def test_get_with_region(self):
in_five_min_epoch = int(time.time()) + 5 * 60
aws_credentials = AWSCredentials(
access_key_id="test_aki",
secret_access_key="test_sak",
session_token="test_st",
expiration=in_five_min_epoch,
)
cache = AWSCredentialsCache()
cache.put(
credentials=aws_credentials,
account_id="123456789012",
role_name="test_rn",
role_session_name="test_rsn",
)
session = cache.get(
account_id="123456789012",
role_name="test_rn",
role_session_name="test_rsn",
region_name="us-east-4",
)
self.assertEqual(session.region_name, "us-east-4")
creds = session.get_credentials()
self.assertEqual(creds.access_key, "test_aki")
self.assertEqual(
creds.secret_key,
"test_sak",
)
self.assertEqual(creds.token, "test_st")
def test_put(self):
in_five_min_epoch = int(time.time()) + 5 * 60
aws_credentials = AWSCredentials(
access_key_id="test_aki",
secret_access_key="test_sak",
session_token="test_st",
expiration=in_five_min_epoch,
)
cache = AWSCredentialsCache()
cache.put(
credentials=aws_credentials,
account_id="123456789012",
role_name="test_rn",
role_session_name="test_rsn",
)
keys_values = cache.cache.items()
self.assertEqual(len(keys_values), 1)
for key, value in keys_values:
self.assertEqual(
key,
AWSCredentialsCache.build_cache_key(
account_id="123456789012",
role_name="test_rn",
role_session_name="test_rsn"),
)
self.assertEqual(
value,
AWSCredentials(
access_key_id="test_aki",
secret_access_key="test_sak",
session_token="test_st",
expiration=in_five_min_epoch,
),
)
def test(self):
key = AWSCredentialsCache.build_cache_key(
account_id="1234",
role_name="test_role",
role_session_name="test_role_session")
expected_str = "1234:test_role:test_role_session"
self.assertEqual(str(key), expected_str)
def test_put_wrong_account_id(self):
in_five_min_epoch = int(time.time()) + 5 * 60
aws_credentials = AWSCredentials(
access_key_id="test_aki",
secret_access_key="test_sak",
session_token="test_st",
expiration=in_five_min_epoch,
)
cache = AWSCredentialsCache()
with self.assertRaises(ValueError):
cache.put(
credentials=aws_credentials,
account_id="987654321098",
role_name="test_rn",
role_session_name="test_rsn",
)
def from_file(cls: Type["Accessor"],
filepath: Path,
cache_creds: bool = True) -> "Accessor":
"""Create an Accessor from json content in a file
Args:
filepath: Path to json accessor definition
Returns:
Accessor
"""
with filepath.open("r") as fp:
config_dict = json.load(fp)
if cache_creds:
credentials_cache = AWSCredentialsCache()
config_dict["credentials_cache"] = credentials_cache.to_dict()
return cls.from_dict(config_dict)
def from_dict(cls: Type["Accessor"],
data: Dict[str, Any],
cache_creds: bool = True) -> "Accessor":
mhas = data.get("multi_hop_accessors", [])
credentials_cache = None
credentials_cache_dict = data.get("credentials_cache")
if credentials_cache_dict is None:
if cache_creds:
credentials_cache = AWSCredentialsCache()
else:
credentials_cache = AWSCredentialsCache.from_dict(
credentials_cache_dict)
return cls(
multi_hop_accessors=[
MultiHopAccessor.from_dict(mha) for mha in mhas
],
credentials_cache=credentials_cache,
)
def test_get_expired_returns_none(self):
five_min_ago_epoch = int(time.time()) - 5 * 60
aws_credentials = AWSCredentials(
access_key_id="test_aki",
secret_access_key="test_sak",
session_token="test_st",
