def test_whereami_jenkins_docker(self, mock_http_get_metadata, mock_getenv): """ Tests whereami to see if it returns 'ec2' by mocking an ec2 Jenkins Docker environment Args: mock_http_get_metadata: MagicMock, returns "i-somestuff" mock_get_env: MagicMock, mocks the environment variables Returns: None Raises: AssertionError if any of the assert checks fail """ mock_http_get_metadata.return_value = "i-somestuff" def getenv_side_effect(key, default=None): if key == "JENKINS_URL": return True if key == "JENKINS_DOCKER": return True return default mock_getenv.side_effect = getenv_side_effect result = ef_utils.whereami() self.assertEquals(result, "ec2")
def load(self): """Loads the config""" whereami = ef_utils.whereami() if whereami == 'ec2': try: return self.load_from_ssm() except ClientError as e: pass return self.load_from_local_file()
def __init__(self): # service environment self._account_alias = None self._env = None # prod, staging, proto<n>, global -- the name used in AWS self._env_short = None # prod, staging, proto, global -- the generic name for matching when templating # _env_full deals with naming differences for "proto<n>" and "global.<alias>" in the service registry self._env_full = None # prod, staging, proto, global.<account_alias> -- name found in SR self._service = None # Service registry object self._service_registry = None # tool context self._aws_clients = None self._commit = None self._devel = None self._verbose = None self._whereami = whereami()
def __init__(self): # service environment self._account_alias = None self._env = None # the name used in AWS -- e.g. prod, proto<n>, mgmt self._env_short = None # the generic name -- e.g. prod, proto, mgmt self._env_full = None # name found in SR -- e.g. prod, proto, mgmt.<account_alias> self._service = None # Service registry object self._service_registry = None # tool context self._account_id = None self._aws_clients = None self._commit = None self._devel = None self._verbose = None self._whereami = whereami()
def test_whereami_unknown(self, mock_gethostname): """ Tests whereami to see if it returns 'unknown' by mocking the environment to not match anything Args: mock_gethostname: MagicMock, returns some junk value Returns: None Raises: AssertionError if any of the assert checks fail """ mock_gethostname.return_value = "not local" result = ef_utils.whereami() self.assertEquals(result, "unknown")
def test_whereami_local(self, mock_gethostname): """ Tests whereami to see if it returns 'local' by mocking a local machine environment Args: mock_gethostname: MagicMock, returns .local Returns: None Raises: AssertionError if any of the assert checks fail """ mock_gethostname.return_value = ".local" result = ef_utils.whereami() self.assertEquals(result, "local")
def test_whereami_ec2(self, mock_http_get_metadata): """ Tests whereami to see if it returns 'ec2' by mocking an ec2 environment Args: mock_http_get_metadata: MagicMock, returns "i-somestuff" Returns: None Raises: AssertionError if any of the assert checks fail """ mock_http_get_metadata.return_value = "i-somestuff" result = ef_utils.whereami() self.assertEquals(result, "ec2")
def main(): global RESOURCES, WHERE openlog(LOG_IDENT) WHERE = whereami() if WHERE == "unknown": critical( "Cannot determine whether operating context is ec2 or local. Exiting." ) elif WHERE == "local": critical( "local mode not supported: must run under virtualbox-kvm or in ec2" ) elif WHERE == "ec2": # get info needed for logging try: instance_id = http_get_metadata('instance-id') log_info("Instance id: " + instance_id) except IOError as error: critical("Error retrieving instance-id metadata: " + repr(error)) log_info("startup") log_info("boto3: " + str(boto3.utils.sys.version_info)) log_info("boto3: " + str(boto3.utils.sys.version)) # Tailor to operating mode if WHERE == "virtualbox-kvm": service = gethostname().split(".", 1)[0] elif WHERE == "ec2": log_info("EC2: setting up S3 client") try: session = boto3.Session() # S3 iteration is easier using the S3 Resource RESOURCES["s3"] = session.resource("s3") except (botocore.exceptions.BotoCoreError, IOError) as e: critical("Error setting up S3 resource " + repr(e)) service = http_get_instance_role() log_info("platform: {} service: {}".format(WHERE, service)) merge_files("all") merge_files("ssh", skip_on_user_group_error=True) merge_files(service) log_info("exit: success") closelog()
