def pre_test_setup(self):
account_type_result = AccountType.query.filter(
AccountType.name == 'AWS').first()
if not account_type_result:
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
self.account = Account(identifier="012345678910",
name="testing",
active=True,
third_party=False,
account_type_id=account_type_result.id)
self.technology = Technology(name="s3")
self.item = Item(region="us-west-2",
name="somebucket",
arn=ARN_PREFIX + ":s3:::somebucket",
technology=self.technology,
account=self.account)
db.session.add(self.account)
db.session.add(self.technology)
db.session.add(self.item)
db.session.commit()
mock_s3().start()
client = boto3.client("s3")
client.create_bucket(Bucket="somebucket")
client.create_bucket(Bucket="someotherbucket")
client.create_bucket(Bucket="someotherbucket2")
def pre_test_setup(self):
self.account_type = AccountType(name="GitHub")
db.session.add(self.account_type)
db.session.commit()
db.session.add(
Account(name="octocat",
account_type_id=self.account_type.id,
identifier="octocat",
active=True,
third_party=False))
self.technology = Technology(name="repository")
db.session.add(self.technology)
db.session.commit()
self.gh_items = [
GitHubOrgItem(account="octocat",
name="Hello-World",
arn="octocat/Hello-World",
config=CONFIG_ONE),
GitHubOrgItem(account="octocat",
name="Repo-Private",
arn="octocat/Repo-Private",
config=CONFIG_TWO),
]
def prep_for_batch_slurp(self):
"""
Should be run before batching slurps to set the current account (and region).
This will load the DB objects for account and technology for where we are currently at in the process.
:return:
"""
self.prep_for_slurp()
# Which account are we currently on?
if not self.current_account:
index = 0
# Get the Technology
# If technology doesn't exist, then create it:
technology = Technology.query.filter(Technology.name == self.index).first()
if not technology:
technology = Technology(name=self.index)
db.session.add(technology)
db.session.commit()
app.logger.info("Technology: {} did not exist... created it...".format(self.index))
self.technology = technology
else:
index = self.current_account[1] + 1
self.current_account = (Account.query.filter(Account.name == self.accounts[index]).one(), index)
# We will not be using CloudAux's iter_account_region for multi-account -- we want
# to have per-account level of batching
self.total_list = [] # Reset the total list for a new account to run against.
self.done_slurping = False
self.batch_counter = 0
def _setup_one_two_revisions(self):
account_type_result = AccountType.query.filter(AccountType.name == 'AWS').first()
if not account_type_result:
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
account = Account(number="012345678910", name="testing",
s3_name="testing", role_name="SecurityMonkey",
account_type_id=account_type_result.id)
technology = Technology(name="iamrole")
item = Item(region="us-west-2", name="testrole",
arn="arn:aws:iam::012345678910:role/testrole", technology=technology,
account=account)
self.now = datetime(2016, 11, 3)
self.yesterday = self.now - timedelta(days=1)
item.revisions.append(ItemRevision(active=True, config={}, date_created=self.now))
item.revisions.append(ItemRevision(active=True, config={}, date_created=self.yesterday))
db.session.add(account)
db.session.add(technology)
db.session.add(item)
db.session.commit()
items = Item.query.all()
for item in items:
latest_revision = item.revisions.first()
item.latest_revision_id = latest_revision.id
db.session.add(item)
db.session.commit()
def test_fix_orphaned_deletions(self):
test_account = Account.query.filter(
Account.name == "TEST_ACCOUNT1").one()
technology = Technology(name="orphaned")
db.session.add(technology)
db.session.commit()
orphaned_item = Item(name="orphaned",
region="us-east-1",
tech_id=technology.id,
account_id=test_account.id)
db.session.add(orphaned_item)
db.session.commit()
assert not orphaned_item.latest_revision_id
assert not orphaned_item.revisions.count()
assert len(
Item.query.filter(Item.account_id == test_account.id, Item.tech_id
== technology.id, Item.latest_revision_id
== None).all()) == 1 # noqa
from security_monkey.task_scheduler.tasks import fix_orphaned_deletions
fix_orphaned_deletions(test_account.name, technology.name)
assert not Item.query.filter(
Item.account_id == test_account.id, Item.tech_id == technology.id,
