google.cloud.forseti.scanner.audit.kms_rules_engine module

Rules engine for checking crypto keys configuration.

class KMSRuleBook(rule_defs=None)[source]

Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRuleBook

The RuleBook for crypto key rules.

__eq__(other)[source]

Equals.

Parameters:other (object) – Object to compare.
Returns:True or False.
Return type:bool
__ne__(other)[source]

Not Equals.

Parameters:other (object) – Object to compare.
Returns:True or False.
Return type:bool
__repr__()[source]

Object representation.

Returns:The object representation.
Return type:str
_abc_cache = <_weakrefset.WeakSet object>
_abc_negative_cache = <_weakrefset.WeakSet object>
_abc_negative_cache_version = 205
_abc_registry = <_weakrefset.WeakSet object>
add_rule(rule_def, rule_index)[source]

Add a rule to the rule book.

Parameters:
  • rule_def (dict) – A dictionary containing rule definition properties.
  • rule_index (int) – The index of the rule from the rule definitions. Assigned automatically when the rule book is built.
add_rules(rule_defs)[source]

Add rules to the rule book.

Parameters:rule_defs (dict) – rule definitions dictionary
find_violations(key)[source]

Find crypto key violations in the rule book.

Parameters:key (CryptoKey) – The GCP resource to check for violations.
Returns:resource crypto key rule violations.
Return type:RuleViolation
get_resource_rules(resource)[source]

Get all the resource rules for resource.

Parameters:resource (Resource) – The gcp_type Resource to find in the map.
Returns:A ResourceRules object.
Return type:ResourceRules
supported_resource_types = frozenset(['organization'])
class KMSRulesEngine(rules_file_path, snapshot_timestamp=None)[source]

Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRulesEngine

Rules engine for KMS scanner.

add_rules(rules)[source]

Add rules to the rule book.

Parameters:rules (list) – The list of rules to add to the book.
build_rule_book(global_configs=None)[source]

Build KMSRuleBook from the rules definition file.

Parameters:global_configs (dict) – Global configurations.
find_violations(key, force_rebuild=False)[source]

Determine whether crypto key configuration violates rules.

Parameters:
  • key (CryptoKey) – A crypto key resource to check.
  • force_rebuild (bool) – If True, rebuilds the rule book. This will reload the rules definition file and add the rules to the book.
Returns:A generator of rule violations.
Return type:generator

class ResourceRules(resource=None, rules=None)[source]

Bases: object

An association of a resource to rules.

__eq__(other)[source]

Compare == with another object.

Parameters:other (ResourceRules) – object to compare with
Returns:comparison result
Return type:int
__ne__(other)[source]

Compare != with another object.

Parameters:other (object) – object to compare with
Returns:comparison result
Return type:int
__repr__()[source]

String representation of this node.

Returns:debug string
Return type:str
find_violations(key)[source]

Determine if the policy binding matches this rule’s criteria.

Parameters:key (CryptoKey) – crypto key resource.
Returns:RuleViolation
Return type:list
class Rule(rule_name, rule_index, rule)[source]

Bases: object

Rule properties from the rule definition file, also finds violations.

__eq__(other)[source]

Test whether Rule equals other Rule.

Parameters:other (Rule) – object to compare to
Returns:comparison result
Return type:int
__hash__()[source]

Make a hash of the rule index.

Returns:The hash of the rule index.
Return type:int
__ne__(other)[source]

Test whether Rule is not equal to another Rule.

Parameters:other (object) – object to compare to
Returns:comparison result
Return type:int
classmethod find_match_algorithms(key, rule_algorithms)[source]

Check if there is a match for this rule algorithm against the given resource.

Parameters:
  • key (Resource) – The resource to check for a match.
  • rule_algorithms (string) – The algorithms of this rule.
Returns:Returns true if a match is found.
Return type:bool

classmethod find_match_protection_level(key, rule_protection_level)[source]

Check if there is a match for this rule protection level against the given resource.

Parameters:
  • key (Resource) – The resource to check for a match.
  • rule_protection_level (string) – The protection level of this rule.
Returns:Returns true if a match is found.
Return type:bool

classmethod find_match_purpose(key, rule_purpose)[source]

Check if there is a match for this rule purpose against the given resource.

Parameters:
  • key (Resource) – The resource to check for a match.
  • rule_purpose (list) – The purpose of this rule.
Returns:Returns true if a match is found.
Return type:bool

classmethod find_match_rotation_period(key, rotation_period, mode)[source]

Check if there is a match for this rule rotation period against the given resource.

If the mode is whitelist and the number of days since the key was last rotated is less than or equal to the rotation period specified, there is no violation.

If the mode is blacklist and the number of days since the key was last rotated is greater than the rotation period specified, there is a violation.

Parameters:
  • key (Resource) – The resource to check for a match.
  • mode (string) – The mode specified in the rule.
  • rotation_period (string) – The cut off rotation schedule of crypto key specified in rule file.
Returns:Returns true if a match is found.
Return type:bool

classmethod find_match_state(key, rule_state)[source]

Check if there is a match for this rule state against the given resource.

Parameters:
  • key (Resource) – The resource to check for a match.
  • rule_state (list) – The state of this rule.
Returns:Returns true if a match is found.
Return type:bool

find_violations(key)[source]

Find violations for this rule against the given resource.

Parameters:key (Resource) – The resource to check for violations.
Returns:Returns a list of RuleViolation named tuples.
Return type:list
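The following is an added, stand-alone illustration of how the Rule checks above fit together; it is not Forseti's own code and does not import the module. It uses the field layout of the page's RuleViolation named tuple, but everything else is constructed or assumed: the CryptoKey stand-in, the violation type label, the sample key and rule, the fixed clock, and the treatment of the algorithm, protection_level, purpose and state clauses as lists of acceptable values (an assumption; the page only says each match method returns true on a match). The rotation-period check follows the whitelist and blacklist wording of find_match_rotation_period exactly, measuring days since the primary version's create time.

```python
"""Illustrative KMS crypto-key rule check (example code, not Forseti's)."""
from collections import namedtuple
from datetime import datetime, timezone

# Field layout copied from the page's RuleViolation named tuple.
RuleViolation = namedtuple('RuleViolation', [
    'resource_id', 'resource_type', 'resource_name', 'full_name', 'rule_index',
    'rule_name', 'violation_type', 'state', 'primary_version',
    'next_rotation_time', 'rotation_period', 'key_creation_time', 'algorithm',
    'protection_level', 'purpose', 'resource_data'])

# Hypothetical stand-in for the scanner's CryptoKey resource (constructed here).
CryptoKey = namedtuple('CryptoKey', [
    'id', 'name', 'full_name', 'state', 'primary_version', 'next_rotation_time',
    'rotation_period', 'create_time', 'algorithm', 'protection_level', 'purpose'])

VIOLATION_TYPE = 'CRYPTO_KEY_VIOLATION_EXAMPLE'  # placeholder label, not Forseti's


def parse_utc(stamp):
    """Parse an RFC 3339 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)


def match_attribute(key_value, rule_values):
    """True when the rule lists no values (no constraint) or the key's value is listed."""
    return not rule_values or key_value in rule_values


def days_since_rotation(key, now):
    """Days since the primary version was created, i.e. since the key was last rotated."""
    return (now - parse_utc(key.primary_version['createTime'])).days


def rotation_period_violated(key, rotation_period_days, mode, now):
    """Rotation-period check as the page words it; True means the key violates the rule.

    whitelist: days since last rotation <= period means no violation.
    blacklist: days since last rotation > period means a violation.
    """
    days = days_since_rotation(key, now)
    if mode == 'whitelist':
        return not days <= rotation_period_days
    if mode == 'blacklist':
        return days > rotation_period_days
    raise ValueError('unknown rule mode: %r' % mode)


def find_violations(rule_name, rule_index, rule, key, now):
    """Return a list of RuleViolation tuples, one per clause of the rule the key fails."""
    failed = []
    for attr in ('algorithm', 'protection_level', 'purpose', 'state'):
        if not match_attribute(getattr(key, attr), rule.get(attr, [])):
            failed.append(attr)
    if 'rotation_period' in rule and rotation_period_violated(
            key, rule['rotation_period'], rule.get('mode', 'whitelist'), now):
        failed.append('rotation_period')
    return [RuleViolation(
        resource_id=key.id, resource_type='kms_cryptokey', resource_name=key.name,
        full_name=key.full_name, rule_index=rule_index, rule_name=rule_name,
        violation_type=VIOLATION_TYPE, state=key.state,
        primary_version=key.primary_version, next_rotation_time=key.next_rotation_time,
        rotation_period=key.rotation_period, key_creation_time=key.create_time,
        algorithm=key.algorithm, protection_level=key.protection_level,
        purpose=key.purpose, resource_data={'failed_clause': clause})
        for clause in failed]


# Constructed sample: a software-protected key whose primary version is 200 days old.
SAMPLE_KEY = CryptoKey(
    id='projects/p/locations/global/keyRings/kr/cryptoKeys/k1',
    name='k1', full_name='organization/123/project/p/kms_cryptokey/k1/',
    state='ENABLED',
    primary_version={'name': 'k1/cryptoKeyVersions/3',
                     'createTime': '2019-01-01T00:00:00Z'},
    next_rotation_time='2019-07-20T00:00:00Z', rotation_period='7776000s',
    create_time='2018-06-01T00:00:00Z', algorithm='GOOGLE_SYMMETRIC_ENCRYPTION',
    protection_level='SOFTWARE', purpose='ENCRYPT_DECRYPT')

# Constructed rule: HSM-backed keys, used only for encryption, rotated within 100 days.
SAMPLE_RULE = {'mode': 'whitelist', 'protection_level': ['HSM'],
               'purpose': ['ENCRYPT_DECRYPT'], 'rotation_period': 100}

NOW = parse_utc('2019-07-20T00:00:00Z')  # fixed clock so the result is reproducible


if __name__ == '__main__':
    for v in find_violations('hsm_rotated_keys', 0, SAMPLE_RULE, SAMPLE_KEY, NOW):
        print(v.rule_name, v.resource_name, v.resource_data['failed_clause'])
```

Run against the constructed key, the rule yields two violations: the SOFTWARE protection level is outside the allowed list, and 200 days since the last rotation exceeds the 100-day period. Pinning the clock in the check, rather than reading it inside, is what makes the rotation logic testable; a real scanner would pass the snapshot timestamp through.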
class RuleViolation(resource_id, resource_type, resource_name, full_name, rule_index, rule_name, violation_type, state, primary_version, next_rotation_time, rotation_period, key_creation_time, algorithm, protection_level, purpose, resource_data)

Bases: tuple

__getnewargs__()

Return self as a plain tuple. Used by copy and pickle.

__getstate__()

Exclude the OrderedDict from pickling

__repr__()

Return a nicely formatted representation string

_asdict()

Return a new OrderedDict which maps field names to their values

_fields = ('resource_id', 'resource_type', 'resource_name', 'full_name', 'rule_index', 'rule_name', 'violation_type', 'state', 'primary_version', 'next_rotation_time', 'rotation_period', 'key_creation_time', 'algorithm', 'protection_level', 'purpose', 'resource_data')
classmethod _make(iterable, new=<built-in method __new__ of type object>, len=<built-in function len>)

Make a new RuleViolation object from a sequence or iterable

_replace(**kwds)

Return a new RuleViolation object replacing specified fields with new values

algorithm
full_name
key_creation_time
next_rotation_time
primary_version
protection_level
purpose
resource_data
resource_id
resource_name
resource_type
rotation_period
rule_index
rule_name
state
violation_type