def add_roles(self, initial=True):
mock_iam().start()
mock_sts().start()
mock_iam().start()
client = boto3.client("iam")
aspd = {
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}
]
}
if initial:
last = 11
else:
last = 9 # Simulates 2 deleted roles...
for x in range(0, last):
# Create the IAM Role via Moto:
aspd["Statement"][0]["Resource"] = "arn:aws:iam:012345678910:role/roleNumber{}".format(x)
client.create_role(Path="/", RoleName="roleNumber{}".format(x),
AssumeRolePolicyDocument=json.dumps(aspd, indent=4))
client.put_role_policy(RoleName="roleNumber{}".format(x), PolicyName="testpolicy",
PolicyDocument=json.dumps(OPEN_POLICY, indent=4))
def test_get_canonical_ids(self):
accounts = Account.query.all()
get_canonical_ids(accounts)
for account in accounts:
assert len(account.custom_fields) == 1
assert account.custom_fields[0].name == "canonical_id"
assert account.custom_fields[0].value == "bcaf1ffd86f41161ca5fb16fd081034f" # Default from moto.
# Make it something else to test overrides:
account.custom_fields[0].value = "replaceme"
db.session.add(account)
db.session.commit()
# Test without override (nothing should be changed):
get_canonical_ids(accounts)
for account in accounts:
assert len(account.custom_fields) == 1
assert account.custom_fields[0].name == "canonical_id"
assert account.custom_fields[0].value == "replaceme"
# Test override:
get_canonical_ids(accounts, override=True)
for account in accounts:
assert len(account.custom_fields) == 1
assert account.custom_fields[0].name == "canonical_id"
assert account.custom_fields[0].value == "bcaf1ffd86f41161ca5fb16fd081034f" # Default from moto.
mock_sts().stop()
mock_s3().stop()
def test_slurp_list(self):
mock_sts().start()
watcher = IAMRole(accounts=[self.account.name])
_, exceptions = watcher.slurp_list()
assert len(exceptions) == 0
assert len(watcher.total_list) == self.total_roles
assert not watcher.done_slurping
mock_sts().stop()
def test_empty_slurp_list(self):
mock_sts().start()
watcher = IAMRole(accounts=[self.account.name])
watcher.list_method = lambda **kwargs: []
_, exceptions = watcher.slurp_list()
assert len(exceptions) == 0
assert len(watcher.total_list) == 0
assert watcher.done_slurping
mock_sts().stop()
def test_slurp_list_exceptions(self):
mock_sts().start()
watcher = IAMRole(accounts=[self.account.name])
def raise_exception():
raise Exception("LOL, HAY!")
watcher.list_method = lambda **kwargs: raise_exception()
_, exceptions = watcher.slurp_list()
assert len(exceptions) == 1
assert len(ExceptionLogs.query.all()) == 1
mock_sts().stop()
def pre_test_setup(self):
self.account_type = AccountType(name='AWS')
db.session.add(self.account_type)
db.session.commit()
for x in range(0, 9):
db.session.add(Account(name="account{}".format(x), account_type_id=self.account_type.id,
identifier="01234567891{}".format(x), active=True))
db.session.commit()
mock_sts().start()
mock_s3().start()
self.s3_client = boto3.client("s3")
self.s3_client.create_bucket(Bucket="testBucket")
def setUpClass(cls):
cls.mock_sts = mock_sts()
cls.mock_sts.start()
cls._upload_creds_attrs = [
'_bucket',
'_key',
'_name',
'_profile_name',
'_resource_string',
'_upload_url',
'_external_policy',
]
cls._external_creds_keys = ['service', 'bucket', 'key', 'upload_credentials']
cls._credentials_keys = [
'session_token', 'access_key', 'expiration', 'secret_key',
'upload_url', 'federated_user_arn', 'federated_user_id', 'request_id',
]
cls._test_bucket = 'mock_bucket'
cls._test_key = 'mock_key'
cls._test_name = 'mock_name'
cls._test_profile_name = 'mock_profile_name'
cls._default_upload_creds = UploadCredentials(
cls._test_bucket,
cls._test_key,
cls._test_name,
cls._test_profile_name,
)
def test_slurp_list_exceptions(self):
mock_sts().start()
watcher = IAMRole(accounts=[self.account.name])
def raise_exception():
raise Exception("LOL, HAY!")
import security_monkey.watchers.iam.iam_role
security_monkey.watchers.iam.iam_role.list_roles = lambda **kwargs: raise_exception()
exceptions = watcher.slurp_list()
assert len(exceptions) == 1
assert len(ExceptionLogs.query.all()) == 1
mock_sts().stop()
def test_watcher_exceptions(self):
"""
Tests that if exceptions are encountered, the watcher continues.