Item.latest_revision_id == None).all() # noqa
assert orphaned_item.latest_revision_id
assert orphaned_item.revisions.count() == 1
assert orphaned_item.latest_config == {}
def pre_test_setup(self):
self.gh_items = [
GitHubTeamItem(account="Org-one",
name="Org-one",
arn="Org-one",
config=CONFIG_ONE),
GitHubTeamItem(account="Org-one",
name="Org-one",
arn="Org-one",
config=CONFIG_TWO),
]
self.account_type = AccountType(name="GitHub")
db.session.add(self.account_type)
db.session.commit()
db.session.add(
Account(name="Org-one",
account_type_id=self.account_type.id,
identifier="Org-one",
active=True,
third_party=False))
self.technology = Technology(name="team")
db.session.add(self.technology)
db.session.commit()
def pre_test_setup(self):
self.gh_items = [
GitHubOrgItem(account="Netflix",
name="Netflix",
arn="Netflix",
config=CONFIG_ONE),
GitHubOrgItem(account="Netflix-PRIVATE",
name="Netflix-PRIVATE",
arn="Netflix-PRIVATE",
config=CONFIG_TWO),
]
self.account_type = AccountType(name="GitHub")
db.session.add(self.account_type)
db.session.commit()
db.session.add(
Account(name="Netflix",
account_type_id=self.account_type.id,
identifier="Netflix",
active=True,
third_party=False))
db.session.add(
Account(name="Netflix-PRIVATE",
account_type_id=self.account_type.id,
identifier="Netflix-PRIVATE",
active=True,
third_party=False))
self.technology = Technology(name="organization")
db.session.add(self.technology)
db.session.commit()
def pre_test_setup(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
self.account = Account(identifier="012345678910",
name="testing",
third_party=False,
active=True,
account_type_id=account_type_result.id)
self.technology = Technology(name="iamrole")
self.total_roles = 75
db.session.add(self.account)
db.session.add(self.technology)
db.session.commit()
mock_iam().start()
client = boto3.client("iam")
aspd = {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}]
}
policy = {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "*",
"Resource": "*"
}]
}
for x in range(0, self.total_roles):
# Create the IAM Role via Moto:
aspd["Statement"][0][
"Resource"] = ARN_PREFIX + "arn:aws:iam:012345678910:role/roleNumber{}".format(
x)
client.create_role(Path="/",
RoleName="roleNumber{}".format(x),
AssumeRolePolicyDocument=json.dumps(aspd,
indent=4))
client.put_role_policy(RoleName="roleNumber{}".format(x),
PolicyName="testpolicy",
PolicyDocument=json.dumps(policy, indent=4))
def setup_db(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
self.account = Account(identifier="012345678910", name="testing",
account_type_id=account_type_result.id)
self.technology = Technology(name="iamrole")
db.session.add(self.account)
db.session.add(self.technology)
db.session.commit()
def fix_orphaned_deletions(account_name, technology_name):
"""
Possible issue with orphaned items. This will check if there are any, and will assume that the item
was deleted. This will create a deletion change record to it.
:param account_name:
:param technology_name:
:return:
"""
# If technology doesn't exist, then create it:
technology = Technology.query.filter(
Technology.name == technology_name).first()
if not technology:
technology = Technology(name=technology_name)
db.session.add(technology)
db.session.commit()
app.logger.info("Technology: {} did not exist... created it...".format(
technology_name))
account = Account.query.filter(Account.name == account_name).one()
# Query for orphaned items of the given technology/account pair:
orphaned_items = Item.query.filter(
Item.account_id == account.id, Item.tech_id == technology.id,
Item.latest_revision_id == None).all() # noqa
if not orphaned_items:
app.logger.info(
"[@] No orphaned items have been found. (This is good)")
return
# Fix the orphaned items:
for oi in orphaned_items:
app.logger.error(
"[?] Found an orphaned item: {}. Creating a deletion record for it"
.format(oi.name))
revision = ItemRevision(active=False, config={})
oi.revisions.append(revision)
db.session.add(revision)
db.session.add(oi)
db.session.commit()
# Update the latest revision id:
db.session.refresh(revision)
oi.latest_revision_id = revision.id
db.session.add(oi)
db.session.commit()
app.logger.info("[-] Created deletion record for item: {}.".format(
oi.name))
def pre_test_setup(self):
self.account_type = AccountType.query.filter(
