def test_slurp_items(self): mock_sts().start() watcher = IAMRole(accounts=[self.account.name]) # Or else this will take forever: watcher.batched_size = 10 watcher.slurp_list() items, exceptions = watcher.slurp() assert len(exceptions) == 0 assert self.total_roles > len(items) == watcher.batched_size assert watcher.batch_counter == 1 # Slurp again: items, exceptions = watcher.slurp() assert len(exceptions) == 0 assert self.total_roles > len(items) == watcher.batched_size assert watcher.batch_counter == 2
def test_slurp_items_with_exceptions(self): mock_sts().start() watcher = IAMRole(accounts=[self.account.name]) # Or else this will take forever: watcher.batched_size = 10 watcher.slurp_list() def raise_exception(): raise Exception("LOL, HAY!") watcher.get_method = lambda *args, **kwargs: raise_exception() items, exceptions = watcher.slurp() assert len(exceptions) == self.total_roles assert len(items) == 0 mock_sts().stop()
def test_slurp_items_with_exceptions(self): mock_sts().start() watcher = IAMRole(accounts=[self.account.name]) # Or else this will take forever: watcher.batched_size = 10 watcher.slurp_list() def raise_exception(): raise Exception("LOL, HAY!") import security_monkey.watchers.iam.iam_role security_monkey.watchers.iam.iam_role.get_role = lambda **kwargs: raise_exception() items, exceptions = watcher.slurp() assert len(exceptions) == self.total_roles assert len(items) == 0 mock_sts().stop()
def test_slurp_items_with_exceptions(self): mock_sts().start() watcher = IAMRole(accounts=[self.account.name]) # Or else this will take forever: watcher.batched_size = 10 watcher.slurp_list() def raise_exception(): raise Exception("LOL, HAY!") watcher.get_method = lambda *args, **kwargs: raise_exception() items, exceptions = watcher.slurp() assert len(exceptions) == watcher.batched_size assert len(items) == 0 assert watcher.batch_counter == 1 mock_sts().stop()
def test_slurp_items(self): mock_sts().start() watcher = IAMRole(accounts=[self.account.name]) # Or else this will take forever: watcher.batched_size = 10 watcher.slurp_list() items, exceptions = watcher.slurp() assert len(exceptions) == 0 assert self.total_roles > len(items) == watcher.batched_size assert watcher.batch_counter == 1 # Slurp again: items, exceptions = watcher.slurp() assert len(exceptions) == 0 assert self.total_roles > len(items) == watcher.batched_size assert watcher.batch_counter == 2 mock_sts().stop()
def test_slurp_items_with_skipped(self): mock_sts().start() watcher = IAMRole(accounts=[self.account.name]) watcher.batched_size = 5 watcher.slurp_list() watcher.ignore_list = [ IgnoreListEntry(prefix="roleNumber0"), IgnoreListEntry(prefix="roleNumber1"), IgnoreListEntry(prefix="roleNumber6") ] first_batch, exceptions = watcher.slurp() item_sum = len(first_batch) assert len(exceptions) == 0 assert watcher.batch_counter == 1 batch_lookup = {} # Ensure we aren't processing duplicates for r in first_batch: assert r.name not in watcher.ignore_list # Ensure we properly ignore the things batch_lookup[r.name] = True # Slurp again: second_batch, exceptions = watcher.slurp() item_sum += len(second_batch) assert len(exceptions) == 0 assert watcher.batch_counter == 2 for r in second_batch: assert r.name not in watcher.ignore_list assert not batch_lookup.get(r.name) batch_lookup[r.name] = True # Sum of items should be total items - length of the ignored items: assert self.total_roles - len( watcher.ignore_list) == item_sum == len(batch_lookup) mock_sts().stop()
def test_slurp_items_with_skipped(self): mock_sts().start() watcher = IAMRole(accounts=[self.account.name]) watcher.batched_size = 5 watcher.slurp_list() watcher.ignore_list = [ IgnoreListEntry(prefix="roleNumber0"), IgnoreListEntry(prefix="roleNumber1"), IgnoreListEntry(prefix="roleNumber6") ] first_batch, exceptions = watcher.slurp() item_sum = len(first_batch) assert len(exceptions) == 0 assert watcher.batch_counter == 1 batch_lookup = {} # Ensure we aren't processing duplicates for r in first_batch: assert r.name not in watcher.ignore_list # Ensure we properly ignore the things batch_lookup[r.name] = True # Slurp again: second_batch, exceptions = watcher.slurp() item_sum += len(second_batch) assert len(exceptions) == 0 assert watcher.batch_counter == 2 for r in second_batch: assert r.name not in watcher.ignore_list assert not batch_lookup.get(r.name) batch_lookup[r.name] = True # Sum of items should be total items - length of the ignored items: assert self.total_roles - len(watcher.ignore_list) == item_sum == len(batch_lookup) mock_sts().stop()