Unfortunately -- moto lacks all of the S3 methods that we need. So this is just a
test to ensure that exception handling works OK.
:return:
"""
mock_sts().start()
s3_watcher = S3(accounts=[self.account.name])
s3_watcher.slurp()
assert len(ExceptionLogs.query.all()) == 3 # We created 3 buckets
mock_s3().stop()
mock_sts().stop()
def test_fetch_aws_canonical_ids_command(self):
accounts = Account.query.all()
fetch_aws_canonical_ids(False)
for account in accounts:
assert len(account.custom_fields) == 1
assert account.custom_fields[0].name == "canonical_id"
assert account.custom_fields[0].value == "bcaf1ffd86f41161ca5fb16fd081034f" # Default from moto.
# Make it something else to test overrides:
account.custom_fields[0].value = "replaceme"
db.session.add(account)
db.session.commit()
# Test without override (nothing should be changed):
fetch_aws_canonical_ids(False)
for account in accounts:
assert len(account.custom_fields) == 1
assert account.custom_fields[0].name == "canonical_id"
assert account.custom_fields[0].value == "replaceme"
# Test override:
fetch_aws_canonical_ids(True)
for account in accounts:
assert len(account.custom_fields) == 1
assert account.custom_fields[0].name == "canonical_id"
assert account.custom_fields[0].value == "bcaf1ffd86f41161ca5fb16fd081034f" # Default from moto.
# Create an inactive account:
inactive = Account(name="inactive", account_type_id=self.account_type.id,
identifier="109876543210")
db.session.add(inactive)
db.session.commit()
# Run the change again:
fetch_aws_canonical_ids(True)
# Ensure that nothing happened to the inactive account:
assert len(inactive.custom_fields) == 0
# Also verify that no exceptions were encountered:
assert len(ExceptionLogs.query.all()) == 0
mock_sts().stop()
mock_s3().stop()
def test_slurp_items_with_exceptions(self):
mock_sts().start()
watcher = IAMRole(accounts=[self.account.name])
# Or else this will take forever:
watcher.batched_size = 10
watcher.slurp_list()
def raise_exception():
raise Exception("LOL, HAY!")
import security_monkey.watchers.iam.iam_role
security_monkey.watchers.iam.iam_role.get_role = lambda **kwargs: raise_exception()
items, exceptions = watcher.slurp()
assert len(exceptions) == self.total_roles
assert len(items) == 0
mock_sts().stop()
def test_slurp_items(self):
mock_sts().start()
watcher = IAMRole(accounts=[self.account.name])
# Or else this will take forever:
watcher.batched_size = 10
watcher.slurp_list()
items, exceptions = watcher.slurp()
assert len(exceptions) == 0
assert self.total_roles > len(items) == watcher.batched_size
assert watcher.batch_counter == 1
# Slurp again:
items, exceptions = watcher.slurp()
assert len(exceptions) == 0
assert self.total_roles > len(items) == watcher.batched_size
assert watcher.batch_counter == 2
mock_sts().stop()
def test_slurp_items_with_exceptions(self):
mock_sts().start()
watcher = IAMRole(accounts=[self.account.name])
# Or else this will take forever:
watcher.batched_size = 10
watcher.slurp_list()
def raise_exception():
raise Exception("LOL, HAY!")
watcher.get_method = lambda *args, **kwargs: raise_exception()
items, exceptions = watcher.slurp()
assert len(exceptions) == watcher.batched_size
assert len(items) == 0
assert watcher.batch_counter == 1
mock_sts().stop()
def setUp(self):
f = tempfile.NamedTemporaryFile(mode='wb', delete=False)
self.tempFileContents = (
b"I'm a temporary file for testing\nAnd this is the second line\n"
b"This is the third.")
