def add_roles(self, initial=True): mock_iam().start() mock_sts().start() mock_iam().start() client = boto3.client("iam") aspd = { "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "Service": "ec2.amazonaws.com" } } ] } if initial: last = 11 else: last = 9 # Simulates 2 deleted roles... for x in range(0, last): # Create the IAM Role via Moto: aspd["Statement"][0]["Resource"] = "arn:aws:iam:012345678910:role/roleNumber{}".format(x) client.create_role(Path="/", RoleName="roleNumber{}".format(x), AssumeRolePolicyDocument=json.dumps(aspd, indent=4)) client.put_role_policy(RoleName="roleNumber{}".format(x), PolicyName="testpolicy", PolicyDocument=json.dumps(OPEN_POLICY, indent=4))
def add_roles(self, initial=True): mock_sts().start() mock_iam().start() client = boto3.client("iam") aspd = { "Statement": [{ "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "Service": "ec2.amazonaws.com" } }] } if initial: last = 11 else: last = 9 # Simulates 2 deleted roles... for x in range(0, last): # Create the IAM Role via Moto: aspd["Statement"][0][ "Resource"] = ARN_PREFIX + ":iam:012345678910:role/roleNumber{}".format( x) client.create_role(Path="/", RoleName="roleNumber{}".format(x), AssumeRolePolicyDocument=json.dumps(aspd, indent=4)) client.put_role_policy(RoleName="roleNumber{}".format(x), PolicyName="testpolicy", PolicyDocument=json.dumps(OPEN_POLICY, indent=4))
def iam(): mock_iam().start() client = boto3.client("iam") yield client mock_iam().stop()
def pre_test_setup(self): account_type_result = AccountType(name='AWS') db.session.add(account_type_result) db.session.commit() self.account = Account(identifier="012345678910", name="testing", third_party=False, active=True, account_type_id=account_type_result.id) self.technology = Technology(name="iamrole") self.total_roles = 75 db.session.add(self.account) db.session.add(self.technology) db.session.commit() mock_iam().start() client = boto3.client("iam") aspd = { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "Service": "ec2.amazonaws.com" } }] } policy = { "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Action": "*", "Resource": "*" }] } for x in range(0, self.total_roles): # Create the IAM Role via Moto: aspd["Statement"][0][ "Resource"] = ARN_PREFIX + "arn:aws:iam:012345678910:role/roleNumber{}".format( x) client.create_role(Path="/", RoleName="roleNumber{}".format(x), AssumeRolePolicyDocument=json.dumps(aspd, indent=4)) client.put_role_policy(RoleName="roleNumber{}".format(x), PolicyName="testpolicy", PolicyDocument=json.dumps(policy, indent=4))
def create_lambda_for_config_rule(): """Return the ARN of a lambda that can be used by a custom rule.""" role_name = "test-role" lambda_role = None with mock_iam(): iam_client = boto3.client("iam", region_name=TEST_REGION) try: lambda_role = iam_client.get_role( RoleName=role_name)["Role"]["Arn"] except ClientError: lambda_role = iam_client.create_role( RoleName=role_name, AssumeRolePolicyDocument="test policy", Path="/", )["Role"]["Arn"] # Create the lambda function and identify its location. lambda_client = boto3.client("lambda", region_name=TEST_REGION) lambda_client.create_function( FunctionName="test_config_rule", Runtime="python3.8", Role=lambda_role, Handler="lambda_function.lambda_handler", Code={"ZipFile": zipped_lambda_function()}, Description="Lambda test function for config rule", Timeout=3, MemorySize=128, Publish=True, )
def release_store(project_id, region_name, role_arn): with moto.mock_dynamodb2(), moto.mock_sts(), moto.mock_iam(): store = DynamoReleaseStore(project_id=project_id, region_name=region_name, role_arn=role_arn) store.initialise() yield store
def test_create_service_role_already_exists(self): role_name = "ecsServiceRole" policy_name = "AmazonEC2ContainerServiceRolePolicy" with mock_iam(): client = boto3.client("iam", region_name=REGION) client.create_role( RoleName=role_name, AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json() ) self.assertTrue( create_ecs_service_role( context=self.context, provider=self.provider, ) ) role = client.get_role(RoleName=role_name) self.assertIn("Role", role) self.assertEqual(role_name, role["Role"]["RoleName"]) client.get_role_policy( RoleName=role_name, PolicyName=policy_name )
