Ejemplo n.º 1
0
    def test_unique_api_calls(self):
        oil = Oil()
        plugin_mock_1 = MagicMock()
        plugin_mock_1.requirements = {
            'distributions': ['aws', 'cloudfront', 'list_distributions'],
            'instances': ['aws', 'ec2', 'describe_instances'],
        }

        plugin_mock_2 = MagicMock()
        plugin_mock_2.requirements = {
            'distributions': ['aws', 'cloudfront', 'list_distributions'],
            'other_distributions': ['aws', 'cloudfront', 'other_distributions'],
            'instances': ['aws', 'ec2', 'describe_instances'],
        }

        oil.plugins = {
            'aws': {
                'cloudfront': {
                    'plugin_1': plugin_mock_1,
                    'plugin_2': plugin_mock_2,
                }
            }
        }

        calls = oil._unique_api_calls()
        self.assertEqual(
            calls['aws']['cloudfront'],
            set(['list_distributions', 'other_distributions'])
        )
        self.assertEqual(
            calls['aws']['ec2'],
            set(['describe_instances'])
        )
Ejemplo n.º 2
0
    def test_oil_can_scan_for_password_rotation_with_config(self):
        plugin_config = {
            'password_rotation_severity_2_threshold':
            180,
            'password_rotation_severity_1_threshold':
            90,
            'password_rotation_severity_2_message':
            ('{days} days since last rotation for {username} '),
            'password_rotation_severity_1_message':
            ('{days} days since last rotation for {username}'),
            'password_rotation_severity_0_message':
            ('{username} is not violating password rotation '
             'best practices'),
            'password_rotation_severity_0_message':
            ('No password for this user'),
        }
        oil = Oil()
        oil.register_barrel(IAMBarrel)
        oil.register_plugin(UserPasswordRotationPlugin, plugin_config)
        results = oil.scan()

        aws_results = results.get('aws', {})
        iam_results = aws_results.get('iam', {})
        plugin_results = iam_results.get('user_password_rotation', [])

        self.assertNotEqual(plugin_results, [])
Ejemplo n.º 3
0
    def test_collect_api_data_organizes_data_correctly(self, get_barrel_mock):
        barrel_mock = MagicMock()
        barrel_mock.tap.return_value = {
            'any_region': []
        }
        get_barrel_mock.return_value = barrel_mock

        expected = {
            'aws': {
                'cloudfront': {
                    'any_region': {
                        'list_distributions': []
                    }
                }
            }
        }

        oil = Oil()
        oil._collect_api_data('aws', 'cloudfront', 'list_distributions')
        self.assertEqual(oil.cached_api_data, expected)
Ejemplo n.º 4
0
    def test_oil_can_scan_for_access_key_usage(self):
        oil = Oil()
        oil.register_barrel(IAMBarrel)
        oil.register_plugin(AccessKeyUsagePlugin)
        results = oil.scan()

        aws_results = results.get('aws', {})
        iam_results = aws_results.get('iam', {})
        plugin_results = iam_results.get('access_key_usage', [])

        self.assertNotEqual(plugin_results, [])
Ejemplo n.º 5
0
    def test_oil_can_scan_for_password_rotation_date_for_user(self):
        oil = Oil()
        oil.register_barrel(IAMBarrel)
        oil.register_plugin(UserPasswordRotationPlugin)
        results = oil.scan()

        aws_results = results.get('aws', {})
        iam_results = aws_results.get('iam', {})
        plugin_results = iam_results.get('user_password_rotation', [])

        self.assertNotEqual(plugin_results, [])
Ejemplo n.º 6
0
    def test_oil_can_scan_for_high_threat_ports_on_instances(self):
        oil = Oil()
        oil.register_barrel(EC2Barrel)
        oil.register_plugin(InstanceHighThreatPortPlugin)
        results = oil.scan()

        aws_results = results.get('aws', {})
        ec2_results = aws_results.get('ec2', {})
        plugin_results = ec2_results.get('instance_high_threat_port', [])

        self.assertNotEqual(plugin_results, [])
Ejemplo n.º 7
0
    def test_oil_can_scan_for_https_usage(self):
        oil = Oil()
        oil.register_barrel(CloudFrontBarrel)
        oil.register_plugin(HTTPSPlugin)
        results = oil.scan()

        aws_results = results.get('aws', {})
        cloudfront_results = aws_results.get('cloudfront', {})
        plugin_results = cloudfront_results.get('https', [])

        self.assertNotEqual(plugin_results, [])
Ejemplo n.º 8
0
    def test_oil_can_scan_for_name_tag_compliance(self):
        oil = Oil()
        oil.register_barrel(EC2Barrel)
        oil.register_plugin(InstanceNameTagPlugin)
        results = oil.scan()

        aws_results = results.get('aws', {})
        ec2_results = aws_results.get('ec2', {})
        plugin_results = ec2_results.get('instance_name_tag', [])

        self.assertNotEqual(plugin_results, [])
Ejemplo n.º 9
0
    def test_oil_can_scan_for_public_ip_on_instances(self):
        oil = Oil()
        oil.register_barrel(EC2Barrel)
        oil.register_plugin(PublicIpPlugin)
        results = oil.scan()

