示例#1
0
    def add_rule(self, rule_def, rule_index):
        """Add a rule to the rule book.

        Args:
            rule_def (dict): A dictionary containing rule definition
                properties.
            rule_index (int): The index of the rule from the rule definitions.
                Assigned automatically when the rule book is built.
        """
        resources = rule_def.get('resource')

        for resource in resources:
            resource_ids = resource.get('resource_ids')

            if not resource_ids or len(resource_ids) < 1:
                raise audit_errors.InvalidRulesSchemaError(
                    'Missing resource ids in rule {}'.format(rule_index))

            bucket = rule_def.get('bucket')
            entity = rule_def.get('entity')
            email = rule_def.get('email')
            domain = rule_def.get('domain')
            role = rule_def.get('role')

            if (bucket is None) or (entity is None) or (email is None) or\
               (domain is None) or (role is None):
                raise audit_errors.InvalidRulesSchemaError(
                    'Faulty rule {}'.format(rule_def.get('name')))

            rule_def_resource = bkt_acls.BucketAccessControls(
                escape_and_globify(bucket), escape_and_globify(entity),
                escape_and_globify(email), escape_and_globify(domain),
                escape_and_globify(role.upper()))

            rule = Rule(rule_name=rule_def.get('name'),
                        rule_index=rule_index,
                        rules=rule_def_resource)

            resource_rules = self.resource_rules_map.get(rule_index)

            if not resource_rules:
                self.resource_rules_map[rule_index] = rule
示例#2
0
    def add_rule(self, rule_def, rule_index):
        """Add a rule to the rule book.

        Args:
            rule_def (dict): A dictionary containing rule definition
                properties.
            rule_index (int): The index of the rule from the rule definitions.
                Assigned automatically when the rule book is built.
        """
        resources = rule_def.get('resource')

        for resource in resources:
            resource_ids = resource.get('resource_ids')

            if not resource_ids or len(resource_ids) < 1:
                raise audit_errors.InvalidRulesSchemaError(
                    'Missing resource ids in rule {}'.format(rule_index))

            instance_name = rule_def.get('instance_name')
            authorized_networks = rule_def.get('authorized_networks')
            ssl_enabled = rule_def.get('ssl_enabled')

            if (instance_name is None) or (authorized_networks is None) or\
             (ssl_enabled is None):
                raise audit_errors.InvalidRulesSchemaError(
                    'Faulty rule {}'.format(rule_def.get('name')))

            rule_def_resource = csql_acls.CloudSqlAccessControl(
                escape_and_globify(instance_name),
                escape_and_globify(authorized_networks),
                ssl_enabled)

            rule = Rule(rule_name=rule_def.get('name'),
                        rule_index=rule_index,
                        rules=rule_def_resource)

            resource_rules = self.resource_rules_map.get(rule_index)

            if not resource_rules:
                self.resource_rules_map[rule_index] = rule
示例#3
0
    def __init__(self, role_name, members=None):
        """Initialize.

        Args:
            role_name (str): The string name of the role.
            members (list): The role members of the policy binding.
        """
        if not role_name or not members:
            raise errors.InvalidIamPolicyBindingError(
                ('Invalid IAM policy binding: '
                 'role_name={}, members={}'.format(role_name, members)))
        self.role_name = role_name
        self.members = _get_iam_members(members)
        self.role_pattern = re.compile(escape_and_globify(role_name),
                                       flags=re.IGNORECASE)
示例#4
0
    def __init__(self, member_type, member_name=None):
        """Initialize.

        Args:
            member_type (str): The string member type (see `member_types`).
            member_name (str): The string member name.
        """
        if not member_type or not self._member_type_exists(member_type):
            raise errors.InvalidIamPolicyMemberError(
                'Invalid policy member: {}'.format(member_type))
        self.type = member_type
        self.name = member_name
        self.name_pattern = None
        if member_name:
            self.name_pattern = re.compile(escape_and_globify(self.name),
                                           flags=re.IGNORECASE)
示例#5
0
    def add_rule(self, rule_def, rule_index):
        """Add a rule to the rule book.

        Args:
            rule_def (dict): A dictionary containing rule definition
                properties.
            rule_index (int): The index of the rule from the rule definitions.
                Assigned automatically when the rule book is built.
        """
        resources = rule_def.get('resource')

        for resource in resources:
            resource_ids = resource.get('resource_ids')

            if not resource_ids or len(resource_ids) < 1:
                raise audit_errors.InvalidRulesSchemaError(
                    'Missing resource ids in rule {}'.format(rule_index))

            dataset_id = rule_def.get('dataset_id')
            special_group = rule_def.get('special_group')
            user_email = rule_def.get('user_email')
            domain = rule_def.get('domain')
            group_email = rule_def.get('group_email')
            role = rule_def.get('role')

            is_any_none = any(item is None for item in [
                dataset_id,
                special_group,
                user_email,
                domain,
                group_email,
                role])

            if is_any_none:
                raise audit_errors.InvalidRulesSchemaError(
                    'Faulty rule {}'.format(rule_def.get('name')))

            rule_def_resource = bq_acls.BigqueryAccessControls(
                escape_and_globify(dataset_id),
                escape_and_globify(special_group),
                escape_and_globify(user_email),
                escape_and_globify(domain),
                escape_and_globify(group_email),
                escape_and_globify(role.upper()))

            rule = Rule(rule_name=rule_def.get('name'),
                        rule_index=rule_index,
                        rules=rule_def_resource)

            if not self.resource_rules_map.get(rule_index):
                self.resource_rules_map[rule_index] = rule
示例#6
0
    def add_rule(self, rule_def, rule_index):  # pylint: disable=too-many-locals
        """Add a rule to the rule book.

