google.cloud.forseti.scanner.audit.kms_rules_engine module

Rules engine for checking crypto key configuration.

class KMSRuleBook(rule_defs=None)[source]

Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRuleBook

The RuleBook for crypto key rules.

__eq__(other)[source]

Equals.

Parameters:other (object) – Object to compare.
Returns:True or False.
Return type:bool
__ne__(other)[source]

Not Equals.

Parameters:other (object) – Object to compare.
Returns:True or False.
Return type:bool
__repr__()[source]

Object representation.

Returns:The object representation.
Return type:str
add_rule(rule_def, rule_index)[source]

Add a rule to the rule book.

Parameters:
  • rule_def (dict) – A dictionary containing rule definition properties.
  • rule_index (int) – The index of the rule from the rule definitions. Assigned automatically when the rule book is built.
add_rules(rule_defs)[source]

Add rules to the rule book.

Parameters:rule_defs (dict) – rule definitions dictionary
find_violations(key)[source]

Find crypto key violations in the rule book.

Parameters:key (CryptoKey) – The GCP resource to check for violations.
Returns:resource crypto key rule violations.
Return type:RuleViolation
get_resource_rules(resource)[source]

Get all the resource rules for resource.

Parameters:resource (Resource) – The gcp_type Resource to find in the map.
Returns:A ResourceRules object.
Return type:ResourceRules
supported_resource_types = frozenset(['organization'])
class KMSRulesEngine(rules_file_path, snapshot_timestamp=None)[source]

Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRulesEngine

Rules engine for KMS scanner.

add_rules(rules)[source]

Add rules to the rule book.

Parameters:rules (list) – The list of rules to add to the book.
build_rule_book(global_configs=None)[source]

Build KMSRuleBook from the rules definition file.

Parameters:global_configs (dict) – Global configurations.
find_violations(key, force_rebuild=False)[source]

Determine whether crypto key configuration violates rules.

Parameters:
  • key (CryptoKey) – A crypto key resource to check.
  • force_rebuild (bool) – If True, rebuilds the rule book. This will reload the rules definition file and add the rules to the book.
Returns:A generator of rule violations.
Return type:generator

class ResourceRules(resource=None, rules=None)[source]

Bases: object

An association of a resource to rules.

__eq__(other)[source]

Compare == with another object.

Parameters:other (ResourceRules) – object to compare with
Returns:True if the resource and its rules are equal to the other object's.
Return type:bool
__ne__(other)[source]

Compare != with another object.

Parameters:other (object) – object to compare with
Returns:True if the objects differ.
Return type:bool
__repr__()[source]

String representation of this node.

Returns:debug string
Return type:str
find_violations(key)[source]

Check the crypto key against every rule associated with this resource.

Parameters:key (CryptoKey) – crypto key resource.
Returns:RuleViolation named tuples for each rule the key violates.
Return type:list
class Rule(rule_name, rule_index, rule)[source]

Bases: object

Rule properties from the rule definition file, also finds violations.

__eq__(other)[source]

Test whether Rule equals other Rule.

Parameters:other (Rule) – object to compare to
Returns:True if the rule name, index and definition match.
Return type:bool
__hash__()[source]

Make a hash of the rule index.

Returns:The hash of the rule index.
Return type:int
__ne__(other)[source]

Test whether Rule is not equal to another Rule.

Parameters:other (object) – object to compare to
Returns:True if the rules differ.
Return type:bool
find_violations(key)[source]

Find crypto key violations based on the rotation period.

Parameters:key (CryptoKey) – The crypto key resource to check for violations.
Returns:A list of RuleViolation named tuples.
Return type:list
is_key_rotated(creation_time, scan_time)[source]

Check if the key has been rotated within the time specified in the policy.

Parameters:
  • creation_time (datetime) – The time at which the primary version of the key was created.
  • scan_time (datetime) – Snapshot timestamp.
Returns:True if the key was rotated within the time specified.
Return type:bool

class RuleViolation(resource_id, resource_type, resource_name, full_name, rule_index, rule_name, violation_type, violation_reason, primary_version, next_rotation_time, rotation_period, key_creation_time, version_creation_time, resource_data)

Bases: tuple

__getnewargs__()

Return self as a plain tuple. Used by copy and pickle.

__getstate__()

Exclude the OrderedDict from pickling

__repr__()

Return a nicely formatted representation string

_asdict()

Return a new OrderedDict which maps field names to their values

_fields = ('resource_id', 'resource_type', 'resource_name', 'full_name', 'rule_index', 'rule_name', 'violation_type', 'violation_reason', 'primary_version', 'next_rotation_time', 'rotation_period', 'key_creation_time', 'version_creation_time', 'resource_data')
classmethod _make(iterable, new=<built-in method __new__ of type object>, len=<built-in function len>)

Make a new RuleViolation object from a sequence or iterable

_replace(**kwds)

Return a new RuleViolation object replacing specified fields with new values

full_name
key_creation_time
next_rotation_time
primary_version
resource_data
resource_id
resource_name
resource_type
rotation_period
rule_index
rule_name
version_creation_time
violation_reason
violation_type
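As an added illustration (not Forseti's own code), the following Python mirrors what Rule.is_key_rotated and Rule.find_violations do and fills in a RuleViolation with the same field list as the named tuple above. The rule schema (a name plus a rotation_period in days), the 'kms_cryptokey' resource type string, the CRYPTO_KEY_VIOLATION label and the sample key dicts, which are constructed to look like Cloud KMS CryptoKey resources, are all assumptions. It also covers the two cases a rotation check most often gets wrong: a key whose rotationPeriod is configured but whose primary version is older than the policy allows, and an asymmetric key, which has no primary version at all.

```python
# Added illustration (not Forseti's own code) of the rotation check behind
# Rule.is_key_rotated / Rule.find_violations and of how the resulting
# RuleViolation tuple is filled in. The rule schema, the resource_type and
# violation_type strings and the sample keys are assumptions.
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Same field list as the page's RuleViolation named tuple.
RuleViolation = namedtuple('RuleViolation', [
    'resource_id', 'resource_type', 'resource_name', 'full_name',
    'rule_index', 'rule_name', 'violation_type', 'violation_reason',
    'primary_version', 'next_rotation_time', 'rotation_period',
    'key_creation_time', 'version_creation_time', 'resource_data'])


def parse_rfc3339(ts):
    """Parse a Cloud KMS UTC timestamp such as '2019-01-02T03:04:05.678901Z'
    into a timezone-aware datetime."""
    if ts.endswith('Z'):
        ts = ts[:-1] + '+00:00'
    return datetime.fromisoformat(ts)


def is_key_rotated(creation_time, scan_time, rotation_period_days):
    """True if the primary version was created no more than
    rotation_period_days before the snapshot time."""
    return scan_time - creation_time <= timedelta(days=rotation_period_days)


def find_rotation_violations(rule, rule_index, key, scan_time):
    """Return a list of RuleViolation for one key.

    key is a dict shaped like the Cloud KMS REST CryptoKey resource (name,
    createTime, optional primary CryptoKeyVersion, optional rotationPeriod
    and nextRotationTime). The age that matters is the primary version's:
    rotationPeriod only says when the next version will be created.
    """
    primary = key.get('primary')
    # Asymmetric keys have no primary version: fall back to the key's own age.
    version_time_str = primary['createTime'] if primary else key['createTime']
    version_time = parse_rfc3339(version_time_str)
    period_days = rule['rotation_period']
    if is_key_rotated(version_time, scan_time, period_days):
        return []
    age_days = (scan_time - version_time).days
    return [RuleViolation(
        resource_id=key['name'],
        resource_type='kms_cryptokey',          # assumed type string
        resource_name=key['name'].rsplit('/', 1)[-1],
        full_name=key['name'],
        rule_index=rule_index,
        rule_name=rule['name'],
        violation_type='CRYPTO_KEY_VIOLATION',  # assumed label
        violation_reason='key material is %d days old; policy allows %d days'
                         % (age_days, period_days),
        primary_version=primary['name'] if primary else None,
        next_rotation_time=key.get('nextRotationTime'),
        rotation_period=key.get('rotationPeriod'),
        key_creation_time=key['createTime'],
        version_creation_time=version_time_str,
        resource_data=key)]


def scan(keys, rule, rule_index, scan_time):
    """Apply one rule to every key, as the rule book does per resource."""
    violations = []
    for key in keys:
        violations.extend(
            find_rotation_violations(rule, rule_index, key, scan_time))
    return violations


# Constructed sample input: one rule and three keys in a fictitious project.
RULE = {'name': 'Rotate crypto keys at least every 90 days',
        'rotation_period': 90}
SCAN_TIME = datetime(2019, 6, 1, tzinfo=timezone.utc)
KEY_PREFIX = ('projects/example-proj/locations/global/keyRings/ring-1/'
              'cryptoKeys/')
STALE_KEY = {  # schedule is configured, but the live version is 151 days old
    'name': KEY_PREFIX + 'stale-key',
    'createTime': '2018-01-01T00:00:00Z',
    'rotationPeriod': '7776000s',
    'nextRotationTime': '2019-06-15T00:00:00Z',
    'primary': {'name': KEY_PREFIX + 'stale-key/cryptoKeyVersions/1',
                'createTime': '2019-01-01T00:00:00Z'}}
FRESH_KEY = {  # rotated about 16 days before the snapshot
    'name': KEY_PREFIX + 'fresh-key',
    'createTime': '2018-01-01T00:00:00Z',
    'primary': {'name': KEY_PREFIX + 'fresh-key/cryptoKeyVersions/7',
                'createTime': '2019-05-15T12:30:00.123456Z'}}
SIGNING_KEY = {  # asymmetric: no primary version, judged by key age
    'name': KEY_PREFIX + 'signing-key',
    'purpose': 'ASYMMETRIC_SIGN',
    'createTime': '2018-06-01T00:00:00Z'}

if __name__ == '__main__':
    for v in scan([STALE_KEY, FRESH_KEY, SIGNING_KEY], RULE, 0, SCAN_TIME):
        print(v.resource_name, v.violation_reason)
```

Run directly it prints the two offending keys. The design point is that the check keys off version_creation_time rather than rotation_period: a freshly configured rotation schedule on an old key does not by itself satisfy the rule, and a key with no primary version still gets judged rather than silently skipped.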