google.cloud.forseti.scanner.audit.service_account_key_rules_engine module

Rules engine for checking service account key age.

class ResourceRules(resource=None, rules=None)

Bases: object

An association of a resource to rules.

__eq__(other)

Compare == with another object.

Parameters: other (ResourceRules) – object to compare with
Returns: comparison result
Return type: int
__ne__(other)

Compare != with another object.

Parameters: other (object) – object to compare with
Returns: comparison result
Return type: int
__repr__()

String representation of this node.

Returns: debug string
Return type: str
find_policy_violations(service_account)

Determine whether the service account matches this rule's criteria.

Parameters: service_account (ServiceAccount) – service account resource.
Returns: list of RuleViolation
Return type: list
class Rule(rule_name, rule_index, key_max_age)

Bases: object

Rule properties from the rule definition file, also finds violations.

__eq__(other)

Test whether Rule equals other Rule.

Parameters: other (Rule) – object to compare to
Returns: comparison result
Return type: int
__hash__()

Make a hash of the rule index.

For now, this will suffice since the rule index is assigned automatically when the rules map is built, and the scanner only handles one rule file at a time. Later on, we’ll need to revisit this hash method when we process multiple rule files.

Returns: The hash of the rule index.
Return type: int
__ne__(other)

Test whether Rule is not equal to another Rule.

Parameters: other (object) – object to compare to
Returns: comparison result
Return type: int
_is_more_than_max_age(created_time, scan_time)

Check whether the key has been rotated: is the key creation time older than max_age in the policy?

Parameters:
  • created_time (str) – The time at which the key was created (this is the validAfterTime in the key API response), in string_formats.DEFAULT_FORSETI_TIMESTAMP format.
  • scan_time (datetime) – Snapshot timestamp.
Returns: True if the key is older than max_age, i.e. it has not been rotated.
Return type: bool

find_policy_violations(service_account)

Find service account key age violations based on the max_age.

Parameters: service_account (ServiceAccount) – ServiceAccount object.
Returns: a list of RuleViolation named tuples
Return type: list
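An added example (not Forseti's own code) that models the key age check documented for _is_more_than_max_age and find_policy_violations: each key's validAfterTime is compared with the scan time, and a RuleViolation is emitted for every key older than key_max_age. The timestamp format, the interpretation of key_max_age as days, the shape of the service account input, and the resource_type/violation_type labels are assumptions of this example, not values taken from Forseti.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Assumed key creation-time format (IAM validAfterTime is RFC 3339 UTC); this
# stands in for string_formats.DEFAULT_FORSETI_TIMESTAMP, not shown on this page.
KEY_TIMESTAMP_FORMAT = '%Y-%m-%dT%H:%M:%SZ'

# Same field order as the RuleViolation named tuple documented on this page.
RuleViolation = namedtuple('RuleViolation', [
    'resource_type', 'resource_id', 'service_account_name', 'full_name',
    'rule_name', 'rule_index', 'violation_type', 'violation_reason',
    'project_id', 'key_id', 'key_created_time', 'resource_data'])


def parse_timestamp(value):
    """Parse a UTC timestamp string in KEY_TIMESTAMP_FORMAT into a naive datetime."""
    return datetime.strptime(value, KEY_TIMESTAMP_FORMAT)


def is_more_than_max_age(created_time, scan_time, key_max_age):
    """True if the key is older than key_max_age days at scan_time (not rotated).

    A key that is exactly key_max_age days old is not yet a violation.
    """
    return scan_time - parse_timestamp(created_time) > timedelta(days=key_max_age)


def find_policy_violations(service_account, rule_name, rule_index,
                           key_max_age, scan_time):
    """Return one RuleViolation per key whose age exceeds key_max_age.

    service_account is a constructed dict (email, project_id, full_name, keys);
    each key is a dict with name and validAfterTime, as the IAM keys API names them.
    """
    violations = []
    for key in service_account['keys']:
        if not is_more_than_max_age(key['validAfterTime'], scan_time, key_max_age):
            continue
        violations.append(RuleViolation(
            resource_type='serviceaccount_key',  # label is an assumption
            resource_id=service_account['email'],
            service_account_name=service_account['email'],
            full_name=service_account['full_name'],
            rule_name=rule_name, rule_index=rule_index,
            violation_type='SERVICE_ACCOUNT_KEY_VIOLATION',  # assumption
            violation_reason='key older than %d days' % key_max_age,
            project_id=service_account['project_id'],
            key_id=key['name'].rsplit('/', 1)[-1],  # last path segment of the key name
            key_created_time=key['validAfterTime'],
            resource_data=key))
    return violations
```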
class RuleViolation(resource_type, resource_id, service_account_name, full_name, rule_name, rule_index, violation_type, violation_reason, project_id, key_id, key_created_time, resource_data)

Bases: tuple

__getnewargs__()

Return self as a plain tuple. Used by copy and pickle.

__getstate__()

Exclude the OrderedDict from pickling

__repr__()

Return a nicely formatted representation string

_asdict()

Return a new OrderedDict which maps field names to their values

_fields = ('resource_type', 'resource_id', 'service_account_name', 'full_name', 'rule_name', 'rule_index', 'violation_type', 'violation_reason', 'project_id', 'key_id', 'key_created_time', 'resource_data')
classmethod _make(iterable, new=tuple.__new__, len=len)

Make a new RuleViolation object from a sequence or iterable

_replace(**kwds)

Return a new RuleViolation object replacing specified fields with new values

full_name
key_created_time
key_id
project_id
resource_data
resource_id
resource_type
rule_index
rule_name
service_account_name
violation_reason
violation_type
class ServiceAccountKeyRuleBook(rule_defs=None)

Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRuleBook

The RuleBook for service account key age rules.

add_rule(rule_def, rule_index)

Add a rule to the rule book.

Parameters:
  • rule_def (dict) – A dictionary containing rule definition properties.
  • rule_index (int) – The index of the rule from the rule definitions. Assigned automatically when the rule book is built.
add_rules(rule_defs)

Add rules to the rule book.

Parameters: rule_defs (dict) – rule definitions dictionary
find_violations(service_account)

Find violations in the rule book.

Parameters: service_account (ServiceAccount) – service account resource.
Returns: list of RuleViolation
Return type: list
get_resource_rules(resource)

Get all the resource rules for resource.

Parameters: resource (Resource) – The gcp_type Resource to find in the map.
Returns: A ResourceRules object.
Return type: ResourceRules
class ServiceAccountKeyRulesEngine(rules_file_path, snapshot_timestamp=None)

Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRulesEngine

Rules engine for service account key scanner.

build_rule_book(global_configs=None)

Build ServiceAccountKeyRuleBook from the rules definition file.

Parameters: global_configs (dict) – Global configurations.
find_policy_violations(service_account, force_rebuild=False)

Determine whether service account key age violates rules.

Parameters:
  • service_account (ServiceAccount) – A service account resource to check.
  • force_rebuild (bool) – If True, rebuilds the rule book. This will reload the rules definition file and add the rules to the book.
Returns: A generator of rule violations.
Return type: generator