def test_find_changes_batch(self): """ This will test the entry point via the find_changes() method vs. the find_changes_batch() method. This will also use the IAMRole watcher, since that already has batching support. :return: """ from security_monkey.watchers.iam.iam_role import IAMRole self.setup_batch_db() watcher = IAMRole(accounts=[self.account.name]) watcher.current_account = (self.account, 0) watcher.technology = self.technology items = [] for x in range(0, 5): mod_conf = dict(ACTIVE_CONF) mod_conf["name"] = "SomeRole{}".format(x) mod_conf[ "Arn"] = "arn:aws:iam::012345678910:role/SomeRole{}".format(x) items.append(SomeTestItem().from_slurp( mod_conf, account_name=self.account.name)) assert len(watcher.find_changes(items)) == 5 # Try again -- audit_items should be 0 since nothing was changed: assert len(watcher.find_changes(items)) == 0
def test_find_changes_batch(self): """ This will test the entry point via the find_changes() method vs. the find_changes_batch() method. This will also use the IAMRole watcher, since that already has batching support. :return: """ from security_monkey.watchers.iam.iam_role import IAMRole self.setup_batch_db() watcher = IAMRole(accounts=[self.account.name]) watcher.current_account = (self.account, 0) watcher.technology = self.technology items = [] for x in range(0, 5): mod_conf = dict(ACTIVE_CONF) mod_conf["name"] = "SomeRole{}".format(x) mod_conf["Arn"] = "arn:aws:iam::012345678910:role/SomeRole{}".format(x) items.append(SomeTestItem().from_slurp(mod_conf, account_name=self.account.name)) assert len(watcher.find_changes(items)) == 5 # Try again -- audit_items should be 0 since nothing was changed: assert len(watcher.find_changes(items)) == 0
def test_find_deleted_batch(self): """ This will use the IAMRole watcher, since that already has batching support. :return: """ from security_monkey.watchers.iam.iam_role import IAMRole self.setup_batch_db() # Set everything up: watcher = IAMRole(accounts=[self.account.name]) watcher.current_account = (self.account, 0) watcher.technology = self.technology items = [] for x in range(0, 5): mod_conf = dict(ACTIVE_CONF) mod_conf["name"] = "SomeRole{}".format(x) mod_conf[ "Arn"] = ARN_PREFIX + ":iam::012345678910:role/SomeRole{}".format( x) items.append(SomeTestItem().from_slurp( mod_conf, account_name=self.account.name)) mod_aspd = dict(ASPD) mod_aspd[ "Arn"] = ARN_PREFIX + ":iam::012345678910:role/SomeRole{}".format( x) mod_aspd["RoleName"] = "SomeRole{}".format(x) watcher.total_list.append(mod_aspd) watcher.find_changes(items) # Check for deleted items: watcher.find_deleted_batch({}) assert len(watcher.deleted_items) == 0 # Check that nothing was deleted: for x in range(0, 5): item_revision = ItemRevision.query.join( (Item, ItemRevision.id == Item.latest_revision_id)).filter( Item.arn == ARN_PREFIX + ":iam::012345678910:role/SomeRole{}".format(x), ).one() assert item_revision.active # Create some issues for testing purposes: db.session.add( ItemAudit(score=10, issue="IAM Role has full admin permissions.", notes=json.dumps(item_revision.config), item_id=item_revision.item_id)) db.session.add( ItemAudit(score=9001, issue="Some test issue", notes="{}", item_id=item_revision.item_id)) db.session.commit() assert len(ItemAudit.query.all()) == len(items) * 2 # Remove the last two items: removed_arns = [] removed_arns.append(watcher.total_list.pop()["Arn"]) removed_arns.append(watcher.total_list.pop()["Arn"]) # Check for deleted items again: watcher.find_deleted_batch({}) assert len(watcher.deleted_items) == 2 # Check that the last two items were deleted: for arn in removed_arns: item_revision = ItemRevision.query.join( (Item, ItemRevision.id == Item.latest_revision_id)).filter( Item.arn == arn, ).one() assert not item_revision.active # Check that the current ones weren't deleted: for current_item in watcher.total_list: item_revision = ItemRevision.query.join( (Item, ItemRevision.id == Item.latest_revision_id)).filter( Item.arn == current_item["Arn"], ).one() assert item_revision.active assert len( ItemAudit.query.filter( ItemAudit.item_id == item_revision.item_id).all()) == 2
def test_find_deleted_batch(self): """ This will use the IAMRole watcher, since that already has batching support. :return: """ from security_monkey.watchers.iam.iam_role import IAMRole self.setup_batch_db() # Set everything up: watcher = IAMRole(accounts=[self.account.name]) watcher.current_account = (self.account, 0) watcher.technology = self.technology items = [] for x in range(0, 5): mod_conf = dict(ACTIVE_CONF) mod_conf["name"] = "SomeRole{}".format(x) mod_conf["Arn"] = ARN_PREFIX + ":iam::012345678910:role/SomeRole{}".format(x) items.append(SomeTestItem().from_slurp(mod_conf, account_name=self.account.name)) mod_aspd = dict(ASPD) mod_aspd["Arn"] = ARN_PREFIX + ":iam::012345678910:role/SomeRole{}".format(x) mod_aspd["RoleName"] = "SomeRole{}".format(x) watcher.total_list.append(mod_aspd) watcher.find_changes(items) # Check for deleted items: watcher.find_deleted_batch({}) assert len(watcher.deleted_items) == 0 # Check that nothing was deleted: for x in range(0, 5): item_revision = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)).filter( Item.arn == ARN_PREFIX + ":iam::012345678910:role/SomeRole{}".format(x), ).one() assert item_revision.active # Create some issues for testing purposes: db.session.add(ItemAudit(score=10, issue="IAM Role has full admin permissions.", notes=json.dumps(item_revision.config), item_id=item_revision.item_id)) db.session.add(ItemAudit(score=9001, issue="Some test issue", notes="{}", item_id=item_revision.item_id)) db.session.commit() assert len(ItemAudit.query.all()) == len(items) * 2 # Remove the last two items: removed_arns = [] removed_arns.append(watcher.total_list.pop()["Arn"]) removed_arns.append(watcher.total_list.pop()["Arn"]) # Check for deleted items again: watcher.find_deleted_batch({}) assert len(watcher.deleted_items) == 2 # Check that the last two items were deleted: for arn in removed_arns: item_revision = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)).filter( Item.arn == arn, ).one() assert not item_revision.active # Check that the current ones weren't deleted: for current_item in watcher.total_list: item_revision = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)).filter( Item.arn == current_item["Arn"], ).one() assert item_revision.active assert len(ItemAudit.query.filter(ItemAudit.item_id == item_revision.item_id).all()) == 2