def test_clean_stale_issues(self): from security_monkey.common.audit_issue_cleanup import clean_stale_issues items = Item.query.all() assert len(items) == 1 item = items[0] item.issues.append(ItemAudit(score=1, issue='Test Issue', item_id=item.id, auditor_setting=AuditorSettings(disabled=False, technology=self.technology, account=self.account, auditor_class='MockAuditor1'))) item.issues.append(ItemAudit(score=1, issue='Issue with missing auditor', item_id=item.id, auditor_setting=AuditorSettings(disabled=False, technology=self.technology, account=self.account, auditor_class='MissingAuditor'))) db.session.commit() clean_stale_issues() items = Item.query.all() assert len(items) == 1 item = items[0] assert len(item.issues) == 1 assert item.issues[0].issue == 'Test Issue'
def test_link_to_support_item_issues(self): auditor = Auditor(accounts=['test_account']) sub_item_id = 2 issue1_text = 'This is test issue1' issue2_text = 'This is test issue2' issue1_score = 10 issue2_score = 5 item = ChangeItem(index='test_index', account='test_account', name='item_name') sub_item = Item(id=sub_item_id, tech_id=1, account_id=1, name='sub_item_name') sub_item.issues.append(ItemAudit(score=issue1_score, issue=issue1_text)) sub_item.issues.append(ItemAudit(score=issue2_score, issue=issue2_text)) auditor.link_to_support_item_issues(item, sub_item, issue_message="TEST") self.assertTrue(len(item.audit_issues) == 1) new_issue = item.audit_issues[0] self.assertTrue(new_issue.score == issue1_score + issue2_score) self.assertTrue(new_issue.issue == "TEST") self.assertTrue(len(new_issue.sub_items) == 1) self.assertTrue(new_issue.sub_items[0] == sub_item)
def test_inactivate_old_revisions(self): from security_monkey.datastore_utils import inactivate_old_revisions, hash_item, persist_item, result_from_item from security_monkey.datastore import ItemRevision, Item self.setup_db() # Need to create 3 items first before we can test deletions: for x in range(0, 3): modConf = dict(ACTIVE_CONF) modConf["name"] = "SomeRole{}".format(x) modConf["Arn"] = "arn:aws:iam::012345678910:role/SomeRole{}".format(x) sti = SomeTestItem().from_slurp(modConf, account_name=self.account.name) # Get the hash: complete_hash, durable_hash = hash_item(sti.config, []) # persist: persist_item(sti, None, self.technology, self.account, complete_hash, durable_hash, True) db_item = result_from_item(sti, self.account, self.technology) # Add issues for these items: (just add two for testing purposes) db.session.add(ItemAudit(score=10, issue="IAM Role has full admin permissions.", notes=json.dumps(sti.config), item_id=db_item.id)) db.session.add(ItemAudit(score=9001, issue="Some test issue", notes="{}", item_id=db_item.id)) db.session.commit() # Now, actually test for deleted revisions: arns = [ "arn:aws:iam::012345678910:role/SomeRole", # <-- Does not exist in the list "arn:aws:iam::012345678910:role/SomeRole0", # <-- Does exist -- should not get deleted ] inactivate_old_revisions(SomeWatcher(), arns, self.account, self.technology) # Check that SomeRole1 and SomeRole2 are marked as inactive: for x in range(1, 3): item_revision = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)).filter( Item.arn == "arn:aws:iam::012345678910:role/SomeRole{}".format(x), ).one() assert not item_revision.active # Check that there are no issues associated with this item: assert len(ItemAudit.query.filter(ItemAudit.item_id == item_revision.item_id).all()) == 0 # Check that the SomeRole0 is still OK: item_revision = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)).filter( Item.arn == "arn:aws:iam::012345678910:role/SomeRole0".format(x), ).one() assert len(ItemAudit.query.filter(ItemAudit.item_id == item_revision.item_id).all()) == 2 assert item_revision.active
def test_from_items(self): issue = ItemAudit() issue.score = 1 issue.justified = True issue.issue = 'test issue' issue.justification = 'test justification' old_item_w_issues = ChangeItem(index='testtech', region='us-west-2', account='testaccount', new_config=CONFIG_1, active=True, audit_issues=[issue]) old_item_wo_issues = ChangeItem(index='testtech', region='us-west-2', account='testaccount', new_config=CONFIG_1, active=True) new_item = ChangeItem(index='testtech', region='us-west-2', account='testaccount', new_config=CONFIG_2, active=True) merged_item_w_issues = ChangeItem.from_items(old_item=old_item_w_issues, new_item=new_item) merged_item_wo_issues = ChangeItem.from_items(old_item=old_item_wo_issues, new_item=new_item) assert len(merged_item_w_issues.audit_issues) == 1 assert len(merged_item_wo_issues.audit_issues) == 0
