示例#1
0
    def test_add_single_rule_builds_correct_map(self):
        """Test that adding a single rule builds the correct map."""
        rule_book = ire.IamRuleBook(test_rules.RULES1, self.fake_timestamp)
        actual_rules = rule_book.resource_rules_map

        # expected
        rule_bindings = [{
            'role': 'roles/*',
            'members': ['user:*@company.com']
        }]
        rule = scanner_rules.Rule(
            'my rule',
            0, [IamPolicyBinding.create_from(b) for b in rule_bindings],
            mode='whitelist')
        expected_org_rules = ire.ResourceRules(self.org789,
                                               rules=set([rule]),
                                               applies_to='self_and_children')
        expected_proj1_rules = ire.ResourceRules(self.project1,
                                                 rules=set([rule]),
                                                 applies_to='self')
        expected_proj2_rules = ire.ResourceRules(self.project2,
                                                 rules=set([rule]),
                                                 applies_to='self')
        expected_rules = {
            (self.org789, 'self_and_children'): expected_org_rules,
            (self.project1, 'self'): expected_proj1_rules,
            (self.project2, 'self'): expected_proj2_rules
        }

        self.assertEqual(expected_rules, actual_rules)
示例#2
0
    def test_policy_binding_matches_whitelist_rules(self):
        """Test that a policy binding matches the whitelist rules.

        Setup:
            * Create a test policy binding.
            * Create a test rule binding.
            * Create a whitelist rule with the test rules.

        Expected results:
            All policy binding members are in the whitelist.
        """
        test_binding = {
            'role':
            'roles/owner',
            'members': [
                'user:[email protected]',
                'user:[email protected]',
                'group:[email protected]',
                'serviceAccount:[email protected]',
            ]
        }
        rule_bindings = [{
            'role':
            'roles/owner',
            'members': [
                'user:*@company.com',
                'user:abc@*.somewhere.com',
                'group:*@googlegroups.com',
                'serviceAccount:*@*.gserviceaccount.com',
            ]
        }]

        rule = scanner_rules.Rule(
            'test rule',
            0, [IamPolicyBinding.create_from(b) for b in rule_bindings],
            mode='whitelist')
        resource_rule = ire.ResourceRules(rules=[rule])
        results = list(
            resource_rule.find_mismatches(self.project1, test_binding))

        self.assertEqual(0, len(results))
示例#3
0
    def test_policy_binding_mismatches_required_rules(self):
        """Test that a required list of members mismatches policy binding.

        Setup:
            * Create a test policy binding.
            * Create a test rule binding.
            * Create a required rule with the test rules.

        Expected results:
            All required members are found in the policy.
        """
        test_binding = {
            'role':
            'roles/owner',
            'members': [
                'user:[email protected]',
                'group:[email protected]',
                'serviceAccount:[email protected]',
            ]
        }
        rule_bindings = [{
            'role':
            'roles/owner',
            'members': [
                'user:[email protected]',
                'user:[email protected]',
            ]
        }]

        rule = scanner_rules.Rule(
            'test rule',
            0, [IamPolicyBinding.create_from(b) for b in rule_bindings],
            mode='required')
        resource_rule = ire.ResourceRules(resource=self.project1)
        resource_rule.rules.add(rule)
        results = list(
            resource_rule.find_mismatches(self.project1, test_binding))

        self.assertEqual(1, len(results))
示例#4
0
    def test_policy_binding_does_not_match_blacklist_rules(self):
        """Test that a policy binding does not match the blacklist.

        Setup:
            * Create a test policy binding.
            * Create a test rule binding.
            * Create a blacklist rule with the test rules.

        Expected results:
            No policy bindings found in the blacklist.
        """
        test_binding = {
            'role': 'roles/owner',
            'members': [
                'user:[email protected]',
            ]
        }
        rule_bindings = [{
            'role':
            'roles/owner',
            'members': [
                'user:*@company.com',
                'user:abc@*.somewhere.com',
                'group:*@googlegroups.com',
                'serviceAccount:*@*.gserviceaccount.com',
            ]
        }]

        rule = scanner_rules.Rule(
            'test rule',
            0, [IamPolicyBinding.create_from(b) for b in rule_bindings],
            mode='blacklist')
        resource_rule = ire.ResourceRules(rules=[rule])
        results = list(
            resource_rule.find_mismatches(self.project1, test_binding))

        self.assertEqual(0, len(results))