def pre_test_setup(self):
account_type_result = AccountType.query.filter(
AccountType.name == 'AWS').first()
if not account_type_result:
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
self.account = Account(identifier="012345678910",
name="testing",
active=True,
third_party=False,
account_type_id=account_type_result.id)
self.technology = Technology(name="s3")
self.item = Item(region="us-west-2",
name="somebucket",
arn=ARN_PREFIX + ":s3:::somebucket",
technology=self.technology,
account=self.account)
db.session.add(self.account)
db.session.add(self.technology)
db.session.add(self.item)
db.session.commit()
mock_s3().start()
client = boto3.client("s3")
client.create_bucket(Bucket="somebucket")
client.create_bucket(Bucket="someotherbucket")
client.create_bucket(Bucket="someotherbucket2")
def pre_test_setup(self):
self.account_type = AccountType(name="GitHub")
db.session.add(self.account_type)
db.session.commit()
db.session.add(
Account(name="octocat",
account_type_id=self.account_type.id,
identifier="octocat",
active=True,
third_party=False))
self.technology = Technology(name="repository")
db.session.add(self.technology)
db.session.commit()
self.gh_items = [
GitHubOrgItem(account="octocat",
name="Hello-World",
arn="octocat/Hello-World",
config=CONFIG_ONE),
GitHubOrgItem(account="octocat",
name="Repo-Private",
arn="octocat/Repo-Private",
config=CONFIG_TWO),
]
def pre_test_setup(self):
RDSSnapshotAuditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear()
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
# main
account = Account(identifier="123456789123",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
# friendly
account2 = Account(identifier="222222222222",
name="TEST_ACCOUNT_TWO",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT_TWO",
third_party=False,
active=True)
# third party
account3 = Account(identifier="333333333333",
name="TEST_ACCOUNT_THREE",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT_THREE",
third_party=True,
active=True)
db.session.add(account)
db.session.add(account2)
db.session.add(account3)
db.session.commit()
def _setup_one_two_revisions(self):
account_type_result = AccountType.query.filter(AccountType.name == 'AWS').first()
if not account_type_result:
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
account = Account(number="012345678910", name="testing",
s3_name="testing", role_name="SecurityMonkey",
account_type_id=account_type_result.id)
technology = Technology(name="iamrole")
item = Item(region="us-west-2", name="testrole",
arn="arn:aws:iam::012345678910:role/testrole", technology=technology,
account=account)
self.now = datetime(2016, 11, 3)
self.yesterday = self.now - timedelta(days=1)
item.revisions.append(ItemRevision(active=True, config={}, date_created=self.now))
item.revisions.append(ItemRevision(active=True, config={}, date_created=self.yesterday))
db.session.add(account)
db.session.add(technology)
db.session.add(item)
db.session.commit()
items = Item.query.all()
for item in items:
latest_revision = item.revisions.first()
item.latest_revision_id = latest_revision.id
db.session.add(item)
db.session.commit()
def pre_test_setup(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
account = Account(identifier="012345678910", name="TEST_ACCOUNT1",
account_type_id=account_type_result.id, notes="TEST_ACCOUNT1",
third_party=False, active=True)
db.session.add(account)
account = Account(identifier="123123123123", name="TEST_ACCOUNT2",
account_type_id=account_type_result.id, notes="TEST_ACCOUNT2",
third_party=False, active=True)
db.session.add(account)
account = Account(identifier="109876543210", name="TEST_ACCOUNT3",
account_type_id=account_type_result.id, notes="TEST_ACCOUNT3",
third_party=False, active=False)
db.session.add(account)
account = Account(identifier="456456456456", name="TEST_ACCOUNT4",
account_type_id=account_type_result.id, notes="TEST_ACCOUNT4",
third_party=False, active=False)
db.session.add(account)
db.session.commit()
RUNTIME_WATCHERS.clear()
RUNTIME_AUDIT_COUNTS.clear()
def pre_test_setup(self):
# Delete any remaining test cruft:
if app.config.get("GITHUB_CREDENTIALS"):
del app.config["GITHUB_CREDENTIALS"]
self.account_type = AccountType(name="GitHub")
self.accounts = []
db.session.add(self.account_type)
db.session.commit()
