                    'user:[email protected]',
                ]
            }]
        }

        project_policy = {
            'bindings': [{
                'role':
                'roles/editor',
                'members': [
                    'user:[email protected]',
                    'user:[email protected]',
                ]
            }]
        }

        actual_violations = set(
            itertools.chain(
                rules_engine.find_policy_violations(self.org789, org_policy),
                rules_engine.find_policy_violations(self.project1,
                                                    project_policy),
            ))

        # expected
        expected_outstanding_org = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')]
        }
        expected_outstanding_project = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')],
            'roles/viewer':
            [IamPolicyMember.create_from('user:[email protected]')]
        }

        expected_violations = set([
            scanner_rules.RuleViolation(
                rule_index=1,
                rule_name='my blacklist rule',
                resource_id=self.org789.id,
                resource_type=self.org789.type,
                violation_type='ADDED',
                role=org_policy['bindings'][0]['role'],
                members=tuple(expected_outstanding_org['roles/editor'])),
            scanner_rules.RuleViolation(
                rule_index=0,
                rule_name='my whitelist rule',
                resource_id=self.project1.id,
                resource_type=self.project1.type,
                violation_type='ADDED',
                role=project_policy['bindings'][0]['role'],
                members=tuple(expected_outstanding_project['roles/editor'])),
            scanner_rules.RuleViolation(
                rule_index=2,
                rule_name='my required rule',
                resource_id=self.project1.id,
                resource_type=self.project1.type,
                violation_type='REMOVED',
                role='roles/viewer',
                members=tuple(expected_outstanding_project['roles/viewer'])),
        ])

        self.assertItemsEqual(expected_violations, actual_violations)
示例#13
0
    def test_wildcard_resources_with_project_whitelist(self):
        """Test whitelisted wildcard resources.

        Setup:
            * Create a RulesEngine with RULES9 rule set.
            * Create policy.

        Expected result:
            * Find 2 rule violations:
               - A policy binding that violates the org whitelist.
               - A policy binding that violates the org whitelist, even though
                 the project whitelist allows it.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path)
        rules_engine.rule_book = ire.IamRuleBook({}, test_rules.RULES9,
                                                 self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        # have to return 2 [self.org789] because the find_ancestors() call is
        # called twice, once for each find_violations().
        find_ancestor_mock = mock.MagicMock(
            side_effect=[[self.org789], [self.org789]])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        project_policy = {
            'bindings': [
                {
                    'role':
                    'roles/owner',
                    'members': [
                        'user:[email protected]',
                        'user:[email protected]',
                        'user:[email protected]',
                    ]
                },
                {
                    'role': 'roles/editor',
                    'members': [
                        'user:[email protected]',
                    ]
                },
            ]
        }

        actual_violations = set(
            rules_engine.find_policy_violations(self.project1, project_policy))

        # expected
        # [email protected] not in any whitelists
        # [email protected] is allowed by the project whitelist
        # but we still alert due to the org whitelist.
        expected_outstanding_proj = {
            'roles/owner': [
                IamPolicyMember.create_from('user:[email protected]'),
                IamPolicyMember.create_from(
                    'user:[email protected]'),
            ],
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')]
        }

        expected_violations = set([
            scanner_rules.RuleViolation(
                rule_index=0,
                rule_name='org whitelist',
                resource_id=self.project1.id,
                resource_type=self.project1.type,
                violation_type='ADDED',
                role=project_policy['bindings'][0]['role'],
                members=tuple(expected_outstanding_proj['roles/owner'])),
            scanner_rules.RuleViolation(
                rule_index=0,
                rule_name='org whitelist',
                resource_id=self.project1.id,
                resource_type=self.project1.type,
                violation_type='ADDED',
                role=project_policy['bindings'][1]['role'],
                members=tuple(expected_outstanding_proj['roles/editor'])),
        ])

        self.assertItemsEqual(expected_violations, actual_violations)
示例#14
0
    def test_org_proj_rules_vs_policy_has_violations(self):
        """Test rules on org and project with whitelist, blacklist, required.

        Test whitelist, blacklist, and required rules against an org that has
        1 blacklist violation and a project that has 1 whitelist violation and
        1 required violation.

        Setup:
            * Create a RulesEngine with RULES3 rule set.
            * Create policy.

