Add location scanner #2075
Add location scanner #2075
Conversation
Codecov Report
@@ Coverage Diff @@
## dev #2075 +/- ##
==========================================
- Coverage 89.12% 89.03% -0.09%
==========================================
Files 168 170 +2
Lines 12788 12941 +153
==========================================
+ Hits 11397 11522 +125
- Misses 1391 1419 +28
|
| @@ -47,6 +50,7 @@ def __init__( | |||
| name (str): The bucket's unique GCP name, with the | |||
| format "buckets/{id}". | |||
| display_name (str): The bucket's display name. | |||
| locations (List[str]): Locations this bucket resides in. | |||
There was a problem hiding this comment.
I think extend the comment here to mention that a bucket will only have a single location.
| @@ -229,6 +232,15 @@ def parent(self): | |||
| """ | |||
| return self._parent | |||
|
|
|||
| @property | |||
| def locations(self): | |||
| """Locations the resource resides in. | |||
There was a problem hiding this comment.
Maybe mention that some resources support multiple locations (GKE), others will always have a single location (GCS/BQ/...), and others do not support location (will return None).
|
|
||
|
|
||
| class LocationRulesEngine(base_rules_engine.BaseRulesEngine): | ||
| """Rules engine for Liens.""" |
There was a problem hiding this comment.
Here and in other lines/files, a few instances of "Lien" still in comments.
|
|
||
| resource_type = raw_resource.get('type') | ||
|
|
||
| if resource_type not in {'project', 'folder', 'organization'}: |
There was a problem hiding this comment.
Make this a class "constant" e.g.
SUPPORTED_RESOURCE_TYPES = frozenset(['project', 'folder', 'organization'])
Same for the supported applies_to types.
| resource (Resource): The GCP resource to check locations for. | ||
| This is where we start looking for rule violations and | ||
| we move up the resource hierarchy (if permitted by the | ||
| resource's "inherit_from_parents" property). |
There was a problem hiding this comment.
remove comment about 'inherit_from_parents'
| self.applies_to = applies_to | ||
|
|
||
| loc_re_str = '|'.join([ | ||
| regular_exp.escape_and_globify(loc_wildcard) |
| """ | ||
| resources = [] | ||
|
|
||
| resource_type_to_fn = {'bucket': bucket.Bucket.from_json} |
There was a problem hiding this comment.
Document what kind of function is expected here. Perhaps we could move this this out to somewhere the rule engine and scanner can both see, so there is a single source of truth for supported resources
| mode='whitelist', | ||
| type='bucket', | ||
| locations=['eu*'], | ||
| ) |
There was a problem hiding this comment.
One of the tests should cover exact matches (no wildcard), and multiple locations in a single rule
Currently only supports buckets.
Part of #2053.