Rules engine for checking crypto key configuration.

class KMSRuleBook(rule_defs=None)
    Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRuleBook
    The RuleBook for crypto key rules.

    __eq__(other)
        Equals.
        Parameters: other (object) – Object to compare.
        Returns: True or False.
        Return type: bool

    __ne__(other)
        Not Equals.
        Parameters: other (object) – Object to compare.
        Returns: True or False.
        Return type: bool
    add_rule(rule_def, rule_index)
        Add a rule to the rule book.
        Parameters: rule_def, rule_index

    add_rules(rule_defs)
        Add rules to the rule book.
        Parameters: rule_defs (dict) – rule definitions dictionary

    find_violations(key)
        Find crypto key violations in the rule book.
        Parameters: key (CryptoKey) – The GCP resource to check for violations.
        Returns: resource crypto key rule violations.
        Return type: RuleViolation

    get_resource_rules(resource)
        Get all the resource rules for a resource.
        Parameters: resource (Resource) – The gcp_type Resource to find in the map.
        Returns: A ResourceRules object.
        Return type: ResourceRules

    supported_resource_types = frozenset({'organization'})

class KMSRulesEngine(rules_file_path, snapshot_timestamp=None)
    Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRulesEngine
    Rules engine for the KMS scanner.

    add_rules(rules)
        Add rules to the rule book.
        Parameters: rules (list) – The list of rules to add to the book.

    build_rule_book(global_configs=None)
        Build a KMSRuleBook from the rules definition file.
        Parameters: global_configs (dict) – Global configurations.

    find_violations(key, force_rebuild=False)
        Determine whether the crypto key configuration violates rules.
        Parameters: key, force_rebuild
        Returns: A generator of rule violations.
        Return type: generator
class ResourceRules(resource=None, rules=None)
    Bases: object
    An association of a resource to rules.

    __eq__(other)
        Compare == with another object.
        Parameters: other (ResourceRules) – object to compare with
        Returns: comparison result
        Return type: int

class Rule(rule_name, rule_index, rule)
    Bases: object
    Rule properties from the rule definition file; also finds violations.

    __eq__(other)
        Test whether this Rule equals another Rule.
        Parameters: other (Rule) – object to compare to
        Returns: comparison result
        Return type: int

    __hash__()
        Make a hash of the rule index.
        Returns: The hash of the rule index.
        Return type: int

    __ne__(other)
        Test whether this Rule is not equal to another Rule.
        Parameters: other (object) – object to compare to
        Returns: comparison result
        Return type: int

    find_match_algorithms(key, rule_algorithms)
        Check if there is a match for this rule's algorithms against the given resource.
        Parameters: key, rule_algorithms
        Returns: True if a match is found.
        Return type: bool

    find_match_protection_level(key, rule_protection_level)
        Check if there is a match for this rule's protection level against the given resource.
        Parameters: key, rule_protection_level
        Returns: True if a match is found.
        Return type: bool

    find_match_purpose(key, rule_purpose)
        Check if there is a match for this rule's purpose against the given resource.
        Parameters: key, rule_purpose
        Returns: True if a match is found.
        Return type: bool

    find_match_rotation_period(key, rotation_period, mode)
        Check if there is a match for this rule's rotation period against the given resource.
        If the mode is whitelist and the number of days since the key was last rotated is less than or equal to the specified rotation period, there is no violation.
        If the mode is blacklist and the number of days since the key was last rotated is greater than the specified rotation period, there is a violation.
        Parameters: key, rotation_period, mode
        Returns: True if a match is found.
        Return type: bool
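The whitelist/blacklist rotation-period check described above, as an added illustration that is not Forseti's own code: the CryptoKey stand-in, the RFC 3339 timestamp format, and taking the primary version's create time as the last rotation time are assumptions of this example. Whitelist mode matches a key rotated within the period (so a non-match is the violation); blacklist mode matches a key whose last rotation is older than the period (so the match is the violation).

```python
from collections import namedtuple
from datetime import datetime, timezone

# Constructed stand-in for the CryptoKey resource the rule book inspects
# (not Forseti's class). The primary version's create time is used as the
# last rotation time, which is an assumption of this example.
CryptoKey = namedtuple("CryptoKey", "name primary_version_create_time")


def parse_rfc3339(ts):
    """Parse a UTC, 'Z'-suffixed timestamp such as 2019-05-01T00:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def days_since_rotation(key, now):
    """Whole days elapsed between the primary version's creation and the scan time."""
    return (now - parse_rfc3339(key.primary_version_create_time)).days


def find_match_rotation_period(key, rotation_period, mode, now):
    """Return True if the key matches the rule's rotation_period under the given mode.

    whitelist: match when days since rotation <= rotation_period (no violation).
    blacklist: match when days since rotation  > rotation_period (violation).
    """
    days = days_since_rotation(key, now)
    if mode == "whitelist":
        return days <= rotation_period
    if mode == "blacklist":
        return days > rotation_period
    raise ValueError("unknown mode: %r" % mode)


def violates_rotation_rule(key, rotation_period, mode, now):
    """A whitelist rule is violated when the key does not match it; a blacklist rule when it does."""
    match = find_match_rotation_period(key, rotation_period, mode, now)
    return match if mode == "blacklist" else not match


# Constructed sample keys, evaluated at a fixed scan time so results are reproducible.
SCAN_TIME = parse_rfc3339("2019-06-01T00:00:00Z")
FRESH_KEY = CryptoKey("projects/p/locations/global/keyRings/r/cryptoKeys/fresh", "2019-05-01T00:00:00Z")
STALE_KEY = CryptoKey("projects/p/locations/global/keyRings/r/cryptoKeys/stale", "2018-12-01T00:00:00Z")

if __name__ == "__main__":
    for key in (FRESH_KEY, STALE_KEY):
        print(key.name, "days since rotation:", days_since_rotation(key, SCAN_TIME),
              "whitelist(90) violation:", violates_rotation_rule(key, 90, "whitelist", SCAN_TIME),
              "blacklist(90) violation:", violates_rotation_rule(key, 90, "blacklist", SCAN_TIME))
```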
class RuleViolation(resource_id, resource_type, resource_name, full_name, rule_index, rule_name, violation_type, state, primary_version, next_rotation_time, rotation_period, key_creation_time, algorithm, protection_level, purpose, resource_data)
    Bases: tuple

    __getnewargs__()
        Return self as a plain tuple. Used by copy and pickle.

    __new__(_cls, resource_id, resource_type, resource_name, full_name, rule_index, rule_name, violation_type, state, primary_version, next_rotation_time, rotation_period, key_creation_time, algorithm, protection_level, purpose, resource_data)
        Create a new instance of RuleViolation(resource_id, resource_type, resource_name, full_name, rule_index, rule_name, violation_type, state, primary_version, next_rotation_time, rotation_period, key_creation_time, algorithm, protection_level, purpose, resource_data).

    __repr__()
        Return a nicely formatted representation string.

    _asdict()
        Return a new OrderedDict which maps field names to their values.

    _fields = ('resource_id', 'resource_type', 'resource_name', 'full_name', 'rule_index', 'rule_name', 'violation_type', 'state', 'primary_version', 'next_rotation_time', 'rotation_period', 'key_creation_time', 'algorithm', 'protection_level', 'purpose', 'resource_data')

    _make(iterable, new=<built-in method __new__ of type object>, len=<built-in function len>)
        Make a new RuleViolation object from a sequence or iterable.

    _replace(**kwds)
        Return a new RuleViolation object replacing specified fields with new values.
    Field aliases (one read-only property per tuple field): algorithm, full_name, key_creation_time, next_rotation_time, primary_version, protection_level, purpose, resource_data, resource_id, resource_name, resource_type, rotation_period, rule_index, rule_name, state, violation_type