# Tests need to be run from the working dir such that `security_monkey/tests/utilities/templates/github_creds`
# can be found!
for x in ["one", "two", "three"]:
account = Account(name="Org-{}".format(x),
account_type_id=self.account_type.id,
identifier="Org-{}".format(x),
active=True)
account.custom_fields.append(
AccountTypeCustomValues(name="access_token_file",
value="security_monkey/tests/"
"utilities/templates/github_creds"))
db.session.add(account)
self.accounts.append(account)
db.session.commit()
def pre_test_setup(self):
self.gh_items = [
GitHubOrgItem(account="Netflix",
name="Netflix",
arn="Netflix",
config=CONFIG_ONE),
GitHubOrgItem(account="Netflix-PRIVATE",
name="Netflix-PRIVATE",
arn="Netflix-PRIVATE",
config=CONFIG_TWO),
]
self.account_type = AccountType(name="GitHub")
db.session.add(self.account_type)
db.session.commit()
db.session.add(
Account(name="Netflix",
account_type_id=self.account_type.id,
identifier="Netflix",
active=True,
third_party=False))
db.session.add(
Account(name="Netflix-PRIVATE",
account_type_id=self.account_type.id,
identifier="Netflix-PRIVATE",
active=True,
third_party=False))
self.technology = Technology(name="organization")
db.session.add(self.technology)
db.session.commit()
def pre_test_setup(self):
self.gh_items = [
GitHubTeamItem(account="Org-one",
name="Org-one",
arn="Org-one",
config=CONFIG_ONE),
GitHubTeamItem(account="Org-one",
name="Org-one",
arn="Org-one",
config=CONFIG_TWO),
]
self.account_type = AccountType(name="GitHub")
db.session.add(self.account_type)
db.session.commit()
db.session.add(
Account(name="Org-one",
account_type_id=self.account_type.id,
identifier="Org-one",
active=True,
third_party=False))
self.technology = Technology(name="team")
db.session.add(self.technology)
db.session.commit()
def _setup_account(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
account = Account(identifier="012345678910",
name="test_account",
account_type_id=account_type_result.id)
db.session.add(account)
db.session.commit()
def setup_db(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
self.account = Account(identifier="012345678910", name="testing",
account_type_id=account_type_result.id)
self.technology = Technology(name="iamrole")
db.session.add(self.account)
db.session.add(self.technology)
db.session.commit()
def pre_test_setup(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
self.account = Account(identifier="012345678910",
name="testing",
third_party=False,
active=True,
account_type_id=account_type_result.id)
self.technology = Technology(name="iamrole")
self.total_roles = 75
db.session.add(self.account)
db.session.add(self.technology)
db.session.commit()
mock_iam().start()
client = boto3.client("iam")
aspd = {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}]
}
policy = {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "*",
"Resource": "*"
}]
}
for x in range(0, self.total_roles):
# Create the IAM Role via Moto:
aspd["Statement"][0][
"Resource"] = ARN_PREFIX + "arn:aws:iam:012345678910:role/roleNumber{}".format(
x)
client.create_role(Path="/",
RoleName="roleNumber{}".format(x),
AssumeRolePolicyDocument=json.dumps(aspd,
indent=4))
client.put_role_policy(RoleName="roleNumber{}".format(x),
PolicyName="testpolicy",
PolicyDocument=json.dumps(policy, indent=4))
def pre_test_setup(self):
self.es_items = [
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test",
config=CONFIG_ONE),
ElasticSearchServiceItem(region="us-west-2",
account="TEST_ACCOUNT",
name="es_test_2",
config=CONFIG_TWO),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_3",
config=CONFIG_THREE),
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test_4",
config=CONFIG_FOUR),
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test_5",
config=CONFIG_FIVE),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_6",
config=CONFIG_SIX),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_7",
config=CONFIG_SEVEN),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_8",