def test_whereami_unknown(self, mock_http_get_metadata, mock_gethostname, mock_is_in_virtualbox): """ Tests whereami to see if it returns 'unknown' by mocking the environment to not match anything Args: mock_http_get_metadata: MagicMock, returns something other than "i-...." mock_gethostname: MagicMock, returns some junk value Returns: None Raises: AssertionError if any of the assert checks fail """ mock_http_get_metadata.return_value = "nothinguseful" mock_is_in_virtualbox.return_value = False mock_gethostname.return_value = "not local" result = ef_utils.whereami() self.assertEquals(result, "unknown")
def test_whereami_local(self, mock_http_get_metadata, mock_gethostname, mock_is_in_virtualbox): """ Tests whereami to see if it returns 'local' by mocking a local machine environment Args: mock_http_get_metadata: MagicMock, returns something other than "i-...." mock_gethostname: MagicMock, returns .local Returns: None Raises: AssertionError if any of the assert checks fail """ mock_http_get_metadata.return_value = "nothinguseful" mock_is_in_virtualbox.return_value = False mock_gethostname.return_value = ".local" result = ef_utils.whereami() self.assertEquals(result, "local")
class TestEFVersionResolver(unittest.TestCase): """Tests for 'ef_version_resolver.py'""" # initialize based on where running where = whereami() if where == "local": session = boto3.Session(profile_name=get_account_alias("proto0"), region_name=EFConfig.DEFAULT_REGION) elif where == "ec2": region = http_get_metadata("placement/availability-zone/") region = region[:-1] session = boto3.Session(region_name=region) else: fail("Can't test in environment: " + where) clients = { "ec2": session.client("ec2") } def test_ami_id(self): """Does ami-id,data-api resolve to an AMI id""" test_string = "ami-id,data-api" resolver = EFVersionResolver(TestEFVersionResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^ami-[a-f0-9]{8}$")
def __init__(self, profile=None, region=None, # set both for user access mode lambda_context=None, # set if target is 'self' and this is a lambda target_other=False, env=None, service=None, # set env & service if target_other=True verbose=False ): """ Depending on how this is called, access mode (how it logs into AWS) and target (what the various context vars report) will vary ACCESS MODE - how this logs in to AWS user: "******" both 'profile' and 'region' are required is always "operating on something else" (TARGET is never "self") role: "running in AWS EC2 or Lambda with a role credential" do not set profile TARGET - what context is reported self: "this ec2 instance or lambda is initializing itself" assumed for ec2 and lambda, unless target_other=True in the constructor never an option for "user" access mode other: "this local user, ec2 instance, or lambda is configuring something else" always "other" if access mode is "user" if access mode is "role", set target_other=True in the constructor Constructor must also set 'env' and 'service' self: lambda_context must be provided if this is a lambda; leave it unset for ec2 INSTANCE_ID = instance ID if EC2, else None FUNCTION_NAME = function name if lambda, else None ACCOUNT = numeric account this is running in ACCOUNT_ALIAS = named alias of the account this is running in ROLE = role this is running as ENV = the environment this is running in, from role name ENV_SHORT = derived from ENV ENV_FULL = fully qualified environment, same as ENV unless env is a global env (mgmt.* or global.*) SERVICE = the service this is, from role name REGION = region this is running in something else: INSTANCE_ID = None FUNCTION_NAME = None ACCOUNT = the numeric account I'm logged into (look up) ACCOUNT_ALIAS = the alias of the account i'm logged into (look up) ROLE = None ENV = the target's environment, passed in from the constructor ENV_SHORT = derived from ENV ENV_FULL = ENV, with ".