expiration=five_min_ago_epoch,
)
cache = AWSCredentialsCache()
cache.put(
credentials=aws_credentials,
account_id="123456789012",
role_name="test_rn",
role_session_name="test_rsn",
)
session = cache.get(account_id="123456789012",
role_name="test_rn",
role_session_name="test_rsn")
self.assertIsNone(session)
def test_get_session_with_cache(self):
cache = AWSCredentialsCache()
access_steps = [
AccessStep(role_name="test_role_name1", account_id="123456789012", external_id="abcd"),
AccessStep(role_name="test_role_name2", account_id="123456789012"),
AccessStep(role_name="test_role_name3"),
]
mha = MultiHopAccessor(
role_session_name="test_role_session_name", access_steps=access_steps
)
session = mha.get_session("123456789012", credentials_cache=cache)
self.assertIsNone(session.region_name)
self.assertEqual(
sorted(cache.to_dict()["cache"].keys()),
[
"123456789012:test_role_name1:test_role_session_name",
"123456789012:test_role_name2:test_role_session_name",
"123456789012:test_role_name3:test_role_session_name",
],
)
def test_get_session_with_primed_cache(self):
cache = AWSCredentialsCache()
access_steps = [
AccessStep(role_name="test_role_name1", account_id="123456789012", external_id="abcd"),
AccessStep(role_name="test_role_name2", account_id="123456789012"),
AccessStep(role_name="test_role_name3"),
]
mha = MultiHopAccessor(
role_session_name="test_role_session_name", access_steps=access_steps
)
session = mha.get_session("123456789012", credentials_cache=cache)
frozen_creds = session.get_credentials().get_frozen_credentials()
# cache is now primed, the next call should use cached creds. record them so we can
# compare.
new_session = mha.get_session("123456789012", credentials_cache=cache)
self.assertEqual(frozen_creds, new_session.get_credentials().get_frozen_credentials())
def test_from_dict(self):
cache = AWSCredentialsCache()
in_five_min_epoch = int(time.time()) + 5 * 60
aws_credentials = AWSCredentials(
access_key_id="test_aki",
secret_access_key="test_sak",
session_token="test_st",
expiration=in_five_min_epoch,
)
cache.put(
credentials=aws_credentials,
account_id="123456789012",
role_name="test_rn",
role_session_name="test_rsn",
)
aws_credentials = AWSCredentials(
access_key_id="test_aki2",
secret_access_key="test_sak2",
session_token="test_st2",
expiration=in_five_min_epoch,
)
cache.put(
credentials=aws_credentials,
account_id="123456789012",
role_name="test_rn2",
role_session_name="test_rsn2",
)
data = {
"cache": {
"123456789012:test_rn:test_rsn": {
"access_key_id": "test_aki",
"secret_access_key": "test_sak",
"session_token": "test_st",
"expiration": in_five_min_epoch,
},
"123456789012:test_rn2:test_rsn2": {
"access_key_id": "test_aki2",
"secret_access_key": "test_sak2",
"session_token": "test_st2",
"expiration": in_five_min_epoch,
},
}
}
from_data_cache = AWSCredentialsCache(**data)
self.assertEqual(from_data_cache, cache)
def test_from_dict_to_dict(self):
in_five_min_epoch = int(time.time()) + 5 * 60
data = {
"cache": {
"123456789012:test_rn:test_rsn": {
"access_key_id": "test_aki",
"secret_access_key": "test_sak",
"session_token": "test_st",
"expiration": in_five_min_epoch,
},
"123456789012:test_rn2:test_rsn2": {
"access_key_id": "test_aki2",
"secret_access_key": "test_sak2",
"session_token": "test_st2",
