google.cloud.forseti.scanner.audit.external_project_access_rules_engine module

Rules engine for external project access.

class ExternalProjectAccessRuleBook(rule_defs=None)

Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRuleBook

The RuleBook for ExternalProjectAccess resources.

add_rule(rule_def, rule_index)

Add a rule to the rule book.

Parameters:
  • rule_def (dict) – A dictionary containing rule definition properties.
  • rule_index (int) – The index of the rule from the rule definitions. Assigned automatically when the rule book is built.
add_rules(rule_defs)

Add rules to the rule book.

Parameters:
  • rule_defs (dict) – Rule definitions dictionary.
ancestor_pattern = <_sre.SRE_Pattern object>
find_violations(user_email, project_ancestry)

Determine whether project ancestry violates rules.

Parameters:
  • user_email (str) – The user’s e-mail
  • project_ancestry (list) – List of ancestries, each of which resolves to a list of resources.
Returns:

A list of rule violations.

Return type:

list

process_rule(rule_def, rule_index)

Process a rule.

Parameters:
  • rule_def (dict) – A dictionary containing rule definition properties.
  • rule_index (int) – The index of the rule from the rule definitions. Assigned automatically when the rule book is built.
Returns:

The ancestors as resources defined in the rule

Return type:

ancestors

validate_ancestor(ancestor, rule_index)

Validate the ancestor in a rule.

Parameters:
  • ancestor (str) – The ancestor defined by the rule.
  • rule_index (int) – The index of the rule from the rule definitions. Assigned automatically when the rule book is built.
validate_ancestors(ancestors, rule_index)

Validate a list of ancestors in a rule.

Parameters:
  • ancestors (list) – The ancestors defined by the rule.
  • rule_index (int) – The index of the rule from the rule definitions. Assigned automatically when the rule book is built.
class ExternalProjectAccessRulesEngine(rules_file_path, snapshot_timestamp=None)

Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRulesEngine

Rules engine for External Project Access.

build_rule_book(global_configs=None)

Build ExternalProjectAccess rule book from the rules definition file.

Parameters:
  • global_configs (dict) – Inventory configurations.
find_violations(user_email, project_ancestry, force_rebuild=False)

Determine whether project ancestry violates rules.

Parameters:
  • user_email (str) – The user’s e-mail
  • project_ancestry (list) – List of ancestries, each of which resolves to a list of resources.
  • force_rebuild (bool) – Force a rebuild of the rule book before checking.
Returns:

A generator of rule violations.

Return type:

generator

class Rule(rule_name, rule_index, rules)

Bases: object

Rule properties from the rule definition file.

Also finds violations.

class RuleViolation(resource_type, resource_id, rule_name, rule_index, rule_ancestors, full_name, violation_type, member, resource_data)

Bases: tuple

__getnewargs__()

Return self as a plain tuple. Used by copy and pickle.

__getstate__()

Exclude the OrderedDict from pickling

__repr__()

Return a nicely formatted representation string

_asdict()

Return a new OrderedDict which maps field names to their values

_fields = ('resource_type', 'resource_id', 'rule_name', 'rule_index', 'rule_ancestors', 'full_name', 'violation_type', 'member', 'resource_data')
classmethod _make(iterable, new=<built-in method __new__ of type object>, len=<built-in function len>)

Make a new RuleViolation object from a sequence or iterable

_replace(**kwds)

Return a new RuleViolation object replacing specified fields with new values

full_name
member
resource_data
resource_id
resource_type
rule_ancestors
rule_index
rule_name
violation_type
find_violation(user_email, ancestry)

Find external project access policy ACL violations in the rule book.

Parameters:
  • user_email (string) – The e-mail of the user
  • ancestry (dict) – The ancestry provided by the scanner
Returns:

A RuleViolation named tuple, or None if the rule is not violated.

Return type:

namedtuple
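The page describes the flow only in docstrings: ancestors are validated when the rule book is built, and a project's ancestry is then checked against each rule, producing a RuleViolation named tuple when none of the allowed ancestors appears in it. The following added example, which is not Forseti's code, models that check end to end. The ancestor regex, the `validate_ancestors`/`find_violation`/`scan` functions, the `allowed_ancestors` key, the (type, id) ancestry representation, the `full_name` format and the `EXTERNAL_PROJECT_ACCESS_VIOLATION` label are all assumptions made for this illustration; only the RuleViolation field names come from the page.

```python
import re
from collections import namedtuple

# Same field names as the page's RuleViolation._fields.
RuleViolation = namedtuple('RuleViolation', [
    'resource_type', 'resource_id', 'rule_name', 'rule_index',
    'rule_ancestors', 'full_name', 'violation_type', 'member',
    'resource_data'])

# Assumed shape of an allowed ancestor in a rule: "organizations/<id>" or
# "folders/<id>" (stands in for the page's ancestor_pattern).
ANCESTOR_RE = re.compile(r'^(organizations|folders)/\d+$')


def is_valid_ancestor(ancestor):
    """True if the ancestor string has the assumed organizations/folders form."""
    return bool(ANCESTOR_RE.match(ancestor))


def validate_ancestors(ancestors, rule_index):
    """Reject a rule with no ancestors or a malformed one when the book is built,
    so a typo in the rules file fails fast instead of silently allowing access."""
    if not ancestors:
        raise ValueError('rule %d: no ancestors defined' % rule_index)
    for ancestor in ancestors:
        if not is_valid_ancestor(ancestor):
            raise ValueError('rule %d: invalid ancestor %r' % (rule_index, ancestor))
    return list(ancestors)


def find_violation(user_email, ancestry, rule_name, rule_index, rule_ancestors):
    """Return a RuleViolation if no resource in the project's ancestry is one of
    the rule's allowed ancestors, else None.

    ancestry is a constructed list of (resource_type, resource_id) pairs,
    leaf project first, root organization last."""
    for resource_type, resource_id in ancestry:
        if '%s/%s' % (resource_type, resource_id) in rule_ancestors:
            return None
    project_type, project_id = ancestry[0]
    return RuleViolation(
        resource_type=project_type,
        resource_id=project_id,
        rule_name=rule_name,
        rule_index=rule_index,
        rule_ancestors=rule_ancestors,
        # Root-to-leaf path in the style of a Forseti full name (assumed format).
        full_name='/'.join('%s/%s' % pair for pair in reversed(ancestry)) + '/',
        violation_type='EXTERNAL_PROJECT_ACCESS_VIOLATION',  # assumed label
        member=user_email,
        resource_data={'ancestry': ancestry},
    )


def scan(user_email, rule_defs, ancestries):
    """Build the validated rules, then check every ancestry against each rule."""
    violations = []
    for rule_index, rule_def in enumerate(rule_defs):
        allowed = validate_ancestors(rule_def['allowed_ancestors'], rule_index)
        for ancestry in ancestries:
            violation = find_violation(
                user_email, ancestry, rule_def['name'], rule_index, allowed)
            if violation is not None:
                violations.append(violation)
    return violations


# Constructed sample input: one rule allowing only organization 1234567890,
# and two projects the user can reach, one inside that org and one outside it.
RULE_DEFS = [
    {'name': 'only_corporate_org',
     'allowed_ancestors': ['organizations/1234567890']},
]
ANCESTRIES = [
    [('projects', 'internal-app'), ('folders', '5555'),
     ('organizations', '1234567890')],
    [('projects', 'partner-sandbox'), ('organizations', '9999999999')],
]

if __name__ == '__main__':
    for v in scan('alice@example.com', RULE_DEFS, ANCESTRIES):
        print('%s: %s can reach %s (allowed: %s)' % (
            v.violation_type, v.member, v.full_name, v.rule_ancestors))
```

Run as a script, the sample reports only `partner-sandbox`, because its ancestry never passes through an allowed organization or folder, while `internal-app` is cleared as soon as its organization matches. Validating ancestors at build time rather than at scan time is the safe default: a malformed rule should stop the scanner, not produce an empty allow list that flags every project or a lax one that flags none.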