def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto.connect_route53('the_key', 'the_secret')
zone = conn.create_hosted_zone("testdns.aws.com")
zone_id = zone["CreateHostedZoneResponse"][
"HostedZone"]["Id"].split("/")[-1]
changes = boto.route53.record.ResourceRecordSets(conn, zone_id)
change = changes.add_change("CREATE", "testdns.aws.com", "A")
change.add_value("10.1.1.1")
changes.commit()
watcher = Route53(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(
expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(len(item_list)))
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto3.client('lambda', 'us-east-1')
conn.create_function(
FunctionName='testFunction',
Runtime='python2.7',
Role='test-iam-role',
Handler='lambda_function.handler',
Code={
'ZipFile': get_test_zip_file()
},
Description='test lambda function',
Timeout=3,
MemorySize=128,
Publish=True,
)
watcher = LambdaFunction(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(
expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(len(item_list)))
def add_account(number,
third_party,
name,
s3_name,
active,
notes,
role_name='SecurityMonkey',
edit=False):
''' Adds an account. If one with the same number already exists, do nothing,
unless edit is True, in which case, override the existing account. Returns True
if an action is taken, False otherwise. '''
query = Account.query
query = query.filter(Account.number == number)
if query.count():
if not edit:
return False
else:
query.delete()
account = Account()
account.name = name
account.s3_name = s3_name
account.number = number
account.role_name = role_name
account.notes = notes
account.active = active
account.third_party = third_party
db.session.add(account)
db.session.commit()
return True
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
ec2 = boto3.resource('ec2', region_name='us-east-1')
ec2.create_dhcp_options(DhcpConfigurations=[{
'Key': 'domain-name',
'Values': ['example.com']
}, {
'Key': 'domain-name-servers',
'Values': ['10.0.10.2']
}])
watcher = DHCP(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(
len(item_list)))
def setUp(self):
self.es_items = [
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test",
config=CONFIG_ONE),
ElasticSearchServiceItem(region="us-west-2",
account="TEST_ACCOUNT",
name="es_test_2",
config=CONFIG_TWO),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_3",
config=CONFIG_THREE),
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test_4",
config=CONFIG_FOUR),
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test_5",
config=CONFIG_FIVE),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_6",
config=CONFIG_SIX),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_7",
config=CONFIG_SEVEN),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_8",
config=CONFIG_EIGHT),
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test_9",
config=CONFIG_NINE),
]
# Add the fake source account into the database:
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
db.session.add(test_account)
db.session.commit()
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto.connect_vpc("the_key", "the secret")
conn.create_vpc("10.0.0.0/16")
watcher = RouteTable(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(expr1=len(item_list), expr2=1, msg="Watcher should have 1 item but has {}".format(len(item_list)))
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto3.client("ec2", "us-east-1")
reservation = conn.run_instances(ImageId="ami-1234abcd", MinCount=1, MaxCount=1)
instance = reservation["Instances"][0]
conn.create_image(InstanceId=instance["InstanceId"], Name="test-ami", Description="this is a test ami")
watcher = EC2Image(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(expr1=len(item_list), expr2=1, msg="Watcher should have 1 item but has {}".format(len(item_list)))
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto.connect_ec2('the_key', 'the_secret')
conn.create_volume(50, "us-east-1a")
watcher = EBSVolume(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(
expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(len(item_list)))
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto3.client('ec2', 'us-east-1')
conn.run_instances(ImageId='ami-1234abcd', MinCount=1, MaxCount=1)
watcher = EC2Instance(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(
expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(len(item_list)))
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto3.client('ec2', 'us-east-1')
conn.run_instances(ImageId='ami-1234abcd', MinCount=1, MaxCount=1)
watcher = EC2Instance(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(
len(item_list)))
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto.rds.connect_to_region('us-east-1')
conn.create_dbsecurity_group('db_sg1', 'DB Security Group')
watcher = RDSSecurityGroup(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(
expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(len(item_list)))
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto.rds.connect_to_region('us-east-1')
conn.create_dbsecurity_group('db_sg1', 'DB Security Group')
watcher = RDSSecurityGroup(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(
len(item_list)))
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto.rds.connect_to_region('us-east-1')
conn.create_dbinstance("db-master-1", 10, 'db.m1.small', 'root',
'hunter2')
watcher = RDSDBInstance(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(
