Codecov Report
@@ Coverage Diff @@
## dev #2075 +/- ##
==========================================
- Coverage 89.12% 89.03% -0.09%
==========================================
Files 168 170 +2
Lines 12788 12941 +153
==========================================
+ Hits 11397 11522 +125
- Misses 1391 1419 +28
@@ -47,6 +50,7 @@ def __init__( | |||
name (str): The bucket's unique GCP name, with the | |||
format "buckets/{id}". | |||
display_name (str): The bucket's display name. | |||
locations (List[str]): Locations this bucket resides in. |
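Review bot: the `locations (List[str])` entry on the last line of this hunk should say whether the stored values are normalized, because the rules engine compares them against lower-cased, globified wildcards (see the `loc_wildcard.lower()` suggestion further down); a bucket whose location is reported in upper case would otherwise never match a rule written as `eu*`. It should also state that a bucket has a single location, e.g. `locations (List[str]): Locations this bucket resides in; a bucket has exactly one location, so this list holds a single entry.`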
I think we should extend the comment here to mention that a bucket will only have a single location.
Done.
@@ -229,6 +232,15 @@ def parent(self): | |||
""" | |||
return self._parent | |||
|
|||
@property | |||
def locations(self): | |||
"""Locations the resource resides in. |
Maybe mention that some resources support multiple locations (GKE), others will always have a single location (GCS/BQ/...), and others do not support location (will return None).
Done.
|
||
|
||
class LocationRulesEngine(base_rules_engine.BaseRulesEngine): | ||
"""Rules engine for Liens.""" |
Here and in other lines/files, a few instances of "Lien" still in comments.
Done.
|
||
resource_type = raw_resource.get('type') | ||
|
||
if resource_type not in {'project', 'folder', 'organization'}: |
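Review bot: `raw_resource.get('type')` returns None when the `type` key is missing, and the `not in` check that follows then reports a missing field as an unsupported type; either index with `raw_resource['type']` so a malformed rule fails with a clear KeyError, or include the offending value in the error message so the two cases can be told apart. The inline set literal also belongs in a module- or class-level `frozenset` constant so the scanner and the rules engine share one definition of the supported resource types.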
Make this a class "constant" e.g.
SUPPORTED_RESOURCE_TYPES = frozenset(['project', 'folder', 'organization'])
Same for the supported applies_to types.
Done.
resource (Resource): The GCP resource to check locations for. | ||
This is where we start looking for rule violations and | ||
we move up the resource hierarchy (if permitted by the | ||
resource's "inherit_from_parents" property). |
remove comment about 'inherit_from_parents'
Done.
self.applies_to = applies_to | ||
|
||
loc_re_str = '|'.join([ | ||
regular_exp.escape_and_globify(loc_wildcard) |
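Review bot: joining the globified wildcards with `'|'` has two edge cases to handle here. If `locations` is empty, `'|'.join([])` is the empty string, and an empty pattern matches every location, so an empty rule silently becomes match-everything; reject an empty location list when the rule is built. Also make sure each alternative stays anchored (or wrap the whole join in `^(?:...)$`) so `eu*` cannot match inside an unrelated string, and lower-case the wildcard as suggested in the comment on this hunk, together with the resource location at comparison time, so `EU` and `eu*` compare equal.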
loc_wildcard.lower() here?
Done.
""" | ||
resources = [] | ||
|
||
resource_type_to_fn = {'bucket': bucket.Bucket.from_json} |
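Review bot: `resource_type_to_fn` is built inside the function body (right after `resources = []`), so the supported-resource mapping is recreated on every call and is invisible to the rules engine, which keeps its own list of supported types; hoist it to module level, document the expected callable signature (what arguments it receives and that it returns a resource object exposing `locations`), and make a lookup of an unknown type fail with an explicit error rather than a bare KeyError.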
Document what kind of function is expected here. Perhaps we could move this out to somewhere the rule engine and scanner can both see, so there is a single source of truth for supported resources.
Done.
mode='whitelist', | ||
type='bucket', | ||
locations=['eu*'], | ||
) |
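Review bot: this test rule only exercises whitelist mode with a single wildcard; add cases for blacklist mode, an exact location with no wildcard, several locations in one rule, and a bucket whose reported location differs in case from the pattern (e.g. `EU` against `eu*`), since a case-sensitive comparison would pass this wildcard test while missing buckets whose location is reported in a different case.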
One of the tests should cover exact matches (no wildcard), and multiple locations in a single rule
Done.
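The review points above (lower-casing the wildcard, rejecting empty rules, exact matches and multiple locations in one rule) as a small stand-alone matcher; this is an added example, not Forseti's code, and `escape_and_globify`, `LocationRule` and its methods are hypothetical stand-ins for the project's own classes.

```python
import re
from typing import Iterable, List

# Added example, not the project's code: a minimal location rule matcher.

def escape_and_globify(pattern: str) -> str:
    """Turn a glob such as 'eu*' into an anchored regex.
    Hypothetical stand-in for regular_exp.escape_and_globify."""
    return '^' + re.escape(pattern).replace(r'\*', '.*?') + '$'


class LocationRule:
    """One rule: mode is 'whitelist' or 'blacklist'; locations are globs."""
    SUPPORTED_MODES = frozenset(['whitelist', 'blacklist'])

    def __init__(self, mode: str, locations: Iterable[str]):
        if mode not in self.SUPPORTED_MODES:
            raise ValueError('unsupported mode: %r' % mode)
        # Lower-case each wildcard before globifying it (reviewer's point).
        patterns = [escape_and_globify(loc.lower()) for loc in locations]
        if not patterns:
            # '|'.join([]) would be '', a regex that matches every location.
            raise ValueError('a rule needs at least one location')
        self.mode = mode
        # Each alternative is already anchored by escape_and_globify.
        self.regex = re.compile('|'.join(patterns))

    def matches(self, location: str) -> bool:
        # Compare case-insensitively so 'EU' matches the wildcard 'eu*'.
        return self.regex.match(location.lower()) is not None

    def violations(self, locations: List[str]) -> List[str]:
        """Return the locations that violate this rule.
        whitelist: every location must match one of the patterns;
        blacklist: no location may match any pattern."""
        if self.mode == 'whitelist':
            return [loc for loc in locations if not self.matches(loc)]
        return [loc for loc in locations if self.matches(loc)]
```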
Thanks for adding the location scanner!
Currently only supports buckets.
Part of #2053.