def pre_test_setup(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
account = Account(identifier="012345678910", name="TEST_ACCOUNT1",
account_type_id=account_type_result.id, notes="TEST_ACCOUNT1",
third_party=False, active=True)
db.session.add(account)
account = Account(identifier="123123123123", name="TEST_ACCOUNT2",
account_type_id=account_type_result.id, notes="TEST_ACCOUNT2",
third_party=False, active=True)
db.session.add(account)
account = Account(identifier="109876543210", name="TEST_ACCOUNT3",
account_type_id=account_type_result.id, notes="TEST_ACCOUNT3",
third_party=False, active=False)
db.session.add(account)
account = Account(identifier="456456456456", name="TEST_ACCOUNT4",
account_type_id=account_type_result.id, notes="TEST_ACCOUNT4",
third_party=False, active=False)
db.session.add(account)
db.session.commit()
RUNTIME_WATCHERS.clear()
RUNTIME_AUDIT_COUNTS.clear()
def pre_test_setup(self):
RDSSnapshotAuditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear()
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
# main
account = Account(identifier="123456789123",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
# friendly
account2 = Account(identifier="222222222222",
name="TEST_ACCOUNT_TWO",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT_TWO",
third_party=False,
active=True)
# third party
account3 = Account(identifier="333333333333",
name="TEST_ACCOUNT_THREE",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT_THREE",
third_party=True,
active=True)
db.session.add(account)
db.session.add(account2)
db.session.add(account3)
db.session.commit()
def pre_test_setup(self):
self.gh_items = [
GitHubOrgItem(account="Netflix",
name="Netflix",
arn="Netflix",
config=CONFIG_ONE),
GitHubOrgItem(account="Netflix-PRIVATE",
name="Netflix-PRIVATE",
arn="Netflix-PRIVATE",
config=CONFIG_TWO),
]
self.account_type = AccountType(name="GitHub")
db.session.add(self.account_type)
db.session.commit()
db.session.add(
Account(name="Netflix",
account_type_id=self.account_type.id,
identifier="Netflix",
active=True,
third_party=False))
db.session.add(
Account(name="Netflix-PRIVATE",
account_type_id=self.account_type.id,
identifier="Netflix-PRIVATE",
active=True,
third_party=False))
self.technology = Technology(name="organization")
db.session.add(self.technology)
db.session.commit()
def add_account(number,
third_party,
name,
s3_name,
active,
notes,
role_name='SecurityMonkey',
edit=False):
''' Adds an account. If one with the same number already exists, do nothing,
unless edit is True, in which case, override the existing account. Returns True
if an action is taken, False otherwise. '''
query = Account.query
query = query.filter(Account.number == number)
if query.count():
if not edit:
return False
else:
query.delete()
account = Account()
account.name = name
account.s3_name = s3_name
account.number = number
account.role_name = role_name
account.notes = notes
account.active = active
account.third_party = third_party
db.session.add(account)
db.session.commit()
return True
def test_slurp(self, mock_get):
from security_monkey.watchers.github.org import GitHubOrg
org_watcher = GitHubOrg(accounts=["Org-one"])
result, exc = org_watcher.slurp()
assert exc == {}
assert len(result) == 1
assert result[0].account == "Org-one"
assert result[0].name == "Org-one"
assert result[0].index == "organization"
assert len(ExceptionLogs.query.all()) == 0
# And failures:
db.session.add(
Account(name="FAILURE",
account_type_id=self.account_type.id,
identifier="FAILURE",
active=True,
third_party=False))
db.session.commit()
org_watcher = GitHubOrg(accounts=["FAILURE"])
result, exc = org_watcher.slurp()
assert len(exc) == 1
assert len(ExceptionLogs.query.all()) == 1
def _setup_one_two_revisions(self):
account_type_result = AccountType.query.filter(AccountType.name == 'AWS').first()
if not account_type_result:
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
account = Account(number="012345678910", name="testing",
s3_name="testing", role_name="SecurityMonkey",
account_type_id=account_type_result.id)
technology = Technology(name="iamrole")
item = Item(region="us-west-2", name="testrole",
arn="arn:aws:iam::012345678910:role/testrole", technology=technology,
account=account)
self.now = datetime(2016, 11, 3)
self.yesterday = self.now - timedelta(days=1)
item.revisions.append(ItemRevision(active=True, config={}, date_created=self.now))
item.revisions.append(ItemRevision(active=True, config={}, date_created=self.yesterday))
db.session.add(account)
db.session.add(technology)
db.session.add(item)
db.session.commit()
items = Item.query.all()
for item in items:
latest_revision = item.revisions.first()
item.latest_revision_id = latest_revision.id
db.session.add(item)
db.session.commit()
def pre_test_setup(self):
# Delete any remaining test cruft:
if app.config.get("GITHUB_CREDENTIALS"):
del app.config["GITHUB_CREDENTIALS"]
self.account_type = AccountType(name="GitHub")
self.accounts = []
db.session.add(self.account_type)
db.session.commit()
