def test_schema_context_validation_type_field(): """Test schema context validation for type field""" from swag_client.backend import SWAGManager from swag_client.util import parse_swag_config_options swag_opts = { 'swag.schema_context': { 'type': ['billing', 'security', 'shared-service', 'service'], } } swag = SWAGManager(**parse_swag_config_options(swag_opts)) data = { "aliases": ["test"], "contacts": ["*****@*****.**"], "description": "This is just a test.", "email": "*****@*****.**", "environment": "dev", "id": "012345678910", "name": "testaccount", "owner": "netflix", "provider": "aws", } # Test with invalid account type with pytest.raises(ValidationError): data['type'] = 'bad_type' swag.create(data) # Test with a valid account type data['type'] = 'billing' account = swag.create(data) assert account.get('type') == 'billing'
def test_s3_backend_get(s3_bucket_name): from swag_client.backend import SWAGManager from swag_client.util import parse_swag_config_options swag_opts = { 'swag.type': 's3', 'swag.bucket_name': s3_bucket_name, 'swag.cache_expires': 0 } swag = SWAGManager(**parse_swag_config_options(swag_opts)) account = { 'aliases': ['test'], 'contacts': ['*****@*****.**'], 'description': 'LOL, Test account', 'email': '*****@*****.**', 'environment': 'test', 'id': '012345678910', 'name': 'testaccount', 'owner': 'netflix', 'provider': 'aws', 'sensitive': False } swag.create(account) assert swag.get("[?id=='012345678910']")
def test_dynamodb_backend_create(dynamodb_table): from swag_client.backend import SWAGManager from swag_client.util import parse_swag_config_options swag_opts = { 'swag.type': 'dynamodb', 'swag.namespace': 'accounts', 'swag.cache_expires': 0 } swag = SWAGManager(**parse_swag_config_options(swag_opts)) account = { 'aliases': ['test'], 'contacts': ['*****@*****.**'], 'description': 'LOL, Test account', 'email': '*****@*****.**', 'environment': 'test', 'id': '012345678910', 'name': 'testaccount', 'owner': 'netflix', 'provider': 'aws', 'sensitive': False } assert not swag.get_all() item = swag.create(account) assert swag.get("[?id=='{id}']".format(id=item['id']))
def get_historical_accounts(): """Fetches valid accounts from SWAG if enabled or a list accounts.""" if os.environ.get('SWAG_BUCKET', False): swag_opts = { 'swag.type': 's3', 'swag.bucket_name': os.environ['SWAG_BUCKET'], 'swag.data_file': os.environ.get('SWAG_DATA_FILE', 'accounts.json'), 'swag.region': os.environ.get('SWAG_REGION', 'us-east-1') } swag = SWAGManager(**parse_swag_config_options(swag_opts)) search_filter = f"[?provider=='aws' && owner=='{os.environ['SWAG_OWNER']}' && account_status!='deleted'" if parse_boolean(os.environ.get('TEST_ACCOUNTS_ONLY')): search_filter += " && environment=='test'" search_filter += ']' accounts = swag.get_service_enabled('historical', search_filter=search_filter) else: accounts = [{ 'id': account_id } for account_id in os.environ['ENABLED_ACCOUNTS'].split(',')] return accounts
def test_schema_context_validation_owner_field(): """Test schema context validation for owner field""" from swag_client.backend import SWAGManager from swag_client.util import parse_swag_config_options swag_opts = { 'swag.schema_context': { 'owner': ['netflix', 'dvd', 'aws', 'third-party'] } } swag = SWAGManager(**parse_swag_config_options(swag_opts)) data = { "aliases": ["test"], "contacts": ["*****@*****.**"], "description": "This is just a test.", "email": "*****@*****.**", "id": "012345678910", "name": "testaccount", "environment": "test", "provider": "aws", } # Test with invalid owner with pytest.raises(ValidationError): data['owner'] = 'bad_owner' swag.create(data) # Test with a valid owner data['owner'] = 'netflix' account = swag.create(data) assert account.get('owner') == 'netflix'