AccountType.name == 'AWS').first()
if not self.account_type:
self.account_type = AccountType(name='AWS')
db.session.add(self.account_type)
db.session.commit()
self.test_account = Account(type=self.account_type,
name="test_account",
identifier="012345678910")
self.technology = Technology(name="testtech")
db.session.add(self.test_account)
db.session.add(self.technology)
db.session.commit()
def test_audit_specific_changes(self):
from security_monkey.task_scheduler.tasks import _audit_specific_changes
from security_monkey.monitors import Monitor
from security_monkey.watchers.iam.iam_role import IAMRole
from security_monkey.cloudaux_watcher import CloudAuxChangeItem
from security_monkey.auditors.iam.iam_role import IAMRoleAuditor
# Set up the monitor:
test_account = Account.query.filter(
Account.name == "TEST_ACCOUNT1").one()
batched_monitor = Monitor(IAMRole, test_account)
batched_monitor.auditors = [
IAMRoleAuditor(accounts=[test_account.name])
]
technology = Technology(name="iamrole")
db.session.add(technology)
db.session.commit()
watcher = Watcher(accounts=[test_account.name])
watcher.current_account = (test_account, 0)
watcher.technology = technology
# Create some IAM roles for testing:
items = []
for x in range(0, 3):
role_policy = dict(ROLE_CONF)
role_policy[
"Arn"] = ARN_PREFIX + ":iam::012345678910:role/roleNumber{}".format(
x)
role_policy["RoleName"] = "roleNumber{}".format(x)
role = CloudAuxChangeItem.from_item(name=role_policy['RoleName'],
item=role_policy,
record_region='universal',
account_name=test_account.name,
index='iamrole',
source_watcher=watcher)
items.append(role)
audit_items = watcher.find_changes_batch(items, {})
assert len(audit_items) == 3
# Perform the audit:
_audit_specific_changes(batched_monitor, audit_items, False)
# Check all the issues are there:
assert len(ItemAudit.query.all()) == 3
def pre_test_setup(self):
self.account_type = AccountType(name="GitHub")
db.session.add(self.account_type)
db.session.commit()
app.config["GITHUB_CREDENTIALS"] = {
"Org-one": "token-one",
"FAILURE": "FAILURE",
"Netflix": "token-two"
}
db.session.add(Account(name="Org-one", account_type_id=self.account_type.id,
identifier="Org-one", active=True, third_party=False))
self.technology = Technology(name="repository")
db.session.add(self.technology)
db.session.commit()
def pre_test_setup(self):
account_type_result = AccountType.query.filter(AccountType.name == 'AWS').first()
if not account_type_result:
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
self.account = Account(identifier="012345678910", name="testing",
account_type_id=account_type_result.id)
self.technology = Technology(name="iamrole")
item = Item(region="us-west-2", name="testrole",
arn=ARN_PREFIX + ":iam::012345678910:role/testrole", technology=self.technology,
account=self.account)
db.session.add(self.account)
db.session.add(self.technology)
db.session.add(item)
db.session.commit()
def test_audit_specific_changes(self):
from security_monkey.scheduler import _audit_specific_changes
from security_monkey.monitors import Monitor
from security_monkey.watchers.iam.iam_role import IAMRole, IAMRoleItem
from security_monkey.auditors.iam.iam_role import IAMRoleAuditor
# Set up the monitor:
test_account = Account.query.filter(
Account.name == "TEST_ACCOUNT1").one()
batched_monitor = Monitor(IAMRole, test_account)
batched_monitor.auditors = [
IAMRoleAuditor(accounts=[test_account.name])
]
technology = Technology(name="iamrole")
db.session.add(technology)
db.session.commit()
watcher = Watcher(accounts=[test_account.name])
watcher.current_account = (test_account, 0)
watcher.technology = technology
# Create some IAM roles for testing:
items = []
for x in range(0, 3):
role_policy = dict(ROLE_CONF)
role_policy[
"Arn"] = "arn:aws:iam::012345678910:role/roleNumber{}".format(
x)
role_policy["RoleName"] = "roleNumber{}".format(x)
role = IAMRoleItem.from_slurp(role_policy,
account_name=test_account.name)
items.append(role)
audit_items = watcher.find_changes_batch(items, {})
assert len(audit_items) == 3
# Perform the audit:
_audit_specific_changes(batched_monitor, audit_items, False)
# Check all the issues are there:
assert len(ItemAudit.query.all()) == 3
def test_find_batch_changes(self, mock_fix_orphaned):
"""
Runs through a full find job via the IAMRole watcher, as that supports batching.