# Tests need to be run from the working dir such that `security_monkey/tests/utilities/templates/github_creds`
# can be found!
for x in ["one", "two", "three"]:
account = Account(name="Org-{}".format(x),
account_type_id=self.account_type.id,
identifier="Org-{}".format(x),
active=True)
account.custom_fields.append(
AccountTypeCustomValues(name="access_token_file",
value="security_monkey/tests/"
"utilities/templates/github_creds"))
db.session.add(account)
self.accounts.append(account)
db.session.commit()
def pre_test_setup(self):
self.account_type = AccountType(name="GitHub")
db.session.add(self.account_type)
db.session.commit()
db.session.add(
Account(name="octocat",
account_type_id=self.account_type.id,
identifier="octocat",
active=True,
third_party=False))
self.technology = Technology(name="repository")
db.session.add(self.technology)
db.session.commit()
self.gh_items = [
GitHubOrgItem(account="octocat",
name="Hello-World",
arn="octocat/Hello-World",
config=CONFIG_ONE),
GitHubOrgItem(account="octocat",
name="Repo-Private",
arn="octocat/Repo-Private",
config=CONFIG_TWO),
]
def pre_test_setup(self):
account_type_result = AccountType.query.filter(
AccountType.name == 'AWS').first()
if not account_type_result:
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
self.account = Account(identifier="012345678910",
name="testing",
active=True,
third_party=False,
account_type_id=account_type_result.id)
self.technology = Technology(name="s3")
self.item = Item(region="us-west-2",
name="somebucket",
arn=ARN_PREFIX + ":s3:::somebucket",
technology=self.technology,
account=self.account)
db.session.add(self.account)
db.session.add(self.technology)
db.session.add(self.item)
db.session.commit()
mock_s3().start()
client = boto3.client("s3")
client.create_bucket(Bucket="somebucket")
client.create_bucket(Bucket="someotherbucket")
client.create_bucket(Bucket="someotherbucket2")
def pre_test_setup(self):
self.gh_items = [
GitHubTeamItem(account="Org-one",
name="Org-one",
arn="Org-one",
config=CONFIG_ONE),
GitHubTeamItem(account="Org-one",
name="Org-one",
arn="Org-one",
config=CONFIG_TWO),
]
self.account_type = AccountType(name="GitHub")
db.session.add(self.account_type)
db.session.commit()
db.session.add(
Account(name="Org-one",
account_type_id=self.account_type.id,
identifier="Org-one",
active=True,
third_party=False))
self.technology = Technology(name="team")
db.session.add(self.technology)
db.session.commit()
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto.connect_route53('the_key', 'the_secret')
zone = conn.create_hosted_zone("testdns.aws.com")
zone_id = zone["CreateHostedZoneResponse"][
"HostedZone"]["Id"].split("/")[-1]
changes = boto.route53.record.ResourceRecordSets(conn, zone_id)
change = changes.add_change("CREATE", "testdns.aws.com", "A")
change.add_value("10.1.1.1")
changes.commit()
watcher = Route53(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(
expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(len(item_list)))
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
ec2 = boto3.resource('ec2', region_name='us-east-1')
ec2.create_dhcp_options(DhcpConfigurations=[{
'Key': 'domain-name',
'Values': ['example.com']
}, {
'Key': 'domain-name-servers',
'Values': ['10.0.10.2']
}])
watcher = DHCP(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(
len(item_list)))
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto3.client('lambda', 'us-east-1')
conn.create_function(
FunctionName='testFunction',
Runtime='python2.7',
Role='test-iam-role',
Handler='lambda_function.handler',
Code={
'ZipFile': get_test_zip_file()
},
Description='test lambda function',
Timeout=3,
MemorySize=128,
Publish=True,
)
watcher = LambdaFunction(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(
expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(len(item_list)))
def amazon_accounts():
""" Pre-populates standard AWS owned accounts """
import os
import json
from security_monkey.datastore import Account, AccountType
data_file = os.path.join(os.path.dirname(__file__), "data",
"aws_accounts.json")
data = json.load(open(data_file, 'r'))
app.logger.info('Adding / updating Amazon owned accounts')
try:
account_type_result = AccountType.query.filter(
AccountType.name == 'AWS').first()
if not account_type_result:
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
