def test_changed_item(self): previous = [ ChangeItem(index='test_index', account='test_account', name='item1_name', new_config={'config': 'test1'}), ChangeItem(index='test_index', account='test_account', name='item2_name', new_config={'config': 'test2'}) ] current = [ ChangeItem(index='test_index', account='test_account', name='item1_name', new_config={'config': 'test1'}), ChangeItem(index='test_index', account='test_account', name='item2_name', new_config={'config': 'test3'}) ] self._setup_account() watcher = Watcher(accounts=['test_account']) watcher.find_modified(previous, current) assert len(watcher.changed_items) == 1
def test_from_items(self): issue = ItemAudit() issue.score = 1 issue.justified = True issue.issue = 'test issue' issue.justification = 'test justification' old_item_w_issues = ChangeItem(index='testtech', region='us-west-2', account='testaccount', new_config=CONFIG_1, active=True, audit_issues=[issue]) old_item_wo_issues = ChangeItem(index='testtech', region='us-west-2', account='testaccount', new_config=CONFIG_1, active=True) new_item = ChangeItem(index='testtech', region='us-west-2', account='testaccount', new_config=CONFIG_2, active=True) merged_item_w_issues = ChangeItem.from_items( old_item=old_item_w_issues, new_item=new_item) merged_item_wo_issues = ChangeItem.from_items( old_item=old_item_wo_issues, new_item=new_item) assert len(merged_item_w_issues.audit_issues) == 1 assert len(merged_item_wo_issues.audit_issues) == 0
def test_issue_presevation(self): """ Ensure that issues are not deleted and that justifications are preserved. new issue existing issue fixed issue regressed issue Context: PR 788 """ auditor = AuditorTestObj(accounts=['test_account']) item = ChangeItem(index='test_index', account='test_account', name='item_name') self.assertEqual(len(item.audit_issues), 0) auditor.items = [item] # New Issue auditor.audit_objects() self.assertEqual(len(item.audit_issues), 1) auditor.save_issues() self.assertEqual(item.audit_issues[0].fixed, False) self.assertEqual(item.audit_issues[0].justified, False) issue = item.audit_issues[0] # Justify this new issue. from security_monkey import db for issue in ItemAudit.query.all(): issue.justified = True issue.justification = 'This is okay because...' db.session.add(issue) db.session.commit() # Existing Issue auditor.audit_objects() self.assertEqual(len(item.audit_issues), 1) auditor.save_issues() self.assertEqual(item.audit_issues[0].fixed, False) self.assertEqual(item.audit_issues[0].justified, True) # Fixed Issue item.audit_issues = [] auditor.save_issues() self.assertEqual(issue.fixed, True) self.assertEqual(issue.justified, True) # Regressed Issue auditor.audit_objects() auditor.save_issues() self.assertEqual(issue.fixed, False) self.assertEqual(issue.justified, True)
def test_issue_presevation(self): """ Ensure that issues are not deleted and that justifications are preserved. new issue existing issue fixed issue regressed issue Context: PR 788 """ auditor = AuditorTestObj(accounts=['test_account']) item = ChangeItem(index='test_index', account='test_account', name='item_name') self.assertEquals(len(item.audit_issues), 0) auditor.items = [item] # New Issue auditor.audit_objects() self.assertEquals(len(item.audit_issues), 1) auditor.save_issues() self.assertEquals(item.audit_issues[0].fixed, False) self.assertEquals(item.audit_issues[0].justified, False) issue = item.audit_issues[0] # Justify this new issue. from security_monkey import db for issue in ItemAudit.query.all(): issue.justified = True issue.justification = 'This is okay because...' db.session.add(issue) db.session.commit() # Existing Issue auditor.audit_objects() self.assertEquals(len(item.audit_issues), 1) auditor.save_issues() self.assertEquals(item.audit_issues[0].fixed, False) self.assertEquals(item.audit_issues[0].justified, True) # Fixed Issue item.audit_issues = [] auditor.save_issues() self.assertEquals(issue.fixed, True) self.assertEquals(issue.justified, True) # Regressed Issue auditor.audit_objects() auditor.save_issues() self.assertEquals(issue.fixed, False) self.assertEquals(issue.justified, True)
def test_audit_item_method_account_pattern_score_override(self): account_pattern_score = AccountPatternAuditScore( account_type=self.account_type.name, account_field='name', account_pattern=self.test_account.name, score=2) item_audit_score = ItemAuditScore( technology='test_index', method='check_test (AuditorTestObj)', score=5, disabled=False, account_pattern_scores=[account_pattern_score]) db.session.add(account_pattern_score) db.session.add(item_audit_score) db.session.commit() item = ChangeItem(index='test_index', account=self.test_account.name, name='item_name') auditor = AuditorTestObj(accounts=[self.test_account.name]) self.assertEqual(len(item.audit_issues), 0) auditor.items = [item] auditor.audit_objects() self.assertEqual(len(item.audit_issues), 1) self.assertEqual(item.audit_issues[0].issue, 'Test issue') self.assertEqual(item.audit_issues[0].score, 2)