However, this is mostly testing the logic through each function call -- this is
not going to do any boto work and that will instead be mocked out.
:return:
"""
from security_monkey.task_scheduler.tasks import manual_run_change_finder
from security_monkey.monitors import Monitor
from security_monkey.watchers.iam.iam_role import IAMRole
from security_monkey.auditors.iam.iam_role import IAMRoleAuditor
test_account = Account(name="TEST_ACCOUNT1")
watcher = IAMRole(accounts=[test_account.name])
technology = Technology(name="iamrole")
db.session.add(technology)
db.session.commit()
watcher.batched_size = 3 # should loop 4 times
self.add_roles()
# Set up the monitor:
batched_monitor = Monitor(IAMRole, test_account)
batched_monitor.watcher = watcher
batched_monitor.auditors = [
IAMRoleAuditor(accounts=[test_account.name])
]
import security_monkey.task_scheduler.tasks
old_get_monitors = security_monkey.task_scheduler.tasks.get_monitors
security_monkey.task_scheduler.tasks.get_monitors = lambda x, y, z: [
batched_monitor
]
# Moto screws up the IAM Role ARN -- so we need to fix it:
original_slurp_list = watcher.slurp_list
original_slurp = watcher.slurp
def mock_slurp_list():
items, exception_map = original_slurp_list()
for item in watcher.total_list:
item["Arn"] = ARN_PREFIX + ":iam::012345678910:role/{}".format(
item["RoleName"])
return items, exception_map
def mock_slurp():
batched_items, exception_map = original_slurp()
for item in batched_items:
item.arn = ARN_PREFIX + ":iam::012345678910:role/{}".format(
item.name)
item.config["Arn"] = item.arn
item.config["RoleId"] = item.name # Need this to stay the same
return batched_items, exception_map
watcher.slurp_list = mock_slurp_list
watcher.slurp = mock_slurp
manual_run_change_finder([test_account.name], [watcher.index])
assert mock_fix_orphaned.called
# Check that all items were added to the DB:
assert len(Item.query.all()) == 11
# Check that we have exactly 11 item revisions:
assert len(ItemRevision.query.all()) == 11
# Check that there are audit issues for all 11 items:
assert len(ItemAudit.query.all()) == 11
# Delete one of the items:
# Moto lacks implementation for "delete_role" (and I'm too lazy to submit a PR :D) -- so need to create again...
mock_iam().stop()
mock_sts().stop()
self.add_roles(initial=False)
# Run the it again:
watcher.current_account = None # Need to reset the watcher
manual_run_change_finder([test_account.name], [watcher.index])
# Check that nothing new was added:
assert len(Item.query.all()) == 11
# There should be the same number of issues and 2 more revisions:
assert len(ItemAudit.query.all()) == 11
assert len(ItemRevision.query.all()) == 13
# Check that the deleted roles show as being inactive:
ir = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)) \
.filter(Item.arn.in_(
[ARN_PREFIX + ":iam::012345678910:role/roleNumber9",
ARN_PREFIX + ":iam::012345678910:role/roleNumber10"])).all()
assert len(ir) == 2
assert not ir[0].active
assert not ir[1].active
# Finally -- test with a slurp list exception (just checking that things don't blow up):
import security_monkey.watchers.iam.iam_role
old_list_roles = security_monkey.watchers.iam.iam_role.list_roles
def mock_slurp_list_with_exception():
security_monkey.watchers.iam.iam_role.list_roles = lambda **kwargs: 1 / 0
items, exception_map = original_slurp_list()
assert len(exception_map) > 0
return items, exception_map
watcher.slurp_list = mock_slurp_list_with_exception
watcher.current_account = None # Need to reset the watcher
manual_run_change_finder([test_account.name], [watcher.index])
security_monkey.task_scheduler.tasks.get_monitors = old_get_monitors
security_monkey.watchers.iam.iam_role.list_roles = old_list_roles
mock_iam().stop()
mock_sts().stop()
def test_celery_skipabeat(self, mock_store_exception,
mock_expired_exceptions, mock_account_tech,
mock_purge, mock_setup):
from security_monkey.task_scheduler.beat import setup_the_tasks
from security_monkey.watchers.github.org import GitHubOrg
from security_monkey.auditors.github.org import GitHubOrgAuditor
