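def test_cwe_update_config_and_code(self):
    """Republish a same-named cloudtrail policy; expect code and config updates.

    The first publish creates the function for a policy that triggers on
    ``CreateBucket``. The second publish reuses the policy name but adds a
    ``memory`` setting and a ``PutBucketPolicy`` event, and the test asserts
    that the manager logs both a code update and a config update while the
    function name stays the same.
    """
    # Originally this was testing the no update case.. but
    # that is tricky to record, any updates to the code end up
    # causing issues due to checksum mismatches which imply updating
    # the function code / which invalidate the recorded data and
    # the focus of the test.
    session_factory = self.replay_flight_data('test_cwe_update', zdata=True)

    # The filter matches buckets whose policy lacks the
    # 'RequireEncryptedPutObject' statement id; the action is a no-op.
    p = Policy({
        'resource': 's3',
        'name': 's3-bucket-policy',
        'mode': {
            'type': 'cloudtrail',
            'events': ["CreateBucket"],
        },
        'filters': [
            {'type': 'missing-policy-statement',
             'statement_ids': ['RequireEncryptedPutObject']}],
        'actions': ['no-op']
    }, Config.empty())
    pl = PolicyLambda(p)
    mgr = LambdaManager(session_factory)
    result = mgr.publish(pl, 'Dev', role=self.role)
    # Registered right after the first publish so the function is removed
    # even when a later assertion fails.
    self.addCleanup(mgr.remove, pl)

    # Same policy name, changed mode: explicit memory plus an extra event.
    p = Policy({
        'resource': 's3',
        'name': 's3-bucket-policy',
        'mode': {
            'type': 'cloudtrail',
            'memory': 256,
            'events': [
                "CreateBucket",
                {'event': 'PutBucketPolicy',
                 'ids': 'requestParameters.bucketName',
                 'source': 's3.amazonaws.com'}]
        },
        'filters': [
            {'type': 'missing-policy-statement',
             'statement_ids': ['RequireEncryptedPutObject']}],
        'actions': ['no-op']
    }, Config.empty())

    output = self.capture_logging('custodian.lambda', level=logging.DEBUG)
    result2 = mgr.publish(PolicyLambda(p), 'Dev', role=self.role)

    lines = output.getvalue().strip().split('\n')
    # assertIn reports the captured lines on failure, unlike assertTrue(x in y).
    self.assertIn('Updating function custodian-s3-bucket-policy code', lines)
    self.assertIn('Updating function: custodian-s3-bucket-policy config', lines)
    self.assertEqual(result['FunctionName'], result2['FunctionName'])

    # drive by coverage
    functions = [
        i for i in mgr.list_functions()
        if i['FunctionName'] == 'custodian-s3-bucket-policy'
    ]
    # assertEqual, not assertTrue: assertTrue's second argument is only the
    # failure message, so it would pass for any non-empty list.
    self.assertEqual(len(functions), 1)

    # Plain int literals instead of the Python 2-only `0L` / `long()`; the
    # window still runs from epoch 0 to now, in milliseconds.
    start = 0
    end = int(time.time() * 1000)
    self.assertEqual(list(mgr.logs(pl, start, end)), [])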
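def test_cwe_update_config_and_code(self):
    """Republish a same-named cloudtrail policy; expect code and config updates.

    The first publish creates the function for a policy that triggers on
    ``CreateBucket``. The second publish reuses the policy name but adds a
    ``memory`` setting and a ``PutBucketPolicy`` event, and the test asserts
    that the manager logs both a code update and a config update while the
    function name stays the same.
    """
    # Originally this was testing the no update case.. but
    # that is tricky to record, any updates to the code end up
    # causing issues due to checksum mismatches which imply updating
    # the function code / which invalidate the recorded data and
    # the focus of the test.
    session_factory = self.replay_flight_data('test_cwe_update', zdata=True)

    # The filter matches buckets whose policy lacks the
    # 'RequireEncryptedPutObject' statement id; the action is a no-op.
    p = Policy({
        'resource': 's3',
        'name': 's3-bucket-policy',
        'mode': {
            'type': 'cloudtrail',
            'events': ["CreateBucket"],
        },
        'filters': [
            {'type': 'missing-policy-statement',
             'statement_ids': ['RequireEncryptedPutObject']}],
        'actions': ['no-op']
    }, Config.empty())
    pl = PolicyLambda(p)
    mgr = LambdaManager(session_factory)
    result = mgr.publish(pl, 'Dev', role=self.role)
    # Registered right after the first publish so the function is removed
    # even when a later assertion fails.
    self.addCleanup(mgr.remove, pl)

    # Same policy name, changed mode: explicit memory plus an extra event.
    p = Policy({
        'resource': 's3',
        'name': 's3-bucket-policy',
        'mode': {
            'type': 'cloudtrail',
            'memory': 256,
            'events': [
                "CreateBucket",
                {'event': 'PutBucketPolicy',
                 'ids': 'requestParameters.bucketName',
                 'source': 's3.amazonaws.com'}]
        },
        'filters': [
            {'type': 'missing-policy-statement',
             'statement_ids': ['RequireEncryptedPutObject']}],
        'actions': ['no-op']
    }, Config.empty())

    output = self.capture_logging('custodian.lambda', level=logging.DEBUG)
    result2 = mgr.publish(PolicyLambda(p), 'Dev', role=self.role)

    lines = output.getvalue().strip().split('\n')
    # assertIn reports the captured lines on failure, unlike assertTrue(x in y).
    self.assertIn('Updating function custodian-s3-bucket-policy code', lines)
    self.assertIn('Updating function: custodian-s3-bucket-policy config', lines)
    self.assertEqual(result['FunctionName'], result2['FunctionName'])

    # drive by coverage
    functions = [
        i for i in mgr.list_functions()
        if i['FunctionName'] == 'custodian-s3-bucket-policy'
    ]
    # assertEqual, not assertTrue: assertTrue's second argument is only the
    # failure message, so it would pass for any non-empty list.
    self.assertEqual(len(functions), 1)

    # Log window from epoch 0 to now, expressed in milliseconds.
    start = 0
    end = time.time() * 1000
    self.assertEqual(list(mgr.logs(pl, start, end)), [])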
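def test_cwe_update_config_and_code(self):
    """Republish a same-named cloudtrail policy; expect code and config updates.

    The first publish creates the function for a policy that triggers on
    ``CreateBucket``. The second publish reuses the policy name but adds a
    ``memory`` setting and a ``PutBucketPolicy`` event, and the test asserts
    that the manager logs a code update and a ``MemorySize`` config update
    while the function name stays the same.
    """
    # Originally this was testing the no update case.. but
    # that is tricky to record, any updates to the code end up
    # causing issues due to checksum mismatches which imply updating
    # the function code / which invalidate the recorded data and
    # the focus of the test.
    session_factory = self.replay_flight_data("test_cwe_update", zdata=True)

    # The filter matches buckets whose policy lacks the
    # 'RequireEncryptedPutObject' statement id; the action is a no-op.
    # NOTE(review): python2.7 is an end-of-life runtime; presumably it is
    # pinned to match the recorded flight data - confirm before copying
    # this mode block into a real policy.
    p = self.load_policy({
        "resource": "s3",
        "name": "s3-bucket-policy",
        "mode": {
            "type": "cloudtrail",
            "events": ["CreateBucket"],
            "runtime": "python2.7",
        },
        "filters": [
            {
                "type": "missing-policy-statement",
                "statement_ids": ["RequireEncryptedPutObject"],
            },
        ],
        "actions": ["no-op"],
    })
    pl = PolicyLambda(p)
    mgr = LambdaManager(session_factory)
    result = mgr.publish(pl, "Dev", role=ROLE)
    # Registered right after the first publish so the function is removed
    # even when a later assertion fails.
    self.addCleanup(mgr.remove, pl)

    # Same policy name, changed mode: explicit memory plus an extra event.
    p = self.load_policy(
        {
            "resource": "s3",
            "name": "s3-bucket-policy",
            "mode": {
                "type": "cloudtrail",
                "memory": 256,
                "runtime": "python2.7",
                "events": [
                    "CreateBucket",
                    {
                        "event": "PutBucketPolicy",
                        "ids": "requestParameters.bucketName",
                        "source": "s3.amazonaws.com",
                    },
                ],
            },
            "filters": [{
                "type": "missing-policy-statement",
                "statement_ids": ["RequireEncryptedPutObject"],
            }],
            "actions": ["no-op"],
        },
    )

    output = self.capture_logging("custodian.serverless", level=logging.DEBUG)
    result2 = mgr.publish(PolicyLambda(p), "Dev", role=ROLE)

    lines = output.getvalue().strip().split("\n")
    # assertIn reports the captured lines on failure, unlike assertTrue(x in y).
    self.assertIn("Updating function custodian-s3-bucket-policy code", lines)
    self.assertIn(
        "Updating function: custodian-s3-bucket-policy config MemorySize", lines)
    self.assertEqual(result["FunctionName"], result2["FunctionName"])

    # drive by coverage
    functions = [
        i for i in mgr.list_functions()
        if i["FunctionName"] == "custodian-s3-bucket-policy"
    ]
    # assertEqual, not assertTrue: assertTrue's second argument is only the
    # failure message, so it would pass for any non-empty list.
    self.assertEqual(len(functions), 1)

    # Log window from epoch 0 to now, expressed in milliseconds.
    start = 0
    end = time.time() * 1000
    self.assertEqual(list(mgr.logs(pl, start, end)), [])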
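def test_cwe_update_config_and_code(self):
    """Republish a same-named cloudtrail policy; expect code and config updates.

    The first publish creates the function for a policy that triggers on
    ``CreateBucket``. The second publish reuses the policy name but adds a
    ``memory`` setting and a ``PutBucketPolicy`` event, and the test asserts
    that the manager logs a code update and a ``MemorySize`` config update
    while the function name stays the same.
    """
    # Originally this was testing the no update case.. but
    # that is tricky to record, any updates to the code end up
    # causing issues due to checksum mismatches which imply updating
    # the function code / which invalidate the recorded data and
    # the focus of the test.
    session_factory = self.replay_flight_data("test_cwe_update", zdata=True)

    # The filter matches buckets whose policy lacks the
    # 'RequireEncryptedPutObject' statement id; the action is a no-op.
    # NOTE(review): python2.7 is an end-of-life runtime; presumably it is
    # pinned to match the recorded flight data - confirm before copying
    # this mode block into a real policy.
    p = Policy(
        {
            "resource": "s3",
            "name": "s3-bucket-policy",
            "mode": {
                "type": "cloudtrail",
                "events": ["CreateBucket"],
                "runtime": "python2.7",
            },
            "filters": [
                {
                    "type": "missing-policy-statement",
                    "statement_ids": ["RequireEncryptedPutObject"],
                }
            ],
            "actions": ["no-op"],
        },
        Config.empty(),
    )
    pl = PolicyLambda(p)
    mgr = LambdaManager(session_factory)
    result = mgr.publish(pl, "Dev", role=ROLE)
    # Registered right after the first publish so the function is removed
    # even when a later assertion fails.
    self.addCleanup(mgr.remove, pl)

    # Same policy name, changed mode: explicit memory plus an extra event.
    p = Policy(
        {
            "resource": "s3",
            "name": "s3-bucket-policy",
            "mode": {
                "type": "cloudtrail",
                "memory": 256,
                "runtime": "python2.7",
                "events": [
                    "CreateBucket",
                    {
                        "event": "PutBucketPolicy",
                        "ids": "requestParameters.bucketName",
                        "source": "s3.amazonaws.com",
                    },
                ],
            },
            "filters": [
                {
                    "type": "missing-policy-statement",
                    "statement_ids": ["RequireEncryptedPutObject"],
                }
            ],
            "actions": ["no-op"],
        },
        Config.empty(),
    )

    output = self.capture_logging("custodian.serverless", level=logging.DEBUG)
    result2 = mgr.publish(PolicyLambda(p), "Dev", role=ROLE)

    lines = output.getvalue().strip().split("\n")
    # assertIn reports the captured lines on failure, unlike assertTrue(x in y).
    self.assertIn("Updating function custodian-s3-bucket-policy code", lines)
    self.assertIn(
        "Updating function: custodian-s3-bucket-policy config MemorySize", lines)
    self.assertEqual(result["FunctionName"], result2["FunctionName"])

    # drive by coverage
    functions = [
        i for i in mgr.list_functions()
        if i["FunctionName"] == "custodian-s3-bucket-policy"
    ]
    # assertEqual, not assertTrue: assertTrue's second argument is only the
    # failure message, so it would pass for any non-empty list.
    self.assertEqual(len(functions), 1)

    # Log window from epoch 0 to now, expressed in milliseconds.
    start = 0
    end = time.time() * 1000
    self.assertEqual(list(mgr.logs(pl, start, end)), [])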