def setUp(self): super().setUp() # Setup mock AWS self.s3_mock = mock_s3() self.s3_mock.start() self.iam_mock = mock_iam() self.iam_mock.start() self.sqs_mock = mock_sqs() self.sqs_mock.start() if self.deployment_stage == 'local': # When online, we need STS to access SecretsManager to access RDS. # When offline, mock out STS/SecretsManager and use local Postgres. # STS self.sts_mock = mock_sts() self.sts_mock.start() # UploadDbConfig self.upload_db_config = UploadDbConfig() self.upload_db_config.set({ 'database_uri': 'postgresql://:@localhost/upload_local', 'pgbouncer_uri': 'postgresql://:@localhost/upload_local' }) # Upload Bucket self.upload_bucket = boto3.resource('s3').Bucket( self.upload_config.bucket_name) self.upload_bucket.create() self.sqs = boto3.resource('sqs') self.sqs.create_queue(QueueName=f"bogo_url") self.sqs.create_queue(QueueName=f"delete_sqs_url") self.sqs.create_queue(QueueName=f"test_validation_q_url")
def pre_test_setup(self): account_type_result = AccountType(name='AWS') db.session.add(account_type_result) db.session.commit() self.account = Account(identifier="012345678910", name="testing", third_party=False, active=True, account_type_id=account_type_result.id) self.technology = Technology(name="iamrole") self.total_roles = 75 db.session.add(self.account) db.session.add(self.technology) db.session.commit() mock_iam().start() client = boto3.client("iam") aspd = { "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "Service": "ec2.amazonaws.com" } } ] } policy = { "Statement": [ { "Effect": "Deny", "Action": "*", "Resource": "*" } ] } for x in range(0, self.total_roles): # Create the IAM Role via Moto: aspd["Statement"][0]["Resource"] = ARN_PREFIX + ":iam:012345678910:role/roleNumber{}".format(x) client.create_role(Path="/", RoleName="roleNumber{}".format(x), AssumeRolePolicyDocument=json.dumps(aspd, indent=4)) client.put_role_policy(RoleName="roleNumber{}".format(x), PolicyName="testpolicy", PolicyDocument=json.dumps(policy, indent=4))
def iam(aws_credentials): """Mocked IAM Fixture.""" from consoleme.config import config with mock_iam(): yield boto3.client( "iam", region_name="us-east-1", **config.get("boto3.client_kwargs", {}) )
def _get_role_name(region_name): with mock_iam(): iam = boto3.client("iam", region_name=region_name) try: return iam.get_role(RoleName="test-role")["Role"]["Arn"] except ClientError: return iam.create_role( RoleName="test-role", AssumeRolePolicyDocument="test policy", Path="/" )["Role"]["Arn"]
def sim_iam(): mock_iam_instance = mock_iam() mock_iam_instance.start() mock_sts_instance = mock_sts() mock_sts_instance.start() yield mock_iam_instance.stop() mock_sts_instance.stop()
def get_role_arn(): with mock_iam(): iam = boto3.client("iam", region_name="us-west-2") try: return iam.get_role(RoleName="my-role")["Role"]["Arn"] except ClientError: return iam.create_role( RoleName="my-role", AssumeRolePolicyDocument="some policy", Path="/my-path/", )["Role"]["Arn"]
def single_iam_role(iam_service): """Return a single IAM Role. Be warned, you can ONLY access properties on the resultant role that do not entail additional API calls. Even if you add @mock_iam decorator to your test method the role will not exist in that context. To mock additional API calls use the @iam_service and @mock_iam fixtures on your test function and call create_iam_role within that. """ with mock_iam(): create_iam_role() return list(iam_service.collection("role").all())[0]
def get_role_arn(): with mock_iam(): iam = boto3.client("iam", region_name="us-west-2") try: iam.create_role( RoleName="my-role", AssumeRolePolicyDocument="some policy", Path="/my-path/", ) except ClientError: pass # Will fail second/third time - difficult to execute once with parallel tests return iam.get_role(RoleName="my-role")["Role"]["Arn"]
def start(): """ Entrypoint for mocking IAM. :return: nothing """ # start IAM mocking with moto mock = mock_iam() mock.start() """ Monkey-patching of moto """ # create new field in AccessKey model for LastUsedDate attribute moto.iam.models.AccessKey.last_used = None # create hook for GetAccessKeyLastUsed API call moto.iam.responses.IamResponse.get_access_key_last_used = get_access_key_last_used """ Monkey-patching is done """
