def test_get_list_attached_user_policies_error_call_list_attached_user_policies( self): expected_error_response = copy.deepcopy(DataCommon.ERROR_RESPONSE) expected_operation_name = copy.deepcopy(DataCommon.OPERATION_NAME) # mock error call API list_attached_user_policies with patch.object(client_connect_iam, 'list_attached_user_policies') as mock_method: mock_method.side_effect = ClientError( error_response=expected_error_response, operation_name=expected_operation_name) with patch.object(PmLogAdapter, 'error', return_value=None) as mock_method_error: with self.assertRaises(PmError) as exception: IAMUtils.get_list_attached_user_policies( trace_id, client_connect_iam, aws_account, user_name) # check error actual_cause_error = exception.exception.cause_error self.assertEqual(expected_error_response['Error'], actual_cause_error.response['Error']) self.assertEqual(expected_operation_name, actual_cause_error.operation_name) # check message log error mock_method_error.assert_any_call( "[%s] IAMユーザー(%s)にアタッチされた管理ポリシー一覧情報の取得に失敗しました。", aws_account, user_name)
def test_get_account_password_policy_error_connect_iam(self): expected_error_response = copy.deepcopy(DataCommon.ERROR_RESPONSE) expected_operation_name = copy.deepcopy(DataCommon.OPERATION_NAME) # mock error client with patch.object(session, 'client') as mock_method: mock_method.side_effect = ClientError( error_response=expected_error_response, operation_name=expected_operation_name) with patch.object(PmLogAdapter, 'error', return_value=None) as mock_method_error: with self.assertRaises(PmError) as exception: IAMUtils.get_account_password_policy( trace_id, session, aws_account) # check error actual_cause_error = exception.exception.cause_error self.assertEqual(expected_error_response['Error'], actual_cause_error.response['Error']) self.assertEqual(expected_operation_name, actual_cause_error.operation_name) # check message log error mock_method_error.assert_any_call("[%s] IAMクライアント作成に失敗しました。", aws_account)
def test_get_account_password_policy_error_no_such_entity(self): # connect client client_connect_iam = iam_utils.client_connect() expected_error_response = copy.deepcopy(DataCommon.ERROR_RESPONSE) expected_operation_name = copy.deepcopy(DataCommon.OPERATION_NAME) expected_error_response['Error']['Code'] = "NoSuchEntity" # mock client with patch.object(session, 'client') as mock_method_client: mock_method_client.return_value = client_connect_iam # mock error no such entity call API get_account_password_policy with patch.object(client_connect_iam, 'get_account_password_policy') as mock_method: mock_method.side_effect = ClientError( error_response=expected_error_response, operation_name=expected_operation_name) with patch.object(PmLogAdapter, 'error', return_value=None) as mock_method_error: with self.assertRaises(PmError) as exception: IAMUtils.get_account_password_policy( trace_id, session, aws_account) # check error actual_cause_error = exception.exception.cause_error self.assertEqual(expected_error_response['Error'], actual_cause_error.response['Error']) self.assertEqual(expected_operation_name, actual_cause_error.operation_name) # check message log error mock_method_error.assert_any_call("[%s] アカウントパスワードポリシーが設定されていません。", aws_account)
def test_list_virtual_mfa_devices_error_call_list_virtual_mfa_devices( self): # connect client client_connect_iam = iam_utils.client_connect() expected_error_response = copy.deepcopy(DataCommon.ERROR_RESPONSE) expected_operation_name = copy.deepcopy(DataCommon.OPERATION_NAME) # mock client with patch.object(session, 'client') as mock_client: mock_client.return_value = client_connect_iam # mock error call API list_virtual_mfa_devices with patch.object(client_connect_iam, 'list_virtual_mfa_devices') as mock_method: mock_method.side_effect = ClientError( error_response=expected_error_response, operation_name=expected_operation_name) with patch.object(PmLogAdapter, 'error', return_value=None) as mock_method_error: with self.assertRaises(PmError) as exception: IAMUtils.list_virtual_mfa_devices( trace_id, session, aws_account) # check error actual_cause_error = exception.exception.cause_error self.assertEqual(expected_error_response['Error'], actual_cause_error.response['Error']) self.assertEqual(expected_operation_name, actual_cause_error.operation_name) # check message log error mock_method_error.assert_any_call("[%s]仮想MFAデバイスリストの取得に失敗しました。", aws_account)
