def test_unique_api_calls(self):
    """Requirements shared by several plugins collapse to one call per API.

    Both mocked plugins ask for ``cloudfront.list_distributions`` and
    ``ec2.describe_instances``; the aggregated table must hold each call
    once per service, plus the call only the second plugin requests.
    """
    first_plugin = MagicMock()
    first_plugin.requirements = {
        'distributions': ['aws', 'cloudfront', 'list_distributions'],
        'instances': ['aws', 'ec2', 'describe_instances'],
    }

    second_plugin = MagicMock()
    second_plugin.requirements = {
        'distributions': ['aws', 'cloudfront', 'list_distributions'],
        'other_distributions': ['aws', 'cloudfront', 'other_distributions'],
        'instances': ['aws', 'ec2', 'describe_instances'],
    }

    oil = Oil()
    # Both plugins are registered under cloudfront; their ec2 requirement is
    # still expected to surface in the aggregated call table.
    oil.plugins = {
        'aws': {
            'cloudfront': {
                'plugin_1': first_plugin,
                'plugin_2': second_plugin,
            },
        },
    }

    calls = oil._unique_api_calls()

    self.assertEqual(
        calls['aws']['cloudfront'],
        {'list_distributions', 'other_distributions'},
    )
    self.assertEqual(calls['aws']['ec2'], {'describe_instances'})
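def test_oil_can_scan_for_password_rotation_with_config(self):
    """Scanning with a custom password-rotation config still yields findings.

    Only the presence of results is asserted, not their severity or message
    text, so this guards the config plumbing rather than the thresholds.
    """
    plugin_config = {
        'password_rotation_severity_2_threshold': 180,
        'password_rotation_severity_1_threshold': 90,
        'password_rotation_severity_2_message': (
            '{days} days since last rotation for {username} '
        ),
        'password_rotation_severity_1_message': (
            '{days} days since last rotation for {username}'
        ),
        # The original literal listed this key twice; a dict keeps only the
        # last value, so the earlier '{username} is not violating password
        # rotation best practices' entry was silently discarded.
        # NOTE(review): 'No password for this user' reads like a message for
        # a separate no-password case — confirm the key the plugin expects
        # before restoring the severity-0 message.
        'password_rotation_severity_0_message': 'No password for this user',
    }

    oil = Oil()
    oil.register_barrel(IAMBarrel)
    oil.register_plugin(UserPasswordRotationPlugin, plugin_config)

    scan = oil.scan()
    # Chained .get with empty defaults: a missing level fails the assertion
    # rather than raising KeyError.
    findings = scan.get('aws', {}).get('iam', {}).get('user_password_rotation', [])
    self.assertNotEqual(findings, [])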
def test_collect_api_data_organizes_data_correctly(self, get_barrel_mock):
    """A tapped barrel's per-region payload lands under provider/service/region/call.

    ``get_barrel_mock`` is presumably injected by a patch decorator not
    visible here; it is wired to return a barrel whose ``tap`` yields a
    single empty region.
    """
    fake_barrel = MagicMock()
    fake_barrel.tap.return_value = {'any_region': []}
    get_barrel_mock.return_value = fake_barrel

    oil = Oil()
    oil._collect_api_data('aws', 'cloudfront', 'list_distributions')

    expected = {
        'aws': {
            'cloudfront': {
                'any_region': {
                    'list_distributions': [],
                },
            },
        },
    }
    self.assertEqual(oil.cached_api_data, expected)
def test_oil_can_scan_for_access_key_usage(self):
    """An IAM scan with the access-key-usage plugin registered reports findings.

    Only non-emptiness is checked; the barrel is not mocked here, so the
    data source is whatever IAMBarrel taps — presumably a real account.
    """
    oil = Oil()
    oil.register_barrel(IAMBarrel)
    oil.register_plugin(AccessKeyUsagePlugin)

    scan = oil.scan()
    findings = scan.get('aws', {}).get('iam', {}).get('access_key_usage', [])
    self.assertNotEqual(findings, [])
def test_oil_can_scan_for_password_rotation_date_for_user(self):
    """Default-config password-rotation scan produces at least one result."""
    oil = Oil()
    oil.register_barrel(IAMBarrel)
    oil.register_plugin(UserPasswordRotationPlugin)

    scan = oil.scan()
    # Empty defaults at every level: a missing key fails the assertion
    # instead of raising KeyError.
    findings = scan.get('aws', {}).get('iam', {}).get('user_password_rotation', [])
    self.assertNotEqual(findings, [])
def test_oil_can_scan_for_high_threat_ports_on_instances(self):
    """EC2 scan with the high-threat-port plugin yields findings.

    The assertion does not inspect which ports or severities were reported.
    """
    oil = Oil()
    oil.register_barrel(EC2Barrel)
    oil.register_plugin(InstanceHighThreatPortPlugin)

    scan = oil.scan()
    findings = scan.get('aws', {}).get('ec2', {}).get('instance_high_threat_port', [])
    self.assertNotEqual(findings, [])
def test_oil_can_scan_for_https_usage(self):
    """CloudFront scan with the HTTPS plugin yields findings."""
    oil = Oil()
    oil.register_barrel(CloudFrontBarrel)
    oil.register_plugin(HTTPSPlugin)

    scan = oil.scan()
    findings = scan.get('aws', {}).get('cloudfront', {}).get('https', [])
    self.assertNotEqual(findings, [])
def test_oil_can_scan_for_name_tag_compliance(self):
    """EC2 scan with the instance Name-tag plugin yields findings."""
    oil = Oil()
    oil.register_barrel(EC2Barrel)
    oil.register_plugin(InstanceNameTagPlugin)

    scan = oil.scan()
    findings = scan.get('aws', {}).get('ec2', {}).get('instance_name_tag', [])
    self.assertNotEqual(findings, [])
def test_oil_can_scan_for_public_ip_on_instances(self):
    """EC2 scan with the public-IP plugin yields findings."""
    oil = Oil()
    oil.register_barrel(EC2Barrel)
    oil.register_plugin(PublicIpPlugin)

    scan = oil.scan()
    findings = scan.get('aws', {}).get('ec2', {}).get('public_ip', [])
    self.assertNotEqual(findings, [])
def test_oil_can_scan_for_rds_public_db_instances(self):
    """RDS scan with the public-DB-instances plugin yields findings."""
    oil = Oil()
    oil.register_barrel(RDSBarrel)
    oil.register_plugin(PublicDBInstancesPlugin)

    scan = oil.scan()
    findings = scan.get('aws', {}).get('rds', {}).get('public_db_instances', [])
    self.assertNotEqual(findings, [])
def test_oil_can_scan_for_active_mfa_device_for_user(self):
    """IAM scan with the user-MFA plugin (default config) yields findings."""
    oil = Oil()
    oil.register_barrel(IAMBarrel)
    oil.register_plugin(UserMFAPlugin)

    scan = oil.scan()
    findings = scan.get('aws', {}).get('iam', {}).get('user_mfa', [])
    self.assertNotEqual(findings, [])
def test_oil_can_scan_for_s3_origin_access_identity(self):
    """CloudFront scan with the S3 origin-access-identity plugin yields findings."""
    oil = Oil()
    oil.register_barrel(CloudFrontBarrel)
    oil.register_plugin(S3OriginAccessIdentityPlugin)

    scan = oil.scan()
    findings = (
        scan.get('aws', {})
        .get('cloudfront', {})
        .get('s3_origin_access_identity', [])
    )
    self.assertNotEqual(findings, [])
def test_oil_can_scan_for_access_key_usage_with_custom_config(self):
    """Custom last-used thresholds are accepted and the scan still reports.

    Only non-emptiness is asserted; the thresholds themselves are not
    checked against the severities produced.
    """
    plugin_config = {
        'access_key_last_used_severity_two_threshold': 90,
        'access_key_last_used_severity_one_threshold': 60,
    }

    oil = Oil()
    oil.register_barrel(IAMBarrel)
    oil.register_plugin(AccessKeyUsagePlugin, plugin_config)

    scan = oil.scan()
    findings = scan.get('aws', {}).get('iam', {}).get('access_key_usage', [])
    self.assertNotEqual(findings, [])
def test_oil_can_scan_for_total_users_with_config(self):
    """Custom total-user thresholds and messages are accepted by the plugin."""
    plugin_config = {
        'total_users_severity_2_threshold': 50,
        'total_users_severity_1_threshold': 20,
        'total_users_severity_2_message': 'Total users: {total_users}',
        'total_users_severity_1_message': 'Total users: {total_users}',
        'total_users_severity_0_message': 'Total users: {total_users}',
        'no_users_message': 'No users in this AWS account',
    }

    oil = Oil()
    oil.register_barrel(IAMBarrel)
    oil.register_plugin(TotalUsersPlugin, plugin_config)

    scan = oil.scan()
    findings = scan.get('aws', {}).get('iam', {}).get('total_users', [])
    self.assertNotEqual(findings, [])
def test_oil_can_scan_for_active_mfa_device_with_config(self):
    """Custom MFA messages and severity levels are accepted by the plugin.

    Both the root-user and regular-user variants are overridden; the scan
    is only required to produce a non-empty result.
    """
    plugin_config = {
        'root_user_enabled_message': 'Enabled: {username}',
        'root_user_not_enabled_message': 'Not Enabled: {username}',
        'root_user_not_enabled_severity_level': 1,
        'enabled_message': 'Enabled: {username}',
        'not_enabled_message': 'Not Enabled: {username}',
        'not_enabled_severity_level': 1,
    }

    oil = Oil()
    oil.register_barrel(IAMBarrel)
    oil.register_plugin(UserMFAPlugin, plugin_config)

    scan = oil.scan()
    findings = scan.get('aws', {}).get('iam', {}).get('user_mfa', [])
    self.assertNotEqual(findings, [])
def test_oil_can_scan_for_total_users(self):
    """A top-level Oil config naming the plugin still lets the scan report.

    Unlike the other scan tests, the plugin is listed in the constructor
    config rather than given a per-plugin config at registration.
    """
    oil_config = {
        'aws': {
            'iam': {
                'plugins': [
                    {'name': 'total_users'},
                ],
            },
        },
    }

    oil = Oil(oil_config)
    oil.register_barrel(IAMBarrel)
    oil.register_plugin(TotalUsersPlugin)

    scan = oil.scan()
    findings = scan.get('aws', {}).get('iam', {}).get('total_users', [])
    self.assertNotEqual(findings, [])
def test_oil_throws_error_with_bad_kwargs(self):
    """An unrecognised constructor keyword is rejected with RuntimeError."""
    self.assertRaises(RuntimeError, Oil, bad_arg='my_bad_arg')
def test_validate_kwargs_throws_error_with_bad_kwargs(self):
    """_validate_kwargs rejects an unknown keyword on an already-built instance."""
    oil = Oil()
    self.assertRaises(RuntimeError, oil._validate_kwargs, bad_arg='my_bad_arg')