def test_find_batch_changes(self, mock_fix_orphaned): """ Runs through a full find job via the IAMRole watcher, as that supports batching. However, this is mostly testing the logic through each function call -- this is not going to do any boto work and that will instead be mocked out. :return: """ from security_monkey.task_scheduler.tasks import manual_run_change_finder from security_monkey.monitors import Monitor from security_monkey.watchers.iam.iam_role import IAMRole from security_monkey.auditors.iam.iam_role import IAMRoleAuditor test_account = Account(name="TEST_ACCOUNT1") watcher = IAMRole(accounts=[test_account.name]) technology = Technology(name="iamrole") db.session.add(technology) db.session.commit() watcher.batched_size = 3 # should loop 4 times self.add_roles() # Set up the monitor: batched_monitor = Monitor(IAMRole, test_account) batched_monitor.watcher = watcher batched_monitor.auditors = [ IAMRoleAuditor(accounts=[test_account.name]) ] import security_monkey.task_scheduler.tasks old_get_monitors = security_monkey.task_scheduler.tasks.get_monitors security_monkey.task_scheduler.tasks.get_monitors = lambda x, y, z: [ batched_monitor ] # Moto screws up the IAM Role ARN -- so we need to fix it: original_slurp_list = watcher.slurp_list original_slurp = watcher.slurp def mock_slurp_list(): items, exception_map = original_slurp_list() for item in watcher.total_list: item["Arn"] = ARN_PREFIX + ":iam::012345678910:role/{}".format( item["RoleName"]) return items, exception_map def mock_slurp(): batched_items, exception_map = original_slurp() for item in batched_items: item.arn = ARN_PREFIX + ":iam::012345678910:role/{}".format( item.name) item.config["Arn"] = item.arn item.config["RoleId"] = item.name # Need this to stay the same return batched_items, exception_map watcher.slurp_list = mock_slurp_list watcher.slurp = mock_slurp manual_run_change_finder([test_account.name], [watcher.index]) assert mock_fix_orphaned.called # Check that all items were added to the DB: assert len(Item.query.all()) == 11 # Check that we have exactly 11 item revisions: assert len(ItemRevision.query.all()) == 11 # Check that there are audit issues for all 11 items: assert len(ItemAudit.query.all()) == 11 # Delete one of the items: # Moto lacks implementation for "delete_role" (and I'm too lazy to submit a PR :D) -- so need to create again... mock_iam().stop() mock_sts().stop() self.add_roles(initial=False) # Run the it again: watcher.current_account = None # Need to reset the watcher manual_run_change_finder([test_account.name], [watcher.index]) # Check that nothing new was added: assert len(Item.query.all()) == 11 # There should be the same number of issues and 2 more revisions: assert len(ItemAudit.query.all()) == 11 assert len(ItemRevision.query.all()) == 13 # Check that the deleted roles show as being inactive: ir = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)) \ .filter(Item.arn.in_( [ARN_PREFIX + ":iam::012345678910:role/roleNumber9", ARN_PREFIX + ":iam::012345678910:role/roleNumber10"])).all() assert len(ir) == 2 assert not ir[0].active assert not ir[1].active # Finally -- test with a slurp list exception (just checking that things don't blow up): import security_monkey.watchers.iam.iam_role old_list_roles = security_monkey.watchers.iam.iam_role.list_roles def mock_slurp_list_with_exception(): security_monkey.watchers.iam.iam_role.list_roles = lambda **kwargs: 1 / 0 items, exception_map = original_slurp_list() assert len(exception_map) > 0 return items, exception_map watcher.slurp_list = mock_slurp_list_with_exception watcher.current_account = None # Need to reset the watcher manual_run_change_finder([test_account.name], [watcher.index]) security_monkey.task_scheduler.tasks.get_monitors = old_get_monitors security_monkey.watchers.iam.iam_role.list_roles = old_list_roles mock_iam().stop() mock_sts().stop()
