def pre_test_setup(self):
self.gh_items = [
GitHubOrgItem(account="Netflix",
name="Netflix",
arn="Netflix",
config=CONFIG_ONE),
GitHubOrgItem(account="Netflix-PRIVATE",
name="Netflix-PRIVATE",
arn="Netflix-PRIVATE",
config=CONFIG_TWO),
]
self.account_type = AccountType(name="GitHub")
db.session.add(self.account_type)
db.session.commit()
db.session.add(
Account(name="Netflix",
account_type_id=self.account_type.id,
identifier="Netflix",
active=True,
third_party=False))
db.session.add(
Account(name="Netflix-PRIVATE",
account_type_id=self.account_type.id,
identifier="Netflix-PRIVATE",
active=True,
third_party=False))
self.technology = Technology(name="organization")
db.session.add(self.technology)
db.session.commit()
def pre_test_setup(self):
RDSSnapshotAuditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear()
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
# main
account = Account(identifier="123456789123",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
# friendly
account2 = Account(identifier="222222222222",
name="TEST_ACCOUNT_TWO",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT_TWO",
third_party=False,
active=True)
# third party
account3 = Account(identifier="333333333333",
name="TEST_ACCOUNT_THREE",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT_THREE",
third_party=True,
active=True)
db.session.add(account)
db.session.add(account2)
db.session.add(account3)
db.session.commit()
def pre_test_setup(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
account = Account(identifier="012345678910", name="TEST_ACCOUNT1",
account_type_id=account_type_result.id, notes="TEST_ACCOUNT1",
third_party=False, active=True)
db.session.add(account)
account = Account(identifier="123123123123", name="TEST_ACCOUNT2",
account_type_id=account_type_result.id, notes="TEST_ACCOUNT2",
third_party=False, active=True)
db.session.add(account)
account = Account(identifier="109876543210", name="TEST_ACCOUNT3",
account_type_id=account_type_result.id, notes="TEST_ACCOUNT3",
third_party=False, active=False)
db.session.add(account)
account = Account(identifier="456456456456", name="TEST_ACCOUNT4",
account_type_id=account_type_result.id, notes="TEST_ACCOUNT4",
third_party=False, active=False)
db.session.add(account)
db.session.commit()
RUNTIME_WATCHERS.clear()
RUNTIME_AUDIT_COUNTS.clear()
def pre_test_setup(self):
# Delete any remaining test cruft:
if app.config.get("GITHUB_CREDENTIALS"):
del app.config["GITHUB_CREDENTIALS"]
self.account_type = AccountType(name="GitHub")
self.accounts = []
db.session.add(self.account_type)
db.session.commit()
# Tests need to be run from the working dir such that `security_monkey/tests/utilities/templates/github_creds`
# can be found!
for x in ["one", "two", "three"]:
account = Account(name="Org-{}".format(x),
account_type_id=self.account_type.id,
identifier="Org-{}".format(x),
active=True)
account.custom_fields.append(
AccountTypeCustomValues(name="access_token_file",
value="security_monkey/tests/"
"utilities/templates/github_creds"))
db.session.add(account)
self.accounts.append(account)
db.session.commit()
def pre_test_setup(self):
account_type_result = AccountType.query.filter(
AccountType.name == 'AWS').first()
if not account_type_result:
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
self.account = Account(identifier="012345678910",
name="testing",
active=True,
third_party=False,
account_type_id=account_type_result.id)
self.technology = Technology(name="s3")
self.item = Item(region="us-west-2",
name="somebucket",
arn=ARN_PREFIX + ":s3:::somebucket",
technology=self.technology,
account=self.account)
db.session.add(self.account)
db.session.add(self.technology)
db.session.add(self.item)
db.session.commit()
mock_s3().start()
client = boto3.client("s3")
client.create_bucket(Bucket="somebucket")
client.create_bucket(Bucket="someotherbucket")
client.create_bucket(Bucket="someotherbucket2")
def pre_test_setup(self):
self.account_type = AccountType(name="GitHub")
db.session.add(self.account_type)
db.session.commit()
db.session.add(
Account(name="octocat",
account_type_id=self.account_type.id,
identifier="octocat",
active=True,
third_party=False))
self.technology = Technology(name="repository")
db.session.add(self.technology)
db.session.commit()
self.gh_items = [
GitHubOrgItem(account="octocat",
name="Hello-World",
arn="octocat/Hello-World",
config=CONFIG_ONE),
GitHubOrgItem(account="octocat",
name="Repo-Private",
arn="octocat/Repo-Private",
config=CONFIG_TWO),
]
def test_slurp(self, mock_get):
from security_monkey.watchers.github.org import GitHubOrg
org_watcher = GitHubOrg(accounts=["Org-one"])
result, exc = org_watcher.slurp()
assert exc == {}
assert len(result) == 1
assert result[0].account == "Org-one"
assert result[0].name == "Org-one"
assert result[0].index == "organization"
assert len(ExceptionLogs.query.all()) == 0
# And failures:
db.session.add(
Account(name="FAILURE",
account_type_id=self.account_type.id,
identifier="FAILURE",
active=True,
