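def test_slurp(self):
    """Create one mocked Route 53 hosted zone with a single A record and
    check that the Route53 watcher reports exactly one item.

    The boto calls are expected to hit a mocked AWS backend (the mocking
    decorator/fixture is not visible in this excerpt); the key/secret handed
    to boto are placeholders, not real credentials, and must stay that way.
    """
    # Fake source account registered with the mocked account query.
    test_account = Account()
    test_account.name = "TEST_ACCOUNT"
    test_account.notes = "TEST ACCOUNT"
    test_account.s3_name = "TEST_ACCOUNT"
    test_account.number = "012345678910"  # fake 12-digit account id
    test_account.role_name = "TEST_ACCOUNT"
    mock_query.add_account(test_account)

    # Fixture: one hosted zone holding one A record.
    conn = boto.connect_route53('the_key', 'the_secret')
    zone = conn.create_hosted_zone("testdns.aws.com")
    # The Id comes back as "/hostedzone/<ID>"; keep only the trailing ID.
    zone_id = zone["CreateHostedZoneResponse"]["HostedZone"]["Id"].split("/")[-1]
    changes = boto.route53.record.ResourceRecordSets(conn, zone_id)
    change = changes.add_change("CREATE", "testdns.aws.com", "A")
    change.add_value("10.1.1.1")
    changes.commit()

    watcher = Route53(accounts=[test_account.name])
    item_list, exception_map = watcher.slurp()
    # assertEqual, not assertIs: `len(...) is 1` only held because CPython
    # caches small ints; identity is the wrong comparison for a count.
    self.assertEqual(len(item_list), 1,
                     msg="Watcher should have 1 item but has {}".format(len(item_list)))
    # NOTE(review): exception_map is never inspected, so a watcher that
    # swallowed an error while enumerating would still pass; consider
    # asserting it is empty once its shape is confirmed.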
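def test_slurp(self):
    """Create one mocked Lambda function and check that the LambdaFunction
    watcher reports exactly one item.

    The boto3 calls are expected to hit a mocked AWS backend (the mocking
    decorator/fixture is not visible in this excerpt). Runtime/Role values
    are fixture placeholders for the mock, not a statement about supported
    runtimes or a real IAM role.
    """
    # Fake source account registered with the mocked account query.
    test_account = Account()
    test_account.name = "TEST_ACCOUNT"
    test_account.notes = "TEST ACCOUNT"
    test_account.s3_name = "TEST_ACCOUNT"
    test_account.number = "012345678910"  # fake 12-digit account id
    test_account.role_name = "TEST_ACCOUNT"
    mock_query.add_account(test_account)

    conn = boto3.client('lambda', 'us-east-1')
    conn.create_function(
        FunctionName='testFunction',
        Runtime='python2.7',
        Role='test-iam-role',
        Handler='lambda_function.handler',
        Code={
            # get_test_zip_file() is a helper defined elsewhere in the test module.
            'ZipFile': get_test_zip_file()
        },
        Description='test lambda function',
        Timeout=3,
        MemorySize=128,
        Publish=True,
    )

    watcher = LambdaFunction(accounts=[test_account.name])
    item_list, exception_map = watcher.slurp()
    # assertEqual, not assertIs: `len(...) is 1` only held because CPython
    # caches small ints; identity is the wrong comparison for a count.
    self.assertEqual(len(item_list), 1,
                     msg="Watcher should have 1 item but has {}".format(len(item_list)))
    # NOTE(review): exception_map is never inspected, so a watcher that
    # swallowed an error while enumerating would still pass; consider
    # asserting it is empty once its shape is confirmed.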
def add_account(number, third_party, name, s3_name, active, notes, role_name='SecurityMonkey', edit=False):
    """Add an account row keyed by its AWS account number.

    If a row with this number already exists, return False without touching
    it, unless ``edit`` is True, in which case the existing row is deleted and
    a fresh one is written from the supplied values. Returns True when a row
    was written.

    ``role_name`` is the IAM role Security Monkey will assume in the target
    account; it defaults to 'SecurityMonkey'.

    NOTE(review): the edit path deletes and re-inserts rather than updating in
    place, so the row's primary key changes; anything that references the old
    id (not visible in this excerpt) would be affected — confirm before relying
    on ``edit=True``.
    """
    existing = Account.query.filter(Account.number == number)
    already_present = bool(existing.count())

    if already_present and not edit:
        return False
    if already_present:
        existing.delete()

    new_account = Account()
    new_account.name = name
    new_account.s3_name = s3_name
    new_account.number = number
    new_account.role_name = role_name
    new_account.notes = notes
    new_account.active = active
    new_account.third_party = third_party

    db.session.add(new_account)
    db.session.commit()
    return True
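def test_slurp(self):
    """Create one mocked DHCP option set and check that the DHCP watcher
    reports exactly one item.

    The boto3 calls are expected to hit a mocked AWS backend (the mocking
    decorator/fixture is not visible in this excerpt).
    """
    # Fake source account registered with the mocked account query.
    test_account = Account()
    test_account.name = "TEST_ACCOUNT"
    test_account.notes = "TEST ACCOUNT"
    test_account.s3_name = "TEST_ACCOUNT"
    test_account.number = "012345678910"  # fake 12-digit account id
    test_account.role_name = "TEST_ACCOUNT"
    mock_query.add_account(test_account)

    ec2 = boto3.resource('ec2', region_name='us-east-1')
    ec2.create_dhcp_options(DhcpConfigurations=[
        {'Key': 'domain-name', 'Values': ['example.com']},
        {'Key': 'domain-name-servers', 'Values': ['10.0.10.2']},
    ])

    watcher = DHCP(accounts=[test_account.name])
    item_list, exception_map = watcher.slurp()
    # assertEqual, not assertIs: `len(...) is 1` only held because CPython
    # caches small ints; identity is the wrong comparison for a count.
    self.assertEqual(len(item_list), 1,
                     msg="Watcher should have 1 item but has {}".format(len(item_list)))
    # NOTE(review): exception_map is never inspected, so a watcher that
    # swallowed an error while enumerating would still pass; consider
    # asserting it is empty once its shape is confirmed.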
def setUp(self):
    """Build the Elasticsearch Service fixture items and persist the fake
    source account they all belong to.

    Every item is attributed to the account named "TEST_ACCOUNT"; the
    CONFIG_* payloads are module-level fixtures defined elsewhere.
    """
    # (region, domain name, config) for each fixture item, in the original order.
    item_specs = [
        ("us-east-1", "es_test", CONFIG_ONE),
        ("us-west-2", "es_test_2", CONFIG_TWO),
        ("eu-west-1", "es_test_3", CONFIG_THREE),
        ("us-east-1", "es_test_4", CONFIG_FOUR),
        ("us-east-1", "es_test_5", CONFIG_FIVE),
        ("eu-west-1", "es_test_6", CONFIG_SIX),
        ("eu-west-1", "es_test_7", CONFIG_SEVEN),
        ("eu-west-1", "es_test_8", CONFIG_EIGHT),
        ("us-east-1", "es_test_9", CONFIG_NINE),
    ]
    self.es_items = [
        ElasticSearchServiceItem(region=region, account="TEST_ACCOUNT", name=name, config=config)
        for region, name, config in item_specs
    ]

    # Add the fake source account into the database (real session, not a mock).
    test_account = Account()
    for attr, value in (
        ("name", "TEST_ACCOUNT"),
        ("notes", "TEST ACCOUNT"),
        ("s3_name", "TEST_ACCOUNT"),
        ("number", "012345678910"),  # fake 12-digit account id
        ("role_name", "TEST_ACCOUNT"),
    ):
        setattr(test_account, attr, value)
    db.session.add(test_account)
    db.session.commit()
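def test_slurp(self):
    """Create one mocked VPC and check that the RouteTable watcher reports
    exactly one item.

    The boto calls are expected to hit a mocked AWS backend (the mocking
    decorator/fixture is not visible in this excerpt); the key/secret handed
    to boto are placeholders, not real credentials. The single expected item
    is presumably the main route table that comes with the VPC — the test
    never creates a route table explicitly.
    """
    # Fake source account registered with the mocked account query.
    test_account = Account()
    test_account.name = "TEST_ACCOUNT"
    test_account.notes = "TEST ACCOUNT"
    test_account.s3_name = "TEST_ACCOUNT"
    test_account.number = "012345678910"  # fake 12-digit account id
    test_account.role_name = "TEST_ACCOUNT"
    mock_query.add_account(test_account)

    conn = boto.connect_vpc("the_key", "the secret")
    conn.create_vpc("10.0.0.0/16")

    watcher = RouteTable(accounts=[test_account.name])
    item_list, exception_map = watcher.slurp()
    # assertEqual, not assertIs: `len(...) is 1` only held because CPython
    # caches small ints; identity is the wrong comparison for a count.
    self.assertEqual(len(item_list), 1,
                     msg="Watcher should have 1 item but has {}".format(len(item_list)))
    # NOTE(review): exception_map is never inspected, so a watcher that
    # swallowed an error while enumerating would still pass; consider
    # asserting it is empty once its shape is confirmed.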
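def test_slurp(self):
    """Launch one mocked instance, image it, and check that the EC2Image
    watcher reports exactly one item.

    The boto3 calls are expected to hit a mocked AWS backend (the mocking
    decorator/fixture is not visible in this excerpt); the AMI id is a
    placeholder the mock accepts.
    """
    # Fake source account registered with the mocked account query.
    test_account = Account()
    test_account.name = "TEST_ACCOUNT"
    test_account.notes = "TEST ACCOUNT"
    test_account.s3_name = "TEST_ACCOUNT"
    test_account.number = "012345678910"  # fake 12-digit account id
    test_account.role_name = "TEST_ACCOUNT"
    mock_query.add_account(test_account)

    conn = boto3.client("ec2", "us-east-1")
    reservation = conn.run_instances(ImageId="ami-1234abcd", MinCount=1, MaxCount=1)
    instance = reservation["Instances"][0]
    conn.create_image(InstanceId=instance["InstanceId"], Name="test-ami", Description="this is a test ami")

    watcher = EC2Image(accounts=[test_account.name])
    item_list, exception_map = watcher.slurp()
    # assertEqual, not assertIs: `len(...) is 1` only held because CPython
    # caches small ints; identity is the wrong comparison for a count.
    self.assertEqual(len(item_list), 1,
                     msg="Watcher should have 1 item but has {}".format(len(item_list)))
    # NOTE(review): exception_map is never inspected, so a watcher that
    # swallowed an error while enumerating would still pass; consider
    # asserting it is empty once its shape is confirmed.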
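def test_slurp(self):
    """Create one mocked 50 GiB EBS volume and check that the EBSVolume
    watcher reports exactly one item.

    The boto calls are expected to hit a mocked AWS backend (the mocking
    decorator/fixture is not visible in this excerpt); the key/secret handed
    to boto are placeholders, not real credentials.
    """
    # Fake source account registered with the mocked account query.
    test_account = Account()
    test_account.name = "TEST_ACCOUNT"
    test_account.notes = "TEST ACCOUNT"
    test_account.s3_name = "TEST_ACCOUNT"
    test_account.number = "012345678910"  # fake 12-digit account id
    test_account.role_name = "TEST_ACCOUNT"
    mock_query.add_account(test_account)

    conn = boto.connect_ec2('the_key', 'the_secret')
    conn.create_volume(50, "us-east-1a")  # size in GiB, availability zone

    watcher = EBSVolume(accounts=[test_account.name])
    item_list, exception_map = watcher.slurp()
    # assertEqual, not assertIs: `len(...) is 1` only held because CPython
    # caches small ints; identity is the wrong comparison for a count.
    self.assertEqual(len(item_list), 1,
                     msg="Watcher should have 1 item but has {}".format(len(item_list)))
    # NOTE(review): exception_map is never inspected, so a watcher that
    # swallowed an error while enumerating would still pass; consider
    # asserting it is empty once its shape is confirmed.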
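def test_slurp(self):
    """Launch one mocked instance and check that the EC2Instance watcher
    reports exactly one item.

    The boto3 calls are expected to hit a mocked AWS backend (the mocking
    decorator/fixture is not visible in this excerpt); the AMI id is a
    placeholder the mock accepts.
    """
    # Fake source account registered with the mocked account query.
    test_account = Account()
    test_account.name = "TEST_ACCOUNT"
    test_account.notes = "TEST ACCOUNT"
    test_account.s3_name = "TEST_ACCOUNT"
    test_account.number = "012345678910"  # fake 12-digit account id
    test_account.role_name = "TEST_ACCOUNT"
    mock_query.add_account(test_account)

    conn = boto3.client('ec2', 'us-east-1')
    conn.run_instances(ImageId='ami-1234abcd', MinCount=1, MaxCount=1)

    watcher = EC2Instance(accounts=[test_account.name])
    item_list, exception_map = watcher.slurp()
    # assertEqual, not assertIs: `len(...) is 1` only held because CPython
    # caches small ints; identity is the wrong comparison for a count.
    self.assertEqual(len(item_list), 1,
                     msg="Watcher should have 1 item but has {}".format(len(item_list)))
    # NOTE(review): exception_map is never inspected, so a watcher that
    # swallowed an error while enumerating would still pass; consider
    # asserting it is empty once its shape is confirmed.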
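def test_slurp(self):
    """Launch one mocked instance and check that the EC2Instance watcher
    reports exactly one item.

    The boto3 calls are expected to hit a mocked AWS backend (the mocking
    decorator/fixture is not visible in this excerpt); the AMI id is a
    placeholder the mock accepts.
    """
    # Fake source account registered with the mocked account query.
    test_account = Account()
    test_account.name = "TEST_ACCOUNT"
    test_account.notes = "TEST ACCOUNT"
    test_account.s3_name = "TEST_ACCOUNT"
    test_account.number = "012345678910"  # fake 12-digit account id
    test_account.role_name = "TEST_ACCOUNT"
    mock_query.add_account(test_account)

    conn = boto3.client('ec2', 'us-east-1')
    conn.run_instances(ImageId='ami-1234abcd', MinCount=1, MaxCount=1)

    watcher = EC2Instance(accounts=[test_account.name])
    item_list, exception_map = watcher.slurp()
    # assertEqual, not assertIs: `len(...) is 1` only held because CPython
    # caches small ints; identity is the wrong comparison for a count.
    self.assertEqual(len(item_list), 1,
                     msg="Watcher should have 1 item but has {}".format(len(item_list)))
    # NOTE(review): exception_map is never inspected, so a watcher that
    # swallowed an error while enumerating would still pass; consider
    # asserting it is empty once its shape is confirmed.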
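def test_slurp(self):
    """Create one mocked RDS DB security group and check that the
    RDSSecurityGroup watcher reports exactly one item.

    The boto calls are expected to hit a mocked AWS backend (the mocking
    decorator/fixture is not visible in this excerpt).
    """
    # Fake source account registered with the mocked account query.
    test_account = Account()
    test_account.name = "TEST_ACCOUNT"
    test_account.notes = "TEST ACCOUNT"
    test_account.s3_name = "TEST_ACCOUNT"
    test_account.number = "012345678910"  # fake 12-digit account id
    test_account.role_name = "TEST_ACCOUNT"
    mock_query.add_account(test_account)

    conn = boto.rds.connect_to_region('us-east-1')
    conn.create_dbsecurity_group('db_sg1', 'DB Security Group')  # name, description

    watcher = RDSSecurityGroup(accounts=[test_account.name])
    item_list, exception_map = watcher.slurp()
    # assertEqual, not assertIs: `len(...) is 1` only held because CPython
    # caches small ints; identity is the wrong comparison for a count.
    self.assertEqual(len(item_list), 1,
                     msg="Watcher should have 1 item but has {}".format(len(item_list)))
    # NOTE(review): exception_map is never inspected, so a watcher that
    # swallowed an error while enumerating would still pass; consider
    # asserting it is empty once its shape is confirmed.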
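def test_slurp(self):
    """Create one mocked RDS DB security group and check that the
    RDSSecurityGroup watcher reports exactly one item.

    The boto calls are expected to hit a mocked AWS backend (the mocking
    decorator/fixture is not visible in this excerpt).
    """
    # Fake source account registered with the mocked account query.
    test_account = Account()
    test_account.name = "TEST_ACCOUNT"
    test_account.notes = "TEST ACCOUNT"
    test_account.s3_name = "TEST_ACCOUNT"
    test_account.number = "012345678910"  # fake 12-digit account id
    test_account.role_name = "TEST_ACCOUNT"
    mock_query.add_account(test_account)

    conn = boto.rds.connect_to_region('us-east-1')
    conn.create_dbsecurity_group('db_sg1', 'DB Security Group')  # name, description

    watcher = RDSSecurityGroup(accounts=[test_account.name])
    item_list, exception_map = watcher.slurp()
    # assertEqual, not assertIs: `len(...) is 1` only held because CPython
    # caches small ints; identity is the wrong comparison for a count.
    self.assertEqual(len(item_list), 1,
                     msg="Watcher should have 1 item but has {}".format(len(item_list)))
    # NOTE(review): exception_map is never inspected, so a watcher that
    # swallowed an error while enumerating would still pass; consider
    # asserting it is empty once its shape is confirmed.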
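def test_slurp(self):
    """Create one mocked RDS DB instance and check that the RDSDBInstance
    watcher reports exactly one item.

    The boto calls are expected to hit a mocked AWS backend (the mocking
    decorator/fixture is not visible in this excerpt). The master
    username/password below are throwaway fixture values for the mock and
    must never be reused for a real instance.
    """
    # Fake source account registered with the mocked account query.
    test_account = Account()
    test_account.name = "TEST_ACCOUNT"
    test_account.notes = "TEST ACCOUNT"
    test_account.s3_name = "TEST_ACCOUNT"
    test_account.number = "012345678910"  # fake 12-digit account id
    test_account.role_name = "TEST_ACCOUNT"
    mock_query.add_account(test_account)

    conn = boto.rds.connect_to_region('us-east-1')
    # identifier, allocated storage (GiB), instance class, master user, master password
    conn.create_dbinstance("db-master-1", 10, 'db.m1.small', 'root', 'hunter2')

    watcher = RDSDBInstance(accounts=[test_account.name])
    item_list, exception_map = watcher.slurp()
    # assertEqual, not assertIs: `len(...) is 1` only held because CPython
    # caches small ints; identity is the wrong comparison for a count.
    self.assertEqual(len(item_list), 1,
                     msg="Watcher should have 1 item but has {}".format(len(item_list)))
    # NOTE(review): exception_map is never inspected, so a watcher that
    # swallowed an error while enumerating would still pass; consider
    # asserting it is empty once its shape is confirmed.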
def setUp(self):
    """Build the Elasticsearch Service fixture items and register the fake
    source account they all belong to with the mocked account query.

    Every item is attributed to the account named "TEST_ACCOUNT"; the
    CONFIG_* payloads are module-level fixtures defined elsewhere.
    """
    # (region, domain name, config) for each fixture item, in the original order.
    item_specs = [
        ("us-east-1", "es_test", CONFIG_ONE),
        ("us-west-2", "es_test_2", CONFIG_TWO),
        ("eu-west-1", "es_test_3", CONFIG_THREE),
        ("us-east-1", "es_test_4", CONFIG_FOUR),
        ("us-east-1", "es_test_5", CONFIG_FIVE),
        ("eu-west-1", "es_test_6", CONFIG_SIX),
        ("eu-west-1", "es_test_7", CONFIG_SEVEN),
        ("eu-west-1", "es_test_8", CONFIG_EIGHT),
        ("us-east-1", "es_test_9", CONFIG_NINE),
    ]
    self.es_items = [
        ElasticSearchServiceItem(region=region, account="TEST_ACCOUNT", name=name, config=config)
        for region, name, config in item_specs
    ]

    # Register the fake source account with the mocked query (no real DB session here).
    test_account = Account()
    for attr, value in (
        ("name", "TEST_ACCOUNT"),
        ("notes", "TEST ACCOUNT"),
        ("s3_name", "TEST_ACCOUNT"),
        ("number", "012345678910"),  # fake 12-digit account id
        ("role_name", "TEST_ACCOUNT"),
    ):
        setattr(test_account, attr, value)
    mock_query.add_account(test_account)
def add_account(number, third_party, name, s3_name, active, notes, edit=False):
    """Add an account row keyed by its AWS account number.

    If a row with this number already exists, return False without touching
    it, unless ``edit`` is True, in which case the existing row is deleted and
    a fresh one is written from the supplied values. Returns True when a row
    was written.

    This variant takes no ``role_name``; whatever default the Account model
    applies (not visible here) is what the new row gets.

    NOTE(review): the edit path deletes and re-inserts rather than updating in
    place, so the row's primary key changes; anything that references the old
    id (not visible in this excerpt) would be affected — confirm before relying
    on ``edit=True``.
    """
    existing = Account.query.filter(Account.number == number)
    already_present = bool(existing.count())

    if already_present and not edit:
        return False
    if already_present:
        existing.delete()

    new_account = Account()
    new_account.name = name
    new_account.s3_name = s3_name
    new_account.number = number
    new_account.notes = notes
    new_account.active = active
    new_account.third_party = third_party

    db.session.add(new_account)
    db.session.commit()
    return True
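def test_slurp(self):
    """Create a mocked VPC, one subnet in it and one RDS subnet group over
    that subnet, then check that the RDSSubnetGroup watcher reports exactly
    one item.

    The boto calls are expected to hit a mocked AWS backend (the mocking
    decorator/fixture is not visible in this excerpt).
    """
    # Fake source account registered with the mocked account query.
    test_account = Account()
    test_account.name = "TEST_ACCOUNT"
    test_account.notes = "TEST ACCOUNT"
    test_account.s3_name = "TEST_ACCOUNT"
    test_account.number = "012345678910"  # fake 12-digit account id
    test_account.role_name = "TEST_ACCOUNT"
    mock_query.add_account(test_account)

    vpc_conn = boto.vpc.connect_to_region("us-east-1")
    vpc = vpc_conn.create_vpc("10.0.0.0/16")
    # The subnet CIDR must lie inside the VPC CIDR; the original used
    # 10.1.0.0/24, which real AWS rejects and only a lax mock accepts.
    subnet = vpc_conn.create_subnet(vpc.id, "10.0.1.0/24")
    subnet_ids = [subnet.id]

    conn = boto.rds.connect_to_region("us-east-1")
    conn.create_db_subnet_group("db_subnet", "my db subnet", subnet_ids)  # name, description, subnets

    watcher = RDSSubnetGroup(accounts=[test_account.name])
    item_list, exception_map = watcher.slurp()
    # assertEqual, not assertIs: `len(...) is 1` only held because CPython
    # caches small ints; identity is the wrong comparison for a count.
    self.assertEqual(len(item_list), 1,
                     msg="Watcher should have 1 item but has {}".format(len(item_list)))
    # NOTE(review): exception_map is never inspected, so a watcher that
    # swallowed an error while enumerating would still pass; consider
    # asserting it is empty once its shape is confirmed.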
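def test_slurp(self):
    """Create one mocked Route 53 hosted zone with a single A record and
    check that the Route53 watcher reports exactly one item.

    The boto calls are expected to hit a mocked AWS backend (the mocking
    decorator/fixture is not visible in this excerpt); the key/secret handed
    to boto are placeholders, not real credentials, and must stay that way.
    """
    # Fake source account registered with the mocked account query.
    test_account = Account()
    test_account.name = "TEST_ACCOUNT"
    test_account.notes = "TEST ACCOUNT"
    test_account.s3_name = "TEST_ACCOUNT"
    test_account.number = "012345678910"  # fake 12-digit account id
    test_account.role_name = "TEST_ACCOUNT"
    mock_query.add_account(test_account)

    # Fixture: one hosted zone holding one A record.
    conn = boto.connect_route53("the_key", "the_secret")
    zone = conn.create_hosted_zone("testdns.aws.com")
    # The Id comes back as "/hostedzone/<ID>"; keep only the trailing ID.
    zone_id = zone["CreateHostedZoneResponse"]["HostedZone"]["Id"].split("/")[-1]
    changes = boto.route53.record.ResourceRecordSets(conn, zone_id)
    change = changes.add_change("CREATE", "testdns.aws.com", "A")
    change.add_value("10.1.1.1")
    changes.commit()

    watcher = Route53(accounts=[test_account.name])
    item_list, exception_map = watcher.slurp()
    # assertEqual, not assertIs: `len(...) is 1` only held because CPython
    # caches small ints; identity is the wrong comparison for a count.
    self.assertEqual(len(item_list), 1,
                     msg="Watcher should have 1 item but has {}".format(len(item_list)))
    # NOTE(review): exception_map is never inspected, so a watcher that
    # swallowed an error while enumerating would still pass; consider
    # asserting it is empty once its shape is confirmed.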
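def test_slurp(self):
    """Create two mocked VPCs, peer them, and check that the Peering watcher
    reports exactly one item.

    The boto calls are expected to hit a mocked AWS backend (the mocking
    decorator/fixture is not visible in this excerpt); the key/secret handed
    to boto are placeholders, not real credentials.
    """
    # Fake source account registered with the mocked account query.
    test_account = Account()
    test_account.name = "TEST_ACCOUNT"
    test_account.notes = "TEST ACCOUNT"
    test_account.s3_name = "TEST_ACCOUNT"
    test_account.number = "012345678910"  # fake 12-digit account id
    test_account.role_name = "TEST_ACCOUNT"
    mock_query.add_account(test_account)

    conn = boto.connect_vpc('the_key', 'the secret')
    vpc = conn.create_vpc("10.0.0.0/16")
    # Peered VPCs must have non-overlapping CIDRs; the original gave both
    # VPCs 10.0.0.0/16, which real AWS rejects and only a lax mock accepts.
    peer_vpc = conn.create_vpc("10.1.0.0/16")
    conn.create_vpc_peering_connection(vpc.id, peer_vpc.id)

    watcher = Peering(accounts=[test_account.name])
    item_list, exception_map = watcher.slurp()
    # assertEqual, not assertIs: `len(...) is 1` only held because CPython
    # caches small ints; identity is the wrong comparison for a count.
    self.assertEqual(len(item_list), 1,
                     msg="Watcher should have 1 item but has {}".format(len(item_list)))
    # NOTE(review): exception_map is never inspected, so a watcher that
    # swallowed an error while enumerating would still pass; consider
    # asserting it is empty once its shape is confirmed.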
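def test_slurp(self):
    """Create one mocked DHCP option set and check that the DHCP watcher
    reports exactly one item.

    The boto3 calls are expected to hit a mocked AWS backend (the mocking
    decorator/fixture is not visible in this excerpt).
    """
    # Fake source account registered with the mocked account query.
    test_account = Account()
    test_account.name = "TEST_ACCOUNT"
    test_account.notes = "TEST ACCOUNT"
    test_account.s3_name = "TEST_ACCOUNT"
    test_account.number = "012345678910"  # fake 12-digit account id
    test_account.role_name = "TEST_ACCOUNT"
    mock_query.add_account(test_account)

    ec2 = boto3.resource('ec2', region_name='us-east-1')
    ec2.create_dhcp_options(DhcpConfigurations=[
        {'Key': 'domain-name', 'Values': ['example.com']},
        {'Key': 'domain-name-servers', 'Values': ['10.0.10.2']},
    ])

    watcher = DHCP(accounts=[test_account.name])
    item_list, exception_map = watcher.slurp()
    # assertEqual, not assertIs: `len(...) is 1` only held because CPython
    # caches small ints; identity is the wrong comparison for a count.
    self.assertEqual(len(item_list), 1,
                     msg="Watcher should have 1 item but has {}".format(len(item_list)))
    # NOTE(review): exception_map is never inspected, so a watcher that
    # swallowed an error while enumerating would still pass; consider
    # asserting it is empty once its shape is confirmed.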
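def test_slurp(self):
    """Create a mocked VPC, one subnet in it and one RDS subnet group over
    that subnet, then check that the RDSSubnetGroup watcher reports exactly
    one item.

    The boto calls are expected to hit a mocked AWS backend (the mocking
    decorator/fixture is not visible in this excerpt).
    """
    # Fake source account registered with the mocked account query.
    test_account = Account()
    test_account.name = "TEST_ACCOUNT"
    test_account.notes = "TEST ACCOUNT"
    test_account.s3_name = "TEST_ACCOUNT"
    test_account.number = "012345678910"  # fake 12-digit account id
    test_account.role_name = "TEST_ACCOUNT"
    mock_query.add_account(test_account)

    vpc_conn = boto.vpc.connect_to_region("us-east-1")
    vpc = vpc_conn.create_vpc("10.0.0.0/16")
    # The subnet CIDR must lie inside the VPC CIDR; the original used
    # 10.1.0.0/24, which real AWS rejects and only a lax mock accepts.
    subnet = vpc_conn.create_subnet(vpc.id, "10.0.1.0/24")
    subnet_ids = [subnet.id]

    conn = boto.rds.connect_to_region("us-east-1")
    conn.create_db_subnet_group("db_subnet", "my db subnet", subnet_ids)  # name, description, subnets

    watcher = RDSSubnetGroup(accounts=[test_account.name])
    item_list, exception_map = watcher.slurp()
    # assertEqual, not assertIs: `len(...) is 1` only held because CPython
    # caches small ints; identity is the wrong comparison for a count.
    self.assertEqual(len(item_list), 1,
                     msg="Watcher should have 1 item but has {}".format(len(item_list)))
    # NOTE(review): exception_map is never inspected, so a watcher that
    # swallowed an error while enumerating would still pass; consider
    # asserting it is empty once its shape is confirmed.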
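def post(self):
    """
    .. http:post:: /api/1/account/

    Create a new account.

    **Example Request**:

    .. sourcecode:: http

        POST /api/1/account/ HTTP/1.1
        Host: example.com
        Accept: application/json

        {
            'name': 'new_account',
            's3_name': 'new_account',
            'number': '0123456789',
            'notes': 'this account is for ...',
            'role_name': 'CustomRole',
            'active': true,
            'third_party': false
        }

    **Example Response**:

    .. sourcecode:: http

        HTTP/1.1 201 Created
        Vary: Accept
        Content-Type: application/json

        {
            'name': 'new_account',
            's3_name': 'new_account',
            'number': '0123456789',
            'notes': 'this account is for ...',
            'role_name': 'CustomRole',
            'active': true,
            'third_party': false
        }

    :statuscode 201: created
    :statuscode 401: Authentication Error. Please Login.
    """
    auth, retval = __check_auth__(self.auth_dict)
    if auth:
        return retval
    # NOTE(review): only authentication is checked here. Whether
    # __check_auth__ also enforces an admin/role requirement for creating
    # accounts (which decides what Security Monkey will assume roles in) is
    # not visible in this excerpt — confirm.

    self.reqparse.add_argument('name', required=True, type=unicode, help='Must provide account name', location='json')
    self.reqparse.add_argument('s3_name', required=False, type=unicode, help='Will use name if s3_name not provided.', location='json')
    self.reqparse.add_argument('number', required=False, type=unicode, help='Add the account number if available.', location='json')
    self.reqparse.add_argument('notes', required=False, type=unicode, help='Add context.', location='json')
    self.reqparse.add_argument('role_name', required=False, type=unicode, help='Custom role name.', location='json')
    # NOTE(review): type=bool on a JSON field is fine for real JSON booleans,
    # but bool("false") is True, so a client sending strings would be
    # misread; reqparse's inputs.boolean is the usual fix (not imported here).
    self.reqparse.add_argument('active', required=False, type=bool, help='Determines whether this account should be interrogated by security monkey.', location='json')
    self.reqparse.add_argument('third_party', required=False, type=bool, help='Determines whether this account is a known friendly third party account.', location='json')
    args = self.reqparse.parse_args()

    # parse_args() returns every declared argument, with None for the ones
    # the client omitted, so args.get('s3_name', name) never fell back and
    # s3_name silently became None; apply the documented default explicitly.
    name = args['name']
    s3_name = args['s3_name'] if args['s3_name'] is not None else name

    account = Account()
    account.name = name
    account.s3_name = s3_name
    account.number = args['number']
    account.notes = args['notes']
    # role_name was parsed but never stored, so a custom role supplied by the
    # caller was silently dropped. Only assign it when given, leaving the
    # model's default untouched otherwise.
    if args['role_name'] is not None:
        account.role_name = args['role_name']
    account.active = args['active']
    account.third_party = args['third_party']

    db.session.add(account)
    db.session.commit()
    db.session.refresh(account)  # pick up DB-generated values (id, defaults)

    marshaled_account = marshal(account.__dict__, ACCOUNT_FIELDS)
    marshaled_account['auth'] = self.auth_dict
    return marshaled_account, 201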
def audit_all_objects(self):
    """Test stub: register this auditor under its class name in
    RUNTIME_AUDITORS instead of auditing anything."""
    RUNTIME_AUDITORS[self.__class__.__name__].append(self)

def save_issues(self):
    """Test stub: never persist issues."""
    pass

# NOTE(review): the two methods above belong to a mock auditor class whose
# header lies outside this excerpt.

# Module-level fixtures shared by the tests: a mocked account query, a mocked
# DB session and two fake AWS accounts registered with the query.
mock_query = MockAccountQuery()
mock_db_session = MockDBSession()

test_account = Account()
for _attr, _value in (
    ("name", "TEST_ACCOUNT"),
    ("notes", "TEST ACCOUNT"),
    ("s3_name", "TEST_ACCOUNT"),
    ("number", "012345678910"),  # fake 12-digit account id
    ("role_name", "TEST_ACCOUNT"),
    ("third_party", False),
    ("active", True),
):
    setattr(test_account, _attr, _value)
mock_query.add_account(test_account)

test_account2 = Account()
for _attr, _value in (
    ("name", "TEST_ACCOUNT2"),
    ("notes", "TEST ACCOUNT2"),
    ("s3_name", "TEST_ACCOUNT2"),
    ("number", "123123123123"),  # fake 12-digit account id
    ("role_name", "TEST_ACCOUNT"),  # same role name as the first account
    ("third_party", False),
    ("active", True),
):
    setattr(test_account2, _attr, _value)
mock_query.add_account(test_account2)
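def post(self):
    """
    .. http:post:: /api/1/account/

    Create a new account.

    **Example Request**:

    .. sourcecode:: http

        POST /api/1/account/ HTTP/1.1
        Host: example.com
        Accept: application/json

        {
            'name': 'new_account',
            's3_name': 'new_account',
            'number': '0123456789',
            'notes': 'this account is for ...',
            'active': true,
            'third_party': false
        }

    **Example Response**:

    .. sourcecode:: http

        HTTP/1.1 201 Created
        Vary: Accept
        Content-Type: application/json

        {
            'name': 'new_account',
            's3_name': 'new_account',
            'number': '0123456789',
            'notes': 'this account is for ...',
            'active': true,
            'third_party': false
        }

    :statuscode 201: created
    :statuscode 401: Authentication Error. Please Login.
    """
    auth, retval = __check_auth__(self.auth_dict)
    if auth:
        return retval
    # NOTE(review): only authentication is checked here. Whether
    # __check_auth__ also enforces an admin/role requirement for creating
    # accounts is not visible in this excerpt — confirm.

    self.reqparse.add_argument('name', required=True, type=unicode, help='Must provide account name', location='json')
    self.reqparse.add_argument('s3_name', required=False, type=unicode, help='Will use name if s3_name not provided.', location='json')
    self.reqparse.add_argument('number', required=False, type=unicode, help='Add the account number if available.', location='json')
    self.reqparse.add_argument('notes', required=False, type=unicode, help='Add context.', location='json')
    # NOTE(review): type=bool on a JSON field is fine for real JSON booleans,
    # but bool("false") is True, so a client sending strings would be
    # misread; reqparse's inputs.boolean is the usual fix (not imported here).
    self.reqparse.add_argument('active', required=False, type=bool, help='Determines whether this account should be interrogated by security monkey.', location='json')
    self.reqparse.add_argument('third_party', required=False, type=bool, help='Determines whether this account is a known friendly third party account.', location='json')
    args = self.reqparse.parse_args()

    # parse_args() returns every declared argument, with None for the ones
    # the client omitted, so args.get(key, default) never fell back: an
    # omitted s3_name became None and an omitted 'active' became None (falsy,
    # i.e. the account would not be scanned) instead of the intended defaults.
    name = args['name']
    s3_name = args['s3_name'] if args['s3_name'] is not None else name
    number = args['number']
    notes = args['notes']
    active = args['active'] if args['active'] is not None else True
    third_party = args['third_party'] if args['third_party'] is not None else False

    account = Account()
    account.name = name
    account.s3_name = s3_name
    account.number = number
    account.notes = notes
    account.active = active
    account.third_party = third_party

    db.session.add(account)
    db.session.commit()

    # Re-read the row so DB-generated values (id, column defaults) are marshaled.
    updated_account = Account.query.filter(Account.id == account.id).first()
    marshaled_account = marshal(updated_account.__dict__, ACCOUNT_FIELDS)
    marshaled_account['auth'] = self.auth_dict
    return marshaled_account, 201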
def save_issues(self): pass def applies_to_account(self, account): return True mock_query = MockAccountQuery() mock_db_session = MockDBSession() test_account = Account() test_account.name = "TEST_ACCOUNT" test_account.notes = "TEST ACCOUNT" test_account.s3_name = "TEST_ACCOUNT" test_account.number = "012345678910" test_account.role_name = "TEST_ACCOUNT" test_account.account_type = AccountType(name='AWS') test_account.third_party = False test_account.active = True mock_query.add_account(test_account) test_account2 = Account() test_account2.name = "TEST_ACCOUNT2" test_account2.notes = "TEST ACCOUNT2" test_account2.s3_name = "TEST_ACCOUNT2" test_account2.number = "123123123123" test_account2.role_name = "TEST_ACCOUNT" test_account2.account_type = AccountType(name='AWS') test_account2.third_party = False