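def test_not_configured(mocker):
    """Run the cis29 handler on the fixture event and expect no remediation.

    The SSM parameter lookups made through lib.metrics are botocore-stubbed,
    the metrics POST and log flushing are silenced, and the Security Hub
    notifier methods are mocked, so nothing reaches AWS. The test asserts
    that the finding is neither flagged nor resolved. The process
    environment is left as the runner provides it; presumably the handler
    treats a missing FLOW_LOG_ROLE_ARN as "not configured" -- confirm
    against cis29.
    """
    # Test data
    event = utils.load_test_data(test_data + 'cis29.json', my_region)

    # Stub SSM: the handler fetches the solution UUID and version with
    # get_parameter. Two UUID/version pairs are queued, which is how many
    # lookups the handler appears to make per run -- adjust if lib.metrics
    # changes.
    ssmc = boto3.client('ssm', region_name=my_region)
    ssmc_s = Stubber(ssmc)
    for parameter in (mock_ssm_get_parameter_uuid,
                      mock_ssm_get_parameter_version,
                      mock_ssm_get_parameter_uuid,
                      mock_ssm_get_parameter_version):
        ssmc_s.add_response('get_parameter', parameter)
    ssmc_s.activate()
    mocker.patch('lib.metrics.Metrics.connect_to_ssm', return_value=ssmc)
    # Never post metrics from a unit test; this mock is not asserted here,
    # so the handle is deliberately not kept.
    mocker.patch('lib.metrics.Metrics.post_metrics_to_api', return_value=None)

    # Mock Notifier
    init = mocker.patch('lib.sechub_findings.Finding.flag')
    resolve = mocker.patch('lib.sechub_findings.Finding.resolve')
    # update_text is patched only so it cannot reach Security Hub; this
    # scenario makes no assertion on it.
    mocker.patch('lib.sechub_findings.Finding.update_text')
    mocker.patch('lib.applogger.LogHandler.flush', return_value=None)

    cis29.lambda_handler(event, None)

    resolve.assert_not_called()
    init.assert_not_called()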
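def test_not_remediated(mocker):
    """Run the cis29 handler where the flow log is never reported back.

    The ec2 stub accepts create_flow_logs but answers describe_flow_logs with
    an empty FlowLogs list; presumably that is what makes the handler treat
    the remediation as failed. The test asserts the INITIAL flag, a FAILED
    update_text and that resolve is never called. Every boto client is
    stubbed or patched, so nothing reaches AWS.
    """
    # Test data: read the fixture under a context manager so the handle is
    # closed even if JSON parsing raises.
    with open(test_data + 'cis29.json', encoding='utf-8') as test_event:
        event = json.load(test_event)
    # Fake credential/ARN placeholders only. patch.dict restores os.environ
    # at teardown so they cannot leak into later tests (plain assignment
    # left them set for the rest of the session).
    mocker.patch.dict(os.environ, {
        'AWS_SESSION_TOKEN': 'FAKETOKEN',
        'FLOW_LOG_ROLE_ARN': 'FAKELOGROLEARN',
    })

    # Mock/stub
    # Mock the constructor. We don't need the session created
    mocker.patch('lib.awsapi_helpers.BotoSession.__init__', return_value=None)
    mocker.patch('lib.awsapi_helpers.AWSClient.connect', return_value=None)
    awsc = [boto3.client('logs'), boto3.client('ec2')]

    def mock_select(thing1, thing2):
        # Replacement for BotoSession.client: thing1 is the BotoSession
        # instance, thing2 the service name. Hand back the stubbed logs
        # client for 'logs' and the stubbed ec2 client for anything else.
        if thing2 == 'logs':
            return awsc[0]
        return awsc[1]

    awsc_s = Stubber(awsc[0])
    awsc_s.add_response('create_log_group', {})
    awsc_s.activate()
    aws2c_s = Stubber(awsc[1])
    aws2c_s.add_response('create_flow_logs', {})
    # No flow logs come back after creation -- the failure trigger.
    aws2c_s.add_response('describe_flow_logs', {'FlowLogs': []})
    aws2c_s.activate()
    # redirect to mock_select above to return the proper stub
    mocker.patch('lib.awsapi_helpers.BotoSession.client', new=mock_select)

    # Mock notifications
    init = mocker.patch('lib.sechub_findings.Finding.flag')
    resolve = mocker.patch('lib.sechub_findings.Finding.resolve')
    update = mocker.patch('lib.sechub_findings.Finding.update_text')
    mocker.patch('lib.applogger.LogHandler.flush', return_value=None)

    # Run the lambda
    cis29.lambda_handler(event, None)

    init.assert_called_once_with(
        'INITIAL: "Enable VPC flow logging in all VPCs" remediation started')
    update.assert_called_once_with(
        'FAILED: "Enable VPC flow logging in all VPCs" remediation failed. Please remediate manually'
    )
    resolve.assert_not_called()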
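def test_not_configured(mocker):
    """Run the cis29 handler on the fixture event and expect no remediation.

    The Security Hub notifier methods and log flushing are mocked, and the
    test asserts that the finding is neither flagged nor resolved. Nothing
    else is stubbed, so any AWS call the handler made would surface as an
    error. The environment is left as the runner provides it; presumably a
    missing FLOW_LOG_ROLE_ARN is what "not configured" means -- confirm
    against cis29.
    """
    # Test data
    event = utils.load_test_data(test_data + 'cis29.json', my_region)

    # Mock Notifier
    init = mocker.patch('lib.sechub_findings.Finding.flag')
    resolve = mocker.patch('lib.sechub_findings.Finding.resolve')
    # update_text is patched only so it cannot reach Security Hub; this
    # scenario makes no assertion on it.
    mocker.patch('lib.sechub_findings.Finding.update_text')
    mocker.patch('lib.applogger.LogHandler.flush', return_value=None)

    cis29.lambda_handler(event, None)

    resolve.assert_not_called()
    init.assert_not_called()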
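def test_not_configured(mocker):
    """Run the cis29 handler on the fixture event and expect no remediation.

    The Security Hub notifier methods and log flushing are mocked, and the
    test asserts that the finding is neither flagged nor resolved. The
    environment is left as the runner provides it; presumably a missing
    FLOW_LOG_ROLE_ARN is what "not configured" means -- confirm against
    cis29.
    """
    # Test data: read the fixture under a context manager so the handle is
    # closed even if JSON parsing raises.
    with open(test_data + 'cis29.json', encoding='utf-8') as test_event:
        event = json.load(test_event)

    # Mock Notifier
    init = mocker.patch('lib.sechub_findings.Finding.flag')
    resolve = mocker.patch('lib.sechub_findings.Finding.resolve')
    # update_text is patched only so it cannot reach Security Hub; this
    # scenario makes no assertion on it.
    mocker.patch('lib.sechub_findings.Finding.update_text')
    mocker.patch('lib.applogger.LogHandler.flush', return_value=None)

    cis29.lambda_handler(event, None)

    resolve.assert_not_called()
    init.assert_not_called()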
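def test_event_good(mocker):
    """Run the cis29 handler on the happy path and check every outbound call.

    SSM, logs and ec2 are botocore-stubbed and the session constructor is
    patched, so nothing reaches AWS. describe_flow_logs reports an ACTIVE
    flow log; the test asserts the INITIAL flag, the RESOLVED resolve, the
    message handed to AWSClient.postit for the SHARR topic, and the exact
    payload handed to post_metrics_to_api (timestamps, ARNs and region are
    matched with mocker.ANY).
    """
    # Test data
    event = utils.load_test_data(test_data + 'cis29.json', my_region)
    sns_message = {
        'Note': '"Enable VPC flow logging in all VPCs" remediation was successful',
        'State': 'RESOLVED',
        'Account': '111111111111',
        'Remediation': 'Enable VPC flow logging in all VPCs',
        'AffectedObject': 'VPC Flow Logs for VPC: vpc-d1a07fba',
        'metrics_data': mocker.ANY
    }
    # Fake credential/ARN placeholders only. patch.dict restores os.environ
    # at teardown so they cannot leak into later tests (plain assignment
    # left them set for the rest of the session).
    mocker.patch.dict(os.environ, {
        'AWS_SESSION_TOKEN': 'FAKETOKEN',
        'FLOW_LOG_ROLE_ARN': 'FAKELOGROLEARN',
    })
    post_metrics_expected_parms = {
        'Solution': 'SO0111',
        'UUID': '12345678-1234-1234-1234-123412341234',
        'TimeStamp': mocker.ANY,
        'Data': {
            'generator_id': 'arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.9',
            'type': '2.9 Ensure VPC flow logging is enabled in all VPCs',
            'productArn': mocker.ANY,
            'finding_triggered_by': 'Security Hub Findings - Custom Action',
            'region': mocker.ANY,
            'status': 'RESOLVED'
        },
        'Version': 'v1.2.0TEST'
    }

    # Stub SSM: the handler fetches the solution UUID and version with
    # get_parameter. Two UUID/version pairs are queued, which is how many
    # lookups the handler appears to make per run -- adjust if lib.metrics
    # changes.
    ssmc = boto3.client('ssm', region_name=my_region)
    ssmc_s = Stubber(ssmc)
    for parameter in (mock_ssm_get_parameter_uuid,
                      mock_ssm_get_parameter_version,
                      mock_ssm_get_parameter_uuid,
                      mock_ssm_get_parameter_version):
        ssmc_s.add_response('get_parameter', parameter)
    ssmc_s.activate()
    mocker.patch('lib.metrics.Metrics.connect_to_ssm', return_value=ssmc)
    # Capture the metrics payload instead of posting it anywhere.
    post_metrics = mocker.patch('lib.metrics.Metrics.post_metrics_to_api', return_value=None)

    # Mock the constructor. We don't need the session created
    mocker.patch('lib.awsapi_helpers.BotoSession.__init__', return_value=None)
    mocker.patch('lib.awsapi_helpers.AWSClient.connect', return_value=None)
    awsc = [boto3.client('logs'), boto3.client('ec2')]

    def mock_select(thing1, thing2):
        # Replacement for BotoSession.client: thing1 is the BotoSession
        # instance, thing2 the service name. Hand back the stubbed logs
        # client for 'logs' and the stubbed ec2 client for anything else.
        if thing2 == 'logs':
            return awsc[0]
        return awsc[1]

    # Mock the boto clients and replace the BotoSession client with our stub
    awsc_s = Stubber(awsc[0])
    awsc_s.add_response('create_log_group', {})
    awsc_s.activate()
    aws2c_s = Stubber(awsc[1])
    aws2c_s.add_response('create_flow_logs', {})
    # An ACTIVE flow log is reported back -- the success trigger.
    aws2c_s.add_response('describe_flow_logs', {'FlowLogs': [{'FlowLogStatus': 'ACTIVE'}]})
    aws2c_s.activate()
    # Capture the SNS publish instead of sending it.
    sns = mocker.patch('lib.awsapi_helpers.AWSClient.postit', return_value=None)
    # redirect to mock_select above to return the proper stub
    mocker.patch('lib.awsapi_helpers.BotoSession.client', new=mock_select)

    # Mock notifications
    init = mocker.patch('lib.sechub_findings.Finding.flag')
    resolve = mocker.patch('lib.sechub_findings.Finding.resolve')
    mocker.patch('lib.applogger.LogHandler.flush', return_value=None)

    # Run the lambda
    cis29.lambda_handler(event, None)

    init.assert_called_once_with(
        'INITIAL: "Enable VPC flow logging in all VPCs" remediation started')
    resolve.assert_called_once_with(
        'RESOLVED: "Enable VPC flow logging in all VPCs" remediation was successful'
    )
    sns.assert_called_with('SO0111-SHARR_Topic', sns_message, my_region)
    post_metrics.assert_called_with(post_metrics_expected_parms)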
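def test_not_remediated(mocker):
    """Run the cis29 handler where the flow log is never reported back.

    SSM, logs and ec2 are botocore-stubbed and the session constructor is
    patched, so nothing reaches AWS. create_flow_logs is accepted but
    describe_flow_logs answers with an empty FlowLogs list; presumably that
    is what makes the handler treat the remediation as failed. The test
    asserts the INITIAL flag, a FAILED update_text, that resolve is never
    called, and the exact metrics payload (with status FAILED) handed to
    post_metrics_to_api.
    """
    # Test data
    event = utils.load_test_data(test_data + 'cis29.json', my_region)
    post_metrics_expected_parms = {
        'Solution': 'SO0111',
        'UUID': '12345678-1234-1234-1234-123412341234',
        'TimeStamp': mocker.ANY,
        'Data': {
            'generator_id': 'arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.9',
            'type': '2.9 Ensure VPC flow logging is enabled in all VPCs',
            'productArn': mocker.ANY,
            'finding_triggered_by': 'Security Hub Findings - Custom Action',
            'region': mocker.ANY,
            'status': 'FAILED'
        },
        'Version': 'v1.2.0TEST'
    }
    # Fake credential/ARN placeholders only. patch.dict restores os.environ
    # at teardown so they cannot leak into later tests (plain assignment
    # left them set for the rest of the session).
    mocker.patch.dict(os.environ, {
        'AWS_SESSION_TOKEN': 'FAKETOKEN',
        'FLOW_LOG_ROLE_ARN': 'FAKELOGROLEARN',
    })

    # Stub SSM: the handler fetches the solution UUID and version with
    # get_parameter. Two UUID/version pairs are queued, which is how many
    # lookups the handler appears to make per run -- adjust if lib.metrics
    # changes.
    ssmc = boto3.client('ssm', region_name=my_region)
    ssmc_s = Stubber(ssmc)
    for parameter in (mock_ssm_get_parameter_uuid,
                      mock_ssm_get_parameter_version,
                      mock_ssm_get_parameter_uuid,
                      mock_ssm_get_parameter_version):
        ssmc_s.add_response('get_parameter', parameter)
    ssmc_s.activate()
    mocker.patch('lib.metrics.Metrics.connect_to_ssm', return_value=ssmc)
    # Capture the metrics payload instead of posting it anywhere.
    post_metrics = mocker.patch('lib.metrics.Metrics.post_metrics_to_api', return_value=None)

    # Mock the constructor. We don't need the session created
    mocker.patch('lib.awsapi_helpers.BotoSession.__init__', return_value=None)
    mocker.patch('lib.awsapi_helpers.AWSClient.connect', return_value=None)
    awsc = [boto3.client('logs'), boto3.client('ec2')]

    def mock_select(thing1, thing2):
        # Replacement for BotoSession.client: thing1 is the BotoSession
        # instance, thing2 the service name. Hand back the stubbed logs
        # client for 'logs' and the stubbed ec2 client for anything else.
        if thing2 == 'logs':
            return awsc[0]
        return awsc[1]

    awsc_s = Stubber(awsc[0])
    awsc_s.add_response('create_log_group', {})
    awsc_s.activate()
    aws2c_s = Stubber(awsc[1])
    aws2c_s.add_response('create_flow_logs', {})
    # No flow logs come back after creation -- the failure trigger.
    aws2c_s.add_response('describe_flow_logs', {'FlowLogs': []})
    aws2c_s.activate()
    # redirect to mock_select above to return the proper stub
    mocker.patch('lib.awsapi_helpers.BotoSession.client', new=mock_select)

    # Mock notifications
    init = mocker.patch('lib.sechub_findings.Finding.flag')
    resolve = mocker.patch('lib.sechub_findings.Finding.resolve')
    update = mocker.patch('lib.sechub_findings.Finding.update_text')
    mocker.patch('lib.applogger.LogHandler.flush', return_value=None)

    # Run the lambda
    cis29.lambda_handler(event, None)

    init.assert_called_once_with(
        'INITIAL: "Enable VPC flow logging in all VPCs" remediation started')
    update.assert_called_once_with(
        'FAILED: "Enable VPC flow logging in all VPCs" remediation failed. Please remediate manually',
        status='FAILED')
    resolve.assert_not_called()
    post_metrics.assert_called_with(post_metrics_expected_parms)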
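def test_event_good(mocker):
    """Run the cis29 handler on the happy path and check the notifications.

    logs and ec2 are botocore-stubbed and the session constructor is
    patched, so nothing reaches AWS. describe_flow_logs reports an ACTIVE
    flow log; the test asserts the INITIAL flag, the RESOLVED resolve and
    the message handed to AWSClient.postit for the SHARR topic in
    us-east-1.
    """
    # Test data: read the fixture under a context manager so the handle is
    # closed even if JSON parsing raises.
    with open(test_data + 'cis29.json', encoding='utf-8') as test_event:
        event = json.load(test_event)
    sns_message = {
        'Note': '"Enable VPC flow logging in all VPCs" remediation was successful',
        'State': 'RESOLVED',
        'Account': '111111111111',
        'Remediation': 'Enable VPC flow logging in all VPCs',
        'AffectedObject': 'VPC Flow Logs for VPC: vpc-d1a07fba',
        'metrics_data': {
            'status': 'RESOLVED'
        }
    }
    # Fake credential/ARN placeholders only. patch.dict restores os.environ
    # at teardown so they cannot leak into later tests (plain assignment
    # left them set for the rest of the session).
    mocker.patch.dict(os.environ, {
        'AWS_SESSION_TOKEN': 'FAKETOKEN',
        'FLOW_LOG_ROLE_ARN': 'FAKELOGROLEARN',
    })

    # Mock/stub
    # Mock the constructor. We don't need the session created
    mocker.patch('lib.awsapi_helpers.BotoSession.__init__', return_value=None)
    mocker.patch('lib.awsapi_helpers.AWSClient.connect', return_value=None)
    awsc = [boto3.client('logs'), boto3.client('ec2')]

    def mock_select(thing1, thing2):
        # Replacement for BotoSession.client: thing1 is the BotoSession
        # instance, thing2 the service name. Hand back the stubbed logs
        # client for 'logs' and the stubbed ec2 client for anything else.
        if thing2 == 'logs':
            return awsc[0]
        return awsc[1]

    # Mock the boto clients and replace the BotoSession client with our stub
    awsc_s = Stubber(awsc[0])
    awsc_s.add_response('create_log_group', {})
    awsc_s.activate()
    aws2c_s = Stubber(awsc[1])
    aws2c_s.add_response('create_flow_logs', {})
    # An ACTIVE flow log is reported back -- the success trigger.
    aws2c_s.add_response('describe_flow_logs', {'FlowLogs': [{'FlowLogStatus': 'ACTIVE'}]})
    aws2c_s.activate()
    # Capture the SNS publish instead of sending it.
    sns = mocker.patch('lib.awsapi_helpers.AWSClient.postit', return_value=None)
    # redirect to mock_select above to return the proper stub
    mocker.patch('lib.awsapi_helpers.BotoSession.client', new=mock_select)

    # Mock notifications
    init = mocker.patch('lib.sechub_findings.Finding.flag')
    resolve = mocker.patch('lib.sechub_findings.Finding.resolve')
    mocker.patch('lib.applogger.LogHandler.flush', return_value=None)

    # Run the lambda
    cis29.lambda_handler(event, None)

    init.assert_called_once_with(
        'INITIAL: "Enable VPC flow logging in all VPCs" remediation started')
    resolve.assert_called_once_with(
        'RESOLVED: "Enable VPC flow logging in all VPCs" remediation was successful'
    )
    sns.assert_called_with('SO0111-SHARR_Topic', sns_message, 'us-east-1')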