def test_add_single_rule_builds_correct_map(self):
    """Verify the rule book built from RULES1 keys one rule under three scopes.

    The fixture is expected to yield a single whitelist rule (any role,
    members restricted to ``user:*@company.com``) attached to the org with
    ``self_and_children`` scope and to each project with ``self`` scope;
    the map is compared whole so an extra or missing scope also fails.
    """
    actual_rules = ire.IamRuleBook(
        test_rules.RULES1, self.fake_timestamp).resource_rules_map

    # The one rule the fixture should produce. The second positional
    # argument (0) is presumably the rule's index within the rule file.
    whitelist_rule = scanner_rules.Rule(
        'my rule', 0,
        [IamPolicyBinding.create_from({
            'role': 'roles/*',
            'members': ['user:*@company.com'],
        })],
        mode='whitelist')

    # (resource, applies_to) pairs the rule is expected to be keyed under.
    expected_scopes = [
        (self.org789, 'self_and_children'),
        (self.project1, 'self'),
        (self.project2, 'self'),
    ]
    expected_rules = {
        (resource, scope): ire.ResourceRules(
            resource, rules={whitelist_rule}, applies_to=scope)
        for resource, scope in expected_scopes
    }

    self.assertEqual(expected_rules, actual_rules)
def test_policy_binding_matches_whitelist_rules(self):
    """Verify a binding whose members all fit the whitelist yields no mismatch.

    Setup:
        * One policy binding on ``roles/owner`` with four members of
          different kinds (user, group, service account).
        * One whitelist rule whose member patterns use ``*`` wildcards.

    Expected:
        ``find_mismatches`` returns nothing, i.e. every policy member is
        presumably covered by at least one wildcard pattern.
    """
    policy_binding = {
        'role': 'roles/owner',
        'members': [
            'user:[email protected]',
            'user:[email protected]',
            'group:[email protected]',
            'serviceAccount:[email protected]',
        ],
    }

    # Wildcard patterns; the engine (not this test) defines how '*' matches.
    whitelist_binding = {
        'role': 'roles/owner',
        'members': [
            'user:*@company.com',
            'user:abc@*.somewhere.com',
            'group:*@googlegroups.com',
            'serviceAccount:*@*.gserviceaccount.com',
        ],
    }
    whitelist_rule = scanner_rules.Rule(
        'test rule', 0,
        [IamPolicyBinding.create_from(whitelist_binding)],
        mode='whitelist')
    resource_rule = ire.ResourceRules(rules=[whitelist_rule])

    mismatches = list(
        resource_rule.find_mismatches(self.project1, policy_binding))
    self.assertEqual(0, len(mismatches))
def test_policy_binding_mismatches_required_rules(self):
    """Verify a required rule reports a mismatch when its members are absent.

    Setup:
        * One policy binding on ``roles/owner`` with three members.
        * One ``required`` rule on the same role listing two user members.

    Expected:
        ``find_mismatches`` returns exactly one result -- presumably the
        required member(s) not present in the policy binding.
    """
    policy_binding = {
        'role': 'roles/owner',
        'members': [
            'user:[email protected]',
            'group:[email protected]',
            'serviceAccount:[email protected]',
        ],
    }

    required_binding = {
        'role': 'roles/owner',
        'members': [
            'user:[email protected]',
            'user:[email protected]',
        ],
    }
    required_rule = scanner_rules.Rule(
        'test rule', 0,
        [IamPolicyBinding.create_from(required_binding)],
        mode='required')

    # Attach the rule after construction rather than via the constructor,
    # exercising the mutable ``rules`` set on ResourceRules.
    resource_rule = ire.ResourceRules(resource=self.project1)
    resource_rule.rules.add(required_rule)

    mismatches = list(
        resource_rule.find_mismatches(self.project1, policy_binding))
    self.assertEqual(1, len(mismatches))
def test_policy_binding_does_not_match_blacklist_rules(self):
    """Verify a binding outside every blacklist pattern yields no mismatch.

    Setup:
        * One policy binding on ``roles/owner`` with a single user member.
        * One blacklist rule whose member patterns use ``*`` wildcards.

    Expected:
        ``find_mismatches`` returns nothing; the single member is
        presumably matched by none of the blacklist patterns (a member
        that did match would be expected to surface as a mismatch).
    """
    policy_binding = {
        'role': 'roles/owner',
        'members': [
            'user:[email protected]',
        ],
    }

    blacklist_binding = {
        'role': 'roles/owner',
        'members': [
            'user:*@company.com',
            'user:abc@*.somewhere.com',
            'group:*@googlegroups.com',
            'serviceAccount:*@*.gserviceaccount.com',
        ],
    }
    blacklist_rule = scanner_rules.Rule(
        'test rule', 0,
        [IamPolicyBinding.create_from(blacklist_binding)],
        mode='blacklist')
    resource_rule = ire.ResourceRules(rules=[blacklist_rule])

    mismatches = list(
        resource_rule.find_mismatches(self.project1, policy_binding))
    self.assertEqual(0, len(mismatches))