def test_get_bucket_encryption_error_access_denied(self): # create mock throw error when called function get_bucket_encryption expected_error_response = copy.deepcopy(DataCommon.ERROR_RESPONSE) expected_operation_name = copy.deepcopy(DataCommon.OPERATION_NAME) expected_error_response['Error']['Code'] = 'AccessDenied' with patch.object(client_s3, 'get_bucket_encryption') as mock_method: mock_method.side_effect = ClientError( error_response=expected_error_response, operation_name=expected_operation_name) with patch.object(PmLogAdapter, 'warning', return_value=None) as mock_method_warning: with self.assertRaises(PmError) as exception: # call function test S3Utils.get_bucket_encryption(trace_id, client_s3, bucket_name, aws_account, region_name) # check error actual_cause_error = exception.exception.cause_error self.assertEqual(expected_error_response['Error'], actual_cause_error.response['Error']) self.assertEqual(expected_operation_name, actual_cause_error.operation_name) # check write log warning mock_method_warning.assert_any_call( '[%s] 権限エラーによりS3バケットリージョン情報の取得に失敗しました。(%s/%s)', aws_account, region_name, bucket_name)
def test_get_bucket_encryption_error_server_side_encryption_configuration_not_found_error(self): # create mock throw error when called function get_bucket_encryption expected_error_response = copy.deepcopy(DataCommon.ERROR_RESPONSE) expected_operation_name = copy.deepcopy(DataCommon.OPERATION_NAME) expected_error_response['Error'][ 'Code'] = 'ServerSideEncryptionConfigurationNotFoundError' with patch.object(client_s3, 'get_bucket_encryption') as mock_method: mock_method.side_effect = ClientError( error_response=expected_error_response, operation_name=expected_operation_name) with patch.object(PmLogAdapter, 'info', return_value=None) as mock_method_info: with self.assertRaises(PmError) as exception: # call function test S3Utils.get_bucket_encryption(trace_id, client_s3, bucket_name, aws_account, region_name) # check error actual_cause_error = exception.exception.cause_error self.assertEqual(expected_error_response['Error'], actual_cause_error.response['Error']) self.assertEqual(expected_operation_name, actual_cause_error.operation_name) # check write log info mock_method_info.assert_any_call('[%s]S3バケット暗号化情報がありません。(%s/%s)', aws_account, region_name, bucket_name)
def test_get_bucket_encryption_success_response_not_exists_server_side_encryption_configuration_and_rules(self): # create mock data return when called function get_bucket_encryption with patch.object(client_s3, 'get_bucket_encryption') as mock_method: mock_method.return_value = {} # call function test actual_bucket_encryption = S3Utils.get_bucket_encryption( trace_id, client_s3, bucket_name, aws_account, region_name) # check result expected_bucket_encryption = [] self.assertEqual(expected_bucket_encryption, actual_bucket_encryption)
def test_get_bucket_encryption_success_response_exists_server_side_encryption_configuration_and_rules(self): expected_bucket_encryption = copy.deepcopy( DataTestS3.BUCKET_ENCRYPTION) # create mock data return when called function get_bucket_encryption with patch.object(client_s3, 'get_bucket_encryption') as mock_method: mock_method.return_value = expected_bucket_encryption # call function test actual_bucket_encryption = S3Utils.get_bucket_encryption( trace_id, client_s3, bucket_name, aws_account, region_name) # check result self.assertEqual( expected_bucket_encryption['ServerSideEncryptionConfiguration'] ['Rules'], actual_bucket_encryption)
def check_asc_item_13_01(trace_id, check_history_id, organization_id, project_id, aws_account, session, result_json_path): cw_logger = common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe()) check_results = [] is_authorized = True s3_client = S3Utils.get_s3_client(trace_id, session, aws_account, is_cw_logger=True) try: list_buckets = asc_item_common_logic.get_list_buckets( trace_id, check_history_id, organization_id, project_id, s3_client, aws_account) except PmError as e: return CheckResult.Error # 取得したS3バケットのアクセスコントロールリスト情報をS3に保存する(リソース情報ファイル)。 for bucket in list_buckets['Buckets']: bucket_name = bucket['Name'] region_name = None try: region_name = S3Utils.get_bucket_location( trace_id, s3_client, bucket_name, aws_account) if region_name is None: region_name = CommonConst.US_EAST_REGION bucket_encryption_rules = S3Utils.get_bucket_encryption( trace_id, s3_client, bucket_name, aws_account, region_name, is_cw_logger=True) except PmError as e: if e.cause_error.response['Error'][ 'Code'] in CommonConst.SERVER_SIDE_ENCRYPTION_CONFIGURATION_NOT_FOUND_ERROR: check_results.append(get_check_asc_item_13_01_result( region_name, bucket_name)) continue elif e.cause_error.response['Error'][ 'Code'] in CommonConst.S3_SKIP_EXCEPTION: error_operation = e.cause_error.operation_name, error_code = e.cause_error.response['Error']['Code'], error_message = e.cause_error.response['Error']['Message'] if region_name is None: region_name = CommonConst.ERROR check_results.append( asc_item_common_logic.get_error_authorized_result( region_name, bucket_name, error_operation, error_code, error_message)) is_authorized = False continue else: return CheckResult.Error if len(bucket_encryption_rules) == 0: continue try: s3_file_name = CommonConst.PATH_CHECK_RAW.format( check_history_id, organization_id, project_id, aws_account, "ASC/S3_Encryption_" + region_name + "_" + bucket_name + ".json") FileUtils.upload_json(trace_id, "S3_CHECK_BUCKET", bucket_encryption_rules, s3_file_name, is_cw_logger=True) except PmError as e: cw_logger.error("[%s] S3バケット暗号化情報のS3保存に失敗しました。(%s/%s)", aws_account, region_name, bucket_name) return CheckResult.Error # チェック処理 try: for bucket_encryption_rule in bucket_encryption_rules: if (common_utils.check_key( "SSEAlgorithm", bucket_encryption_rule['ApplyServerSideEncryptionByDefault'] ) is False): check_results.append(get_check_asc_item_13_01_result( region_name, bucket_name)) break except Exception as e: cw_logger.error("[%s] チェック処理中にエラーが発生しました。(%s/%s)", aws_account, region_name, bucket_name) return CheckResult.Error # Export File json try: current_date = date_utils.get_current_date_by_format( date_utils.PATTERN_YYYYMMDDHHMMSS) check_asc_item_13_01 = { 'AWSAccount': aws_account, 'CheckResults': check_results, 'DateTime': current_date } FileUtils.upload_s3(trace_id, check_asc_item_13_01, result_json_path, format_json=True, is_cw_logger=True) except Exception as e: cw_logger.error("[%s] チェック結果JSONファイルの保存に失敗しました。", aws_account) return CheckResult.Error # チェック結果 if is_authorized is False: return CheckResult.Error if len(check_results) > 0: return CheckResult.CriticalDefect return CheckResult.Normal