def _setup_one_two_revisions(self):
account_type_result = AccountType.query.filter(AccountType.name == 'AWS').first()
if not account_type_result:
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
account = Account(number="012345678910", name="testing",
s3_name="testing", role_name="SecurityMonkey",
account_type_id=account_type_result.id)
technology = Technology(name="iamrole")
item = Item(region="us-west-2", name="testrole",
arn="arn:aws:iam::012345678910:role/testrole", technology=technology,
account=account)
self.now = datetime(2016, 11, 3)
self.yesterday = self.now - timedelta(days=1)
item.revisions.append(ItemRevision(active=True, config={}, date_created=self.now))
item.revisions.append(ItemRevision(active=True, config={}, date_created=self.yesterday))
db.session.add(account)
db.session.add(technology)
db.session.add(item)
db.session.commit()
items = Item.query.all()
for item in items:
latest_revision = item.revisions.first()
item.latest_revision_id = latest_revision.id
db.session.add(item)
db.session.commit()
def _setup_one_two_revisions(self):
account_type_result = AccountType.query.filter(AccountType.name == 'AWS').first()
if not account_type_result:
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
account = Account(identifier="012345678910", name="testing",
account_type_id=account_type_result.id)
technology = Technology(name="iamrole")
item = Item(region="us-west-2", name="testrole",
arn="arn:aws:iam::012345678910:role/testrole", technology=technology,
account=account)
self.now = datetime(2016, 11, 3)
self.yesterday = self.now - timedelta(days=1)
item.revisions.append(ItemRevision(active=True, config={}, date_created=self.now))
item.revisions.append(ItemRevision(active=True, config={}, date_created=self.yesterday))
db.session.add(account)
db.session.add(technology)
db.session.add(item)
db.session.commit()
items = Item.query.all()
for item in items:
latest_revision = item.revisions.first()
item.latest_revision_id = latest_revision.id
db.session.add(item)
db.session.commit()
def test_detect_change(self):
from security_monkey.datastore_utils import detect_change, hash_item
from security_monkey.datastore import Item
self.setup_db()
item = Item(
region="universal",
name="SomeRole",
arn=ARN_PREFIX + ":iam::012345678910:role/SomeRole",
tech_id=self.technology.id,
account_id=self.account.id,
)
sti = SomeTestItem().from_slurp(ACTIVE_CONF,
account_name=self.account.name)
# Get the hash:
complete_hash, durable_hash = hash_item(sti.config, [])
# Item does not exist in the DB yet:
assert (True, 'durable', None,
'created') == detect_change(sti, self.account, self.technology,
complete_hash, durable_hash)
# Add the item to the DB:
db.session.add(item)
db.session.commit()
# Durable change (nothing hashed in DB yet)
assert (True, 'durable', item,
'changed') == detect_change(sti, self.account, self.technology,
complete_hash, durable_hash)
# No change:
item.latest_revision_complete_hash = complete_hash
item.latest_revision_durable_hash = durable_hash
db.session.add(item)
db.session.commit()
assert (False, None, item,
None) == detect_change(sti, self.account, self.technology,
complete_hash, durable_hash)
# Ephemeral change:
mod_conf = dict(ACTIVE_CONF)
mod_conf["IGNORE_ME"] = "I am ephemeral!"
complete_hash, durable_hash = hash_item(mod_conf, ["IGNORE_ME"])
assert (True, 'ephemeral', item,
None) == detect_change(sti, self.account, self.technology,
complete_hash, durable_hash)
def pre_test_setup(self):
account_type_result = AccountType.query.filter(
AccountType.name == 'AWS').first()
if not account_type_result:
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
self.account = Account(identifier="012345678910",
name="testing",
active=True,
third_party=False,
account_type_id=account_type_result.id)
self.technology = Technology(name="s3")
self.item = Item(region="us-west-2",
name="somebucket",
arn=ARN_PREFIX + ":s3:::somebucket",
technology=self.technology,
account=self.account)
db.session.add(self.account)
db.session.add(self.technology)
db.session.add(self.item)
db.session.commit()
mock_s3().start()
client = boto3.client("s3")
client.create_bucket(Bucket="somebucket")
client.create_bucket(Bucket="someotherbucket")
client.create_bucket(Bucket="someotherbucket2")
def test_fix_orphaned_deletions(self):
test_account = Account.query.filter(
Account.name == "TEST_ACCOUNT1").one()
technology = Technology(name="orphaned")
db.session.add(technology)
db.session.commit()
orphaned_item = Item(name="orphaned",
region="us-east-1",
tech_id=technology.id,
account_id=test_account.id)