len(item_list)))
def setUp(self):
self.es_items = [
ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test", config=CONFIG_ONE),
ElasticSearchServiceItem(region="us-west-2", account="TEST_ACCOUNT", name="es_test_2", config=CONFIG_TWO),
ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_3", config=CONFIG_THREE),
ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test_4", config=CONFIG_FOUR),
ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test_5", config=CONFIG_FIVE),
ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_6", config=CONFIG_SIX),
ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_7", config=CONFIG_SEVEN),
ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_8", config=CONFIG_EIGHT),
ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test_9", config=CONFIG_NINE),
]
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
def add_account(number, third_party, name, s3_name, active, notes, edit=False):
''' Adds an account. If one with the same number already exists, do nothing,
unless edit is True, in which case, override the existing account. Returns True
if an action is taken, False otherwise. '''
query = Account.query
query = query.filter(Account.number == number)
if query.count():
if not edit:
return False
else:
query.delete()
account = Account()
account.name = name
account.s3_name = s3_name
account.number = number
account.notes = notes
account.active = active
account.third_party = third_party
db.session.add(account)
db.session.commit()
return True
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
vpc_conn = boto.vpc.connect_to_region("us-east-1")
vpc = vpc_conn.create_vpc("10.0.0.0/16")
subnet = vpc_conn.create_subnet(vpc.id, "10.1.0.0/24")
subnet_ids = [subnet.id]
conn = boto.rds.connect_to_region("us-east-1")
conn.create_db_subnet_group("db_subnet", "my db subnet", subnet_ids)
watcher = RDSSubnetGroup(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(expr1=len(item_list), expr2=1, msg="Watcher should have 1 item but has {}".format(len(item_list)))
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto.connect_route53("the_key", "the_secret")
zone = conn.create_hosted_zone("testdns.aws.com")
zone_id = zone["CreateHostedZoneResponse"]["HostedZone"]["Id"].split("/")[-1]
changes = boto.route53.record.ResourceRecordSets(conn, zone_id)
change = changes.add_change("CREATE", "testdns.aws.com", "A")
change.add_value("10.1.1.1")
changes.commit()
watcher = Route53(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(expr1=len(item_list), expr2=1, msg="Watcher should have 1 item but has {}".format(len(item_list)))
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto.connect_vpc('the_key', 'the secret')
vpc = conn.create_vpc("10.0.0.0/16")
peer_vpc = conn.create_vpc("10.0.0.0/16")
conn.create_vpc_peering_connection(vpc.id, peer_vpc.id)
watcher = Peering(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(
len(item_list)))
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
ec2 = boto3.resource('ec2', region_name='us-east-1')
ec2.create_dhcp_options(DhcpConfigurations=[
{'Key': 'domain-name', 'Values': ['example.com']},
{'Key': 'domain-name-servers', 'Values': ['10.0.10.2']}
])
watcher = DHCP(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(
expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(len(item_list)))
def setUp(self):
self.es_items = [
ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test", config=CONFIG_ONE),
ElasticSearchServiceItem(region="us-west-2", account="TEST_ACCOUNT", name="es_test_2", config=CONFIG_TWO),
ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_3", config=CONFIG_THREE),
ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test_4", config=CONFIG_FOUR),
ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test_5", config=CONFIG_FIVE),
ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_6", config=CONFIG_SIX),
ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_7", config=CONFIG_SEVEN),
ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_8", config=CONFIG_EIGHT),
ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test_9", config=CONFIG_NINE),
]
# Add the fake source account into the database:
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
db.session.add(test_account)
db.session.commit()
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
vpc_conn = boto.vpc.connect_to_region("us-east-1")
vpc = vpc_conn.create_vpc("10.0.0.0/16")
subnet = vpc_conn.create_subnet(vpc.id, "10.1.0.0/24")
subnet_ids = [subnet.id]
conn = boto.rds.connect_to_region("us-east-1")
conn.create_db_subnet_group("db_subnet", "my db subnet", subnet_ids)
watcher = RDSSubnetGroup(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(
len(item_list)))
def post(self):
"""
.. http:post:: /api/1/account/
Create a new account.
**Example Request**:
.. sourcecode:: http
POST /api/1/account/ HTTP/1.1
Host: example.com
Accept: application/json
{
'name': 'new_account'
's3_name': 'new_account',
'number': '0123456789',
'notes': 'this account is for ...',
'role_name': 'CustomRole',
'active': true,
'third_party': false
}
**Example Response**:
.. sourcecode:: http
HTTP/1.1 201 Created
Vary: Accept
Content-Type: application/json
{
'name': 'new_account'
's3_name': 'new_account',
'number': '0123456789',
'notes': 'this account is for ...',
'role_name': 'CustomRole',
'active': true,
'third_party': false
}
:statuscode 201: created
:statuscode 401: Authentication Error. Please Login.
