Example #1
def test_encrypt_and_push_creds_to_s3(cli_mock):
    """CLI - Outputs - Encrypt and push creds to s3

    Runs encrypt_and_push_creds_to_s3 twice against the same props dict:
    first with only a non-credential property, then with a property flagged
    cred_requirement=True added to it.
    """
    region = 'us-east-1'
    bucket = 'bucket'
    key = 'key'
    alias = 'test_alias'

    props = {}
    props['non-secret'] = OutputProperty(
        description='short description of info needed',
        value='http://this.url.value')

    # Nothing in props is marked as a credential yet: the call must still
    # report success and must leave cli_mock untouched.
    first_result = encrypt_and_push_creds_to_s3(region, bucket, key, props,
                                                alias)
    assert_true(first_result)
    cli_mock.assert_not_called()

    # Placeholder secret value for the test; cred_requirement=True marks it
    # as a credential property.
    secret_prop = OutputProperty(
        description='short description of secret needed',
        value='1908AGSG98A8908AG',
        cred_requirement=True)
    props['secret'] = secret_prop

    # The bucket has to exist before the mock object can be put into it
    s3_client = boto3.client('s3', region_name=region)
    s3_client.create_bucket(Bucket=bucket)

    # NOTE(review): only the return value is checked here. The stored object
    # is never read back, so this test does not show that what reached the
    # bucket is ciphertext rather than the plaintext value - confirm that is
    # covered elsewhere.
    second_result = encrypt_and_push_creds_to_s3(region, bucket, key, props,
                                                 alias)
    assert_true(second_result)
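def configure_output(options):
    """Configure a new output for this service

    Prompts the user for every property the output dispatcher declares, hands
    the collected properties to config_outputs.encrypt_and_push_creds_to_s3
    and, when that call reports success, writes the updated output
    configuration locally. Returns None in every path; the outcome is
    reported through LOGGER_CLI.

    Args:
        options (argparser): Basically a namedtuple with the service setting
    """
    account_config = CONFIG['global']['account']
    region = account_config['region']
    prefix = account_config['prefix']
    kms_key_alias = account_config['kms_key_alias']

    # The 'alias/' prefix must not be part of the configured value because it
    # is interpolated when the API call is made. Strip it only when it is a
    # real leading prefix and keep everything after it: KMS alias names may
    # themselves contain '/', so taking split('/')[1] would silently shorten
    # 'alias/team/key' to 'team' and select a different key than the one the
    # operator configured.
    alias_prefix = 'alias/'
    if kms_key_alias.startswith(alias_prefix):
        kms_key_alias = kms_key_alias[len(alias_prefix):]

    # Retrieve the proper service class to handle dispatching the alerts of this services
    output = get_output_dispatcher(options.service, region, prefix,
                                   config_outputs.load_outputs_config())

    # If an output for this service has not been defined, the error is logged
    # prior to this
    if not output:
        return

    # get dictionary of OutputProperty items to be used for user prompting
    props = output.get_user_defined_properties()

    # Iterate over a snapshot of the items so that rebinding values in props
    # never depends on mutating a dict that is being iterated.
    for name, prop in list(props.items()):
        # prop.mask_input is forwarded to user_input; presumably it keeps
        # secret values from being echoed while typed - verify in user_input.
        # pylint: disable=protected-access
        props[name] = prop._replace(value=user_input(
            prop.description, prop.mask_input, prop.input_restrictions))

    service = output.__service__
    config = config_outputs.load_config(props, service)
    # An empty config here means this configuration already exists,
    # so we can ask for user input again for a unique configuration
    if config is False:
        return configure_output(options)

    secrets_bucket = '{}.streamalert.secrets'.format(prefix)
    secrets_key = output.output_cred_name(props['descriptor'].value)

    # Encrypt the creds and push them to S3
    # then update the local output configuration with properties.
    # The local config is only touched after the push reports success, so a
    # failed encryption never leaves an output configured without its creds.
    if config_outputs.encrypt_and_push_creds_to_s3(region, secrets_bucket,
                                                   secrets_key, props,
                                                   kms_key_alias):
        # NOTE(review): props still holds the entered secret values here;
        # confirm format_output_config writes only non-credential properties
        # to the local configuration.
        updated_config = output.format_output_config(config, props)
        config_outputs.update_outputs_config(config, updated_config, service)

        # Only the descriptor and service name are logged, never the
        # property values collected above.
        LOGGER_CLI.info(
            'Successfully saved \'%s\' output configuration for service \'%s\'',
            props['descriptor'].value, options.service)
    else:
        LOGGER_CLI.error(
            'An error occurred while saving \'%s\' '
            'output configuration for service \'%s\'',
            props['descriptor'].value, options.service)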
Example #3
def test_encrypt_and_push_creds_to_s3_kms_failure(log_mock, boto_mock):
    """Encrypt and push creds to s3 - kms failure

    Makes boto_mock raise a ClientError and checks that
    encrypt_and_push_creds_to_s3 reports the failure through log_mock.
    """
    # Every call routed through boto_mock now raises this ClientError
    failure = ClientError(
        {'Error': {'Code': 100, 'Message': 'BAAAD', 'BucketName': 'bucket'}},
        'operation')
    boto_mock.side_effect = failure

    # Placeholder secret value; cred_requirement=True marks it as a credential
    secret_prop = OutputProperty(
        description='short description of secret needed',
        value='1908AGSG98A8908AG',
        cred_requirement=True)

    # NOTE(review): the return value is discarded, so this test does not pin
    # that a failed encryption is reported to the caller as a failure -
    # consider asserting on it as well.
    encrypt_and_push_creds_to_s3('us-east-1', 'bucket', 'key',
                                 {'secret': secret_prop}, 'test_alias')

    # The expected log call carries a fixed message only; it does not
    # include the secret value.
    log_mock.assert_called_with('An error occurred during credential encryption')