def test_alert_schedule(cinq_test_service):
    """
    Verify that the auditor does not re-alert before the next scheduled alert time.

    The auditor is run twice back to back against the same untagged bucket:
    the first run must produce notices, the second must produce none.
    """
    aws_env = setup_test_aws(cinq_test_service)
    account = aws_env['account']

    prep_s3_testing(cinq_test_service)

    # One untagged bucket is the only resource under audit
    s3 = aws_get_client('s3')
    bucket = dbconfig.get('test_bucket_name', NS_CINQ_TEST, default='testbucket')
    s3.create_bucket(Bucket=bucket)

    collect_resources(account=account, resource_types=['s3'])

    auditor = MockRequiredTagsAuditor()

    # First run: the bucket is reported
    auditor.run()
    assert auditor._cinq_test_notices

    # Second run: still inside the alert window, so nothing is re-sent
    auditor.run()
    assert not auditor._cinq_test_notices
def test_collect_only(cinq_test_service):
    """
    Verify that the auditor honours the ``collect_only`` config item.

    With ``collect_only`` enabled, an untagged bucket that has been backdated
    past the grace period must still produce no notices.
    """
    aws_env = setup_test_aws(cinq_test_service)
    account = aws_env['account']

    # Same setup as the other tests, but with collect_only switched on
    prep_s3_testing(cinq_test_service, collect_only=True)

    # One untagged bucket under audit
    s3 = aws_get_client('s3')
    bucket = dbconfig.get('test_bucket_name', NS_CINQ_TEST, default='testbucket')
    s3.create_bucket(Bucket=bucket)

    collect_resources(account=account, resource_types=['s3'])

    auditor = MockRequiredTagsAuditor()

    # Backdate the bucket so the grace period cannot be what suppresses the notice
    cinq_test_service.modify_resource(bucket, 'creation_date', '2000-01-01T00:00:00')

    auditor.run()
    assert not auditor._cinq_test_notices
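def test_basic_ops(cinq_test_service):
    """
    Exercise the basic audit flow against an empty, untagged S3 bucket with
    no bucket policy and no lifecycle policy.

    Checks, in order, that the auditor:
        - respects the grace period (a just-created bucket is not reported)
        - reports the bucket once its creation date is past the grace period
        - escalates to the REMOVE action once the issue itself is old enough,
          and actually deletes the (empty) bucket
    """
    # Prep
    setup_info = setup_test_aws(cinq_test_service)
    recipient = setup_info['recipient']
    account = setup_info['account']

    prep_s3_testing(cinq_test_service)

    # Add resources
    client = aws_get_client('s3')
    bucket_name = dbconfig.get('test_bucket_name', NS_CINQ_TEST, default='testbucket')
    client.create_bucket(Bucket=bucket_name)

    # Collect resources
    collect_resources(account=account, resource_types=['s3'])

    # Initialize auditor
    auditor = MockRequiredTagsAuditor()

    # Test 1 --- a bucket created "now" is inside the grace period and must not be reported.
    # utcnow() is deprecated since Python 3.12; build the same naive UTC timestamp
    # explicitly so the stored value keeps the tz-less ISO format used elsewhere in this file.
    now_utc = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    cinq_test_service.modify_resource(bucket_name, 'creation_date', now_utc.isoformat())
    auditor.run()
    assert auditor._cinq_test_notices == {}

    # Test 2 --- an old bucket is outside the grace period and must be reported as not fixed
    cinq_test_service.modify_resource(bucket_name, 'creation_date', '2000-01-01T00:00:00')
    auditor.run()
    notices = auditor._cinq_test_notices
    assert bucket_name == notices[recipient]['not_fixed'][0]['resource'].id

    # Test 3 --- age the issue itself so the "remove" criteria are met on the next run
    cinq_test_service.modify_issue(
        notices[recipient]['not_fixed'][0]['issue'].id,
        'created',
        0
    )
    auditor.run()
    notices = auditor._cinq_test_notices
    # The reported action must be REMOVE ...
    assert notices[recipient]['not_fixed'][0]['action'] == AuditActions.REMOVE
    # ... and the bucket must really be gone: REMOVE is destructive, so the test
    # pins that deletion only happens after both age thresholds above were crossed
    assert len(client.list_buckets()['Buckets']) == 0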
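def test_remove_non_empty_bucket(cinq_test_service):
    """
    Verify how the auditor handles a non-empty, untagged S3 bucket with no
    bucket policy and no lifecycle policy.

    Instead of deleting a bucket that still holds objects, the auditor is
    expected to attach the Cloud Inquisitor lifecycle policy once the issue is
    old enough to meet the removal criteria; that policy expires the contents
    after ``lifecycle_expiration_days``.
    """
    # Prep
    setup_info = setup_test_aws(cinq_test_service)
    recipient = setup_info['recipient']
    account = setup_info['account']

    prep_s3_testing(cinq_test_service)

    # Add resources: the uploaded object is what makes the bucket non-empty
    client = aws_get_client('s3')
    bucket_name = dbconfig.get('test_bucket_name', NS_CINQ_TEST, default='testbucket')
    client.create_bucket(Bucket=bucket_name)
    s3_upload_file_from_string(client, bucket_name, 'sample', 'sample text')

    # Collect resources
    collect_resources(account=account, resource_types=['s3'])

    # Initialize auditor
    auditor = MockRequiredTagsAuditor()

    # Setup test case: backdate the bucket so it is outside the grace period
    cinq_test_service.modify_resource(bucket_name, 'creation_date', '2000-01-01T00:00:00')
    auditor.run()

    # The first run only reports the issue: no lifecycle configuration may exist yet
    with pytest.raises(ClientError):
        client.get_bucket_lifecycle_configuration(Bucket=bucket_name)

    # Age the issue so the "remove" criteria are met on the next run
    cinq_test_service.modify_issue(
        auditor._cinq_test_notices[recipient]['not_fixed'][0]['issue'].id,
        'created',
        0
    )
    auditor.run()

    # Verify the Cloud Inquisitor lifecycle policy is now attached and enabled
    current_policy = client.get_bucket_lifecycle_configuration(Bucket=bucket_name)['Rules'][0]
    assert current_policy['ID'] == 'cloudInquisitor'
    assert current_policy['Status'] == 'Enabled'
    assert current_policy['Expiration'] == {
        'Days': dbconfig.get('lifecycle_expiration_days', NS_AUDITOR_REQUIRED_TAGS, default=3)
    }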
def test_fixed_buckets(cinq_test_service):
    """
    Verify that a bucket reported as non-compliant is later reported as fixed
    once the required tags have been added.

    First audit: the bucket is empty, untagged, has no bucket policy and no
    lifecycle policy, and is backdated past the grace period, so it must appear
    under ``not_fixed``. Second audit: after tagging it with ``VALID_TAGSET``
    and re-collecting, it must appear under ``fixed`` with the FIXED action.
    """
    aws_env = setup_test_aws(cinq_test_service)
    recipient = aws_env['recipient']
    account = aws_env['account']

    prep_s3_testing(cinq_test_service)

    s3 = aws_get_client('s3')
    bucket = dbconfig.get('test_bucket_name', NS_CINQ_TEST, default='testbucket')
    s3.create_bucket(Bucket=bucket)

    collect_resources(account=account, resource_types=['s3'])

    auditor = MockRequiredTagsAuditor()

    # Backdate the bucket so it is outside the grace period
    cinq_test_service.modify_resource(bucket, 'creation_date', '2000-01-01T00:00:00')
    auditor.run()

    # First audit: reported as not fixed
    first = auditor._cinq_test_notices
    assert first[recipient]['not_fixed'][0]['resource']['resource_id'] == bucket

    # Remediate by adding the required tags, then re-collect so the auditor sees them
    s3.put_bucket_tagging(Bucket=bucket, Tagging={'TagSet': VALID_TAGSET})
    collect_resources(account=account, resource_types=['s3'])
    auditor.run()

    # Second audit: reported as fixed
    # NOTE(review): the assertion above reads the resource id via item access and the
    # one below via attribute access; presumably the resource object supports both - confirm.
    second = auditor._cinq_test_notices
    assert second[recipient]['fixed'][0]['action'] == AuditActions.FIXED
    assert second[recipient]['fixed'][0]['resource'].resource_id == bucket
def test_compliant_bucket(cinq_test_service):
    """
    Verify that a compliant bucket is never reported as non-compliant.

    The bucket carries ``VALID_TAGSET`` from the start and is backdated past
    the grace period, so the only reason for an empty notice set is that the
    auditor judged it compliant.
    """
    aws_env = setup_test_aws(cinq_test_service)
    account = aws_env['account']

    prep_s3_testing(cinq_test_service)

    # Create the bucket and tag it before it is ever collected
    s3 = aws_get_client('s3')
    bucket = dbconfig.get('test_bucket_name', NS_CINQ_TEST, default='testbucket')
    s3.create_bucket(Bucket=bucket)
    s3.put_bucket_tagging(Bucket=bucket, Tagging={'TagSet': VALID_TAGSET})

    collect_resources(account=account, resource_types=['s3'])

    auditor = MockRequiredTagsAuditor()

    # Backdate the bucket so the grace period cannot be what suppresses a notice
    cinq_test_service.modify_resource(bucket, 'creation_date', '2000-01-01T00:00:00')
    auditor.run()
    assert auditor._cinq_test_notices == {}