Scanner for the Identity-Aware Proxy rules engine.
IapResource(project_full_name, backend_service, alternate_services, direct_access_sources, iap_enabled)¶Bases: tuple
__getnewargs__()¶Return self as a plain tuple. Used by copy and pickle.
__new__(_cls, project_full_name, backend_service, alternate_services, direct_access_sources, iap_enabled)¶Create new instance of IapResource(project_full_name, backend_service, alternate_services, direct_access_sources, iap_enabled)
__repr__()¶Return a nicely formatted representation string
_asdict()¶Return a new OrderedDict which maps field names to their values.
_fields = ('project_full_name', 'backend_service', 'alternate_services', 'direct_access_sources', 'iap_enabled')¶_make(iterable, new=<built-in method __new__ of type object>, len=<built-in function len>)¶Make a new IapResource object from a sequence or iterable
_replace(**kwds)¶Return a new IapResource object replacing specified fields with new values
_source = "from builtins import property as _property, tuple as _tuple\nfrom operator import itemgetter as _itemgetter\nfrom collections import OrderedDict\n\nclass IapResource(tuple):\n 'IapResource(project_full_name, backend_service, alternate_services, direct_access_sources, iap_enabled)'\n\n __slots__ = ()\n\n _fields = ('project_full_name', 'backend_service', 'alternate_services', 'direct_access_sources', 'iap_enabled')\n\n def __new__(_cls, project_full_name, backend_service, alternate_services, direct_access_sources, iap_enabled):\n 'Create new instance of IapResource(project_full_name, backend_service, alternate_services, direct_access_sources, iap_enabled)'\n return _tuple.__new__(_cls, (project_full_name, backend_service, alternate_services, direct_access_sources, iap_enabled))\n\n @classmethod\n def _make(cls, iterable, new=tuple.__new__, len=len):\n 'Make a new IapResource object from a sequence or iterable'\n result = new(cls, iterable)\n if len(result) != 5:\n raise TypeError('Expected 5 arguments, got %d' % len(result))\n return result\n\n def _replace(_self, **kwds):\n 'Return a new IapResource object replacing specified fields with new values'\n result = _self._make(map(kwds.pop, ('project_full_name', 'backend_service', 'alternate_services', 'direct_access_sources', 'iap_enabled'), _self))\n if kwds:\n raise ValueError('Got unexpected field names: %r' % list(kwds))\n return result\n\n def __repr__(self):\n 'Return a nicely formatted representation string'\n return self.__class__.__name__ + '(project_full_name=%r, backend_service=%r, alternate_services=%r, direct_access_sources=%r, iap_enabled=%r)' % self\n\n def _asdict(self):\n 'Return a new OrderedDict which maps field names to their values.'\n return OrderedDict(zip(self._fields, self))\n\n def __getnewargs__(self):\n 'Return self as a plain tuple. Used by copy and pickle.'\n return tuple(self)\n\n project_full_name = _property(_itemgetter(0), doc='Alias for field number 0')\n\n backend_service = _property(_itemgetter(1), doc='Alias for field number 1')\n\n alternate_services = _property(_itemgetter(2), doc='Alias for field number 2')\n\n direct_access_sources = _property(_itemgetter(3), doc='Alias for field number 3')\n\n iap_enabled = _property(_itemgetter(4), doc='Alias for field number 4')\n\n"¶alternate_services¶backend_service¶direct_access_sources¶iap_enabled¶project_full_name¶IapScanner(global_configs, scanner_configs, service_config, model_name, snapshot_timestamp, rules)[source]¶Bases: google.cloud.forseti.scanner.scanners.base_scanner.BaseScanner
Pipeline to IAP-related data from DAO.
SCANNER_OUTPUT_CSV_FMT = 'scanner_output_iap.{}.csv'¶_abc_cache = <_weakrefset.WeakSet object>¶_abc_negative_cache = <_weakrefset.WeakSet object>¶_abc_negative_cache_version = 214¶_abc_registry = <_weakrefset.WeakSet object>¶_find_violations(iap_data)[source]¶Find IAP violations.
| Parameters: | iap_data (iter) – Generator of IAP resources and resource counts per project in the inventory. |
|---|---|
| Returns: | RuleViolation |
| Return type: | list |
_flatten_violations(violations)[source]¶Flatten RuleViolations into a dict for each RuleViolation member.
| Parameters: | violations (list) – The RuleViolations to flatten. |
|---|---|
| Yields: | dict – Iterator of RuleViolations as a dict per member. |
_get_backend_services(parent_type_name)[source]¶Retrieves backend services.
| Parameters: | parent_type_name (str) – The parent resource type and name to pull. |
|---|---|
| Returns: | BackendService |
| Return type: | list |
_get_firewall_rules(parent_type_name)[source]¶Retrieves firewall rules.
| Parameters: | parent_type_name (str) – The parent resource type and name to pull. |
|---|---|
| Returns: | FirewallRule |
| Return type: | list |
_get_instance_group_managers(parent_type_name)[source]¶Retrieves instance group managers.