self.tempFilePath = f.name
f.write(self.tempFileContents)
f.close()
self.mock_s3 = mock_s3()
self.mock_s3.start()
self.mock_sts = mock_sts()
self.mock_sts.start()
def test_slurp_items_with_skipped(self):
mock_sts().start()
watcher = IAMRole(accounts=[self.account.name])
watcher.batched_size = 5
watcher.slurp_list()
watcher.ignore_list = [
IgnoreListEntry(prefix="roleNumber0"),
IgnoreListEntry(prefix="roleNumber1"),
IgnoreListEntry(prefix="roleNumber6")
]
first_batch, exceptions = watcher.slurp()
item_sum = len(first_batch)
assert len(exceptions) == 0
assert watcher.batch_counter == 1
batch_lookup = {} # Ensure we aren't processing duplicates
for r in first_batch:
assert r.name not in watcher.ignore_list # Ensure we properly ignore the things
batch_lookup[r.name] = True
# Slurp again:
second_batch, exceptions = watcher.slurp()
item_sum += len(second_batch)
assert len(exceptions) == 0
assert watcher.batch_counter == 2
for r in second_batch:
assert r.name not in watcher.ignore_list
assert not batch_lookup.get(r.name)
batch_lookup[r.name] = True
# Sum of items should be total items - length of the ignored items:
assert self.total_roles - len(watcher.ignore_list) == item_sum == len(batch_lookup)
mock_sts().stop()
def setUp(self):
f = tempfile.NamedTemporaryFile(mode='wb', delete=False)
self.tempFilePath = f.name
self.tempFileContents = b"I'm a temporary file for testing\n"
f.write(self.tempFileContents)
f.close()
self.addCleanup(os.remove, self.tempFilePath)
self.mock_s3 = mock_s3()
self.mock_s3.start()
self.mock_sts = mock_sts()
self.mock_sts.start()
self.addCleanup(self.mock_s3.stop)
self.addCleanup(self.mock_sts.stop)
def moto_sts():
with moto.mock_sts():
yield True
def sts(aws_credentials):
"""Mocked STS Fixture."""
with mock_sts():
yield boto3.client("sts", region_name="us-east-1")
def test_find_batch_changes(self):
"""
Runs through a full find job via the IAMRole watcher, as that supports batching.
However, this is mostly testing the logic through each function call -- this is
not going to do any boto work and that will instead be mocked out.
:return:
"""
from security_monkey.scheduler import find_changes
from security_monkey.monitors import Monitor
from security_monkey.watchers.iam.iam_role import IAMRole
from security_monkey.auditors.iam.iam_role import IAMRoleAuditor
test_account = Account(name="TEST_ACCOUNT1")
watcher = IAMRole(accounts=[test_account.name])
technology = Technology(name="iamrole")
db.session.add(technology)
db.session.commit()
watcher.batched_size = 3 # should loop 4 times
self.add_roles()
# Set up the monitor:
batched_monitor = Monitor(IAMRole, test_account)
batched_monitor.watcher = watcher
batched_monitor.auditors = [
IAMRoleAuditor(accounts=[test_account.name])
]
import security_monkey.scheduler
security_monkey.scheduler.get_monitors = lambda x, y, z: [
batched_monitor
]
# Moto screws up the IAM Role ARN -- so we need to fix it:
original_slurp_list = watcher.slurp_list
original_slurp = watcher.slurp
def mock_slurp_list():
items, exception_map = original_slurp_list()
for item in watcher.total_list:
item["Arn"] = "arn:aws:iam::012345678910:role/{}".format(
item["RoleName"])
return items, exception_map
def mock_slurp():
batched_items, exception_map = original_slurp()
for item in batched_items:
item.arn = "arn:aws:iam::012345678910:role/{}".format(
item.name)
item.config["Arn"] = item.arn
item.config["RoleId"] = item.name # Need this to stay the same
return batched_items, exception_map
watcher.slurp_list = mock_slurp_list
watcher.slurp = mock_slurp
find_changes([test_account.name], test_account.name)