config=CONFIG_EIGHT),
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test_9",
config=CONFIG_NINE),
]
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
account = Account(identifier="012345678910",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
db.session.add(account)
db.session.commit()
def pre_test_setup(self):
account_result = Account.query.filter(
Account.name == 'TEST_ACCOUNT').first()
if not account_result:
account_type = AccountType(name='AWS')
db.session.add(account_type)
db.session.commit()
account_result = Account(name='TEST_ACCOUNT',
identifier='012345678910',
account_type_id=account_type.id)
db.session.add(account_result)
db.session.commit()
def pre_test_setup(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
self.account = Account(identifier="012345678910",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
db.session.add(self.account)
db.session.commit()
def pre_test_setup(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
account = Account(identifier="012345678910", name="TEST_ACCOUNT",
account_type_id=account_type_result.id, notes="TEST_ACCOUNT",
third_party=False, active=True)
db.session.add(account)
db.session.commit()
mock_file_system.clear()
build_mock_result(watcher_configs, [])
def amazon_accounts():
""" Pre-populates standard AWS owned accounts """
import os
import json
from security_monkey.datastore import Account, AccountType
data_file = os.path.join(os.path.dirname(__file__), "data",
"aws_accounts.json")
data = json.load(open(data_file, 'r'))
app.logger.info('Adding / updating Amazon owned accounts')
try:
account_type_result = AccountType.query.filter(
AccountType.name == 'AWS').first()
if not account_type_result:
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
db.session.refresh(account_type_result)
for group, info in data.items():
for aws_account in info['accounts']:
acct_name = "{group} ({region})".format(
group=group, region=aws_account['region'])
account = Account.query.filter(
Account.number == aws_account['account_id']).first()
if not account:
app.logger.debug(
' Adding account {0}'.format(acct_name))
account = Account()
else:
app.logger.debug(
' Updating account {0}'.format(acct_name))
account.number = aws_account['account_id']
account.identifier = aws_account['account_id']
account.account_type_id = account_type_result.id
account.active = False
account.third_party = True
account.name = acct_name
account.notes = info['url']
db.session.add(account)
db.session.commit()
app.logger.info('Finished adding Amazon owned accounts')
except Exception as e:
app.logger.exception("An error occured while adding accounts")
store_exception("manager-amazon-accounts", None, e)
def pre_test_setup(self):
self.account_type = AccountType.query.filter(
AccountType.name == 'AWS').first()
if not self.account_type:
self.account_type = AccountType(name='AWS')
db.session.add(self.account_type)
db.session.commit()
self.test_account = Account(type=self.account_type,
name="test_account",
identifier="012345678910")
self.technology = Technology(name="testtech")
db.session.add(self.test_account)
db.session.add(self.technology)
db.session.commit()
def pre_test_setup(self):
SecurityGroupAuditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear()
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
# main
account = Account(identifier="123456789123",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
db.session.add(account)
db.session.commit()
def pre_test_setup(self):
self.account_type = AccountType(name="GitHub")
db.session.add(self.account_type)
db.session.commit()
app.config["GITHUB_CREDENTIALS"] = {
"Org-one": "token-one",
"FAILURE": "FAILURE",
"Netflix": "token-two"
}
db.session.add(Account(name="Org-one", account_type_id=self.account_type.id,
identifier="Org-one", active=True, third_party=False))
self.technology = Technology(name="repository")
db.session.add(self.technology)
db.session.commit()
def pre_test_setup(self):