db.session.refresh(account_type_result)
for group, info in data.items():
for aws_account in info['accounts']:
acct_name = "{group} ({region})".format(
group=group, region=aws_account['region'])
account = Account.query.filter(
Account.number == aws_account['account_id']).first()
if not account:
app.logger.debug(
' Adding account {0}'.format(acct_name))
account = Account()
else:
app.logger.debug(
' Updating account {0}'.format(acct_name))
account.number = aws_account['account_id']
account.identifier = aws_account['account_id']
account.account_type_id = account_type_result.id
account.active = False
account.third_party = True
account.name = acct_name
account.notes = info['url']
db.session.add(account)
db.session.commit()
app.logger.info('Finished adding Amazon owned accounts')
except Exception as e:
app.logger.exception("An error occured while adding accounts")
store_exception("manager-amazon-accounts", None, e)
def _setup_account(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
account = Account(identifier="012345678910",
name="test_account",
account_type_id=account_type_result.id)
db.session.add(account)
db.session.commit()
def pre_test_setup(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
self.account = Account(identifier="012345678910",
name="testing",
third_party=False,
active=True,
account_type_id=account_type_result.id)
self.technology = Technology(name="iamrole")
self.total_roles = 75
db.session.add(self.account)
db.session.add(self.technology)
db.session.commit()
mock_iam().start()
client = boto3.client("iam")
aspd = {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}]
}
policy = {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "*",
"Resource": "*"
}]
}
for x in range(0, self.total_roles):
# Create the IAM Role via Moto:
aspd["Statement"][0][
"Resource"] = ARN_PREFIX + "arn:aws:iam:012345678910:role/roleNumber{}".format(
x)
client.create_role(Path="/",
RoleName="roleNumber{}".format(x),
AssumeRolePolicyDocument=json.dumps(aspd,
indent=4))
client.put_role_policy(RoleName="roleNumber{}".format(x),
PolicyName="testpolicy",
PolicyDocument=json.dumps(policy, indent=4))
def setup_db(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
self.account = Account(identifier="012345678910", name="testing",
account_type_id=account_type_result.id)
self.technology = Technology(name="iamrole")
db.session.add(self.account)
db.session.add(self.technology)
db.session.commit()
def pre_test_setup(self):
self.es_items = [
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test",
config=CONFIG_ONE),
ElasticSearchServiceItem(region="us-west-2",
account="TEST_ACCOUNT",
name="es_test_2",
config=CONFIG_TWO),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_3",
config=CONFIG_THREE),
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test_4",
config=CONFIG_FOUR),
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test_5",
config=CONFIG_FIVE),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_6",
config=CONFIG_SIX),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_7",
config=CONFIG_SEVEN),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_8",
config=CONFIG_EIGHT),
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test_9",
config=CONFIG_NINE),
]
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
account = Account(identifier="012345678910",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
db.session.add(account)
db.session.commit()
def amazon_accounts():
""" Pre-populates standard AWS owned accounts """
import os
import json
from security_monkey.datastore import Account
data_file = os.path.join(os.path.dirname(__file__), "data", "aws_accounts.json")
data = json.load(open(data_file, 'r'))
app.logger.info('Adding / updating Amazon owned accounts')
try:
for group, info in data.items():
for aws_account in info['accounts']:
acct_name = "{group} ({region})".format(group=group, region=aws_account['region'])
account = Account.query.filter(Account.number == aws_account['account_id']).first()
if not account:
app.logger.debug(' Adding account {0}'.format(acct_name))
account = Account()
else:
app.logger.debug(' Updating account {0}'.format(acct_name))
account.number = aws_account['account_id']
account.active = False
account.third_party = True
account.name = acct_name
account.notes = info['url']