third_party=False))
db.session.commit()
org_watcher = GitHubOrg(accounts=["FAILURE"])
result, exc = org_watcher.slurp()
assert len(exc) == 1
assert len(ExceptionLogs.query.all()) == 1
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto3.client('lambda', 'us-east-1')
conn.create_function(
FunctionName='testFunction',
Runtime='python2.7',
Role='test-iam-role',
Handler='lambda_function.handler',
Code={
'ZipFile': get_test_zip_file()
},
Description='test lambda function',
Timeout=3,
MemorySize=128,
Publish=True,
)
watcher = LambdaFunction(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(
expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(len(item_list)))
def pre_test_setup(self):
self.gh_items = [
GitHubTeamItem(account="Org-one",
name="Org-one",
arn="Org-one",
config=CONFIG_ONE),
GitHubTeamItem(account="Org-one",
name="Org-one",
arn="Org-one",
config=CONFIG_TWO),
]
self.account_type = AccountType(name="GitHub")
db.session.add(self.account_type)
db.session.commit()
db.session.add(
Account(name="Org-one",
account_type_id=self.account_type.id,
identifier="Org-one",
active=True,
third_party=False))
self.technology = Technology(name="team")
db.session.add(self.technology)
db.session.commit()
def add_account(number,
third_party,
name,
s3_name,
active,
notes,
role_name='SecurityMonkey',
edit=False):
''' Adds an account. If one with the same number already exists, do nothing,
unless edit is True, in which case, override the existing account. Returns True
if an action is taken, False otherwise. '''
query = Account.query
query = query.filter(Account.number == number)
if query.count():
if not edit:
return False
else:
query.delete()
account = Account()
account.name = name
account.s3_name = s3_name
account.number = number
account.role_name = role_name
account.notes = notes
account.active = active
account.third_party = third_party
db.session.add(account)
db.session.commit()
return True
def _setup_one_two_revisions(self):
account_type_result = AccountType.query.filter(AccountType.name == 'AWS').first()
if not account_type_result:
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
account = Account(number="012345678910", name="testing",
s3_name="testing", role_name="SecurityMonkey",
account_type_id=account_type_result.id)
technology = Technology(name="iamrole")
item = Item(region="us-west-2", name="testrole",
arn="arn:aws:iam::012345678910:role/testrole", technology=technology,
account=account)
self.now = datetime(2016, 11, 3)
self.yesterday = self.now - timedelta(days=1)
item.revisions.append(ItemRevision(active=True, config={}, date_created=self.now))
item.revisions.append(ItemRevision(active=True, config={}, date_created=self.yesterday))
db.session.add(account)
db.session.add(technology)
db.session.add(item)
db.session.commit()
items = Item.query.all()
for item in items:
latest_revision = item.revisions.first()
item.latest_revision_id = latest_revision.id
db.session.add(item)
db.session.commit()
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
ec2 = boto3.resource('ec2', region_name='us-east-1')
ec2.create_dhcp_options(DhcpConfigurations=[{
'Key': 'domain-name',
'Values': ['example.com']
}, {
'Key': 'domain-name-servers',
'Values': ['10.0.10.2']
}])
watcher = DHCP(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(
len(item_list)))
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto.connect_route53('the_key', 'the_secret')
zone = conn.create_hosted_zone("testdns.aws.com")
zone_id = zone["CreateHostedZoneResponse"][
"HostedZone"]["Id"].split("/")[-1]
changes = boto.route53.record.ResourceRecordSets(conn, zone_id)
change = changes.add_change("CREATE", "testdns.aws.com", "A")
change.add_value("10.1.1.1")
changes.commit()
watcher = Route53(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(
expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(len(item_list)))
def _setup_account(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
account = Account(identifier="012345678910",
name="test_account",
account_type_id=account_type_result.id)
db.session.add(account)
db.session.commit()
def pre_test_setup(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
self.account = Account(identifier="012345678910",
name="testing",
third_party=False,
active=True,
account_type_id=account_type_result.id)
self.technology = Technology(name="iamrole")
self.total_roles = 75
db.session.add(self.account)
db.session.add(self.technology)
db.session.commit()
mock_iam().start()
client = boto3.client("iam")
aspd = {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}]
}
policy = {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "*",
"Resource": "*"
}]
}
for x in range(0, self.total_roles):
# Create the IAM Role via Moto:
aspd["Statement"][0][
"Resource"] = ARN_PREFIX + "arn:aws:iam:012345678910:role/roleNumber{}".format(
x)
client.create_role(Path="/",
RoleName="roleNumber{}".format(x),
AssumeRolePolicyDocument=json.dumps(aspd,
indent=4))
client.put_role_policy(RoleName="roleNumber{}".format(x),
