google.cloud.forseti.scanner.scanners.iap_scanner module

Scanner for the Identity-Aware Proxy rules engine.

class IapResource(project_full_name, backend_service, alternate_services, direct_access_sources, iap_enabled)

Bases: tuple

__getnewargs__()

Return self as a plain tuple. Used by copy and pickle.

static __new__(_cls, project_full_name, backend_service, alternate_services, direct_access_sources, iap_enabled)

Create new instance of IapResource(project_full_name, backend_service, alternate_services, direct_access_sources, iap_enabled)

__repr__()

Return a nicely formatted representation string

_asdict()

Return a new OrderedDict which maps field names to their values.

_fields = ('project_full_name', 'backend_service', 'alternate_services', 'direct_access_sources', 'iap_enabled')
classmethod _make(iterable, new=tuple.__new__, len=len)

Make a new IapResource object from a sequence or iterable

_replace(**kwds)

Return a new IapResource object replacing specified fields with new values

alternate_services – Alias for field number 2
backend_service – Alias for field number 1
direct_access_sources – Alias for field number 3
iap_enabled – Alias for field number 4
project_full_name – Alias for field number 0

class IapScanner(global_configs, scanner_configs, service_config, model_name, snapshot_timestamp, rules)

Bases: google.cloud.forseti.scanner.scanners.base_scanner.BaseScanner

Pipeline that pulls IAP-related data from the DAO and feeds it to the rules engine.

SCANNER_OUTPUT_CSV_FMT = 'scanner_output_iap.{}.csv'
_find_violations(iap_data)

Find IAP violations.

Parameters: iap_data (iter) – Generator of IAP resources and resource counts per project in the inventory.
Returns: RuleViolation
Return type: list

static _flatten_violations(violations)

Flatten RuleViolations into a dict for each RuleViolation member.

Parameters: violations (list) – The RuleViolations to flatten.
Yields: dict – Iterator of RuleViolations as a dict per member.

_get_backend_services(parent_type_name)

Retrieves backend services.

Parameters: parent_type_name (str) – The parent resource type and name to pull.
Returns: BackendService
Return type: list

_get_firewall_rules(parent_type_name)

Retrieves firewall rules.

Parameters: parent_type_name (str) – The parent resource type and name to pull.
Returns: FirewallRule
Return type: list

_get_instance_group_managers(parent_type_name)

Retrieves instance group managers.

Parameters: parent_type_name (str) – The parent resource type and name to pull.
Returns: InstanceGroupManager
Return type: list

_get_instance_groups(parent_type_name)

Retrieves instance groups.

Parameters: parent_type_name (str) – The parent resource type and name to pull.
Returns: InstanceGroup
Return type: list

_get_instance_templates(parent_type_name)

Retrieves instance templates.

Parameters: parent_type_name (str) – The parent resource type and name to pull.
Returns: InstanceTemplate
Return type: list

_get_instances(parent_type_name)

Retrieves instances.

Parameters: parent_type_name (str) – The parent resource type and name to pull.
Returns: Instance
Return type: list

_output_results(all_violations)

Output results.

Parameters: all_violations (list) – A list of violations.

_retrieve()

Retrieves the data for the scanner.

Yields:
  • list – A list of IAP resources for a project, to pass to the rules engine.
  • dict – A dict of resource counts for the project.

run()

Runs the data collection.

class NetworkPort(network, port)

Bases: tuple

__getnewargs__()

Return self as a plain tuple. Used by copy and pickle.

static __new__(_cls, network, port)

Create new instance of NetworkPort(network, port)

__repr__()

Return a nicely formatted representation string

_asdict()

Return a new OrderedDict which maps field names to their values.

_fields = ('network', 'port')
classmethod _make(iterable, new=tuple.__new__, len=len)

Make a new NetworkPort object from a sequence or iterable

_replace(**kwds)

Return a new NetworkPort object replacing specified fields with new values

network – Alias for field number 0
port – Alias for field number 1

class _RunData(backend_services, firewall_rules, instances, instance_groups, instance_group_managers, instance_templates)

Bases: object

Information needed to compute IAP properties.

static convert_dict_key_to_str(instance_dict, target_key)

Return a value from a dict with str keys, looking up the str form of the given key.

Parameters:
  • instance_dict (dict) – dict to convert
  • target_key (object) – object key
Returns: the value returned from the dict using the str key
Return type: value

find_instance_by_url(instance_url)

Find an instance for the given URL.

Parameters: instance_url (str) – instance URL
Returns: instance
Return type: Instance

find_instance_group_by_url(instance_group_url)

Find an instance group for the given URL.

Parameters: instance_group_url (str) – instance group URL
Returns: instance group
Return type: InstanceGroup

firewall_allowed_sources(network_port, tag)

Which sources (networks, tags) can connect to the given destination?

Parameters:
  • network_port (NetworkPort) – connection destination
  • tag (str) – instance tag for the destination instance
Returns: allowed source networks and tags
Return type: set


static instance_group_network_port(backend_service, instance_group)

Which network and port is used for a service’s backends?

A backend service can communicate with its backends on a different network and port number for each of the service’s backend instance groups.

Parameters:
Returns: how the service communicates with backends
Return type: NetworkPort


is_alternate_service(backend_service, backend_service2)

Do two backend services expose any of the same (instance, port)?

Parameters:
Returns: whether the two services share any (instance, port)
Return type: bool


make_iap_resource(backend_service, project_full_name)

Get an IapResource for a service.

Parameters:
  • backend_service (BackendService) – service to create a resource for
  • project_full_name (str) – The full path to the parent project including all ancestors.
Returns: the corresponding resource
Return type: IapResource


tags_for_instance_group(instance_group)

Which instance tags are used for an instance group?

Includes tags used by instances in the group and, for managed groups, tags in the group’s template.

Parameters: instance_group (InstanceGroup) – the group to query tags for
Returns: tags
Return type: set
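As an added example (not Forseti's own code), a simplified, self-contained model of how the _RunData helpers above compose an IapResource for one backend service: the inventory shapes, the sample services, instances, firewall rules and the project_full_name value are all constructed for illustration and are far simpler than Forseti's real resource types.

```python
# Added example, not Forseti's own code: a simplified model of how the _RunData
# helpers on this page compose an IapResource. All inventory data is constructed.
from collections import namedtuple

IapResource = namedtuple("IapResource", "project_full_name backend_service alternate_services direct_access_sources iap_enabled")
NetworkPort = namedtuple("NetworkPort", "network port")

INSTANCES = {"vm-1": {"tags": {"web"}}, "vm-2": {"tags": set()}}
INSTANCE_GROUPS = {"ig-web": {"network": "net-prod", "instances": ["vm-1", "vm-2"], "template_tags": {"fleet"}}}
BACKEND_SERVICES = {  # two services reach the same group on the same port, a third on another port
    "svc-iap": {"iap_enabled": True, "port": 8080, "backends": ["ig-web"]},
    "svc-open": {"iap_enabled": False, "port": 8080, "backends": ["ig-web"]},
    "svc-other": {"iap_enabled": False, "port": 9090, "backends": ["ig-web"]},
}
FIREWALL_RULES = [  # ingress allow rules; empty target_tags means the rule applies to every instance
    {"network": "net-prod", "sources": {"10.0.0.0/8"}, "ports": {8080}, "target_tags": set()},
    {"network": "net-prod", "sources": {"0.0.0.0/0"}, "ports": {8080}, "target_tags": {"web"}},
    {"network": "net-prod", "sources": {"172.16.0.0/12"}, "ports": {8080}, "target_tags": {"db"}},
]

def tags_for_instance_group(group_name):
    """Tags on the group's instances plus, for managed groups, tags from its template."""
    group = INSTANCE_GROUPS[group_name]
    return set().union(*(INSTANCES[i]["tags"] for i in group["instances"]), group.get("template_tags", ()))
def instance_group_network_port(service_name, group_name):
    """Network and port the service uses to reach the given backend group."""
    return NetworkPort(INSTANCE_GROUPS[group_name]["network"], BACKEND_SERVICES[service_name]["port"])
def is_alternate_service(service_a, service_b):
    """Do two distinct services expose any of the same (instance, port)?"""
    def endpoints(name):
        svc = BACKEND_SERVICES[name]
        return {(i, svc["port"]) for g in svc["backends"] for i in INSTANCE_GROUPS[g]["instances"]}
    return service_a != service_b and bool(endpoints(service_a) & endpoints(service_b))
def firewall_allowed_sources(network_port, tags):
    """Sources that firewall rules let reach network_port on instances carrying tags."""
    allowed = set()
    for rule in FIREWALL_RULES:
        if (rule["network"] == network_port.network and network_port.port in rule["ports"]
                and (not rule["target_tags"] or rule["target_tags"] & tags)):
            allowed |= rule["sources"]
    return allowed
def make_iap_resource(service_name, project_full_name="organization/EXAMPLE/project/EXAMPLE/"):
    """Build the IapResource the rules engine evaluates; project_full_name is a placeholder."""
    svc = BACKEND_SERVICES[service_name]
    alternates = {s for s in BACKEND_SERVICES if is_alternate_service(service_name, s)}
    direct = set().union(*(firewall_allowed_sources(instance_group_network_port(service_name, g),
                                                    tags_for_instance_group(g)) for g in svc["backends"]))
    return IapResource(project_full_name, service_name, alternates, direct, svc["iap_enabled"])
```

For "svc-iap" the resource carries alternate_services {"svc-open"} and direct_access_sources {"10.0.0.0/8", "0.0.0.0/0"}: the paths by which its backends can be reached without passing through IAP, which is the information the rules engine is given to evaluate.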