def test_get_list_user_policies_success_response_is_truncate_true(self): # connect client client_connect_iam = iam_utils.client_connect() expected_list_user_policies = copy.deepcopy( DataTestIAM.LIST_USER_POLICY_DATA) # mock client with patch.object(session, 'client') as mock_method_client: mock_method_client.return_value = client_connect_iam # mock response API list_user_policies with patch.object(client_connect_iam, 'list_user_policies') as mock_method: mock_method.side_effect = iam_utils.side_effect_list_user_policies actual_list_user_policies = IAMUtils.get_list_user_policies( trace_id, session, aws_account, user_name) # check response self.assertEqual(expected_list_user_policies, actual_list_user_policies) # check connect client mock_method_client.assert_any_call(service_name="iam") # check call API list_user_policies mock_method.assert_any_call(UserName=user_name)
def test_list_virtual_mfa_devices_success_response_is_truncate_false(self): # connect client client_connect_iam = iam_utils.client_connect() expected_list_virtual_mfa_devices = copy.deepcopy( DataTestIAM.DATA_LIST_VIRTUAL_MFA_DEVICES_IS_TRUNCATED_FALSE) # mock client with patch.object(session, 'client') as mock_method_client: mock_method_client.return_value = client_connect_iam # mock response API list_virtual_mfa_devices with patch.object(client_connect_iam, 'list_virtual_mfa_devices') as mock_method: mock_method.return_value = expected_list_virtual_mfa_devices actual_list_virtual_mfa_devices = IAMUtils.list_virtual_mfa_devices( trace_id, session, aws_account) # check response self.assertEqual( expected_list_virtual_mfa_devices['VirtualMFADevices'], actual_list_virtual_mfa_devices) # check connect client mock_method_client.assert_any_call(service_name="iam")
def get_account_password_policy(trace_id, check_history_id, organization_id, project_id, awsaccount, session, result_json_path): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) s3_file_name = CommonConst.PATH_CHECK_RAW.format( check_history_id, organization_id, project_id, awsaccount, "IBP/IAM_AccountPasswordPolicy.json") # リソース情報取得 if (aws_common.check_exists_file_s3(trace_id, "S3_CHECK_BUCKET", s3_file_name)) is True: try: account_password_policy = FileUtils.read_json( trace_id, "S3_CHECK_BUCKET", s3_file_name) except PmError as e: raise common_utils.write_log_pm_error(e, pm_logger) else: try: account_password_policy = IAMUtils.get_account_password_policy( trace_id, session, awsaccount) except PmError as e: raise common_utils.write_log_pm_error(e, pm_logger) # アカウントパスワードポリシー情報をS3に保存します。 try: FileUtils.upload_json(trace_id, "S3_CHECK_BUCKET", account_password_policy, s3_file_name) except PmError as e: pm_logger.error("[%s] アカウントパスワードポリシー情報のS3保存に失敗しました。", awsaccount) raise common_utils.write_log_pm_error(e, pm_logger) return account_password_policy
def check_ibp_item_02_01(trace_id, check_history_id, organization_id, project_id, aws_account, session, result_json_path): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) check_results = [] # IAMユーザの一覧を取得する。 try: list_users = IAMUtils.get_list_users(trace_id, session, aws_account) except PmError as e: pm_logger.error("[%s] IAMユーザー一覧情報取得に失敗しました。", aws_account) return CheckResult.Error try: # 取得したユーザ一覧をS3に保存する(リソース情報ファイル)。 s3_file_name = CommonConst.PATH_CHECK_RAW.format( check_history_id, organization_id, project_id, aws_account, "IBP/IAM_ListUsers.json") FileUtils.upload_json(trace_id, "S3_CHECK_BUCKET", list_users, s3_file_name) except PmError as e: pm_logger.error("[%s] IAMユーザー一覧情報のS3保存に失敗しました。", aws_account) return CheckResult.Error # チェックルール # Check-1. IAMユーザが存在するか try: if (len(list_users) == 0): result = { 'Region': 'Global', 'Level': CommonConst.LEVEL_CODE_21, 'DetectionItem': { 'NoIAMUser': True } } check_results.append(result) except Exception as e: pm_logger.error("[%s] チェック処理中にエラーが発生しました。", aws_account) return CheckResult.Error # Export File CHECK_IBP_ITEM_02_01.json try: current_date = date_utils.get_current_date_by_format( date_utils.PATTERN_YYYYMMDDHHMMSS) check_ibp_item_02_01 = { 'AWSAccount': aws_account, 'CheckResults': check_results, 'DateTime': current_date } FileUtils.upload_json(trace_id, "S3_CHECK_BUCKET", check_ibp_item_02_01, result_json_path) except Exception as e: pm_logger.error("[%s] チェック結果JSONファイルの保存に失敗しました。", aws_account) return CheckResult.Error # チェック結果 if len(check_results) > 0: return CheckResult.CriticalDefect return CheckResult.Normal
def test_get_role_error_call_get_role(self): expected_error_response = copy.deepcopy(DataCommon.ERROR_RESPONSE) expected_operation_name = copy.deepcopy(DataCommon.OPERATION_NAME) # mock error call API get_role with patch.object(client_connect_iam, 'get_role') as mock_method: mock_method.side_effect = ClientError( error_response=expected_error_response, operation_name=expected_operation_name) with self.assertRaises(PmError) as exception: IAMUtils.get_role(trace_id, client_connect_iam, role_name) # check error actual_cause_error = exception.exception.cause_error self.assertEqual(expected_error_response['Error'], actual_cause_error.response['Error']) self.assertEqual(expected_operation_name, actual_cause_error.operation_name)