PolicyName="testpolicy",
PolicyDocument=json.dumps(policy, indent=4))
def setup_db(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
self.account = Account(identifier="012345678910", name="testing",
account_type_id=account_type_result.id)
self.technology = Technology(name="iamrole")
db.session.add(self.account)
db.session.add(self.technology)
db.session.commit()
def pre_test_setup(self):
self.es_items = [
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test",
config=CONFIG_ONE),
ElasticSearchServiceItem(region="us-west-2",
account="TEST_ACCOUNT",
name="es_test_2",
config=CONFIG_TWO),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_3",
config=CONFIG_THREE),
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test_4",
config=CONFIG_FOUR),
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test_5",
config=CONFIG_FIVE),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_6",
config=CONFIG_SIX),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_7",
config=CONFIG_SEVEN),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_8",
config=CONFIG_EIGHT),
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test_9",
config=CONFIG_NINE),
]
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
account = Account(identifier="012345678910",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
db.session.add(account)
db.session.commit()
def pre_test_setup(self):
account_result = Account.query.filter(
Account.name == 'TEST_ACCOUNT').first()
if not account_result:
account_type = AccountType(name='AWS')
db.session.add(account_type)
db.session.commit()
account_result = Account(name='TEST_ACCOUNT',
identifier='012345678910',
account_type_id=account_type.id)
db.session.add(account_result)
db.session.commit()
def pre_test_setup(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
account = Account(identifier="012345678910", name="TEST_ACCOUNT",
account_type_id=account_type_result.id, notes="TEST_ACCOUNT",
third_party=False, active=True)
db.session.add(account)
db.session.commit()
mock_file_system.clear()
build_mock_result(watcher_configs, [])
def setUp(self):
self.es_items = [
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test",
config=CONFIG_ONE),
ElasticSearchServiceItem(region="us-west-2",
account="TEST_ACCOUNT",
name="es_test_2",
config=CONFIG_TWO),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_3",
config=CONFIG_THREE),
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test_4",
config=CONFIG_FOUR),
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test_5",
config=CONFIG_FIVE),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_6",
config=CONFIG_SIX),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_7",
config=CONFIG_SEVEN),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_8",
config=CONFIG_EIGHT),
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test_9",
config=CONFIG_NINE),
]
# Add the fake source account into the database:
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
db.session.add(test_account)
db.session.commit()
def pre_test_setup(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
self.account = Account(identifier="012345678910",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
db.session.add(self.account)
db.session.commit()
def amazon_accounts():
""" Pre-populates standard AWS owned accounts """
import os
import json
from security_monkey.datastore import Account, AccountType
data_file = os.path.join(os.path.dirname(__file__), "data",
"aws_accounts.json")
data = json.load(open(data_file, 'r'))
app.logger.info('Adding / updating Amazon owned accounts')
try:
account_type_result = AccountType.query.filter(
AccountType.name == 'AWS').first()
if not account_type_result:
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
db.session.refresh(account_type_result)
for group, info in data.items():
for aws_account in info['accounts']:
acct_name = "{group} ({region})".format(
group=group, region=aws_account['region'])
account = Account.query.filter(
Account.number == aws_account['account_id']).first()
if not account:
app.logger.debug(
' Adding account {0}'.format(acct_name))
account = Account()
else:
app.logger.debug(
' Updating account {0}'.format(acct_name))
account.number = aws_account['account_id']
account.identifier = aws_account['account_id']
account.account_type_id = account_type_result.id
account.active = False
account.third_party = True
account.name = acct_name
account.notes = info['url']
db.session.add(account)
db.session.commit()
app.logger.info('Finished adding Amazon owned accounts')
except Exception as e:
app.logger.exception("An error occured while adding accounts")
store_exception("manager-amazon-accounts", None, e)
def test_fetch_aws_canonical_ids_command(self):
accounts = Account.query.all()
fetch_aws_canonical_ids(False)
for account in accounts:
assert len(account.custom_fields) == 1
assert account.custom_fields[0].name == "canonical_id"
assert account.custom_fields[
0].value == "bcaf1ffd86f41161ca5fb16fd081034f" # Default from moto.