# Check that all items were added to the DB:
assert len(Item.query.all()) == 11
# Check that we have exactly 11 item revisions:
assert len(ItemRevision.query.all()) == 11
# Check that there are audit issues for all 11 items:
assert len(ItemAudit.query.all()) == 11
# Delete one of the items:
# Moto lacks implementation for "delete_role" (and I'm too lazy to submit a PR :D) -- so need to create again...
mock_iam().stop()
mock_sts().stop()
self.add_roles(initial=False)
# Run the it again:
watcher.current_account = None # Need to reset the watcher
find_changes([test_account.name], test_account.name)
# Check that nothing new was added:
assert len(Item.query.all()) == 11
# There should be the same number of issues and 2 more revisions:
assert len(ItemAudit.query.all()) == 11
assert len(ItemRevision.query.all()) == 13
# Check that the deleted roles show as being inactive:
ir = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)) \
.filter(Item.arn.in_(
["arn:aws:iam::012345678910:role/roleNumber9",
"arn:aws:iam::012345678910:role/roleNumber10"])).all()
assert len(ir) == 2
assert not ir[0].active
assert not ir[1].active
# Finally -- test with a slurp list exception (just checking that things don't blow up):
def mock_slurp_list_with_exception():
import security_monkey.watchers.iam.iam_role
security_monkey.watchers.iam.iam_role.list_roles = lambda **kwargs: 1 / 0
items, exception_map = original_slurp_list()
assert len(exception_map) > 0
return items, exception_map
watcher.slurp_list = mock_slurp_list_with_exception
watcher.current_account = None # Need to reset the watcher
find_changes([test_account.name], test_account.name)
mock_iam().stop()
mock_sts().stop()
def sts_resource_objects(region=default_region):
session = boto3.Session(profile_name=setup_profilename)
client = session.client('sts', region_name=region)
yield client
moto.mock_sts().stop()
def pytest_sessionstart(session):
if session.config.option.verbose > 2:
set_logging(level=logging.DEBUG) #, logfile="tests.log")
mock_sts().start()
def setup_s3_and_ddb(aws_credentials):
mock_cloudformation().start()
mock_dynamodb2().start()
mock_s3().start()
mock_ses().start()
mock_sts().start()
dynamodb_client = awshelper.get_resource(awshelper.ServiceName.dynamodb)
table = dynamodb_client.create_table(
TableName=config.DefaultValue.config_table_name,
KeySchema=[
{
'AttributeName': 'partitionkey',
'KeyType': 'HASH'
},
{
'AttributeName': 'sortkey',
'KeyType': 'RANGE'
}
],
AttributeDefinitions=[
{
'AttributeName': 'partitionkey',
'AttributeType': 'S'
},
{
'AttributeName': 'sortkey',
'AttributeType': 'S'
}
]
)
s3_client = awshelper.get_client(awshelper.ServiceName.s3)
s3_client.create_bucket(
Bucket=TestValues.test_bucket_1_name,
CreateBucketConfiguration={
'LocationConstraint': 'us-west-2'})
s3_client.create_bucket(
Bucket=TestValues.test_bucket_2_name,
CreateBucketConfiguration={
'LocationConstraint': 'us-west-2'})
body = bytes('hello world', 'utf-8')
s3_client.put_object(
Bucket=TestValues.test_bucket_1_name,
Key='sampleobject',
Body=body)
s3_client.create_bucket(
Bucket=config.DeploymentDetails.consolidated_inventory_bucket_name,
CreateBucketConfiguration={
'LocationConstraint': 'us-west-2'})
index = config.ServiceParameters.iterator_count
ddb.store_iterator_index(
config.ServiceParameters.inventory_monitor_iterator_name,
index)
yield TestResources(table, None, None)
mock_sts().stop()
mock_ses().stop()
mock_s3().stop()
mock_dynamodb2().stop()
mock_cloudformation().stop()
def test_find_batch_changes(self):
"""
Runs through a full find job via the IAMRole watcher, as that supports batching.
However, this is mostly testing the logic through each function call -- this is
not going to do any boto work and that will instead be mocked out.