def test_link_to_support_item_issues(self): auditor = Auditor(accounts=['test_account']) sub_item_id = 2 issue1_text = 'This is test issue1' issue2_text = 'This is test issue2' issue1_score = 10 issue2_score = 5 item = ChangeItem(index='test_index', account='test_account', name='item_name') sub_item = Item(id=sub_item_id, tech_id=1, account_id=1, name='sub_item_name') sub_item.issues.append(ItemAudit(score=issue1_score, issue=issue1_text)) sub_item.issues.append(ItemAudit(score=issue2_score, issue=issue2_text)) auditor.link_to_support_item_issues(item, sub_item, issue_message="TEST") self.assertTrue(len(item.audit_issues) == 1) new_issue = item.audit_issues[0] self.assertTrue(new_issue.score == issue1_score + issue2_score) self.assertTrue(new_issue.issue == "TEST") self.assertTrue(len(new_issue.sub_items) == 1) self.assertTrue(new_issue.sub_items[0] == sub_item)
def test_save_ephemeral_changed_item(self): self._setup_account() datastore = Datastore() old_item = ChangeItem( index='test_index', account='test_account', name='item_name', active=True, new_config={ 'config': 'test1' } ) old_item.save(datastore) query = Item.query.filter(Technology.name == 'test_index').filter(Account.name == 'test_account') items = query.all() self.assertEquals(len(items), 1) revisions = items[0].revisions.all() self.assertEquals(len(revisions), 1) new_item = ChangeItem( index='test_index', account='test_account', name='item_name', active=True, new_config={ 'config': 'test2' } ) watcher = Watcher(accounts=['test_account']) watcher.index = 'test_index' watcher.honor_ephemerals = True watcher.ephemeral_paths = ["config"] watcher.find_changes(current=[new_item]) watcher.save() query = Item.query.filter(Technology.name == 'test_index').filter(Account.name == 'test_account') items = query.all() self.assertEquals(len(items), 1) revisions = items[0].revisions.all() self.assertEquals(len(revisions), 1)
def test_from_items(self): issue = ItemAudit() issue.score = 1 issue.justified = True issue.issue = 'test issue' issue.justification = 'test justification' old_item_w_issues = ChangeItem(index='testtech', region='us-west-2', account='testaccount', new_config=CONFIG_1, active=True, audit_issues=[issue]) old_item_wo_issues = ChangeItem(index='testtech', region='us-west-2', account='testaccount', new_config=CONFIG_1, active=True) new_item = ChangeItem(index='testtech', region='us-west-2', account='testaccount', new_config=CONFIG_2, active=True) merged_item_w_issues = ChangeItem.from_items(old_item=old_item_w_issues, new_item=new_item) merged_item_wo_issues = ChangeItem.from_items(old_item=old_item_wo_issues, new_item=new_item) assert len(merged_item_w_issues.audit_issues) == 1 assert len(merged_item_wo_issues.audit_issues) == 0
def read_previous_items(self): """ Pulls the last-recorded configuration from the database. :return: List of all items for the given technology and the given account. """ prev_list = [] for account in self.accounts: prev = self.datastore.get_all_ctype_filtered(tech=self.index, account=account, include_inactive=False) # Returns a map of {Item: ItemRevision} for item in prev: item_revision = prev[item] new_item = ChangeItem(index=self.index, region=item.region, account=item.account.name, name=item.name, new_config=item_revision.config) new_item.audit_issues = [] new_item.db_item = item prev_list.append(new_item) return prev_list
def test_audit_item(self): auditor = AuditorTestObj(accounts=['test_account']) item = ChangeItem(index='test_index', account='test_account', name='item_name') self.assertEquals(len(item.audit_issues), 0) auditor.items = [item] auditor.audit_objects() self.assertEquals(len(item.audit_issues), 1) self.assertEquals(item.audit_issues[0].issue, 'Test issue') self.assertEquals(item.audit_issues[0].score, 10)