def test_from_items(self): issue = ItemAudit() issue.score = 1 issue.justified = True issue.issue = 'test issue' issue.justification = 'test justification' old_item_w_issues = ChangeItem(index='testtech', region='us-west-2', account='testaccount', new_config=CONFIG_1, active=True, audit_issues=[issue]) old_item_wo_issues = ChangeItem(index='testtech', region='us-west-2', account='testaccount', new_config=CONFIG_1, active=True) new_item = ChangeItem(index='testtech', region='us-west-2', account='testaccount', new_config=CONFIG_2, active=True) merged_item_w_issues = ChangeItem.from_items( old_item=old_item_w_issues, new_item=new_item) merged_item_wo_issues = ChangeItem.from_items( old_item=old_item_wo_issues, new_item=new_item) assert len(merged_item_w_issues.audit_issues) == 1 assert len(merged_item_wo_issues.audit_issues) == 0
def test_save_issues(self): item = Item(region="us-west-2", name="testitem", technology=self.technology, account=self.test_account) revision = ItemRevision(item=item, config={}, active=True) item_audit = ItemAudit(item=item, issue="test issue") db.session.add(item) db.session.add(revision) db.session.add(item_audit) db.session.commit() auditor = Auditor(accounts=[self.test_account.name]) auditor.index = self.technology.name auditor.i_am_singular = self.technology.name auditor.items = auditor.read_previous_items() auditor.audit_objects() try: auditor.save_issues() except AttributeError as e: self.fail( "Auditor.save_issues() raised AttributeError unexpectedly: {}". format(e.message))
def test_find_deleted_batch(self): """ This will use the IAMRole watcher, since that already has batching support. :return: """ from security_monkey.watchers.iam.iam_role import IAMRole self.setup_batch_db() # Set everything up: watcher = IAMRole(accounts=[self.account.name]) watcher.current_account = (self.account, 0) watcher.technology = self.technology items = [] for x in range(0, 5): mod_conf = dict(ACTIVE_CONF) mod_conf["name"] = "SomeRole{}".format(x) mod_conf[ "Arn"] = ARN_PREFIX + ":iam::012345678910:role/SomeRole{}".format( x) items.append(SomeTestItem().from_slurp( mod_conf, account_name=self.account.name)) mod_aspd = dict(ASPD) mod_aspd[ "Arn"] = ARN_PREFIX + ":iam::012345678910:role/SomeRole{}".format( x) mod_aspd["RoleName"] = "SomeRole{}".format(x) watcher.total_list.append(mod_aspd) watcher.find_changes(items) # Check for deleted items: watcher.find_deleted_batch({}) assert len(watcher.deleted_items) == 0 # Check that nothing was deleted: for x in range(0, 5): item_revision = ItemRevision.query.join( (Item, ItemRevision.id == Item.latest_revision_id)).filter( Item.arn == ARN_PREFIX + ":iam::012345678910:role/SomeRole{}".format(x), ).one() assert item_revision.active # Create some issues for testing purposes: db.session.add( ItemAudit(score=10, issue="IAM Role has full admin permissions.", notes=json.dumps(item_revision.config), item_id=item_revision.item_id)) db.session.add( ItemAudit(score=9001, issue="Some test issue", notes="{}", item_id=item_revision.item_id)) db.session.commit() assert len(ItemAudit.query.all()) == len(items) * 2 # Remove the last two items: removed_arns = [] removed_arns.append(watcher.total_list.pop()["Arn"]) removed_arns.append(watcher.total_list.pop()["Arn"]) # Check for deleted items again: watcher.find_deleted_batch({}) assert len(watcher.deleted_items) == 2 # Check that the last two items were deleted: for arn in removed_arns: item_revision = ItemRevision.query.join( (Item, ItemRevision.id == Item.latest_revision_id)).filter( Item.arn == arn, ).one() assert not item_revision.active # Check that the current ones weren't deleted: for current_item in watcher.total_list: item_revision = ItemRevision.query.join( (Item, ItemRevision.id == Item.latest_revision_id)).filter( Item.arn == current_item["Arn"], ).one() assert item_revision.active assert len( ItemAudit.query.filter( ItemAudit.item_id == item_revision.item_id).all()) == 2