-
Notifications
You must be signed in to change notification settings - Fork 176
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ASK-833
GSuite.Drive.ExternalFileShare sender-receiver pairs in EXC…
…EPTION_PATTERN (#1394) Co-authored-by: Ariel Ropek <[email protected]>
- Loading branch information
1 parent
09d2d70
commit 69caf97
Showing
2 changed files
with
93 additions
and
20 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,9 +5,8 @@ | |
| COMPANY_DOMAIN = "your-company-name.com" | ||
| EXCEPTION_PATTERNS = { | ||
| # The glob pattern for the document title (lowercased) | ||
| "document title p*": { | ||
| # All actors allowed to receive the file share | ||
| "allowed_for": { | ||
| "1 document title p*": { # allow any title "all" | ||
| "allowed_to_send": { | ||
| "[email protected]", | ||
| "[email protected]", | ||
| "[email protected]", | ||
|
|
@@ -17,6 +16,26 @@ | |
| # Allow any user in a specific domain | ||
| # "*@acme.com" | ||
| }, | ||
| "allowed_to_receive": { | ||
| "[email protected]", | ||
| "[email protected]", | ||
| "[email protected]", | ||
| "[email protected]", | ||
| # Allow any user | ||
| # "all" | ||
| # Allow any user in a specific domain | ||
| # "*@acme.com" | ||
| }, | ||
| # The time limit for how long the file share stays valid | ||
| "allowed_until": datetime.datetime(year=2030, month=6, day=2), | ||
| }, | ||
| "2 document title p*": { | ||
| "allowed_to_send": { | ||
| "[email protected]", | ||
| }, | ||
| "allowed_to_receive": { | ||
| "*@acme.com", | ||
| }, | ||
| # The time limit for how long the file share stays valid | ||
| "allowed_until": datetime.datetime(year=2030, month=6, day=2), | ||
| }, | ||
|
|
@@ -32,7 +51,7 @@ def _check_acl_change_event(actor_email, acl_change_event): | |
| doc_title = parameters.get("doc_title", "TITLE_UNKNOWN") | ||
| old_visibility = parameters.get("old_visibility", "OLD_VISIBILITY_UNKNOWN") | ||
| new_visibility = parameters.get("visibility", "NEW_VISIBILITY_UNKNOWN") | ||
| target_user = parameters.get("target_user", "USER_UNKNOWN") | ||
| target_user = parameters.get("target_user") or parameters.get("target_domain") or "USER_UNKNOWN" | ||
| current_time = datetime.datetime.now() | ||
|
|
||
| if ( | ||
|
|
@@ -41,24 +60,32 @@ def _check_acl_change_event(actor_email, acl_change_event): | |
| and not target_user.endswith(f"@{COMPANY_DOMAIN}") | ||
| ): | ||
| # This is a dangerous share, check exceptions: | ||
|
|
||
| for pattern, details in EXCEPTION_PATTERNS.items(): | ||
| doc_title_match = pattern_match(doc_title.lower(), pattern) | ||
| allowed_for_match = pattern_match_list(actor_email, details.get("allowed_for")) | ||
| allowed_for_all_match = details.get("allowed_for") == {"all"} | ||
| proper_title = pattern_match(doc_title.lower(), pattern) or pattern == "all" | ||
|
|
||
| proper_sender = pattern_match_list( | ||
| actor_email, details.get("allowed_to_send") | ||
| ) or details.get("allowed_to_send") == {"all"} | ||
|
|
||
| proper_receiver = pattern_match_list( | ||
| target_user, details.get("allowed_to_receive") | ||
| ) or details.get("allowed_to_receive") == {"all"} | ||
|
|
||
| if ( | ||
| doc_title_match | ||
| and (allowed_for_match or allowed_for_all_match) | ||
| proper_title | ||
| and proper_sender | ||
| and proper_receiver | ||
| and current_time < details.get("allowed_until") | ||
| ): | ||
| return False | ||
| # No exceptions match. | ||
| # Return the event summary (which is True) to alert & use in title. | ||
| return { | ||
| "actor": actor_email, | ||
| "doc_title": doc_title, | ||