account_type_result = AccountType.query.filter(AccountType.name == 'AWS').first()
if not account_type_result:
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
self.account = Account(identifier="012345678910", name="testing",
account_type_id=account_type_result.id)
self.technology = Technology(name="iamrole")
item = Item(region="us-west-2", name="testrole",
arn=ARN_PREFIX + ":iam::012345678910:role/testrole", technology=self.technology,
account=self.account)
db.session.add(self.account)
db.session.add(self.technology)
db.session.add(item)
db.session.commit()
def pre_test_setup(self):
self.account_type = AccountType(name='AWS')
db.session.add(self.account_type)
db.session.commit()
for x in range(0, 9):
db.session.add(
Account(name="account{}".format(x),
account_type_id=self.account_type.id,
identifier="01234567891{}".format(x),
active=True))
db.session.commit()
mock_sts().start()
mock_s3().start()
self.s3_client = boto3.client("s3")
self.s3_client.create_bucket(Bucket="testBucket")
def pre_test_setup(self):
from security_monkey.auditors.iam.iam_role import IAMRoleAuditor
from security_monkey.datastore import Account, AccountType
from security_monkey import db
IAMRoleAuditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear()
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
# main
account = Account(identifier="012345678910",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
# friendly
account2 = Account(identifier="222222222222",
name="TEST_ACCOUNT_TWO",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT_TWO",
third_party=False,
active=True)
# third party
account3 = Account(identifier="333333333333",
name="TEST_ACCOUNT_THREE",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT_THREE",
third_party=True,
active=True)
db.session.add(account)
db.session.add(account2)
db.session.add(account3)
db.session.commit()
def applies_to_account(self, account):
return True
mock_query = MockAccountQuery()
mock_db_session = MockDBSession()
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
test_account.account_type = AccountType(name='AWS')
test_account.third_party = False
test_account.active = True
mock_query.add_account(test_account)
test_account2 = Account()
test_account2.name = "TEST_ACCOUNT2"
test_account2.notes = "TEST ACCOUNT2"
test_account2.s3_name = "TEST_ACCOUNT2"
test_account2.number = "123123123123"
test_account2.role_name = "TEST_ACCOUNT"
test_account2.account_type = AccountType(name='AWS')
test_account2.third_party = False
test_account2.active = True
mock_query.add_account(test_account2)
def pre_test_setup(self):
self.s3_items = [
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket1",
config=CONFIG_ONE),
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket2",
config=CONFIG_TWO),
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT2",
name="bucket3",
config=CONFIG_THREE),
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT3",
name="bucket4",
config=CONFIG_FOUR)
]
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
account = Account(identifier="012345678910",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
account.custom_fields.append(
AccountTypeCustomValues(
name="canonical_id",
value="23984723987489237489237489237489uwedfjhdsjklfhksdf"
"h2389"))
account.custom_fields.append(
AccountTypeCustomValues(name="s3_name", value="test_accnt1"))
account2 = Account(identifier="012345678911",
name="TEST_ACCOUNT2",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT2",
third_party=False,
active=True)
account2.custom_fields.append(
AccountTypeCustomValues(
name="canonical_id",
value="lksdjfilou32890u47238974189237euhuu128937192837189"
"uyh1hr3"))
account2.custom_fields.append(
AccountTypeCustomValues(name="s3_name", value="test_accnt2"))
account3 = Account(identifier="012345678912",
name="TEST_ACCOUNT3",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT3",
third_party=True,
active=True)
account3.custom_fields.append(
AccountTypeCustomValues(
name="canonical_id",
value="dsfhgiouhy23984723789y4riuwhfkajshf91283742389u"
