def test_3_sns_slurp(self, test_patch):
class MockSNS(object):
def get_all_topics(self):
return {'ListTopicsResponse':
{'ListTopicsResult':
{'Topics':
[
{'TopicArn': 'arn:aws:sns:us-west-2:000000000000:NameZero'
}
]
}
}
}
def get_topic_attributes(self, arn):
return {'GetTopicAttributesResponse':
{'GetTopicAttributesResult':
{'Attributes':
{'Policy': '{"json": "value"}'
}
}
}
}
from security_monkey.watchers.sns import SNS
test_patch.return_value = MockSNS()
cw = SNS(debug=True)
(items, el) = cw.slurp()
for item in items:
name = item.config['Name']['Name']
self.assertEqual(name, 'NameZero')
policy = item.config['policy']
self.assertDictEqual(policy, {"json": "value"})
def test_3_sns_slurp(self, test_patch):
class MockSNS(object):
def get_all_topics(self):
return {'ListTopicsResponse':
{'ListTopicsResult':
{'Topics':
[
{'TopicArn': 'arn:aws:sns:us-west-2:000000000000:NameZero'
}
]
}
}
}
def get_topic_attributes(self, arn):
return {'GetTopicAttributesResponse':
{'GetTopicAttributesResult':
{'Attributes':
{'Policy': '{"json": "value"}'
}
}
}
}
from security_monkey.watchers.sns import SNS
test_patch.return_value = MockSNS()
cw = SNS(debug=True)
(items, el) = cw.slurp()
for item in items:
name = item.config['Name']['Name']
self.assertEqual(name, 'NameZero')
policy = item.config['SNSPolicy']
self.assertDictEqual(policy, {"json": "value"})
def test_0_sns_slurp(self, test_patch):
"""Should add an exception to the exception map when
slurping accounts that don't exist."""
from security_monkey.watchers.sns import SNS
import boto.sns
test_patch.return_value = None
accounts = ['doesntexist1', 'doesntexist2']
cw = SNS(accounts=accounts, debug=True)
#with self.assertRaises(BotoConnectionIssue):
(items, el) = cw.slurp()
for account in accounts:
for region in boto.sns.regions():
if region.name not in TROUBLE_REGIONS:
self.assertIn(('sns', account, region.name), el)
def test_0_sns_slurp(self, test_patch):
"""Should add an exception to the exception map when
slurping accounts that don't exist."""
from security_monkey.watchers.sns import SNS
import boto.sns
test_patch.return_value = None
accounts = ['doesntexist1', 'doesntexist2']
cw = SNS(accounts=accounts, debug=True)
#with self.assertRaises(BotoConnectionIssue):
(items, el) = cw.slurp()
for account in accounts:
for region in boto.sns.regions():
if region.name not in TROUBLE_REGIONS:
self.assertIn(('sns', account, region.name), el)
def __init__(self, accounts=None, alert_accounts=None, debug=False):
self.account_watchers = {}
self.account_alerters = {}
if not alert_accounts:
alert_accounts = accounts
for account in accounts:
self.account_watchers[account] = [
(SQS(accounts=[account], debug=debug), None),
(ELB(accounts=[account], debug=debug), None),
(IAMSSL(accounts=[account], debug=debug), None),
(RDSSecurityGroup(accounts=[account], debug=debug),
RDSSecurityGroupAuditor(accounts=[account], debug=debug)),
(SecurityGroup(accounts=[account], debug=debug),
SecurityGroupAuditor(accounts=[account], debug=debug)),
(S3(accounts=[account],
debug=debug), S3Auditor(accounts=[account], debug=debug)),
(IAMUser(accounts=[account], debug=debug),
IAMUserAuditor(accounts=[account], debug=debug)),
(IAMGroup(accounts=[account], debug=debug), None),
(IAMRole(accounts=[account], debug=debug), None),
(Keypair(accounts=[account], debug=debug), None),
(SNS(accounts=[account],
debug=debug), SNSAuditor(accounts=[account], debug=debug))
]
if account in alert_accounts:
self.account_alerters[account] = Alerter(
watchers_auditors=self.account_watchers[account],
account=account)
def test_1_sns_slurp(self, test_patch):
"""Should add an exception to the exception map when provided with invalid JSON."""
