def prep_s3_testing(cinq_test_service, collect_only=False):
    """Configure the auditor settings and service mocks used by the S3 tests.

    Restricts the audit scope to ``aws_s3_bucket``, writes ``collect_only`` and
    the standard alert settings into the NS_AUDITOR_REQUIRED_TAGS namespace,
    then starts mocking the ``cloudwatch`` and ``s3`` services.

    Args:
        cinq_test_service: Test service fixture used to start the mocks.
        collect_only: Value stored under the ``collect_only`` setting.
    """
    set_audit_scope('aws_s3_bucket')

    namespace = NS_AUDITOR_REQUIRED_TAGS
    dbconfig.set(namespace, 'collect_only', collect_only)
    alert_settings = DBCJSON(STANDARD_ALERT_SETTINGS)
    dbconfig.set(namespace, 'alert_settings', alert_settings)

    # Mocks are started last, after all configuration has been written.
    cinq_test_service.start_mocking_services('cloudwatch', 's3')
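def _to_dbc_class(args):
    """Convert a config item description into its typed config value.

    Args:
        args: Mapping with a ``type`` key naming the config type (``choice``,
            ``string``, ``int``, ``float``, ``array``, ``json`` or ``bool``)
            and a ``value`` key holding the raw value.

    Returns:
        The matching ``DBC*`` wrapper built from ``args['value']``, or a plain
        ``bool`` for the ``bool`` type.

    Raises:
        ValueError: If ``args['type']`` is not one of the supported types.
    """
    kind = args['type']

    if kind == 'choice':
        # A choice may arrive JSON-encoded as text or already decoded.
        if isinstance(args['value'], str):
            return DBCChoice(json.loads(args['value']))
        return DBCChoice(args['value'])

    if kind == 'string':
        return DBCString(args['value'])

    if kind == 'int':
        return DBCInt(args['value'])

    if kind == 'float':
        return DBCFloat(args['value'])

    if kind == 'array':
        return DBCArray(args['value'])

    if kind == 'json':
        return DBCJSON(json.loads(args['value']))

    if kind == 'bool':
        if isinstance(args['value'], bool):
            return args['value']
        # Only the text "true" (any case) yields True; every other string,
        # including a typo or padded value, silently becomes False.
        return args['value'].lower() == 'true'

    # Report the offending type name itself; formatting type(...) of it would
    # only ever print the class of the name, hiding what was actually sent.
    raise ValueError('Invalid config type: {}'.format(kind))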
def test_audit(cinq_test_service):
    """Check that the auditor reports a mocked EC2 instance only once its launch date is old.

    A fresh instance must produce no notices on the first run; after its
    ``launch_date`` is rewritten to 2000-01-01 the test contact must receive a
    ``not_fixed`` notice for that instance.
    """
    # Prep: the contact that is expected to show up in the auditor's notices.
    expected_contact = NotificationContact(
        type='email',
        value=dbconfig.get('test_email', NS_CINQ_TEST),
    )
    cinq_test_service.start_mocking_services('ec2')

    contact_entry = {'type': 'email', 'value': dbconfig.get('test_email', NS_CINQ_TEST)}
    test_account = cinq_test_service.add_test_account(
        account_type='AWS',
        account_name=CINQ_TEST_ACCOUNT_NAME,
        contacts=[contact_entry],
        properties={'account_number': CINQ_TEST_ACCOUNT_NO},
    )

    # Limit the audit scope to EC2 instances.
    scope = dbconfig.get('audit_scope', NS_AUDITOR_REQUIRED_TAGS)
    scope['enabled'] = ['aws_ec2_instance']
    dbconfig.set(NS_AUDITOR_REQUIRED_TAGS, 'audit_scope', DBCJSON(scope))

    # Add one instance through the mocked EC2 client, then collect it.
    ec2 = aws_get_client('ec2')
    launched = ec2.run_instances(ImageId='i-10000', MinCount=1, MaxCount=1)
    instance_id = launched['Instances'][0]['InstanceId']
    run_aws_collector(test_account)

    auditor = MockRequiredTagsAuditor()

    # Test 1 --- a non-compliant instance still in its grace period is not reported.
    auditor.run()
    assert auditor._cinq_test_notices == {}

    # Test 2 --- once the launch date is moved far into the past, it is reported.
    backdated = cinq_test_service.modify_resource(
        instance_id, 'launch_date', '2000-01-01T00:00:00'
    )
    assert backdated is True

    auditor.run()
    reported = auditor._cinq_test_notices
    assert expected_contact in reported
    assert reported[expected_contact]['not_fixed'][0]['resource'].resource_id == instance_id
def test_basic_ops(cinq_test_service):
    """Exercise the auditor's basic EC2 handling.

    The test passes if:
      1. the auditor respects the grace period (no notices for an instance
         whose launch date is "now"), and
      2. the auditor detects the same instance as non-compliant once its
         launch date is set to 2000-01-01.
    """
    # Prep
    cinq_test_service.start_mocking_services('ec2')
    fixtures = setup_test_aws(cinq_test_service)
    recipient, account = fixtures['recipient'], fixtures['account']

    # Audit EC2 instances only, with enforcement enabled (collect_only off).
    scope = dbconfig.get('audit_scope', NS_AUDITOR_REQUIRED_TAGS)
    scope['enabled'] = ['aws_ec2_instance']
    dbconfig.set(NS_AUDITOR_REQUIRED_TAGS, 'audit_scope', DBCJSON(scope))
    dbconfig.set(NS_AUDITOR_REQUIRED_TAGS, 'collect_only', False)

    # Add one instance through the mocked EC2 client, then collect it.
    ec2 = aws_get_client('ec2')
    launched = ec2.run_instances(ImageId='i-10000', MinCount=1, MaxCount=1)
    instance_id = launched['Instances'][0]['InstanceId']
    collect_resources(account=account, resource_types=['ec2'])

    auditor = MockRequiredTagsAuditor()

    # Test 1 --- grace period: an instance launched "now" must not be reported.
    # NOTE(review): the result of this modify_resource call is not checked, so a
    # failed update would go unnoticed here -- confirm whether it should be
    # asserted like the one in Test 2.
    launch_now = datetime.datetime.utcnow().isoformat()
    cinq_test_service.modify_resource(instance_id, 'launch_date', launch_now)
    auditor.run()
    assert auditor._cinq_test_notices == {}

    # Test 2 --- an instance with an old launch date must be reported.
    backdated = cinq_test_service.modify_resource(
        instance_id, 'launch_date', '2000-01-01T00:00:00'
    )
    assert backdated is True

    auditor.run()
    reported = auditor._cinq_test_notices
    assert recipient in reported
    assert reported[recipient]['not_fixed'][0]['resource'].resource_id == instance_id
def test_audit(cinq_test_service):
    """Prepare a mocked EC2 environment and run ``case_1`` against it.

    Starts the EC2 mock, builds the test account and recipient through
    ``setup_test_aws``, limits the audit scope to ``aws_ec2_instance`` and then
    hands the fixture, account and recipient to ``case_1``.
    """
    # Prep
    cinq_test_service.start_mocking_services('ec2')
    fixtures = setup_test_aws(cinq_test_service)
    recipient, account = fixtures['recipient'], fixtures['account']

    scope = dbconfig.get('audit_scope', NS_AUDITOR_REQUIRED_TAGS)
    scope['enabled'] = ['aws_ec2_instance']
    dbconfig.set(NS_AUDITOR_REQUIRED_TAGS, 'audit_scope', DBCJSON(scope))

    # Tests
    case_1(cinq_test_service, account, recipient)
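def set_audit_scope(*args):
    """Replace the enabled resource types in the auditor's ``audit_scope`` setting.

    Reads the current ``audit_scope`` value from the NS_AUDITOR_REQUIRED_TAGS
    namespace, overwrites its ``enabled`` entry with the given names and writes
    the setting back wrapped in ``DBCJSON``.

    Args:
        *args: Resource type names to enable, e.g. ``'aws_s3_bucket'``.
            Calling with no arguments stores an empty list.
    """
    db_setting = dbconfig.get('audit_scope', NS_AUDITOR_REQUIRED_TAGS)
    # *args arrives as a tuple; store a list so the value has the same shape as
    # a literal such as ['aws_ec2_instance'] assigned directly to this key.
    db_setting['enabled'] = list(args)
    dbconfig.set(NS_AUDITOR_REQUIRED_TAGS, 'audit_scope', DBCJSON(db_setting))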
def prep_rds_testing(cinq_test_service, collect_only=False):
    """Configure the auditor settings used by the RDS tests.

    Restricts the audit scope to ``aws_rds_instance`` and writes
    ``collect_only`` and the standard alert settings into the
    NS_AUDITOR_REQUIRED_TAGS namespace.

    Args:
        cinq_test_service: Test service fixture; not used by this function,
            which starts no service mocks.
        collect_only: Value stored under the ``collect_only`` setting.
    """
    set_audit_scope('aws_rds_instance')

    namespace = NS_AUDITOR_REQUIRED_TAGS
    dbconfig.set(namespace, 'collect_only', collect_only)
    alert_settings = DBCJSON(STANDARD_ALERT_SETTINGS)
    dbconfig.set(namespace, 'alert_settings', alert_settings)