| "target_user": target_user, | ||
| } | ||
| # No exceptions match. | ||
| # Return the event summary (which is True) to alert & use in title. | ||
| return { | ||
| "actor": actor_email, | ||
| "doc_title": doc_title, | ||
| "target_user": target_user, | ||
| } | ||
| return False | ||
|
|
||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -48,7 +48,7 @@ Tests: | |
| { "name": "old_visibility", "value": "private" }, | ||
| { "name": "doc_id", "value": "1111111111111111111" }, | ||
| { "name": "doc_type", "value": "document" }, | ||
| { "name": "doc_title", "value": "Document Title Primary" }, | ||
| { "name": "doc_title", "value": "1 Document Title Primary" }, | ||
| { "name": "visibility", "value": "shared_externally" }, | ||
| { | ||
| "name": "originating_app_id", | ||
|
|
@@ -86,7 +86,7 @@ Tests: | |
| [ | ||
| { "name": "primary_event", "boolValue": true }, | ||
| { "name": "visibility_change", "value": "external" }, | ||
| { "name": "target_user", "value": "alice@external.com" }, | ||
| { "name": "target_domain", "value": "external.com" }, | ||
| { "name": "old_visibility", "value": "private" }, | ||
| { "name": "doc_id", "value": "1111111111111111111" }, | ||
| { "name": "doc_type", "value": "document" }, | ||
|
|
@@ -129,11 +129,11 @@ Tests: | |
| { "name": "primary_event", "boolValue": true }, | ||
| { "name": "billable", "boolValue": true }, | ||
| { "name": "visibility_change", "value": "external" }, | ||
| { "name": "target_domain", "value": "acme.com" }, | ||
| { "name": "target_user", "value": "samuel@abc.com" }, | ||
| { "name": "old_visibility", "value": "private" }, | ||
| { "name": "doc_id", "value": "1111111111111111111" }, | ||
| { "name": "doc_type", "value": "document" }, | ||
| { "name": "doc_title", "value": "Document Title Pattern" }, | ||
| { "name": "doc_title", "value": "1 Document Title Pattern" }, | ||
| { "name": "visibility", "value": "shared_externally" }, | ||
| { | ||
| "name": "originating_app_id", | ||
|
|
@@ -150,3 +150,49 @@ Tests: | |
| }, | ||
| ], | ||
| } | ||
| - Name: Share Allowed by Exception - 2 | ||
| LogType: GSuite.Reports | ||
| ExpectedResult: false | ||
| Log: | ||
| { | ||
| "kind": "admin#reports#activity", | ||
| "id": | ||
| { | ||
| "time": "2020-07-07T15:50:49.617Z", | ||
| "uniqueQualifier": "1111111111111111111", | ||
| "applicationName": "drive", | ||
| "customerId": "C010qxghg", | ||
| }, | ||
| "actor": | ||
| { "email": "[email protected]", "profileId": "1111111111111111111" }, | ||
| "events": | ||
| [ | ||
| { | ||
| "type": "acl_change", | ||
| "name": "change_user_access", | ||
| "parameters": | ||
| [ | ||
| { "name": "primary_event", "boolValue": true }, | ||
| { "name": "billable", "boolValue": true }, | ||
| { "name": "visibility_change", "value": "external" }, | ||
| { "name": "target_user", "value": "[email protected]" }, | ||
| { "name": "old_visibility", "value": "private" }, | ||
| { "name": "doc_id", "value": "1111111111111111111" }, | ||
| { "name": "doc_type", "value": "document" }, | ||
| { "name": "doc_title", "value": "2 Document Title Pattern" }, | ||
| { "name": "visibility", "value": "shared_externally" }, | ||
| { | ||
| "name": "originating_app_id", | ||
| "value": "1111111111111111111", | ||
| }, | ||
| { "name": "owner_is_shared_drive", "boolValue": false }, | ||
| { "name": "owner_is_team_drive", "boolValue": false }, | ||
| { "name": "old_value", "multiValue": [ "none" ] }, | ||
| { | ||
| "name": "new_value", | ||
| "multiValue": [ "people_within_domain_with_link" ], | ||
| }, | ||
| ], | ||
| }, | ||
| ], | ||
| } | ||