def test_changed_item(self):

        previous = [
            ChangeItem(index='test_index',
                       account='test_account',
                       name='item1_name',
                       new_config={'config': 'test1'}),
            ChangeItem(index='test_index',
                       account='test_account',
                       name='item2_name',
                       new_config={'config': 'test2'})
        ]

        current = [
            ChangeItem(index='test_index',
                       account='test_account',
                       name='item1_name',
                       new_config={'config': 'test1'}),
            ChangeItem(index='test_index',
                       account='test_account',
                       name='item2_name',
                       new_config={'config': 'test3'})
        ]

        self._setup_account()
        watcher = Watcher(accounts=['test_account'])

        watcher.find_modified(previous, current)
        assert len(watcher.changed_items) == 1
    def test_from_items(self):
        issue = ItemAudit()
        issue.score = 1
        issue.justified = True
        issue.issue = 'test issue'
        issue.justification = 'test justification'

        old_item_w_issues = ChangeItem(index='testtech',
                                       region='us-west-2',
                                       account='testaccount',
                                       new_config=CONFIG_1,
                                       active=True,
                                       audit_issues=[issue])
        old_item_wo_issues = ChangeItem(index='testtech',
                                        region='us-west-2',
                                        account='testaccount',
                                        new_config=CONFIG_1,
                                        active=True)
        new_item = ChangeItem(index='testtech',
                              region='us-west-2',
                              account='testaccount',
                              new_config=CONFIG_2,
                              active=True)

        merged_item_w_issues = ChangeItem.from_items(
            old_item=old_item_w_issues, new_item=new_item)
        merged_item_wo_issues = ChangeItem.from_items(
            old_item=old_item_wo_issues, new_item=new_item)

        assert len(merged_item_w_issues.audit_issues) == 1
        assert len(merged_item_wo_issues.audit_issues) == 0
    def test_issue_presevation(self):
        """
        Ensure that issues are not deleted and that justifications are preserved.
            new issue
            existing issue
            fixed issue
            regressed issue
        Context: PR 788
        """
        auditor = AuditorTestObj(accounts=['test_account'])
        item = ChangeItem(index='test_index',
                          account='test_account',
                          name='item_name')

        self.assertEqual(len(item.audit_issues), 0)
        auditor.items = [item]

        # New Issue
        auditor.audit_objects()
        self.assertEqual(len(item.audit_issues), 1)
        auditor.save_issues()
        self.assertEqual(item.audit_issues[0].fixed, False)
        self.assertEqual(item.audit_issues[0].justified, False)

        issue = item.audit_issues[0]

        # Justify this new issue.
        from security_monkey import db
        for issue in ItemAudit.query.all():
            issue.justified = True
            issue.justification = 'This is okay because...'
            db.session.add(issue)
        db.session.commit()

        # Existing Issue
        auditor.audit_objects()
        self.assertEqual(len(item.audit_issues), 1)
        auditor.save_issues()
        self.assertEqual(item.audit_issues[0].fixed, False)
        self.assertEqual(item.audit_issues[0].justified, True)

        # Fixed Issue
        item.audit_issues = []
        auditor.save_issues()
        self.assertEqual(issue.fixed, True)
        self.assertEqual(issue.justified, True)

        # Regressed Issue
        auditor.audit_objects()
        auditor.save_issues()
        self.assertEqual(issue.fixed, False)
        self.assertEqual(issue.justified, True)
예제 #4
0
    def test_issue_presevation(self):
        """
        Ensure that issues are not deleted and that justifications are preserved.
            new issue
            existing issue
            fixed issue
            regressed issue
        Context: PR 788
        """
        auditor = AuditorTestObj(accounts=['test_account'])
        item = ChangeItem(index='test_index',
                          account='test_account', name='item_name')

        self.assertEquals(len(item.audit_issues), 0)
        auditor.items = [item]

        # New Issue
        auditor.audit_objects()
        self.assertEquals(len(item.audit_issues), 1)
        auditor.save_issues()
        self.assertEquals(item.audit_issues[0].fixed, False)
        self.assertEquals(item.audit_issues[0].justified, False)

        issue = item.audit_issues[0]

