# dns

## Sample rules

A few rules that use objects from this package:

### non_car_cloud_dns_ensure_rsasha1_disabled
```python
from typing import Any, Dict, List, Optional

from cloudrail.knowledge.context.gcp.gcp_environment_context import GcpEnvironmentContext
from cloudrail.knowledge.context.gcp.resources.dns.gcp_dns_managed_zone import (
    GcpDnsManagedZone, DnsDefKeyAlgorithm, GcpDnsManagedZoneDnsSecCfgDefKeySpecs)
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.gcp.gcp_base_rule import GcpBaseRule
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class CloudDnsNoRsasha1UsedRule(GcpBaseRule):

    def get_id(self) -> str:
        return 'non_car_cloud_dns_ensure_rsasha1_disabled'

    def execute(self, env_context: GcpEnvironmentContext, parameters: Dict[ParameterType, Any]) -> List[Issue]:
        issues: List[Issue] = []
        for cloud_dns in env_context.dns_managed_zones:
            # One issue per zone, listing every default key spec that still uses rsasha1
            if affected_dns_keys := self._get_affected_keys(cloud_dns):
                issues.append(
                    Issue(
                        f"The {cloud_dns.get_type()} `{cloud_dns.get_friendly_name()}` has rsasha1 enabled for key(s) "
                        f"{', '.join(key.key_type.value for key in affected_dns_keys)}",
                        cloud_dns,
                        cloud_dns))
        return issues

    def should_run_rule(self, environment_context: GcpEnvironmentContext) -> bool:
        return bool(environment_context.dns_managed_zones)

    @staticmethod
    def _get_affected_keys(cloud_dns: GcpDnsManagedZone) -> Optional[List[GcpDnsManagedZoneDnsSecCfgDefKeySpecs]]:
        # Only zones whose DNSSEC state is 'on' are inspected; 'off' and 'transfer' are skipped
        if cloud_dns.dnssec_config and cloud_dns.dnssec_config.state == 'on':
            return [default_key for default_key in cloud_dns.dnssec_config.default_key_specs
                    if default_key.algorithm == DnsDefKeyAlgorithm.RSASHA1]
        return None
```
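The same decision applied to a constructed Terraform plan fragment, as an added example that is not code from this page or from Cloudrail: the dataclasses are local stand-ins for the page's types, `parse_zones`, `rsasha1_keys` and `find_issues` are names chosen here, and the plan-JSON walk assumes Terraform's layout in which nested blocks such as `dnssec_config` are rendered as lists.

```python
import json
from dataclasses import dataclass, field
from typing import List, Optional

RSASHA1 = 'rsasha1'  # the DnsDefKeyAlgorithm value the rule flags

@dataclass
class DefKeySpecs:          # stand-in for GcpDnsManagedZoneDnsSecCfgDefKeySpecs
    algorithm: str          # ecdsap256sha256, ecdsap384sha384, rsasha1, rsasha256, rsasha512
    key_type: str           # keySigning (KSK) or zoneSigning (ZSK)

@dataclass
class ManagedZone:          # stand-in for GcpDnsManagedZone with its DnsSecCfg flattened in
    name: str
    dnssec_state: Optional[str]          # None when no dnssec_config block; off / on / transfer
    default_key_specs: List[DefKeySpecs] = field(default_factory=list)

def parse_zones(plan_json: str) -> List[ManagedZone]:
    """Build zones from planned_values; nested blocks appear as lists in plan JSON (assumption)."""
    zones = []
    for res in json.loads(plan_json)['planned_values']['root_module']['resources']:
        if res['type'] != 'google_dns_managed_zone':
            continue
        zone = ManagedZone(res['values']['name'], None)
        for cfg in res['values'].get('dnssec_config') or []:
            zone.dnssec_state = cfg.get('state', 'off')
            zone.default_key_specs = [DefKeySpecs(k['algorithm'], k['key_type'])
                                      for k in cfg.get('default_key_specs') or []]
        zones.append(zone)
    return zones

def rsasha1_keys(zone: ManagedZone) -> List[DefKeySpecs]:
    """Same decision as the rule: only zones with DNSSEC 'on' are inspected."""
    if zone.dnssec_state == 'on':
        return [k for k in zone.default_key_specs if k.algorithm == RSASHA1]
    return []

def find_issues(plan_json: str) -> List[str]:
    return [f"{z.name}: rsasha1 enabled for {', '.join(k.key_type for k in rsasha1_keys(z))}"
            for z in parse_zones(plan_json) if rsasha1_keys(z)]

# Constructed plan: 'weak' has DNSSEC on with an rsasha1 KSK; 'legacy' lists rsasha1 but DNSSEC is off
SAMPLE_PLAN = json.dumps({'planned_values': {'root_module': {'resources': [
    {'type': 'google_dns_managed_zone', 'name': 'weak', 'values': {'name': 'weak', 'dnssec_config': [
        {'state': 'on', 'default_key_specs': [{'algorithm': 'rsasha1', 'key_type': 'keySigning'},
                                              {'algorithm': 'rsasha256', 'key_type': 'zoneSigning'}]}]}},
    {'type': 'google_dns_managed_zone', 'name': 'legacy', 'values': {'name': 'legacy', 'dnssec_config': [
        {'state': 'off', 'default_key_specs': [{'algorithm': 'rsasha1', 'key_type': 'zoneSigning'}]}]}},
]}}})
```

`find_issues(SAMPLE_PLAN)` reports only the `weak` zone; the `legacy` zone is ignored because its DNSSEC state is not `on`, exactly as `_get_affected_keys` above behaves.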
### DnsDefKeyAlgorithm (str, Enum)

An enumeration.

### DnsDefKeyType (str, Enum)

An enumeration.
### GcpDnsManagedZone (GcpResource)

Attributes:

Name | Type | Description |
---|---|---|
name | str | (Required) User assigned name for this resource. Must be unique within the project. |
dns_name | str | (Required) The DNS name of this managed zone. |
description | Optional[str] | (Optional) A textual description field. |
dnssec_config | Optional[GcpDnsManagedZoneDnsSecCfg] | (Optional) DNSSEC configuration parameters. |

Methods:

- `custom_invalidation(self)` (inherited): a list of manual reasons why this resource should be invalidated.
- `exclude_from_invalidation(self)` (inherited): a list of attributes that should be excluded from the invalidation process.
### GcpDnsManagedZoneDnsSecCfg (dataclass)

Attributes:

Name | Type | Description |
---|---|---|
kind | str | (Optional) Identifies the kind of resource. |
non_existence | Optional[str] | (Optional) Specifies the mechanism used to provide authenticated denial-of-existence responses. Possible values are nsec and nsec3. |
state | str | (Optional) Specifies whether DNSSEC is enabled, and what mode it is in. Possible values are off, on, and transfer. |
default_key_specs | List[cloudrail.knowledge.context.gcp.resources.dns.gcp_dns_managed_zone.GcpDnsManagedZoneDnsSecCfgDefKeySpecs] | (Optional) Specifies parameters that will be used for generating initial DnsKeys for this ManagedZone. |
### GcpDnsManagedZoneDnsSecCfgDefKeySpecs (dataclass)

Attributes:

Name | Type | Description |
---|---|---|
algorithm | DnsDefKeyAlgorithm | (Optional) String mnemonic specifying the DNSSEC algorithm of this key. Possible values are ecdsap256sha256, ecdsap384sha384, rsasha1, rsasha256, and rsasha512. |
key_length | int | (Optional) Length of the keys in bits. |
key_type | DnsDefKeyType | (Optional) Specifies whether this is a key signing key (KSK) or a zone signing key (ZSK). |
kind | str | (Optional) Identifies the kind of resource. |