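    def test_policy_with_no_rules_has_no_violations(self):
        """Test a policy against an empty RuleBook.

        With no rules loaded there is nothing to enforce, so even a binding
        that grants ``roles/editor`` must not be reported as a violation.

        Setup:
            * Create an empty RuleBook.
            * Create the policy bindings.
            * Create the expected violations list.

        Expected results:
            No policy violations found.
        """
        # actual
        rule_book = OrgRuleBook()
        # NOTE(review): the member literals in this listing look like they were
        # replaced by an e-mail-obfuscation placeholder; the originals were
        # presumably distinct addresses. Kept verbatim rather than guessed.
        policy_bindings = [{
            'role':
            'roles/editor',
            'members': ['user:[email protected]', 'user:[email protected]']
        }]

        # Materialize the result, as the sibling find_violations tests do, so
        # the comparison is against a list whether the engine returns a list
        # or a generator (assertEqual([], <generator>) would always fail).
        actual_violations = list(
            rule_book.find_violations(self.project1, policy_bindings[0]))

        # expected
        expected_violations = []

        self.assertEqual(expected_violations, actual_violations)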
    def test_no_mismatch(self):
        """Test a policy where every member satisfies the whitelist.

        Setup:
            * Create a RuleBook and load self.RULES1 into it.
            * Create a single ``roles/editor`` policy binding.

        Expected results:
            No policy binding members are reported as missing from the
            whitelist, i.e. the violation list is empty.
        """
        # NOTE(review): the member literals in this listing look like they were
        # replaced by an e-mail-obfuscation placeholder; kept verbatim.
        editor_binding = {
            'role':
            'roles/editor',
            'members': ['user:[email protected]', 'user:[email protected]']
        }

        book = OrgRuleBook()
        book._add_rules(self.RULES1)

        found = list(book.find_violations(self.project1, editor_binding))

        # A whitelist rule only fires for members outside the allowed set;
        # here none are, so nothing should come back.
        self.assertEqual([], found)
    def test_org_whitelist_rules_vs_policy_no_violations(self):
        """Test an org-level whitelist ruleset against a compliant policy.

        Setup:
            * Create a RulesEngine from the on-disk rules file, then swap in
              a RuleBook built from RULES1.
            * Create an org policy with one ``roles/editor`` binding.

        Expected result:
            * No rule violations are found for the org.
        """
        rules_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        engine = OrgRulesEngine(rules_path)
        # The yaml on disk is only needed to construct the engine; the rules
        # under test come from the in-memory RULES1 fixture.
        engine.rule_book = OrgRuleBook(self.RULES1)

        # NOTE(review): the member literal in this listing looks like an
        # e-mail-obfuscation placeholder; kept verbatim.
        org_policy = {
            'bindings': [{
                'role': 'roles/editor',
                'members': [
                    'user:[email protected]',
                ]
            }]
        }

        found = list(engine.find_policy_violations(self.org789, org_policy))

        self.assertItemsEqual([], found)
    def test_add_single_rule_builds_correct_map(self):
        """Test that loading RULES1 produces the expected resource->rules map.

        The single whitelist rule (``roles/*`` for ``user:*@company.com``) is
        expected to be attached to the org with ``self_and_children`` scope
        and, by inheritance, to each of the two projects with ``self`` scope.
        """
        book = OrgRuleBook(self.RULES1)

        whitelist_bindings = [{
            'role': 'roles/*',
            'members': ['user:*@company.com']
        }]
        whitelist_rule = Rule('my rule', 0, whitelist_bindings,
                              mode='whitelist')

        def rules_for(resource, scope):
            # Every resource carries the same single rule; only the scope
            # ("applies_to") differs between the org and its projects.
            return ResourceRules(resource,
                                 rules={whitelist_rule},
                                 applies_to=scope)

        expected_map = {
            self.org789: rules_for(self.org789, 'self_and_children'),
            self.project1: rules_for(self.project1, 'self'),
            self.project2: rules_for(self.project2, 'self'),
        }

        self.assertEqual(expected_map, book.resource_rules_map)
    def test_one_member_mismatch(self):
        """Test a policy where exactly one member falls outside the whitelist.

        Setup:
            * Create a RuleBook and load self.RULES1 into it.
            * Create a ``roles/editor`` binding with two members.
            * Rebuild the whitelist Rule locally to derive the expected
              rule name, index and violation type.

        Expected results:
            One RuleViolation for project1 naming the single non-whitelisted
            member under ``roles/editor``.
        """
        # NOTE(review): the member literals in this listing look like they were
        # replaced by an e-mail-obfuscation placeholder, so the two members
        # appear identical here; the originals were presumably one company
        # address and one outside address. Kept verbatim rather than guessed.
        editor_binding = {
            'role':
            'roles/editor',
            'members': ['user:[email protected]', 'user:[email protected]']
        }

        book = OrgRuleBook()
        book._add_rules(self.RULES1)
        found = list(book.find_violations(self.project1, editor_binding))

        # The same rule RULES1 loads, rebuilt so the expectation does not
        # hard-code the name/index/mode.
        whitelist_rule = Rule('my rule', 0, [{
            'role': 'roles/*',
            'members': ['user:*@company.com']
        }], mode='whitelist')

        outside_members = [
            IamPolicyMember.create_from('user:[email protected]')
        ]
        expected = [
            RuleViolation(resource_type=self.project1.resource_type,
                          resource_id=self.project1.resource_id,
                          rule_name=whitelist_rule.rule_name,
                          rule_index=whitelist_rule.rule_index,
                          role='roles/editor',
                          violation_type=RULE_VIOLATION_TYPE.get(
                              whitelist_rule.mode),
                          members=outside_members)
        ]

        self.assertEqual(expected, found)
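    def test_empty_policy_with_rules_no_violations(self):
        """Test an empty policy against a RulesEngine that has rules loaded.

        An empty policy dict carries no bindings, so a whitelist rule has
        nothing to evaluate and must report nothing (a required rule, if any
        were loaded, is a separate case not covered here).

        Setup:
            * Create a RulesEngine and swap in a RuleBook built from RULES1.
            * Create the expected violations list.

        Expected results:
            No policy violations found.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = OrgRulesEngine(rules_local_path)
        rules_engine.rule_book = OrgRuleBook(self.RULES1)

        # Materialize the result, as the other find_policy_violations tests
        # do via list.extend(), so the comparison is against a list whether
        # the engine returns a list or a generator.
        actual_violations = list(
            rules_engine.find_policy_violations(self.project1, {}))

        # expected
        expected_violations = []

        self.assertEqual(expected_violations, actual_violations)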
    def test_org_proj_rules_vs_policy_has_violations(self):
        """Test whitelist, blacklist and required rules across org and project.

        The org policy trips the blacklist rule once; the project policy trips
        the whitelist rule once and the required rule once (a ``roles/viewer``
        member that the rule demands is absent).

        Setup:
            * Create a RulesEngine and swap in a RuleBook built from RULES3.
            * Create an org policy and a project policy, each with a single
              ``roles/editor`` binding of two members.

        Expected result:
            * Exactly 3 rule violations, matched irrespective of order.
        """
        rules_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        engine = OrgRulesEngine(rules_path)
        engine.rule_book = OrgRuleBook(self.RULES3)

        # NOTE(review): the member literals in this listing look like they were
        # replaced by an e-mail-obfuscation placeholder; kept verbatim.
        org_policy = {
            'bindings': [{
                'role':
                'roles/editor',
                'members': [
                    'user:[email protected]',
                    'user:[email protected]',
                ]
            }]
        }
        project_policy = {
            'bindings': [{
                'role':
                'roles/editor',
                'members': [
                    'user:[email protected]',
                    'user:[email protected]',
                ]
            }]
        }

        found = list(engine.find_policy_violations(self.org789, org_policy))
        found += list(
            engine.find_policy_violations(self.project1, project_policy))

        editor_role = 'roles/editor'
        blacklisted_org_member = [
            IamPolicyMember.create_from('user:[email protected]')
        ]
        non_whitelisted_project_member = [
            IamPolicyMember.create_from('user:[email protected]')
        ]
        missing_required_viewer = [
            IamPolicyMember.create_from('user:[email protected]')
        ]

        expected = [
            # Blacklist hit on the org: a forbidden member was ADDED.
            RuleViolation(rule_index=1,
                          rule_name='my blacklist rule',
                          resource_id=self.org789.resource_id,
                          resource_type=self.org789.resource_type,
                          violation_type='ADDED',
                          role=editor_role,
                          members=blacklisted_org_member),
            # Whitelist hit on the project: a non-allowed member was ADDED.
            RuleViolation(rule_index=0,
                          rule_name='my whitelist rule',
                          resource_id=self.project1.resource_id,
                          resource_type=self.project1.resource_type,
                          violation_type='ADDED',
                          role=editor_role,
                          members=non_whitelisted_project_member),
            # Required hit on the project: a mandated viewer is missing
            # (REMOVED), even though the policy never mentions roles/viewer.
            RuleViolation(rule_index=2,
                          rule_name='my required rule',
                          resource_id=self.project1.resource_id,
                          resource_type=self.project1.resource_type,
                          violation_type='REMOVED',
                          role='roles/viewer',
                          members=missing_required_viewer),
        ]

        self.assertItemsEqual(expected, found)
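    def test_whitelist_blacklist_rules_vs_policy_has_violations(self):
        """Test a ruleset with whitelist, blacklist and required rules.

        The same three-member ``roles/editor`` policy is evaluated against
        project1 and project2. project1 trips the whitelist rule (index 0)
        and the required rule (index 2, a ``roles/viewer`` member that must
        be present is absent); project2 trips both the whitelist rule
        (index 0) and the blacklist rule (index 1).

        Setup:
            * Create a RulesEngine and swap in a RuleBook built from RULES2.
            * Create one policy and evaluate it against both projects.

        Expected result:
            * Exactly 4 rule violations, matched irrespective of order.
        """
        # actual
        rules_local_path = get_datafile_path(__file__, 'test_rules_1.yaml')
        rules_engine = OrgRulesEngine(rules_local_path)
        rules_engine.rule_book = OrgRuleBook(self.RULES2)

        # NOTE(review): the member literals in this listing look like they were
        # replaced by an e-mail-obfuscation placeholder, so all three members
        # appear identical here; kept verbatim rather than guessed.
        policy = {
            'bindings': [{
                'role':
                'roles/editor',
                'members': [
                    'user:[email protected]', 'user:[email protected]',
                    'user:[email protected]'
                ]
            }]
        }

        actual_violations = []
        actual_violations.extend(
            rules_engine.find_policy_violations(self.project1, policy))
        actual_violations.extend(
            rules_engine.find_policy_violations(self.project2, policy))

        # expected
        # Member flagged by the whitelist rule on both projects.
        expected_outstanding1 = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')]
        }
        # Member flagged by the blacklist rule on project2 only.
        expected_outstanding2 = {
            'roles/editor':
            [IamPolicyMember.create_from('user:[email protected]')]
        }

        expected_violations = [
            RuleViolation(rule_index=0,
                          rule_name='my rule',
                          resource_id=self.project1.resource_id,
                          resource_type=self.project1.resource_type,
                          violation_type='ADDED',
                          role=policy['bindings'][0]['role'],
                          members=expected_outstanding1['roles/editor']),
            RuleViolation(rule_index=0,
                          rule_name='my rule',
                          resource_type=self.project2.resource_type,
                          resource_id=self.project2.resource_id,
                          violation_type='ADDED',
                          role=policy['bindings'][0]['role'],
                          members=expected_outstanding1['roles/editor']),
            RuleViolation(rule_index=1,
                          rule_name='my other rule',
                          resource_type=self.project2.resource_type,
                          resource_id=self.project2.resource_id,
                          violation_type='ADDED',
                          role=policy['bindings'][0]['role'],
                          members=expected_outstanding2['roles/editor']),
            # The required rule reports the member it expected to find but
            # did not, under a role the policy never grants.
            RuleViolation(rule_index=2,
                          rule_name='required rule',
                          resource_id=self.project1.resource_id,
                          resource_type=self.project1.resource_type,
                          violation_type='REMOVED',
                          role='roles/viewer',
                          members=[
                              IamPolicyMember.create_from(
                                  'user:[email protected]')
                          ])
        ]

        self.assertItemsEqual(expected_violations, actual_violations)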