:return:
"""
from security_monkey.scheduler import find_changes
from security_monkey.monitors import Monitor
from security_monkey.watchers.iam.iam_role import IAMRole
from security_monkey.auditors.iam.iam_role import IAMRoleAuditor
test_account = Account(name="TEST_ACCOUNT1")
watcher = IAMRole(accounts=[test_account.name])
technology = Technology(name="iamrole")
db.session.add(technology)
db.session.commit()
watcher.batched_size = 3 # should loop 4 times
self.add_roles()
# Set up the monitor:
batched_monitor = Monitor(IAMRole, test_account)
batched_monitor.watcher = watcher
batched_monitor.auditors = [IAMRoleAuditor(accounts=[test_account.name])]
import security_monkey.scheduler
security_monkey.scheduler.get_monitors = lambda x, y, z: [batched_monitor]
# Moto screws up the IAM Role ARN -- so we need to fix it:
original_slurp_list = watcher.slurp_list
original_slurp = watcher.slurp
def mock_slurp_list():
exception_map = original_slurp_list()
for item in watcher.total_list:
item["Arn"] = "arn:aws:iam::012345678910:role/{}".format(item["RoleName"])
return exception_map
def mock_slurp():
batched_items, exception_map = original_slurp()
for item in batched_items:
item.arn = "arn:aws:iam::012345678910:role/{}".format(item.name)
item.config["Arn"] = item.arn
item.config["RoleId"] = item.name # Need this to stay the same
return batched_items, exception_map
watcher.slurp_list = mock_slurp_list
watcher.slurp = mock_slurp
find_changes([test_account.name], test_account.name)
# Check that all items were added to the DB:
assert len(Item.query.all()) == 11
# Check that we have exactly 11 item revisions:
assert len(ItemRevision.query.all()) == 11
# Check that there are audit issues for all 11 items:
assert len(ItemAudit.query.all()) == 11
# Delete one of the items:
# Moto lacks implementation for "delete_role" (and I'm too lazy to submit a PR :D) -- so need to create again...
mock_iam().stop()
mock_sts().stop()
self.add_roles(initial=False)
# Run the it again:
watcher.current_account = None # Need to reset the watcher
find_changes([test_account.name], test_account.name)
# Check that nothing new was added:
assert len(Item.query.all()) == 11
# There should be 2 less issues and 2 more revisions:
assert len(ItemAudit.query.all()) == 9
assert len(ItemRevision.query.all()) == 13
# Check that the deleted roles show as being inactive:
ir = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)) \
.filter(Item.arn.in_(
["arn:aws:iam::012345678910:role/roleNumber9",
"arn:aws:iam::012345678910:role/roleNumber10"])).all()
assert len(ir) == 2
assert not ir[0].active
assert not ir[1].active
# Finally -- test with a slurp list exception (just checking that things don't blow up):
def mock_slurp_list_with_exception():
import security_monkey.watchers.iam.iam_role
security_monkey.watchers.iam.iam_role.list_roles = lambda **kwargs: 1 / 0
exception_map = original_slurp_list()
assert len(exception_map) > 0
return exception_map
watcher.slurp_list = mock_slurp_list_with_exception
watcher.current_account = None # Need to reset the watcher
find_changes([test_account.name], test_account.name)
mock_iam().stop()
mock_sts().stop()
def sts(aws_credentials):
with mock_sts():
yield boto3.client("sts", region_name="us-east-1")
def sh(self):
with moto.mock_ec2(), moto.mock_sts():
sh = security_hub_rules.SecurityHubRules(logging)
yield sh
def setup(self):
with moto.mock_dynamodb2(), moto.mock_sts():
setup = lambda_handler.Setup(logging)
yield setup
def account_id():
account_id = "123456789"
os.environ["MOTO_ACCOUNT_ID"] = account_id
with mock_sts():
yield account_id
def sts(conn_dict):
with mock_sts():
yield boto3.client("sts", region_name="us-east-1")
def sim_iam(request):
mock_iam_instance = mock_iam()
mock_iam_instance.start()
mock_sts_instance = mock_sts()