class MockSNS(object):
def get_all_topics(self, next_token=None):
return {
'ListTopicsResponse': {
'ListTopicsResult': {
'NextToken':
False,
'Topics': [{
'TopicArn':
'arn:aws:sns:us-west-2:000000000000:NameZero'
}, {
'TopicArn':
'arn:aws:sns:us-east-1:111111111111:NameOne'
}]
}
}
}
def get_topic_attributes(self, arn):
return {
'GetTopicAttributesResponse': {
'GetTopicAttributesResult': {
'Attributes': {
'Policy': '{"json": "that": "won\'t": "parse"}'
}
}
}
}
from security_monkey.watchers.sns import SNS
import boto.sns
test_patch.return_value = MockSNS()
accounts = ['testaccount']
cw = SNS(accounts=accounts, debug=True)
(items, el) = cw.slurp()
for account in accounts:
for region in boto.sns.regions():
if region.name not in TROUBLE_REGIONS:
self.assertIn(
('sns', account, region.name,
'arn:aws:sns:us-west-2:000000000000:NameZero'), el)
self.assertIn(
('sns', account, region.name,
'arn:aws:sns:us-east-1:111111111111:NameOne'), el)
def test_2_sns_slurp(self, test_patch):
class MockSNS(object):
def get_all_topics(self, next_token=None):
return {
'ListTopicsResponse': {
'ListTopicsResult': {
'NextToken':
False,
'Topics': [
{
'TopicArn':
'arn:aws:sns:us-west-2:000000000000:NameZero'
}, # Invalid ARN is missing region:
{
'TopicArn':
'arn:aws:sns::111111111111:NameOne'
}
]
}
}
}
def get_topic_attributes(self, arn):
return {
'GetTopicAttributesResponse': {
'GetTopicAttributesResult': {
'Attributes': {
'Policy': '{"json": "is_fun"}'
}
}
}
}
from security_monkey.watchers.sns import SNS
import boto.sns
test_patch.return_value = MockSNS()
accounts = ['testaccount']
cw = SNS(accounts=accounts, debug=True)
(items, el) = cw.slurp()
for account in accounts:
for region in boto.sns.regions():
if region.name not in TROUBLE_REGIONS:
self.assertIn(('sns', account, region.name,
'arn:aws:sns::111111111111:NameOne'), el)
def test_1_sns_slurp(self, test_patch):
"""Should add an exception to the exception map when provided with invalid JSON."""
class MockSNS(object):
def get_all_topics(self, next_token=None):
return {'ListTopicsResponse':
{'ListTopicsResult':
{'NextToken': False,
'Topics':
[
{'TopicArn': 'arn:aws:sns:us-west-2:000000000000:NameZero'
},
{'TopicArn': 'arn:aws:sns:us-east-1:111111111111:NameOne'
}
]
}
}
}
def get_topic_attributes(self, arn):
return {'GetTopicAttributesResponse':
{'GetTopicAttributesResult':
{'Attributes':
{'Policy': '{"json": "that": "won\'t": "parse"}'
}
}
}
}
from security_monkey.watchers.sns import SNS
import boto.sns
test_patch.return_value = MockSNS()
accounts = ['testaccount']
cw = SNS(accounts=accounts, debug=True)
(items, el) = cw.slurp()
for account in accounts:
for region in boto.sns.regions():
if region.name not in TROUBLE_REGIONS:
self.assertIn(('sns', account, region.name, 'arn:aws:sns:us-west-2:000000000000:NameZero'), el)
self.assertIn(('sns', account, region.name, 'arn:aws:sns:us-east-1:111111111111:NameOne'), el)
def test_2_sns_slurp(self, test_patch):
class MockSNS(object):
def get_all_topics(self, next_token=None):
return {'ListTopicsResponse':
{'ListTopicsResult':
{'NextToken': False,
'Topics':
[
{'TopicArn': 'arn:aws:sns:us-west-2:000000000000:NameZero'
}, # Invalid ARN is missing region:
{'TopicArn': 'arn:aws:sns::111111111111:NameOne'
}
]
}
}
}
def get_topic_attributes(self, arn):
return {'GetTopicAttributesResponse':
{'GetTopicAttributesResult':
{'Attributes':
{'Policy': '{"json": "is_fun"}'
}
}
}
}
from security_monkey.watchers.sns import SNS
import boto.sns
test_patch.return_value = MockSNS()
accounts = ['testaccount']
cw = SNS(accounts=accounts, debug=True)
(items, el) = cw.slurp()
for account in accounts:
for region in boto.sns.regions():
if region.name not in TROUBLE_REGIONS:
self.assertIn(('sns', account, region.name, 'arn:aws:sns::111111111111:NameOne'), el)
def find_sns_changes(accounts):
""" Runs watchers/sns """
accounts = __prep_accounts__(accounts)
cw = SNS(accounts=accounts, debug=True)
(items, exception_map) = cw.slurp()
cw.find_changes(current=items, exception_map=exception_map)
# Audit these changed items
items_to_audit = []
for item in cw.created_items + cw.changed_items:
snsitem = SNSItem(region=item.region, account=item.account, name=item.name, config=item.new_config)
items_to_audit.append(snsitem)
au = SNSAuditor(accounts=accounts, debug=True)
au.audit_these_objects(items_to_audit)
au.save_issues()
cw.save()
db.session.close()
def find_sns_changes(accounts):
""" Runs watchers/sns """
accounts = __prep_accounts__(accounts)
cw = SNS(accounts=accounts, debug=True)
(items, exception_map) = cw.slurp()
cw.find_changes(current=items, exception_map=exception_map)
# Audit these changed items
items_to_audit = []
for item in cw.created_items + cw.changed_items:
snsitem = SNSItem(region=item.region, account=item.account, name=item.name, config=item.new_config)
items_to_audit.append(snsitem)
au = SNSAuditor(debug=True)
au.audit_these_objects(items_to_audit)
au.save_issues()
cw.save()
db.session.close()
