Basic implementation for a policy wrapper.

The implementation here is meant to wrap a library of JSON policy
documents. Policies should be added to directories corresponding to
where they will be defined (portfolio, application, environment).
Functionality for parsing portfolio policy definitions is included. When
the policies need to be defined on a management group, the
AzureCloudProvider can iterate the appropriate tier of the policy
manager and add those definitions.
This commit is contained in:
dandds 2019-12-18 17:31:04 -05:00
parent 6460c912dd
commit 3bfb6c9621
8 changed files with 56 additions and 8 deletions


@ -3,7 +3,7 @@
"files": "^.secrets.baseline$|^.*pgsslrootcert.yml$", "files": "^.secrets.baseline$|^.*pgsslrootcert.yml$",
"lines": null "lines": null
}, },
"generated_at": "2019-12-18T15:29:41Z", "generated_at": "2019-12-18T22:26:52Z",
"plugins_used": [ "plugins_used": [
{ {
"base64_limit": 4.5, "base64_limit": 4.5,
@ -98,7 +98,7 @@
"hashed_secret": "afc848c316af1a89d49826c5ae9d00ed769415f3", "hashed_secret": "afc848c316af1a89d49826c5ae9d00ed769415f3",
"is_secret": false, "is_secret": false,
"is_verified": false, "is_verified": false,
"line_number": 29, "line_number": 30,
"type": "Secret Keyword" "type": "Secret Keyword"
} }
], ],


@ -6,6 +6,7 @@ from atst.models.user import User
from atst.models.application import Application from atst.models.application import Application
from atst.models.environment import Environment from atst.models.environment import Environment
from atst.models.environment_role import EnvironmentRole from atst.models.environment_role import EnvironmentRole
from .policy import AzurePolicyManager
class GeneralCSPException(Exception): class GeneralCSPException(Exception):
@ -429,6 +430,8 @@ class AzureCloudProvider(CloudProviderInterface):
else: else:
self.sdk = azure_sdk_provider self.sdk = azure_sdk_provider
self.policy_manager = AzurePolicyManager(config["AZURE_POLICY_LOCATION"])
def create_environment( def create_environment(
self, auth_credentials: Dict, user: User, environment: Environment self, auth_credentials: Dict, user: User, environment: Environment
): ):
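Review bot: The added `self.policy_manager = AzurePolicyManager(config["AZURE_POLICY_LOCATION"])` passes the configured value through as-is, and the value this commit ships is the relative path `policies`, so the directory the manager later globs is resolved against whatever working directory the process happens to have, not the application root. Consider resolving it once here, e.g. `os.path.abspath(config["AZURE_POLICY_LOCATION"])` against a known base, or documenting in the config template that the path must be absolute in deployments. Raising `KeyError` on a missing key is reasonable fail-fast behaviour, but a short comment such as `# policy library is loaded lazily; a wrong path surfaces only on first access` would help, since no file is read at construction time. The enclosing `AzureCloudProvider.__init__` begins outside this hunk.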


@ -1,12 +1,47 @@
from glob import glob
import json
from dataclasses import dataclass
from os.path import join as path_join
class AzurePolicyManager: class AzurePolicyManager:
def __init__(self, static_policy_location): def __init__(self, static_policy_location):
self._static_policy_location = static_policy_location self._static_policy_location = static_policy_location
def portfolio_definitions(): @property
def portfolio_definitions(self):
if getattr(self, "_portfolio_definitions", None) is None:
portfolio_files = self._glob_json("portfolios")
self._portfolio_definitions = self._load_policies(portfolio_files)
return self._portfolio_definitions
@property
def application_definitions(self):
pass pass
def application_definitions(): @property
def environment_definitions(self):
pass pass
def environment_definitions(): def _glob_json(self, path):
pass return glob(path_join(self._static_policy_location, "portfolios", "*.json"))
def _load_policies(self, json_policies):
return [self._load_policy(pol) for pol in json_policies]
def _load_policy(self, policy_file):
with open(policy_file, "r") as file_:
doc = json.loads(file_.read())
return AzurePolicy(
definition_point=doc["definitionPoint"],
definition=doc["policyDefinition"],
parameters=doc["parameters"],
)
@dataclass
class AzurePolicy:
definition_point: str
definition: dict
parameters: dict
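Review bot: `_glob_json(self, path)` ignores its `path` argument and hard-codes `"portfolios"`, so once `application_definitions` and `environment_definitions` are implemented on top of it they will silently load the portfolio tier; it should read `return glob(path_join(self._static_policy_location, path, "*.json"))`. In `_load_policy`, every `*.json` file found in the directory is trusted to have the three expected keys, and a malformed or stray file raises a bare `KeyError` that does not name the file; wrapping the three lookups to re-raise with `policy_file` in the message (e.g. `raise ValueError(f"{policy_file}: missing policy key {exc}") from exc`) makes a bad policy library diagnosable, and `json.load(file_)` replaces `json.loads(file_.read())`. The lazy cache in `portfolio_definitions` relies on `getattr(self, "_portfolio_definitions", None)`; initialising `self._portfolio_definitions = None` in `__init__` would make the attribute visible and let the property use a plain `is None` check. The two stub properties return `None` rather than an empty list, which will break any caller that iterates them; a `# TODO: not yet implemented, returns None` comment or `return []` would make that explicit.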


@ -3,6 +3,7 @@ ASSETS_URL
AZURE_ACCOUNT_NAME AZURE_ACCOUNT_NAME
AZURE_STORAGE_KEY AZURE_STORAGE_KEY
AZURE_TO_BUCKET_NAME AZURE_TO_BUCKET_NAME
AZURE_POLICY_LOCATION=policies
BLOB_STORAGE_URL=http://localhost:8000/ BLOB_STORAGE_URL=http://localhost:8000/
CAC_URL = http://localhost:8000/login-redirect CAC_URL = http://localhost:8000/login-redirect
CA_CHAIN = ssl/server-certs/ca-chain.pem CA_CHAIN = ssl/server-certs/ca-chain.pem


@ -1,5 +1,5 @@
{ {
"definitionPoint": "portfolio-parent", "definitionPoint": "portfolio",
"policyDefinition": { "policyDefinition": {
"properties": { "properties": {
"displayName": "Allowed resource types", "displayName": "Allowed resource types",


@ -1,5 +1,5 @@
{ {
"definitionPoint": "portfolio-parent", "definitionPoint": "portfolio",
"policyDefinition": { "policyDefinition": {
"properties": { "properties": {
"displayName": "Custom - Region Restriction", "displayName": "Custom - Region Restriction",


@ -0,0 +1,8 @@
from atst.domain.csp.policy import AzurePolicyManager, AzurePolicy
def test_portfolio_definitions():
manager = AzurePolicyManager("policies")
assert len(manager.portfolio_definitions) > 0
policy = manager.portfolio_definitions[0]
assert isinstance(policy, AzurePolicy)
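Review bot: The test only checks that something was loaded and that the first item is an `AzurePolicy`; it never asserts what was parsed, so a loader that mapped the JSON keys to the wrong fields would still pass. Add at least `assert policy.definition_point == "portfolio"` (the value this commit sets in the fixture files) and `assert all(isinstance(p, AzurePolicy) for p in manager.portfolio_definitions)`. The hard-coded `AzurePolicyManager("policies")` also ties the test to the directory pytest is launched from; building the manager on a `tmp_path` containing one constructed policy document, or resolving the path relative to the test file, would make it location-independent.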


@ -7,6 +7,7 @@ AZURE_CONFIG = {
"AZURE_CLIENT_ID": "MOCK", "AZURE_CLIENT_ID": "MOCK",
"AZURE_SECRET_KEY": "MOCK", "AZURE_SECRET_KEY": "MOCK",
"AZURE_TENANT_ID": "MOCK", "AZURE_TENANT_ID": "MOCK",
"AZURE_POLICY_LOCATION": "policies",
} }
AUTH_CREDENTIALS = { AUTH_CREDENTIALS = {