Source code for

# Copyright 2017 The Forseti Security Authors. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with azthe License.
# You may obtain a copy of the License at
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# See the License for the specific language governing permissions and
# limitations under the License.

"""Scanner for the Networks Enforcer acls rules engine."""

# pylint: disable=line-too-long
from import instance
from import project
from import logger
from import ResourceType
from import base_scanner
from import instance_network_interface_rules_engine
# pylint: enable=line-too-long

LOGGER = logger.get_logger(__name__)

[docs]class InstanceNetworkInterfaceScanner(base_scanner.BaseScanner): """Pipeline to network enforcer from DAO.""" def __init__(self, global_configs, scanner_configs, service_config, model_name, snapshot_timestamp, rules): """Initialization. Args: global_configs (dict): Global configurations. scanner_configs (dict): Scanner configurations. service_config (ServiceConfig): Forseti 2.0 service configs model_name (str): name of the data model snapshot_timestamp (str): Timestamp, formatted as YYYYMMDDTHHMMSSZ. rules (str): Fully-qualified path and filename of the rules file. """ super(InstanceNetworkInterfaceScanner, self).__init__( global_configs, scanner_configs, service_config, model_name, snapshot_timestamp, rules) self.rules_engine = ( instance_network_interface_rules_engine .InstanceNetworkInterfaceRulesEngine( rules_file_path=self.rules, snapshot_timestamp=self.snapshot_timestamp)) self.rules_engine.build_rule_book(self.global_configs)
[docs] @staticmethod def _flatten_violations(violations): """Flatten RuleViolations into a dict for each RuleViolation member. Args: violations (list): The RuleViolations to flatten. Yields: dict: Iterator of RuleViolations as a dict per member. """ for violation in violations: violation_data = {'project': violation.project, 'full_name': violation.full_name, 'network':, 'ip': violation.ip, 'resource_data': violation.resource_data} yield { 'resource_name': violation.resource_name, 'resource_id': violation.resource_id, 'resource_type': violation.resource_type, 'full_name': violation.full_name, 'rule_index': violation.rule_index, 'rule_name': violation.rule_name, 'violation_type': violation.violation_type, 'violation_data': violation_data, 'resource_data': violation.resource_data }
[docs] def _output_results(self, all_violations): """Output results. Args: all_violations (list): All violations """ all_violations = self._flatten_violations(all_violations) self._output_results_to_db(all_violations)
[docs] @staticmethod def _get_resource_count(project_policies, instance_network_interfaces): """Get resource count for org and project policies. Args: project_policies (dict): containing the projects (gcp_type.project.Project) and their iam policies (dict). instance_network_interfaces (list): of network_interface objects. Returns: dict: Resource count map """ resource_counts = { ResourceType.PROJECT: len(project_policies), ResourceType.INSTANCE: len(instance_network_interfaces), } return resource_counts
[docs] def _retrieve(self): """Retrieve the network interfaces for vm instances. Return: list: A list that contains nested lists of per-instance InstanceNetworksInterface objects. """ model_manager = self.service_config.model_manager scoped_session, data_access = model_manager.get(self.model_name) with scoped_session as session: network_interfaces = [] for instance_from_data_model in data_access.scanner_iter( session, 'instance'): proj = project.Project(, full_name=instance_from_data_model.parent.full_name, ) ins = instance.Instance.from_json( parent=proj, network_interfaces.append(ins.create_network_interfaces()) if not network_interfaces: LOGGER.warning('No VM network interfaces found. Exiting.') return None, 0 return network_interfaces
[docs] def _find_violations(self, enforced_networks_data): """Find violations in the policies. Args: enforced_networks_data (list): Enforced networks data to find violations in Returns: list: A list of violations """ all_violations = []'Finding enforced networks violations...') for instance_network_interface in enforced_networks_data: LOGGER.debug('%s', instance_network_interface) violations = self.rules_engine.find_violations( instance_network_interface) LOGGER.debug(violations) all_violations.extend(violations) return all_violations
[docs] def run(self): """Runs the instance network interface scanner.""" network_interfaces = self._retrieve() all_violations = self._find_violations(network_interfaces) self._output_results(all_violations)