        # Justify this new issue.
        from security_monkey import db
        for issue in ItemAudit.query.all():
            issue.justified = True
            issue.justification = 'This is okay because...'
            db.session.add(issue)
        db.session.commit()

        # Existing Issue
        auditor.audit_objects()
        self.assertEquals(len(item.audit_issues), 1)
        auditor.save_issues()
        self.assertEquals(item.audit_issues[0].fixed, False)
        self.assertEquals(item.audit_issues[0].justified, True)

        # Fixed Issue
        item.audit_issues = []
        auditor.save_issues()
        self.assertEquals(issue.fixed, True)
        self.assertEquals(issue.justified, True)

        # Regressed Issue
        auditor.audit_objects()
        auditor.save_issues()
        self.assertEquals(issue.fixed, False)
        self.assertEquals(issue.justified, True)
    def test_audit_item_method_account_pattern_score_override(self):
        account_pattern_score = AccountPatternAuditScore(
            account_type=self.account_type.name,
            account_field='name',
            account_pattern=self.test_account.name,
            score=2)

        item_audit_score = ItemAuditScore(
            technology='test_index',
            method='check_test (AuditorTestObj)',
            score=5,
            disabled=False,
            account_pattern_scores=[account_pattern_score])
        db.session.add(account_pattern_score)
        db.session.add(item_audit_score)
        db.session.commit()

        item = ChangeItem(index='test_index',
                          account=self.test_account.name,
                          name='item_name')

        auditor = AuditorTestObj(accounts=[self.test_account.name])
        self.assertEqual(len(item.audit_issues), 0)
        auditor.items = [item]
        auditor.audit_objects()
        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].issue, 'Test issue')
        self.assertEqual(item.audit_issues[0].score, 2)
    def test_link_to_support_item_issues(self):
        auditor = Auditor(accounts=['test_account'])
        sub_item_id = 2
        issue1_text = 'This is test issue1'
        issue2_text = 'This is test issue2'
        issue1_score = 10
        issue2_score = 5

        item = ChangeItem(index='test_index',
                          account='test_account',
                          name='item_name')
        sub_item = Item(id=sub_item_id,
                        tech_id=1,
                        account_id=1,
                        name='sub_item_name')
        sub_item.issues.append(ItemAudit(score=issue1_score,
                                         issue=issue1_text))
        sub_item.issues.append(ItemAudit(score=issue2_score,
                                         issue=issue2_text))

        auditor.link_to_support_item_issues(item,
                                            sub_item,
                                            issue_message="TEST")
        self.assertTrue(len(item.audit_issues) == 1)
        new_issue = item.audit_issues[0]

        self.assertTrue(new_issue.score == issue1_score + issue2_score)
        self.assertTrue(new_issue.issue == "TEST")
        self.assertTrue(len(new_issue.sub_items) == 1)
        self.assertTrue(new_issue.sub_items[0] == sub_item)
예제 #7
0
    def test_save_ephemeral_changed_item(self):
        self._setup_account()

        datastore = Datastore()

        old_item = ChangeItem(
                index='test_index',
                account='test_account',
                name='item_name',
                active=True,
                new_config={
                    'config': 'test1'
                }
            )

        old_item.save(datastore)

        query = Item.query.filter(Technology.name == 'test_index').filter(Account.name == 'test_account')
        items = query.all()
        self.assertEquals(len(items), 1)
        revisions = items[0].revisions.all()
        self.assertEquals(len(revisions), 1)

        new_item = ChangeItem(
                index='test_index',
                account='test_account',
                name='item_name',
                active=True,
                new_config={
                    'config': 'test2'
                }
            )
        watcher = Watcher(accounts=['test_account'])
        watcher.index = 'test_index'
        watcher.honor_ephemerals = True
        watcher.ephemeral_paths = ["config"]

        watcher.find_changes(current=[new_item])
        watcher.save()

        query = Item.query.filter(Technology.name == 'test_index').filter(Account.name == 'test_account')
        items = query.all()
        self.assertEquals(len(items), 1)
        revisions = items[0].revisions.all()
        self.assertEquals(len(revisions), 1)
예제 #8
0
    def test_from_items(self):
        issue = ItemAudit()
        issue.score = 1
        issue.justified = True
        issue.issue = 'test issue'
        issue.justification = 'test justification'