def sync_swag(owner, bucket_name, bucket_prefix, bucket_region, account_type, spinnaker): """Use the SWAG client to sync SWAG accounts to Security Monkey.""" from security_monkey.account_manager import account_registry swag_opts = { 'swag.type': 's3', 'swag.bucket_name': bucket_name, 'swag.data_file': bucket_prefix, 'swag.region': bucket_region } swag = SWAGManager(**parse_swag_config_options(swag_opts)) account_manager = account_registry[account_type]() for account in swag.get_all("[?provider=='{provider}']".format(provider=account_type.lower())): services = account.get('services', []) services_by_name = {s['name']: s for s in services} secmonkey_service = services_by_name.get('security_monkey', {}) all_region_status = {} for status in secmonkey_service.get('status', []): if status['region'] == 'all': all_region_status = status break active = all_region_status.get('enabled', False) thirdparty = account['owner'] != owner if spinnaker: spinnaker_name = swag.get_service_name('spinnaker', "[?id=='{id}']".format(id=account['id'])) if not spinnaker_name: name = account['name'] else: name = spinnaker_name else: name = account['name'] notes = account['description'] identifier = account['id'] custom_fields = {} s3_name = swag.get_service_name('s3', "[?id=='{id}']".format(id=account['id'])) if s3_name: custom_fields['s3_name'] = s3_name s3_service = services_by_name.get('s3', {}) if s3_service: c_id = s3_service['metadata'].get('canonicalId', None) if c_id: custom_fields['canonical_id'] = c_id role_name = secmonkey_service.get('metadata', {}).get('role_name', None) if role_name is not None: custom_fields['role_name'] = role_name account_manager.sync(account_manager.account_type, name, active, thirdparty, notes, identifier, custom_fields=custom_fields) db.session.close() app.logger.info('SWAG sync successful.')
def swag_accounts(s3, retry): """Create mocked SWAG Accounts.""" from swag_client.backend import SWAGManager from swag_client.util import parse_swag_config_options bucket_name = 'SWAG' data_file = 'accounts.json' region = 'us-east-1' owner = 'third-party' s3.create_bucket(Bucket=bucket_name) os.environ['SWAG_BUCKET'] = bucket_name os.environ['SWAG_DATA_FILE'] = data_file os.environ['SWAG_REGION'] = region os.environ['SWAG_OWNER'] = owner swag_opts = { 'swag.type': 's3', 'swag.bucket_name': bucket_name, 'swag.data_file': data_file, 'swag.region': region, 'swag.cache_expires': 0 } swag = SWAGManager(**parse_swag_config_options(swag_opts)) account = { 'aliases': ['test'], 'contacts': ['*****@*****.**'], 'description': 'LOL, Test account', 'email': '*****@*****.**', 'environment': 'test', 'id': '012345678910', 'name': 'testaccount', 'owner': 'third-party', 'provider': 'aws', 'sensitive': False, 'account_status': 'ready', 'services': [{ 'name': 'historical', 'status': [{ 'region': 'all', 'enabled': True }] }] } swag.create(account)
def _prep_accounts(account_names): """ Convert CLI provided account names into list of accounts from SWAG. Considers account aliases as well as account names. Returns a list of account numbers """ matching_accounts = list() account_names = account_names.split(',') account_names = {name.lower().strip() for name in account_names} # create a new copy of the account_names list so we can remove accounts as needed for account in list(account_names): if re.match('\d{12}', account): account_names.remove(account) matching_accounts.append(account) if not account_names: return matching_accounts try: current_app.logger.info('getting bucket {}'.format( current_app.config.get('SWAG_BUCKET'))) swag = SWAGManager(**parse_swag_config_options(current_app.config.get('SWAG_OPTS'))) all_accounts = swag.get_all(current_app.config.get('SWAG_FILTER')) service_enabled_requirement = current_app.config.get('SWAG_SERVICE_ENABLED_REQUIREMENT', None) if service_enabled_requirement: all_accounts = swag.get_service_enabled(service_enabled_requirement, accounts_list=all_accounts) except (KeyError, InvalidSWAGDataException, Exception) as e: current_app.logger.error('Account names passed but SWAG not configured or unavailable: {}'.format(e)) if 'all' in account_names: return [account['id'] for account in all_accounts] lookup = {account['name']: Bunch(account) for account in all_accounts} for account in all_accounts: # get the right key, depending on whether we're using swag v1 or v2 alias_key = 'aliases' if account['schemaVersion'] == '2' else 'alias' for alias in account[alias_key]: lookup[alias] = Bunch(account) for name in account_names: if name not in lookup: current_app.logger.warn('Could not find an account named %s' % name) continue account_number = lookup[name].get('id', None) if account_number: matching_accounts.append(account_number) return matching_accounts
def test_file_backend_get_all(vector_path): from swag_client.backend import SWAGManager from swag_client.util import parse_swag_config_options swag_opts = { 'swag.data_dir': vector_path, 'swag.namespace': 'valid_accounts_v2', 'swag.cache_expires': 0 } swag = SWAGManager(**parse_swag_config_options(swag_opts)) assert len(swag.get_all()) == 2
def test_get_by_name(s3_bucket_name): from swag_client.swag import get_by_name from swag_client.backend import SWAGManager from swag_client.util import parse_swag_config_options swag_opts = { 'swag.type': 's3', 'swag.bucket_name': s3_bucket_name, 'swag.schema_version': 1, 'swag.cache_expires': 0 } swagv1 = SWAGManager(**parse_swag_config_options(swag_opts)) account = { "bastion": "testaccount.net", "metadata": { "s3_name": "testaccounts3", "cloudtrail_index": "cloudtrail_testaccount[yyyymm]", "cloudtrail_kibana_url": "http://testaccount.cloudtrail.dashboard.net", "email": "*****@*****.**", "account_number": "012345678910" }, "schema_version": 1, "owners": ["*****@*****.**"], "email": "*****@*****.**", "ours": True, "description": "LOL, Test account", "cmc_required": False, "tags": ["testing"], "id": "aws-012345678910", "name": "testaccount", "type": "aws", "alias": [ "test", ] } swagv1.create(account) # Test getting account named: 'testaccount' account = get_by_name('testaccount', s3_bucket_name) assert account['name'] == 'testaccount' # Test by getting account that does not exist: assert not get_by_name('does not exist', s3_bucket_name) # With alias account = get_by_name('test', s3_bucket_name, alias=True) assert account['metadata']['account_number'] == '012345678910'
def test_backend_get_service_name(vector_path): from swag_client.backend import SWAGManager from swag_client.util import parse_swag_config_options swag_opts = { 'swag.data_dir': vector_path, 'swag.namespace': 'valid_accounts_v2', 'swag.cache_expires': 0 } swag = SWAGManager(**parse_swag_config_options(swag_opts)) assert swag.get_service_name('myService', "[?name=='testaccount']") == 'testaccount'
def test_get_all_accounts(s3_bucket_name): from swag_client.swag import get_all_accounts from swag_client.backend import SWAGManager from swag_client.util import parse_swag_config_options swag_opts = { 'swag.type': 's3', 'swag.bucket_name': s3_bucket_name, 'swag.schema_version': 1, 'swag.cache_expires': 0 } swagv1 = SWAGManager(**parse_swag_config_options(swag_opts)) account = { "bastion": "test2.net", "metadata": { "s3_name": "testaccounts3", "cloudtrail_index": "cloudtrail_testaccount[yyyymm]", "cloudtrail_kibana_url": "http://testaccount.cloudtrail.dashboard.net", "email": "*****@*****.**", "account_number": "012345678910" }, "schema_version": 1, "owners": ["*****@*****.**"], "ours": True, "description": "LOL, Test account", "cmc_required": False, "email": "*****@*****.**", "tags": ["testing"], "id": "aws-012345678910", "name": "testaccount", "type": "aws", "alias": [ "test", ] } swagv1.create(account) data = get_all_accounts(s3_bucket_name) assert len(data['accounts']) == 1 data = get_all_accounts(s3_bucket_name, **{'owners': ['*****@*****.**']}) assert len(data['accounts']) == 1 data = get_all_accounts(s3_bucket_name, bastion="test2.net") assert len(data['accounts']) == 1