| Parameters: | parent_type_name (str) – The parent resource type and name to pull. |
|---|---|
| Returns: | InstanceGroupManager |
| Return type: | list |
_get_instance_groups(parent_type_name)[source]¶Retrieves instance groups.
| Parameters: | parent_type_name (str) – The parent resource type and name to pull. |
|---|---|
| Returns: | InstanceGroup |
| Return type: | list |
_get_instance_templates(parent_type_name)[source]¶Retrieves instance templates.
| Parameters: | parent_type_name (str) – The parent resource type and name to pull. |
|---|---|
| Returns: | InstanceTemplate |
| Return type: | list |
_get_instances(parent_type_name)[source]¶Retrieves instances.
| Parameters: | parent_type_name (str) – The parent resource type and name to pull. |
|---|---|
| Returns: | Instance |
| Return type: | list |
_output_results(all_violations)[source]¶Output results.
| Parameters: | all_violations (list) – A list of violations. |
|---|
NetworkPort(network, port)¶Bases: tuple
__getnewargs__()¶Return self as a plain tuple. Used by copy and pickle.
__new__(_cls, network, port)¶Create new instance of NetworkPort(network, port)
__repr__()¶Return a nicely formatted representation string
_asdict()¶Return a new OrderedDict which maps field names to their values.
_fields = ('network', 'port')¶_make(iterable, new=<built-in method __new__ of type object>, len=<built-in function len>)¶Make a new NetworkPort object from a sequence or iterable
_replace(**kwds)¶Return a new NetworkPort object replacing specified fields with new values
_source = "from builtins import property as _property, tuple as _tuple\nfrom operator import itemgetter as _itemgetter\nfrom collections import OrderedDict\n\nclass NetworkPort(tuple):\n 'NetworkPort(network, port)'\n\n __slots__ = ()\n\n _fields = ('network', 'port')\n\n def __new__(_cls, network, port):\n 'Create new instance of NetworkPort(network, port)'\n return _tuple.__new__(_cls, (network, port))\n\n @classmethod\n def _make(cls, iterable, new=tuple.__new__, len=len):\n 'Make a new NetworkPort object from a sequence or iterable'\n result = new(cls, iterable)\n if len(result) != 2:\n raise TypeError('Expected 2 arguments, got %d' % len(result))\n return result\n\n def _replace(_self, **kwds):\n 'Return a new NetworkPort object replacing specified fields with new values'\n result = _self._make(map(kwds.pop, ('network', 'port'), _self))\n if kwds:\n raise ValueError('Got unexpected field names: %r' % list(kwds))\n return result\n\n def __repr__(self):\n 'Return a nicely formatted representation string'\n return self.__class__.__name__ + '(network=%r, port=%r)' % self\n\n def _asdict(self):\n 'Return a new OrderedDict which maps field names to their values.'\n return OrderedDict(zip(self._fields, self))\n\n def __getnewargs__(self):\n 'Return self as a plain tuple. Used by copy and pickle.'\n return tuple(self)\n\n network = _property(_itemgetter(0), doc='Alias for field number 0')\n\n port = _property(_itemgetter(1), doc='Alias for field number 1')\n\n"¶network¶port¶_RunData(backend_services, firewall_rules, instances, instance_groups, instance_group_managers, instance_templates)[source]¶Bases: object
Information needed to compute IAP properties.
convert_dict_key_to_str(instance_dict, target_key)[source]¶Return a value from a dict with str keys.
| Parameters: |
|
|---|---|
| Returns: | value return from dict using str key |
| Return type: | value |
find_instance_by_url(instance_url)[source]¶Find an instance for the given URL.
| Parameters: | instance_url (str) – instance URL |
|---|---|
| Returns: | instance |
| Return type: | Instance |
find_instance_group_by_url(instance_group_url)[source]¶Find an instance group for the given URL.
| Parameters: | instance_group_url (str) – instance group URL |
|---|---|
| Returns: | instance group |
| Return type: | InstanceGroup |
firewall_allowed_sources(network_port, tag)[source]¶Which source (networks, tags) can connect to the given destination?
| Parameters: |
|
|---|---|
| Returns: | allowed source networks and tags |
| Return type: | set |
instance_group_network_port(backend_service, instance_group)[source]¶Which network and port is used for a service’s backends?
A backend service can communicate with its backends on a different network and port number for each of the service’s backend instance groups.
| Parameters: |
|
|---|---|
| Returns: | how the service communicates with backends |
| Return type: |
is_alternate_service(backend_service, backend_service2)[source]¶Do two backend services expose any of the same (instance, port) ?
| Parameters: |
|
|---|---|
| Returns: | whether the two services share any (instance, port) |
| Return type: | bool |
make_iap_resource(backend_service, project_full_name)[source]¶Get an IapResource for a service.
| Parameters: |
|
|---|---|
| Returns: | the corresponding resource |
| Return type: |
Which instance tags are used for an instance group?
Includes tags used by instances in the group and, for managed groups, tags in the group’s template.
| Parameters: | instance_group (InstanceGroup) – the group to query tags for |
|---|---|
| Returns: | tags |
| Return type: | set |