def test_changed_item(self):
    """find_modified() reports exactly one item when only item2's config differs.

    item1 carries the same config on both sides; item2 goes from 'test2' to
    'test3', so the watcher should count a single changed item.
    """
    def build(name, value):
        return ChangeItem(index='test_index',
                          account='test_account',
                          name=name,
                          new_config={'config': value})

    previous = [build('item1_name', 'test1'), build('item2_name', 'test2')]
    current = [build('item1_name', 'test1'), build('item2_name', 'test3')]

    self._setup_account()
    watcher = Watcher(accounts=['test_account'])
    watcher.find_modified(previous, current)

    # Only item2 differs between the two snapshots.
    assert len(watcher.changed_items) == 1
def test_ephemeral_change(self):
    """A difference confined to an ephemeral path must not count as a change.

    item2 differs only in 'test_ephemeral', which is registered in
    watcher.ephemeral_paths, so find_modified() should report no changed items.
    """
    def build(name, config):
        return ChangeItem(index='test_index',
                          account='test_account',
                          name=name,
                          new_config=config)

    previous = [
        build('item1_name', {'normal': True}),
        build('item2_name', {'normal': False,
                             'test_ephemeral': 'previous ephemeral'}),
    ]
    current = [
        build('item1_name', {'normal': True}),
        build('item2_name', {'normal': False,
                             'test_ephemeral': 'current ephemeral'}),
    ]

    self._setup_account()
    watcher = Watcher(accounts=['test_account'])
    # Both the flag and the path list are needed for the ephemeral filter to apply.
    watcher.honor_ephemerals = True
    watcher.ephemeral_paths = ['test_ephemeral']
    watcher.find_modified(previous, current)

    assert len(watcher.changed_items) == 0
def test_audit_specific_changes(self):
    """Batched audit path: three new IAM roles should produce three ItemAudit rows.

    Builds a Monitor for IAMRole with the IAMRoleAuditor attached, feeds three
    CloudAux-shaped role items through find_changes_batch(), runs
    _audit_specific_changes() on the result and counts the persisted issues.
    """
    from security_monkey.task_scheduler.tasks import _audit_specific_changes
    from security_monkey.monitors import Monitor
    from security_monkey.watchers.iam.iam_role import IAMRole
    from security_monkey.cloudaux_watcher import CloudAuxChangeItem
    from security_monkey.auditors.iam.iam_role import IAMRoleAuditor

    # Monitor bound to a single test account, with only the IAM role auditor.
    test_account = Account.query.filter(Account.name == "TEST_ACCOUNT1").one()
    batched_monitor = Monitor(IAMRole, test_account)
    batched_monitor.auditors = [IAMRoleAuditor(accounts=[test_account.name])]

    technology = Technology(name="iamrole")
    db.session.add(technology)
    db.session.commit()

    watcher = Watcher(accounts=[test_account.name])
    watcher.current_account = (test_account, 0)
    watcher.technology = technology

    def build_role(n):
        # Shallow copy so the shared ROLE_CONF template's top-level keys stay untouched.
        role_policy = dict(ROLE_CONF)
        role_name = "roleNumber{}".format(n)
        role_policy["Arn"] = ARN_PREFIX + ":iam::012345678910:role/" + role_name
        role_policy["RoleName"] = role_name
        return CloudAuxChangeItem.from_item(name=role_name,
                                            item=role_policy,
                                            record_region='universal',
                                            account_name=test_account.name,
                                            index='iamrole',
                                            source_watcher=watcher)

    items = [build_role(n) for n in range(3)]
    audit_items = watcher.find_changes_batch(items, {})
    assert len(audit_items) == 3

    _audit_specific_changes(batched_monitor, audit_items, False)

    # One ItemAudit per role; assumes ItemAudit is empty before this test — confirm in setup.
    assert len(ItemAudit.query.all()) == 3
def test_changed_item(self):
    """One changed item is reported when only item2's config value differs.

    item1 is identical in both snapshots; item2 moves from 'test2' to
    'test3', so find_modified() should record a single changed item.
    """
    unchanged_before = ChangeItem(index='test_index',
                                  account='test_account',
                                  name='item1_name',
                                  new_config={'config': 'test1'})
    changed_before = ChangeItem(index='test_index',
                                account='test_account',
                                name='item2_name',
                                new_config={'config': 'test2'})
    unchanged_after = ChangeItem(index='test_index',
                                 account='test_account',
                                 name='item1_name',
                                 new_config={'config': 'test1'})
    changed_after = ChangeItem(index='test_index',
                               account='test_account',
                               name='item2_name',
                               new_config={'config': 'test3'})

    self._setup_account()
    watcher = Watcher(accounts=['test_account'])
    watcher.find_modified([unchanged_before, changed_before],
                          [unchanged_after, changed_after])

    assert len(watcher.changed_items) == 1
def test_audit_specific_changes(self):
    """Batched audit path: three new IAM roles should produce three ItemAudit rows.

    Builds a Monitor for IAMRole with the IAMRoleAuditor attached, feeds three
    slurped role items through find_changes_batch(), runs
    _audit_specific_changes() on the result and counts the persisted issues.
    """
    from security_monkey.scheduler import _audit_specific_changes
    from security_monkey.monitors import Monitor
    from security_monkey.watchers.iam.iam_role import IAMRole, IAMRoleItem
    from security_monkey.auditors.iam.iam_role import IAMRoleAuditor

    # Monitor bound to a single test account, with only the IAM role auditor.
    test_account = Account.query.filter(Account.name == "TEST_ACCOUNT1").one()
    batched_monitor = Monitor(IAMRole, test_account)
    batched_monitor.auditors = [IAMRoleAuditor(accounts=[test_account.name])]

    technology = Technology(name="iamrole")
    db.session.add(technology)
    db.session.commit()

    watcher = Watcher(accounts=[test_account.name])
    watcher.current_account = (test_account, 0)
    watcher.technology = technology

    def build_role(n):
        # Shallow copy so the shared ROLE_CONF template's top-level keys stay untouched.
        role_policy = dict(ROLE_CONF)
        role_name = "roleNumber{}".format(n)
        role_policy["Arn"] = "arn:aws:iam::012345678910:role/" + role_name
        role_policy["RoleName"] = role_name
        return IAMRoleItem.from_slurp(role_policy, account_name=test_account.name)

    items = [build_role(n) for n in range(3)]
    audit_items = watcher.find_changes_batch(items, {})
    assert len(audit_items) == 3

    _audit_specific_changes(batched_monitor, audit_items, False)

    # One ItemAudit per role; assumes ItemAudit is empty before this test — confirm in setup.
    assert len(ItemAudit.query.all()) == 3
def test_audit_specific_changes(self):
    """Three slurped IAM roles audited in one batch yield three ItemAudit rows.

    Wires a Monitor(IAMRole) with IAMRoleAuditor, pushes the roles through
    find_changes_batch(), audits them via _audit_specific_changes() and
    checks the ItemAudit table afterwards.
    """
    from security_monkey.scheduler import _audit_specific_changes
    from security_monkey.monitors import Monitor
    from security_monkey.watchers.iam.iam_role import IAMRole, IAMRoleItem
    from security_monkey.auditors.iam.iam_role import IAMRoleAuditor

    test_account = Account.query.filter(Account.name == "TEST_ACCOUNT1").one()
    batched_monitor = Monitor(IAMRole, test_account)
    batched_monitor.auditors = [IAMRoleAuditor(accounts=[test_account.name])]

    technology = Technology(name="iamrole")
    db.session.add(technology)
    db.session.commit()

    watcher = Watcher(accounts=[test_account.name])
    watcher.current_account = (test_account, 0)
    watcher.technology = technology

    items = []
    for n in range(3):
        role_name = "roleNumber{}".format(n)
        # Shallow copy of the template; only top-level keys are overwritten.
        role_policy = dict(ROLE_CONF,
                           Arn="arn:aws:iam::012345678910:role/" + role_name,
                           RoleName=role_name)
        items.append(IAMRoleItem.from_slurp(role_policy,
                                            account_name=test_account.name))

    audit_items = watcher.find_changes_batch(items, {})
    assert len(audit_items) == 3

    _audit_specific_changes(batched_monitor, audit_items, False)

    # One ItemAudit per role; assumes ItemAudit is empty before this test — confirm in setup.
    assert len(ItemAudit.query.all()) == 3
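def test_save_ephemeral_changed_item(self):
    """Saving a change confined to an ephemeral path must not add a revision.

    The item is first persisted with config 'test1'. A second item with the
    same identity but config 'test2' is then run through a watcher whose
    ephemeral_paths covers 'config'; after save() the item count and the
    revision count must both still be 1.

    Fix: uses assertEqual — the assertEquals alias is deprecated and removed
    in Python 3.12.
    """
    self._setup_account()
    datastore = Datastore()

    old_item = ChangeItem(index='test_index',
                          account='test_account',
                          name='item_name',
                          active=True,
                          new_config={'config': 'test1'})
    old_item.save(datastore)

    def stored_items():
        # Items for this test's technology/account pair.
        return Item.query.filter(Technology.name == 'test_index').filter(
            Account.name == 'test_account').all()

    items = stored_items()
    self.assertEqual(len(items), 1)
    self.assertEqual(len(items[0].revisions.all()), 1)

    new_item = ChangeItem(index='test_index',
                          account='test_account',
                          name='item_name',
                          active=True,
                          new_config={'config': 'test2'})

    watcher = Watcher(accounts=['test_account'])
    watcher.index = 'test_index'
    # 'config' is the only field that differs, and it is declared ephemeral.
    watcher.honor_ephemerals = True
    watcher.ephemeral_paths = ["config"]
    watcher.find_changes(current=[new_item])
    watcher.save()

    items = stored_items()
    self.assertEqual(len(items), 1)
    # No new revision: the ephemeral-only difference must not be recorded as a change.
    self.assertEqual(len(items[0].revisions.all()), 1)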
def test_save_ephemeral_changed_item(self):
    """An ephemeral-only difference saved through the watcher adds no revision.

    Persist an item with config 'test1', then feed the same item with config
    'test2' through a watcher treating 'config' as ephemeral. Both before and
    after save() there must be exactly one item with exactly one revision.
    """
    self._setup_account()
    datastore = Datastore()

    def make_item(value):
        return ChangeItem(index='test_index',
                          account='test_account',
                          name='item_name',
                          active=True,
                          new_config={'config': value})

    def assert_single_item_single_revision():
        query = Item.query.filter(Technology.name == 'test_index').filter(
            Account.name == 'test_account')
        items = query.all()
        self.assertEqual(len(items), 1)
        revisions = items[0].revisions.all()
        self.assertEqual(len(revisions), 1)

    make_item('test1').save(datastore)
    assert_single_item_single_revision()

    watcher = Watcher(accounts=['test_account'])
    watcher.index = 'test_index'
    # 'config' is the only differing field and is declared ephemeral.
    watcher.honor_ephemerals = True
    watcher.ephemeral_paths = ["config"]
    watcher.find_changes(current=[make_item('test2')])
    watcher.save()

    assert_single_item_single_revision()
def test_ephemeral_change(self):
    """Changes limited to an ephemeral path are not counted by find_modified().

    item1 is identical on both sides; item2 differs only in 'test_ephemeral',
    which is listed in watcher.ephemeral_paths, so no changed items are expected.
    """
    def snapshot(ephemeral_value):
        return [
            ChangeItem(index='test_index',
                       account='test_account',
                       name='item1_name',
                       new_config={'normal': True}),
            ChangeItem(index='test_index',
                       account='test_account',
                       name='item2_name',
                       new_config={'normal': False,
                                   'test_ephemeral': ephemeral_value}),
        ]

    previous = snapshot('previous ephemeral')
    current = snapshot('current ephemeral')

    self._setup_account()
    watcher = Watcher(accounts=['test_account'])
    watcher.honor_ephemerals = True
    watcher.ephemeral_paths = ['test_ephemeral']
    watcher.find_modified(previous, current)

    assert len(watcher.changed_items) == 0