db.session.add(orphaned_item)
db.session.commit()
assert not orphaned_item.latest_revision_id
assert not orphaned_item.revisions.count()
assert len(
Item.query.filter(Item.account_id == test_account.id, Item.tech_id
== technology.id, Item.latest_revision_id
== None).all()) == 1 # noqa
from security_monkey.task_scheduler.tasks import fix_orphaned_deletions
fix_orphaned_deletions(test_account.name, technology.name)
assert not Item.query.filter(
Item.account_id == test_account.id, Item.tech_id == technology.id,
Item.latest_revision_id == None).all() # noqa
assert orphaned_item.latest_revision_id
assert orphaned_item.revisions.count() == 1
assert orphaned_item.latest_config == {}
def create_item_aws(item, technology, account):
arn = ARN(item.config.get('Arn'))
return Item(region=arn.region or 'universal',
name=arn.parsed_name or arn.name,
arn=item.config.get('Arn'),
tech_id=technology.id,
account_id=account.id)
def test_link_to_support_item_issues(self):
auditor = Auditor(accounts=['test_account'])
sub_item_id = 2
issue1_text = 'This is test issue1'
issue2_text = 'This is test issue2'
issue1_score = 10
issue2_score = 5
item = ChangeItem(index='test_index',
account='test_account',
name='item_name')
sub_item = Item(id=sub_item_id,
tech_id=1,
account_id=1,
name='sub_item_name')
sub_item.issues.append(ItemAudit(score=issue1_score,
issue=issue1_text))
sub_item.issues.append(ItemAudit(score=issue2_score,
issue=issue2_text))
auditor.link_to_support_item_issues(item,
sub_item,
issue_message="TEST")
self.assertTrue(len(item.audit_issues) == 1)
new_issue = item.audit_issues[0]
self.assertTrue(new_issue.score == issue1_score + issue2_score)
self.assertTrue(new_issue.issue == "TEST")
self.assertTrue(len(new_issue.sub_items) == 1)
self.assertTrue(new_issue.sub_items[0] == sub_item)
def test_detect_change(self):
from security_monkey.datastore_utils import detect_change, hash_item
from security_monkey.datastore import Item
self.setup_db()
item = Item(region="universal",
name="SomeRole",
arn=ARN_PREFIX + ":iam::012345678910:role/SomeRole",
tech_id=self.technology.id,
account_id=self.account.id,
)
sti = SomeTestItem().from_slurp(ACTIVE_CONF, account_name=self.account.name)
# Get the hash:
complete_hash, durable_hash = hash_item(sti.config, [])
# Item does not exist in the DB yet:
assert (True, 'durable', None, 'created') == detect_change(sti, self.account, self.technology, complete_hash,
durable_hash)
# Add the item to the DB:
db.session.add(item)
db.session.commit()
# Durable change (nothing hashed in DB yet)
assert (True, 'durable', item, 'changed') == detect_change(sti, self.account, self.technology, complete_hash,
durable_hash)
# No change:
item.latest_revision_complete_hash = complete_hash
item.latest_revision_durable_hash = durable_hash
db.session.add(item)
db.session.commit()
assert (False, None, item, None) == detect_change(sti, self.account, self.technology, complete_hash,
durable_hash)
# Ephemeral change:
mod_conf = dict(ACTIVE_CONF)
mod_conf["IGNORE_ME"] = "I am ephemeral!"
complete_hash, durable_hash = hash_item(mod_conf, ["IGNORE_ME"])
assert (True, 'ephemeral', item, None) == detect_change(sti, self.account, self.technology, complete_hash,
durable_hash)
def test_save_issues(self):
mixer.init_app(self.app)
test_account = mixer.blend(Account, name='test_account')
technology = mixer.blend(Technology, name='testtech')
item = Item(region="us-west-2", name="testitem", technology=technology, account=test_account)
revision = mixer.blend(ItemRevision, item=item, config={}, active=True)
item.latest_revision_id = revision.id
mixer.blend(ItemAudit, item=item, issue='test issue')
auditor = Auditor(accounts=[test_account.name])
auditor.index = technology.name
auditor.i_am_singular = technology.name
auditor.items = auditor.read_previous_items()
auditor.audit_objects()
try:
auditor.save_issues()
except AttributeError as e:
self.fail("Auditor.save_issues() raised AttributeError unexpectedly: {}".format(e.message))
def pre_test_setup(self):
account_type_result = AccountType.query.filter(AccountType.name == 'AWS').first()
if not account_type_result:
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
self.account = Account(identifier="012345678910", name="testing",
account_type_id=account_type_result.id)
self.technology = Technology(name="iamrole")
item = Item(region="us-west-2", name="testrole",
arn=ARN_PREFIX + ":iam::012345678910:role/testrole", technology=self.technology,
account=self.account)
db.session.add(self.account)
db.session.add(self.technology)
db.session.add(item)