db.session.add(account)
db.session.commit()
app.logger.info('Finished adding Amazon owned accounts')
except Exception as e:
app.logger.exception("An error occured while adding accounts")
store_exception("manager-amazon-accounts", None, e)
def pre_test_setup(self):
account_result = Account.query.filter(
Account.name == 'TEST_ACCOUNT').first()
if not account_result:
account_type = AccountType(name='AWS')
db.session.add(account_type)
db.session.commit()
account_result = Account(name='TEST_ACCOUNT',
identifier='012345678910',
account_type_id=account_type.id)
db.session.add(account_result)
db.session.commit()
def pre_test_setup(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
account = Account(identifier="012345678910", name="TEST_ACCOUNT",
account_type_id=account_type_result.id, notes="TEST_ACCOUNT",
third_party=False, active=True)
db.session.add(account)
db.session.commit()
mock_file_system.clear()
build_mock_result(watcher_configs, [])
def pre_test_setup(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
self.account = Account(identifier="012345678910",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
db.session.add(self.account)
db.session.commit()
def test_fetch_aws_canonical_ids_command(self):
accounts = Account.query.all()
fetch_aws_canonical_ids(False)
for account in accounts:
assert len(account.custom_fields) == 1
assert account.custom_fields[0].name == "canonical_id"
assert account.custom_fields[
0].value == "bcaf1ffd86f41161ca5fb16fd081034f" # Default from moto.
# Make it something else to test overrides:
account.custom_fields[0].value = "replaceme"
db.session.add(account)
db.session.commit()
# Test without override (nothing should be changed):
fetch_aws_canonical_ids(False)
for account in accounts:
assert len(account.custom_fields) == 1
assert account.custom_fields[0].name == "canonical_id"
assert account.custom_fields[0].value == "replaceme"
# Test override:
fetch_aws_canonical_ids(True)
for account in accounts:
assert len(account.custom_fields) == 1
assert account.custom_fields[0].name == "canonical_id"
assert account.custom_fields[
0].value == "bcaf1ffd86f41161ca5fb16fd081034f" # Default from moto.
# Create an inactive account:
inactive = Account(name="inactive",
account_type_id=self.account_type.id,
identifier="109876543210")
db.session.add(inactive)
db.session.commit()
# Run the change again:
fetch_aws_canonical_ids(True)
# Ensure that nothing happened to the inactive account:
assert len(inactive.custom_fields) == 0
# Also verify that no exceptions were encountered:
assert len(ExceptionLogs.query.all()) == 0
mock_sts().stop()
mock_s3().stop()
def pre_test_setup(self):
from security_monkey.auditors.iam.iam_role import IAMRoleAuditor
from security_monkey.datastore import Account, AccountType
from security_monkey import db
IAMRoleAuditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear()
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
# main
account = Account(identifier="012345678910",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
# friendly
account2 = Account(identifier="222222222222",
name="TEST_ACCOUNT_TWO",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT_TWO",
third_party=False,
active=True)
# third party
account3 = Account(identifier="333333333333",
name="TEST_ACCOUNT_THREE",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT_THREE",
third_party=True,
active=True)
db.session.add(account)
db.session.add(account2)
db.session.add(account3)
db.session.commit()
def pre_test_setup(self):
self.account_type = AccountType.query.filter(
AccountType.name == 'AWS').first()
if not self.account_type:
self.account_type = AccountType(name='AWS')
db.session.add(self.account_type)
db.session.commit()
self.test_account = Account(type=self.account_type,
name="test_account",
identifier="012345678910")
self.technology = Technology(name="testtech")
db.session.add(self.test_account)
db.session.add(self.technology)
db.session.commit()
def test_slurp(self, mock_get):
db.session.add(Account(name="Netflix", account_type_id=self.account_type.id,
identifier="Netflix", active=True, third_party=False))
db.session.commit()
repo_watcher = GitHubRepo(accounts=["Netflix"])
repo_watcher.slurp_list()
result, exc = repo_watcher.slurp()
assert len(result) == 2
assert result[0].account == "Netflix"
assert result[0].arn == "Netflix/security_monkey"
