google.cloud.forseti.scanner.scanners.iap_scanner module

Scanner for the Identity-Aware Proxy rules engine.

class IapResource(project_full_name, backend_service, alternate_services, direct_access_sources, iap_enabled)

Bases: tuple

__getnewargs__()

Return self as a plain tuple. Used by copy and pickle.

__getstate__()

Exclude the OrderedDict from pickling

__repr__()

Return a nicely formatted representation string

_asdict()

Return a new OrderedDict which maps field names to their values

_fields = ('project_full_name', 'backend_service', 'alternate_services', 'direct_access_sources', 'iap_enabled')
classmethod _make(iterable, new=tuple.__new__, len=len)

Make a new IapResource object from a sequence or iterable

_replace(**kwds)

Return a new IapResource object replacing specified fields with new values

alternate_services – other backend services that expose any of the same (instance, port) pairs as backend_service
backend_service – the backend service this resource describes
direct_access_sources – firewall sources (networks, tags) allowed to reach the service's backends directly, without passing through the proxy
iap_enabled – whether IAP is enabled on backend_service
project_full_name – the full path to the parent project including all ancestors
class IapScanner(global_configs, scanner_configs, service_config, model_name, snapshot_timestamp, rules)[source]

Bases: google.cloud.forseti.scanner.scanners.base_scanner.BaseScanner

Pipeline that retrieves IAP-related data from the DAO and runs it through the IAP rules engine.

SCANNER_OUTPUT_CSV_FMT = 'scanner_output_iap.{}.csv'
_find_violations(iap_data)[source]

Find IAP violations.

Parameters:iap_data (iter) – Generator of IAP resources and resource counts per project in the inventory.
Returns:RuleViolation
Return type:list
static _flatten_violations(violations)[source]

Flatten RuleViolations into a dict for each RuleViolation member.

Parameters:violations (list) – The RuleViolations to flatten.
Yields:dict – Iterator of RuleViolations as a dict per member.
_get_backend_services(parent_type_name)[source]

Retrieves backend services.

Parameters:parent_type_name (str) – The parent resource type and name to pull.
Returns:BackendService
Return type:list
_get_firewall_rules(parent_type_name)[source]

Retrieves firewall rules.

Parameters:parent_type_name (str) – The parent resource type and name to pull.
Returns:FirewallRule
Return type:list
_get_instance_group_managers(parent_type_name)[source]

Retrieves instance group managers.

Parameters:parent_type_name (str) – The parent resource type and name to pull.
Returns:InstanceGroupManager
Return type:list
_get_instance_groups(parent_type_name)[source]

Retrieves instance groups.

Parameters:parent_type_name (str) – The parent resource type and name to pull.
Returns:InstanceGroup
Return type:list
_get_instance_templates(parent_type_name)[source]

Retrieves instance templates.

Parameters:parent_type_name (str) – The parent resource type and name to pull.
Returns:InstanceTemplate
Return type:list
_get_instances(parent_type_name)[source]

Retrieves instances.

Parameters:parent_type_name (str) – The parent resource type and name to pull.
Returns:Instance
Return type:list
_output_results(all_violations)[source]

Output results.

Parameters:all_violations (list) – A list of violations.
_retrieve()[source]

Retrieves the data for the scanner.

Yields:
  • list – A list of IAP Resources for a project, to pass to the rules engine.
  • dict – A dict of resource counts for the project.

run()[source]

Runs the data collection.

class NetworkPort(network, port)

Bases: tuple

__getnewargs__()

Return self as a plain tuple. Used by copy and pickle.

__getstate__()

Exclude the OrderedDict from pickling

__repr__()

Return a nicely formatted representation string

_asdict()

Return a new OrderedDict which maps field names to their values

_fields = ('network', 'port')
classmethod _make(iterable, new=tuple.__new__, len=len)

Make a new NetworkPort object from a sequence or iterable

_replace(**kwds)

Return a new NetworkPort object replacing specified fields with new values

network
port
class _RunData(backend_services, firewall_rules, instances, instance_groups, instance_group_managers, instance_templates)[source]

Bases: object

Information needed to compute IAP properties.

find_instance_by_url(instance_url)[source]

Find an instance for the given URL.

Parameters:instance_url (str) – instance URL
Returns:instance
Return type:Instance
find_instance_group_by_url(instance_group_url)[source]

Find an instance group for the given URL.

Parameters:instance_group_url (str) – instance group URL
Returns:instance group
Return type:InstanceGroup
firewall_allowed_sources(network_port, tag)[source]

Which sources (networks, tags) can connect to the given destination?

Parameters:
  • network_port (NetworkPort) – connection destination
  • tag (str) – instance tag for destination instance
Returns:allowed source networks and tags
Return type:set

static instance_group_network_port(backend_service, instance_group)[source]

Which network and port is used for a service’s backends?

A backend service can communicate with its backends on a different network and port number for each of the service’s backend instance groups.

Parameters:
  • backend_service (BackendService) – the service whose backends are queried
  • instance_group (InstanceGroup) – one of the service's backend instance groups
Returns:how the service communicates with backends
Return type:NetworkPort

is_alternate_service(backend_service, backend_service2)[source]

Do two backend services expose any of the same (instance, port) pairs?

Parameters:
  • backend_service (BackendService) – first service to compare
  • backend_service2 (BackendService) – second service to compare
Returns:whether the two services share any (instance, port)
Return type:bool

make_iap_resource(backend_service, project_full_name)[source]

Get an IapResource for a service.

Parameters:
  • backend_service (BackendService) – service to create a resource for
  • project_full_name (str) – The full path to the parent project including all ancestors.
Returns:the corresponding resource
Return type:IapResource

tags_for_instance_group(instance_group)[source]

Which instance tags are used for an instance group?

Includes tags used by instances in the group and, for managed groups, tags in the group’s template.

Parameters:instance_group (InstanceGroup) – the group to query tags for
Returns:tags
Return type:set
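
The helpers listed for _RunData above describe, step by step, how an IapResource is derived from the inventory: the network and port a service uses to reach each backend group, the tags carried by that group's instances, the firewall sources allowed to reach that (network, port) for those tags, and the other services that expose the same (instance, port) pairs. The following added example (not Forseti's own code; written for Python 3) reconstructs that computation over a small constructed inventory and then reads the resulting resources as an IAP-bypass check. The simplified inventory namedtuples, the RunData class, iap_bypass_paths, scan and the sample URLs, tags and ranges are all assumptions made for the example; only the IapResource and NetworkPort field layouts come from the page. The ranges 130.211.0.0/22 and 35.191.0.0/16 are the Google Front End ranges that deliver load-balanced traffic and health checks to backends.

```python
"""Added example (not Forseti's code, Python 3): compute IapResource records from
a constructed inventory and read them as an IAP-bypass check."""
from collections import namedtuple
import ipaddress

# Field layout copied from the module's two namedtuples.
IapResource = namedtuple('IapResource', ['project_full_name', 'backend_service',
                                         'alternate_services', 'direct_access_sources', 'iap_enabled'])
NetworkPort = namedtuple('NetworkPort', ['network', 'port'])
# Simplified stand-ins for the inventory objects (assumed shapes, not the real classes); TCP ports only.
BackendService = namedtuple('BackendService', ['name', 'port_name', 'group_urls', 'iap_enabled'])
InstanceGroup = namedtuple('InstanceGroup', ['url', 'network', 'named_ports', 'instance_urls'])
FirewallRule = namedtuple('FirewallRule', ['network', 'direction', 'action', 'tcp_ports',
                                           'source_ranges', 'source_tags', 'target_tags'])
# Google Front End ranges carrying proxied (IAP-checked) traffic and health checks to backends.
PROXY_SOURCE_RANGES = ('130.211.0.0/22', '35.191.0.0/16')


class RunData(object):
    def __init__(self, backend_services, firewall_rules, instance_tags, groups):
        self.backend_services = backend_services
        self.firewall_rules = firewall_rules
        self.instance_tags = instance_tags              # instance url -> set of tags
        self._groups = {g.url: g for g in groups}

    @staticmethod
    def instance_group_network_port(backend_service, instance_group):
        # The service names a port; each backend group maps that name to a number.
        return NetworkPort(instance_group.network, instance_group.named_ports[backend_service.port_name])

    def tags_for_instance_group(self, instance_group):
        return set().union(*(self.instance_tags[u] for u in instance_group.instance_urls))

    def firewall_allowed_sources(self, network_port, tag):
        """Sources allowed to reach network_port on an instance with `tag`; no target_tags = all."""
        sources = set()
        for rule in self.firewall_rules:
            if (rule.network != network_port.network or rule.direction != 'INGRESS'
                    or rule.action != 'allow' or network_port.port not in rule.tcp_ports
                    or (rule.target_tags and tag not in rule.target_tags)):
                continue
            sources.update(rule.source_ranges, rule.source_tags)
        return sources

    def _instance_ports(self, backend_service):
        pairs = set()
        for url in backend_service.group_urls:
            group = self._groups[url]
            port = self.instance_group_network_port(backend_service, group).port
            pairs.update((inst, port) for inst in group.instance_urls)
        return pairs

    def is_alternate_service(self, backend_service, backend_service2):
        # Alternates expose at least one common (instance, port) pair.
        return bool(self._instance_ports(backend_service) & self._instance_ports(backend_service2))

    def make_iap_resource(self, backend_service, project_full_name):
        alternates = {o.name for o in self.backend_services
                      if o.name != backend_service.name and self.is_alternate_service(backend_service, o)}
        direct = set()
        for url in backend_service.group_urls:
            group = self._groups[url]
            dest = self.instance_group_network_port(backend_service, group)
            for tag in self.tags_for_instance_group(group) or {None}:
                direct.update(self.firewall_allowed_sources(dest, tag))
        return IapResource(project_full_name, backend_service.name, frozenset(alternates),
                           frozenset(direct), backend_service.iap_enabled)


def iap_bypass_paths(resource, all_resources):
    """Illustrative reading (an assumption, not the project's rules engine): direct sources
    outside the proxy ranges, plus alternate services that have IAP switched off."""
    if not resource.iap_enabled:
        return set()
    proxy_nets = [ipaddress.ip_network(r) for r in PROXY_SOURCE_RANGES]
    paths = set()
    for src in resource.direct_access_sources:
        try:
            net = ipaddress.ip_network(src)
        except ValueError:                              # a source tag, not a CIDR
            paths.add(src)
            continue
        if not any(net.subnet_of(p) for p in proxy_nets):
            paths.add(src)
    paths.update('service:' + n for n in resource.alternate_services if not all_resources[n].iap_enabled)
    return paths


def scan(project_full_name='organization/1/project/demo'):
    """Constructed inventory: two services front one web tier (internal one has IAP off)."""
    groups = [InstanceGroup('ig/web', 'net/prod', {'http': 8080}, ('inst/web-1', 'inst/web-2'))]
    instance_tags = {'inst/web-1': {'web'}, 'inst/web-2': {'web'}}
    services = [BackendService('bs-public', 'http', ('ig/web',), True),
                BackendService('bs-internal', 'http', ('ig/web',), False)]
    rules = [FirewallRule('net/prod', 'INGRESS', 'allow', {8080}, PROXY_SOURCE_RANGES, (), ('web',)),
             FirewallRule('net/prod', 'INGRESS', 'allow', {8080}, ('10.20.0.0/16',), (), ('web',)),
             FirewallRule('net/prod', 'INGRESS', 'allow', {22}, ('0.0.0.0/0',), (), ())]  # other port
    data = RunData(services, rules, instance_tags, groups)
    return {bs.name: data.make_iap_resource(bs, project_full_name) for bs in data.backend_services}
```

scan() returns one IapResource per service. For bs-public (IAP on) the check reports two bypass paths: the range 10.20.0.0/16, which the firewall admits straight to port 8080, and bs-internal, which serves the same instances on the same port with IAP off. A rule over these resources should treat the second path as seriously as the first: IAP is enforced at the load balancer, so any other route to the serving port is unauthenticated as far as IAP is concerned. The real scanner also collects tags from managed groups' instance templates, which this sketch omits.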