"expiration": in_five_min_epoch,
},
}
}
self.assertDictEqual(data, AWSCredentialsCache(**data).dict())
def test_get_miss(self):
cache = AWSCredentialsCache()
session = cache.get(account_id="123456789012",
role_name="test_rn",
role_session_name="test_rsn")
self.assertIsNone(session)
def test(self):
with tempfile.TemporaryDirectory() as temp_dir:
resource_region_name = "us-east-1"
# get moto"s enabled regions
ec2_client = boto3.client("ec2", region_name=resource_region_name)
all_regions = ec2_client.describe_regions(
Filters=[{
"Name": "opt-in-status",
"Values": ["opt-in-not-required", "opted-in"]
}])["Regions"]
account_id = get_account_id()
all_region_names = tuple(region["RegionName"]
for region in all_regions)
enabled_region_names = tuple(
region["RegionName"] for region in all_regions
if region["OptInStatus"] != "not-opted-in")
delete_vpcs(all_region_names)
# add a diverse set of resources which are supported by moto
## dynamodb
# TODO moto is not returning TableId in list/describe
# dynamodb_table_1_arn = create_dynamodb_table(
# name="test_table_1",
# attr_name="test_hash_key_attr_1",
# attr_type="S",
# key_type="HASH",
# region_name=region_name,
# )
## s3
bucket_1_name = "test_bucket"
bucket_1_arn, bucket_1_creation_date = create_bucket(
name=bucket_1_name,
account_id=account_id,
region_name=resource_region_name)
## ec2
vpc_1_cidr = "10.0.0.0/16"
vpc_1_id = create_vpc(cidr_block=vpc_1_cidr,
region_name=resource_region_name)
vpc_1_arn = VPCResourceSpec.generate_arn(
resource_id=vpc_1_id,
account_id=account_id,
region=resource_region_name)
subnet_1_cidr = "10.0.0.0/24"
subnet_1_cidr_network = ipaddress.IPv4Network(subnet_1_cidr,
strict=False)
subnet_1_first_ip, subnet_1_last_ip = (
int(subnet_1_cidr_network[0]),
int(subnet_1_cidr_network[-1]),
)
subnet_1_id = create_subnet(cidr_block=subnet_1_cidr,
vpc_id=vpc_1_id,
region_name=resource_region_name)
subnet_1_arn = SubnetResourceSpec.generate_arn(
resource_id=subnet_1_id,
account_id=account_id,
region=resource_region_name)
fixed_bucket_1_arn = f"arn:aws:s3:::{bucket_1_name}"
flow_log_1_id, flow_log_1_creation_time = create_flow_log(
vpc_id=vpc_1_id,
dest_bucket_arn=fixed_bucket_1_arn,
region_name=resource_region_name,
)
flow_log_1_arn = FlowLogResourceSpec.generate_arn(
resource_id=flow_log_1_id,
account_id=account_id,
region=resource_region_name)
ebs_volume_1_size = 128
ebs_volume_1_az = f"{resource_region_name}a"
ebs_volume_1_arn, ebs_volume_1_create_time = create_volume(
size=ebs_volume_1_size,
az=ebs_volume_1_az,
region_name=resource_region_name)
## iam
policy_1_name = "test_policy_1"
policy_1_arn, policy_1_id = create_iam_policy(
name=policy_1_name,
policy_doc={
"Version":
"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "*"
},
],
},
)
role_1_name = "test_role_1"
role_1_assume_role_policy_doc = {
"Version":
"2012-10-17",
"Statement": [{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Sid": "",
}],
}
role_1_description = "Test Role 1"
role_1_max_session_duration = 3600
role_1_arn = create_iam_role(
name=role_1_name,
assume_role_policy_doc=role_1_assume_role_policy_doc,
description=role_1_description,
max_session_duration=role_1_max_session_duration,
)
## lambda
lambda_function_1_name = "test_lambda_function_1"
lambda_function_1_runtime = "python3.7"
