def add_rule(self, rule_def, rule_index): """Add a rule to the rule book. Args: rule_def (dict): A dictionary containing rule definition properties. rule_index (int): The index of the rule from the rule definitions. Assigned automatically when the rule book is built. """ resources = rule_def.get('resource') for resource in resources: resource_ids = resource.get('resource_ids') if not resource_ids or len(resource_ids) < 1: raise audit_errors.InvalidRulesSchemaError( 'Missing resource ids in rule {}'.format(rule_index)) bucket = rule_def.get('bucket') entity = rule_def.get('entity') email = rule_def.get('email') domain = rule_def.get('domain') role = rule_def.get('role') if (bucket is None) or (entity is None) or (email is None) or\ (domain is None) or (role is None): raise audit_errors.InvalidRulesSchemaError( 'Faulty rule {}'.format(rule_def.get('name'))) rule_def_resource = bkt_acls.BucketAccessControls( escape_and_globify(bucket), escape_and_globify(entity), escape_and_globify(email), escape_and_globify(domain), escape_and_globify(role.upper())) rule = Rule(rule_name=rule_def.get('name'), rule_index=rule_index, rules=rule_def_resource) resource_rules = self.resource_rules_map.get(rule_index) if not resource_rules: self.resource_rules_map[rule_index] = rule
def add_rule(self, rule_def, rule_index): """Add a rule to the rule book. Args: rule_def (dict): A dictionary containing rule definition properties. rule_index (int): The index of the rule from the rule definitions. Assigned automatically when the rule book is built. """ resources = rule_def.get('resource') for resource in resources: resource_ids = resource.get('resource_ids') if not resource_ids or len(resource_ids) < 1: raise audit_errors.InvalidRulesSchemaError( 'Missing resource ids in rule {}'.format(rule_index)) instance_name = rule_def.get('instance_name') authorized_networks = rule_def.get('authorized_networks') ssl_enabled = rule_def.get('ssl_enabled') if (instance_name is None) or (authorized_networks is None) or\ (ssl_enabled is None): raise audit_errors.InvalidRulesSchemaError( 'Faulty rule {}'.format(rule_def.get('name'))) rule_def_resource = csql_acls.CloudSqlAccessControl( escape_and_globify(instance_name), escape_and_globify(authorized_networks), ssl_enabled) rule = Rule(rule_name=rule_def.get('name'), rule_index=rule_index, rules=rule_def_resource) resource_rules = self.resource_rules_map.get(rule_index) if not resource_rules: self.resource_rules_map[rule_index] = rule
def __init__(self, role_name, members=None): """Initialize. Args: role_name (str): The string name of the role. members (list): The role members of the policy binding. """ if not role_name or not members: raise errors.InvalidIamPolicyBindingError( ('Invalid IAM policy binding: ' 'role_name={}, members={}'.format(role_name, members))) self.role_name = role_name self.members = _get_iam_members(members) self.role_pattern = re.compile(escape_and_globify(role_name), flags=re.IGNORECASE)
def __init__(self, member_type, member_name=None): """Initialize. Args: member_type (str): The string member type (see `member_types`). member_name (str): The string member name. """ if not member_type or not self._member_type_exists(member_type): raise errors.InvalidIamPolicyMemberError( 'Invalid policy member: {}'.format(member_type)) self.type = member_type self.name = member_name self.name_pattern = None if member_name: self.name_pattern = re.compile(escape_and_globify(self.name), flags=re.IGNORECASE)
def add_rule(self, rule_def, rule_index): """Add a rule to the rule book. Args: rule_def (dict): A dictionary containing rule definition properties. rule_index (int): The index of the rule from the rule definitions. Assigned automatically when the rule book is built. """ resources = rule_def.get('resource') for resource in resources: resource_ids = resource.get('resource_ids') if not resource_ids or len(resource_ids) < 1: raise audit_errors.InvalidRulesSchemaError( 'Missing resource ids in rule {}'.format(rule_index)) dataset_id = rule_def.get('dataset_id') special_group = rule_def.get('special_group') user_email = rule_def.get('user_email') domain = rule_def.get('domain') group_email = rule_def.get('group_email') role = rule_def.get('role') is_any_none = any(item is None for item in [ dataset_id, special_group, user_email, domain, group_email, role]) if is_any_none: raise audit_errors.InvalidRulesSchemaError( 'Faulty rule {}'.format(rule_def.get('name'))) rule_def_resource = bq_acls.BigqueryAccessControls( escape_and_globify(dataset_id), escape_and_globify(special_group), escape_and_globify(user_email), escape_and_globify(domain), escape_and_globify(group_email), escape_and_globify(role.upper())) rule = Rule(rule_name=rule_def.get('name'), rule_index=rule_index, rules=rule_def_resource) if not self.resource_rules_map.get(rule_index): self.resource_rules_map[rule_index] = rule