def test_report_batch_changes(self, mock_fix_orphaned): from security_monkey.task_scheduler.tasks import manual_run_change_reporter from security_monkey.datastore import Item, ItemRevision, ItemAudit from security_monkey.monitors import Monitor from security_monkey.watchers.iam.iam_role import IAMRole from security_monkey.auditors.iam.iam_role import IAMRoleAuditor test_account = Account.query.filter( Account.name == "TEST_ACCOUNT1").one() watcher = IAMRole(accounts=[test_account.name]) watcher.batched_size = 3 # should loop 4 times self.add_roles() # Set up the monitor: batched_monitor = Monitor(IAMRole, test_account) batched_monitor.watcher = watcher batched_monitor.auditors = [ IAMRoleAuditor(accounts=[test_account.name]) ] # Set up the Reporter: import security_monkey.reporter old_all_monitors = security_monkey.reporter.all_monitors security_monkey.reporter.all_monitors = lambda x, y: [batched_monitor] import security_monkey.task_scheduler.tasks old_get_monitors = security_monkey.task_scheduler.tasks.get_monitors security_monkey.task_scheduler.tasks.get_monitors = lambda x, y, z: [ batched_monitor ] # Moto screws up the IAM Role ARN -- so we need to fix it: original_slurp_list = watcher.slurp_list original_slurp = watcher.slurp def mock_slurp_list(): items, exception_map = original_slurp_list() for item in watcher.total_list: item["Arn"] = ARN_PREFIX + ":iam::012345678910:role/{}".format( item["RoleName"]) return items, exception_map def mock_slurp(): batched_items, exception_map = original_slurp() for item in batched_items: item.arn = ARN_PREFIX + ":iam::012345678910:role/{}".format( item.name) item.config["Arn"] = item.arn item.config["RoleId"] = item.name # Need this to stay the same return batched_items, exception_map watcher.slurp_list = mock_slurp_list watcher.slurp = mock_slurp manual_run_change_reporter([test_account.name]) assert mock_fix_orphaned.called # Check that all items were added to the DB: assert len(Item.query.all()) == 11 # Check that we have exactly 11 item revisions: assert len(ItemRevision.query.all()) == 11 # Check that there are audit issues for all 11 items: assert len(ItemAudit.query.all()) == 11 mock_iam().stop() mock_sts().stop() security_monkey.reporter.all_monitors = old_all_monitors security_monkey.task_scheduler.tasks.get_monitors = old_get_monitors
def test_report_batch_changes(self): from security_monkey.alerter import Alerter from security_monkey.reporter import Reporter from security_monkey.datastore import Item, ItemRevision, ItemAudit from security_monkey.monitors import Monitor from security_monkey.watchers.iam.iam_role import IAMRole from security_monkey.auditors.iam.iam_role import IAMRoleAuditor account_type_result = AccountType.query.filter( AccountType.name == "AWS").one() db.session.add(account_type_result) db.session.commit() test_account = Account(identifier="012345678910", name="TEST_ACCOUNT", account_type_id=account_type_result.id, notes="TEST_ACCOUNT1", third_party=False, active=True) watcher = IAMRole(accounts=[test_account.name]) db.session.commit() watcher.batched_size = 3 # should loop 4 times self.add_roles() # Set up the monitor: batched_monitor = Monitor(IAMRole, test_account) batched_monitor.watcher = watcher batched_monitor.auditors = [ IAMRoleAuditor(accounts=[test_account.name]) ] # Set up the Reporter: import security_monkey.reporter old_all_monitors = security_monkey.reporter.all_monitors security_monkey.reporter.all_monitors = lambda x, y: [] test_reporter = Reporter() test_reporter.all_monitors = [batched_monitor] test_reporter.account_alerter = Alerter( watchers_auditors=test_reporter.all_monitors, account=test_account.name) import security_monkey.scheduler # import security_monkey.monitors # old_get_monitors = security_monkey.scheduler.get_monitors security_monkey.scheduler.get_monitors = lambda x, y, z: [ batched_monitor ] # Moto screws up the IAM Role ARN -- so we need to fix it: original_slurp_list = watcher.slurp_list original_slurp = watcher.slurp def mock_slurp_list(): items, exception_map = original_slurp_list() for item in watcher.total_list: item["Arn"] = "arn:aws:iam::012345678910:role/{}".format( item["RoleName"]) return items, exception_map def mock_slurp(): batched_items, exception_map = original_slurp() for item in