"823723"))
account3.custom_fields.append(
AccountTypeCustomValues(name="s3_name", value="test_accnt3"))
db.session.add(account)
db.session.add(account2)
db.session.add(account3)
db.session.commit()
def pre_test_setup(self):
ResourcePolicyAuditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear()
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
# main
account = Account(identifier="012345678910",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
# friendly
account2 = Account(identifier="222222222222",
name="TEST_ACCOUNT_TWO",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT_TWO",
third_party=False,
active=True)
# third party
account3 = Account(identifier="333333333333",
name="TEST_ACCOUNT_THREE",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT_THREE",
third_party=True,
active=True)
db.session.add(account)
db.session.add(account2)
db.session.add(account3)
db.session.commit()
datastore = Datastore()
# S3
datastore.store('s3',
'us-east-1',
'TEST_ACCOUNT',
'my-test-s3-bucket',
True,
dict(),
arn='arn:aws:s3:::my-test-s3-bucket')
datastore.store('s3',
'us-east-1',
'TEST_ACCOUNT_TWO',
'my-test-s3-bucket-two',
True,
dict(),
arn='arn:aws:s3:::my-test-s3-bucket-two')
datastore.store('s3',
'us-east-1',
'TEST_ACCOUNT_THREE',
'my-test-s3-bucket-three',
True,
dict(),
arn='arn:aws:s3:::my-test-s3-bucket-three')
# IAM User
datastore.store('iamuser',
'us-east-1',
'TEST_ACCOUNT',
'my-test-iam-user',
True,
dict(UserId='AIDA11111111111111111',
UserName='******'),
arn='arn:aws:iam::012345678910:user/my-test-iam-user')
datastore.store(
'iamuser',
'us-east-1',
'TEST_ACCOUNT_TWO',
'my-test-iam-user-two',
True,
dict(UserId='AIDA22222222222222222',
UserName='******'),
arn='arn:aws:iam::222222222222:user/my-test-iam-user-two')
datastore.store(
'iamuser',
'us-east-1',
'TEST_ACCOUNT_THREE',
'my-test-iam-user-three',
True,
dict(UserId='AIDA33333333333333333',
UserName='******'),
arn='arn:aws:iam::333333333333:user/my-test-iam-user-three')
# IAM Role
datastore.store('iamrole',
'us-east-1',
'TEST_ACCOUNT',
'my-test-iam-role',
True,
dict(RoleId='AISA11111111111111111',
RoleName='my-test-iam-role'),
arn='arn:aws:iam::012345678910:role/my-test-iam-role')
datastore.store(
'iamrole',
'us-east-1',
'TEST_ACCOUNT_TWO',
'my-test-iam-role-two',
True,
dict(RoleId='AISA22222222222222222',
RoleName='my-test-iam-role-two'),
arn='arn:aws:iam::222222222222:role/my-test-iam-role-two')
datastore.store(
'iamrole',
'us-east-1',
'TEST_ACCOUNT_THREE',
'my-test-iam-role-three',
True,
dict(RoleId='AISA33333333333333333',
RoleName='my-test-iam-role-three'),
arn='arn:aws:iam::333333333333:role/my-test-iam-role-three')
# NAT Gateway
datastore.store(
'natgateway',
'us-east-1',
'TEST_ACCOUNT',
'my-test-natgateway',
True,
dict(nat_gateway_addresses=[
dict(public_ip='54.11.11.11', private_ip='172.16.11.11')
]),
arn=None) # natgateway has no ARN :(
datastore.store(
'natgateway',
'us-east-1',
'TEST_ACCOUNT_TWO',
'my-test-natgateway-two',
True,
dict(nat_gateway_addresses=[
dict(public_ip='54.22.22.22', private_ip='172.16.22.22')
]),
arn=None) # natgateway has no ARN :(
datastore.store(
'natgateway',
'us-east-1',
'TEST_ACCOUNT_THREE',
'my-test-natgateway-three',
True,
dict(nat_gateway_addresses=[
dict(public_ip='54.33.33.33', private_ip='172.16.33.33')
]),
arn=None) # natgateway has no ARN :(
# VPC
datastore.store(
'vpc',
'us-east-1',
'TEST_ACCOUNT',
'my-test-vpc',
True,
dict(id='vpc-11111111', cidr_block='10.1.1.1/18'),
arn='arn:aws:ec2:us-east-1:012345678910:vpc/vpc-11111111')
datastore.store(
'vpc',
'us-east-1',
'TEST_ACCOUNT_TWO',
'my-test-vpc-two',
True,
dict(id='vpc-22222222', cidr_block='10.2.2.2/18'),
arn='arn:aws:ec2:us-east-1:222222222222:vpc/vpc-22222222')
datastore.store(
'vpc',
'us-east-1',
'TEST_ACCOUNT_THREE',
'my-test-vpc-three',
True,
dict(id='vpc-33333333', cidr_block='10.3.3.3/18'),
arn='arn:aws:ec2:us-east-1:333333333333:vpc/vpc-33333333')
# VPC Service Endpoint (For S3 and things)
datastore.store('endpoint',
