google.cloud.forseti.scanner.scanners.external_project_access_scanner module

External project access scanner.

class ExternalProjectAccessScanner(global_configs, scanner_configs, service_config, model_name, snapshot_timestamp, rules)[source]

Bases: google.cloud.forseti.scanner.scanners.base_scanner.BaseScanner

Scanner for external project access.

_find_violations(ancestries_by_user)[source]

Find violations in the policies.

Parameters:ancestries_by_user (dict) – The project ancestries collected from the scanner
Returns:A list of ExternalProjectAccess violations
Return type:list
static _flatten_violations(violations)[source]

Flatten RuleViolations into a dict for each RuleViolation member.

Parameters:violations (list) – The RuleViolations to flatten.
Yields:dict – Iterator of RuleViolations as a dict per member.
_get_crm_client(user_email)[source]

Get a user scoped CloudResourceManagerClient.

Parameters:user_email (str) – The e-mail address of the user.
Returns:crm client
Return type:CloudResourceManagerClient
_output_results(all_violations)[source]

Output results.

Parameters:all_violations (list) – A list of violations.
_retrieve()[source]

Retrieve the project ancestries for all users.

Returns:User project relationship, keyed by user e-mail address, with one ancestry chain (Project up to Organization) per project the user can access, e.g.
{"user1@example.com": [[Project("1234"), Organization("1234567")],
                       [Project("12345"), Folder("ABCDEFG"), Organization("1234567")]],
 "user2@example.com": [[Project("1234"), Organization("34567")],
                       [Project("12345"), Folder("ABCDEFG"), Organization("1234567")]]}
Return type:dict
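The dict documented above is the input `_find_violations()` consumes. The following added example (written for this page, not Forseti's own code) shows how a scanner decides from that structure which entries are external: it walks each chain to its root and flags every project whose root is not an allowed Organization, treating an orphan chain that never reaches an Organization as a violation too. The allowlist of organization IDs is an assumption for illustration and is not Forseti's rule format; the Project/Folder/Organization tuples and the sample dict are constructed here.

```python
from collections import namedtuple

# Stand-ins for the Resource objects in the scanner's ancestry chains
# (constructed for this example; not Forseti's Resource classes).
Project = namedtuple("Project", ["id"])
Folder = namedtuple("Folder", ["id"])
Organization = namedtuple("Organization", ["id"])

# Constructed sample input, shaped like the dict _retrieve() returns.
# user3 holds an orphan project: a chain that never reaches an Organization.
SAMPLE_ANCESTRIES_BY_USER = {
    "user1@example.com": [
        [Project("1234"), Organization("1234567")],
        [Project("12345"), Folder("ABCDEFG"), Organization("1234567")],
    ],
    "user2@example.com": [
        [Project("1234"), Organization("34567")],
        [Project("12345"), Folder("ABCDEFG"), Organization("1234567")],
    ],
    "user3@example.com": [
        [Project("999")],
    ],
}


def ancestry_root(ancestry):
    """Return the Organization at the top of a chain, or None if the chain
    ends at a Project or Folder (an orphan or unresolvable ancestry)."""
    top = ancestry[-1]
    return top if isinstance(top, Organization) else None


def resource_path(ancestry):
    """Render a chain as 'projects/<id>/folders/<id>/organizations/<id>'."""
    return "/".join("%ss/%s" % (type(r).__name__.lower(), r.id) for r in ancestry)


def find_external_access(ancestries_by_user, allowed_org_ids):
    """Return one violation dict per (user, project) whose ancestry does not
    terminate in an allowed Organization.

    allowed_org_ids is a set of organization IDs the scanning org owns
    (an assumption of this example, not Forseti's rule schema). An orphan
    project is always a violation: the user's token reached a project that
    no allowed org controls.
    """
    violations = []
    for user, ancestries in sorted(ancestries_by_user.items()):
        for ancestry in ancestries:
            if not ancestry or not isinstance(ancestry[0], Project):
                raise ValueError("ancestry must start with a Project: %r" % (ancestry,))
            root = ancestry_root(ancestry)
            root_id = root.id if root is not None else None
            if root_id in allowed_org_ids:
                continue
            violations.append({
                "member": user,
                "project_id": ancestry[0].id,
                "organization_id": root_id,
                "full_name": resource_path(ancestry),
            })
    return violations


if __name__ == "__main__":
    for violation in find_external_access(SAMPLE_ANCESTRIES_BY_USER, {"1234567"}):
        print(violation)
```

With `{"1234567"}` as the allowed organization, user1 is clean, user2's access to project 1234 under organization 34567 is flagged, and user3's orphan project 999 is flagged with no organization ID. The check is deliberately keyed on the chain's root rather than on any intermediate Folder: a folder ID is only meaningful inside the organization that owns it, so an allowlist of organization IDs is the smallest thing that has to be right.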
run()[source]

Entry point to run the scanner.

extract_project_ids(crm_client)[source]

Extract a list of project IDs

Parameters:crm_client (CloudResourceManagerClient) – An authenticated CRM client
Returns:Project IDs as strings
Return type:list
get_project_ancestries(crm_client, project_id_list)[source]

Get the ancestries for a list of project IDs

Parameters:
  • crm_client (CloudResourceManagerClient) – An authenticated CRM client
  • project_id_list (list) – Project IDs as strings
Returns:A list of lists of Resource objects, each defining the ancestry chain from the Project to the Organization
Return type:list

get_project_ancestry(crm_client, project_id)[source]
get_user_emails(service_config, member_types=None)[source]

Retrieves the list of user email addresses from inventory.

Parameters:
  • service_config (dict) – The service configuration
  • member_types (list) – Member types to query in storage. This defaults to ‘gsuite_user’.
Returns:List of user e-mail addresses.
Return type:list

memoize_ancestry(ancestry_function)[source]

A decorator that memoizes project ancestry lookups, so an ancestry is retrieved from the API only when it has not already been fetched during the scan.

Parameters:ancestry_function (function) – The ancestry retrieval function.
Returns:The helper
Return type:function
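As an added illustration of the memoization the decorator describes (a reimplementation written for this page, not Forseti's memoize_ancestry), the example below caches ancestry results by project ID so that a project visible to many users is resolved once, however many user-scoped clients ask for it. FakeCrmClient is a constructed stand-in for CloudResourceManagerClient that answers from a fixed table and counts calls instead of talking to Google APIs; the decorated get_project_ancestry and the ancestry table are assumptions of the example.

```python
import functools


def memoize_ancestry(ancestry_function):
    """Cache ancestry lookups by project ID (illustrative reimplementation,
    not Forseti's decorator). The key deliberately ignores which user-scoped
    client asked: a project's ancestry is a property of the project, so the
    first user who can see it answers for every later user in the same run."""
    cache = {}

    @functools.wraps(ancestry_function)
    def helper(crm_client, project_id):
        if project_id not in cache:
            cache[project_id] = ancestry_function(crm_client, project_id)
        return cache[project_id]

    helper.cache = cache  # exposed so a caller can inspect or clear it
    return helper


class FakeCrmClient:
    """Constructed stand-in for a user-scoped CloudResourceManagerClient:
    answers from a fixed table and counts API calls instead of making them."""

    def __init__(self, ancestry_table):
        self._table = ancestry_table
        self.calls = 0

    def get_project_ancestry(self, project_id):
        self.calls += 1
        return list(self._table[project_id])


@memoize_ancestry
def get_project_ancestry(crm_client, project_id):
    """Uncached lookup: one API call per invocation (assumed helper)."""
    return crm_client.get_project_ancestry(project_id)


def get_project_ancestries(crm_client, project_id_list):
    """Resolve each project's ancestry, reusing chains already cached."""
    return [get_project_ancestry(crm_client, pid) for pid in project_id_list]


# Constructed ancestry table, expressed as resource-name strings.
ANCESTRY_TABLE = {
    "1234": ["projects/1234", "organizations/1234567"],
    "12345": ["projects/12345", "folders/ABCDEFG", "organizations/1234567"],
}


def demo():
    """Two users listing overlapping projects: two API calls in total.
    Returns (user1 calls, user2 calls, cached project IDs)."""
    get_project_ancestry.cache.clear()  # start from an empty cache
    user1 = FakeCrmClient(ANCESTRY_TABLE)
    user2 = FakeCrmClient(ANCESTRY_TABLE)
    get_project_ancestries(user1, ["1234", "12345", "1234"])
    get_project_ancestries(user2, ["12345", "1234"])
    return user1.calls, user2.calls, sorted(get_project_ancestry.cache)


if __name__ == "__main__":
    print(demo())
```

The cache lives for one scanner run, which is the right lifetime for a point-in-time inventory scan: a project whose ancestry is moved mid-scan is reported where it was first seen, and the next run sees the new chain. A cache that outlived the run would hide such moves, so the decorator's cache should not be shared across runs.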