This repository has been archived by the owner on Jun 5, 2023. It is now read-only.

External Project Access Scanner reports violations for rules that are actually an allow-list #3422

Open
kevensen opened this issue Nov 8, 2019 · 4 comments
Labels
found-in-2.23 Issues reported in 2.23 release. module: scanner priority: p2 Important feature defect, moderate live issue triaged: yes type: bug

Comments

@kevensen
Contributor

kevensen commented Nov 8, 2019

The logic needs to be corrected.

for resource in self.rules['ancestor_resources']:
    if resource in ancestry:
        matched_resources.append(resource)
if 'users' in list(self.rules.keys()):
    if user_email not in self.rules['users']:
        applies_to_user = False
if not (matched_resources and applies_to_user):

@auto-comment

auto-comment bot commented Nov 8, 2019

Thank you for opening an issue. Our team's interrupts engineer will review your issue shortly.

Issue Resolution:

  • [Interrupts Engineer] Triage / apply categorization labels
  • [Interrupts Engineer] Verify / Reproduce the reported issue
  • [Forseti Engineer] Perform root cause analysis
  • [Forseti Engineer] Add tasks and next steps to resolve this issue.

@kevensen kevensen added found-in-2.23 Issues reported in 2.23 release. module: scanner priority: p2 Important feature defect, moderate live issue triaged: yes labels Nov 8, 2019
@kevensen
Contributor Author

kevensen commented Nov 11, 2019

  • Fix logic

@dekuhn dekuhn added the Interrupts: Follow-up Needed Issues to triage or need followup by engineering assigned to interrupts. label Nov 11, 2019
@red2k18
Contributor

red2k18 commented Nov 27, 2019

@kevensen Thanks for submitting a PR to fix this issue! Please address the comments on the PR when you get a chance so this can be closed.

@gkowalski-google
Collaborator

@kevensen Can you confirm the PR linked will resolve this issue? If so, we can get it over the finish line.

@gkowalski-google gkowalski-google removed the Interrupts: Follow-up Needed Issues to triage or need followup by engineering assigned to interrupts. label Feb 6, 2020
@gkowalski-google gkowalski-google removed this from the Forseti Sprint 2020.03.30 milestone Mar 17, 2020