def test_get_role_success(self): expected_role_data = copy.deepcopy(DataTestIAM.DATA_ROLE) # mock response API get_role with patch.object(client_connect_iam, 'get_role') as mock_method: mock_method.return_value = expected_role_data actual_role_data = IAMUtils.get_role(trace_id, client_connect_iam, role_name) # check response self.assertEqual(expected_role_data, actual_role_data) # check call API get_role mock_method.assert_any_call(RoleName=role_name)
def test_get_iam_client_success(self): # connect client expected_client_connect_iam = iam_utils.client_connect() # mock client with patch.object(session, 'client') as mock_method_client: mock_method_client.return_value = expected_client_connect_iam actual_client_connect_iam = IAMUtils.get_iam_client( trace_id, session, aws_account) # check response self.assertEqual(expected_client_connect_iam, actual_client_connect_iam) # check connect client mock_method_client.assert_any_call(service_name="iam")
def test_get_list_attached_user_policies_success_response_is_truncate_true( self): expected_list_attached_user_policies = copy.deepcopy( DataTestIAM.LIST_ATTACHED_USER_POLICIES_DATA) # mock response API list_attached_user_policies with patch.object(client_connect_iam, 'list_attached_user_policies') as mock_method: mock_method.side_effect = iam_utils.side_effect_list_attached_user_policies actual_list_attached_user_policies = IAMUtils.get_list_attached_user_policies( trace_id, client_connect_iam, aws_account, user_name) # check response self.assertEqual(expected_list_attached_user_policies, actual_list_attached_user_policies) # check call API list_attached_user_policies mock_method.assert_any_call(UserName=user_name)
def test_get_list_attached_user_policies_success_response_is_truncate_false( self): expected_list_attached_user_policies = copy.deepcopy( DataTestIAM.DATA_ATTACHED_USER_POLICIES_IS_TRUNCATED_FALSE) # mock response API list_attached_user_policies with patch.object(client_connect_iam, 'list_attached_user_policies') as mock_method: mock_method.return_value = expected_list_attached_user_policies actual_list_attached_user_policies = IAMUtils.get_list_attached_user_policies( trace_id, client_connect_iam, aws_account, user_name) # check response self.assertEqual( expected_list_attached_user_policies['AttachedPolicies'], actual_list_attached_user_policies) # check call API list_attached_user_policies mock_method.assert_any_call(UserName=user_name)
def test_get_membership_aws_account_error_call_get_role(self): cause_error = PmError cause_error.response = copy.deepcopy(DataCommon.ERROR_RESPONSE) expected_status_member = status_member['Disable'] # mock error call function get_role with patch('premembers.common.IAMUtils.get_role') as mock_method: mock_method.side_effect = PmError(cause_error=cause_error, message=copy.deepcopy( DataCommon.OPERATION_NAME)) with patch.object(PmLogAdapter, 'warning', return_value=None) as mock_method_warning: actual_response = IAMUtils.get_membership_aws_account( trace_id, session, aws_account) # check response self.assertEqual(expected_status_member, actual_response) # check message log warning mock_method_warning.assert_any_call("[%s] IAMロール「%s」の取得に失敗しました。", aws_account, cm_members_role_name)
def test_get_list_policies_success_response_not_exists_policies(self): # connect client client_connect_iam = iam_utils.client_connect() expected_list_policies = [] # mock client with patch.object(session, 'client') as mock_method_client: mock_method_client.return_value = client_connect_iam # mock API list_policies with patch.object(client_connect_iam, 'list_policies') as mock_method: mock_method.return_value = {'IsTruncated': False} actual_list_policies = IAMUtils.get_list_policies( trace_id, session, aws_account) # check response self.assertEqual(expected_list_policies, actual_list_policies) # check connect client mock_method_client.assert_any_call(service_name="iam")
def test_get_membership_aws_account_error_connect_iam(self): expected_error_response = copy.deepcopy(DataCommon.ERROR_RESPONSE) expected_operation_name = copy.deepcopy(DataCommon.OPERATION_NAME) expected_status_member = status_member['Disable'] # mock error client with patch.object(session, 'client') as mock_method: mock_method.side_effect = ClientError( error_response=expected_error_response, operation_name=expected_operation_name) with patch.object(PmLogAdapter, 'error', return_value=None) as mock_method_error: actual_response = IAMUtils.get_membership_aws_account( trace_id, session, aws_account) # check response self.assertEqual(expected_status_member, actual_response) # check message log error mock_method_error.assert_any_call("[%s] IAMクライアント作成に失敗しました。", aws_account)
