google.cloud.forseti.scanner.scanners.external_project_access_scanner module¶

External project access scanner.

class ExternalProjectAccessScanner(global_configs, scanner_configs, service_config, model_name, snapshot_timestamp, rules)[source]¶

Bases: google.cloud.forseti.scanner.scanners.base_scanner.BaseScanner

Scanner for external project access.

_abc_cache = <_weakrefset.WeakSet object>¶

_abc_negative_cache = <_weakrefset.WeakSet object>¶

_abc_negative_cache_version = 207¶

_abc_registry = <_weakrefset.WeakSet object>¶

_find_violations(ancestries_by_user)[source]¶

Find violations in the policies.

Parameters:	ancestries_by_user (dict) – The project ancestries collected from the scanner
Returns:	A list of ExternalProjectAccess violations
Return type:	list

static _flatten_violations(violations)[source]¶

Flatten RuleViolations into a dict for each RuleViolation member.

Parameters:	violations (list) – The RuleViolations to flatten.
Yields:	dict – Iterator of RuleViolations as a dict per member.

_get_crm_client(user_email)[source]¶

Get a user scoped CloudResourceManagerClient.

Parameters:	user_email (str) – The e-mail address of the user.
Returns:	crm client
Return type:	CloudResourceManagerClient

_output_results(all_violations)[source]¶

Output results.

Parameters:	all_violations (list) – A list of violations.

_retrieve()[source]¶

Retrieve the project ancestries for all users.

Returns:	User project relationship. {“user1@example.com”: [[Project(“1234”), Organization(“1234567”)], [Project(“12345”), Folder(“ABCDEFG”), Organization(“1234567”)]], ”user2@example.com”: [[Project(“1234”), Organization(“34567”)], [Project(“12345”), Folder(“ABCDEFG”), Organization(“1234567”)]]}
Return type:	dict

run()[source]¶: Entry point to run the scanner.

_get_inventory_storage(session, inventory_index_id)[source]¶

Creates an open inventory.

Parameters:	session (object) – db session. inventory_index_id (int) – The inventory index
Returns:	storage object
Return type:	Storage

extract_project_ids(crm_client)[source]¶

Extract a list of project ID’s

Parameters:	crm_client (CloudResourceManagerClient) – An authenticated CRM client
Returns:	Project ID’s as strings
Return type:	list

get_project_ancestries(crm_client, project_id_list)[source]¶

Get the ancestries from a list of project ID’s

Parameters:

Parameters:	crm_client (CloudResourceManagerClient) – crm client project_id_list (list) – A list of project ID’s as strings
Returns:	A list of lists ofResource objects defining the ancestrychain from the Project to the Organization
Return type:	list

crm_client (CloudResourceManagerClient) – crm client
project_id_list (list) – A list of project ID’s as strings

Returns:

A list of lists ofResource objects: defining the ancestrychain from the Project to the Organization

Return type:

list

get_project_ancestry(crm_client, project_id)[source]¶

get_user_emails(service_config, member_types=None)[source]¶

Retrieves the list of user email addresses from inventory.

Parameters:	service_config (dict) – The service configuration member_types (list) – Member types to query in storage. This defaults to ‘gsuite_user’.
Returns:	List of list of user e-mail addresses.
Return type:	list

memoize_ancestry(ancestry_function)[source]¶

A decorator function to intelligently retrieve project ancestries, only if necessary.

Parameters:	ancestry_function (function) – The ancestry retrieval function.
Returns:	The helper
Return type:	function