def test_file_backend_get_service_enabled_v1(vector_path): from swag_client.backend import SWAGManager from swag_client.util import parse_swag_config_options swag_opts = { 'swag.data_dir': vector_path, 'swag.namespace': 'valid_accounts_v1', 'swag.cache_expires': 0, 'swag.schema_version': 1 } swag = SWAGManager(**parse_swag_config_options(swag_opts)) enabled = swag.get_service_enabled('myService') assert len(enabled) == 1 enabled = swag.get_service_enabled('myService', region='us-east-1') assert len(enabled) == 1 enabled = swag.get_service_enabled('myService1') assert len(enabled) == 1 enabled = swag.get_service_enabled('myService1', region='us-east-1') assert len(enabled) == 1 enabled = swag.get_service_enabled('myService2', region='us-east-1') assert len(enabled) == 0 enabled = swag.get_service_enabled('myService2') assert len(enabled) == 0
def get_all_accounts(bucket, region='us-west-2', json_path='accounts.json', **filters): """Fetches all the accounts from SWAG.""" swag_opts = { 'swag.type': 's3', 'swag.bucket_name': bucket, 'swag.region': region, 'swag.data_file': json_path, 'swag.schema_version': 1 } swag = SWAGManager(**parse_swag_config_options(swag_opts)) accounts = swag.get_all() accounts = [account for account in accounts['accounts'] if is_sub_dict(filters, account)] return {'accounts': accounts}
def test_file_backend_update(temp_file_name): from swag_client.backend import SWAGManager from swag_client.util import parse_swag_config_options swag_opts = { 'swag.data_file': str(temp_file_name), 'swag.cache_expires': 0 } swag = SWAGManager(**parse_swag_config_options(swag_opts)) account = { 'aliases': ['test'], 'contacts': ['*****@*****.**'], 'description': 'LOL, Test account', 'email': '*****@*****.**', 'environment': 'test', 'id': '012345678910', 'name': 'testaccount', 'owner': 'netflix', 'provider': 'aws', 'sensitive': False } swag.create(account) account['aliases'] = ['test', 'prod'] swag.update(account) account = swag.get("[?id=='{id}']".format(id=account['id'])) assert account['aliases'] == ['test', 'prod']
def test_region_validation_field(s3_bucket_name): """Test schema context validation for owner field""" from swag_client.backend import SWAGManager from swag_client.util import parse_swag_config_options swag_opts = { 'swag.type': 's3', 'swag.bucket_name': s3_bucket_name, 'swag.schema_version': 2, 'swag.cache_expires': 0 } swag = SWAGManager(**parse_swag_config_options(swag_opts)) data = { "aliases": ["test"], "contacts": ["*****@*****.**"], "description": "This is just a test.", "email": "*****@*****.**", "id": "012345678910", "name": "testaccount", "environment": "test", "provider": "aws", "status": [{ "region": "us-west-2", "status": "created", "notes": [] }], "account_status": "created", "regions": { "us-east-1": { "status": "created", "az_mapping": [] } } } # Test with invalid account_status with pytest.raises(ValidationError): swag.create(data) # Test with a valid account_status data['regions']['us-east-1']['az_mapping'] = {} account = swag.create(data) assert account.get('account_status') == 'created'
def propagate(ctx): """Transfers SWAG data from one backend to another""" data = [] if ctx.type == 'file': if ctx.data_file: file_path = ctx.data_file else: file_path = os.path.join(ctx.data_dir, ctx.namespace + '.json') with open(file_path, 'r') as f: data = json.loads(f.read()) swag_opts = {'swag.type': 'dynamodb'} swag = SWAGManager(**parse_swag_config_options(swag_opts)) for item in data: time.sleep(2) swag.create(item, dry_run=ctx.dry_run)
