def test_alert_schedule(cinq_test_service): """ Test whether the auditor respects the alert schedule """ setup_info = setup_test_aws(cinq_test_service) account = setup_info['account'] prep_s3_testing(cinq_test_service) # Add resources client = aws_get_client('s3') bucket_name = dbconfig.get('test_bucket_name', NS_CINQ_TEST, default='testbucket') client.create_bucket(Bucket=bucket_name) # Collect resources collect_resources(account=account, resource_types=['s3']) # Initialize auditor auditor = MockRequiredTagsAuditor() # Test 1 --- The auditor should not alert again as we are not at the next scheduled alert time auditor.run() assert auditor._cinq_test_notices auditor.run() assert not auditor._cinq_test_notices
def test_collect(cinq_test_service): """ :return: """ # Prep setup_info = setup_test_aws(cinq_test_service) account = setup_info['account'] cinq_test_service.start_mocking_services('ec2') # Add resources client = aws_get_client('ec2') resource = client.run_instances(ImageId='i-10000', MinCount=1, MaxCount=1) # Start collector collect_resources(account=account, resource_types=['ec2']) # verify assert cinq_test_service.has_resource('non-exist-id') is False assert cinq_test_service.has_resource( resource['Instances'][0]['InstanceId']) is True cinq_test_service.stop_mocking_services('ec2')
def test_collect_only(cinq_test_service): """ Test if the auditor respects "collect_only" config item """ # Prep setup_info = setup_test_aws(cinq_test_service) account = setup_info['account'] prep_s3_testing(cinq_test_service, collect_only=True) # Add resources client = aws_get_client('s3') bucket_name = dbconfig.get('test_bucket_name', NS_CINQ_TEST, default='testbucket') client.create_bucket(Bucket=bucket_name) # Collect resources collect_resources(account=account, resource_types=['s3']) # Initialize auditor auditor = MockRequiredTagsAuditor() # Setup test cinq_test_service.modify_resource(bucket_name, 'creation_date', '2000-01-01T00:00:00') auditor.run() assert not auditor._cinq_test_notices
def test_basic_ops(cinq_test_service): """ Test will pass if for an S3 bucket meet the following condition: - Bucket is empty - No Bucket Policy was set - No Lifecycle Policy was set - No tag was set The Auditor will: - Detect non-compliant S3 buckets - Respect grace period settings - Be able to remove an empty bucket successfully when the "REMOVE" criteria are met """ # Prep setup_info = setup_test_aws(cinq_test_service) recipient = setup_info['recipient'] account = setup_info['account'] prep_s3_testing(cinq_test_service) # Add resources client = aws_get_client('s3') bucket_name = dbconfig.get('test_bucket_name', NS_CINQ_TEST, default='testbucket') client.create_bucket(Bucket=bucket_name) # Collect resources collect_resources(account=account, resource_types=['s3']) # Initialize auditor auditor = MockRequiredTagsAuditor() # Test 1 --- Test if auditor respect grace period settings cinq_test_service.modify_resource(bucket_name, 'creation_date', datetime.datetime.utcnow().isoformat()) auditor.run() assert auditor._cinq_test_notices == {} # Test 2 --- Test if auditor can pick up non-compliant resources correctly cinq_test_service.modify_resource(bucket_name, 'creation_date', '2000-01-01T00:00:00') auditor.run() notices = auditor._cinq_test_notices assert bucket_name == notices[recipient]['not_fixed'][0]['resource'].id # Test 3 --- Modify the issue creation date so it will meet the criteria of "remove" action cinq_test_service.modify_issue( auditor._cinq_test_notices[recipient]['not_fixed'][0]['issue'].id, 'created', 0) auditor.run() notices = auditor._cinq_test_notices ''' Check if the action is correct''' assert notices[recipient]['not_fixed'][0]['action'] == AuditActions.REMOVE ''' Check if the bucket is actually removed ''' assert len(client.list_buckets()['Buckets']) == 0
