Rules engine for checking service account key age.
class ResourceRules(resource=None, rules=None)
Bases: object

An association of a resource to rules.

__eq__(other)
Compare == with another object.
Parameters: other (ResourceRules) – object to compare with
Returns: comparison result
Return type: int

__ne__(other)
Compare != with another object.
Parameters: other (object) – object to compare with
Returns: comparison result
Return type: int

find_violations(service_account)
Determine if the policy binding matches this rule’s criteria.
Parameters: service_account (ServiceAccount) – service account resource.
Returns: RuleViolation
Return type: list
class Rule(rule_name, rule_index, key_max_age)
Bases: object

Rule properties from the rule definition file; also finds violations.

__eq__(other)
Test whether Rule equals other Rule.
Parameters: other (Rule) – object to compare to
Returns: comparison result
Return type: int

__hash__()
Make a hash of the rule index.
For now, this will suffice since the rule index is assigned automatically when the rules map is built, and the scanner only handles one rule file at a time. Later on, we’ll need to revisit this hash method when we process multiple rule files.
Returns: the hash of the rule index.
Return type: int

__ne__(other)
Test whether Rule is not equal to another Rule.
Parameters: other (object) – object to compare to
Returns: comparison result
Return type: int
_is_more_than_max_age(created_time, scan_time)
Check whether the key has been rotated: is the key creation time older than max_age in the policy?
Returns: True if the key has not been rotated (its creation time is older than max_age at scan time)
Return type: bool

find_violations(service_account)
Find service account key age violations based on the max_age.
Parameters: service_account (ServiceAccount) – ServiceAccount object.
Returns: a list of RuleViolation named tuples
Return type: list
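The age check and the violation list that Rule._is_more_than_max_age and Rule.find_violations document, worked through as an added example. This is illustrative code written for this page, not Forseti's own implementation: the Rule class and the ServiceAccount/ServiceAccountKey records are simplified stand-ins, key_max_age is assumed to be expressed in days, the violation_type string is a placeholder, and the layout of the rule definitions dict ({'rules': [{'name': ..., 'max_age': ...}]}) is an assumption. The RuleViolation field set is the one listed on this page.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Field set taken from the RuleViolation namedtuple documented on this page.
RuleViolation = namedtuple('RuleViolation', [
    'resource_type', 'resource_id', 'resource_name', 'service_account_name',
    'full_name', 'rule_name', 'rule_index', 'violation_type',
    'violation_reason', 'project_id', 'key_id', 'key_created_time',
    'resource_data'])

# Constructed stand-ins for the scanner's ServiceAccount resource and its keys;
# they carry only what the age check needs.
ServiceAccountKey = namedtuple('ServiceAccountKey', ['key_id', 'valid_after_time'])
ServiceAccount = namedtuple('ServiceAccount',
                            ['project_id', 'email', 'full_name', 'keys'])

# Assumed placeholder: the violation type string is not given on the page.
VIOLATION_TYPE = 'SERVICE_ACCOUNT_KEY_AGE_VIOLATION'


def parse_rfc3339(ts):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps GCP returns for key creation."""
    return datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)


class Rule(object):
    """Simplified stand-in for the documented Rule(rule_name, rule_index, key_max_age)."""

    def __init__(self, rule_name, rule_index, key_max_age):
        self.rule_name = rule_name
        self.rule_index = rule_index
        # Assumed unit: days (the page does not state the unit of key_max_age).
        self.key_max_age = key_max_age

    def _is_more_than_max_age(self, created_time, scan_time):
        """True when the key is older than key_max_age at scan_time, i.e. not rotated."""
        return scan_time - created_time > timedelta(days=self.key_max_age)

    def find_violations(self, service_account, scan_time):
        """Return a list of RuleViolation tuples, one per over-age key."""
        violations = []
        for key in service_account.keys:
            created = parse_rfc3339(key.valid_after_time)
            if not self._is_more_than_max_age(created, scan_time):
                continue
            age_days = (scan_time - created).days
            violations.append(RuleViolation(
                resource_type='serviceaccount_key',
                resource_id=key.key_id,
                resource_name=service_account.email,
                service_account_name=service_account.email,
                full_name=service_account.full_name,
                rule_name=self.rule_name,
                rule_index=self.rule_index,
                violation_type=VIOLATION_TYPE,
                violation_reason='Key is %d days old, max age is %d days'
                                 % (age_days, self.key_max_age),
                project_id=service_account.project_id,
                key_id=key.key_id,
                key_created_time=key.valid_after_time,
                resource_data={'email': service_account.email, 'key_id': key.key_id},
            ))
        return violations


def build_rules(rule_defs):
    """Assign rule_index automatically while walking the rule definitions dict.

    Assumed layout of rule_defs: {'rules': [{'name': ..., 'max_age': <days>}, ...]}.
    """
    return [Rule(rule_def['name'], index, rule_def['max_age'])
            for index, rule_def in enumerate(rule_defs.get('rules', []))]


def scan(rule_defs, service_account, scan_time):
    """Run every rule against one service account; returns the combined violation list."""
    violations = []
    for rule in build_rules(rule_defs):
        violations.extend(rule.find_violations(service_account, scan_time))
    return violations


# Constructed sample input: one key rotated 10 days ago, one that is 200 days old.
SAMPLE_RULES = {'rules': [{'name': 'Service account keys not rotated', 'max_age': 100}]}
SAMPLE_SCAN_TIME = datetime(2018, 7, 20, tzinfo=timezone.utc)
SAMPLE_ACCOUNT = ServiceAccount(
    project_id='example-project',
    email='sa@example-project.iam.gserviceaccount.com',
    full_name='organization/1/project/example-project/serviceaccount/sa@example-project.iam.gserviceaccount.com/',
    keys=[ServiceAccountKey('key-fresh', '2018-07-10T00:00:00Z'),
          ServiceAccountKey('key-stale', '2018-01-01T00:00:00Z')])

if __name__ == '__main__':
    for violation in scan(SAMPLE_RULES, SAMPLE_ACCOUNT, SAMPLE_SCAN_TIME):
        print(violation.key_id, violation.violation_reason)
```

The comparison is strict (`>`), so a key that is exactly key_max_age days old at scan time is not reported; whether the real scanner treats the boundary the same way is not stated on this page.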
class RuleViolation(resource_type, resource_id, resource_name, service_account_name, full_name, rule_name, rule_index, violation_type, violation_reason, project_id, key_id, key_created_time, resource_data)
Bases: tuple

A named tuple holding the fields of one key age violation.
class ServiceAccountKeyRuleBook(rule_defs=None)
Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRuleBook

The RuleBook for service account key age rules.

add_rule(rule_def, rule_index)
Add a rule to the rule book.

add_rules(rule_defs)
Add rules to the rule book.
Parameters: rule_defs (dict) – rule definitions dictionary

find_violations(service_account)
Find violations in the rule book.
Parameters: service_account (ServiceAccount) – service account resource.
Returns: RuleViolation
Return type: list

get_resource_rules(resource)
Get all the resource rules for resource.
Parameters: resource (Resource) – the gcp_type Resource to find in the map.
Returns: a ResourceRules object.
Return type: ResourceRules
class ServiceAccountKeyRulesEngine(rules_file_path, snapshot_timestamp=None)
Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRulesEngine

Rules engine for the service account key scanner.

build_rule_book(global_configs=None)
Build ServiceAccountKeyRuleBook from the rules definition file.
Parameters: global_configs (dict) – global configurations.

find_violations(service_account, force_rebuild=False)
Determine whether service account key age violates rules.
Returns: a generator of rule violations.
Return type: generator