def get_historical_accounts(): """Fetches valid accounts from SWAG if enabled or a list accounts.""" if os.environ.get('SWAG_BUCKET', False): swag_opts = { 'swag.type': 's3', 'swag.bucket_name': os.environ['SWAG_BUCKET'], 'swag.data_file': os.environ.get('SWAG_DATA_FILE', 'accounts.json'), 'swag.region': os.environ.get('SWAG_REGION', 'us-east-1') } swag = SWAGManager(**parse_swag_config_options(swag_opts)) accounts = swag.get_service_enabled( 'historical', search_filter="[?provider=='aws'] && [?owner=='{}']".format( os.environ['SWAG_OWNER'])) else: accounts = os.environ['ENABLED_ACCOUNTS'] return accounts
def dynamodb_table(aws_credentials): from swag_client.backend import SWAGManager from swag_client.util import parse_swag_config_options with mock_dynamodb2(): resource = boto3.resource('dynamodb', region_name='us-east-1') table = resource.create_table(TableName='accounts', KeySchema=[{ 'AttributeName': 'id', 'KeyType': 'HASH' }], AttributeDefinitions=[{ 'AttributeName': 'id', 'AttributeType': 'S' }], ProvisionedThroughput={ 'ReadCapacityUnits': 1, 'WriteCapacityUnits': 1 }) table.meta.client.get_waiter('table_exists').wait(TableName='accounts') swag_opts = { 'swag.type': 'dynamodb', 'swag.namespace': 'accounts', 'swag.cache_expires': 0 } swag = SWAGManager(**parse_swag_config_options(swag_opts)) cwd = os.path.dirname(os.path.realpath(__file__)) account_file = os.path.join(cwd, 'vectors/accounts.json') with open(account_file, 'r') as f: accounts = json.loads(f.read()) for account in accounts: swag.create(account) yield
def test_s3_backend_delete_v1(s3_bucket_name): from swag_client.backend import SWAGManager from swag_client.util import parse_swag_config_options swag_opts = { 'swag.type': 's3', 'swag.bucket_name': s3_bucket_name, 'swag.schema_version': 1, 'swag.cache_expires': 0 } swagv1 = SWAGManager(**parse_swag_config_options(swag_opts)) account = { "bastion": "testaccount.net", "metadata": { "s3_name": "testaccounts3", "cloudtrail_index": "cloudtrail_testaccount[yyyymm]", "cloudtrail_kibana_url": "http://testaccount.cloudtrail.dashboard.net", "email": "*****@*****.**", "account_number": "012345678910" }, "schema_version": 1, "owners": ["*****@*****.**"], "ours": True, "email": "*****@*****.**", "description": "LOL, Test account", "cmc_required": False, "tags": ["testing"], "id": "aws-012345678910", "name": "testaccount", "type": "aws", "alias": [ "test", ], "services": { "rolliepollie": { "enabled": True }, "awwwdit": { "enabled": True } } } swagv1.create(account) assert len(swagv1.get_all()['accounts']) == 1 swagv1.delete(account) assert len(swagv1.get_all()['accounts']) == 0
def swag_accounts(s3): from swag_client.backend import SWAGManager from swag_client.util import parse_swag_config_options bucket_name = "SWAG" data_file = "accounts.json" region = "us-east-1" owner = "third-party" s3.create_bucket(Bucket=bucket_name) os.environ["SWAG_BUCKET"] = bucket_name os.environ["SWAG_DATA_FILE"] = data_file os.environ["SWAG_REGION"] = region os.environ["SWAG_OWNER"] = owner swag_opts = { "swag.type": "s3", "swag.bucket_name": bucket_name, "swag.data_file": data_file, "swag.region": region, "swag.cache_expires": 0, } swag = SWAGManager(**parse_swag_config_options(swag_opts)) account = { "aliases": ["test"], "contacts": ["*****@*****.**"], "description": "LOL, Test account", "email": "*****@*****.**", "environment": "test", "id": "012345678910", "name": "testaccount", "owner": "third-party", "provider": "aws", "sensitive": False, "services": [], } swag.create(account)
def swag_accounts(s3): from swag_client.backend import SWAGManager from swag_client.util import parse_swag_config_options bucket_name = 'SWAG' data_file = 'accounts.json' region = 'us-east-1' owner = 'third-party' s3.create_bucket(Bucket=bucket_name) os.environ['SWAG_BUCKET'] = bucket_name os.environ['SWAG_DATA_FILE'] = data_file os.environ['SWAG_REGION'] = region os.environ['SWAG_OWNER'] = owner swag_opts = { 'swag.type': 's3', 'swag.bucket_name': bucket_name, 'swag.data_file': data_file, 'swag.region': region, 'swag.cache_expires': 0 } swag = SWAGManager(**parse_swag_config_options(swag_opts)) account = { 'aliases': ['test'], 'contacts': ['*****@*****.**'], 'description': 'LOL, Test account', 'email': '*****@*****.**', 'environment': 'test', 'id': '012345678910', 'name': 'testaccount', 'owner': 'third-party', 'provider': 'aws', 'sensitive': False, 'services': [] } swag.create(account)