def test_obtain_new_iam_token(monkeypatch, without_aws_env): import moto from sqlalchemy.engine.url import URL url = URL.create( 'postgresql', host="fakehost", database="fake_db", port=5432, username="******", password="******", ) monkeypatch.setenv("AWS_ACCESS_KEY_ID", "fake-key-id") monkeypatch.setenv("AWS_SECRET_ACCESS_KEY", "fake-secret") with moto.mock_iam(): token = obtain_new_iam_auth_token(url, region_name='us-west-1') assert isinstance(token, str)
def test_create_service_role(self) -> None: """Test create service role.""" with mock_iam(): client = boto3.client("iam", region_name=REGION) role_name = "ecsServiceRole" with self.assertRaises(ClientError): client.get_role(RoleName=role_name) self.assertTrue( create_ecs_service_role(context=self.context, provider=self.provider)) role = client.get_role(RoleName=role_name) self.assertIn("Role", role) self.assertEqual(role_name, role["Role"]["RoleName"]) policy_name = "AmazonEC2ContainerServiceRolePolicy" client.get_role_policy(RoleName=role_name, PolicyName=policy_name)
def test_create_service_role_already_exists(self): role_name = "ecsServiceRole" policy_name = "AmazonEC2ContainerServiceRolePolicy" with mock_iam(): client = boto3.client("iam", region_name=REGION) client.create_role( RoleName=role_name, AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json()) self.assertTrue( create_ecs_service_role( context=self.context, provider=self.provider, )) role = client.get_role(RoleName=role_name) self.assertIn("Role", role) self.assertEqual(role_name, role["Role"]["RoleName"]) client.get_role_policy(RoleName=role_name, PolicyName=policy_name)
def test_create_service_role(self): role_name = "ecsServiceRole" policy_name = "AmazonEC2ContainerServiceRolePolicy" with mock_iam(): client = boto3.client("iam", region_name=REGION) with self.assertRaises(ClientError): client.get_role(RoleName=role_name) self.assertTrue( create_ecs_service_role(region=REGION, namespace="fake", mappings={}, parameters={})) role = client.get_role(RoleName=role_name) self.assertIn("Role", role) self.assertEqual(role_name, role["Role"]["RoleName"]) client.get_role_policy(RoleName=role_name, PolicyName=policy_name)
def setUp(self): with warnings.catch_warnings(): warnings.filterwarnings("ignore", category=DeprecationWarning) current_account_id = "111122223333" region = "us-east-1" self.mock = mock_iam() self.mock.start() self.client = get_boto3_client(profile=None, service="iam", region=region) self.client.create_role(RoleName=MY_RESOURCE, AssumeRolePolicyDocument=json.dumps( constants.EC2_ASSUME_ROLE_POLICY)) self.example = IAMRole(name=MY_RESOURCE, region=region, client=self.client, current_account_id=current_account_id) self.roles = IAMRoles(client=self.client, current_account_id=current_account_id, region=region)
def test_create_service_role(self): role_name = "ecsServiceRole" policy_name = "AmazonEC2ContainerServiceRolePolicy" with mock_iam(): client = boto3.client("iam", region_name=REGION) with self.assertRaises(ClientError): client.get_role(RoleName=role_name) self.assertTrue( create_ecs_service_role( context=self.context, provider=self.provider, ) ) role = client.get_role(RoleName=role_name) self.assertIn("Role", role) self.assertEqual(role_name, role["Role"]["RoleName"]) client.get_role_policy( RoleName=role_name, PolicyName=policy_name )
def iam_client(aws_region): with mock_iam(): yield boto3.client("iam", region_name=aws_region)
def iam(): with mock_iam(): yield boto3.client('iam', region_name='us-east-1')
def test_find_batch_changes(self): """ Runs through a full find job via the IAMRole watcher, as that supports batching. However, this is mostly testing the logic through each function call -- this is not going to do any boto work and that will instead be mocked out. :return: """ from security_monkey.scheduler import find_changes from security_monkey.monitors import Monitor from security_monkey.watchers.iam.iam_role import IAMRole from security_monkey.auditors.iam.iam_role import IAMRoleAuditor test_account = Account(name="TEST_ACCOUNT1") watcher = IAMRole(accounts=[test_account.name]) technology = Technology(name="iamrole") db.session.add(technology) db.session.commit() watcher.batched_size = 3 # should loop 4 times self.add_roles() # Set up the monitor: batched_monitor = Monitor(IAMRole, test_account) batched_monitor.watcher = watcher batched_monitor.auditors = [IAMRoleAuditor(accounts=[test_account.name])] import security_monkey.scheduler security_monkey.scheduler.get_monitors = lambda x, y, z: [batched_monitor] # Moto screws up the IAM Role ARN -- so we need to fix it: original_slurp_list = watcher.slurp_list original_slurp = watcher.slurp def mock_slurp_list(): exception_map = original_slurp_list() for item in watcher.total_list: item["Arn"] = "arn:aws:iam::012345678910:role/{}".format(item["RoleName"]) return exception_map def mock_slurp(): batched_items, exception_map = original_slurp() for item in batched_items: item.arn = "arn:aws:iam::012345678910:role/{}".format(item.name) item.config["Arn"] = item.arn item.config["RoleId"] = item.name # Need this to stay the same return batched_items, exception_map watcher.slurp_list = mock_slurp_list watcher.slurp = mock_slurp find_changes([test_account.name], test_account.name) # Check that all items were added to the DB: assert len(Item.query.all()) == 11 # Check that we have exactly 11 item revisions: assert len(ItemRevision.query.all()) == 11 # Check that there are audit issues for all 11 items: assert len(ItemAudit.query.all()) == 11 # Delete one of the items: # Moto lacks implementation for "delete_role" (and I'm too lazy to submit a PR :D) -- so need to create again... mock_iam().stop() mock_sts().stop() self.add_roles(initial=False) # Run the it again: watcher.current_account = None # Need to reset the watcher find_changes([test_account.name], test_account.name) # Check that nothing new was added: assert len(Item.query.all()) == 11 # There should be 2 less issues and 2 more revisions: assert len(ItemAudit.query.all()) == 9 assert len(ItemRevision.query.all()) == 13 # Check that the deleted roles show as being inactive: ir = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)) \ .filter(Item.arn.in_( ["arn:aws:iam::012345678910:role/roleNumber9", "arn:aws:iam::012345678910:role/roleNumber10"])).all() assert len(ir) == 2 assert not ir[0].active assert not ir[1].active # Finally -- test with a slurp list exception (just checking that things don't blow up): def mock_slurp_list_with_exception(): import security_monkey.watchers.iam.iam_role security_monkey.watchers.iam.iam_role.list_roles = lambda **kwargs: 1 / 0 exception_map = original_slurp_list() assert len(exception_map) > 0 return exception_map watcher.slurp_list = mock_slurp_list_with_exception watcher.current_account = None # Need to reset the watcher find_changes([test_account.name], test_account.name) mock_iam().stop() mock_sts().stop()
def iam(): with mock_iam(): yield boto3.client("iam", region_name="us-east-1")
def test_report_batch_changes(self, mock_fix_orphaned): from security_monkey.task_scheduler.tasks import manual_run_change_reporter from security_monkey.datastore import Item, ItemRevision, ItemAudit from security_monkey.monitors import Monitor from security_monkey.watchers.iam.iam_role import IAMRole from security_monkey.auditors.iam.iam_role import IAMRoleAuditor test_account = Account.query.filter( Account.name == "TEST_ACCOUNT1").one() watcher = IAMRole(accounts=[test_account.name]) watcher.batched_size = 3 # should loop 4 times self.add_roles() # Set up the monitor: batched_monitor = Monitor(IAMRole, test_account) batched_monitor.watcher = watcher batched_monitor.auditors = [ IAMRoleAuditor(accounts=[test_account.name]) ] # Set up the Reporter: import security_monkey.reporter old_all_monitors = security_monkey.reporter.all_monitors security_monkey.reporter.all_monitors = lambda x, y: [batched_monitor] import security_monkey.task_scheduler.tasks old_get_monitors = security_monkey.task_scheduler.tasks.get_monitors security_monkey.task_scheduler.tasks.get_monitors = lambda x, y, z: [ batched_monitor ] # Moto screws up the IAM Role ARN -- so we need to fix it: original_slurp_list = watcher.slurp_list original_slurp = watcher.slurp def mock_slurp_list(): items, exception_map = original_slurp_list() for item in watcher.total_list: item["Arn"] = ARN_PREFIX + ":iam::012345678910:role/{}".format( item["RoleName"]) return items, exception_map def mock_slurp(): batched_items, exception_map = original_slurp() for item in batched_items: item.arn = ARN_PREFIX + ":iam::012345678910:role/{}".format( item.name) item.config["Arn"] = item.arn item.config["RoleId"] = item.name # Need this to stay the same return batched_items, exception_map watcher.slurp_list = mock_slurp_list watcher.slurp = mock_slurp manual_run_change_reporter([test_account.name]) assert mock_fix_orphaned.called # Check that all items were added to the DB: assert len(Item.query.all()) == 11 # Check that we have exactly 11 item revisions: assert len(ItemRevision.query.all()) == 11 # Check that there are audit issues for all 11 items: assert len(ItemAudit.query.all()) == 11 mock_iam().stop() mock_sts().stop() security_monkey.reporter.all_monitors = old_all_monitors security_monkey.task_scheduler.tasks.get_monitors = old_get_monitors
def test_find_batch_changes(self, mock_fix_orphaned): """ Runs through a full find job via the IAMRole watcher, as that supports batching. However, this is mostly testing the logic through each function call -- this is not going to do any boto work and that will instead be mocked out. :return: """ from security_monkey.task_scheduler.tasks import manual_run_change_finder from security_monkey.monitors import Monitor from security_monkey.watchers.iam.iam_role import IAMRole from security_monkey.auditors.iam.iam_role import IAMRoleAuditor test_account = Account(name="TEST_ACCOUNT1") watcher = IAMRole(accounts=[test_account.name]) technology = Technology(name="iamrole") db.session.add(technology) db.session.commit() watcher.batched_size = 3 # should loop 4 times self.add_roles() # Set up the monitor: batched_monitor = Monitor(IAMRole, test_account) batched_monitor.watcher = watcher batched_monitor.auditors = [ IAMRoleAuditor(accounts=[test_account.name]) ] import security_monkey.task_scheduler.tasks old_get_monitors = security_monkey.task_scheduler.tasks.get_monitors security_monkey.task_scheduler.tasks.get_monitors = lambda x, y, z: [ batched_monitor ] # Moto screws up the IAM Role ARN -- so we need to fix it: original_slurp_list = watcher.slurp_list original_slurp = watcher.slurp def mock_slurp_list(): items, exception_map = original_slurp_list() for item in watcher.total_list: item["Arn"] = ARN_PREFIX + ":iam::012345678910:role/{}".format( item["RoleName"]) return items, exception_map def mock_slurp(): batched_items, exception_map = original_slurp() for item in batched_items: item.arn = ARN_PREFIX + ":iam::012345678910:role/{}".format( item.name) item.config["Arn"] = item.arn item.config["RoleId"] = item.name # Need this to stay the same return batched_items, exception_map watcher.slurp_list = mock_slurp_list watcher.slurp = mock_slurp manual_run_change_finder([test_account.name], [watcher.index]) assert mock_fix_orphaned.called # Check that all items were added to the DB: assert len(Item.query.all()) == 11 # Check that we have exactly 11 item revisions: assert len(ItemRevision.query.all()) == 11 # Check that there are audit issues for all 11 items: assert len(ItemAudit.query.all()) == 11 # Delete one of the items: # Moto lacks implementation for "delete_role" (and I'm too lazy to submit a PR :D) -- so need to create again... mock_iam().stop() mock_sts().stop() self.add_roles(initial=False) # Run the it again: watcher.current_account = None # Need to reset the watcher manual_run_change_finder([test_account.name], [watcher.index]) # Check that nothing new was added: assert len(Item.query.all()) == 11 # There should be the same number of issues and 2 more revisions: assert len(ItemAudit.query.all()) == 11 assert len(ItemRevision.query.all()) == 13 # Check that the deleted roles show as being inactive: ir = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)) \ .filter(Item.arn.in_( [ARN_PREFIX + ":iam::012345678910:role/roleNumber9", ARN_PREFIX + ":iam::012345678910:role/roleNumber10"])).all() assert len(ir) == 2 assert not ir[0].active assert not ir[1].active # Finally -- test with a slurp list exception (just checking that things don't blow up): import security_monkey.watchers.iam.iam_role old_list_roles = security_monkey.watchers.iam.iam_role.list_roles def mock_slurp_list_with_exception(): security_monkey.watchers.iam.iam_role.list_roles = lambda **kwargs: 1 / 0 items, exception_map = original_slurp_list() assert len(exception_map) > 0 return items, exception_map watcher.slurp_list = mock_slurp_list_with_exception watcher.current_account = None # Need to reset the watcher manual_run_change_finder([test_account.name], [watcher.index]) security_monkey.task_scheduler.tasks.get_monitors = old_get_monitors security_monkey.watchers.iam.iam_role.list_roles = old_list_roles mock_iam().stop() mock_sts().stop()