# Stop the watcher registry from stepping on everyone's toes:
import security_monkey.watcher
import security_monkey.monitors
security_monkey.watcher.watcher_registry = {GitHubOrg.index: GitHubOrg}
security_monkey.monitors.watcher_registry = security_monkey.watcher.watcher_registry
app.config["GITHUB_CREDENTIALS"] = {}
# Set up the monitor:
self.account_type = AccountType(name="GitHub")
db.session.add(self.account_type)
db.session.commit()
app.config["GITHUB_CREDENTIALS"] = {"Org-one": "token-one"}
db.session.add(
Account(name="Org-one",
account_type_id=self.account_type.id,
identifier="Org-one",
active=True,
third_party=False))
self.technology = Technology(name="organization")
db.session.add(self.technology)
db.session.commit()
# Disable the other accounts:
disable_account_1 = Account.query.filter(
Account.name == "TEST_ACCOUNT1").one()
disable_account_2 = Account.query.filter(
Account.name == "TEST_ACCOUNT2").one()
disable_account_1.active = False
disable_account_2.active = False
db.session.add(disable_account_1)
db.session.add(disable_account_2)
db.session.commit()
test_account = Account.query.filter(Account.name == "Org-one").one()
watcher = GitHubOrg(accounts=[test_account.name])
monitor = Monitor(GitHubOrg, test_account)
monitor.watcher = watcher
monitor.auditors = [GitHubOrgAuditor(accounts=[test_account.name])]
# This is externally executed (as in not with Celery):
db.session.add(
WatcherConfig(index=GitHubOrg.index, active=True, interval=0))
db.session.commit()
import security_monkey.task_scheduler.tasks
old_get_monitors = security_monkey.task_scheduler.tasks.get_monitors
security_monkey.task_scheduler.tasks.get_monitors = lambda x, y, z: [
monitor
]
get_interval = mock.Mock()
monitor.watcher.get_interval = get_interval
setup_the_tasks(mock.Mock())
assert mock_setup.called
assert mock_purge.called
assert not mock_store_exception.called
# "apply_async" will NOT be called...
assert not mock_account_tech.apply_async.called
# The ".s" are the scheduled tasks. Too lazy to grab the intervals out.
assert not mock_account_tech.s.called # Will not be called
assert mock_expired_exceptions.s.called
assert mock_expired_exceptions.apply_async.called
# Cleanup:
security_monkey.task_scheduler.tasks.get_monitors = old_get_monitors
disable_account_1.active = True
disable_account_2.active = True
test_account.active = False
db.session.add(disable_account_1)
db.session.add(disable_account_2)
db.session.add(test_account)
db.session.commit()
def test_find_batch_changes(self, mock_fix_orphaned):
"""
Runs through a full find job via the IAMRole watcher, as that supports batching.
However, this is mostly testing the logic through each function call -- this is
not going to do any boto work and that will instead be mocked out.
:return:
"""
from security_monkey.task_scheduler.tasks import manual_run_change_finder
from security_monkey.monitors import Monitor
from security_monkey.watchers.iam.iam_role import IAMRole
from security_monkey.auditors.iam.iam_role import IAMRoleAuditor
test_account = Account(name="TEST_ACCOUNT1")
watcher = IAMRole(accounts=[test_account.name])
technology = Technology(name="iamrole")
db.session.add(technology)
db.session.commit()
watcher.batched_size = 3 # should loop 4 times
## CREATE MOCK IAM ROLES ##
client = boto3.client("iam")
aspd = {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}]
}
for x in range(0, 11):
# Create the IAM Role via Moto:
aspd["Statement"][0][
"Resource"] = ARN_PREFIX + ":iam:012345678910:role/roleNumber{}".format(
x)
client.create_role(Path="/",
RoleName="roleNumber{}".format(x),
AssumeRolePolicyDocument=json.dumps(aspd,
indent=4))
client.put_role_policy(RoleName="roleNumber{}".format(x),
PolicyName="testpolicy",
PolicyDocument=json.dumps(OPEN_POLICY,
indent=4))
# Set up the monitor:
batched_monitor = Monitor(IAMRole, test_account)
batched_monitor.watcher = watcher
batched_monitor.auditors = [
IAMRoleAuditor(accounts=[test_account.name])
]
import security_monkey.task_scheduler.tasks
old_get_monitors = security_monkey.task_scheduler.tasks.get_monitors
security_monkey.task_scheduler.tasks.get_monitors = lambda x, y, z: [