        Args:
            rule_def (dict): rule definition properties
            rule_index (int): index of the rule from the rule definitions,
                              assigned automatically when the rule book is built
        """
        self._rules_sema.acquire()

        try:
            for resource in rule_def.get('resource'):
                resource_ids = resource.get('resource_ids')
                resource_type = None
                try:
                    resource_type = resource_mod.ResourceType.verify(
                        resource.get('type'))
                except resource_errors.InvalidResourceTypeError:
                    raise audit_errors.InvalidRulesSchemaError(
                        'Missing resource type in rule {}'.format(rule_index))

                if not resource_ids or len(resource_ids) < 1:
                    raise audit_errors.InvalidRulesSchemaError(
                        'Missing resource ids in rule {}'.format(rule_index))

                allowed_alternate_services = [
                    regex_util.escape_and_globify(glob) for glob in
                    rule_def.get('allowed_alternate_services', '').split(',')
                    if glob
                ]
                allowed_direct_access_sources = [
                    regex_util.escape_and_globify(glob)
                    for glob in rule_def.get('allowed_direct_access_sources',
                                             '').split(',') if glob
                ]
                allowed_iap_enabled = regex_util.escape_and_globify(
                    rule_def.get('allowed_iap_enabled', '*'))

                # For each resource id associated with the rule, create a
                # mapping of resource => rules.
                for resource_id in resource_ids:
                    gcp_resource = resource_util.create_resource(
                        resource_id=resource_id, resource_type=resource_type)

                    rule = Rule(
                        rule_name=rule_def.get('name'),
                        rule_index=rule_index,
                        allowed_alternate_services=allowed_alternate_services,
                        allowed_direct_access_sources=(
                            allowed_direct_access_sources),
                        allowed_iap_enabled=allowed_iap_enabled)

                    rule_applies_to = resource.get('applies_to')
                    rule_key = (gcp_resource, rule_applies_to)

                    # See if we have a mapping of the resource and rule
                    resource_rules = self.resource_rules_map.get(rule_key)

                    # If no mapping exists, create it.
                    if not resource_rules:
                        resource_rules = ResourceRules(
                            resource=gcp_resource,
                            applies_to=rule_applies_to,
                            inherit_from_parents=rule_def.get(
                                'inherit_from_parents', False))
                        self.resource_rules_map[rule_key] = resource_rules

                    # If the rule isn't in the mapping, add it.
                    if rule not in resource_rules.rules:
                        resource_rules.rules.add(rule)
        finally:
            self._rules_sema.release()
    def add_rule(self, rule_def, rule_index):
        """Add a rule to the rule book.

        Add a rule to the rule book.

        The rule supplied to this method is the dictionary parsed from
        the rules definition file.

        For example, this rule...

        # rules yaml:
            rules:
          - name: all networks covered in whitelist
            project: '*'
            network: '*'
            is_external_network: True
            whitelist:
              master:
                - master-1
              network:
                - network-1
                - network-2
              default:
                - default-1

        ... gets parsed into:
        {
            "rules": [
                {
                    "name": "all networks covered in whitelist",
                    "project": "*",
                    "network": "*",
                    "is_external_network": true,
                    "whitelist": {
                        "master": [
                            "master-1"
                        ],
                        "network": [
                            "network-1",
                            "network-2"
                        ],
                        "default": [
                            "default-1"
                        ]
                    }
                }
            ]
        }

        Args:
            rule_def (dict): A dictionary containing rule definition properties.
            rule_index (int): The index of the rule from the rule definitions.
                Assigned automatically when the rule book is built.
        """
        project = rule_def.get('project')
        network = rule_def.get('network')
        whitelist = rule_def.get('whitelist')
        is_external_network = rule_def.get('is_external_network')

        if ((whitelist is None) or (project is None) or (network is None)
                or (is_external_network is None)):
            raise audit_errors.InvalidRulesSchemaError('Faulty rule {}'.format(
                rule_def.get('name')))

        rule_def_resource = {
            'whitelist': whitelist,
            'project': escape_and_globify(project),
            'network': escape_and_globify(network),
            'is_external_network': is_external_network
        }

        rule = Rule(rule_name=rule_def.get('name'),
                    rule_index=rule_index,
                    rules=rule_def_resource)

        resource_rules = self.resource_rules_map.get(rule_index)
        if not resource_rules:
            self.resource_rules_map[rule_index] = rule