def test_encrypt_and_push_creds_to_s3(cli_mock):
    """CLI - Outputs - Encrypt and push creds to s3

    Calls `encrypt_and_push_creds_to_s3` twice: first with only a property
    that is not flagged `cred_requirement`, then again after adding one that
    is. Both calls are expected to return a truthy value.
    """
    region, bucket_name, object_key, alias = 'us-east-1', 'bucket', 'key', 'test_alias'

    properties = {
        'non-secret': OutputProperty(
            description='short description of info needed',
            value='http://this.url.value')
    }

    # With no credential-type property present, the call must still succeed
    # and must not touch the patched object passed in as cli_mock.
    # NOTE(review): what cli_mock patches is set by a decorator not visible here.
    first_result = encrypt_and_push_creds_to_s3(
        region, bucket_name, object_key, properties, alias)
    assert_true(first_result)
    cli_mock.assert_not_called()

    # Dummy fixture value flagged as a credential (cred_requirement=True).
    properties['secret'] = OutputProperty(
        description='short description of secret needed',
        value='1908AGSG98A8908AG',
        cred_requirement=True)

    # The destination bucket has to exist before the object is put into it.
    s3_client = boto3.client('s3', region_name=region)
    s3_client.create_bucket(Bucket=bucket_name)

    second_result = encrypt_and_push_creds_to_s3(
        region, bucket_name, object_key, properties, alias)
    assert_true(second_result)
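def configure_output(options):
    """Configure a new output for this service

    Prompts the user for every property the selected output defines, hands
    the collected properties to `config_outputs.encrypt_and_push_creds_to_s3`
    and, if that call reports success, writes the new output into the local
    outputs configuration.

    Args:
        options (argparser): Basically a namedtuple with the service setting
    """
    account_config = CONFIG['global']['account']
    region = account_config['region']
    prefix = account_config['prefix']
    kms_key_alias = account_config['kms_key_alias']

    # The word 'alias/' is interpolated when the API call is made, so it must
    # not be carried in the configured value. Strip only the leading prefix:
    # KMS alias names may themselves contain '/', and splitting on every '/'
    # would cut 'alias/team/key' down to 'team', so the credentials would be
    # encrypted under a different alias than the one configured.
    alias_prefix = 'alias/'
    if kms_key_alias.startswith(alias_prefix):
        kms_key_alias = kms_key_alias[len(alias_prefix):]

    # Retrieve the proper service class to handle dispatching the alerts of this services
    output = get_output_dispatcher(options.service,
                                   region,
                                   prefix,
                                   config_outputs.load_outputs_config())

    # If an output for this service has not been defined, the error is logged
    # prior to this
    if not output:
        return

    # get dictionary of OutputProperty items to be used for user prompting
    props = output.get_user_defined_properties()

    # Only existing keys are reassigned, so the dict does not change size
    # while it is being iterated.
    for name, prop in props.iteritems():
        # prop.mask_input is forwarded to the prompt helper
        # NOTE(review): presumably this hides typed secrets - confirm in user_input
        # pylint: disable=protected-access
        props[name] = prop._replace(value=user_input(
            prop.description, prop.mask_input, prop.input_restrictions))

    service = output.__service__
    config = config_outputs.load_config(props, service)

    # A False config here means this configuration already exists,
    # so we can ask for user input again for a unique configuration.
    # NOTE(review): each retry is a recursive call; repeated duplicates
    # deepen the call stack.
    if config is False:
        return configure_output(options)

    secrets_bucket = '{}.streamalert.secrets'.format(prefix)
    secrets_key = output.output_cred_name(props['descriptor'].value)

    # Encrypt the creds and push them to S3
    # then update the local output configuration with properties.
    # Only the descriptor and the service name are logged below; property
    # values are never written to the log.
    if config_outputs.encrypt_and_push_creds_to_s3(region,
                                                   secrets_bucket,
                                                   secrets_key,
                                                   props,
                                                   kms_key_alias):
        updated_config = output.format_output_config(config, props)
        config_outputs.update_outputs_config(config, updated_config, service)

        LOGGER_CLI.info(
            'Successfully saved \'%s\' output configuration for service \'%s\'',
            props['descriptor'].value, options.service)
    else:
        # The local outputs configuration is left untouched when the
        # encrypt-and-push step reports failure.
        LOGGER_CLI.error(
            'An error occurred while saving \'%s\' '
            'output configuration for service \'%s\'',
            props['descriptor'].value, options.service)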
def test_encrypt_and_push_creds_to_s3_kms_failure(log_mock, boto_mock):
    """Encrypt and push creds to s3 - kms failure

    Makes the patched boto object raise a `ClientError` and checks that the
    failure is reported through the patched logger with the expected message.
    """
    # Dummy fixture value flagged as a credential (cred_requirement=True).
    secret_property = OutputProperty(
        description='short description of secret needed',
        value='1908AGSG98A8908AG',
        cred_requirement=True)
    properties = {'secret': secret_property}

    error_detail = {'Code': 100, 'Message': 'BAAAD', 'BucketName': 'bucket'}
    client_error = ClientError({'Error': error_detail}, 'operation')

    # Every call made through the patched object now raises the ClientError.
    # NOTE(review): what boto_mock patches is set by a decorator not visible here.
    boto_mock.side_effect = client_error

    # NOTE(review): the return value is not asserted; only the log call is checked.
    encrypt_and_push_creds_to_s3(
        'us-east-1', 'bucket', 'key', properties, 'test_alias')

    expected_message = 'An error occurred during credential encryption'
    log_mock.assert_called_with(expected_message)