def test_get_credential_report_success_response_not_exists_content(self): # connect client client_connect_iam = iam_utils.client_connect() expected_data_credential_report = [] # mock client with patch.object(session, 'client') as mock_method_client: mock_method_client.return_value = client_connect_iam # mock response API get_credential_report with patch.object(client_connect_iam, 'get_credential_report') as mock_method: mock_method.return_value = {} actual_credential_report = IAMUtils.get_credential_report( trace_id, session, aws_account) # check response self.assertEqual(expected_data_credential_report, actual_credential_report) # check connect client mock_method_client.assert_any_call(service_name="iam")
def test_get_membership_aws_account_error_no_such_entity(self): cause_error = PmError expected_error_response = copy.deepcopy(DataCommon.ERROR_RESPONSE) expected_operation_name = copy.deepcopy(DataCommon.OPERATION_NAME) expected_error_response['Error']['Code'] = "NoSuchEntity" cause_error.response = expected_error_response expected_status_member = status_member['Disable'] # mock error no such entity call function get_role with patch('premembers.common.IAMUtils.get_role') as mock_method: mock_method.side_effect = PmError(cause_error=cause_error, message=expected_operation_name) with patch.object(PmLogAdapter, 'info', return_value=None) as mock_method_info: actual_response = IAMUtils.get_membership_aws_account( trace_id, session, aws_account) # check response self.assertEqual(expected_status_member, actual_response) # check message log info mock_method_info.assert_any_call("[%s] IAMロール「%s」が存在しません。", aws_account, cm_members_role_name)
def test_get_credential_report_success_response_exists_content(self): # connect client client_connect_iam = iam_utils.client_connect() expected_credential_report = copy.deepcopy( DataTestIAM.DATA_GET_CREDENTIAL_REPORT) # mock client with patch.object(session, 'client') as mock_method_client: mock_method_client.return_value = client_connect_iam # mock response API get_credential_report with patch.object(client_connect_iam, 'get_credential_report') as mock_method: mock_method.return_value = expected_credential_report actual_credential_report = IAMUtils.get_credential_report( trace_id, session, aws_account) # check response self.assertEqual(expected_credential_report['Content'].decode(), actual_credential_report) # check connect client mock_method_client.assert_any_call(service_name="iam")
def test_get_account_summary_success_by_response_not_exists_attribute_summary_map( self): # connect client client_connect_iam = iam_utils.client_connect() expected_data_account_summary = [] # mock client with patch.object(session, 'client') as mock_method_client: mock_method_client.return_value = client_connect_iam # mock response API get_account_summary with patch.object(client_connect_iam, 'get_account_summary') as mock_method: mock_method.return_value = {} actual_data_account_summary = IAMUtils.get_account_summary( trace_id, session, aws_account) # check response self.assertEqual(expected_data_account_summary, actual_data_account_summary) # check connect client mock_method_client.assert_any_call(service_name="iam")
def test_get_membership_aws_account_success(self): role_data = copy.deepcopy(DataTestIAM.DATA_ROLE) expected_status_member = status_member['Enable'] # mock client with patch.object(session, 'client') as mock_method_client: # mock response function get_role with patch('premembers.common.IAMUtils.get_role') as mock_method: mock_method.return_value = role_data with patch.object(PmLogAdapter, 'info', return_value=None) as mock_method_info: actual_response = IAMUtils.get_membership_aws_account( trace_id, session, aws_account) # check response self.assertEqual(expected_status_member, actual_response) # check message log info mock_method_info.assert_any_call("[%s] IAMロール「%s」が存在します。", aws_account, cm_members_role_name) # check connect client mock_method_client.assert_any_call(service_name="iam")