assert result[0].index == "repository"
assert len(exc) == 0
assert len(ExceptionLogs.query.all()) == 0
def setUp(self):
self.es_items = [
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test",
config=CONFIG_ONE),
ElasticSearchServiceItem(region="us-west-2",
account="TEST_ACCOUNT",
name="es_test_2",
config=CONFIG_TWO),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_3",
config=CONFIG_THREE),
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test_4",
config=CONFIG_FOUR),
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test_5",
config=CONFIG_FIVE),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_6",
config=CONFIG_SIX),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_7",
config=CONFIG_SEVEN),
ElasticSearchServiceItem(region="eu-west-1",
account="TEST_ACCOUNT",
name="es_test_8",
config=CONFIG_EIGHT),
ElasticSearchServiceItem(region="us-east-1",
account="TEST_ACCOUNT",
name="es_test_9",
config=CONFIG_NINE),
]
# Add the fake source account into the database:
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
db.session.add(test_account)
db.session.commit()
def test_get_creds_file(self):
# Load the creds file:
creds = get_github_creds(["Org-one", "Org-two", "Org-three"])
for x in ["one", "two", "three"]:
assert creds["Org-{}".format(x)] == "token-{}".format(x)
# And without one specified:
db.session.add(
Account(name="Org-BAD",
account_type_id=self.account_type.id,
identifier="Org-BAD",
active=True))
db.session.commit()
with self.assertRaises(GitHubCredsError) as _:
get_github_creds(["Org-BAD"])
def pre_test_setup(self):
self.account_type = AccountType(name="GitHub")
db.session.add(self.account_type)
db.session.commit()
app.config["GITHUB_CREDENTIALS"] = {
"Org-one": "token-one",
"FAILURE": "FAILURE",
"Netflix": "token-two"
}
db.session.add(Account(name="Org-one", account_type_id=self.account_type.id,
identifier="Org-one", active=True, third_party=False))
self.technology = Technology(name="repository")
db.session.add(self.technology)
db.session.commit()
def pre_test_setup(self):
SecurityGroupAuditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear()
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
# main
account = Account(identifier="123456789123",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
db.session.add(account)
db.session.commit()
def test_slurp_list(self, mock_get):
repo_watcher = GitHubRepo(accounts=["Org-one"])
result, exc = repo_watcher.slurp_list()
assert exc == {}
assert len(result) == len(repo_watcher.total_list) == 2
assert result[0]["name"] == "security_monkey"
assert result[1]["name"] == "hubcommander"
assert len(ExceptionLogs.query.all()) == 0
# And failures:
db.session.add(Account(name="FAILURE", account_type_id=self.account_type.id,
identifier="FAILURE", active=True, third_party=False))
db.session.commit()
repo_watcher = GitHubRepo(accounts=["FAILURE"])
result, exc = repo_watcher.slurp()
assert len(exc) == 1
assert len(ExceptionLogs.query.all()) == 1
def add_account(number, third_party, name, s3_name, active, notes, role_name='SecurityMonkey', edit=False):
''' Adds an account. If one with the same number already exists, do nothing,
unless edit is True, in which case, override the existing account. Returns True
if an action is taken, False otherwise. '''
query = Account.query
query = query.filter(Account.number == number)
if query.count():
if not edit:
return False
else:
query.delete()
account = Account()
account.name = name
account.s3_name = s3_name
account.number = number
account.role_name = role_name
account.notes = notes
account.active = active
account.third_party = third_party
db.session.add(account)
db.session.commit()
return True
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto.connect_vpc("the_key", "the secret")
conn.create_vpc("10.0.0.0/16")
watcher = RouteTable(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(expr1=len(item_list), expr2=1, msg="Watcher should have 1 item but has {}".format(len(item_list)))
def amazon_accounts():
""" Pre-populates standard AWS owned accounts """
import json
from security_monkey.datastore import Account, AccountType
data = json.load(open("data/aws_accounts.json", 'r'))
app.logger.info('Adding / updating Amazon owned accounts')
try:
account_type_result = AccountType.query.filter(AccountType.name == 'AWS').first()