"""
auth, retval = __check_auth__(self.auth_dict)
if auth:
return retval
self.reqparse.add_argument('name', required=True, type=unicode, help='Must provide account name', location='json')
self.reqparse.add_argument('s3_name', required=False, type=unicode, help='Will use name if s3_name not provided.', location='json')
self.reqparse.add_argument('number', required=False, type=unicode, help='Add the account number if available.', location='json')
self.reqparse.add_argument('notes', required=False, type=unicode, help='Add context.', location='json')
self.reqparse.add_argument('role_name', required=False, type=unicode, help='Custom role name.', location='json')
self.reqparse.add_argument('active', required=False, type=bool, help='Determines whether this account should be interrogated by security monkey.', location='json')
self.reqparse.add_argument('third_party', required=False, type=bool, help='Determines whether this account is a known friendly third party account.', location='json')
args = self.reqparse.parse_args()
account = Account()
account.name = args['name']
account.s3_name = args.get('s3_name', args['name'])
account.number = args['number']
account.notes = args['notes']
account.active = args['active']
account.third_party = args['third_party']
db.session.add(account)
db.session.commit()
db.session.refresh(account)
marshaled_account = marshal(account.__dict__, ACCOUNT_FIELDS)
marshaled_account['auth'] = self.auth_dict
return marshaled_account, 201
def audit_all_objects(self):
RUNTIME_AUDITORS[self.__class__.__name__].append(self)
def save_issues(self):
pass
mock_query = MockAccountQuery()
mock_db_session = MockDBSession()
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
test_account.third_party = False
test_account.active = True
mock_query.add_account(test_account)
test_account2 = Account()
test_account2.name = "TEST_ACCOUNT2"
test_account2.notes = "TEST ACCOUNT2"
test_account2.s3_name = "TEST_ACCOUNT2"
test_account2.number = "123123123123"
test_account2.role_name = "TEST_ACCOUNT"
test_account2.third_party = False
test_account2.active = True
mock_query.add_account(test_account2)
def post(self):
"""
.. http:post:: /api/1/account/
Create a new account.
**Example Request**:
.. sourcecode:: http
POST /api/1/account/ HTTP/1.1
Host: example.com
Accept: application/json
{
'name': 'new_account'
's3_name': 'new_account',
'number': '0123456789',
'notes': 'this account is for ...',
'active': true,
'third_party': false
}
**Example Response**:
.. sourcecode:: http
HTTP/1.1 201 Created
Vary: Accept
Content-Type: application/json
{
'name': 'new_account'
's3_name': 'new_account',
'number': '0123456789',
'notes': 'this account is for ...',
'active': true,
'third_party': false
}
:statuscode 201: created
:statuscode 401: Authentication Error. Please Login.
"""
auth, retval = __check_auth__(self.auth_dict)
if auth:
return retval
self.reqparse.add_argument('name', required=True, type=unicode, help='Must provide account name', location='json')
self.reqparse.add_argument('s3_name', required=False, type=unicode, help='Will use name if s3_name not provided.', location='json')
self.reqparse.add_argument('number', required=False, type=unicode, help='Add the account number if available.', location='json')
self.reqparse.add_argument('notes', required=False, type=unicode, help='Add context.', location='json')
self.reqparse.add_argument('active', required=False, type=bool, help='Determines whether this account should be interrogated by security monkey.', location='json')
self.reqparse.add_argument('third_party', required=False, type=bool, help='Determines whether this account is a known friendly third party account.', location='json')
args = self.reqparse.parse_args()
name = args['name']
s3_name = args.get('s3_name', name)
number = args.get('number', None)
notes = args.get('notes', None)
active = args.get('active', True)
third_party = args.get('third_party', False)
account = Account()
account.name = name
account.s3_name = s3_name
account.number = number
account.notes = notes
account.active = active
account.third_party = third_party
db.session.add(account)
db.session.commit()
updated_account = Account.query.filter(Account.id == account.id).first()
marshaled_account = marshal(updated_account.__dict__, ACCOUNT_FIELDS)
marshaled_account['auth'] = self.auth_dict
return marshaled_account, 201
def save_issues(self):
pass
def applies_to_account(self, account):
return True
mock_query = MockAccountQuery()
mock_db_session = MockDBSession()
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
test_account.account_type = AccountType(name='AWS')
test_account.third_party = False
test_account.active = True
mock_query.add_account(test_account)
test_account2 = Account()
test_account2.name = "TEST_ACCOUNT2"
test_account2.notes = "TEST ACCOUNT2"
test_account2.s3_name = "TEST_ACCOUNT2"
test_account2.number = "123123123123"
test_account2.role_name = "TEST_ACCOUNT"
test_account2.account_type = AccountType(name='AWS')
test_account2.third_party = False