        old_item_w_issues = ChangeItem(index='testtech', region='us-west-2', account='testaccount',
                                      new_config=CONFIG_1, active=True, audit_issues=[issue])
        old_item_wo_issues = ChangeItem(index='testtech', region='us-west-2', account='testaccount',
                                        new_config=CONFIG_1, active=True)
        new_item = ChangeItem(index='testtech', region='us-west-2', account='testaccount', new_config=CONFIG_2,
                              active=True)

        merged_item_w_issues = ChangeItem.from_items(old_item=old_item_w_issues, new_item=new_item)
        merged_item_wo_issues = ChangeItem.from_items(old_item=old_item_wo_issues, new_item=new_item)

        assert len(merged_item_w_issues.audit_issues) == 1
        assert len(merged_item_wo_issues.audit_issues) == 0
예제 #9
0
 def read_previous_items(self):
     """
     Pulls the last-recorded configuration from the database.
     :return: List of all items for the given technology and the given account.
     """
     prev_list = []
     for account in self.accounts:
         prev = self.datastore.get_all_ctype_filtered(tech=self.index, account=account, include_inactive=False)
         # Returns a map of {Item: ItemRevision}
         for item in prev:
             item_revision = prev[item]
             new_item = ChangeItem(index=self.index,
                                   region=item.region,
                                   account=item.account.name,
                                   name=item.name,
                                   new_config=item_revision.config)
             new_item.audit_issues = []
             new_item.db_item = item
             prev_list.append(new_item)
     return prev_list
예제 #10
0
 def read_previous_items(self):
     """
     Pulls the last-recorded configuration from the database.
     :return: List of all items for the given technology and the given account.
     """
     prev_list = []
     for account in self.accounts:
         prev = self.datastore.get_all_ctype_filtered(tech=self.index, account=account, include_inactive=False)
         # Returns a map of {Item: ItemRevision}
         for item in prev:
             item_revision = prev[item]
             new_item = ChangeItem(index=self.index,
                                   region=item.region,
                                   account=item.account.name,
                                   name=item.name,
                                   new_config=item_revision.config)
             new_item.audit_issues = []
             new_item.db_item = item
             prev_list.append(new_item)
     return prev_list
예제 #11
0
    def test_audit_item(self):
        auditor = AuditorTestObj(accounts=['test_account'])
        item = ChangeItem(index='test_index',
                          account='test_account', name='item_name')

        self.assertEquals(len(item.audit_issues), 0)
        auditor.items = [item]
        auditor.audit_objects()
        self.assertEquals(len(item.audit_issues), 1)
        self.assertEquals(item.audit_issues[0].issue, 'Test issue')
        self.assertEquals(item.audit_issues[0].score, 10)
    def test_save_ephemeral_changed_item(self):
        self._setup_account()

        datastore = Datastore()

        old_item = ChangeItem(index='test_index',
                              account='test_account',
                              name='item_name',
                              active=True,
                              new_config={'config': 'test1'})

        old_item.save(datastore)

        query = Item.query.filter(Technology.name == 'test_index').filter(
            Account.name == 'test_account')
        items = query.all()
        self.assertEqual(len(items), 1)
        revisions = items[0].revisions.all()
        self.assertEqual(len(revisions), 1)

        new_item = ChangeItem(index='test_index',
                              account='test_account',
                              name='item_name',
                              active=True,
                              new_config={'config': 'test2'})
        watcher = Watcher(accounts=['test_account'])
        watcher.index = 'test_index'
        watcher.honor_ephemerals = True
        watcher.ephemeral_paths = ["config"]

        watcher.find_changes(current=[new_item])
        watcher.save()

        query = Item.query.filter(Technology.name == 'test_index').filter(
            Account.name == 'test_account')
        items = query.all()
        self.assertEqual(len(items), 1)
        revisions = items[0].revisions.all()
        self.assertEqual(len(revisions), 1)
    def test_check_root_cross_account(self):
        rpa = ResourcePolicyAuditor(accounts=['TEST_ACCOUNT'])
        rpa.prep_for_audit()

