google.cloud.forseti.scanner.scanners.iam_rules_scanner module

Scanner for the IAM rules engine.

class IamPolicyScanner(global_configs, scanner_configs, service_config, model_name, snapshot_timestamp, rules)

Bases: google.cloud.forseti.scanner.scanners.base_scanner.BaseScanner

Scanner for IAM data.

SCANNER_OUTPUT_CSV_FMT = 'scanner_output_iam.{}.csv'
_find_violations(policies)

Find violations in the policies.

Parameters:policies (list) – list of (parent resource, iam_policy resource, policy bindings) tuples to find violations in.
Returns:A list of all violations
Return type:list
static _flatten_violations(violations)

Flatten RuleViolations into a dict for each RuleViolation member.

Parameters:violations (list) – The RuleViolations to flatten.
Yields:dict – Iterator of RuleViolations as a dict per member.
_output_results(all_violations)

Output results.

Parameters:all_violations (list) – A list of violations.
_retrieve()

Retrieves the data for the scanner.

Returns:A list of (gcp_type, forseti_data_model_resource) tuples, and a dict of resource counts.
Return type:(list, dict)
run()

Runs the data collection.

_add_bucket_ancestor_bindings(policy_data)

Add bucket relevant IAM policy bindings from ancestors.

Resources can inherit policy bindings from ancestors in the resource manager tree. For example, a GCS bucket inherits an ‘objectViewer’ role granted on its project or folder (higher up in the tree).

So far the IAM rules engine only checks the set of bindings directly attached to a resource (the direct bindings set, DBS). Relevant bindings inherited from ancestors are added to the DBS so that they are also checked for violations.

If more than one binding with the same role name is found, their members are merged.

NOTA BENE: this function only handles buckets, and the bindings relevant to them, at present (but can and should be expanded to handle projects and folders going forward).

Parameters:policy_data (list) – list of (parent resource, iam_policy resource, policy bindings) tuples to find violations in.
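As an added illustration of the merge described above (example code written for this page, not Forseti's own implementation), the function below walks a bucket's ancestors, pulls in the bindings whose roles apply to buckets, and merges members of bindings that share a role name. The resource tree, policies and the set of bucket-relevant roles are constructed sample data and assumptions, not values from the Forseti data model.

```python
# Added example: merge IAM bindings a GCS bucket inherits from its project and
# folder ancestors into its direct binding set (DBS). Not Forseti's own code.

# Constructed resource-manager tree: bucket -> project -> folder -> organization.
PARENT = {
    'bucket/example-bucket': 'project/example-project',
    'project/example-project': 'folder/123',
    'folder/123': 'organization/456',
}

# Constructed policies: resource name -> list of {role, members} bindings.
POLICIES = {
    'bucket/example-bucket': [
        {'role': 'roles/storage.objectViewer', 'members': ['user:alice@example.com']},
    ],
    'project/example-project': [
        {'role': 'roles/storage.objectViewer', 'members': ['group:analysts@example.com']},
        {'role': 'roles/owner', 'members': ['user:bob@example.com']},
    ],
    'folder/123': [
        {'role': 'roles/storage.objectViewer', 'members': ['user:alice@example.com', 'allUsers']},
    ],
}

# Assumed set of roles that are relevant to buckets; ancestor bindings for
# other roles (e.g. roles/owner) are left out of the merge.
BUCKET_RELEVANT_ROLES = {
    'roles/storage.objectViewer', 'roles/storage.objectCreator',
    'roles/storage.objectAdmin', 'roles/storage.admin',
}

def ancestors(resource, parent=PARENT):
    """Yield the ancestors of resource, nearest parent first, up to the root."""
    while resource in parent:
        resource = parent[resource]
        yield resource

def effective_bucket_bindings(bucket, policies=POLICIES, parent=PARENT):
    """Return the bucket's DBS with relevant ancestor bindings merged in by role."""
    merged = {}  # role -> dict used as an insertion-ordered set of members
    for binding in policies.get(bucket, []):
        merged.setdefault(binding['role'], {}).update(dict.fromkeys(binding['members']))
    for ancestor in ancestors(bucket, parent):
        for binding in policies.get(ancestor, []):
            if binding['role'] not in BUCKET_RELEVANT_ROLES:
                continue  # not a bucket binding; skip
            # Same role name as an existing binding: merge members, dropping duplicates.
            merged.setdefault(binding['role'], {}).update(dict.fromkeys(binding['members']))
    return [{'role': role, 'members': list(members)} for role, members in merged.items()]
```

The merged list is what a rules engine should evaluate: the inherited ‘allUsers’ grant from the folder shows up on the bucket even though the bucket's own policy never mentions it.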