'us-east-1',
'TEST_ACCOUNT',
'my-test-vpce',
True,
dict(id='vpce-11111111'),
arn=None) # vpce has no ARN :(
datastore.store('endpoint',
'us-east-1',
'TEST_ACCOUNT_TWO',
'my-test-vpce-two',
True,
dict(id='vpce-22222222'),
arn=None) # vpce has no ARN :(
datastore.store('endpoint',
'us-east-1',
'TEST_ACCOUNT_THREE',
'my-test-vpce-three',
True,
dict(id='vpce-33333333'),
arn=None) # vpce has no ARN :(
def pre_test_setup(self):
ElasticSearchServiceAuditor(
accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear()
self.es_items = [
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test",
config=CONFIG_ONE),
ElasticSearchServiceItem(region="us-west-2",
account="TEST_ACCOUNT",
name="es_test_2",
config=CONFIG_TWO),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_3",
config=CONFIG_THREE),
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test_4",
config=CONFIG_FOUR),
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test_5",
config=CONFIG_FIVE),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_6",
config=CONFIG_SIX),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_7",
config=CONFIG_SEVEN),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_8",
config=CONFIG_EIGHT),
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test_9",
config=CONFIG_NINE),
]
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
account = Account(identifier="012345678910",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
db.session.add(account)
db.session.commit()
# Add some test network whitelists into this:
# es_auditor.network_whitelist = []
WHITELIST_CIDRS = [
("Test one", "192.168.1.1/32"),
("Test two", "100.0.0.0/16"),
]
for cidr in WHITELIST_CIDRS:
whitelist_cidr = NetworkWhitelistEntry()
whitelist_cidr.name = cidr[0]
whitelist_cidr.notes = cidr[0]
whitelist_cidr.cidr = cidr[1]
db.session.add(whitelist_cidr)
db.session.commit()
def test_celery_skipabeat(self, mock_store_exception,
mock_expired_exceptions, mock_account_tech,
mock_purge, mock_setup):
from security_monkey.task_scheduler.beat import setup_the_tasks
from security_monkey.watchers.github.org import GitHubOrg
from security_monkey.auditors.github.org import GitHubOrgAuditor
# Stop the watcher registry from stepping on everyone's toes:
import security_monkey.watcher
import security_monkey.monitors
security_monkey.watcher.watcher_registry = {GitHubOrg.index: GitHubOrg}
security_monkey.monitors.watcher_registry = security_monkey.watcher.watcher_registry
app.config["GITHUB_CREDENTIALS"] = {}
# Set up the monitor:
self.account_type = AccountType(name="GitHub")
db.session.add(self.account_type)
db.session.commit()
app.config["GITHUB_CREDENTIALS"] = {"Org-one": "token-one"}
db.session.add(
Account(name="Org-one",
account_type_id=self.account_type.id,
identifier="Org-one",
active=True,
third_party=False))
self.technology = Technology(name="organization")
db.session.add(self.technology)
db.session.commit()
# Disable the other accounts:
disable_account_1 = Account.query.filter(
Account.name == "TEST_ACCOUNT1").one()
disable_account_2 = Account.query.filter(
Account.name == "TEST_ACCOUNT2").one()
disable_account_1.active = False
disable_account_2.active = False
db.session.add(disable_account_1)
db.session.add(disable_account_2)
db.session.commit()
test_account = Account.query.filter(Account.name == "Org-one").one()
watcher = GitHubOrg(accounts=[test_account.name])
monitor = Monitor(GitHubOrg, test_account)
monitor.watcher = watcher
monitor.auditors = [GitHubOrgAuditor(accounts=[test_account.name])]
# This is externally executed (as in not with Celery):
db.session.add(
WatcherConfig(index=GitHubOrg.index, active=True, interval=0))
db.session.commit()
import security_monkey.task_scheduler.tasks
old_get_monitors = security_monkey.task_scheduler.tasks.get_monitors
security_monkey.task_scheduler.tasks.get_monitors = lambda x, y, z: [
monitor
]
get_interval = mock.Mock()
monitor.watcher.get_interval = get_interval
setup_the_tasks(mock.Mock())
