def test_clean_stale_issues(self):
from security_monkey.common.audit_issue_cleanup import clean_stale_issues
items = Item.query.all()
assert len(items) == 1
item = items[0]
item.issues.append(ItemAudit(score=1, issue='Test Issue', item_id=item.id,
auditor_setting=AuditorSettings(disabled=False,
technology=self.technology,
account=self.account,
auditor_class='MockAuditor1')))
item.issues.append(ItemAudit(score=1, issue='Issue with missing auditor', item_id=item.id,
auditor_setting=AuditorSettings(disabled=False,
technology=self.technology,
account=self.account,
auditor_class='MissingAuditor')))
db.session.commit()
clean_stale_issues()
items = Item.query.all()
assert len(items) == 1
item = items[0]
assert len(item.issues) == 1
assert item.issues[0].issue == 'Test Issue'
def test_link_to_support_item_issues(self):
auditor = Auditor(accounts=['test_account'])
sub_item_id = 2
issue1_text = 'This is test issue1'
issue2_text = 'This is test issue2'
issue1_score = 10
issue2_score = 5
item = ChangeItem(index='test_index',
account='test_account',
name='item_name')
sub_item = Item(id=sub_item_id,
tech_id=1,
account_id=1,
name='sub_item_name')
sub_item.issues.append(ItemAudit(score=issue1_score,
issue=issue1_text))
sub_item.issues.append(ItemAudit(score=issue2_score,
issue=issue2_text))
auditor.link_to_support_item_issues(item,
sub_item,
issue_message="TEST")
self.assertTrue(len(item.audit_issues) == 1)
new_issue = item.audit_issues[0]
self.assertTrue(new_issue.score == issue1_score + issue2_score)
self.assertTrue(new_issue.issue == "TEST")
self.assertTrue(len(new_issue.sub_items) == 1)
self.assertTrue(new_issue.sub_items[0] == sub_item)
def test_inactivate_old_revisions(self):
from security_monkey.datastore_utils import inactivate_old_revisions, hash_item, persist_item, result_from_item
from security_monkey.datastore import ItemRevision, Item
self.setup_db()
# Need to create 3 items first before we can test deletions:
for x in range(0, 3):
modConf = dict(ACTIVE_CONF)
modConf["name"] = "SomeRole{}".format(x)
modConf["Arn"] = "arn:aws:iam::012345678910:role/SomeRole{}".format(x)
sti = SomeTestItem().from_slurp(modConf, account_name=self.account.name)
# Get the hash:
complete_hash, durable_hash = hash_item(sti.config, [])
# persist:
persist_item(sti, None, self.technology, self.account, complete_hash, durable_hash, True)
db_item = result_from_item(sti, self.account, self.technology)
# Add issues for these items: (just add two for testing purposes)
db.session.add(ItemAudit(score=10,
issue="IAM Role has full admin permissions.",
notes=json.dumps(sti.config),
item_id=db_item.id))
db.session.add(ItemAudit(score=9001, issue="Some test issue", notes="{}", item_id=db_item.id))
db.session.commit()
# Now, actually test for deleted revisions:
arns = [
"arn:aws:iam::012345678910:role/SomeRole", # <-- Does not exist in the list
"arn:aws:iam::012345678910:role/SomeRole0", # <-- Does exist -- should not get deleted
]
inactivate_old_revisions(SomeWatcher(), arns, self.account, self.technology)
# Check that SomeRole1 and SomeRole2 are marked as inactive:
for x in range(1, 3):
item_revision = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)).filter(
Item.arn == "arn:aws:iam::012345678910:role/SomeRole{}".format(x),
).one()
assert not item_revision.active
# Check that there are no issues associated with this item:
assert len(ItemAudit.query.filter(ItemAudit.item_id == item_revision.item_id).all()) == 0
# Check that the SomeRole0 is still OK:
item_revision = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)).filter(
Item.arn == "arn:aws:iam::012345678910:role/SomeRole0".format(x),
).one()
assert len(ItemAudit.query.filter(ItemAudit.item_id == item_revision.item_id).all()) == 2
assert item_revision.active
def test_from_items(self):
issue = ItemAudit()
issue.score = 1
issue.justified = True
issue.issue = 'test issue'
issue.justification = 'test justification'
old_item_w_issues = ChangeItem(index='testtech', region='us-west-2', account='testaccount',
new_config=CONFIG_1, active=True, audit_issues=[issue])
old_item_wo_issues = ChangeItem(index='testtech', region='us-west-2', account='testaccount',
new_config=CONFIG_1, active=True)
new_item = ChangeItem(index='testtech', region='us-west-2', account='testaccount', new_config=CONFIG_2,