def test_get_account_password_policy_success_response_not_exists_password_policy( self): # connect client client_connect_iam = iam_utils.client_connect() expected_list_password_policy = [] # mock client with patch.object(session, 'client') as mock_method_client: mock_method_client.return_value = client_connect_iam # mock API get_account_password_policy with patch.object(client_connect_iam, 'get_account_password_policy') as mock_method: mock_method.return_value = {} actual_list_password_policy = IAMUtils.get_account_password_policy( trace_id, session, aws_account) # check response self.assertEqual(expected_list_password_policy, actual_list_password_policy) # check connect client mock_method_client.assert_any_call(service_name="iam")
def test_get_account_summary_success_by_response_exists_attribute_summary_map( self): # connect client client_connect_iam = iam_utils.client_connect() expected_data_account_summary = copy.deepcopy( DataTestIAM.DATA_ACCOUNT_SUMMARY_EXISTS_ATTRIBUTE) # mock client with patch.object(session, 'client') as mock_method_client: mock_method_client.return_value = client_connect_iam # mock response API get_account_summary with patch.object(client_connect_iam, 'get_account_summary') as mock_method: mock_method.return_value = expected_data_account_summary actual_data_account_summary = IAMUtils.get_account_summary( trace_id, session, aws_account) # check response self.assertEqual(expected_data_account_summary['SummaryMap'], actual_data_account_summary) # check connect client mock_method_client.assert_any_call(service_name="iam")
def test_get_account_password_policy_success_response_exists_password_policy( self): # connect client client_connect_iam = iam_utils.client_connect() expected_list_password_policy = copy.deepcopy( DataTestIAM.LIST_PASSWORD_POLICY) # mock client with patch.object(session, 'client') as mock_method_client: mock_method_client.return_value = client_connect_iam # mock API get_account_password_policy with patch.object(client_connect_iam, 'get_account_password_policy') as mock_method: mock_method.return_value = expected_list_password_policy actual_list_password_policy = IAMUtils.get_account_password_policy( trace_id, session, aws_account) # check response self.assertEqual(expected_list_password_policy['PasswordPolicy'], actual_list_password_policy) # check connect client mock_method_client.assert_any_call(service_name="iam")
def update_awscoop(trace_id, project_id, organization_id, coop_id, data_body): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) # Parse JSON try: body_object = json.loads(data_body) aws_account = body_object["awsAccount"] role_name = body_object["roleName"] description = body_object["description"] aws_account_name = body_object['awsAccountName'] except Exception as e: return common_utils.error_exception(MsgConst.ERR_REQUEST_202, HTTPStatus.BAD_REQUEST, e, pm_logger, True) # Validate list_error = validate_update_awscoop(aws_account, role_name) if list_error: return common_utils.error_validate(MsgConst.ERR_REQUEST_201, HTTPStatus.UNPROCESSABLE_ENTITY, list_error, pm_logger) # Get data AWSアカウント連携 try: awscoops_item = pm_awsAccountCoops.get_awscoops_update( trace_id, coop_id, project_id, organization_id) except PmError as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) # 組織情報を取得します。 if awscoops_item is None: return common_utils.error_common(MsgConst.ERR_301, HTTPStatus.NOT_FOUND, pm_logger) # ロールのアクセス確認 if common_utils.is_null(description): description = None if common_utils.is_null(aws_account_name): aws_account_name = None external_id = awscoops_item['ExternalID'] effective = Effective.Disable.value members = None if (checkaccess.check_access_to_aws(trace_id, aws_account, role_name, external_id)): effective = Effective.Enable.value # IAMクライアントを用いて、IAMロールcm-membersportalを取得します。 try: session = aws_common.create_session_client(trace_id, aws_account, role_name, external_id) members = IAMUtils.get_membership_aws_account( trace_id, session, aws_account) except PmError as e: common_utils.write_log_pm_error(e, pm_logger, exc_info=True) # update project attribute = { 'AWSAccount': { "Value": aws_account }, 'RoleName': { "Value": role_name }, 'Description': { "Value": description }, 'Effective': { "Value": effective }, 'AWSAccountName': { "Value": aws_account_name } } if (members is not None): attribute['Members'] = {"Value": members} updated_at = awscoops_item['UpdatedAt'] try: pm_awsAccountCoops.update_awscoops(trace_id, coop_id, attribute, updated_at) except PmError as e: return common_utils.error_exception(MsgConst.ERR_DB_403, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) # Get data response try: awscoops_item = pm_awsAccountCoops.query_awscoop_coop_key( trace_id, coop_id, convert_response=True) except PmError as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) # return data response response = common_utils.get_response_by_response_body( HTTPStatus.OK, awscoops_item) return common_utils.response(response, pm_logger)