mock_sts_instance.start()
# Create a user with attached policies
user = clients.iam_resource.create_user(UserName='******')
group = clients.iam_resource.create_group(GroupName='jgroup')
group_policy = clients.iam_resource.create_policy(
PolicyName='group-managed-policy',
PolicyDocument=utils.make_iam_policy([{
'Action': 'iam:CreatePolicyVersion',
'Resource': '*',
'Effect': 'Allow'
}, {
'Action': 'iam:ListPolicyVersions',
'Resource': '*',
'Effect': 'Allow'
}]))
group.attach_policy(PolicyArn=group_policy.arn)
group.create_policy(PolicyName='group-policy',
PolicyDocument=utils.make_iam_policy([{
'Action': 'iam:PutGroupPolicy',
'Resource': '*',
'Effect': 'Allow'
}]))
user.add_group(GroupName='jgroup')
user_policy = clients.iam_resource.create_policy(
PolicyName='user-managed-policy',
PolicyDocument=utils.make_iam_policy([{
'Action': 'iam:CreatePolicy',
'Resource': '*',
'Effect': 'Allow'
}]))
user.attach_policy(PolicyArn=user_policy.arn)
user.create_policy(PolicyName='user-policy',
PolicyDocument=utils.make_iam_policy([{
'Action': 'iam:PutUserPolicy',
'Resource': '*',
'Effect': 'Allow'
}]))
if request.param >= 'role-empty':
role = clients.iam_resource.create_role(
RoleName='u-john',
AssumeRolePolicyDocument=utils.make_iam_policy([{
'Effect': 'Allow',
'Action': 'sts:AssumeRole',
'Principal': {
'AWS': 'arn:aws:iam::123456789012:role/*'
}
}]))
if request.param >= 'role-full':
role.attach_policy(PolicyArn=user_policy.arn)
role.attach_policy(PolicyArn=group_policy.arn)
role.Policy('user-policy').put(
PolicyDocument=utils.make_iam_policy([{
'Action': 'iam:PutUserPolicy',
'Resource': '*',
'Effect': 'Allow'
}]))
role.Policy('group-policy').put(
PolicyDocument=utils.make_iam_policy([{
'Action': 'iam:PutGroupPolicy',
'Resource': '*',
'Effect': 'Allow'
}]))
if request.param >= 'role-overfull':
extra_policy = clients.iam_resource.create_policy(
PolicyName='extra-managed-policy',
PolicyDocument=utils.make_iam_policy([{
'Action': 'ec2:*',
'Resource': '*',
'Effect': 'Deny'
}]))
role.attach_policy(PolicyArn=extra_policy.arn)
role.Policy('extra-policy').put(
PolicyDocument=utils.make_iam_policy([{
'Action': 's3:*',
'Resource': '*',
'Effect': 'Deny'
}]))
yield request.param
mock_sts_instance.stop()
mock_iam_instance.stop()
def boto3_client():
with mock_sts():
yield Boto3Client("123456789", "eu-west-1", "stack-id")
def setUp(self):
self.mock_s3 = mock_s3()
self.mock_sts = mock_sts()
self.mock_s3.start()
self.mock_sts.start()
self.team = 'a-team'
self.component_name = 'a-service'
self.raw_scheme = {
'accounts': {
'dev': {
'id': '123456789',
'role': 'admin',
},
'prod': {
'id': '987654321',
'role': 'admin',
},
'release': {
'id': '98754321',
'role': 'admin',
},
},
'release-bucket': 'release-bucket',
'lambda-bucket': 'lambda-bucket',
'release-account': 'dev',
'default-region': 'eu-west-1',
'environments': {},
'terraform-backend-s3-bucket': 'backend-s3-bucket',
'terraform-backend-s3-dynamodb-table': 'backend-s3-dynamodb-table',
}
self.old_raw_scheme = {
'accounts': {
'dev': {
'id': '123456789',
'role': 'admin',
},
'prod': {
'id': '987654321',
'role': 'admin',
},
},
'release-bucket': 'release-bucket',
'lambda-bucket': 'lambda-bucket',
'release-account': 'dev',
'default-region': 'eu-west-1',
'environments': {},
'classic-metadata-handling': True,
}
self.s3_resource = boto3.resource('s3', region_name='eu-west-1')
self.s3_client = boto3.client('s3', region_name='eu-west-1')
self.old_state_bucket = 'cdflow-tfstate'
self.new_state_bucket = 'backend-s3-bucket'
self.s3_client.create_bucket(
Bucket=self.old_state_bucket,
CreateBucketConfiguration={
'LocationConstraint': 'eu-west-1',
},
)
self.s3_client.put_bucket_tagging(Bucket=self.old_state_bucket,
Tagging={
'TagSet': [{
'Key': TFSTATE_TAG_NAME,
'Value': TAG_VALUE,
}]
})
self.s3_client.create_bucket(
