def __register_auth_system(auth_system):
    """Register an authentication plugin and activate it if the config selects it.

    The plugin's name is appended to the ``available`` choices of the
    ``auth_system`` setting when it is not listed yet. The plugin is then
    bootstrapped and stored as ``app.active_auth_system`` only when its name
    matches the first entry of the setting's ``enabled`` list.

    Args:
        auth_system (:obj:`BaseAuthPlugin`): A subclass of the `BaseAuthPlugin` class to register

    Returns:
        `bool`: `True` if `auth_system` became the active auth system, else `False`
    """
    settings = dbconfig.get('auth_system')
    name = auth_system.name

    # A plugin seen for the first time is added to the list of selectable choices
    if name not in settings['available']:
        settings['available'].append(name)
        dbconfig.set('default', 'auth_system', DBCChoice(settings))

    # Only the configured plugin is bootstrapped; every other one stays inactive
    if name != settings['enabled'][0]:
        logger.debug('Not trying to load the %s auth system as it is disabled by config', name)
        return False

    app.active_auth_system = auth_system
    auth_system().bootstrap()
    logger.debug('Registered %s as the active auth system', name)
    return True
def prep_s3_testing(cinq_test_service, collect_only=False):
    """Configure the required-tags auditor for an S3-only run and start the mocks.

    Restricts the audit scope to ``aws_s3_bucket``, writes ``collect_only`` and
    the standard alert settings into the auditor's namespace, then starts the
    mocked ``cloudwatch`` and ``s3`` services on ``cinq_test_service``.

    Args:
        cinq_test_service: Test service fixture exposing ``start_mocking_services``
        collect_only (bool): Value written to the auditor's ``collect_only`` setting
    """
    namespace = NS_AUDITOR_REQUIRED_TAGS
    set_audit_scope('aws_s3_bucket')
    for key, value in (
        ('collect_only', collect_only),
        ('alert_settings', DBCJSON(STANDARD_ALERT_SETTINGS)),
    ):
        dbconfig.set(namespace, key, value)
    cinq_test_service.start_mocking_services('cloudwatch', 's3')
def test_audit(cinq_test_service):
    """Exercise the required-tags auditor against a single untagged EC2 instance.

    A freshly launched instance must produce no notices because it is still in
    its grace period; once its launch date is moved back to 2000 the auditor
    must report it under the account's email contact as ``not_fixed``.
    """
    # Prep
    test_email = dbconfig.get('test_email', NS_CINQ_TEST)
    recipient = NotificationContact(type='email', value=test_email)
    cinq_test_service.start_mocking_services('ec2')
    account = cinq_test_service.add_test_account(
        account_type='AWS',
        account_name=CINQ_TEST_ACCOUNT_NAME,
        contacts=[{'type': 'email', 'value': test_email}],
        properties={'account_number': CINQ_TEST_ACCOUNT_NO},
    )

    # Limit the audit scope to EC2 instances only
    scope = dbconfig.get('audit_scope', NS_AUDITOR_REQUIRED_TAGS)
    scope['enabled'] = ['aws_ec2_instance']
    dbconfig.set(NS_AUDITOR_REQUIRED_TAGS, 'audit_scope', DBCJSON(scope))

    # Add a single untagged instance and collect it
    ec2 = aws_get_client('ec2')
    launched = ec2.run_instances(ImageId='i-10000', MinCount=1, MaxCount=1)
    instance_id = launched['Instances'][0]['InstanceId']
    run_aws_collector(account)

    # Start auditor
    auditor = MockRequiredTagsAuditor()

    # Test 1 --- a freshly launched, non-compliant instance is still in its grace period
    auditor.run()
    assert auditor._cinq_test_notices == {}

    # Test 2 --- backdate the launch so the instance falls outside the grace period
    assert cinq_test_service.modify_resource(
        instance_id, 'launch_date', '2000-01-01T00:00:00') is True

    auditor.run()
    notices = auditor._cinq_test_notices

    assert recipient in notices
    reported = notices[recipient]['not_fixed'][0]['resource']
    assert reported.resource_id == instance_id
def test_basic_ops(cinq_test_service):
    """
    Test will pass if:
    1. Auditor can detect non-compliant EC2 instances
    2. Auditor respect grace period settings

    A single untagged instance launched "now" must yield no notices (grace
    period); after its launch date is backdated to 2000 it must appear under
    the account contact's ``not_fixed`` notices.
    """
    # Prep
    cinq_test_service.start_mocking_services('ec2')

    setup_info = setup_test_aws(cinq_test_service)
    recipient, account = setup_info['recipient'], setup_info['account']

    namespace = NS_AUDITOR_REQUIRED_TAGS
    scope = dbconfig.get('audit_scope', namespace)
    scope['enabled'] = ['aws_ec2_instance']
    dbconfig.set(namespace, 'audit_scope', DBCJSON(scope))
    dbconfig.set(namespace, 'collect_only', False)

    # Add resources
    ec2 = aws_get_client('ec2')
    launched = ec2.run_instances(ImageId='i-10000', MinCount=1, MaxCount=1)
    instance_id = launched['Instances'][0]['InstanceId']

    # Collect resources
    collect_resources(account=account, resource_types=['ec2'])

    # Initialize auditor
    auditor = MockRequiredTagsAuditor()

    # Test 1 --- an instance launched right now is inside the grace period.
    # utcnow() is deprecated since Python 3.12 but is kept here so the naive
    # ISO string handed to modify_resource keeps exactly the same format.
    cinq_test_service.modify_resource(
        instance_id, 'launch_date', datetime.datetime.utcnow().isoformat())
    auditor.run()
    assert auditor._cinq_test_notices == {}

    # Test 2 --- backdating the launch makes the instance reportable
    modified = cinq_test_service.modify_resource(
        instance_id, 'launch_date', '2000-01-01T00:00:00')
    assert modified is True

    auditor.run()
    notices = auditor._cinq_test_notices

    assert recipient in notices
    reported = notices[recipient]['not_fixed'][0]['resource']
    assert reported.resource_id == instance_id
def test_audit(cinq_test_service):
    """Run the required-tags auditor's EC2 scenario through ``case_1``.

    Starts the mocked EC2 service, creates the test account via
    ``setup_test_aws``, restricts the audit scope to ``aws_ec2_instance`` and
    then delegates the actual assertions to ``case_1`` with the account and
    its notification recipient.
    """
    # Prep
    cinq_test_service.start_mocking_services('ec2')

    setup_info = setup_test_aws(cinq_test_service)

    namespace = NS_AUDITOR_REQUIRED_TAGS
    scope = dbconfig.get('audit_scope', namespace)
    scope['enabled'] = ['aws_ec2_instance']
    dbconfig.set(namespace, 'audit_scope', DBCJSON(scope))

    # Tests
    case_1(cinq_test_service, setup_info['account'], setup_info['recipient'])
def set_test_user_role(role):
    """Store ``role`` as the ``user_role`` setting of the test namespace.

    Args:
        role: Role value written to ``NS_CINQ_TEST`` / ``user_role``
    """
    namespace, key = NS_CINQ_TEST, 'user_role'
    dbconfig.set(namespace, key, role)
def prep_s3_testing(cinq_test_service, collect_only=False):
    """Scope the required-tags auditor to S3 buckets and start the S3/CloudWatch mocks.

    Args:
        cinq_test_service: Test service fixture exposing ``start_mocking_services``
        collect_only (bool): Value written to the auditor's ``collect_only`` setting
    """
    namespace = NS_AUDITOR_REQUIRED_TAGS
    set_audit_scope('aws_s3_bucket')
    dbconfig.set(namespace, 'collect_only', collect_only)

    services = ('cloudwatch', 's3')
    cinq_test_service.start_mocking_services(*services)
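def set_audit_scope(*args):
    """Set the required-tags auditor's ``audit_scope.enabled`` list to ``args``.

    The other writers of this setting store a plain list (e.g.
    ``['aws_ec2_instance']``); ``args`` arrives as a tuple, so it is converted
    to a list before being wrapped in ``DBCJSON`` to keep the in-memory value
    consistent with what the rest of the code stores and reads back.

    Args:
        *args (str): Resource type names that the auditor should audit
    """
    namespace = NS_AUDITOR_REQUIRED_TAGS
    db_setting = dbconfig.get('audit_scope', namespace)
    db_setting['enabled'] = list(args)
    dbconfig.set(namespace, 'audit_scope', DBCJSON(db_setting))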
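def test_volume_ec2_s3(cinq_test_service):
    """Volume test: audit a random mix of compliant and non-compliant S3 buckets and EC2 instances.

    Creates ``num_resources`` buckets and ``num_resources`` instances, tags a
    random subset of each with ``VALID_TAGSET``, backdates every resource to
    2000 so none of them is inside the grace period, and asserts that the
    ``not_fixed`` notices for the account contact cover exactly the untagged
    resources and nothing else.
    """
    # Prep
    setup_info = setup_test_aws(cinq_test_service)
    recipient = setup_info['recipient']
    account = setup_info['account']

    set_audit_scope('aws_ec2_instance', 'aws_s3_bucket')
    dbconfig.set(NS_AUDITOR_REQUIRED_TAGS, 'collect_only', False)
    cinq_test_service.start_mocking_services('cloudwatch', 'ec2', 's3')

    num_resources = 100
    compliant_buckets = []
    non_compliant_buckets = []
    compliant_ec2 = []
    non_compliant_ec2 = []

    client_s3 = aws_get_client('s3')
    client_ec2 = aws_get_client('ec2')
    regions = get_aws_regions('s3')

    # Workaround for a moto cloudwatch KeyError bug. Guarded so the test does
    # not die with ValueError if the region list ever stops including it.
    if 'eu-west-3' in regions:
        regions.remove('eu-west-3')

    # Setup resources: every bucket and instance is assigned to the compliant
    # or the non-compliant group by a coin flip, so group sizes vary per run
    for i in range(num_resources):
        bucket_name = uuid.uuid4().hex
        client_s3.create_bucket(
            Bucket=bucket_name,
            CreateBucketConfiguration={'LocationConstraint': random.choice(regions)}
        )
        if random.randint(0, 1):
            compliant_buckets.append(bucket_name)
        else:
            non_compliant_buckets.append(bucket_name)

        resource = client_ec2.run_instances(ImageId='i-{}'.format(i), MinCount=1, MaxCount=1)
        instance_id = resource['Instances'][0]['InstanceId']
        if random.randint(0, 1):
            compliant_ec2.append(instance_id)
        else:
            non_compliant_ec2.append(instance_id)

    # Only the compliant group receives the required tags
    for instance_id in compliant_ec2:
        client_ec2.create_tags(Resources=[instance_id], Tags=VALID_TAGSET)

    for item in compliant_buckets:
        client_s3.put_bucket_tagging(Bucket=item, Tagging={'TagSet': VALID_TAGSET})

    # collection
    collect_resources(account=account, resource_types=['ec2', 's3'])

    # Backdate everything so no resource is protected by the grace period
    for item in compliant_buckets + non_compliant_buckets:
        cinq_test_service.modify_resource(item, 'creation_date', '2000-01-01T00:00:00')

    for instance_id in compliant_ec2 + non_compliant_ec2:
        cinq_test_service.modify_resource(instance_id, 'launch_date', '2000-01-01T00:00:00')

    auditor = MockRequiredTagsAuditor()
    auditor.run()

    # Sets keep the membership checks O(1) for the ~200 resources in play;
    # bucket names (uuid4 hex) and instance ids are unique, so no size change
    compliant_resources = set(compliant_buckets + compliant_ec2)
    non_compliant_resources = set(non_compliant_buckets + non_compliant_ec2)
    not_fixed = auditor._cinq_test_notices[recipient]['not_fixed']
    for item in not_fixed:
        assert item['resource'].id not in compliant_resources
        assert item['resource'].id in non_compliant_resources

    assert len(non_compliant_resources) == len(not_fixed)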
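    def run(self, **kwargs):
        """Import IdP settings from a SAML metadata XML file into the SAML plugin's config namespace.

        Expects ``kwargs['metadata']`` (path to the IdP metadata file) and
        ``kwargs['fqdn']`` (this service's public host name, used to derive the
        SP entity id and the ACS / SLS consumer URLs).

        Returns:
            ``None`` on success or when the SAML plugin is not installed,
            ``1`` if the metadata file cannot be read, ``2`` if it is not
            well-formed XML, ``3`` for any other error (including a metadata
            document that lacks one of the required elements).
        """
        for ep in CINQ_PLUGINS['cloud_inquisitor.plugins.auth']['plugins']:
            if ep.module_name == 'cinq_auth_onelogin_saml':
                cls = ep.load()
                config_namespace = cls.ns
                break
        else:
            self.log.error('The SAML authentication plugin is not installed')
            return

        try:
            ns = {
                'ds': 'http://www.w3.org/2000/09/xmldsig#',
                'saml': 'urn:oasis:names:tc:SAML:2.0:metadata'
            }

            # NOTE(review): the metadata file is supplied from outside and is
            # parsed with etree's default parser. If `etree` here is lxml,
            # entity resolution is enabled by default and a parser created with
            # resolve_entities=False should be passed; xml.etree does not
            # resolve external entities. Confirm which module is imported.
            xml = etree.parse(kwargs['metadata'])
            root = xml.getroot()

            idp_entity_id = root.attrib['entityID']
            cert_el = root.find('.//ds:X509Certificate', ns)
            sls_el = root.find('.//saml:SingleLogoutService', ns)
            ssos_el = root.find(
                './/saml:SingleSignOnService[@Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"]',
                ns)

            # find() returns None for a missing element; name the element in the
            # log instead of letting the AttributeError surface as a generic error
            missing = [
                label for label, el in (
                    ('ds:X509Certificate', cert_el),
                    ('saml:SingleLogoutService', sls_el),
                    ('saml:SingleSignOnService (HTTP-POST)', ssos_el),
                ) if el is None
            ]
            if missing:
                self.log.error('Metadata file {} is missing required element(s): {}'.format(
                    kwargs['metadata'], ', '.join(missing)))
                return 3

            idp_cert = cert_el.text
            idp_sls = sls_el.attrib['Location']
            idp_ssos = ssos_el.attrib['Location']

            # SP endpoints are derived from the configured FQDN, always over https
            sp_acs = 'https://{}/saml/login/consumer'.format(kwargs['fqdn'])
            sp_sls = 'https://{}/saml/logout/consumer'.format(kwargs['fqdn'])
            sp_entity_id = kwargs['fqdn']

            dbconfig.set(config_namespace, 'idp_entity_id',
                         DBCString(idp_entity_id))
            dbconfig.set(config_namespace, 'idp_sls', DBCString(idp_sls))
            dbconfig.set(config_namespace, 'idp_ssos', DBCString(idp_ssos))
            # The certificate is stored as a single line; only newlines are
            # removed, matching what the plugin previously persisted
            dbconfig.set(config_namespace, 'idp_x509cert',
                         DBCString(idp_cert.replace('\n', '')))
            dbconfig.set(config_namespace, 'sp_entity_id',
                         DBCString(sp_entity_id))
            dbconfig.set(config_namespace, 'sp_acs', DBCString(sp_acs))
            dbconfig.set(config_namespace, 'sp_sls', DBCString(sp_sls))

            self.log.info('Updated SAML configuration from {}'.format(
                kwargs['metadata']))

        except OSError as ex:
            self.log.error('Unable to load metadata file {}: {}'.format(
                kwargs['metadata'], ex))
            return 1

        except etree.ParseError as ex:
            self.log.error('Failed reading metadata XML file: {}'.format(ex))
            return 2

        except Exception as ex:
            # Boundary of a CLI command: anything else (missing entityID or
            # Location attribute, empty certificate text, ...) is reported here
            self.log.error('Error while updating configuration: {}'.format(ex))
            return 3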
def prep_rds_testing(cinq_test_service, collect_only=False):
    """Scope the required-tags auditor to RDS instances and apply the standard alert settings.

    Args:
        cinq_test_service: Test service fixture (accepted for parity with the
            other ``prep_*`` helpers; not used here)
        collect_only (bool): Value written to the auditor's ``collect_only`` setting
    """
    namespace = NS_AUDITOR_REQUIRED_TAGS
    set_audit_scope('aws_rds_instance')
    for key, value in (
        ('collect_only', collect_only),
        ('alert_settings', DBCJSON(STANDARD_ALERT_SETTINGS)),
    ):
        dbconfig.set(namespace, key, value)