def test_save_ephemeral_changed_item(self): self._setup_account() datastore = Datastore() old_item = ChangeItem(index='test_index', account='test_account', name='item_name', active=True, new_config={'config': 'test1'}) old_item.save(datastore) query = Item.query.filter(Technology.name == 'test_index').filter( Account.name == 'test_account') items = query.all() self.assertEqual(len(items), 1) revisions = items[0].revisions.all() self.assertEqual(len(revisions), 1) new_item = ChangeItem(index='test_index', account='test_account', name='item_name', active=True, new_config={'config': 'test2'}) watcher = Watcher(accounts=['test_account']) watcher.index = 'test_index' watcher.honor_ephemerals = True watcher.ephemeral_paths = ["config"] watcher.find_changes(current=[new_item]) watcher.save() query = Item.query.filter(Technology.name == 'test_index').filter( Account.name == 'test_account') items = query.all() self.assertEqual(len(items), 1) revisions = items[0].revisions.all() self.assertEqual(len(revisions), 1)
def test_check_root_cross_account(self): rpa = ResourcePolicyAuditor(accounts=['TEST_ACCOUNT']) rpa.prep_for_audit() key0_friendly_cross_account = deepcopy(key0) key0_friendly_cross_account['Policy'][0]['Statement'][0]['Principal']['AWS'] \ = 'arn:aws:iam::222222222222:root' item = ChangeItem(account='TEST_ACCOUNT', arn='arn:aws:kms:us-east-1:012345678910:key/key_id', new_config=key0_friendly_cross_account) rpa.check_root_cross_account(item) self.assertEqual(len(item.audit_issues), 1) self.assertEqual(item.audit_issues[0].score, 6)
def test_audit_item_method_disabled(self): mixer.init_app(self.app) mixer.blend(ItemAuditScore, technology='test_index', method='check_test (AuditorTestObj)', score=0, disabled=True) auditor = AuditorTestObj(accounts=['test_account']) item = ChangeItem(index='test_index', account='test_account', name='item_name') self.assertEquals(len(item.audit_issues), 0) auditor.items = [item] auditor.audit_objects() self.assertEquals(len(item.audit_issues), 0)
def _delete_issues(settings): account = Account.query.filter(Account.id == settings.account_id).first() tech = Technology.query.filter(Technology.id == settings.tech_id).first() if account and tech: # Report issues as fixed db_items = Datastore().get_all_ctype_filtered(tech=tech.name, account=account.name, include_inactive=False) items = [] for item in db_items: new_item = ChangeItem(index=tech.name, region=item.region, account=account.name, name=item.name, arn=item.arn) new_item.audit_issues = [] new_item.db_item = item items.append(new_item) for item in items: for issue in item.db_item.issues: if issue.auditor_setting_id == settings.id: item.confirmed_fixed_issues.append(issue) db.session.delete(settings)
def test_ephemeral_change(self): previous = [ ChangeItem(index='test_index', account='test_account', name='item1_name', new_config={'normal': True}), ChangeItem(index='test_index', account='test_account', name='item2_name', new_config={ 'normal': False, 'test_ephemeral': 'previous ephemeral' }) ] current = [ ChangeItem(index='test_index', account='test_account', name='item1_name', new_config={'normal': True}), ChangeItem(index='test_index', account='test_account', name='item2_name', new_config={ 'normal': False, 'test_ephemeral': 'current ephemeral' }) ] self._setup_account() watcher = Watcher(accounts=['test_account']) watcher.honor_ephemerals = True watcher.ephemeral_paths = ['test_ephemeral'] watcher.find_modified(previous, current) assert len(watcher.changed_items) == 0
def test_audit_item_method_score_override(self): mixer.init_app(self.app) mixer.blend(ItemAuditScore, technology='test_index', method='check_test (AuditorTestObj)', score=5, disabled=False) test_account_type = mixer.blend(AccountType, name='AWS') test_account = mixer.blend(Account, name='test_account', account_type=test_account_type) item = ChangeItem(index='test_index', account=test_account.name, name='item_name') auditor = AuditorTestObj(accounts=[test_account.name]) self.assertEquals(len(item.audit_issues), 0) auditor.items = [item] auditor.audit_objects() self.assertEquals(len(item.audit_issues), 1) self.assertEquals(item.audit_issues[0].issue, 'Test issue') self.assertEquals(item.audit_issues[0].score, 5)
def test_audit_item_method_disabled(self): item_audit_score = ItemAuditScore(technology='test_index', method='check_test (AuditorTestObj)', score=0, disabled=True) db.session.add(item_audit_score) db.session.commit() auditor = AuditorTestObj(accounts=['test_account']) item = ChangeItem(index='test_index', account='test_account', name='item_name') self.assertEqual(len(item.audit_issues), 0) auditor.items = [item] auditor.audit_objects() self.assertEqual(len(item.audit_issues), 0)
def read_previous_items(self): return [ChangeItem(index=self.index)]
def find_changes(self, current=[], exception_map={}): self.created_items.append(ChangeItem(index=self.index))