def test_inactivate_old_revisions(self):
from security_monkey.datastore_utils import inactivate_old_revisions, hash_item, persist_item, result_from_item
from security_monkey.datastore import ItemRevision, Item
self.setup_db()
# Need to create 3 items first before we can test deletions:
for x in range(0, 3):
modConf = dict(ACTIVE_CONF)
modConf["name"] = "SomeRole{}".format(x)
modConf["Arn"] = "arn:aws:iam::012345678910:role/SomeRole{}".format(x)
sti = SomeTestItem().from_slurp(modConf, account_name=self.account.name)
# Get the hash:
complete_hash, durable_hash = hash_item(sti.config, [])
# persist:
persist_item(sti, None, self.technology, self.account, complete_hash, durable_hash, True)
db_item = result_from_item(sti, self.account, self.technology)
# Add issues for these items: (just add two for testing purposes)
db.session.add(ItemAudit(score=10,
issue="IAM Role has full admin permissions.",
notes=json.dumps(sti.config),
item_id=db_item.id))
db.session.add(ItemAudit(score=9001, issue="Some test issue", notes="{}", item_id=db_item.id))
db.session.commit()
# Now, actually test for deleted revisions:
arns = [
"arn:aws:iam::012345678910:role/SomeRole", # <-- Does not exist in the list
"arn:aws:iam::012345678910:role/SomeRole0", # <-- Does exist -- should not get deleted
]
inactivate_old_revisions(SomeWatcher(), arns, self.account, self.technology)
# Check that SomeRole1 and SomeRole2 are marked as inactive:
for x in range(1, 3):
item_revision = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)).filter(
Item.arn == "arn:aws:iam::012345678910:role/SomeRole{}".format(x),
).one()
assert not item_revision.active
# Check that there are no issues associated with this item:
assert len(ItemAudit.query.filter(ItemAudit.item_id == item_revision.item_id).all()) == 0
# Check that the SomeRole0 is still OK:
item_revision = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)).filter(
Item.arn == "arn:aws:iam::012345678910:role/SomeRole0".format(x),
).one()
assert len(ItemAudit.query.filter(ItemAudit.item_id == item_revision.item_id).all()) == 2
assert item_revision.active
def test_persist_item(self):
from security_monkey.datastore_utils import persist_item, hash_item, result_from_item
self.setup_db()
sti = SomeTestItem().from_slurp(ACTIVE_CONF,
account_name=self.account.name)
# Get the hash:
complete_hash, durable_hash = hash_item(sti.config, [])
# Persist a durable change:
persist_item(sti, None, self.technology, self.account, complete_hash,
durable_hash, True)
db_item = result_from_item(sti, self.account, self.technology)
assert db_item
assert db_item.revisions.count() == 1
assert db_item.latest_revision_durable_hash == durable_hash == complete_hash
assert db_item.latest_revision_complete_hash == complete_hash == durable_hash
# No changes:
persist_item(sti, db_item, self.technology, self.account,
complete_hash, durable_hash, True)
db_item = result_from_item(sti, self.account, self.technology)
assert db_item
assert db_item.revisions.count() == 1
assert db_item.latest_revision_durable_hash == complete_hash == durable_hash
assert db_item.latest_revision_complete_hash == complete_hash == durable_hash
# Ephemeral change:
mod_conf = dict(ACTIVE_CONF)
mod_conf["IGNORE_ME"] = "I am ephemeral!"
new_complete_hash, new_durable_hash = hash_item(
mod_conf, ["IGNORE_ME"])
sti = SomeTestItem().from_slurp(mod_conf,
account_name=self.account.name)
persist_item(sti, db_item, self.technology, self.account,
new_complete_hash, new_durable_hash, False)
db_item = result_from_item(sti, self.account, self.technology)
assert db_item
assert db_item.revisions.count() == 1
assert db_item.latest_revision_durable_hash == new_durable_hash == durable_hash
assert db_item.latest_revision_complete_hash == new_complete_hash != complete_hash
def test_persist_item(self):
from security_monkey.datastore_utils import persist_item, hash_item, result_from_item
self.setup_db()
sti = SomeTestItem().from_slurp(ACTIVE_CONF, account_name=self.account.name)
# Get the hash:
complete_hash, durable_hash = hash_item(sti.config, [])
# Persist a durable change:
persist_item(sti, None, self.technology, self.account, complete_hash, durable_hash, True)
db_item = result_from_item(sti, self.account, self.technology)
assert db_item
assert db_item.revisions.count() == 1
assert db_item.latest_revision_durable_hash == durable_hash == complete_hash
assert db_item.latest_revision_complete_hash == complete_hash == durable_hash
# No changes:
persist_item(sti, db_item, self.technology, self.account, complete_hash, durable_hash, True)
db_item = result_from_item(sti, self.account, self.technology)
assert db_item
assert db_item.revisions.count() == 1
assert db_item.latest_revision_durable_hash == complete_hash == durable_hash
assert db_item.latest_revision_complete_hash == complete_hash == durable_hash
# Ephemeral change:
mod_conf = dict(ACTIVE_CONF)
mod_conf["IGNORE_ME"] = "I am ephemeral!"
new_complete_hash, new_durable_hash = hash_item(mod_conf, ["IGNORE_ME"])
sti = SomeTestItem().from_slurp(mod_conf, account_name=self.account.name)
persist_item(sti, db_item, self.technology, self.account, new_complete_hash, new_durable_hash, False)
db_item = result_from_item(sti, self.account, self.technology)
assert db_item
assert db_item.revisions.count() == 1
assert db_item.latest_revision_durable_hash == new_durable_hash == durable_hash
assert db_item.latest_revision_complete_hash == new_complete_hash != complete_hash
def test_result_from_item(self):
from security_monkey.datastore_utils import result_from_item
from security_monkey.datastore import Item
self.setup_db()
item = Item(region="universal",
name="SomeRole",
arn=ARN_PREFIX + ":iam::012345678910:role/SomeRole",
tech_id=self.technology.id,
account_id=self.account.id
)
# This is actually what is passed into result_from_item:
sti = SomeTestItem().from_slurp(ACTIVE_CONF, account_name=self.account.name)
assert not result_from_item(sti, self.account, self.technology)
db.session.add(item)
db.session.commit()
assert result_from_item(sti, self.account, self.technology).id == item.id
def test_result_from_item(self):
from security_monkey.datastore_utils import result_from_item
from security_monkey.datastore import Item
self.setup_db()
item = Item(region="universal",
name="SomeRole",
arn="arn:aws:iam::012345678910:role/SomeRole",
tech_id=self.technology.id,
account_id=self.account.id
)
# This is actually what is passed into result_from_item:
sti = SomeTestItem().from_slurp(ACTIVE_CONF, account_name=self.account.name)
assert not result_from_item(sti, self.account, self.technology)
db.session.add(item)
db.session.commit()
assert result_from_item(sti, self.account, self.technology).id == item.id