batched_items: item.arn = "arn:aws:iam::012345678910:role/{}".format( item.name) item.config["Arn"] = item.arn item.config["RoleId"] = item.name # Need this to stay the same return batched_items, exception_map watcher.slurp_list = mock_slurp_list watcher.slurp = mock_slurp test_reporter.run(account=test_account.name) # Check that all items were added to the DB: assert len(Item.query.all()) == 11 # Check that we have exactly 11 item revisions: assert len(ItemRevision.query.all()) == 11 # Check that there are audit issues for all 11 items: assert len(ItemAudit.query.all()) == 11 mock_iam().stop() mock_sts().stop() # Something isn't cleaning itself up properly and causing other core tests to fail. # This is the solution: security_monkey.reporter.all_monitors = old_all_monitors import monitor_mock security_monkey.scheduler.get_monitors = monitor_mock.mock_get_monitors
def test_report_batch_changes(self): from security_monkey.alerter import Alerter from security_monkey.reporter import Reporter from security_monkey.datastore import Item, ItemRevision, ItemAudit from security_monkey.monitors import Monitor from security_monkey.watchers.iam.iam_role import IAMRole from security_monkey.auditors.iam.iam_role import IAMRoleAuditor account_type_result = AccountType.query.filter(AccountType.name == "AWS").one() db.session.add(account_type_result) db.session.commit() test_account = Account(name="TEST_ACCOUNT") watcher = IAMRole(accounts=[test_account.name]) db.session.commit() watcher.batched_size = 3 # should loop 4 times self.add_roles() # Set up the monitor: batched_monitor = Monitor(IAMRole, test_account) batched_monitor.watcher = watcher batched_monitor.auditors = [IAMRoleAuditor(accounts=[test_account.name])] # Set up the Reporter: import security_monkey.reporter old_all_monitors = security_monkey.reporter.all_monitors security_monkey.reporter.all_monitors = lambda x, y: [] test_reporter = Reporter() test_reporter.all_monitors = [batched_monitor] test_reporter.account_alerter = Alerter(watchers_auditors=test_reporter.all_monitors, account=test_account.name) import security_monkey.scheduler # import security_monkey.monitors # old_get_monitors = security_monkey.scheduler.get_monitors security_monkey.scheduler.get_monitors = lambda x, y, z: [batched_monitor] # Moto screws up the IAM Role ARN -- so we need to fix it: original_slurp_list = watcher.slurp_list original_slurp = watcher.slurp def mock_slurp_list(): exception_map = original_slurp_list() for item in watcher.total_list: item["Arn"] = "arn:aws:iam::012345678910:role/{}".format(item["RoleName"]) return exception_map def mock_slurp(): batched_items, exception_map = original_slurp() for item in batched_items: item.arn = "arn:aws:iam::012345678910:role/{}".format(item.name) item.config["Arn"] = item.arn item.config["RoleId"] = item.name # Need this to stay the same return batched_items, exception_map watcher.slurp_list = mock_slurp_list watcher.slurp = mock_slurp test_reporter.run(account=test_account.name) # Check that all items were added to the DB: assert len(Item.query.all()) == 11 # Check that we have exactly 11 item revisions: assert len(ItemRevision.query.all()) == 11 # Check that there are audit issues for all 11 items: assert len(ItemAudit.query.all()) == 11 mock_iam().stop() mock_sts().stop() # Something isn't cleaning itself up properly and causing other core tests to fail. # This is the solution: security_monkey.reporter.all_monitors = old_all_monitors import monitor_mock security_monkey.scheduler.get_monitors = monitor_mock.mock_get_monitors
def test_find_batch_changes(self, mock_fix_orphaned): """ Runs through a full find job via the IAMRole watcher, as that supports batching. However, this is mostly testing the logic through each function call -- this is not going to do any boto work and that will instead be mocked out. :return: """ from security_monkey.task_scheduler.tasks import manual_run_change_finder from security_monkey.monitors import Monitor from security_monkey.watchers.iam.iam_role import IAMRole from security_monkey.auditors.iam.iam_role import IAMRoleAuditor test_account = Account(name="TEST_ACCOUNT1") watcher = IAMRole(accounts=[test_account.name]) technology = Technology(name="iamrole") db.session.add(technology) db.session.commit() watcher.batched_size = 3 # should loop 4 times ## CREATE MOCK IAM ROLES ## client = boto3.client("iam") aspd = { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "Service": "ec2.amazonaws.com" } }] } for x in range(0, 11): # Create the IAM Role via Moto: aspd["Statement"][0][ "Resource"] = ARN_PREFIX + ":iam:012345678910:role/roleNumber{}".format( x) client.create_role(Path="/", RoleName="roleNumber{}".format(x), AssumeRolePolicyDocument=json.dumps(aspd, indent=4)) client.put_role_policy(RoleName="roleNumber{}".format(x), PolicyName="testpolicy", PolicyDocument=json.dumps(OPEN_POLICY, indent=4)) # Set up the monitor: batched_monitor = Monitor(IAMRole, test_account) batched_monitor.watcher = watcher batched_monitor.auditors = [ IAMRoleAuditor(accounts=[test_account.name]) ] import security_monkey.task_scheduler.tasks old_get_monitors = security_monkey.task_scheduler.tasks.get_monitors security_monkey.task_scheduler.tasks.get_monitors = lambda x, y, z: [ batched_monitor ] # Moto screws up the IAM Role ARN -- so we need to fix it: original_slurp_list = watcher.slurp_list original_slurp = watcher.slurp def mock_slurp_list(): items, exception_map = original_slurp_list() for item in watcher.total_list: item["Arn"] = ARN_PREFIX + ":iam::012345678910:role/{}".format( item["RoleName"]) return items, exception_map def mock_slurp(): batched_items, exception_map = original_slurp() for item in batched_items: item.arn = ARN_PREFIX + ":iam::012345678910:role/{}".format( item.name) item.config["Arn"] = item.arn item.config["RoleId"] = item.name # Need this to stay the same return batched_items, exception_map watcher.slurp_list = mock_slurp_list watcher.slurp = mock_slurp manual_run_change_finder([test_account.name], [watcher.index]) assert mock_fix_orphaned.called # Check that all items were added to the DB: assert len(Item.query.all()) == 11 # Check that we have exactly 11 item revisions: assert len(ItemRevision.query.all()) == 11 # Check that there are audit issues for all 11 items: assert len(ItemAudit.query.all()) == 11 # Delete two of the items: managedPolicy = client.list_attached_role_policies( RoleName="roleNumber9") for each in managedPolicy['AttachedPolicies']: print("Detaching ", each) client.detach_role_policy(RoleName="roleNumber9", PolicyArn=each['PolicyArn']) inlinePolicy = client.list_role_policies(RoleName="roleNumber9") for each in inlinePolicy['PolicyNames']: print("Deleting ", each) client.delete_role_policy(RoleName="roleNumber9", PolicyName=each) instanceProfiles = client.list_instance_profiles_for_role( RoleName="roleNumber9") for each in instanceProfiles['InstanceProfiles']: print("Removing role from instance profile ", each) client.remove_role_from_instance_profile( RoleName="roleNumber9", InstanceProfileName=each['InstanceProfileName']) client.delete_role(RoleName="roleNumber9") managedPolicy = client.list_attached_role_policies( RoleName="roleNumber10") for each in managedPolicy['AttachedPolicies']: print("Detaching ", each) client.detach_role_policy(RoleName="roleNumber10", PolicyArn=each['PolicyArn']) inlinePolicy = client.list_role_policies(RoleName="roleNumber10") for each in inlinePolicy['PolicyNames']: print("Deleting ", each) client.delete_role_policy(RoleName="roleNumber10", PolicyName=each) instanceProfiles = client.list_instance_profiles_for_role( RoleName="roleNumber10") for each in instanceProfiles['InstanceProfiles']: print("Removing role from instance profile ", each) client.remove_role_from_instance_profile( RoleName="roleNumber10", InstanceProfileName=each['InstanceProfileName']) client.delete_role(RoleName="roleNumber10") # Run the it again: watcher.current_account = None # Need to reset the watcher manual_run_change_finder([test_account.name], [watcher.index]) # Check that nothing new was added: assert len(Item.query.all()) == 11 # There should be the same number of issues and 2 more revisions: assert len(ItemAudit.query.all()) == 11 assert len(ItemRevision.query.all()) == 13 # Check that the deleted roles show as being inactive: ir = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)) \ .filter(Item.arn.in_( [ARN_PREFIX + ":iam::012345678910:role/roleNumber9", ARN_PREFIX + ":iam::012345678910:role/roleNumber10"])).all() assert len(ir) == 2 assert not ir[0].active assert not ir[1].active # Finally -- test with a slurp list exception (just checking that things don't blow up): import security_monkey.watchers.iam.iam_role old_list_roles = security_monkey.watchers.iam.iam_role.list_roles def mock_slurp_list_with_exception(): security_monkey.watchers.iam.iam_role.list_roles = lambda **kwargs: 1 / 0 items, exception_map = original_slurp_list() assert len(exception_map) > 0 return items, exception_map watcher.slurp_list = mock_slurp_list_with_exception watcher.current_account = None # Need to reset the watcher manual_run_change_finder([test_account.name], [watcher.index]) security_monkey.task_scheduler.tasks.get_monitors = old_get_monitors security_monkey.watchers.iam.iam_role.list_roles = old_list_roles
def test_find_batch_changes(self): """ Runs through a full find job via the IAMRole watcher, as that supports batching. However, this is mostly testing the logic through each function call -- this is not going to do any boto work and that will instead be mocked out. :return: """ from security_monkey.scheduler import find_changes from security_monkey.monitors import Monitor from security_monkey.watchers.iam.iam_role import IAMRole from security_monkey.auditors.iam.iam_role import IAMRoleAuditor test_account = Account(name="TEST_ACCOUNT1") watcher = IAMRole(accounts=[test_account.name]) technology = Technology(name="iamrole") db.session.add(technology) db.session.commit() watcher.batched_size = 3 # should loop 4 times self.add_roles() # Set up the monitor: batched_monitor = Monitor(IAMRole, test_account) batched_monitor.watcher = watcher batched_monitor.auditors = [IAMRoleAuditor(accounts=[test_account.name])] import security_monkey.scheduler security_monkey.scheduler.get_monitors = lambda x, y, z: [batched_monitor] # Moto screws up the IAM Role ARN -- so we need to fix it: original_slurp_list = watcher.slurp_list original_slurp = watcher.slurp def mock_slurp_list(): exception_map = original_slurp_list() for item in watcher.total_list: item["Arn"] = "arn:aws:iam::012345678910:role/{}".format(item["RoleName"]) return exception_map def mock_slurp(): batched_items, exception_map = original_slurp() for item in batched_items: item.arn = "arn:aws:iam::012345678910:role/{}".format(item.name) item.config["Arn"] = item.arn item.config["RoleId"] = item.name # Need this to stay the same return batched_items, exception_map watcher.slurp_list = mock_slurp_list watcher.slurp = mock_slurp find_changes([test_account.name], test_account.name) # Check that all items were added to the DB: assert len(Item.query.all()) == 11 # Check that we have exactly 11 item revisions: assert len(ItemRevision.query.all()) == 11 # Check that there are audit issues for all 11 items: assert len(ItemAudit.query.all()) == 11 # Delete one of the items: # Moto lacks implementation for "delete_role" (and I'm too lazy to submit a PR :D) -- so need to create again... mock_iam().stop() mock_sts().stop() self.add_roles(initial=False) # Run the it again: watcher.current_account = None # Need to reset the watcher find_changes([test_account.name], test_account.name) # Check that nothing new was added: assert len(Item.query.all()) == 11 # There should be 2 less issues and 2 more revisions: assert len(ItemAudit.query.all()) == 9 assert len(ItemRevision.query.all()) == 13 # Check that the deleted roles show as being inactive: ir = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)) \ .filter(Item.arn.in_( ["arn:aws:iam::012345678910:role/roleNumber9", "arn:aws:iam::012345678910:role/roleNumber10"])).all() assert len(ir) == 2 assert not ir[0].active assert not ir[1].active # Finally -- test with a slurp list exception (just checking that things don't blow up): def mock_slurp_list_with_exception(): import security_monkey.watchers.iam.iam_role security_monkey.watchers.iam.iam_role.list_roles = lambda **kwargs: 1 / 0 exception_map = original_slurp_list() assert len(exception_map) > 0 return exception_map watcher.slurp_list = mock_slurp_list_with_exception watcher.current_account = None # Need to reset the watcher find_changes([test_account.name], test_account.name) mock_iam().stop() mock_sts().stop()