Bucket=self.new_state_bucket,
CreateBucketConfiguration={
'LocationConstraint': 'eu-west-1',
},
)
def sts(aws_credentials):
with mock_sts():
yield boto3.resource("sts", region_name="eu-west-1")
}
)
mock_env.start()
region = os.environ['REGION']
function_name = os.environ['FUNCTION_NAME']
from cfn_auto_update_broker import (get_lambda_arn,
create_event,
put_targets,
delete_event,
lambda_add_resource_policy,
lambda_remove_resource_policy,
lambda_handler)
mock = mock_sts()
mock.start()
account_id = boto3.client('sts').get_caller_identity().get('Account')
mock.stop()
# TestFunction plagarized from:
# https://github.com/spulec/moto/issues/1338
def _process_lambda(func_str):
zip_output = io.BytesIO()
zip_file = zipfile.ZipFile(zip_output, 'w', zipfile.ZIP_DEFLATED)
zip_file.writestr('lambda_function.py', func_str)
zip_file.close()
zip_output.seek(0)
return zip_output.read()
def sts():
with mock_sts():
yield boto3.client('sts', region_name='us-east-1')
def sts():
with mock_sts():
yield boto3.client('sts', region_name='us-east-1')
def mock_s3(app, bucket=None):
with moto.mock_s3(), moto.mock_sts():
s3 = boto3.resource('s3', app.config['LOCH_S3_REGION'])
s3.create_bucket(Bucket=bucket or app.config['LOCH_S3_BUCKET'])
yield s3
def test_report_batch_changes(self):
from security_monkey.alerter import Alerter
from security_monkey.reporter import Reporter
from security_monkey.datastore import Item, ItemRevision, ItemAudit
from security_monkey.monitors import Monitor
from security_monkey.watchers.iam.iam_role import IAMRole
from security_monkey.auditors.iam.iam_role import IAMRoleAuditor
account_type_result = AccountType.query.filter(
AccountType.name == "AWS").one()
db.session.add(account_type_result)
db.session.commit()
test_account = Account(identifier="012345678910",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT1",
third_party=False,
active=True)
watcher = IAMRole(accounts=[test_account.name])
db.session.commit()
watcher.batched_size = 3 # should loop 4 times
self.add_roles()
# Set up the monitor:
batched_monitor = Monitor(IAMRole, test_account)
batched_monitor.watcher = watcher
batched_monitor.auditors = [
IAMRoleAuditor(accounts=[test_account.name])
]
# Set up the Reporter:
import security_monkey.reporter
old_all_monitors = security_monkey.reporter.all_monitors
security_monkey.reporter.all_monitors = lambda x, y: []
test_reporter = Reporter()
test_reporter.all_monitors = [batched_monitor]
test_reporter.account_alerter = Alerter(
watchers_auditors=test_reporter.all_monitors,
account=test_account.name)
import security_monkey.scheduler
# import security_monkey.monitors
# old_get_monitors = security_monkey.scheduler.get_monitors
security_monkey.scheduler.get_monitors = lambda x, y, z: [
batched_monitor
]
# Moto screws up the IAM Role ARN -- so we need to fix it:
original_slurp_list = watcher.slurp_list
original_slurp = watcher.slurp
def mock_slurp_list():
items, exception_map = original_slurp_list()
for item in watcher.total_list:
item["Arn"] = "arn:aws:iam::012345678910:role/{}".format(
item["RoleName"])
return items, exception_map
def mock_slurp():
batched_items, exception_map = original_slurp()
for item in batched_items:
item.arn = "arn:aws:iam::012345678910:role/{}".format(
item.name)
item.config["Arn"] = item.arn
item.config["RoleId"] = item.name # Need this to stay the same
return batched_items, exception_map
watcher.slurp_list = mock_slurp_list
watcher.slurp = mock_slurp
test_reporter.run(account=test_account.name)
# Check that all items were added to the DB:
assert len(Item.query.all()) == 11
# Check that we have exactly 11 item revisions:
assert len(ItemRevision.query.all()) == 11
# Check that there are audit issues for all 11 items:
assert len(ItemAudit.query.all()) == 11
mock_iam().stop()
mock_sts().stop()