batched_monitor
]
# Moto screws up the IAM Role ARN -- so we need to fix it:
original_slurp_list = watcher.slurp_list
original_slurp = watcher.slurp
def mock_slurp_list():
items, exception_map = original_slurp_list()
for item in watcher.total_list:
item["Arn"] = ARN_PREFIX + ":iam::012345678910:role/{}".format(
item["RoleName"])
return items, exception_map
def mock_slurp():
batched_items, exception_map = original_slurp()
for item in batched_items:
item.arn = ARN_PREFIX + ":iam::012345678910:role/{}".format(
item.name)
item.config["Arn"] = item.arn
item.config["RoleId"] = item.name # Need this to stay the same
return batched_items, exception_map
watcher.slurp_list = mock_slurp_list
watcher.slurp = mock_slurp
manual_run_change_finder([test_account.name], [watcher.index])
assert mock_fix_orphaned.called
# Check that all items were added to the DB:
assert len(Item.query.all()) == 11
# Check that we have exactly 11 item revisions:
assert len(ItemRevision.query.all()) == 11
# Check that there are audit issues for all 11 items:
assert len(ItemAudit.query.all()) == 11
# Delete two of the items:
managedPolicy = client.list_attached_role_policies(
RoleName="roleNumber9")
for each in managedPolicy['AttachedPolicies']:
print("Detaching ", each)
client.detach_role_policy(RoleName="roleNumber9",
PolicyArn=each['PolicyArn'])
inlinePolicy = client.list_role_policies(RoleName="roleNumber9")
for each in inlinePolicy['PolicyNames']:
print("Deleting ", each)
client.delete_role_policy(RoleName="roleNumber9", PolicyName=each)
instanceProfiles = client.list_instance_profiles_for_role(
RoleName="roleNumber9")
for each in instanceProfiles['InstanceProfiles']:
print("Removing role from instance profile ", each)
client.remove_role_from_instance_profile(
RoleName="roleNumber9",
InstanceProfileName=each['InstanceProfileName'])
client.delete_role(RoleName="roleNumber9")
managedPolicy = client.list_attached_role_policies(
RoleName="roleNumber10")
for each in managedPolicy['AttachedPolicies']:
print("Detaching ", each)
client.detach_role_policy(RoleName="roleNumber10",
PolicyArn=each['PolicyArn'])
inlinePolicy = client.list_role_policies(RoleName="roleNumber10")
for each in inlinePolicy['PolicyNames']:
print("Deleting ", each)
client.delete_role_policy(RoleName="roleNumber10", PolicyName=each)
instanceProfiles = client.list_instance_profiles_for_role(
RoleName="roleNumber10")
for each in instanceProfiles['InstanceProfiles']:
print("Removing role from instance profile ", each)
client.remove_role_from_instance_profile(
RoleName="roleNumber10",
InstanceProfileName=each['InstanceProfileName'])
client.delete_role(RoleName="roleNumber10")
# Run the it again:
watcher.current_account = None # Need to reset the watcher
manual_run_change_finder([test_account.name], [watcher.index])
# Check that nothing new was added:
assert len(Item.query.all()) == 11
# There should be the same number of issues and 2 more revisions:
assert len(ItemAudit.query.all()) == 11
assert len(ItemRevision.query.all()) == 13
# Check that the deleted roles show as being inactive:
ir = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)) \
.filter(Item.arn.in_(
[ARN_PREFIX + ":iam::012345678910:role/roleNumber9",
ARN_PREFIX + ":iam::012345678910:role/roleNumber10"])).all()
assert len(ir) == 2
assert not ir[0].active
assert not ir[1].active
# Finally -- test with a slurp list exception (just checking that things don't blow up):
import security_monkey.watchers.iam.iam_role
old_list_roles = security_monkey.watchers.iam.iam_role.list_roles
def mock_slurp_list_with_exception():
security_monkey.watchers.iam.iam_role.list_roles = lambda **kwargs: 1 / 0
items, exception_map = original_slurp_list()
assert len(exception_map) > 0
return items, exception_map
watcher.slurp_list = mock_slurp_list_with_exception
watcher.current_account = None # Need to reset the watcher
manual_run_change_finder([test_account.name], [watcher.index])
security_monkey.task_scheduler.tasks.get_monitors = old_get_monitors
security_monkey.watchers.iam.iam_role.list_roles = old_list_roles
