google.cloud.forseti.scanner.audit.blacklist_rules_engine module

Rules engine for Blacklist of IP addresses.

class BlacklistRuleBook(rule_defs=None)

Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRuleBook

The RuleBook for network resources.

add_rule(rule_def, rule_index)

Add a rule to the rule book.

Parameters:rule_def (dict) – A dictionary containing rule definition properties.
Parameters:rule_index (int) – The index of the rule from the rule definitions. Assigned automatically when the rule book is built.
add_rules(rule_defs)

Add rules to the rule book.

Parameters:rule_defs (dict) – rule definitions

static get_and_parse_blacklist(url)

Download a blacklist and parse it into IP addresses and netblocks.

Parameters:url (str) – URL to download the blacklist from
Returns:two lists; the first holds IP addresses, the second network blocks
Return type:lists
get_resource_rules()

Get all the resource rules for (resource, RuleAppliesTo.*).

Returns:A list of ResourceRules.
Return type:list

class BlacklistRulesEngine(rules_file_path, snapshot_timestamp=None)

Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRulesEngine

Rules engine for BlacklistRules.

add_rules(rules)

Add rules to the rule book.

Parameters:rules (dicts) – rule definitions

build_rule_book(global_configs=None)

Build a BlacklistRuleBook from the rules definition file.

Parameters:global_configs (dict) – Global Configs

find_violations(instance_network_interface, force_rebuild=False)

Determine whether the network violates rules.

Parameters:instance_network_interface (list) – list of instance_network_interface objects to check
Parameters:force_rebuild (bool) – set to False to not force a rebuild of the rule book
Returns:iterator of all violations
Return type:list
class Rule(rule_blacklist, rule_index, rules)

Bases: object

The rules class for instance_network_interface.

class RuleViolation(resource_type, full_name, resource_name, rule_blacklist, rule_name, rule_index, violation_type, project, network, ip, resource_data)

Bases: tuple

__getnewargs__()

Return self as a plain tuple. Used by copy and pickle.

static __new__(_cls, resource_type, full_name, resource_name, rule_blacklist, rule_name, rule_index, violation_type, project, network, ip, resource_data)

Create new instance of RuleViolation(resource_type, full_name, resource_name, rule_blacklist, rule_name, rule_index, violation_type, project, network, ip, resource_data)

__repr__()

Return a nicely formatted representation string

_asdict()

Return a new OrderedDict which maps field names to their values.

_fields = ('resource_type', 'full_name', 'resource_name', 'rule_blacklist', 'rule_name', 'rule_index', 'violation_type', 'project', 'network', 'ip', 'resource_data')
classmethod _make(iterable, new=tuple.__new__, len=len)

Make a new RuleViolation object from a sequence or iterable

_replace(**kwds)

Return a new RuleViolation object replacing specified fields with new values

Field properties (aliases for the tuple positions): full_name, ip, network, project, resource_data, resource_name, resource_type, rule_blacklist, rule_index, rule_name, violation_type
static address_in_network(ipaddr, net)

Checks if an IP address is in a network.

Parameters:ipaddr (str) – IP address to check
Parameters:net (str) – network to check
Returns:True if ipaddr is in net
Return type:bool
find_violations(instance_network_interface)

Raise a violation if the IP is not in the whitelist.

Parameters:instance_network_interface (InstanceNetworkInterface) – the network interface object to check
Yields:namedtuple – RuleViolation named tuples
is_blacklisted(ipaddr)

Checks if an IP address is in a blacklist.

Parameters:ipaddr (str) – IP address to check
Returns:True if ipaddr is blacklisted
Return type:bool
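The check described by get_and_parse_blacklist, address_in_network, is_blacklisted and Rule.find_violations, as an added illustration that is not Forseti's own code: a constructed blacklist feed is parsed into the two lists (IP addresses, netblocks), and constructed interface records (plain dicts, a simplification of InstanceNetworkInterface) are matched against them; the feed text and interface shape are assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed sample feed (not a real blacklist): one IP or CIDR per line,
# with comment lines, blank lines and a malformed entry, as public feeds have.
SAMPLE_BLACKLIST = """\
# constructed sample feed
198.51.100.7
203.0.113.0/24
 ; another comment style
192.0.2.128/25
not-an-ip
"""

def parse_blacklist(text):
    """Split feed text into (ip_addresses, network_blocks), the two-list
    shape documented for get_and_parse_blacklist."""
    ips, nets = [], []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        try:
            if '/' in line:
                nets.append(str(ipaddress.ip_network(line, strict=False)))
            else:
                ips.append(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # skip malformed entries instead of failing the scan
    return ips, nets

def address_in_network(ipaddr, net):
    """True if ipaddr falls inside the CIDR block net."""
    return ipaddress.ip_address(ipaddr) in ipaddress.ip_network(net, strict=False)

def is_blacklisted(ipaddr, ips, nets):
    """Exact-address hit or containment in any listed netblock."""
    return ipaddr in ips or any(address_in_network(ipaddr, n) for n in nets)

# Assumed, reduced violation record (the real RuleViolation has more fields).
Violation = namedtuple('Violation', ['resource_name', 'rule_name', 'ip'])

def find_violations(interfaces, rule_name, ips, nets):
    """Yield one Violation per interface address that is blacklisted.
    interfaces: constructed dicts {'resource_name': str, 'ips': [str, ...]}."""
    for iface in interfaces:
        for addr in iface['ips']:
            if is_blacklisted(addr, ips, nets):
                yield Violation(iface['resource_name'], rule_name, addr)
```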