lambda_function_1_handler = "lambda_function.lambda_handler"
lambda_function_1_description = "Test Lambda Function 1"
lambda_function_1_timeout = 30
lambda_function_1_memory_size = 256
lambda_function_1_arn = create_lambda_function(
name=lambda_function_1_name,
runtime=lambda_function_1_runtime,
role_name=role_1_arn,
handler=lambda_function_1_handler,
description=lambda_function_1_description,
timeout=lambda_function_1_timeout,
memory_size=lambda_function_1_memory_size,
publish=False,
region_name=resource_region_name,
)
# scan
test_scan_id = "test_scan_id"
aws_config = AWSConfig(
artifact_path=temp_dir,
pruner_max_age_min=4320,
graph_name="alti",
concurrency=ConcurrencyConfig(max_account_scan_threads=1,
max_svc_scan_threads=1,
max_account_scan_tries=2),
scan=ScanConfig(
accounts=(),
regions=(),
scan_sub_accounts=False,
preferred_account_scan_regions=(
"us-west-1",
"us-west-2",
"us-east-1",
"us-east-2",
),
),
accessor=Accessor(
credentials_cache=AWSCredentialsCache(cache={}),
multi_hop_accessors=[],
cache_creds=True,
),
write_master_json=True,
)
resource_spec_classes = (
# DynamoDbTableResourceSpec, TODO moto
EBSVolumeResourceSpec,
FlowLogResourceSpec,
IAMPolicyResourceSpec,
IAMRoleResourceSpec,
LambdaFunctionResourceSpec,
S3BucketResourceSpec,
SubnetResourceSpec,
VPCResourceSpec,
)
muxer = LocalAWSScanMuxer(
scan_id=test_scan_id,
config=aws_config,
resource_spec_classes=resource_spec_classes,
)
with unittest.mock.patch(
"altimeter.aws.scan.account_scanner.get_all_enabled_regions"
) as mock_get_all_enabled_regions:
mock_get_all_enabled_regions.return_value = enabled_region_names
aws2n_result = aws2n(
scan_id=test_scan_id,
config=aws_config,
muxer=muxer,
load_neptune=False,
)
graph_set = GraphSet.from_json_file(
Path(aws2n_result.json_path))
self.assertEqual(len(graph_set.errors), 0)
self.assertEqual(graph_set.name, "alti")
self.assertEqual(graph_set.version, "2")
# now check each resource type
self.maxDiff = None
## Accounts
expected_account_resources = [
Resource(
resource_id=f"arn:aws::::account/{account_id}",
type="aws:account",
link_collection=LinkCollection(
simple_links=(SimpleLink(pred="account_id",
obj=account_id), ), ),
)
]
account_resources = [
resource for resource in graph_set.resources
if resource.type == "aws:account"
]
self.assertCountEqual(account_resources,
expected_account_resources)
## Regions
expected_region_resources = [
Resource(
resource_id=
f"arn:aws:::{account_id}:region/{region['RegionName']}",
type="aws:region",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="name",
obj=region["RegionName"]),
SimpleLink(pred="opt_in_status",
obj=region["OptInStatus"]),
),
resource_links=(ResourceLink(
pred="account",
obj=f"arn:aws::::account/{account_id}"), ),
),
) for region in all_regions
]
region_resources = [
resource for resource in graph_set.resources
if resource.type == "aws:region"
]
self.assertCountEqual(region_resources,
expected_region_resources)
## IAM Policies
expected_iam_policy_resources = [
Resource(
resource_id=policy_1_arn,
type="aws:iam:policy",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="name", obj=policy_1_name),
SimpleLink(pred="policy_id", obj=policy_1_id),
SimpleLink(pred="default_version_id",
obj="v1"),
SimpleLink(
pred="default_version_policy_document_text",
obj=