<ACCOUNT_ALIAS>" as appropriate SERVICE = the service name, passed in from the constructor REGION = the region I am in (ec2, lambda) or explicitly set (region= in constructor) Collects instance's environment for use in templates: {{ACCOUNT}} - AWS account number CloudFormation can use this or the AWS::AccountID pseudo param {{ACCOUNT_ALIAS}} - AWS account alias {{ENV}} - environment: mgmt, prod, staging, proto<N>, etc. {{ENV_SHORT}} - env with <N> or account trimmed: mgmt, prod, staging, proto, etc. {{ENV_FULL}} - env fully qualified: prod, staging, proto<N>, mgmt.<account_alias>, etc. {{FUNCTION_NAME}} - only for lambdas {{INSTANCE_ID}} - only for ec2 {{REGION}} - the region currently being worked in CloudFormation can use this or the AWS::Region pseudo param {{ROLE}} - the role bound to the ec2 instance or lambda; only for ec2 and lambda CloudFormation: compose role name in template by joining other strings """ # instance vars self.verbose = False # print noisy status if True # resolved tokens - only look up symbols once per session. Protect internal names by declaring self.resolved = { "ACCOUNT": None, "ACCOUNT_ALIAS": None, "ENV": None, "ENV_SHORT": None, "ENV_FULL": None, "FUNCTION_NAME": None, "INSTANCE_ID": None, "REGION": None, "ROLE": None } # template and parameters are populated by the load() method as each template is processed self.template = None # parameters that accompany this template, if any self.parameters = {} # Sets of symbols found in the current template (only) # read back with self.symbols() and self.unresolved_symbols() self.symbols = set() # capture verbosity pref from constructor self.verbose = verbose # determine ACCESS MODE if profile: # accessing as a user target_other = True if not region: fail("'region' is required with 'profile' for user-mode access") where = whereami() # require env and service params init() when target is 'other' if (target_other or where == "virtualbox-kvm") and (env is None or service is None): fail("'env' and 'service' must be set when target is 'other' or running in " + where) if target_other or profile: self.resolved["REGION"] = region # lambda initializing self elif lambda_context: self.resolved["REGION"] = lambda_context.invoked_function_arn.split(":")[3] # ec2 initializing self else: self.resolved["REGION"] = get_metadata_or_fail("placement/availability-zone/")[:-1] # Create clients - if accessing by role, profile should be None clients = [ "cloudformation", "cloudfront", "cognito-identity", "cognito-idp", "ec2", "elbv2", "iam", "kms", "lambda", "route53", "s3", "sts", "waf" ] try: EFTemplateResolver.__CLIENTS = create_aws_clients(self.resolved["REGION"], profile, *clients) except RuntimeError as error: fail("Exception logging in with Session()", error) # Create EFAwsResolver object for interactive lookups EFTemplateResolver.__AWSR = EFAwsResolver(EFTemplateResolver.__CLIENTS) # Create EFConfigResolver object for ef tooling config lookups EFTemplateResolver.__EFCR = EFConfigResolver() # Create EFVersionResolver object for version lookups EFTemplateResolver.__VR = EFVersionResolver(EFTemplateResolver.__CLIENTS) # Set the internal parameter values for aws # self-configuring lambda if (not target_other) and lambda_context: arn_split = lambda_context.invoked_function_arn.split(":") self.resolved["ACCOUNT"] = arn_split[4] self.resolved["FUNCTION_NAME"] = arn_split[6] try: lambda_desc = EFTemplateResolver.__CLIENTS["lambda"].get_function() except: fail("Exception in get_function: ", sys.exc_info()) self.resolved["ROLE"] = lambda_desc["Configuration"]["Role"] env = re.search("^({})-".format(EFConfig.VALID_ENV_REGEX), self.resolved["ROLE"]) if not env: fail("Did not find environment in lambda function name.") self.resolved["ENV"] = env.group(1) parsed_service = re.search(self.resolved["ENV"] + "-(.*?)-lambda", self.resolved["ROLE"]) if parsed_service: self.resolved["SERVICE"] = parsed_service.group(1) # self-configuring EC2 elif (not target_other) and (not lambda_context): self.resolved["INSTANCE_ID"] = get_metadata_or_fail('instance-id') try: instance_desc = EFTemplateResolver.