def test_inactivate_old_revisions(self): from security_monkey.datastore_utils import inactivate_old_revisions, hash_item, persist_item, result_from_item from security_monkey.datastore import ItemRevision, Item self.setup_db() # Need to create 3 items first before we can test deletions: for x in range(0, 3): modConf = dict(ACTIVE_CONF) modConf["name"] = "SomeRole{}".format(x) modConf["Arn"] = "arn:aws:iam::012345678910:role/SomeRole{}".format(x) sti = SomeTestItem().from_slurp(modConf, account_name=self.account.name) # Get the hash: complete_hash, durable_hash = hash_item(sti.config, []) # persist: persist_item(sti, None, self.technology, self.account, complete_hash, durable_hash, True) db_item = result_from_item(sti, self.account, self.technology) # Add issues for these items: (just add two for testing purposes) db.session.add(ItemAudit(score=10, issue="IAM Role has full admin permissions.", notes=json.dumps(sti.config), item_id=db_item.id)) db.session.add(ItemAudit(score=9001, issue="Some test issue", notes="{}", item_id=db_item.id)) db.session.commit() # Now, actually test for deleted revisions: arns = [ "arn:aws:iam::012345678910:role/SomeRole", # <-- Does not exist in the list "arn:aws:iam::012345678910:role/SomeRole0", # <-- Does exist -- should not get deleted ] inactivate_old_revisions(SomeWatcher(), arns, self.account, self.technology) # Check that SomeRole1 and SomeRole2 are marked as inactive: for x in range(1, 3): item_revision = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)).filter( Item.arn == "arn:aws:iam::012345678910:role/SomeRole{}".format(x), ).one() assert not item_revision.active # Check that there are no issues associated with this item: assert len(ItemAudit.query.filter(ItemAudit.item_id == item_revision.item_id).all()) == 0 # Check that the SomeRole0 is still OK: item_revision = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)).filter( Item.arn == "arn:aws:iam::012345678910:role/SomeRole0".format(x), ).one() assert len(ItemAudit.query.filter(ItemAudit.item_id == item_revision.item_id).all()) == 2 assert item_revision.active
def test_persist_item(self): from security_monkey.datastore_utils import persist_item, hash_item, result_from_item self.setup_db() sti = SomeTestItem().from_slurp(ACTIVE_CONF, account_name=self.account.name) # Get the hash: complete_hash, durable_hash = hash_item(sti.config, []) # Persist a durable change: persist_item(sti, None, self.technology, self.account, complete_hash, durable_hash, True) db_item = result_from_item(sti, self.account, self.technology) assert db_item assert db_item.revisions.count() == 1 assert db_item.latest_revision_durable_hash == durable_hash == complete_hash assert db_item.latest_revision_complete_hash == complete_hash == durable_hash # No changes: persist_item(sti, db_item, self.technology, self.account, complete_hash, durable_hash, True) db_item = result_from_item(sti, self.account, self.technology) assert db_item assert db_item.revisions.count() == 1 assert db_item.latest_revision_durable_hash == complete_hash == durable_hash assert db_item.latest_revision_complete_hash == complete_hash == durable_hash # Ephemeral change: mod_conf = dict(ACTIVE_CONF) mod_conf["IGNORE_ME"] = "I am ephemeral!" new_complete_hash, new_durable_hash = hash_item( mod_conf, ["IGNORE_ME"]) sti = SomeTestItem().from_slurp(mod_conf, account_name=self.account.name) persist_item(sti, db_item, self.technology, self.account, new_complete_hash, new_durable_hash, False) db_item = result_from_item(sti, self.account, self.technology) assert db_item assert db_item.revisions.count() == 1 assert db_item.latest_revision_durable_hash == new_durable_hash == durable_hash assert db_item.latest_revision_complete_hash == new_complete_hash != complete_hash
def test_persist_item(self): from security_monkey.datastore_utils import persist_item, hash_item, result_from_item self.setup_db() sti = SomeTestItem().from_slurp(ACTIVE_CONF, account_name=self.account.name) # Get the hash: complete_hash, durable_hash = hash_item(sti.config, []) # Persist a durable change: persist_item(sti, None, self.technology, self.account, complete_hash, durable_hash, True) db_item = result_from_item(sti, self.account, self.technology) assert db_item assert db_item.revisions.count() == 1 assert db_item.latest_revision_durable_hash == durable_hash == complete_hash assert db_item.latest_revision_complete_hash == complete_hash == durable_hash # No changes: persist_item(sti, db_item, self.technology, self.account, complete_hash, durable_hash, True) db_item = result_from_item(sti, self.account, self.technology) assert db_item assert db_item.revisions.count() == 1 assert db_item.latest_revision_durable_hash == complete_hash == durable_hash assert db_item.latest_revision_complete_hash == complete_hash == durable_hash # Ephemeral change: mod_conf = dict(ACTIVE_CONF) mod_conf["IGNORE_ME"] = "I am ephemeral!" new_complete_hash, new_durable_hash = hash_item(mod_conf, ["IGNORE_ME"]) sti = SomeTestItem().from_slurp(mod_conf, account_name=self.account.name) persist_item(sti, db_item, self.technology, self.account, new_complete_hash, new_durable_hash, False) db_item = result_from_item(sti, self.account, self.technology) assert db_item assert db_item.revisions.count() == 1 assert db_item.latest_revision_durable_hash == new_durable_hash == durable_hash assert db_item.latest_revision_complete_hash == new_complete_hash != complete_hash
def test_result_from_item(self): from security_monkey.datastore_utils import result_from_item from security_monkey.datastore import Item self.setup_db() item = Item(region="universal", name="SomeRole", arn=ARN_PREFIX + ":iam::012345678910:role/SomeRole", tech_id=self.technology.id, account_id=self.account.id ) # This is actually what is passed into result_from_item: sti = SomeTestItem().from_slurp(ACTIVE_CONF, account_name=self.account.name) assert not result_from_item(sti, self.account, self.technology) db.session.add(item) db.session.commit() assert result_from_item(sti, self.account, self.technology).id == item.id
def test_result_from_item(self): from security_monkey.datastore_utils import result_from_item from security_monkey.datastore import Item self.setup_db() item = Item(region="universal", name="SomeRole", arn="arn:aws:iam::012345678910:role/SomeRole", tech_id=self.technology.id, account_id=self.account.id ) # This is actually what is passed into result_from_item: sti = SomeTestItem().from_slurp(ACTIVE_CONF, account_name=self.account.name) assert not result_from_item(sti, self.account, self.technology) db.session.add(item) db.session.commit() assert result_from_item(sti, self.account, self.technology).id == item.id