def test_get_bucket_encryption_error_access_denied(self):
        """An AccessDenied ClientError is wrapped in PmError and logged as a warning."""
        # Build the ClientError that the mocked client will raise.
        error_response = copy.deepcopy(DataCommon.ERROR_RESPONSE)
        operation_name = copy.deepcopy(DataCommon.OPERATION_NAME)
        error_response['Error']['Code'] = 'AccessDenied'
        client_error = ClientError(error_response=error_response,
                                   operation_name=operation_name)

        with patch.object(client_s3, 'get_bucket_encryption',
                          side_effect=client_error), \
                patch.object(PmLogAdapter, 'warning',
                             return_value=None) as mock_warning, \
                self.assertRaises(PmError) as raised:
            # call function test
            S3Utils.get_bucket_encryption(trace_id, client_s3, bucket_name,
                                          aws_account, region_name)

        # The original ClientError must be preserved as the PmError's cause.
        cause = raised.exception.cause_error
        self.assertEqual(error_response['Error'], cause.response['Error'])
        self.assertEqual(operation_name, cause.operation_name)

        # A warning naming account/region/bucket must have been logged.
        mock_warning.assert_any_call(
            '[%s] 権限エラーによりS3バケットリージョン情報の取得に失敗しました。(%s/%s)', aws_account,
            region_name, bucket_name)
    def test_get_bucket_encryption_error_server_side_encryption_configuration_not_found_error(self):
        """A missing encryption configuration is wrapped in PmError and logged at info level."""
        # Build the ClientError that the mocked client will raise.
        error_response = copy.deepcopy(DataCommon.ERROR_RESPONSE)
        operation_name = copy.deepcopy(DataCommon.OPERATION_NAME)
        error_response['Error']['Code'] = \
            'ServerSideEncryptionConfigurationNotFoundError'
        client_error = ClientError(error_response=error_response,
                                   operation_name=operation_name)

        with patch.object(client_s3, 'get_bucket_encryption',
                          side_effect=client_error), \
                patch.object(PmLogAdapter, 'info',
                             return_value=None) as mock_info, \
                self.assertRaises(PmError) as raised:
            # call function test
            S3Utils.get_bucket_encryption(trace_id, client_s3, bucket_name,
                                          aws_account, region_name)

        # The original ClientError must be preserved as the PmError's cause.
        cause = raised.exception.cause_error
        self.assertEqual(error_response['Error'], cause.response['Error'])
        self.assertEqual(operation_name, cause.operation_name)

        # An info message naming account/region/bucket must have been logged.
        mock_info.assert_any_call('[%s]S3バケット暗号化情報がありません。(%s/%s)',
                                  aws_account, region_name, bucket_name)
    def test_get_bucket_encryption_success_response_not_exists_server_side_encryption_configuration_and_rules(self):
        """An empty API response yields an empty rule list, not an error."""
        with patch.object(client_s3, 'get_bucket_encryption',
                          return_value={}):
            # call function test
            rules = S3Utils.get_bucket_encryption(
                trace_id, client_s3, bucket_name, aws_account, region_name)

        # check result
        self.assertEqual([], rules)
    def test_get_bucket_encryption_success_response_exists_server_side_encryption_configuration_and_rules(self):
        """Only the nested Rules list is returned from a full API response."""
        response = copy.deepcopy(DataTestS3.BUCKET_ENCRYPTION)

        # create mock data return when called function get_bucket_encryption
        with patch.object(client_s3, 'get_bucket_encryption',
                          return_value=response):
            # call function test
            rules = S3Utils.get_bucket_encryption(
                trace_id, client_s3, bucket_name, aws_account, region_name)

        # check result: the wrapper unwraps ServerSideEncryptionConfiguration.Rules
        expected_rules = response['ServerSideEncryptionConfiguration']['Rules']
        self.assertEqual(expected_rules, rules)
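def check_asc_item_13_01(trace_id, check_history_id, organization_id,
                         project_id, aws_account, session, result_json_path):
    """Check that every S3 bucket in the account has default encryption.

    For each bucket the default-encryption rules are fetched, saved to S3 as
    a raw resource file and then inspected: a rule whose
    ``ApplyServerSideEncryptionByDefault`` has no ``SSEAlgorithm`` is recorded
    as a finding, and a bucket with no encryption configuration at all is a
    finding as well. The collected results are uploaded as JSON to
    ``result_json_path``.

    Args:
        trace_id: Trace id passed through to the logging and S3 helpers.
        check_history_id: Used to build the raw resource file path.
        organization_id: Used to build the raw resource file path.
        project_id: Used to build the raw resource file path.
        aws_account: Account being checked; appears in logs and results.
        session: Session from which the S3 client is created.
        result_json_path: S3 key the result JSON is uploaded to.

    Returns:
        CheckResult.Error when listing buckets, reading a bucket (other than
        the codes in CommonConst.S3_SKIP_EXCEPTION and
        CommonConst.SERVER_SIDE_ENCRYPTION_CONFIGURATION_NOT_FOUND_ERROR) or
        any upload fails, or when at least one bucket was skipped for a
        permission-style error (that error is still recorded in the results);
        CheckResult.CriticalDefect when at least one finding was recorded;
        CheckResult.Normal otherwise.
    """
    cw_logger = common_utils.begin_cw_logger(trace_id, __name__,
                                             inspect.currentframe())
    check_results = []
    is_authorized = True
    s3_client = S3Utils.get_s3_client(trace_id, session, aws_account,
                                      is_cw_logger=True)
    try:
        list_buckets = asc_item_common_logic.get_list_buckets(
            trace_id, check_history_id, organization_id, project_id, s3_client,
            aws_account)
    except PmError:
        return CheckResult.Error

    # Save each bucket's encryption rules to S3 (raw resource file), then
    # evaluate them.
    for bucket in list_buckets['Buckets']:
        bucket_name = bucket['Name']
        region_name = None
        try:
            region_name = S3Utils.get_bucket_location(
                trace_id, s3_client, bucket_name, aws_account)
            if region_name is None:
                # A None location is treated as the default region.
                region_name = CommonConst.US_EAST_REGION
            bucket_encryption_rules = S3Utils.get_bucket_encryption(
                trace_id, s3_client, bucket_name, aws_account,
                region_name, is_cw_logger=True)
        except PmError as e:
            error_code = e.cause_error.response['Error']['Code']
            if error_code in CommonConst.SERVER_SIDE_ENCRYPTION_CONFIGURATION_NOT_FOUND_ERROR:
                # No default-encryption configuration on the bucket: a finding.
                check_results.append(get_check_asc_item_13_01_result(
                    region_name, bucket_name))
                continue
            if error_code in CommonConst.S3_SKIP_EXCEPTION:
                # The bucket could not be read: record the error as a result,
                # remember that the check is incomplete, and keep going so the
                # remaining buckets are still evaluated.
                # No trailing commas here: they would turn the operation name
                # and code into 1-tuples instead of strings.
                error_operation = e.cause_error.operation_name
                error_message = e.cause_error.response['Error']['Message']
                if region_name is None:
                    region_name = CommonConst.ERROR
                check_results.append(
                    asc_item_common_logic.get_error_authorized_result(
                        region_name, bucket_name, error_operation,
                        error_code, error_message))
                is_authorized = False
                continue
            return CheckResult.Error

        if not bucket_encryption_rules:
            continue

        try:
            s3_file_name = CommonConst.PATH_CHECK_RAW.format(
                check_history_id, organization_id, project_id, aws_account,
                "ASC/S3_Encryption_{}_{}.json".format(region_name, bucket_name))
            FileUtils.upload_json(trace_id, "S3_CHECK_BUCKET",
                                  bucket_encryption_rules, s3_file_name,
                                  is_cw_logger=True)
        except PmError:
            cw_logger.error("[%s] S3バケット暗号化情報のS3保存に失敗しました。(%s/%s)",
                            aws_account, region_name, bucket_name)
            return CheckResult.Error

        # Evaluate the rules; any unexpected shape in the response is reported
        # as a check error rather than propagated.
        try:
            if _has_rule_without_sse_algorithm(bucket_encryption_rules):
                check_results.append(get_check_asc_item_13_01_result(
                    region_name, bucket_name))
        except Exception:
            cw_logger.error("[%s] チェック処理中にエラーが発生しました。(%s/%s)", aws_account,
                            region_name, bucket_name)
            return CheckResult.Error

    # Export the result JSON.
    try:
        current_date = date_utils.get_current_date_by_format(
            date_utils.PATTERN_YYYYMMDDHHMMSS)
        result_json = {
            'AWSAccount': aws_account,
            'CheckResults': check_results,
            'DateTime': current_date
        }
        FileUtils.upload_s3(trace_id, result_json, result_json_path,
                            format_json=True, is_cw_logger=True)
    except Exception:
        cw_logger.error("[%s] チェック結果JSONファイルの保存に失敗しました。", aws_account)
        return CheckResult.Error

    # Final verdict: an unreadable bucket takes precedence over findings.
    if not is_authorized:
        return CheckResult.Error
    if check_results:
        return CheckResult.CriticalDefect
    return CheckResult.Normal


def _has_rule_without_sse_algorithm(bucket_encryption_rules):
    """Return True if any rule's default encryption lacks an ``SSEAlgorithm``.

    Args:
        bucket_encryption_rules: The ``Rules`` list of a bucket's
            ServerSideEncryptionConfiguration.

    Raises:
        KeyError: when a rule has no ``ApplyServerSideEncryptionByDefault``
            entry; the caller treats that as a check error.
    """
    for rule in bucket_encryption_rules:
        # NOTE(review): a rule without 'ApplyServerSideEncryptionByDefault'
        # ends up as CheckResult.Error in the caller rather than as a finding
        # — confirm that is the intended outcome for such a rule.
        default_encryption = rule['ApplyServerSideEncryptionByDefault']
        if common_utils.check_key("SSEAlgorithm", default_encryption) is False:
            return True
    return False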