__CLIENTS["ec2"].describe_instances(InstanceIds=[self.resolved["INSTANCE_ID"]]) except: fail("Exception in describe_instances: ", sys.exc_info()) self.resolved["ACCOUNT"] = instance_desc["Reservations"][0]["OwnerId"] arn = instance_desc["Reservations"][0]["Instances"][0]["IamInstanceProfile"]["Arn"] self.resolved["ROLE"] = arn.split(":")[5].split("/")[1] env = re.search("^({})-".format(EFConfig.VALID_ENV_REGEX), self.resolved["ROLE"]) if not env: fail("Did not find environment in role name") self.resolved["ENV"] = env.group(1) self.resolved["SERVICE"] = "-".join(self.resolved["ROLE"].split("-")[1:]) # target is "other" else: try: if whereami() == "ec2": self.resolved["ACCOUNT"] = str(json.loads(http_get_metadata('iam/info'))["InstanceProfileArn"].split(":")[4]) else: self.resolved["ACCOUNT"] = get_account_id(EFTemplateResolver.__CLIENTS["sts"]) except botocore.exceptions.ClientError as error: fail("Exception in get_user()", error) self.resolved["ENV"] = env self.resolved["SERVICE"] = service # ACCOUNT_ALIAS is resolved consistently for access modes and targets other than virtualbox try: self.resolved["ACCOUNT_ALIAS"] = EFTemplateResolver.__CLIENTS["iam"].list_account_aliases()["AccountAliases"][0] except botocore.exceptions.ClientError as error: fail("Exception in list_account_aliases", error) # ENV_SHORT is resolved the same way for all access modes and targets self.resolved["ENV_SHORT"] = self.resolved["ENV"].strip(".0123456789") # ENV_FULL is resolved the same way for all access modes and targets, depending on previously-resolved values if self.resolved["ENV"] in EFConfig.ACCOUNT_SCOPED_ENVS: self.resolved["ENV_FULL"] = "{}.{}".format(self.resolved["ENV"], self.resolved["ACCOUNT_ALIAS"]) else: self.resolved["ENV_FULL"] = self.resolved["ENV"] if self.verbose: print(repr(self.resolved), file=sys.stderr)
class TestEFAwsResolver(unittest.TestCase): """Tests for `ef_aws_resolver.py`.""" # initialize based on where running where = whereami() if where == "local": session = boto3.Session(profile_name=context.account_alias, region_name=EFConfig.DEFAULT_REGION) elif where == "ec2": region = http_get_metadata("placement/availability-zone/") region = region[:-1] session = boto3.Session(region_name=region) else: fail("Can't test in environment: " + where) clients = { "cloudformation": session.client("cloudformation"), "cloudfront": session.client("cloudfront"), "ec2": session.client("ec2"), "iam": session.client("iam"), "route53": session.client("route53"), "waf": session.client("waf") } ## Test coverage of ec2:eni/eni-id is disabled because the we are not presently creating ## ENI fixtures and this test does not at present generate an ENI for testing this lookup function ## Why are these retained here? The lookup function is still valid, and useful. We just can't test it at the moment # def test_ec2_eni_eni_id(self): # """Does ec2:eni/eni-id,eni-proto3-dnsproxy-1a resolve to an ENI ID""" # test_string = "ec2:eni/eni-id,eni-proto3-dnsproxy-1a" # resolver = EFAwsResolver(TestEFAwsResolver.clients) # self.assertRegexpMatches(resolver.lookup(test_string), "^eni-[a-f0-9]{8}$") # def test_ec2_eni_eni_id_none(self): # """Does ec2:eni/eni-id,cant_possibly_match return None""" # test_string = "ec2:eni/eni-id,cant_possibly_match" # resolver = EFAwsResolver(TestEFAwsResolver.clients) # self.assertIsNone(resolver.lookup(test_string)) # def test_ec2_eni_eni_id_default(self): # """Does ec2:eni/eni-id,cant_possibly_match,DEFAULT return default value""" # test_string = "ec2:eni/eni-id,cant_possibly_match,DEFAULT" # resolver = EFAwsResolver(TestEFAwsResolver.clients) # self.assertRegexpMatches(resolver.lookup(test_string), "^DEFAULT$") def test_ec2_elasticip_elasticip_id(self): """Does ec2:elasticip/elasticip-id,ElasticIpMgmtCingest1 resolve to elastic IP allocation ID""" test_string = "ec2:elasticip/elasticip-id,ElasticIpMgmtCingest1" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^eipalloc-[a-f0-9]{8}$") def test_ec2_elasticip_elasticip_id_none(self): """Does ec2:elasticip/elasticip-id,cant_possibly_match return None""" test_string = "ec2:elasticip/elasticip-id,cant_possibly_match" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertIsNone(resolver.lookup(test_string)) def test_ec2_elasticip_elasticip_id_default(self): """Does ec2:elasticip/elasticip-id,cant_possibly_match,DEFAULT return default value""" test_string = "ec2:elasticip/elasticip-id,cant_possibly_match,DEFAULT" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^DEFAULT$") def