def get_swag(): """ Get account data from SWAG (via S3) :return: """ swag_opts = { 'swag.type': 's3', 'swag.bucket_name': CONFIG.swag_bucket, 'swag.data_file': CONFIG.swag_data_file, 'swag.region': CONFIG.swag_region, 'swag.cache_expires': 0 } return SWAGManager(**parse_swag_config_options(swag_opts))
def create_swag_from_ctx(ctx): """Creates SWAG client from the current context.""" swag_opts = {} if ctx.type == 'file': swag_opts = { 'swag.type': 'file', 'swag.data_dir': ctx.data_dir, 'swag.data_file': ctx.data_file } elif ctx.type == 's3': swag_opts = { 'swag.type': 's3', 'swag.bucket_name': ctx.bucket_name, 'swag.data_file': ctx.data_file, 'swag.region': ctx.region } elif ctx.type == 'dynamodb': swag_opts = {'swag.type': 'dynamodb', 'swag.region': ctx.region} return SWAGManager(**parse_swag_config_options(swag_opts))
def test_backend_get_by_name(vector_path): from swag_client.backend import SWAGManager from swag_client.util import parse_swag_config_options swag_opts = { 'swag.data_dir': vector_path, 'swag.namespace': 'valid_accounts_v2', 'swag.cache_expires': 0 } swag = SWAGManager(**parse_swag_config_options(swag_opts)) assert swag.get_by_name('testaccount') assert not swag.get_by_name('test') assert swag.get_by_name('test', alias=True) assert swag.get_by_name('testaccount', alias=True)
def sync_swag(owner, bucket_name, bucket_prefix, bucket_region, account_type, spinnaker): """Use the SWAG client to sync SWAG accounts to Security Monkey.""" from security_monkey.account_manager import account_registry swag_opts = { 'swag.type': 's3', 'swag.bucket_name': bucket_name, 'swag.data_file': bucket_prefix, 'swag.region': bucket_region } swag = SWAGManager(**parse_swag_config_options(swag_opts)) account_manager = account_registry[account_type]() for account in swag.get_all( "[?provider=='{provider}']".format(provider=account_type.lower())): services = account.get('services', []) services_by_name = {s['name']: s for s in services} # Check if the account is active or not: # With the current SWAG schema, need to do the following: # 1. Check if the 'account_status' field is set to 'ready'. # 2. Loop through all the services for "security_monkey" and if the status is "active", then the account # is active. check_active = active = False if account['account_status'] == 'ready': check_active = True if check_active: secmonkey_service = services_by_name.get('security_monkey', {}) for status in secmonkey_service.get('status', []): if status['region'] == 'all': active = status.get('enabled', False) break thirdparty = account['owner'] != owner if spinnaker: spinnaker_name = swag.get_service_name( 'spinnaker', "[?id=='{id}']".format(id=account['id'])) if not spinnaker_name: name = account['name'] else: name = spinnaker_name else: name = account['name'] notes = account['description'] identifier = account['id'] custom_fields = {} s3_name = swag.get_service_name( 's3', "[?id=='{id}']".format(id=account['id'])) if s3_name: custom_fields['s3_name'] = s3_name s3_service = services_by_name.get('s3', {}) if s3_service: c_id = s3_service['metadata'].get('canonicalId', None) if c_id: custom_fields['canonical_id'] = c_id role_name = secmonkey_service.get('metadata', {}).get('role_name', None) if role_name is not None: custom_fields['role_name'] = role_name account_manager.sync(account_manager.account_type, name, active, thirdparty, notes, identifier, custom_fields=custom_fields) db.session.close() app.logger.info('SWAG sync successful.')