        Expected result:
            * Find 3 rule violations.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = OrgRulesEngine(rules_local_path)
        rules_engine.rule_book = OrgRuleBook(self.RULES3)

        org_policy = {
            'bindings': [{
                'role':
                'roles/editor',
                'members': [
                    'user:[email protected]',
                    'user:[email protected]',
                ]
            }]
        }

        project_policy = {
            'bindings': [{
                'role':
                'roles/editor',
                'members': [
                    'user:[email protected]',
                    'user:[email protected]',
                ]
            }]
        }

        actual_violations = []
        actual_violations.extend(
            rules_engine.find_policy_violations(self.org789, org_policy))
        actual_violations.extend(
            rules_engine.find_policy_violations(self.project1, project_policy))

        # expected
        expected_outstanding_org = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')]
        }
        expected_outstanding_project = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')],
            'roles/viewer':
            [IamPolicyMember.create_from('user:[email protected]')]
        }

        expected_violations = [
            RuleViolation(rule_index=1,
                          rule_name='my blacklist rule',
                          resource_id=self.org789.resource_id,
                          resource_type=self.org789.resource_type,
                          violation_type='ADDED',
                          role=org_policy['bindings'][0]['role'],
                          members=expected_outstanding_org['roles/editor']),
            RuleViolation(
                rule_index=0,
                rule_name='my whitelist rule',
                resource_id=self.project1.resource_id,
                resource_type=self.project1.resource_type,
                violation_type='ADDED',
                role=project_policy['bindings'][0]['role'],
                members=expected_outstanding_project['roles/editor']),
            RuleViolation(
                rule_index=2,
                rule_name='my required rule',
                resource_id=self.project1.resource_id,
                resource_type=self.project1.resource_type,
                violation_type='REMOVED',
                role='roles/viewer',
                members=expected_outstanding_project['roles/viewer']),
        ]

        self.assertItemsEqual(expected_violations, actual_violations)
示例#15
0
    def test_whitelist_blacklist_rules_vs_policy_has_violations(self):
        """Test a ruleset with whitelist and blacklist violating rules.

        Setup:
            * Create a RulesEngine with RULES2 rule set.
            * Create policy.

        Expected result:
            * Find 1 rule violation.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = OrgRulesEngine(rules_local_path)
        rules_engine.rule_book = OrgRuleBook(self.RULES2)

        policy = {
            'bindings': [{
                'role':
                'roles/editor',
                'members': [
                    'user:[email protected]', 'user:[email protected]',
                    'user:[email protected]'
                ]
            }]
        }

        actual_violations = []
        actual_violations.extend(
            rules_engine.find_policy_violations(self.project1, policy))
        actual_violations.extend(
            rules_engine.find_policy_violations(self.project2, policy))

        # expected
        expected_outstanding1 = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')]
        }
        expected_outstanding2 = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')]
        }

        expected_violations = [
            RuleViolation(rule_index=0,
                          rule_name='my rule',
                          resource_id=self.project1.resource_id,
                          resource_type=self.project1.resource_type,
                          violation_type='ADDED',
                          role=policy['bindings'][0]['role'],
                          members=expected_outstanding1['roles/editor']),
            RuleViolation(rule_index=0,
                          rule_name='my rule',
                          resource_type=self.project2.resource_type,
                          resource_id=self.project2.resource_id,
                          violation_type='ADDED',
                          role=policy['bindings'][0]['role'],
                          members=expected_outstanding1['roles/editor']),
            RuleViolation(rule_index=1,
                          rule_name='my other rule',
                          resource_type=self.project2.resource_type,
                          resource_id=self.project2.resource_id,
                          violation_type='ADDED',
                          role=policy['bindings'][0]['role'],
                          members=expected_outstanding2['roles/editor']),
            RuleViolation(rule_index=2,
                          rule_name='required rule',
                          resource_id=self.project1.resource_id,
                          resource_type=self.project1.resource_type,
                          violation_type='REMOVED',
                          role='roles/viewer',
                          members=[
                              IamPolicyMember.create_from(
                                  'user:[email protected]')
                          ])
        ]

        self.assertItemsEqual(expected_violations, actual_violations)
示例#16
0
    def test_whitelist_blacklist_rules_vs_policy_has_violations(self):
        """Test a ruleset with whitelist and blacklist violating rules.

        Setup:
            * Mock find_ancestors().
            * Create a RulesEngine with RULES2 rule set.
            * Create policy.