db.session.commit()
def test_create_revision(self):
from security_monkey.datastore_utils import create_revision
from security_monkey.datastore import Item
self.setup_db()
db_item = Item(region="universal",
name="SomeRole",
arn=ARN_PREFIX + ":iam::012345678910:role/SomeRole",
tech_id=self.technology.id,
account_id=self.account.id)
db.session.add(db_item)
db.session.commit()
revision = create_revision(ACTIVE_CONF, db_item)
assert revision
assert revision.active
assert json.dumps(revision.config) == json.dumps(ACTIVE_CONF)
assert revision.item_id == db_item.id
def test_result_from_item(self):
from security_monkey.datastore_utils import result_from_item
from security_monkey.datastore import Item
self.setup_db()
item = Item(region="universal",
name="SomeRole",
arn="arn:aws:iam::012345678910:role/SomeRole",
tech_id=self.technology.id,
account_id=self.account.id
)
# This is actually what is passed into result_from_item:
sti = SomeTestItem().from_slurp(ACTIVE_CONF, account_name=self.account.name)
assert not result_from_item(sti, self.account, self.technology)
db.session.add(item)
db.session.commit()
assert result_from_item(sti, self.account, self.technology).id == item.id
def test_save_issues(self):
item = Item(region="us-west-2",
name="testitem",
technology=self.technology,
account=self.test_account)
revision = ItemRevision(item=item, config={}, active=True)
item_audit = ItemAudit(item=item, issue="test issue")
db.session.add(item)
db.session.add(revision)
db.session.add(item_audit)
db.session.commit()
auditor = Auditor(accounts=[self.test_account.name])
auditor.index = self.technology.name
auditor.i_am_singular = self.technology.name
auditor.items = auditor.read_previous_items()
auditor.audit_objects()
try:
auditor.save_issues()
except AttributeError as e:
self.fail(
"Auditor.save_issues() raised AttributeError unexpectedly: {}".
format(e.message))
def test_ensure_item_has_latest_revision_id(self):
"""
Test that items always have a proper current revision set. Otherwise, the item needs to be deleted.
:return:
"""
from security_monkey.watchers.iam.iam_role import IAMRole
from security_monkey.watcher import ensure_item_has_latest_revision_id
from security_monkey.datastore import Datastore
# Stop the watcher registry from stepping on everyone's toes:
import security_monkey.watcher
old_watcher_registry = security_monkey.watcher.watcher_registry
security_monkey.watcher.watcher_registry = {IAMRole.index: IAMRole}
# Set everything up:
self.setup_batch_db()
watcher = IAMRole(accounts=[self.account.name])
watcher.current_account = (self.account, 0)
watcher.technology = self.technology
# Test case #1: Create an item in the DB that has no current revision ID:
no_revision_item = Item(region="us-east-1",
name="NOREVISION",
account_id=self.account.id,
tech_id=self.technology.id)
db.session.add(no_revision_item)
db.session.commit()
assert db.session.query(Item).filter(
Item.name == no_revision_item.name).one()
# Should delete the item from the DB:
result = ensure_item_has_latest_revision_id(no_revision_item)
assert not result
assert not db.session.query(Item).filter(
Item.name == no_revision_item.name).first()
# Test case #2: Create two item revisions for the given item, but don't attach them to the item.
# After the fixer runs, it should return the item with proper hashes and a proper
# link to the latest version.
ds = Datastore()
no_revision_item = Item(region="us-east-1",
name="NOREVISION",
account_id=self.account.id,
tech_id=self.technology.id)
db.session.add(no_revision_item)
db.session.commit()
ir_one = ItemRevision(config=ACTIVE_CONF,
date_created=datetime.datetime.utcnow(),
item_id=no_revision_item.id)
ir_two = ItemRevision(config=ACTIVE_CONF,
date_created=(datetime.datetime.utcnow() -
timedelta(days=1)),
item_id=no_revision_item.id)
db.session.add(ir_one)
db.session.add(ir_two)
db.session.commit()
assert len(
db.session.query(ItemRevision).filter(
ItemRevision.item_id == no_revision_item.id).all()) == 2
result = ensure_item_has_latest_revision_id(no_revision_item)
assert result
assert result.latest_revision_id == ir_one.id
assert ds.hash_config(
ACTIVE_CONF) == no_revision_item.latest_revision_complete_hash
assert ds.durable_hash(
ACTIVE_CONF, watcher.ephemeral_paths
) == no_revision_item.latest_revision_durable_hash
# Undo the mock:
security_monkey.watcher.watcher_registry = old_watcher_registry
def create_item(item, technology, account):
return Item(region=item.region or 'universal',
name=item.name,
arn=item.arn,
tech_id=technology.id,
account_id=account.id)
