Exemple #1
    def test_unique_api_calls(self):
        # Two plugins declare overlapping API requirements; _unique_api_calls()
        # is expected to collapse them into one set of call names per
        # provider/service. Both plugins are registered under 'cloudfront',
        # yet their 'ec2' requirement must still surface under calls['aws']['ec2'].
        oil = Oil()

        first_plugin = MagicMock()
        first_plugin.requirements = dict(
            distributions=['aws', 'cloudfront', 'list_distributions'],
            instances=['aws', 'ec2', 'describe_instances'],
        )

        second_plugin = MagicMock()
        second_plugin.requirements = dict(
            distributions=['aws', 'cloudfront', 'list_distributions'],
            other_distributions=['aws', 'cloudfront', 'other_distributions'],
            instances=['aws', 'ec2', 'describe_instances'],
        )

        cloudfront_plugins = {
            'plugin_1': first_plugin,
            'plugin_2': second_plugin,
        }
        oil.plugins = {'aws': {'cloudfront': cloudfront_plugins}}

        per_service = oil._unique_api_calls()

        # The shared 'list_distributions' requirement must appear only once.
        self.assertEqual(
            per_service['aws']['cloudfront'],
            {'list_distributions', 'other_distributions'},
        )
        self.assertEqual(per_service['aws']['ec2'], {'describe_instances'})
Exemple #2
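    def test_oil_can_scan_for_password_rotation_with_config(self):
        # Runs UserPasswordRotationPlugin with custom thresholds and messages
        # and checks that the scan reports something under
        # results['aws']['iam']['user_password_rotation'].
        #
        # NOTE(review): the original literal listed
        # 'password_rotation_severity_0_message' twice. Python keeps only the
        # last value for a repeated key, so the first text
        # ('{username} is not violating password rotation best practices')
        # was silently discarded and never reached the plugin. The shadowed
        # entry is dropped here so the dict shows what is really passed.
        # 'No password for this user' presumably belongs under a separate key
        # for the no-password case; confirm the key name against the plugin's
        # defaults and restore the severity-0 text once it is known.
        plugin_config = {
            'password_rotation_severity_2_threshold': 180,
            'password_rotation_severity_1_threshold': 90,
            'password_rotation_severity_2_message':
                '{days} days since last rotation for {username} ',
            'password_rotation_severity_1_message':
                '{days} days since last rotation for {username}',
            'password_rotation_severity_0_message':
                'No password for this user',
        }
        oil = Oil()
        oil.register_barrel(IAMBarrel)
        oil.register_plugin(UserPasswordRotationPlugin, plugin_config)
        results = oil.scan()

        aws_results = results.get('aws', {})
        iam_results = aws_results.get('iam', {})
        plugin_results = iam_results.get('user_password_rotation', [])

        # NOTE(review): this only proves the plugin emitted something; it does
        # not check that the 180/90-day thresholds map to the right severity.
        self.assertNotEqual(plugin_results, [])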
Exemple #3
    def test_collect_api_data_organizes_data_correctly(self, get_barrel_mock):
        # get_barrel_mock is presumably injected by a patch decorator that this
        # listing does not show; it hands back a stub barrel whose tap()
        # returns one region with no items.
        stub_barrel = MagicMock(**{'tap.return_value': {'any_region': []}})
        get_barrel_mock.return_value = stub_barrel

        oil = Oil()
        oil._collect_api_data('aws', 'cloudfront', 'list_distributions')

        # The cache is keyed provider -> service -> region -> API call.
        per_region = {'any_region': {'list_distributions': []}}
        self.assertEqual(
            oil.cached_api_data,
            {'aws': {'cloudfront': per_region}},
        )
Exemple #4
    def test_oil_can_scan_for_access_key_usage(self):
        # Smoke test: IAMBarrel + AccessKeyUsagePlugin with default settings
        # must report something under results['aws']['iam']['access_key_usage'].
        # NOTE(review): nothing in this method stubs the barrel; confirm the
        # suite patches the AWS client so scan() never runs against a live
        # account with ambient credentials.
        scanner = Oil()
        scanner.register_barrel(IAMBarrel)
        scanner.register_plugin(AccessKeyUsagePlugin)

        findings = (
            scanner.scan()
            .get('aws', {})
            .get('iam', {})
            .get('access_key_usage', [])
        )

        self.assertNotEqual(findings, [])
Exemple #5
    def test_oil_can_scan_for_password_rotation_date_for_user(self):
        # Smoke test: UserPasswordRotationPlugin with its default config must
        # report something under
        # results['aws']['iam']['user_password_rotation'].
        # NOTE(review): "anything other than []" is a weak oracle; it does not
        # pin the severity assigned to a stale password.
        scanner = Oil()
        scanner.register_barrel(IAMBarrel)
        scanner.register_plugin(UserPasswordRotationPlugin)

        findings = (
            scanner.scan()
            .get('aws', {})
            .get('iam', {})
            .get('user_password_rotation', [])
        )

        self.assertNotEqual(findings, [])
Exemple #6
    def test_oil_can_scan_for_high_threat_ports_on_instances(self):
        # Smoke test: EC2Barrel + InstanceHighThreatPortPlugin must report
        # something under results['aws']['ec2']['instance_high_threat_port'].
        # NOTE(review): the assertion would pass on an all-clear result too, so
        # it does not show that an exposed port is actually flagged.
        scanner = Oil()
        scanner.register_barrel(EC2Barrel)
        scanner.register_plugin(InstanceHighThreatPortPlugin)

        findings = (
            scanner.scan()
            .get('aws', {})
            .get('ec2', {})
            .get('instance_high_threat_port', [])
        )

        self.assertNotEqual(findings, [])
    def test_oil_can_scan_for_https_usage(self):
        # Smoke test: CloudFrontBarrel + HTTPSPlugin must report something
        # under results['aws']['cloudfront']['https'].
        # NOTE(review): only non-emptiness is checked; whether a distribution
        # that allows plain HTTP gets a raised severity is not verified here.
        scanner = Oil()
        scanner.register_barrel(CloudFrontBarrel)
        scanner.register_plugin(HTTPSPlugin)

        findings = (
            scanner.scan()
            .get('aws', {})
            .get('cloudfront', {})
            .get('https', [])
        )

        self.assertNotEqual(findings, [])
Exemple #8
    def test_oil_can_scan_for_name_tag_compliance(self):
        # Smoke test: EC2Barrel + InstanceNameTagPlugin must report something
        # under results['aws']['ec2']['instance_name_tag'].
        scanner = Oil()
        scanner.register_barrel(EC2Barrel)
        scanner.register_plugin(InstanceNameTagPlugin)

        findings = (
            scanner.scan()
            .get('aws', {})
            .get('ec2', {})
            .get('instance_name_tag', [])
        )

        self.assertNotEqual(findings, [])
Exemple #9
    def test_oil_can_scan_for_public_ip_on_instances(self):
        # Smoke test: EC2Barrel + PublicIpPlugin must report something under
        # results['aws']['ec2']['public_ip'].
        # NOTE(review): the check does not distinguish an instance with a
        # public address from one without; add a fixture-specific assertion if
        # the exposure finding itself matters.
        scanner = Oil()
        scanner.register_barrel(EC2Barrel)
        scanner.register_plugin(PublicIpPlugin)

        findings = (
            scanner.scan()
            .get('aws', {})
            .get('ec2', {})
            .get('public_ip', [])
        )

        self.assertNotEqual(findings, [])
Exemple #10
    def test_oil_can_scan_for_rds_public_db_instances(self):
        # Smoke test: RDSBarrel + PublicDBInstancesPlugin must report something
        # under results['aws']['rds']['public_db_instances'].
        # NOTE(review): nothing in this method stubs the barrel; confirm the
        # suite patches the AWS client so scan() never runs against a live
        # account with ambient credentials.
        scanner = Oil()
        scanner.register_barrel(RDSBarrel)
        scanner.register_plugin(PublicDBInstancesPlugin)

        findings = (
            scanner.scan()
            .get('aws', {})
            .get('rds', {})
            .get('public_db_instances', [])
        )

        self.assertNotEqual(findings, [])
Exemple #11
    def test_oil_can_scan_for_active_mfa_device_for_user(self):
        # Smoke test: IAMBarrel + UserMFAPlugin with default settings must
        # report something under results['aws']['iam']['user_mfa'].
        # NOTE(review): a result for an MFA-enabled user satisfies this just as
        # well as one for a user without MFA; the control itself is not pinned.
        scanner = Oil()
        scanner.register_barrel(IAMBarrel)
        scanner.register_plugin(UserMFAPlugin)

        findings = (
            scanner.scan()
            .get('aws', {})
            .get('iam', {})
            .get('user_mfa', [])
        )

        self.assertNotEqual(findings, [])
Exemple #12
    def test_oil_can_scan_for_s3_origin_access_identity(self):
        # Smoke test: CloudFrontBarrel + S3OriginAccessIdentityPlugin must
        # report something under
        # results['aws']['cloudfront']['s3_origin_access_identity'].
        scanner = Oil()
        scanner.register_barrel(CloudFrontBarrel)
        scanner.register_plugin(S3OriginAccessIdentityPlugin)

        findings = (
            scanner.scan()
            .get('aws', {})
            .get('cloudfront', {})
            .get('s3_origin_access_identity', [])
        )

        self.assertNotEqual(findings, [])
Exemple #13
    def test_oil_can_scan_for_access_key_usage_with_custom_config(self):
        # Same scan as the default access-key test, but with the two
        # "last used" thresholds overridden (90 and 60).
        # NOTE(review): the assertion would also pass if the overrides were
        # ignored; a fixture key whose age sits between the default and the
        # custom threshold would show that they are applied.
        thresholds = dict(
            access_key_last_used_severity_two_threshold=90,
            access_key_last_used_severity_one_threshold=60,
        )

        scanner = Oil()
        scanner.register_barrel(IAMBarrel)
        scanner.register_plugin(AccessKeyUsagePlugin, thresholds)

        findings = (
            scanner.scan()
            .get('aws', {})
            .get('iam', {})
            .get('access_key_usage', [])
        )

        self.assertNotEqual(findings, [])
Exemple #14
    def test_oil_can_scan_for_total_users_with_config(self):
        # Runs TotalUsersPlugin with custom thresholds (50 / 20) and message
        # templates, then checks that results['aws']['iam']['total_users'] is
        # populated.
        user_count_message = 'Total users: {total_users}'
        overrides = dict(
            total_users_severity_2_threshold=50,
            total_users_severity_1_threshold=20,
            total_users_severity_2_message=user_count_message,
            total_users_severity_1_message=user_count_message,
            total_users_severity_0_message=user_count_message,
            no_users_message='No users in this AWS account',
        )

        scanner = Oil()
        scanner.register_barrel(IAMBarrel)
        scanner.register_plugin(TotalUsersPlugin, overrides)

        findings = (
            scanner.scan()
            .get('aws', {})
            .get('iam', {})
            .get('total_users', [])
        )

        self.assertNotEqual(findings, [])
Exemple #15
    def test_oil_can_scan_for_active_mfa_device_with_config(self):
        # Runs UserMFAPlugin with custom messages and severity levels for both
        # the root user and ordinary users, then checks that
        # results['aws']['iam']['user_mfa'] is populated.
        # NOTE(review): both "not enabled" severities are set to 1 here, and
        # the assertion does not read them back, so a regression in how a
        # missing-MFA finding is graded would go unnoticed.
        enabled_text = 'Enabled: {username}'
        disabled_text = 'Not Enabled: {username}'
        overrides = dict(
            root_user_enabled_message=enabled_text,
            root_user_not_enabled_message=disabled_text,
            root_user_not_enabled_severity_level=1,
            enabled_message=enabled_text,
            not_enabled_message=disabled_text,
            not_enabled_severity_level=1,
        )

        scanner = Oil()
        scanner.register_barrel(IAMBarrel)
        scanner.register_plugin(UserMFAPlugin, overrides)

        findings = (
            scanner.scan()
            .get('aws', {})
            .get('iam', {})
            .get('user_mfa', [])
        )

        self.assertNotEqual(findings, [])
Exemple #16
    def test_oil_can_scan_for_total_users(self):
        # Here the plugin is named in the config passed to Oil() itself
        # (aws -> iam -> plugins) and also registered explicitly; the scan
        # must still populate results['aws']['iam']['total_users'].
        iam_section = {'plugins': [{'name': 'total_users'}]}
        scan_config = {'aws': {'iam': iam_section}}

        scanner = Oil(scan_config)
        scanner.register_barrel(IAMBarrel)
        scanner.register_plugin(TotalUsersPlugin)

        findings = (
            scanner.scan()
            .get('aws', {})
            .get('iam', {})
            .get('total_users', [])
        )

        self.assertNotEqual(findings, [])
Exemple #17
 def test_oil_throws_error_with_bad_kwargs(self):
     # The constructor must reject an unknown keyword argument with
     # RuntimeError rather than accept it silently.
     self.assertRaises(RuntimeError, Oil, bad_arg='my_bad_arg')
Exemple #18
 def test_validate_kwargs_throws_error_with_bad_kwargs(self):
     # Exercises the validator directly on an instance built with defaults:
     # an unknown keyword argument must raise RuntimeError.
     scanner = Oil()
     self.assertRaises(
         RuntimeError, scanner._validate_kwargs, bad_arg='my_bad_arg'
     )