        Expected result:
            * Find 1 rule violation.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path,
                                          self.fake_timestamp)
        # TODO: mock the rules local path to return RULES2
        rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES2,
                                                 self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        find_ancestor_mock = mock.MagicMock(side_effect=[[self.org789], []])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        policy = {
            'bindings': [{
                'role':
                'roles/editor',
                'members': [
                    'user:[email protected]', 'user:[email protected]',
                    'user:[email protected]'
                ]
            }]
        }

        actual_violations = set(
            itertools.chain(
                rules_engine.find_policy_violations(self.project1, policy),
                rules_engine.find_policy_violations(self.project2, policy)))

        # expected
        expected_outstanding1 = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')]
        }
        expected_outstanding2 = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')]
        }

        expected_violations = set([
            scanner_rules.RuleViolation(
                rule_index=0,
                rule_name='my rule',
                resource_id=self.project1.id,
                resource_type=self.project1.type,
                violation_type='ADDED',
                role=policy['bindings'][0]['role'],
                members=tuple(expected_outstanding1['roles/editor'])),
            scanner_rules.RuleViolation(
                rule_index=0,
                rule_name='my rule',
                resource_type=self.project2.type,
                resource_id=self.project2.id,
                violation_type='ADDED',
                role=policy['bindings'][0]['role'],
                members=tuple(expected_outstanding1['roles/editor'])),
            scanner_rules.RuleViolation(
                rule_index=1,
                rule_name='my other rule',
                resource_type=self.project2.type,
                resource_id=self.project2.id,
                violation_type='ADDED',
                role=policy['bindings'][0]['role'],
                members=tuple(expected_outstanding2['roles/editor'])),
            scanner_rules.RuleViolation(
                rule_index=2,
                rule_name='required rule',
                resource_id=self.project1.id,
                resource_type=self.project1.type,
                violation_type='REMOVED',
                role='roles/viewer',
                members=tuple([
                    IamPolicyMember.create_from(
                        'user:[email protected]')
                ]))
        ])

        self.assertItemsEqual(expected_violations, actual_violations)
 def test_member_create_from_domain_is_correct(self):
     member = IamPolicyMember.create_from('domain:xyz.edu')
     self.assertEqual('domain', member.type)
     self.assertEqual('xyz.edu', member.name)
     self.assertEqual('^xyz\\.edu$', member.name_pattern.pattern)
示例#18
0
    def test_org_self_rules_work_with_org_child_rules(self):
        """Test org "self" whitelist works with org "children" whitelist

        Test hierarchical rules.

        Setup:
            * Create a RulesEngine with RULES4 rule set.
            * Create policy.

        Expected result:
            * Find 3 rule violations.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = ire.IamRulesEngine(rules_local_path)
        rules_engine.rule_book = ire.IamRuleBook(test_rules.RULES4,
                                                 self.fake_timestamp)
        rules_engine.rule_book.org_res_rel_dao = mock.MagicMock()
        find_ancestor_mock = mock.MagicMock(side_effect=[[], [self.org789]])
        rules_engine.rule_book.org_res_rel_dao.find_ancestors = \
            find_ancestor_mock

        org_policy = {
            'bindings': [{
                'role':
                'roles/owner',
                'members': [
                    'user:[email protected]',
                    'user:[email protected]',
                ]
            }]
        }

        project_policy = {
            'bindings': [{
                'role':
                'roles/editor',
                'members': [
                    'user:[email protected]',
                    'user:[email protected]',
                ]
            }]
        }

        actual_violations = set(
            itertools.chain(
                rules_engine.find_policy_violations(self.org789, org_policy),
                rules_engine.find_policy_violations(self.project1,
                                                    project_policy)))

        # expected
        expected_outstanding_org = {
            'roles/owner':
            [IamPolicyMember.create_from('user:[email protected]')]
        }
        expected_outstanding_proj = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')]
        }

        expected_violations = set([
            scanner_rules.RuleViolation(
                rule_index=0,
                rule_name='org whitelist',
                resource_id=self.org789.id,
                resource_type=self.org789.type,
                violation_type='ADDED',
                role=org_policy['bindings'][0]['role'],
                members=tuple(expected_outstanding_org['roles/owner'])),
            scanner_rules.RuleViolation(
                rule_index=1,
                rule_name='project whitelist',
                resource_id=self.project1.id,
                resource_type=self.project1.type,
                violation_type='ADDED',
                role=project_policy['bindings'][0]['role'],
                members=tuple(expected_outstanding_proj['roles/editor'])),
        ])

        self.assertItemsEqual(expected_violations, actual_violations)
 def test_is_matching_domain_success(self):
     member = IamPolicyMember.create_from('domain:xyz.edu')
     other = IamPolicyMember.create_from('user:[email protected]')
     self.assertTrue(member._is_matching_domain(other))