if not account_type_result:
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
db.session.refresh(account_type_result)
for group, info in data.items():
for aws_account in info['accounts']:
acct_name = "{group} ({region})".format(group=group, region=aws_account['region'])
account = Account.query.filter(Account.identifier == aws_account['account_id']).first()
if not account:
app.logger.debug(' Adding account {0}'.format(acct_name))
account = Account()
else:
app.logger.debug(' Updating account {0}'.format(acct_name))
account.identifier = aws_account['account_id']
account.account_type_id = account_type_result.id
account.active = False
account.third_party = True
account.name = acct_name
account.notes = info['url']
db.session.add(account)
db.session.commit()
app.logger.info('Finished adding Amazon owned accounts')
except Exception as e:
app.logger.exception("An error occured while adding accounts")
store_exception("manager-amazon-accounts", None, e)
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto3.client("ec2", "us-east-1")
reservation = conn.run_instances(ImageId="ami-1234abcd", MinCount=1, MaxCount=1)
instance = reservation["Instances"][0]
conn.create_image(InstanceId=instance["InstanceId"], Name="test-ami", Description="this is a test ami")
watcher = EC2Image(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(expr1=len(item_list), expr2=1, msg="Watcher should have 1 item but has {}".format(len(item_list)))
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto.rds.connect_to_region('us-east-1')
conn.create_dbsecurity_group('db_sg1', 'DB Security Group')
watcher = RDSSecurityGroup(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(
expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(len(item_list)))
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto.connect_ec2('the_key', 'the_secret')
conn.create_volume(50, "us-east-1a")
watcher = EBSVolume(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(
expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(len(item_list)))
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto3.client('ec2', 'us-east-1')
conn.run_instances(ImageId='ami-1234abcd', MinCount=1, MaxCount=1)
watcher = EC2Instance(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(
expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(len(item_list)))
def setUp(self):
self.es_items = [
ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test", config=CONFIG_ONE),
ElasticSearchServiceItem(region="us-west-2", account="TEST_ACCOUNT", name="es_test_2", config=CONFIG_TWO),
ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_3", config=CONFIG_THREE),
ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test_4", config=CONFIG_FOUR),
ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test_5", config=CONFIG_FIVE),
ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_6", config=CONFIG_SIX),
ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_7", config=CONFIG_SEVEN),
ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_8", config=CONFIG_EIGHT),
ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test_9", config=CONFIG_NINE),
]
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
vpc_conn = boto.vpc.connect_to_region("us-east-1")
vpc = vpc_conn.create_vpc("10.0.0.0/16")
subnet = vpc_conn.create_subnet(vpc.id, "10.1.0.0/24")
subnet_ids = [subnet.id]
conn = boto.rds.connect_to_region("us-east-1")
conn.create_db_subnet_group("db_subnet", "my db subnet", subnet_ids)
watcher = RDSSubnetGroup(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(expr1=len(item_list), expr2=1, msg="Watcher should have 1 item but has {}".format(len(item_list)))
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
conn = boto.connect_route53("the_key", "the_secret")
zone = conn.create_hosted_zone("testdns.aws.com")
zone_id = zone["CreateHostedZoneResponse"]["HostedZone"]["Id"].split("/")[-1]
changes = boto.route53.record.ResourceRecordSets(conn, zone_id)
change = changes.add_change("CREATE", "testdns.aws.com", "A")
change.add_value("10.1.1.1")
changes.commit()
watcher = Route53(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(expr1=len(item_list), expr2=1, msg="Watcher should have 1 item but has {}".format(len(item_list)))
def test_slurp(self):
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