'{"Statement": [{"Action": "logs:CreateLogGroup", "Effect": "Allow", "Resource": "*"}], "Version": "2012-10-17"}',
),
),
resource_links=(ResourceLink(
pred="account",
obj=f"arn:aws::::account/{account_id}"), ),
),
)
]
iam_policy_resources = [
resource for resource in graph_set.resources
if resource.type == "aws:iam:policy"
]
self.assertCountEqual(iam_policy_resources,
expected_iam_policy_resources)
## IAM Roles
expected_iam_role_resources = [
Resource(
resource_id=role_1_arn,
type="aws:iam:role",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="name", obj=role_1_name),
SimpleLink(pred="max_session_duration",
obj=role_1_max_session_duration),
SimpleLink(pred="description",
obj=role_1_description),
SimpleLink(
pred="assume_role_policy_document_text",
obj=policy_doc_dict_to_sorted_str(
role_1_assume_role_policy_doc),
),
),
multi_links=(MultiLink(
pred="assume_role_policy_document",
obj=LinkCollection(
simple_links=(SimpleLink(
pred="version", obj="2012-10-17"), ),
multi_links=(MultiLink(
pred="statement",
obj=LinkCollection(
simple_links=(
SimpleLink(pred="effect",
obj="Allow"),
SimpleLink(
pred="action",
obj="sts:AssumeRole"),
),
multi_links=(MultiLink(
pred="principal",
obj=LinkCollection(
simple_links=(SimpleLink(
pred="service",
obj=
"lambda.amazonaws.com",
), )),
), ),
),
), ),
),
), ),
resource_links=(ResourceLink(
pred="account",
obj="arn:aws::::account/123456789012"), ),
),
)
]
iam_role_resources = [
resource for resource in graph_set.resources
if resource.type == "aws:iam:role"
]
self.assertCountEqual(iam_role_resources,
expected_iam_role_resources)
## Lambda functions
expected_lambda_function_resources = [
Resource(
resource_id=lambda_function_1_arn,
type="aws:lambda:function",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="function_name",
obj=lambda_function_1_name),
SimpleLink(pred="runtime",
obj=lambda_function_1_runtime),
),
resource_links=(
ResourceLink(
pred="account",
obj=f"arn:aws::::account/{account_id}"),
ResourceLink(
pred="region",
obj=
f"arn:aws:::{account_id}:region/{resource_region_name}",
),
),
transient_resource_links=(ResourceLink(
pred="role",
obj="arn:aws:iam::123456789012:role/test_role_1"
), ),
),
),
]
lambda_function_resources = [
resource for resource in graph_set.resources
if resource.type == "aws:lambda:function"
]
self.assertCountEqual(lambda_function_resources,
expected_lambda_function_resources)
## EC2 VPCs
expected_ec2_vpc_resources = [
Resource(
resource_id=vpc_1_arn,
type="aws:ec2:vpc",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="is_default", obj=True),
SimpleLink(pred="cidr_block", obj=vpc_1_cidr),
SimpleLink(pred="state", obj="available"),
),
resource_links=(
ResourceLink(
pred="account",
obj=f"arn:aws::::account/{account_id}"),
ResourceLink(
pred="region",
obj=
f"arn:aws:::{account_id}:region/{resource_region_name}",
),
),
),
)
]
ec2_vpc_resources = [
resource for resource in graph_set.resources
if resource.type == "aws:ec2:vpc"
]
self.assertCountEqual(ec2_vpc_resources,
expected_ec2_vpc_resources)
## EC2 VPC Flow Logs
expected_ec2_vpc_flow_log_resources = [
Resource(
resource_id=flow_log_1_arn,
type="aws:ec2:flow-log",
link_collection=LinkCollection(
simple_links=(
SimpleLink(
pred="creation_time",
obj=flow_log_1_creation_time.replace(
tzinfo=datetime.timezone.utc).