def test_remove_non_empty_bucket(cinq_test_service): """ Test will pass if for an S3 bucket meet the following condition: - Bucket is NOT empty - No Bucket Policy was set - No Lifecycle Policy was set - No tag was set The Auditor will: - Apply Cinq lifecycle policy to the bucket """ # Prep setup_info = setup_test_aws(cinq_test_service) recipient = setup_info['recipient'] account = setup_info['account'] prep_s3_testing(cinq_test_service) # Add resources client = aws_get_client('s3') bucket_name = dbconfig.get('test_bucket_name', NS_CINQ_TEST, default='testbucket') client.create_bucket(Bucket=bucket_name) s3_upload_file_from_string(client, bucket_name, 'sample', 'sample text') # Collect resources collect_resources(account=account, resource_types=['s3']) # Initialize auditor auditor = MockRequiredTagsAuditor() # Setup test case cinq_test_service.modify_resource( bucket_name, 'creation_date', '2000-01-01T00:00:00' ) auditor.run() with pytest.raises(ClientError): client.get_bucket_lifecycle_configuration(Bucket=bucket_name)['Rules'] cinq_test_service.modify_issue( auditor._cinq_test_notices[recipient]['not_fixed'][0]['issue'].id, 'created', 0 ) auditor.run() # Verify if the Lifecycle policy is added current_policy = client.get_bucket_lifecycle_configuration(Bucket=bucket_name)['Rules'][0] assert current_policy['ID'] == 'cloudInquisitor' assert current_policy['Status'] == 'Enabled' assert current_policy['Expiration'] == { 'Days': dbconfig.get('lifecycle_expiration_days', NS_AUDITOR_REQUIRED_TAGS, 3) } '''
def test_fixed_buckets(cinq_test_service): """ Test will pass if for an S3 bucket meet the following condition: - Bucket is empty - No Bucket Policy was set - No Lifecycle Policy was set - There was no tag doing the initial audit but missing tags were added during the second audit The Auditor will: - Detect non-compliant S3 buckets during the first audit - Detect Fixed Buckets correctly """ # Prep setup_info = setup_test_aws(cinq_test_service) recipient = setup_info['recipient'] account = setup_info['account'] prep_s3_testing(cinq_test_service) # Add resources client = aws_get_client('s3') bucket_name = dbconfig.get('test_bucket_name', NS_CINQ_TEST, default='testbucket') client.create_bucket(Bucket=bucket_name) # Collect resources collect_resources(account=account, resource_types=['s3']) # Initialize auditor auditor = MockRequiredTagsAuditor() # Setup test case cinq_test_service.modify_resource( bucket_name, 'creation_date', '2000-01-01T00:00:00' ) auditor.run() notices = auditor._cinq_test_notices assert notices[recipient]['not_fixed'][0]['resource']['resource_id'] == bucket_name client.put_bucket_tagging( Bucket=bucket_name, Tagging={'TagSet': VALID_TAGSET} ) collect_resources(account=account, resource_types=['s3']) auditor.run() notices = auditor._cinq_test_notices # Verify if the auditor will report the issue fixed assert notices[recipient]['fixed'][0]['action'] == AuditActions.FIXED assert notices[recipient]['fixed'][0]['resource'].resource_id == bucket_name
def test_basic_ops(cinq_test_service): """ Test will pass if: 1. Auditor can detect non-compliant EC2 instances 2. Auditor respect grace period settings """ # Prep cinq_test_service.start_mocking_services('ec2') setup_info = setup_test_aws(cinq_test_service) recipient = setup_info['recipient'] account = setup_info['account'] db_setting = dbconfig.get('audit_scope', NS_AUDITOR_REQUIRED_TAGS) db_setting['enabled'] = ['aws_ec2_instance'] dbconfig.set(NS_AUDITOR_REQUIRED_TAGS, 'audit_scope', DBCJSON(db_setting)) dbconfig.set(NS_AUDITOR_REQUIRED_TAGS, 'collect_only', False) # Add resources client = aws_get_client('ec2') resource = client.run_instances(ImageId='i-10000', MinCount=1, MaxCount=1) # Collect resources collect_resources(account=account, resource_types=['ec2']) # Initialize auditor auditor = MockRequiredTagsAuditor() # Test 1 --- Test if auditor respect grace period settings cinq_test_service.modify_resource(resource['Instances'][0]['InstanceId'], 'launch_date', datetime.datetime.utcnow().isoformat()) auditor.run() assert auditor._cinq_test_notices == {} # Test 2 --- Test if auditor can pick up non-compliant resources correctly ''' Modify resource property''' assert cinq_test_service.modify_resource( resource['Instances'][0]['InstanceId'], 'launch_date', '2000-01-01T00:00:00') is True auditor.run() notices = auditor._cinq_test_notices assert recipient in notices assert notices[recipient]['not_fixed'][0][ 'resource'].resource_id == resource['Instances'][0]['InstanceId']
def test_rds_corrupted_data(cinq_test_service): # Prep setup_info = setup_test_aws(cinq_test_service) recipient = setup_info['recipient'] account = setup_info['account'] auditor = MockRequiredTagsAuditor() new_resource = create_resource(resource_type=RDSInstance, resource_id=uuid.uuid4().hex, account_id=account.account_id, properties={}, tags={}, auto_add=True, auto_commit=True) auditor.run(enable_process_action=False) assert auditor._cinq_test_notices == {}
def test_audit(cinq_test_service): """ :return: """ # Prep cinq_test_service.start_mocking_services('ec2') setup_info = setup_test_aws(cinq_test_service) recipient = setup_info['recipient'] account = setup_info['account'] db_setting = dbconfig.get('audit_scope', NS_AUDITOR_REQUIRED_TAGS) db_setting['enabled'] = ['aws_ec2_instance'] dbconfig.set(NS_AUDITOR_REQUIRED_TAGS, 'audit_scope', DBCJSON(db_setting)) # Tests case_1(cinq_test_service, account, recipient)
def test_compliant_bucket(cinq_test_service): """ Test will pass if for an S3 bucket meet the following condition: - Is compliant The Auditor will: - Not mark compliant buckets as non-compliant """ # Prep setup_info = setup_test_aws(cinq_test_service) account = setup_info['account'] prep_s3_testing(cinq_test_service) # Add resources client = aws_get_client('s3') bucket_name = dbconfig.get('test_bucket_name', NS_CINQ_TEST, default='testbucket') client.create_bucket(Bucket=bucket_name) client.put_bucket_tagging( Bucket=bucket_name, Tagging={'TagSet': VALID_TAGSET} ) # Collect resources collect_resources(account=account, resource_types=['s3']) # Initialize auditor auditor = MockRequiredTagsAuditor() # Setup test case cinq_test_service.modify_resource( bucket_name, 'creation_date', '2000-01-01T00:00:00' ) auditor.run() assert auditor._cinq_test_notices == {}
def test_rds_generic(cinq_test_service): """ 1. We will generate batch of compliant and non-compliant RDS resources, run the auditor and check if it works as expected 2. We will make random non-compliant RDS instance meets the FIXED, STOP or REMOVE criteria and check if it works as expected """ # Prep setup_info = setup_test_aws(cinq_test_service) recipient = setup_info['recipient'] account = setup_info['account'] compliant_resources = [] non_compliant_resources = [] prep_rds_testing(cinq_test_service) # Add resources num_resources = 50 for i in range(0, num_resources): compliance_selector = random.randint(0, 1) if compliance_selector: tags = VALID_TAGS else: tags = {} new_resource = create_resource(resource_type=RDSInstance, resource_id=uuid.uuid4().hex, account_id=account.account_id, properties={ 'creation_date': datetime.datetime(2000, 1, 1), 'metrics': {}, 'engine': 'mysql' }, tags=tags, auto_add=True, auto_commit=True) if compliance_selector: compliant_resources.append(new_resource.id) else: non_compliant_resources.append(new_resource.id) # Initialize auditor auditor = MockRequiredTagsAuditor() auditor.run(enable_process_action=False) issue_not_fixed = auditor._cinq_test_notices[recipient]['not_fixed'] for item in issue_not_fixed: assert item['resource'].id not in compliant_resources assert item['resource'].id in non_compliant_resources assert item['action'] == AuditActions.ALERT resources_to_terminate = [] resources_to_stop = [] resources_fixed = [] for item in issue_not_fixed: mock_selector = random.randint(0, 3) if mock_selector == 3: # Mock resources that should be terminated cinq_test_service.modify_issue(item['issue'].id, 'created', 0) resources_to_terminate.append(item['resource'].id) elif mock_selector == 2: # Mock resources that should be stopped cinq_test_service.modify_issue( item['issue'].id, 'created', item['issue'].created - STANDARD_ALERT_SETTINGS_STOP - 1) resources_to_stop.append(item['resource'].id) elif mock_selector == 1: set_tags(item['resource'], VALID_TAGS) resources_fixed.append(item['resource'].id) else: # Leave the issue as-is pass auditor.run(enable_process_action=False) issue_not_fixed = auditor._cinq_test_notices[recipient]['not_fixed'] issue_fixed = auditor._cinq_test_notices[recipient]['fixed'] for item in issue_not_fixed: if item['action'] == AuditActions.STOP: resources_to_stop.remove(item['resource'].id) elif item['action'] == AuditActions.REMOVE: resources_to_terminate.remove(item['resource'].id) for item in issue_fixed: resources_fixed.remove(item['resource'].resource_id) assert resources_to_stop == [] assert resources_to_terminate == [] assert resources_fixed == []
def test_volume_ec2_s3(cinq_test_service): """ :return: """ # Prep setup_info = setup_test_aws(cinq_test_service) recipient = setup_info['recipient'] account = setup_info['account'] set_audit_scope('aws_ec2_instance', 'aws_s3_bucket') dbconfig.set(NS_AUDITOR_REQUIRED_TAGS, 'collect_only', False) cinq_test_service.start_mocking_services('cloudwatch', 'ec2', 's3') num_resources = 100 compliant_buckets = [] non_compliant_buckets = [] compliant_ec2 = [] non_compliant_ec2 = [] client_s3 = aws_get_client('s3') client_ec2 = aws_get_client('ec2') regions = get_aws_regions('s3') # Workaround for a moto cloudwatch KeyError bug regions.remove('eu-west-3') # Setup resources for i in range(0, num_resources): bucket_name = uuid.uuid4().hex client_s3.create_bucket( Bucket=bucket_name, CreateBucketConfiguration={'LocationConstraint': random.choice(regions)} ) compliant_buckets.append(bucket_name) if random.randint(0, 1) else non_compliant_buckets.append(bucket_name) resource = client_ec2.run_instances(ImageId='i-{}'.format(i), MinCount=1, MaxCount=1) instance_id = resource['Instances'][0]['InstanceId'] compliant_ec2.append(instance_id) if random.randint(0, 1) else non_compliant_ec2.append(instance_id) for instance_id in compliant_ec2: client_ec2.create_tags( Resources=[instance_id], Tags=VALID_TAGSET ) for item in compliant_buckets: client_s3.put_bucket_tagging( Bucket=item, Tagging={'TagSet': VALID_TAGSET} ) # collection collect_resources(account=account, resource_types=['ec2', 's3']) for item in compliant_buckets + non_compliant_buckets: cinq_test_service.modify_resource( item, 'creation_date', '2000-01-01T00:00:00' ) for instance_id in compliant_ec2 + non_compliant_ec2: cinq_test_service.modify_resource( instance_id, 'launch_date', '2000-01-01T00:00:00' ) auditor = MockRequiredTagsAuditor() auditor.run() compliant_resources = compliant_buckets + compliant_ec2 non_compliant_resources = non_compliant_buckets + non_compliant_ec2 for item in auditor._cinq_test_notices[recipient]['not_fixed']: assert item['resource'].id not in compliant_resources assert item['resource'].id in non_compliant_resources assert len(non_compliant_resources) == len(auditor._cinq_test_notices[recipient]['not_fixed'])