        key0_friendly_cross_account = deepcopy(key0)
        key0_friendly_cross_account['Policy'][0]['Statement'][0]['Principal']['AWS'] \
            = 'arn:aws:iam::222222222222:root'
        item = ChangeItem(account='TEST_ACCOUNT',
                          arn='arn:aws:kms:us-east-1:012345678910:key/key_id',
                          new_config=key0_friendly_cross_account)
        rpa.check_root_cross_account(item)
        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].score, 6)
예제 #14
0
    def test_audit_item_method_disabled(self):
        mixer.init_app(self.app)
        mixer.blend(ItemAuditScore, technology='test_index', method='check_test (AuditorTestObj)',
                    score=0, disabled=True)

        auditor = AuditorTestObj(accounts=['test_account'])
        item = ChangeItem(index='test_index',
                          account='test_account', name='item_name')

        self.assertEquals(len(item.audit_issues), 0)
        auditor.items = [item]
        auditor.audit_objects()
        self.assertEquals(len(item.audit_issues), 0)
def _delete_issues(settings):
    account = Account.query.filter(Account.id == settings.account_id).first()
    tech = Technology.query.filter(Technology.id == settings.tech_id).first()
    if account and tech:
        # Report issues as fixed
        db_items = Datastore().get_all_ctype_filtered(tech=tech.name, account=account.name, include_inactive=False)
        items = []
        for item in db_items:
            new_item = ChangeItem(index=tech.name,
                                  region=item.region,
                                  account=account.name,
                                  name=item.name,
                                  arn=item.arn)
            new_item.audit_issues = []
            new_item.db_item = item
            items.append(new_item)

        for item in items:
            for issue in item.db_item.issues:
                if issue.auditor_setting_id == settings.id:
                    item.confirmed_fixed_issues.append(issue)

    db.session.delete(settings)
    def test_ephemeral_change(self):

        previous = [
            ChangeItem(index='test_index',
                       account='test_account',
                       name='item1_name',
                       new_config={'normal': True}),
            ChangeItem(index='test_index',
                       account='test_account',
                       name='item2_name',
                       new_config={
                           'normal': False,
                           'test_ephemeral': 'previous ephemeral'
                       })
        ]

        current = [
            ChangeItem(index='test_index',
                       account='test_account',
                       name='item1_name',
                       new_config={'normal': True}),
            ChangeItem(index='test_index',
                       account='test_account',
                       name='item2_name',
                       new_config={
                           'normal': False,
                           'test_ephemeral': 'current ephemeral'
                       })
        ]

        self._setup_account()
        watcher = Watcher(accounts=['test_account'])
        watcher.honor_ephemerals = True
        watcher.ephemeral_paths = ['test_ephemeral']

        watcher.find_modified(previous, current)
        assert len(watcher.changed_items) == 0
예제 #17
0
    def test_audit_item_method_score_override(self):
        mixer.init_app(self.app)
        mixer.blend(ItemAuditScore, technology='test_index', method='check_test (AuditorTestObj)',
                    score=5, disabled=False)
        test_account_type = mixer.blend(AccountType, name='AWS')
        test_account = mixer.blend(Account, name='test_account', account_type=test_account_type)

        item = ChangeItem(index='test_index',
                          account=test_account.name, name='item_name')

        auditor = AuditorTestObj(accounts=[test_account.name])
        self.assertEquals(len(item.audit_issues), 0)
        auditor.items = [item]
        auditor.audit_objects()
        self.assertEquals(len(item.audit_issues), 1)
        self.assertEquals(item.audit_issues[0].issue, 'Test issue')
        self.assertEquals(item.audit_issues[0].score, 5)
    def test_audit_item_method_disabled(self):
        item_audit_score = ItemAuditScore(technology='test_index',
                                          method='check_test (AuditorTestObj)',
                                          score=0,
                                          disabled=True)
        db.session.add(item_audit_score)
        db.session.commit()

        auditor = AuditorTestObj(accounts=['test_account'])
        item = ChangeItem(index='test_index',
                          account='test_account',
                          name='item_name')

        self.assertEqual(len(item.audit_issues), 0)
        auditor.items = [item]
        auditor.audit_objects()
        self.assertEqual(len(item.audit_issues), 0)
예제 #19
0
 def read_previous_items(self):
     return [ChangeItem(index=self.index)]
예제 #20
0
 def find_changes(self, current=[], exception_map={}):
     self.created_items.append(ChangeItem(index=self.index))