test_ec2_elasticip_elasticip_ipaddress(self): """Does ec2:elasticip/elasticip-ipaddress,ElasticIpMgmtCingest1 resolve to elastic IP address""" test_string = "ec2:elasticip/elasticip-ipaddress,ElasticIpMgmtCingest1" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches( resolver.lookup(test_string), "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$") def test_ec2_elasticip_elasticip_ipaddress_none(self): """Does ec2:elasticip/elasticip-ipaddress,cant_possibly_match return None""" test_string = "ec2:elasticip/elasticip-ipaddress,cant_possibly_match" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertIsNone(resolver.lookup(test_string)) def test_ec2_elasticip_elasticip_ipaddress_default(self): """Does ec2:elasticip/elasticip-ipaddress,cant_possibly_match,DEFAULT return default value""" test_string = "ec2:elasticip/elasticip-ipaddress,cant_possibly_match,DEFAULT" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^DEFAULT$") def test_ec2_route_table_main_route_table_id(self): """Does ec2:route-table/main-route-table-id,vpc-<env> resolve to route table ID""" test_string = "ec2:route-table/main-route-table-id,vpc-" + context.env resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^rtb-[a-f0-9]{8}$") def test_ec2_route_table_main_route_table_id_none(self): """Does ec2:route-table/main-route-table-id,cant_possibly_match return None""" test_string = "ec2:route-table/main-route-table-id,cant_possibly_match" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertIsNone(resolver.lookup(test_string)) def test_ec2_route_table_main_route_table_id_default(self): """Does ec2:route-table/main-route-table-id,cant_possibly_match,DEFAULT return default value""" test_string = "ec2:route-table/main-route-table-id,cant_possibly_match,DEFAULT" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^DEFAULT$") def test_ec2_security_group_security_group_id(self): """Does ec2:security-group/security-group-id,staging-core-ec2 resolve to a security group id""" test_string = "ec2:security-group/security-group-id,staging-core-ec2" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^sg-[a-f0-9]{8}$") def test_ec2_security_group_security_group_id_none(self): """Does ec2:security-group/security-group-id,cant_possibly_match return None""" test_string = "ec2:security-group/security-group-id,cant_possibly_match" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertIsNone(resolver.lookup(test_string)) def test_ec2_security_group_security_group_id_default(self): """Does ec2:security-group/security-group-id,cant_possibly_match,DEFAULT return default value""" test_string = "ec2:security-group/security-group-id,cant_possibly_match,DEFAULT" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^DEFAULT$") def test_ec2_subnet_subnet_id(self): """Does ec2:subnet/subnet-id,subnet-staging-a resolve to a subnet ID""" test_string = "ec2:subnet/subnet-id,subnet-staging-a" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^subnet-[a-f0-9]{8}$") def test_ec2_subnet_subnet_id_none(self): """Does ec2:subnet/subnet-id,cant_possibly_match return None""" test_string = "ec2:subnet/subnet-id,cant_possibly_match" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertIsNone(resolver.lookup(test_string)) def test_ec2_subnet_subnet_id_default(self): """Does ec2:subnet/subnet-id,cant_possibly_match,DEFAULT return default value""" test_string = "ec2:subnet/subnet-id,cant_possibly_match,DEFAULT" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^DEFAULT$") def test_ec2_vpc_availabilityzones(self): """Does ec2:vpc/availabilityzones,vpc-staging resolve to correctly-delimited string of AZ(s)""" test_string = "ec2:vpc/availabilityzones,vpc-staging" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches( resolver.lookup(test_string), "^us-west-2(a|b)(\", \"us-west-2(a|b)){0,1}$") def test_ec2_vpc_availabilityzones_none(self): """Does ec2:vpc/availabilityzones,cant_possibly_match return None""" test_string = "ec2:vpc/availabilityzones,cant_possibly_match" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertIsNone(resolver.lookup(test_string)) def test_ec2_vpc_availabilityzones_default(self): """Does ec2:vpc/availabilityzones,cant_possibly_match,DEFAULT