mock_query.add_account(test_account)
ec2 = boto3.resource('ec2', region_name='us-east-1')
ec2.create_dhcp_options(DhcpConfigurations=[
{'Key': 'domain-name', 'Values': ['example.com']},
{'Key': 'domain-name-servers', 'Values': ['10.0.10.2']}
])
watcher = DHCP(accounts=[test_account.name])
item_list, exception_map = watcher.slurp()
self.assertIs(
expr1=len(item_list),
expr2=1,
msg="Watcher should have 1 item but has {}".format(len(item_list)))
def setUp(self):
self.es_items = [
ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test", config=CONFIG_ONE),
ElasticSearchServiceItem(region="us-west-2", account="TEST_ACCOUNT", name="es_test_2", config=CONFIG_TWO),
ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_3", config=CONFIG_THREE),
ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test_4", config=CONFIG_FOUR),
ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test_5", config=CONFIG_FIVE),
ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_6", config=CONFIG_SIX),
ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_7", config=CONFIG_SEVEN),
ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_8", config=CONFIG_EIGHT),
ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test_9", config=CONFIG_NINE),
]
# Add the fake source account into the database:
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
db.session.add(test_account)
db.session.commit()
def save(self):
pass
def audit_all_objects(self):
RUNTIME_AUDITORS[self.__class__.__name__].append(self)
def save_issues(self):
pass
mock_query = MockAccountQuery()
mock_db_session = MockDBSession()
test_account = Account()
test_account.name = "TEST_ACCOUNT"
test_account.notes = "TEST ACCOUNT"
test_account.s3_name = "TEST_ACCOUNT"
test_account.number = "012345678910"
test_account.role_name = "TEST_ACCOUNT"
test_account.third_party = False
test_account.active = True
mock_query.add_account(test_account)
test_account2 = Account()
test_account2.name = "TEST_ACCOUNT2"
test_account2.notes = "TEST ACCOUNT2"
test_account2.s3_name = "TEST_ACCOUNT2"
test_account2.number = "123123123123"
test_account2.role_name = "TEST_ACCOUNT"
def post(self):
"""
.. http:post:: /api/1/account/
Create a new account.
**Example Request**:
.. sourcecode:: http
POST /api/1/account/ HTTP/1.1
Host: example.com
Accept: application/json
{
'name': 'new_account'
's3_name': 'new_account',
'number': '0123456789',
'notes': 'this account is for ...',
'role_name': 'CustomRole',
'active': true,
'third_party': false
}
**Example Response**:
.. sourcecode:: http
HTTP/1.1 201 Created
Vary: Accept
Content-Type: application/json
{
'name': 'new_account'
's3_name': 'new_account',
'number': '0123456789',
'notes': 'this account is for ...',
'role_name': 'CustomRole',
'active': true,
'third_party': false
}
:statuscode 201: created
:statuscode 401: Authentication Error. Please Login.
"""
auth, retval = __check_auth__(self.auth_dict)
if auth:
return retval
self.reqparse.add_argument('name', required=True, type=unicode, help='Must provide account name', location='json')
self.reqparse.add_argument('s3_name', required=False, type=unicode, help='Will use name if s3_name not provided.', location='json')
self.reqparse.add_argument('number', required=False, type=unicode, help='Add the account number if available.', location='json')
self.reqparse.add_argument('notes', required=False, type=unicode, help='Add context.', location='json')
self.reqparse.add_argument('role_name', required=False, type=unicode, help='Custom role name.', location='json')
self.reqparse.add_argument('active', required=False, type=bool, help='Determines whether this account should be interrogated by security monkey.', location='json')
self.reqparse.add_argument('third_party', required=False, type=bool, help='Determines whether this account is a known friendly third party account.', location='json')
args = self.reqparse.parse_args()
account = Account()
account.name = args['name']
account.s3_name = args.get('s3_name', args['name'])
account.number = args['number']
account.notes = args['notes']
account.active = args['active']
account.third_party = args['third_party']
db.session.add(account)
db.session.commit()
db.session.refresh(account)
marshaled_account = marshal(account.__dict__, ACCOUNT_FIELDS)
marshaled_account['auth'] = self.auth_dict
return marshaled_account, 201