assert mock_setup.called
assert mock_purge.called
assert not mock_store_exception.called
# "apply_async" will NOT be called...
assert not mock_account_tech.apply_async.called
# The ".s" are the scheduled tasks. Too lazy to grab the intervals out.
assert not mock_account_tech.s.called # Will not be called
assert mock_expired_exceptions.s.called
assert mock_expired_exceptions.apply_async.called
# Cleanup:
security_monkey.task_scheduler.tasks.get_monitors = old_get_monitors
disable_account_1.active = True
disable_account_2.active = True
test_account.active = False
db.session.add(disable_account_1)
db.session.add(disable_account_2)
db.session.add(test_account)
db.session.commit()
def pre_test_setup(self):
S3Auditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear()
self.s3_items = [
# Same Account
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket1",
config=CONFIG_ONE),
# ACL with unknown cross account access
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket2",
config=CONFIG_TWO),
# ACL with friendly access
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT2",
name="bucket3",
config=CONFIG_THREE),
# ACL with friendly thirdparty access
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT3",
name="bucket4",
config=CONFIG_FOUR),
# Bucket without a policy
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket5",
config=CONFIG_FOUR),
# Bucket with AllUsers
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket5",
config=CONFIG_FIVE),
# Bucket with AuthenticatedUsers
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket6",
config=CONFIG_SIX),
# Bucket with LogDelivery
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket7",
config=CONFIG_SEVEN),
# Bucket with deprecated friendly short s3 name
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket8",
config=CONFIG_EIGHT),
# Bucket with deprecated thirdparty short s3 name
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket9",
config=CONFIG_NINE)
]
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
# SAME Account
account = Account(identifier="012345678910",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
account.custom_fields.append(
AccountTypeCustomValues(
name="canonical_id",
value="23984723987489237489237489237489uwedfjhdsjklfhksdfh2389"
))
account.custom_fields.append(
AccountTypeCustomValues(name="s3_name", value="test_accnt1"))
# Friendly Account
account2 = Account(identifier="012345678911",
name="TEST_ACCOUNT2",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT2",
third_party=False,
active=True)
account2.custom_fields.append(
AccountTypeCustomValues(
name="canonical_id",
value=
"lksdjfilou32890u47238974189237euhuu128937192837189uyh1hr3"))
account2.custom_fields.append(
AccountTypeCustomValues(name="s3_name", value="test_accnt2"))
# Thirdparty Account
account3 = Account(identifier="012345678912",
name="TEST_ACCOUNT3",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT3",
third_party=True,
active=True)
account3.custom_fields.append(
AccountTypeCustomValues(
name="canonical_id",
value="dsfhgiouhy23984723789y4riuwhfkajshf91283742389u823723"))
account3.custom_fields.append(
AccountTypeCustomValues(name="s3_name", value="test_accnt3"))
db.session.add(account)
db.session.add(account2)
db.session.add(account3)
db.session.commit()
def pre_test_setup(self):
self.account_type = AccountType(name='AWS')
db.session.add(self.account_type)
db.session.commit()