active=True)
merged_item_w_issues = ChangeItem.from_items(old_item=old_item_w_issues, new_item=new_item)
merged_item_wo_issues = ChangeItem.from_items(old_item=old_item_wo_issues, new_item=new_item)
assert len(merged_item_w_issues.audit_issues) == 1
assert len(merged_item_wo_issues.audit_issues) == 0
def test_from_items(self):
issue = ItemAudit()
issue.score = 1
issue.justified = True
issue.issue = 'test issue'
issue.justification = 'test justification'
old_item_w_issues = ChangeItem(index='testtech',
region='us-west-2',
account='testaccount',
new_config=CONFIG_1,
active=True,
audit_issues=[issue])
old_item_wo_issues = ChangeItem(index='testtech',
region='us-west-2',
account='testaccount',
new_config=CONFIG_1,
active=True)
new_item = ChangeItem(index='testtech',
region='us-west-2',
account='testaccount',
new_config=CONFIG_2,
active=True)
merged_item_w_issues = ChangeItem.from_items(
old_item=old_item_w_issues, new_item=new_item)
merged_item_wo_issues = ChangeItem.from_items(
old_item=old_item_wo_issues, new_item=new_item)
assert len(merged_item_w_issues.audit_issues) == 1
assert len(merged_item_wo_issues.audit_issues) == 0
def test_save_issues(self):
item = Item(region="us-west-2",
name="testitem",
technology=self.technology,
account=self.test_account)
revision = ItemRevision(item=item, config={}, active=True)
item_audit = ItemAudit(item=item, issue="test issue")
db.session.add(item)
db.session.add(revision)
db.session.add(item_audit)
db.session.commit()
auditor = Auditor(accounts=[self.test_account.name])
auditor.index = self.technology.name
auditor.i_am_singular = self.technology.name
auditor.items = auditor.read_previous_items()
auditor.audit_objects()
try:
auditor.save_issues()
except AttributeError as e:
self.fail(
"Auditor.save_issues() raised AttributeError unexpectedly: {}".
format(e.message))
def test_find_deleted_batch(self):
"""
This will use the IAMRole watcher, since that already has batching support.
:return:
"""
from security_monkey.watchers.iam.iam_role import IAMRole
self.setup_batch_db()
# Set everything up:
watcher = IAMRole(accounts=[self.account.name])
watcher.current_account = (self.account, 0)
watcher.technology = self.technology
items = []
for x in range(0, 5):
mod_conf = dict(ACTIVE_CONF)
mod_conf["name"] = "SomeRole{}".format(x)
mod_conf[
"Arn"] = ARN_PREFIX + ":iam::012345678910:role/SomeRole{}".format(
x)
items.append(SomeTestItem().from_slurp(
mod_conf, account_name=self.account.name))
mod_aspd = dict(ASPD)
mod_aspd[
"Arn"] = ARN_PREFIX + ":iam::012345678910:role/SomeRole{}".format(
x)
mod_aspd["RoleName"] = "SomeRole{}".format(x)
watcher.total_list.append(mod_aspd)
watcher.find_changes(items)
# Check for deleted items:
watcher.find_deleted_batch({})
assert len(watcher.deleted_items) == 0
# Check that nothing was deleted:
for x in range(0, 5):
item_revision = ItemRevision.query.join(
(Item, ItemRevision.id == Item.latest_revision_id)).filter(
Item.arn == ARN_PREFIX +
":iam::012345678910:role/SomeRole{}".format(x), ).one()
assert item_revision.active
# Create some issues for testing purposes:
db.session.add(
ItemAudit(score=10,
issue="IAM Role has full admin permissions.",
notes=json.dumps(item_revision.config),
item_id=item_revision.item_id))
db.session.add(
ItemAudit(score=9001,
issue="Some test issue",
notes="{}",
item_id=item_revision.item_id))
db.session.commit()
assert len(ItemAudit.query.all()) == len(items) * 2
# Remove the last two items:
removed_arns = []
removed_arns.append(watcher.total_list.pop()["Arn"])
removed_arns.append(watcher.total_list.pop()["Arn"])
# Check for deleted items again:
watcher.find_deleted_batch({})
assert len(watcher.deleted_items) == 2
# Check that the last two items were deleted:
for arn in removed_arns:
item_revision = ItemRevision.query.join(
(Item, ItemRevision.id == Item.latest_revision_id)).filter(
Item.arn == arn, ).one()
assert not item_revision.active
# Check that the current ones weren't deleted:
for current_item in watcher.total_list:
item_revision = ItemRevision.query.join(
(Item, ItemRevision.id == Item.latest_revision_id)).filter(
Item.arn == current_item["Arn"], ).one()
assert item_revision.active
assert len(
ItemAudit.query.filter(
ItemAudit.item_id == item_revision.item_id).all()) == 2