def add_rule(self, rule_def, rule_index): # pylint: disable=too-many-locals """Add a rule to the rule book. Args: rule_def (dict): rule definition properties rule_index (int): index of the rule from the rule definitions, assigned automatically when the rule book is built """ self._rules_sema.acquire() try: for resource in rule_def.get('resource'): resource_ids = resource.get('resource_ids') resource_type = None try: resource_type = resource_mod.ResourceType.verify( resource.get('type')) except resource_errors.InvalidResourceTypeError: raise audit_errors.InvalidRulesSchemaError( 'Missing resource type in rule {}'.format(rule_index)) if not resource_ids or len(resource_ids) < 1: raise audit_errors.InvalidRulesSchemaError( 'Missing resource ids in rule {}'.format(rule_index)) allowed_alternate_services = [ regex_util.escape_and_globify(glob) for glob in rule_def.get('allowed_alternate_services', '').split(',') if glob ] allowed_direct_access_sources = [ regex_util.escape_and_globify(glob) for glob in rule_def.get('allowed_direct_access_sources', '').split(',') if glob ] allowed_iap_enabled = regex_util.escape_and_globify( rule_def.get('allowed_iap_enabled', '*')) # For each resource id associated with the rule, create a # mapping of resource => rules. for resource_id in resource_ids: gcp_resource = resource_util.create_resource( resource_id=resource_id, resource_type=resource_type) rule = Rule( rule_name=rule_def.get('name'), rule_index=rule_index, allowed_alternate_services=allowed_alternate_services, allowed_direct_access_sources=( allowed_direct_access_sources), allowed_iap_enabled=allowed_iap_enabled) rule_applies_to = resource.get('applies_to') rule_key = (gcp_resource, rule_applies_to) # See if we have a mapping of the resource and rule resource_rules = self.resource_rules_map.get(rule_key) # If no mapping exists, create it. if not resource_rules: resource_rules = ResourceRules( resource=gcp_resource, applies_to=rule_applies_to, inherit_from_parents=rule_def.get( 'inherit_from_parents', False)) self.resource_rules_map[rule_key] = resource_rules # If the rule isn't in the mapping, add it. if rule not in resource_rules.rules: resource_rules.rules.add(rule) finally: self._rules_sema.release()
def add_rule(self, rule_def, rule_index): """Add a rule to the rule book. Add a rule to the rule book. The rule supplied to this method is the dictionary parsed from the rules definition file. For example, this rule... # rules yaml: rules: - name: all networks covered in whitelist project: '*' network: '*' is_external_network: True whitelist: master: - master-1 network: - network-1 - network-2 default: - default-1 ... gets parsed into: { "rules": [ { "name": "all networks covered in whitelist", "project": "*", "network": "*", "is_external_network": true, "whitelist": { "master": [ "master-1" ], "network": [ "network-1", "network-2" ], "default": [ "default-1" ] } } ] } Args: rule_def (dict): A dictionary containing rule definition properties. rule_index (int): The index of the rule from the rule definitions. Assigned automatically when the rule book is built. """ project = rule_def.get('project') network = rule_def.get('network') whitelist = rule_def.get('whitelist') is_external_network = rule_def.get('is_external_network') if ((whitelist is None) or (project is None) or (network is None) or (is_external_network is None)): raise audit_errors.InvalidRulesSchemaError('Faulty rule {}'.format( rule_def.get('name'))) rule_def_resource = { 'whitelist': whitelist, 'project': escape_and_globify(project), 'network': escape_and_globify(network), 'is_external_network': is_external_network } rule = Rule(rule_name=rule_def.get('name'), rule_index=rule_index, rules=rule_def_resource) resource_rules = self.resource_rules_map.get(rule_index) if not resource_rules: self.resource_rules_map[rule_index] = rule