def iam(aws_credentials): with mock_iam(): yield boto3.client("iam", region_name="us-east-1")
def create_release_store(self, project_id): with moto.mock_dynamodb2(), moto.mock_sts(), moto.mock_iam(): yield DynamoReleaseStore( project_id=project_id, region_name="eu-west-1", role_arn="arn:aws:iam::0123456789:role/example_role")
def iam(aws_creds): with moto.mock_iam(): yield boto3.resource('iam')
def setUp(self): with warnings.catch_warnings(): warnings.filterwarnings("ignore", category=DeprecationWarning) self.mock_kms = mock_kms() self.mock_iam = mock_iam() self.mock_ecr = mock_ecr() self.mock_kms.start() self.mock_ecr.start() self.mock_iam.start() self.current_account_id = "123456789012" # Set up KMS keys in 3 regions self.ue1_kms_client = get_boto3_client(profile=None, service="kms", region="us-east-1") self.ue2_kms_client = get_boto3_client(profile=None, service="kms", region="us-east-2") self.euw1_kms_client = get_boto3_client(profile=None, service="kms", region="eu-west-1") region = "us-east-1" self.iam_client = get_boto3_client(profile=None, service="iam", region=region) # self.iam_client = get_boto3_client(profile=None, service="iam", region="us-east-1") self.uw1_ecr_client = get_boto3_client(profile=None, service="ecr", region="us-west-1") # Get the ARNs so you can test them later self.ue1_key_arn = self.ue1_kms_client.create_key( )["KeyMetadata"]["Arn"] self.ue2_key_arn = self.ue2_kms_client.create_key( )["KeyMetadata"]["Arn"] self.euw1_key_arn = self.euw1_kms_client.create_key( )["KeyMetadata"]["Arn"] iam_role = self.iam_client.create_role( RoleName="yolo", AssumeRolePolicyDocument=json.dumps( constants.EC2_ASSUME_ROLE_POLICY)) self.iam_role_arn = iam_role["Role"]["Arn"] self.ecr_arn = self.uw1_ecr_client.create_repository( repositoryName="alpine")["repository"]["repositoryArn"] # Create the objects that will store our results self.service_resources_single_region = ServiceResourcesSingleRegion( user_provided_service="kms", region="us-east-1", current_account_id=self.current_account_id, profile=None, cloak=False) self.service_resources_multi_region = ServiceResourcesMultiRegion( user_provided_service="kms", user_provided_region="all", current_account_id=self.current_account_id, profile=None, cloak=False) # Let's exclude all the services that do not match the ones we specified above. # That way, we can avoid an issue where moto tries to make API calls it does not support excluded_services = [] for supported_service in constants.SUPPORTED_AWS_SERVICES: if supported_service not in ["all", "iam", "ecr", "kms"]: excluded_services.append(supported_service) print(f"Excluded services: {excluded_services}") self.resource_results = ResourceResults( user_provided_service="all", user_provided_region="all", current_account_id=self.current_account_id, profile=None, cloak=False, excluded_names=[], excluded_services=excluded_services)
def iam(sts, conn_dict): with mock_iam(): yield boto3_cached_conn("iam", **conn_dict)