        aws_results = results.get('aws', {})
        ec2_results = aws_results.get('ec2', {})
        plugin_results = ec2_results.get('public_ip', [])

        self.assertNotEqual(plugin_results, [])
Ejemplo n.º 10
0
    def test_oil_can_scan_for_rds_public_db_instances(self):
        oil = Oil()
        oil.register_barrel(RDSBarrel)
        oil.register_plugin(PublicDBInstancesPlugin)
        results = oil.scan()

        aws_results = results.get('aws', {})
        rds_results = aws_results.get('rds', {})
        plugin_results = rds_results.get('public_db_instances', [])

        self.assertNotEqual(plugin_results, [])
Ejemplo n.º 11
0
    def test_oil_can_scan_for_active_mfa_device_for_user(self):
        oil = Oil()
        oil.register_barrel(IAMBarrel)
        oil.register_plugin(UserMFAPlugin)
        results = oil.scan()

        aws_results = results.get('aws', {})
        iam_results = aws_results.get('iam', {})
        plugin_results = iam_results.get('user_mfa', [])

        self.assertNotEqual(plugin_results, [])
Ejemplo n.º 12
0
    def test_oil_can_scan_for_s3_origin_access_identity(self):
        oil = Oil()
        oil.register_barrel(CloudFrontBarrel)
        oil.register_plugin(S3OriginAccessIdentityPlugin)
        results = oil.scan()

        aws_results = results.get('aws', {})
        cloudfront_results = aws_results.get('cloudfront', {})
        plugin_results = cloudfront_results.get('s3_origin_access_identity',
                                                [])

        self.assertNotEqual(plugin_results, [])
Ejemplo n.º 13
0
    def test_oil_can_scan_for_access_key_usage_with_custom_config(self):
        plugin_config = {
            'access_key_last_used_severity_two_threshold': 90,
            'access_key_last_used_severity_one_threshold': 60,
        }

        oil = Oil()
        oil.register_barrel(IAMBarrel)
        oil.register_plugin(AccessKeyUsagePlugin, plugin_config)
        results = oil.scan()

        aws_results = results.get('aws', {})
        iam_results = aws_results.get('iam', {})
        plugin_results = iam_results.get('access_key_usage', [])

        self.assertNotEqual(plugin_results, [])
Ejemplo n.º 14
0
    def test_oil_can_scan_for_total_users_with_config(self):
        plugin_config = {
            'total_users_severity_2_threshold': 50,
            'total_users_severity_1_threshold': 20,
            'total_users_severity_2_message': ('Total users: {total_users}'),
            'total_users_severity_1_message': ('Total users: {total_users}'),
            'total_users_severity_0_message': ('Total users: {total_users}'),
            'no_users_message': ('No users in this AWS account'),
        }

        oil = Oil()
        oil.register_barrel(IAMBarrel)
        oil.register_plugin(TotalUsersPlugin, plugin_config)
        results = oil.scan()

        aws_results = results.get('aws', {})
        iam_results = aws_results.get('iam', {})
        plugin_results = iam_results.get('total_users', [])

        self.assertNotEqual(plugin_results, [])
Ejemplo n.º 15
0
    def test_oil_can_scan_for_active_mfa_device_with_config(self):
        plugin_config = {
            'root_user_enabled_message': 'Enabled: {username}',
            'root_user_not_enabled_message': 'Not Enabled: {username}',
            'root_user_not_enabled_severity_level': 1,
            'enabled_message': 'Enabled: {username}',
            'not_enabled_message': 'Not Enabled: {username}',
            'not_enabled_severity_level': 1,
        }

        oil = Oil()
        oil.register_barrel(IAMBarrel)
        oil.register_plugin(UserMFAPlugin, plugin_config)
        results = oil.scan()

        aws_results = results.get('aws', {})
        iam_results = aws_results.get('iam', {})
        plugin_results = iam_results.get('user_mfa', [])

        self.assertNotEqual(plugin_results, [])
Ejemplo n.º 16
0
    def test_oil_can_scan_for_total_users(self):
        config = {
            'aws': {
                'iam': {
                    'plugins': [{
                        'name': 'total_users',
                    }]
                }
            }
        }

        oil = Oil(config)
        oil.register_barrel(IAMBarrel)
        oil.register_plugin(TotalUsersPlugin)
        results = oil.scan()

        aws_results = results.get('aws', {})
        iam_results = aws_results.get('iam', {})
        plugin_results = iam_results.get('total_users', [])

        self.assertNotEqual(plugin_results, [])
Ejemplo n.º 17
0
 def test_oil_throws_error_with_bad_kwargs(self):
     with self.assertRaises(RuntimeError):
         Oil(bad_arg='my_bad_arg')
Ejemplo n.º 18
0
 def test_validate_kwargs_throws_error_with_bad_kwargs(self):
     oil = Oil()
     with self.assertRaises(RuntimeError):
         oil._validate_kwargs(bad_arg='my_bad_arg')