Scanner for the Identity-Aware Proxy rules engine.
IapResource(project_full_name, backend_service, alternate_services, direct_access_sources, iap_enabled)
Bases: tuple
__getnewargs__()
Return self as a plain tuple. Used by copy and pickle.
__new__(_cls, project_full_name, backend_service, alternate_services, direct_access_sources, iap_enabled)
Create new instance of IapResource(project_full_name, backend_service, alternate_services, direct_access_sources, iap_enabled)
__repr__()
Return a nicely formatted representation string
_asdict()
Return a new OrderedDict which maps field names to their values.
_fields = ('project_full_name', 'backend_service', 'alternate_services', 'direct_access_sources', 'iap_enabled')
_make(iterable, new=tuple.__new__, len=len)
Make a new IapResource object from a sequence or iterable
_replace(**kwds)
Return a new IapResource object replacing specified fields with new values
alternate_services
Alias for field number 2
backend_service
Alias for field number 1
direct_access_sources
Alias for field number 3
iap_enabled
Alias for field number 4
project_full_name
Alias for field number 0
IapScanner(global_configs, scanner_configs, service_config, model_name, snapshot_timestamp, rules)
Bases: google.cloud.forseti.scanner.scanners.base_scanner.BaseScanner
Pipeline that scans IAP-related data pulled from the DAO.
SCANNER_OUTPUT_CSV_FMT = 'scanner_output_iap.{}.csv'
_find_violations(iap_data)
Find IAP violations.
Parameters: iap_data (iter) – Generator of IAP resources and resource counts per project in the inventory.
Returns: RuleViolation
Return type: list
_flatten_violations(violations)
Flatten RuleViolations into a dict for each RuleViolation member.
Parameters: violations (list) – The RuleViolations to flatten.
Yields: dict – Iterator of RuleViolations as a dict per member.
_get_backend_services(parent_type_name)
Retrieves backend services.
Parameters: parent_type_name (str) – The parent resource type and name to pull.
Returns: BackendService
Return type: list
_get_firewall_rules(parent_type_name)
Retrieves firewall rules.
Parameters: parent_type_name (str) – The parent resource type and name to pull.
Returns: FirewallRule
Return type: list
_get_instance_group_managers(parent_type_name)
Retrieves instance group managers.
Parameters: parent_type_name (str) – The parent resource type and name to pull.
Returns: InstanceGroupManager
Return type: list
_get_instance_groups(parent_type_name)
Retrieves instance groups.
Parameters: parent_type_name (str) – The parent resource type and name to pull.
Returns: InstanceGroup
Return type: list
_get_instance_templates(parent_type_name)
Retrieves instance templates.
Parameters: parent_type_name (str) – The parent resource type and name to pull.
Returns: InstanceTemplate
Return type: list
_get_instances(parent_type_name)
Retrieves instances.
Parameters: parent_type_name (str) – The parent resource type and name to pull.
Returns: Instance
Return type: list
_output_results(all_violations)
Output results.
Parameters: all_violations (list) – A list of violations.
NetworkPort(network, port)
Bases: tuple
__getnewargs__()
Return self as a plain tuple. Used by copy and pickle.
__new__(_cls, network, port)
Create new instance of NetworkPort(network, port)
__repr__()
Return a nicely formatted representation string
_asdict()
Return a new OrderedDict which maps field names to their values.
_fields = ('network', 'port')
_make(iterable, new=tuple.__new__, len=len)
Make a new NetworkPort object from a sequence or iterable
_replace(**kwds)
Return a new NetworkPort object replacing specified fields with new values
network
Alias for field number 0
port
Alias for field number 1
_RunData(backend_services, firewall_rules, instances, instance_groups, instance_group_managers, instance_templates)
Bases: object
Information needed to compute IAP properties.
convert_dict_key_to_str(instance_dict, target_key)
Return a value from a dict with str keys.
Parameters:
Returns: the value returned from the dict using the str key
Return type: value
find_instance_by_url(instance_url)
Find an instance for the given URL.
Parameters: instance_url (str) – instance URL
Returns: instance
Return type: Instance
find_instance_group_by_url(instance_group_url)
Find an instance group for the given URL.
Parameters: instance_group_url (str) – instance group URL
Returns: instance group
Return type: InstanceGroup
firewall_allowed_sources(network_port, tag)
Which sources (networks, tags) can connect to the given destination?
Parameters:
Returns: allowed source networks and tags
Return type: set
instance_group_network_port(backend_service, instance_group)
Which network and port is used for a service’s backends?
A backend service can communicate with its backends on a different network and port number for each of the service’s backend instance groups.
Parameters:
Returns: how the service communicates with backends
Return type:
is_alternate_service(backend_service, backend_service2)
Do two backend services expose any of the same (instance, port)?
Parameters:
Returns: whether the two services share any (instance, port)
Return type: bool
make_iap_resource(backend_service, project_full_name)
Get an IapResource for a service.
Parameters:
Returns: the corresponding resource
Return type: IapResource
Which instance tags are used for an instance group?
Includes tags used by instances in the group and, for managed groups, tags in the group’s template.
Parameters: instance_group (InstanceGroup) – the group to query tags for
Returns: tags
Return type: set
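The _RunData helpers above (instance_group_network_port, is_alternate_service, firewall_allowed_sources, make_iap_resource and the instance-group tag lookup) are documented here only by their signatures and one-line docstrings. The following is an added example, not Forseti's own code, that works those same questions over a constructed inventory: which network and port a service reaches each backend group on, whether two services share an (instance, port), which firewall source ranges can reach that port on instances carrying the group's tags, what the resulting IapResource record looks like, and how a toy rule would turn such records into findings. Every identifier in it (the instance, group and service names, the firewall rules, the PROXY_RANGES placeholder built from an RFC 5737 test address, and the find_violations rule) is an assumption of the example; the real scanner's rules engine, its source-tag handling and its notion of direct access are not shown on this page.

```python
from collections import namedtuple

# The two record types this page documents, rebuilt for the example.
IapResource = namedtuple("IapResource", ["project_full_name", "backend_service",
                                         "alternate_services", "direct_access_sources",
                                         "iap_enabled"])
NetworkPort = namedtuple("NetworkPort", ["network", "port"])

# Constructed inventory standing in for what _RunData holds. Keys are stand-ins
# for resource self-link URLs; none of this is real GCP data.
INSTANCES = {
    "instances/web-1":   {"tags": {"web"}},
    "instances/web-2":   {"tags": set()},
    "instances/admin-1": {"tags": {"admin"}},
}
INSTANCE_GROUPS = {
    "groups/web-ig":   {"network": "default", "named_ports": {"http": 8080},
                        "instances": ["instances/web-1", "instances/web-2"],
                        "template_tags": {"web"}},  # managed group: template tags count too
    "groups/admin-ig": {"network": "default", "named_ports": {"http": 8443},
                        "instances": ["instances/admin-1"],
                        "template_tags": set()},
}
BACKEND_SERVICES = {
    "web-svc":        {"port_name": "http", "backends": ["groups/web-ig"],   "iap_enabled": True},
    "web-svc-legacy": {"port_name": "http", "backends": ["groups/web-ig"],   "iap_enabled": False},
    "admin-svc":      {"port_name": "http", "backends": ["groups/admin-ig"], "iap_enabled": True},
}
# Assumed range the IAP-fronted load balancer connects from (RFC 5737 test net, not a real proxy range).
PROXY_RANGES = {"198.51.100.0/24"}
# Ingress rules on network "default"; only source ranges are modelled here, not source tags.
FIREWALL_RULES = [
    {"network": "default", "tcp_ports": {8080}, "source_ranges": {"198.51.100.0/24"}, "target_tags": {"web"}},
    {"network": "default", "tcp_ports": {8080}, "source_ranges": {"0.0.0.0/0"}, "target_tags": set()},
    {"network": "default", "tcp_ports": {8443}, "source_ranges": {"198.51.100.0/24"}, "target_tags": {"admin"}},
]

def instance_group_tags(group_url):
    """Tags on every member instance, plus the template's tags for a managed group."""
    group = INSTANCE_GROUPS[group_url]
    tags = set(group["template_tags"])
    for url in group["instances"]:
        tags |= INSTANCES[url]["tags"]
    return tags

def instance_group_network_port(service_name, group_url):
    """Network and port the service uses to reach this group, resolved via the group's named port."""
    port_name = BACKEND_SERVICES[service_name]["port_name"]
    group = INSTANCE_GROUPS[group_url]
    return NetworkPort(group["network"], group["named_ports"][port_name])

def service_endpoints(service_name):
    """Every (instance, port) pair the service exposes across all of its backend groups."""
    endpoints = set()
    for group_url in BACKEND_SERVICES[service_name]["backends"]:
        port = instance_group_network_port(service_name, group_url).port
        endpoints.update((url, port) for url in INSTANCE_GROUPS[group_url]["instances"])
    return endpoints

def is_alternate_service(service_a, service_b):
    """Two services are alternates when they expose at least one common (instance, port)."""
    return bool(service_endpoints(service_a) & service_endpoints(service_b))

def firewall_allowed_sources(network_port, tags):
    """Source ranges that ingress rules let reach network_port on an instance carrying `tags`."""
    sources = set()
    for rule in FIREWALL_RULES:
        if rule["network"] != network_port.network or network_port.port not in rule["tcp_ports"]:
            continue
        # A rule with no target tags applies to every instance on the network.
        if rule["target_tags"] and not (rule["target_tags"] & tags):
            continue
        sources |= rule["source_ranges"]
    return sources

def make_iap_resource(service_name, project_full_name="project/constructed-project"):
    """Build the IapResource record for one backend service."""
    service = BACKEND_SERVICES[service_name]
    alternates = sorted(other for other in BACKEND_SERVICES
                        if other != service_name and is_alternate_service(service_name, other))
    direct = set()
    for group_url in service["backends"]:
        network_port = instance_group_network_port(service_name, group_url)
        direct |= firewall_allowed_sources(network_port, instance_group_tags(group_url))
    direct -= PROXY_RANGES  # the proxy reaching the backend is the intended path, not direct access
    return IapResource(project_full_name, service_name, alternates, sorted(direct), service["iap_enabled"])

def find_violations(resources):
    """Toy rule (an assumption of this example): an IAP-enabled service is flagged when an
    alternate service without IAP, or a firewall path from outside the proxy range, lets
    clients reach its backends without going through IAP."""
    violations = []
    for res in resources:
        if not res.iap_enabled:
            continue
        bypass = [s for s in res.alternate_services if not BACKEND_SERVICES[s]["iap_enabled"]]
        if bypass or res.direct_access_sources:
            violations.append({"backend_service": res.backend_service,
                               "alternate_services_without_iap": bypass,
                               "direct_access_sources": res.direct_access_sources})
    return violations
```

Running `find_violations([make_iap_resource(n) for n in BACKEND_SERVICES])` over this inventory flags only web-svc: it shares every (instance, 8080) endpoint with web-svc-legacy, which has IAP off, and the tag-less 0.0.0.0/0 rule on port 8080 survives the proxy-range subtraction as a direct access source. admin-svc is clean because its only path on 8443 comes from the assumed proxy range, and web-svc-legacy is skipped by the rule because IAP is not enabled on it in the first place.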