def sim_iam(): mock_iam_instance = mock_iam() mock_iam_instance.start() # Create a user and role with attached policies user = clients.iam_resource.create_user(UserName='******') group = clients.iam_resource.create_group(GroupName='testgroup') group_policy = clients.iam_resource.create_policy( PolicyName='group-managed-policy', PolicyDocument=utils.make_iam_policy([{ 'Action': 'iam:CreatePolicyVersion', 'Resource': '*', 'Effect': 'Allow' }, { 'Action': 'iam:ListPolicyVersions', 'Resource': '*', 'Effect': 'Allow' }])) group.attach_policy(PolicyArn=group_policy.arn) group.create_policy(PolicyName='group-policy', PolicyDocument=utils.make_iam_policy([{ 'Action': 'iam:PutGroupPolicy', 'Resource': '*', 'Effect': 'Allow' }])) user.add_group(GroupName='testgroup') user_policy = clients.iam_resource.create_policy( PolicyName='user-managed-policy', PolicyDocument=utils.make_iam_policy([{ 'Action': 'iam:CreatePolicy', 'Resource': '*', 'Effect': 'Allow' }])) user.attach_policy(PolicyArn=user_policy.arn) user.create_policy(PolicyName='user-policy', PolicyDocument=utils.make_iam_policy([{ 'Action': 'iam:PutUserPolicy', 'Resource': '*', 'Effect': 'Allow' }])) role = clients.iam_resource.create_role( RoleName='trl', AssumeRolePolicyDocument=utils.make_iam_policy([{ 'Effect': 'Allow', 'Principal': { 'Service': ['ec2.amazonaws.com'] }, 'Action': ['sts:AssumeRole'] }])) role_policy = clients.iam_resource.create_policy( PolicyName='role-managed-policy', PolicyDocument=utils.make_iam_policy([ { 'Action': 'iam:ListPolicyVersions', 'Resource': '*', 'Effect': 'Allow' }, { 'Action': 's3:*', 'Resource': '*', 'Effect': 'Deny' }, ])) role.attach_policy(PolicyArn=role_policy.arn) role.Policy('role-policy').put( PolicyDocument=utils.make_iam_policy([{ 'Action': 'iam:PutRolePolicy', 'Resource': '*', 'Effect': 'Allow' }])) yield mock_iam_instance.stop()
def iam_client(aws_credentials): """Yield a mock IAM client that will not affect a real AWS account.""" with mock_iam(): yield boto3.client("iam", region_name=AWS_REGION)
def test_report_batch_changes(self): from security_monkey.alerter import Alerter from security_monkey.reporter import Reporter from security_monkey.datastore import Item, ItemRevision, ItemAudit from security_monkey.monitors import Monitor from security_monkey.watchers.iam.iam_role import IAMRole from security_monkey.auditors.iam.iam_role import IAMRoleAuditor account_type_result = AccountType.query.filter(AccountType.name == "AWS").one() db.session.add(account_type_result) db.session.commit() test_account = Account(name="TEST_ACCOUNT") watcher = IAMRole(accounts=[test_account.name]) db.session.commit() watcher.batched_size = 3 # should loop 4 times self.add_roles() # Set up the monitor: batched_monitor = Monitor(IAMRole, test_account) batched_monitor.watcher = watcher batched_monitor.auditors = [IAMRoleAuditor(accounts=[test_account.name])] # Set up the Reporter: import security_monkey.reporter old_all_monitors = security_monkey.reporter.all_monitors security_monkey.reporter.all_monitors = lambda x, y: [] test_reporter = Reporter() test_reporter.all_monitors = [batched_monitor] test_reporter.account_alerter = Alerter(watchers_auditors=test_reporter.all_monitors, account=test_account.name) import security_monkey.scheduler # import security_monkey.monitors # old_get_monitors = security_monkey.scheduler.get_monitors security_monkey.scheduler.get_monitors = lambda x, y, z: [batched_monitor] # Moto screws up the IAM Role ARN -- so we need to fix it: original_slurp_list = watcher.slurp_list original_slurp = watcher.slurp def mock_slurp_list(): exception_map = original_slurp_list() for item in watcher.total_list: item["Arn"] = "arn:aws:iam::012345678910:role/{}".format(item["RoleName"]) return exception_map def mock_slurp(): batched_items, exception_map = original_slurp() for item in batched_items: item.arn = "arn:aws:iam::012345678910:role/{}".format(item.name) item.config["Arn"] = item.arn item.config["RoleId"] = item.name # Need this to stay the same return batched_items, exception_map watcher.slurp_list = mock_slurp_list watcher.slurp = mock_slurp test_reporter.run(account=test_account.name) # Check that all items were added to the DB: assert len(Item.query.all()) == 11 # Check that we have exactly 11 item revisions: assert len(ItemRevision.query.all()) == 11 # Check that there are audit issues for all 11 items: assert len(ItemAudit.query.all()) == 11 mock_iam().stop() mock_sts().stop() # Something isn't cleaning itself up properly and causing other core tests to fail. # This is the solution: security_monkey.reporter.all_monitors = old_all_monitors import monitor_mock security_monkey.scheduler.get_monitors = monitor_mock.mock_get_monitors
def iam(aws_credentials): """Get mocked API for AWS IAM""" with mock_iam(): yield boto3.resource('iam')