isoformat(),
),
SimpleLink(pred="deliver_logs_status",
obj="SUCCESS"),
SimpleLink(pred="flow_log_status",
obj="ACTIVE"),
SimpleLink(pred="traffic_type", obj="ALL"),
SimpleLink(pred="log_destination_type",
obj="s3"),
SimpleLink(pred="log_destination",
obj=fixed_bucket_1_arn),
SimpleLink(
pred="log_format",
obj=
"${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}",
),
),
resource_links=(
ResourceLink(
pred="account",
obj=f"arn:aws::::account/{account_id}"),
ResourceLink(
pred="region",
obj=
f"arn:aws:::{account_id}:region/{resource_region_name}",
),
),
transient_resource_links=(TransientResourceLink(
pred="vpc",
obj=vpc_1_arn,
), ),
),
)
]
ec2_vpc_flow_log_resources = [
resource for resource in graph_set.resources
if resource.type == "aws:ec2:flow-log"
]
self.assertCountEqual(ec2_vpc_flow_log_resources,
expected_ec2_vpc_flow_log_resources)
## EC2 Subnets
expected_ec2_subnet_resources = [
Resource(
resource_id=subnet_1_arn,
type="aws:ec2:subnet",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="cidr_block",
obj=subnet_1_cidr),
SimpleLink(pred="first_ip",
obj=subnet_1_first_ip),
SimpleLink(pred="last_ip",
obj=subnet_1_last_ip),
SimpleLink(pred="state", obj="available"),
),
resource_links=(
ResourceLink(pred="vpc", obj=vpc_1_arn),
ResourceLink(
pred="account",
obj=f"arn:aws::::account/{account_id}"),
ResourceLink(
pred="region",
obj=
f"arn:aws:::{account_id}:region/{resource_region_name}",
),
),
),
)
]
ec2_subnet_resources = [
resource for resource in graph_set.resources
if resource.type == "aws:ec2:subnet"
]
self.assertCountEqual(ec2_subnet_resources,
expected_ec2_subnet_resources)
## EC2 EBS Volumes
expected_ec2_ebs_volume_resources = [
Resource(
resource_id=ebs_volume_1_arn,
type="aws:ec2:volume",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="availability_zone",
obj=ebs_volume_1_az),
SimpleLink(
pred="create_time",
obj=ebs_volume_1_create_time.replace(
tzinfo=datetime.timezone.utc).
isoformat(),
),
SimpleLink(pred="size", obj=ebs_volume_1_size),
SimpleLink(pred="state", obj="available"),
SimpleLink(pred="volume_type", obj="gp2"),
SimpleLink(pred="encrypted", obj=False),
),
resource_links=(
ResourceLink(
pred="account",
obj=f"arn:aws::::account/{account_id}"),
ResourceLink(
pred="region",
obj=
f"arn:aws:::{account_id}:region/{resource_region_name}",
),
),
),
)
]
ec2_ebs_volume_resources = [
resource for resource in graph_set.resources
if resource.type == "aws:ec2:volume"
]
self.assertCountEqual(ec2_ebs_volume_resources,
expected_ec2_ebs_volume_resources)
## S3 Buckets
expected_s3_bucket_resources = [
Resource(
resource_id=bucket_1_arn,
type="aws:s3:bucket",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="name", obj=bucket_1_name),
SimpleLink(
pred="creation_date",
obj=bucket_1_creation_date.replace(
tzinfo=datetime.timezone.utc).
isoformat(),
),
),
resource_links=(
ResourceLink(
pred="account",
obj=f"arn:aws::::account/{account_id}"),
ResourceLink(
pred="region",
obj=
f"arn:aws:::{account_id}:region/{resource_region_name}",
),
),
),
)
]
s3_bucket_resources = [
resource for resource in graph_set.resources
if resource.type == "aws:s3:bucket"
]
self.assertCountEqual(s3_bucket_resources,
expected_s3_bucket_resources)
expected_num_graph_set_resources = (
0 + len(expected_account_resources) +
len(expected_region_resources) +
len(expected_iam_policy_resources) +
len(expected_iam_role_resources) +
len(expected_lambda_function_resources) +
len(expected_ec2_ebs_volume_resources) +
len(expected_ec2_subnet_resources) +
len(expected_ec2_vpc_resources) +
len(expected_ec2_vpc_flow_log_resources) +
len(expected_s3_bucket_resources))
self.assertEqual(len(graph_set.resources),
expected_num_graph_set_resources)