def test_get_only_test_accounts(swag_accounts): """Tests that the SWAG logic will only return 'test' accounts if specified.""" from historical.common.accounts import get_historical_accounts # Setup: bucket_name = 'SWAG' data_file = 'accounts.json' region = 'us-east-1' owner = 'third-party' os.environ['SWAG_BUCKET'] = bucket_name os.environ['SWAG_DATA_FILE'] = data_file os.environ['SWAG_REGION'] = region os.environ['SWAG_OWNER'] = owner swag_opts = { 'swag.type': 's3', 'swag.bucket_name': bucket_name, 'swag.data_file': data_file, 'swag.region': region, 'swag.cache_expires': 0 } swag = SWAGManager(**parse_swag_config_options(swag_opts)) # Production account: account = { 'aliases': ['prod'], 'contacts': ['*****@*****.**'], 'description': 'LOL, PROD account', 'email': '*****@*****.**', 'environment': 'prod', 'id': '999999999999', 'name': 'prodaccount', 'owner': 'third-party', 'provider': 'aws', 'sensitive': False, 'account_status': 'ready', 'services': [{ 'name': 'historical', 'status': [{ 'region': 'all', 'enabled': True }] }] } swag.create(account) # Get all the swag accounts: result = get_historical_accounts() assert len(result) == 2 assert result[1]['environment'] == 'prod' assert result[1]['id'] == '999999999999' # Only test accounts: os.environ['TEST_ACCOUNTS_ONLY'] = 'True' result = get_historical_accounts() assert len(result) == 1 assert result[0]['environment'] == 'test' assert result[0]['id'] != '999999999999' # Test the boolean logic: os.environ['TEST_ACCOUNTS_ONLY'] = '' result = get_historical_accounts() assert len(result) == 2 os.environ['TEST_ACCOUNTS_ONLY'] = 'false' result = get_historical_accounts() assert len(result) == 2 # Make sure that disabled/deleted accounts are not in the results: account['account_status'] = 'deleted' swag.update(account) result = get_historical_accounts() assert len(result) == 1
""" .. module: swag_api.extensions :copyright: (c) 2017 by Netflix Inc., see AUTHORS for more :license: Apache, see LICENSE for more details. """ from raven.contrib.flask import Sentry from swag_client.backend import SWAGManager sentry = Sentry() swag = SWAGManager()
def sync_swag(owner, bucket_name, bucket_prefix, bucket_region, account_type, spinnaker): """Use the SWAG client to sync SWAG accounts to Security Monkey.""" from security_monkey.account_manager import account_registry swag_opts = { 'swag.type': 's3', 'swag.bucket_name': bucket_name, 'swag.data_file': bucket_prefix, 'swag.region': bucket_region } swag = SWAGManager(**parse_swag_config_options(swag_opts)) account_manager = account_registry[account_type]() for account in swag.get_all("[?provider=='{provider}']".format(provider=account_type.lower())): services = account.get('services', []) services_by_name = {s['name']: s for s in services} # Check if the account is active or not: # With the current SWAG schema, need to do the following: # 1. Check if the 'account_status' field is set to 'ready'. # 2. Loop through all the services for "security_monkey" and if the status is "active", then the account # is active. check_active = active = False if account['account_status'] == 'ready': check_active = True if check_active: secmonkey_service = services_by_name.get('security_monkey', {}) for status in secmonkey_service.get('status', []): if status['region'] == 'all': active = status.get('enabled', False) break thirdparty = account['owner'] != owner if spinnaker: spinnaker_name = swag.get_service_name('spinnaker', "[?id=='{id}']".format(id=account['id'])) if not spinnaker_name: name = account['name'] else: name = spinnaker_name else: name = account['name'] notes = account['description'] identifier = account['id'] custom_fields = {} s3_name = swag.get_service_name('s3', "[?id=='{id}']".format(id=account['id'])) if s3_name: custom_fields['s3_name'] = s3_name s3_service = services_by_name.get('s3', {}) if s3_service: c_id = s3_service['metadata'].get('canonicalId', None) if c_id: custom_fields['canonical_id'] = c_id role_name = secmonkey_service.get('metadata', {}).get('role_name', None) if role_name is not None: custom_fields['role_name'] = role_name account_manager.sync(account_manager.account_type, name, active, thirdparty, notes, identifier, custom_fields=custom_fields) db.session.close() app.logger.info('SWAG sync successful.')