return default value""" test_string = "ec2:vpc/availabilityzones,cant_possibly_match,DEFAULT" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^DEFAULT$") def test_ec2_vpc_cidrblock(self): """Does ec2:vpc/cidrblock,vpc-staging resolve to a CIDR block""" test_string = "ec2:vpc/cidrblock,vpc-staging" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches( resolver.lookup(test_string), "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{2}$") def test_ec2_vpc_cidrblock_none(self): """Does ec2:vpc/cidrblock,cant_possibly_match return None""" test_string = "ec2:vpc/cidrblock,cant_possibly_match" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertIsNone(resolver.lookup(test_string)) def test_ec2_vpc_cidrblock_default(self): """Does ec2:vpc/cidrblock,cant_possibly_match,DEFAULT return default value""" test_string = "ec2:vpc/cidrblock,cant_possibly_match,DEFAULT" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^DEFAULT$") def test_ec2_vpc_subnets(self): """Does ec2:vpc/subnets,vpc-staging resolve to correctly-delimited string of AZ(s)""" test_string = "ec2:vpc/subnets,vpc-staging" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches( resolver.lookup(test_string), "^subnet-[a-f0-9]{8}(\", \"subnet-[a-f0-9]{8}){0,1}$") def test_ec2_vpc_subnets_none(self): """Does ec2:vpc/subnets,cant_possibly_match return None""" test_string = "ec2:vpc/subnets,cant_possibly_match" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertIsNone(resolver.lookup(test_string)) def test_ec2_vpc_subnets_default(self): """Does ec2:vpc/subnets,cant_possibly_match,DEFAULT return default value""" test_string = "ec2:vpc/subnets,cant_possibly_match,DEFAULT" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^DEFAULT$") def test_ec2_vpc_vpc_id(self): """Does ec2:vpc/vpc-id,vpc-staging resolve to VPC ID""" test_string = "ec2:vpc/vpc-id,vpc-staging" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^vpc-[a-f0-9]{8}$") def test_ec2_vpc_vpc_id_none(self): """Does ec2:vpc/vpc-id,cant_possibly_match return None""" test_string = "ec2:vpc/vpc-id,cant_possibly_match" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertIsNone(resolver.lookup(test_string)) def test_ec2_vpc_vpc_id_default(self): """Does ec2:vpc/vpc-id,cant_possibly_match,DEFAULT return default value""" test_string = "ec2:vpc/vpc-id,cant_possibly_match,DEFAULT" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^DEFAULT$") def test_waf_rule_id(self): """Does waf:rule-id,global-OfficeCidr resolve to WAF ID""" test_string = "waf:rule-id,global-OfficeCidr" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches( resolver.lookup(test_string), "^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$") def test_waf_rule_id_none(self): """Does waf:rule-id,cant_possibly_match return None""" test_string = "waf:rule-id,cant_possibly_match" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertIsNone(resolver.lookup(test_string)) def test_waf_rule_id_default(self): """Does waf:rule-id,cant_possibly_match,DEFAULT return default value""" test_string = "waf:rule-id,cant_possibly_match,DEFAULT" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^DEFAULT$") def test_waf_web_acl_id(self): """Does waf:web-acl-id,staging-StaticAcl resolve to Web ACL ID""" test_string = "waf:web-acl-id,staging-StaticAcl" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches( resolver.lookup(test_string), "^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$") def test_waf_web_acl_id_none(self): """Does waf:web-acl-id,cant_possibly_match return None""" test_string = "waf:web-acl-id,cant_possibly_match" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertIsNone(resolver.lookup(test_string)) def test_waf_web_acl_id_default(self): """Does waf:web-acl-id,cant_possibly_match,DEFAULT return default value""" test_string = "waf:web-acl-id,cant_possibly_match,DEFAULT" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^DEFAULT$") def test_route53_private_hosted_zone_id(self): """Does route53:private-hosted-zone-id,cx-proto0.com. resolve to zone ID""" test_string = "route53:private-hosted-zone-id,cx-proto0.com." resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^[A-Z0-9]{13,14}$") def