# Something isn't cleaning itself up properly and causing other core tests to fail.
# This is the solution:
security_monkey.reporter.all_monitors = old_all_monitors
import monitor_mock
security_monkey.scheduler.get_monitors = monitor_mock.mock_get_monitors
def fake_sts(app):
"""Fake the AWS security token service used to deliver S3 content (photos, note attachments)."""
mock_sts().start()
yield
mock_sts().stop()
def sts():
with mock_sts():
yield boto3.client("sts", region_name="us-east-1")
def sts_client(aws_credentials):
"""Yield a mock STS client that will not affect a real AWS account."""
with mock_sts():
yield boto3.client("sts", region_name=AWS_REGION)
def test_report_batch_changes(self):
from security_monkey.alerter import Alerter
from security_monkey.reporter import Reporter
from security_monkey.datastore import Item, ItemRevision, ItemAudit
from security_monkey.monitors import Monitor
from security_monkey.watchers.iam.iam_role import IAMRole
from security_monkey.auditors.iam.iam_role import IAMRoleAuditor
account_type_result = AccountType.query.filter(AccountType.name == "AWS").one()
db.session.add(account_type_result)
db.session.commit()
test_account = Account(name="TEST_ACCOUNT")
watcher = IAMRole(accounts=[test_account.name])
db.session.commit()
watcher.batched_size = 3 # should loop 4 times
self.add_roles()
# Set up the monitor:
batched_monitor = Monitor(IAMRole, test_account)
batched_monitor.watcher = watcher
batched_monitor.auditors = [IAMRoleAuditor(accounts=[test_account.name])]
# Set up the Reporter:
import security_monkey.reporter
old_all_monitors = security_monkey.reporter.all_monitors
security_monkey.reporter.all_monitors = lambda x, y: []
test_reporter = Reporter()
test_reporter.all_monitors = [batched_monitor]
test_reporter.account_alerter = Alerter(watchers_auditors=test_reporter.all_monitors, account=test_account.name)
import security_monkey.scheduler
# import security_monkey.monitors
# old_get_monitors = security_monkey.scheduler.get_monitors
security_monkey.scheduler.get_monitors = lambda x, y, z: [batched_monitor]
# Moto screws up the IAM Role ARN -- so we need to fix it:
original_slurp_list = watcher.slurp_list
original_slurp = watcher.slurp
def mock_slurp_list():
exception_map = original_slurp_list()
for item in watcher.total_list:
item["Arn"] = "arn:aws:iam::012345678910:role/{}".format(item["RoleName"])
return exception_map
def mock_slurp():
batched_items, exception_map = original_slurp()
for item in batched_items:
item.arn = "arn:aws:iam::012345678910:role/{}".format(item.name)
item.config["Arn"] = item.arn
item.config["RoleId"] = item.name # Need this to stay the same
return batched_items, exception_map
watcher.slurp_list = mock_slurp_list
watcher.slurp = mock_slurp
test_reporter.run(account=test_account.name)
# Check that all items were added to the DB:
assert len(Item.query.all()) == 11
# Check that we have exactly 11 item revisions:
assert len(ItemRevision.query.all()) == 11
# Check that there are audit issues for all 11 items:
assert len(ItemAudit.query.all()) == 11
mock_iam().stop()
mock_sts().stop()
# Something isn't cleaning itself up properly and causing other core tests to fail.
# This is the solution:
security_monkey.reporter.all_monitors = old_all_monitors
import monitor_mock
security_monkey.scheduler.get_monitors = monitor_mock.mock_get_monitors