google.cloud.forseti.scanner.audit.groups_settings_rules_engine module

Rules engine for checking gsuite groups settings configuration.

class GroupsSettingsRuleBook(rule_defs=None)

Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRuleBook

The RuleBook for GroupsSettings rules.

__eq__(other)

Equals.

Parameters: other (object) – Object to compare.
Returns: True or False.
Return type: bool

__ne__(other)

Not Equals.

Parameters: other (object) – Object to compare.
Returns: True or False.
Return type: bool

__repr__()

Object representation.

Returns: The object representation.
Return type: str
add_rule(rule_def, rule_index)

Add a rule to the rule book.

Parameters:
  • rule_def (dict) – A dictionary containing rule definition properties.
  • rule_index (int) – The index of the rule from the rule definitions. Assigned automatically when the rule book is built.

add_rules(rule_defs)

Add rules to the rule book.

Parameters: rule_defs (dict) – Rule definitions dictionary.

find_violations(settings, iam_only)

Find groups settings violations in the rule book.

Parameters:
  • settings (GroupsSettings) – The GCP resource to check for violations.
  • iam_only (bool) – Selects which rule set of the matching ResourceRules is evaluated: iam_only_rules when True, not_iam_only_rules otherwise.
Returns: Resource groups settings rule violations.
Return type: RuleViolation

get_resource_rules(_resource)

Get all the resource rules for a resource.

Parameters: _resource (Resource) – The gcp_type Resource to find in the map.
Returns: A ResourceRules object.
Return type: ResourceRules

supported_settings = frozenset({'allowExternalMembers', 'whoCanJoin', 'whoCanInvite', 'whoCanViewGroup', 'whoCanViewMembership', 'whoCanLeaveGroup', 'whoCanAdd'})
class GroupsSettingsRulesEngine(rules_file_path, snapshot_timestamp=None)

Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRulesEngine

Rules engine for the Groups Settings scanner.

add_rules(rules)

Add rules to the rule book.

Parameters: rules (list) – The list of rules to add to the book.

build_rule_book(global_configs=None)

Build the GroupsSettingsRuleBook from the rules definition file.

Parameters: global_configs (dict) – Global configurations.

find_violations(settings, iam_only, force_rebuild=False)

Determine whether the Groups Settings violate the rules.

Parameters:
  • settings (GroupsSettings) – A GroupsSettings resource to check.
  • iam_only (bool) – Selects which rule set of the matching ResourceRules is evaluated: iam_only_rules when True, not_iam_only_rules otherwise.
  • force_rebuild (bool) – If True, rebuilds the rule book. This reloads the rules definition file and adds the rules to the book.
Returns: A generator of rule violations.
Return type: generator

class ResourceRules(_resource=None, iam_only_rules=None, not_iam_only_rules=None)

Bases: object

An association of a resource to rules.

__eq__(other)

Compare == with another object.

Parameters: other (ResourceRules) – Object to compare with.
Returns: Comparison result.
Return type: int

__ne__(other)

Compare != with another object.

Parameters: other (object) – Object to compare with.
Returns: Comparison result.
Return type: int

__repr__()

String representation of this node.

Returns: Debug string.
Return type: str

find_violations(settings, iam_only)

Determine whether the groups settings match the criteria of this resource's rules.

Parameters:
  • settings (GroupsSettings) – Groups settings resource.
  • iam_only (bool) – Selects which rule set is evaluated: iam_only_rules when True, not_iam_only_rules otherwise.
Returns: The RuleViolation entries found.
Return type: list

class Rule(rule_name, rule_index, rule)

Bases: object

Rule properties from the rule definition file; also finds violations.

__eq__(other)

Test whether this Rule equals another Rule.

Parameters: other (Rule) – Object to compare to.
Returns: Comparison result.
Return type: int

__hash__()

Make a hash of the rule index.

Returns: The hash of the rule index.
Return type: int

__ne__(other)

Test whether this Rule is not equal to another Rule.

Parameters: other (object) – Object to compare to.
Returns: Comparison result.
Return type: int

find_blacklist_violation(settings)

Find violations when the rule's mode is blacklist.

Parameters: settings (GroupsSettings) – Groups Settings.
Returns: A statement of what the broken rule required, or an empty string if the rule is not violated.
Return type: str

find_violations(settings)

Find GroupsSettings violations.

Parameters: settings (GroupsSettings) – The resource to check for violations.
Returns: A list of RuleViolation named tuples.
Return type: list

find_whitelist_violation(settings)

Find violations when the rule's mode is whitelist.

Parameters: settings (GroupsSettings) – Groups settings.
Returns: A statement of what the broken rule required, or an empty string if the rule is not violated.
Return type: str

rule_requirements()

Used to create the violation reason.

Returns: The setting/value couples specified in the rule, joined by AND.
Return type: str
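How the whitelist and blacklist checks of Rule and its AND-joined requirement statement fit together, as an added stand-alone illustration that is not Forseti's own code. The rule dict keys (name, mode, settings), the whitelist/blacklist semantics and the GroupsSettings stand-in are assumptions, and the group values are constructed.

```python
from collections import namedtuple

# Constructed: the same setting names as supported_settings on this page.
SUPPORTED_SETTINGS = frozenset({
    'allowExternalMembers', 'whoCanJoin', 'whoCanInvite', 'whoCanViewGroup',
    'whoCanViewMembership', 'whoCanLeaveGroup', 'whoCanAdd'})

# Assumed stand-in for the GroupsSettings resource: one attribute per setting.
GroupsSettings = namedtuple('GroupsSettings', ['email'] + sorted(SUPPORTED_SETTINGS))


def rule_requirements(rule_settings):
    """Setting/value couples of the rule joined by AND (the violation reason)."""
    return ' AND '.join('%s = %s' % kv for kv in sorted(rule_settings.items()))


def find_whitelist_violation(rule_settings, settings):
    # Whitelist (assumed semantics): every listed setting must hold the listed value.
    for name, required in rule_settings.items():
        if getattr(settings, name) != required:
            return rule_requirements(rule_settings)
    return ''  # rule satisfied


def find_blacklist_violation(rule_settings, settings):
    # Blacklist (assumed semantics): the listed combination is forbidden, so it is
    # violated only when every listed setting matches.
    if all(getattr(settings, n) == v for n, v in rule_settings.items()):
        return 'NOT (%s)' % rule_requirements(rule_settings)
    return ''


def find_violations(rule, settings):
    """Evaluate one rule dict (assumed keys: name, mode, settings); returns
    [(rule_name, group_email, reason)] or [] when nothing is violated."""
    unknown = set(rule['settings']) - SUPPORTED_SETTINGS
    if unknown:  # refuse rules naming settings the engine cannot compare
        raise ValueError('unsupported settings: %s' % sorted(unknown))
    check = {'whitelist': find_whitelist_violation,
             'blacklist': find_blacklist_violation}[rule['mode']]
    reason = check(rule['settings'], settings)
    return [(rule['name'], settings.email, reason)] if reason else []


# Constructed sample: a world-joinable group that also admits external members.
PUBLIC_GROUP = GroupsSettings(
    email='all-hands@example.com', allowExternalMembers='true',
    whoCanJoin='ANYONE_CAN_JOIN', whoCanAdd='ALL_MEMBERS_CAN_ADD',
    whoCanInvite='ALL_MEMBERS_CAN_INVITE', whoCanViewGroup='ANYONE_CAN_VIEW',
    whoCanViewMembership='ALL_MANAGERS_CAN_VIEW', whoCanLeaveGroup='ALL_MEMBERS_CAN_LEAVE')
```

A whitelist rule fires on any mismatch, while a blacklist rule fires only when the whole forbidden combination is present, which is why a single corrected setting clears the blacklist but not necessarily the whitelist.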
class RuleViolation(group_email, resource_type, rule_index, rule_name, violation_type, violation_reason, whoCanAdd, whoCanJoin, whoCanViewMembership, whoCanViewGroup, whoCanInvite, allowExternalMembers, whoCanLeaveGroup)

Bases: tuple

__getnewargs__()

Return self as a plain tuple. Used by copy and pickle.

static __new__(_cls, group_email, resource_type, rule_index, rule_name, violation_type, violation_reason, whoCanAdd, whoCanJoin, whoCanViewMembership, whoCanViewGroup, whoCanInvite, allowExternalMembers, whoCanLeaveGroup)

Create new instance of RuleViolation(group_email, resource_type, rule_index, rule_name, violation_type, violation_reason, whoCanAdd, whoCanJoin, whoCanViewMembership, whoCanViewGroup, whoCanInvite, allowExternalMembers, whoCanLeaveGroup)

__repr__()

Return a nicely formatted representation string

_asdict()

Return a new OrderedDict which maps field names to their values.

_fields = ('group_email', 'resource_type', 'rule_index', 'rule_name', 'violation_type', 'violation_reason', 'whoCanAdd', 'whoCanJoin', 'whoCanViewMembership', 'whoCanViewGroup', 'whoCanInvite', 'allowExternalMembers', 'whoCanLeaveGroup')
classmethod _make(iterable, new=tuple.__new__, len=len)

Make a new RuleViolation object from a sequence or iterable.

_replace(**kwds)

Return a new RuleViolation object replacing specified fields with new values.

Field properties, one per entry of _fields (each an alias for its field number): allowExternalMembers, group_email, resource_type, rule_index, rule_name, violation_reason, violation_type, whoCanAdd, whoCanInvite, whoCanJoin, whoCanLeaveGroup, whoCanViewGroup, whoCanViewMembership.