test_route53_private_hosted_zone_id_none(self): """Does route53:private-hosted-zone-id,cant_possibly_match return None""" test_string = "route53:private-hosted-zone-id,cant_possibly_match" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertIsNone(resolver.lookup(test_string)) def test_route53_private_hosted_zone_id_default(self): """Does route53:private-hosted-zone-id,cant_possibly_match,DEFAULT return default value""" test_string = "route53:private-hosted-zone-id,cant_possibly_match,DEFAULT" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^DEFAULT$") def test_route53_public_hosted_zone_id(self): """Does route53:hosted-zone-id,cx-proto0.com. resolve to zone ID""" test_string = "route53:public-hosted-zone-id,cx-proto0.com." resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^[A-Z0-9]{13,14}$") def test_route53_public_hosted_zone_id_none(self): """Does route53:public-hosted-zone-id,cant_possibly_match return None""" test_string = "route53:public-hosted-zone-id,cant_possibly_match" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertIsNone(resolver.lookup(test_string)) def test_route53_public_hosted_zone_id_default(self): """Does route53:public-hosted-zone-id,cant_possibly_match,DEFAULT return default value""" test_string = "route53:public-hosted-zone-id,cant_possibly_match,DEFAULT" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^DEFAULT$") def test_cloudfront_domain_name(self): """Does cloudfront:domain-name,static.cx-proto0.com resolve to a Cloudfront FQDN""" test_string = "cloudfront:domain-name,static.cx-proto0.com" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^[a-z0-9]{13,14}.cloudfront.net$") def test_cloudfront_domain_name_none(self): """Does cloudfront:domain-name,cant_possibly_match return None""" test_string = "cloudfront:domain-name,cant_possibly_match" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertIsNone(resolver.lookup(test_string)) def test_cloudfront_domain_name_default(self): """Does cloudfront:domain-name,cant_possibly_match,DEFAULT return default value""" test_string = "cloudfront:domain-name,cant_possibly_match,DEFAULT" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^DEFAULT$") def test_cloudfront_origin_access_identity_oai_id(self): """Does cloudfront:origin-access-identity/oai-id,static.cx-proto0.com resolve to oai ID""" test_string = "cloudfront:origin-access-identity/oai-id,static.cx-proto0.com" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^[A-Z0-9]{13,14}$") def test_cloudfront_origin_access_identity_oai_id_none(self): """Does cloudfront:origin-access-identity/oai-id,cant_possibly_match return None""" test_string = "cloudfront:origin-access-identity/oai-id,cant_possibly_match" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertIsNone(resolver.lookup(test_string)) def test_cloudfront_origin_access_identity_oai_id_default(self): """Does cloudfront:origin-access-identity/oai-id,cant_possibly_match,DEFAULT return default value""" test_string = "cloudfront:origin-access-identity/oai-id,cant_possibly_match,DEFAULT" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^DEFAULT$") def test_cloudfront_origin_access_identity_oai_canonical_user_id(self): """Does cloudfront:origin-access-identity/oai-canonical-user-id,static.cx-proto0.com resolve to oai ID""" test_string = "cloudfront:origin-access-identity/oai-canonical-user-id,static.cx-proto0.com" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^[a-z0-9]{96}$") def test_cloudfront_origin_access_identity_oai_canonical_user_id_none( self): """Does cloudfront:origin-access-identity/oai-canonical-user-id,cant_possibly_match return None""" test_string = "cloudfront:origin-access-identity/oai-canonical-user-id,cant_possibly_match" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertIsNone(resolver.lookup(test_string)) def test_cloudfront_origin_access_identity_oai_canonical_user_id_default( self): """Does cloudfront:origin-access-identity/oai-canonical-user-id,cant_possibly_match,DEFAULT return default value""" test_string = "cloudfront:origin-access-identity/oai-canonical-user-id,cant_possibly_match,DEFAULT" resolver = EFAwsResolver(TestEFAwsResolver.clients) self.assertRegexpMatches(resolver.lookup(test_string), "^DEFAULT$")