Exemple #1
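    def test_root_account_mfa_is_active(self):
        """Root account with MFA active yields a single severity-0 finding.

        Feeds the plugin a one-row credential report under
        ``aws -> iam -> aws-global -> get_credential_report`` and compares
        the complete result list, so any extra or missing finding fails.
        """
        # The listing showed this user name masked as '******', which cannot
        # produce the '<root_account>' text asserted below. The value is
        # restored from that expected message; '<root_account>' is the name
        # the IAM credential report uses for the root user.
        user_fixture = {
            'arn': 'arn1',
            'user': '<root_account>',
            # The flag is the string 'true', not a boolean.
            'mfa_active': 'true'
        }

        users = [user_fixture]
        data_fixture = {
            'aws': {
                'iam': {
                    'aws-global': {
                        'get_credential_report': users
                    }
                }
            }
        }

        # No second argument: the plugin runs with its built-in settings.
        plugin = UserMFAPlugin({})
        results = plugin.run(data_fixture)
        expected = [
            {
                'resource': 'arn1',
                'region': 'aws-global',
                'severity': 0,
                'message': 'MFA enabled for <root_account>'
            }
        ]

        self.assertEqual(results, expected)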
Exemple #2
    def test_creates_results_with_correct_fields_for_multiple_users(self):
        """A finding exposes exactly the keys resource/severity/message/region.

        Runs the plugin over a two-row credential report and inspects only
        the key set of the first result; the values are not checked here.
        """
        report_rows = [
            {'arn': 'arn1', 'user': '******', 'mfa_active': 'true'},
            {'arn': 'arn2', 'user': '******', 'mfa_active': 'true'},
        ]
        scan_data = {
            'aws': {'iam': {'aws-global': {'get_credential_report': report_rows}}}
        }

        findings = UserMFAPlugin({}).run(scan_data)
        first_finding_keys = list(findings[0].keys())

        # assertCountEqual ignores ordering, so only the set of keys matters.
        self.assertCountEqual(
            first_finding_keys,
            ['resource', 'severity', 'message', 'region'],
        )
Exemple #3
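    def test_configure_not_enabled_severity_level(self):
        """``not_enabled_severity_level`` sets the severity of a no-MFA finding.

        A single user without MFA is reported with the configured severity
        (1) while the message keeps the wording the plugin produces when no
        message override is configured.
        """
        # The listing showed this user name masked as '******', which cannot
        # produce the 'user1' text asserted below; the value is restored from
        # that expected message.
        user_fixture = {
            'arn': 'arn1',
            'user': 'user1',
            # The flag is the string 'false', not a boolean.
            'mfa_active': 'false',
        }

        users = [user_fixture]
        data_fixture = {
            'aws': {
                'iam': {
                    'aws-global': {
                        'get_credential_report': users
                    }
                }
            }
        }

        config = {
            'not_enabled_severity_level': 1
        }
        plugin = UserMFAPlugin({}, config)
        results = plugin.run(data_fixture)
        expected = [
            {
                'resource': 'arn1',
                'region': 'aws-global',
                'severity': 1,
                'message': 'MFA not enabled for user1'
            }
        ]

        self.assertEqual(results, expected)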
Exemple #4
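    def test_configure_enabled_message(self):
        """``enabled_message`` replaces the message for users with MFA active.

        The configured template contains a ``{username}`` placeholder; the
        expected finding shows it filled in with the user's name, with the
        severity left at 0.
        """
        # The listing showed this user name masked as '******', which cannot
        # render as 'Enabled: user1'; the value is restored from that
        # expected message.
        user_fixture = {
            'arn': 'arn1',
            'user': 'user1',
            # The flag is the string 'true', not a boolean.
            'mfa_active': 'true',
        }

        users = [user_fixture]
        data_fixture = {
            'aws': {
                'iam': {
                    'aws-global': {
                        'get_credential_report': users
                    }
                }
            }
        }

        config = {
            'enabled_message': 'Enabled: {username}'
        }
        plugin = UserMFAPlugin({}, config)
        results = plugin.run(data_fixture)
        expected = [
            {
                'resource': 'arn1',
                'region': 'aws-global',
                'severity': 0,
                'message': 'Enabled: user1'
            }
        ]

        self.assertEqual(results, expected)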
Exemple #5
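    def test_configure_root_user_not_enabled_message(self):
        """``root_user_not_enabled_message`` replaces the root no-MFA message.

        The root account without MFA is expected at severity 2, the highest
        severity asserted anywhere in these tests; only the message text is
        overridden by the config.
        """
        # The listing showed this user name masked as '******'. The row has
        # to be recognisable as the root user for the root-specific message
        # to apply, so the '<root_account>' name used by the IAM credential
        # report is restored here.
        # NOTE(review): presumably the plugin detects root by this name -
        # confirm against the plugin source.
        user_fixture = {
            'arn': 'arn1',
            'user': '<root_account>',
            # The flag is the string 'false', not a boolean.
            'mfa_active': 'false',
        }

        users = [user_fixture]
        data_fixture = {
            'aws': {
                'iam': {
                    'aws-global': {
                        'get_credential_report': users
                    }
                }
            }
        }

        config = {
            'root_user_not_enabled_message': 'Not Enabled: root account'
        }
        plugin = UserMFAPlugin({}, config)
        results = plugin.run(data_fixture)
        # Severity 2 is not set by the config above, so it is whatever the
        # plugin assigns to this case on its own.
        expected = [
            {
                'resource': 'arn1',
                'region': 'aws-global',
                'severity': 2,
                'message': 'Not Enabled: root account'
            }
        ]

        self.assertEqual(results, expected)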
Exemple #6
    def test_can_be_initialized_and_run_with_no_config(self):
        """The plugin can be built without a config argument and then run.

        Only the key set of the first result is inspected.
        """
        # NOTE(review): the credential report here is empty, yet the test
        # indexes results[0]. That raises IndexError if the plugin returns no
        # findings for an empty report - confirm what run() returns in that
        # case, or whether a user row was dropped from this fixture.
        scan_data = {
            'aws': {'iam': {'aws-global': {'get_credential_report': []}}}
        }

        findings = UserMFAPlugin({}).run(scan_data)
        first_finding_keys = list(findings[0].keys())

        # assertCountEqual ignores ordering, so only the set of keys matters.
        self.assertCountEqual(
            first_finding_keys,
            ['resource', 'severity', 'message', 'region'],
        )