# Make it something else to test overrides:
account.custom_fields[0].value = "replaceme"
db.session.add(account)
db.session.commit()
# Test without override (nothing should be changed):
fetch_aws_canonical_ids(False)
for account in accounts:
assert len(account.custom_fields) == 1
assert account.custom_fields[0].name == "canonical_id"
assert account.custom_fields[0].value == "replaceme"
# Test override:
fetch_aws_canonical_ids(True)
for account in accounts:
assert len(account.custom_fields) == 1
assert account.custom_fields[0].name == "canonical_id"
assert account.custom_fields[
0].value == "bcaf1ffd86f41161ca5fb16fd081034f" # Default from moto.
# Create an inactive account:
inactive = Account(name="inactive",
account_type_id=self.account_type.id,
identifier="109876543210")
db.session.add(inactive)
db.session.commit()
# Run the change again:
fetch_aws_canonical_ids(True)
# Ensure that nothing happened to the inactive account:
assert len(inactive.custom_fields) == 0
# Also verify that no exceptions were encountered:
assert len(ExceptionLogs.query.all()) == 0
mock_sts().stop()
mock_s3().stop()
def pre_test_setup(self):
self.account_type = AccountType.query.filter(
AccountType.name == 'AWS').first()
if not self.account_type:
self.account_type = AccountType(name='AWS')
db.session.add(self.account_type)
db.session.commit()
self.test_account = Account(type=self.account_type,
name="test_account",
identifier="012345678910")
self.technology = Technology(name="testtech")
db.session.add(self.test_account)
db.session.add(self.technology)
db.session.commit()
def test_slurp(self, mock_get):
db.session.add(Account(name="Netflix", account_type_id=self.account_type.id,
identifier="Netflix", active=True, third_party=False))
db.session.commit()
repo_watcher = GitHubRepo(accounts=["Netflix"])
repo_watcher.slurp_list()
result, exc = repo_watcher.slurp()
assert len(result) == 2
assert result[0].account == "Netflix"
assert result[0].arn == "Netflix/security_monkey"
assert result[0].index == "repository"
assert len(exc) == 0
assert len(ExceptionLogs.query.all()) == 0
def pre_test_setup(self):
from security_monkey.auditors.iam.iam_role import IAMRoleAuditor
from security_monkey.datastore import Account, AccountType
from security_monkey import db
IAMRoleAuditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear()
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
# main
account = Account(identifier="012345678910",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
# friendly
account2 = Account(identifier="222222222222",
name="TEST_ACCOUNT_TWO",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT_TWO",
third_party=False,
active=True)
# third party
account3 = Account(identifier="333333333333",
name="TEST_ACCOUNT_THREE",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT_THREE",
third_party=True,
active=True)
db.session.add(account)
db.session.add(account2)
db.session.add(account3)
db.session.commit()
def pre_test_setup(self):
self.account_type = AccountType(name="GitHub")
db.session.add(self.account_type)
db.session.commit()
app.config["GITHUB_CREDENTIALS"] = {
"Org-one": "token-one",
"FAILURE": "FAILURE",
"Netflix": "token-two"
}
db.session.add(Account(name="Org-one", account_type_id=self.account_type.id,
identifier="Org-one", active=True, third_party=False))
self.technology = Technology(name="repository")
db.session.add(self.technology)
db.session.commit()
def test_get_creds_file(self):
# Load the creds file:
creds = get_github_creds(["Org-one", "Org-two", "Org-three"])
for x in ["one", "two", "three"]:
assert creds["Org-{}".format(x)] == "token-{}".format(x)
# And without one specified:
db.session.add(
Account(name="Org-BAD",
account_type_id=self.account_type.id,
identifier="Org-BAD",
active=True))
db.session.commit()
with self.assertRaises(GitHubCredsError) as _:
get_github_creds(["Org-BAD"])
def pre_test_setup(self):
SecurityGroupAuditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear()
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
# main
account = Account(identifier="123456789123",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
db.session.add(account)
db.session.commit()
def test_slurp_list(self, mock_get):
repo_watcher = GitHubRepo(accounts=["Org-one"])
result, exc = repo_watcher.slurp_list()
assert exc == {}
assert len(result) == len(repo_watcher.total_list) == 2
assert result[0]["name"] == "security_monkey"
assert result[1]["name"] == "hubcommander"
assert len(ExceptionLogs.query.all()) == 0
# And failures:
db.session.add(Account(name="FAILURE", account_type_id=self.account_type.id,
identifier="FAILURE", active=True, third_party=False))
db.session.commit()
repo_watcher = GitHubRepo(accounts=["FAILURE"])
result, exc = repo_watcher.slurp()
assert len(exc) == 1
assert len(ExceptionLogs.query.all()) == 1
