def __init__(self, accounts=None, alert_accounts=None, debug=False):
self.account_watchers = {}
self.account_alerters = {}
if not alert_accounts:
alert_accounts = accounts
for account in accounts:
self.account_watchers[account] = [
(SQS(accounts=[account], debug=debug), None),
(ELB(accounts=[account], debug=debug), None),
(IAMSSL(accounts=[account], debug=debug), None),
(RDSSecurityGroup(accounts=[account], debug=debug),
RDSSecurityGroupAuditor(accounts=[account], debug=debug)),
(SecurityGroup(accounts=[account], debug=debug),
SecurityGroupAuditor(accounts=[account], debug=debug)),
(S3(accounts=[account],
debug=debug), S3Auditor(accounts=[account], debug=debug)),
(IAMUser(accounts=[account], debug=debug),
IAMUserAuditor(accounts=[account], debug=debug)),
(IAMGroup(accounts=[account], debug=debug), None),
(IAMRole(accounts=[account], debug=debug), None),
(Keypair(accounts=[account], debug=debug), None),
(SNS(accounts=[account],
debug=debug), SNSAuditor(accounts=[account], debug=debug))
]
if account in alert_accounts:
self.account_alerters[account] = Alerter(
watchers_auditors=self.account_watchers[account],
account=account)
def test_1_s3_slurp(self, test_patch):
"""Should add an exception when ???"""
class Grant(object):
display_name = 'test_acl'
permission = 'READ'
class ACL(object):
def __init__(self):
self.grants = [Grant(), Grant(), Grant()]
class intraACL(object):
acl = ACL()
def to_xml(self):
return ''
class Bucket(object):
name = 'test_bucket_name'
def get_location(self):
return None
def get_acl(self):
return intraACL()
def get_policy(self):
return '{ "fake": "policy" }'
def get_versioning_status(self):
return ""
class MockS3(object):
def get_bucket(self, blah):
return Bucket()
def get_all_buckets(self):
return [Bucket(), Bucket()]
def close(self):
pass
from security_monkey.watchers.s3 import S3
test_patch.return_value = MockS3()
accounts = ['testaccount']
cw = S3(accounts=accounts, debug=True)
(items, el) = cw.slurp()
for item in items:
print "Item: {} - {}".format(item.name, item.new_config)
self.assertEqual(len(items), 2)
self.assertEqual(len(el), 0)
def test_0_s3_slurp(self, test_patch):
"""Slurp should add an exception to the exceptions map when
slurping accounts that don't exist."""
from security_monkey.watchers.s3 import S3
import boto.s3
test_patch.return_value = None
accounts = ['doesntexit1', 'doesntexist2']
cw = S3(accounts=accounts, debug=True)
(items, el) = cw.slurp()
for account in accounts:
self.assertIn(('s3', account), el)
def test_slurp(self):
"""
Tests whether the watcher finds the three created buckets.
:return:
"""
mock_sts().start()
s3_watcher = S3(accounts=[self.account.name])
item_list, exception_map = s3_watcher.slurp()
assert len(item_list) == 3 # We created 3 buckets
def test_watcher_exceptions(self):
"""
Tests that if exceptions are encountered, the watcher continues.
Unfortunately -- moto lacks all of the S3 methods that we need. So this is just a
test to ensure that exception handling works OK.
:return:
"""
mock_sts().start()
s3_watcher = S3(accounts=[self.account.name])
s3_watcher.slurp()
assert len(ExceptionLogs.query.all()) == 3 # We created 3 buckets
mock_s3().stop()
mock_sts().stop()
def find_s3_changes(accounts):
""" Runs watchers/s3"""
accounts = __prep_accounts__(accounts)
cw = S3(accounts=accounts, debug=True)
(items, exception_map) = cw.slurp()
cw.find_changes(current=items, exception_map=exception_map)
# Audit these changed items
items_to_audit = []
for item in cw.created_items + cw.changed_items:
s3_item = S3Item(region=item.region, account=item.account, name=item.name, config=item.new_config)
items_to_audit.append(s3_item)
au = S3Auditor(accounts=accounts, debug=True)
au.audit_these_objects(items_to_audit)
au.save_issues()
cw.save()
db.session.close()