def test_run_with_interval_watcher_dependencies(self):
"""
If an interval is passed to reporter.run(), the reporter will run all watchers in the interval
along with their auditors. It will also reaudit all existing items of watchers that are not in
the interval but are dependent on watchers/auditors in the interval. This is done because any
changes to the dependencies could change the audit results even is the items have not changed.
In this case, index1 and index2 are in the interval and index3 is dependent on index1 watcher.
Expected result:
Watchers of index1 and index2 are run
New items of index1 and index2 are audited
Items of index3 are reaudited
"""
from security_monkey.reporter import Reporter
build_mock_result(watcher_configs, auditor_configs_with_watcher_dependencies)
reporter = Reporter(account="TEST_ACCOUNT")
reporter.run("TEST_ACCOUNT", 15)
watcher_keys = RUNTIME_WATCHERS.keys()
self.assertEqual(first=2, second=len(watcher_keys),
msg="Should run 2 watchers but ran {}"
.format(len(watcher_keys)))
self.assertTrue('index1' in watcher_keys,
msg="Watcher index1 not run")
self.assertTrue('index2' in watcher_keys,
msg="Watcher index2 not run")
self.assertEqual(first=1, second=len(RUNTIME_WATCHERS['index1']),
msg="Watcher index1 should have audited 1 item but audited {}"
.format(len(RUNTIME_WATCHERS['index1'])))
self.assertEqual(first=1, second=len(RUNTIME_WATCHERS['index2']),
msg="Watcher index2 should have audited 1 item but audited {}"
.format(len(RUNTIME_WATCHERS['index2'])))
auditor_keys = RUNTIME_AUDIT_COUNTS.keys()
self.assertEqual(first=3, second=len(auditor_keys),
msg="Should run 3 auditors but ran {}"
.format(len(auditor_keys)))
self.assertTrue('index1' in auditor_keys,
msg="Auditor index1 not run")
self.assertTrue('index2' in auditor_keys,
msg="Auditor index2 not run")
self.assertTrue('index3' in auditor_keys,
msg="Auditor index3 not run")
self.assertEqual(first=1, second=RUNTIME_AUDIT_COUNTS['index1'],
msg="Auditor index1 should run once but ran {} times"
.format(RUNTIME_AUDIT_COUNTS['index1']))
self.assertEqual(first=1, second=RUNTIME_AUDIT_COUNTS['index2'],
msg="Auditor index2 should run once but ran {} times"
.format(RUNTIME_AUDIT_COUNTS['index2']))
self.assertEqual(first=1, second=RUNTIME_AUDIT_COUNTS['index3'],
msg="Auditor index3 should run once but ran {} times"
.format(RUNTIME_AUDIT_COUNTS['index3']))
def test_run_with_interval_auditor_dependencies(self):
"""
If an interval is passed to reporter.run(), the reporter will run all watchers in the interval
along with their auditors. It will also reaudit all existing items of watchers that are not in
the interval but are dependent on watchers/auditors in the interval. This is done because any
changes to the dependencies could change the audit results even is the items have not changed.
In this case, index1 and index2 are in the interval and index3 is dependent on index1 auditor.
Expected result:
Watchers of index1 and index2 are run
New items of index1 and index2 are audited
Items of index3 are reaudited
"""
from security_monkey.reporter import Reporter
build_mock_result(watcher_configs, auditor_configs_with_auditor_dependencies)
reporter = Reporter(account="TEST_ACCOUNT")
reporter.run("TEST_ACCOUNT", 15)
watcher_keys = RUNTIME_WATCHERS.keys()
self.assertEqual(first=2, second=len(watcher_keys),
msg="Should run 2 watchers but ran {}"
.format(len(watcher_keys)))
self.assertTrue('index1' in watcher_keys,
msg="Watcher index1 not run")
self.assertTrue('index2' in watcher_keys,
msg="Watcher index2 not run")
self.assertEqual(first=1, second=len(RUNTIME_WATCHERS['index1']),
msg="Watcher index1 should run once but ran {} times"
.format(len(RUNTIME_WATCHERS['index1'])))
self.assertEqual(first=1, second=len(RUNTIME_WATCHERS['index2']),
msg="Watcher index2 should run once but ran {} times"
.format(len(RUNTIME_WATCHERS['index2'])))
auditor_keys = RUNTIME_AUDIT_COUNTS.keys()
self.assertEqual(first=3, second=len(auditor_keys),
msg="Should run 3 auditors but ran {}"
.format(len(auditor_keys)))
self.assertTrue('index1' in auditor_keys,
msg="Auditor index1 not run")
self.assertTrue('index2' in auditor_keys,
msg="Auditor index2 not run")
self.assertTrue('index3' in auditor_keys,
msg="Auditor index3 not run")
self.assertEqual(first=1, second=RUNTIME_AUDIT_COUNTS['index1'],
msg="Auditor index1 should have audited 1 item but audited {}"
.format(RUNTIME_AUDIT_COUNTS['index1']))
self.assertEqual(first=1, second=RUNTIME_AUDIT_COUNTS['index2'],
msg="Auditor index2 should have audited 1 item but audited {}"
.format(RUNTIME_AUDIT_COUNTS['index2']))
self.assertEqual(first=1, second=RUNTIME_AUDIT_COUNTS['index3'],
msg="Auditor index3 should have audited 1 item but audited {}"
.format(RUNTIME_AUDIT_COUNTS['index3']))
def run_change_reporter(account_names, interval=None):
""" Runs Reporter """
try:
for account in account_names:
reporter = Reporter(account=account, debug=True)
reporter.run(account, interval)
except (OperationalError, InvalidRequestError, StatementError) as e:
app.logger.exception("Database error processing accounts %s, cleaning up session.", account_names)
db.session.remove()
store_exception("scheduler-run-change-reporter", None, e)
def run_change_reporter(account_names, interval=None):
""" Runs Reporter """
try:
for account in account_names:
reporter = Reporter(account=account, alert_accounts=account_names, debug=True)
reporter.run(account, interval)
except (OperationalError, InvalidRequestError, StatementError) as e:
app.logger.exception("Database error processing accounts %s, cleaning up session.", account_names)
db.session.remove()
store_exception("scheduler-run-change-reporter", None, e)
def run_change_reporter(accounts, interval=None):
""" Runs Reporter """
try:
accounts = __prep_accounts__(accounts)
reporter = Reporter(accounts=accounts, alert_accounts=accounts, debug=True)
for account in accounts:
reporter.run(account, interval)
except (OperationalError, InvalidRequestError, StatementError):
app.logger.exception("Database error processing accounts %s, cleaning up session.", accounts)
db.session.remove()
def run_change_reporter(accounts, interval=None):
""" Runs Reporter """
try:
accounts = __prep_accounts__(accounts)
reporter = Reporter(accounts=accounts,
alert_accounts=accounts,
debug=True)
for account in accounts:
reporter.run(account, interval)
except (OperationalError, InvalidRequestError, StatementError):
app.logger.exception(
"Database error processing accounts %s, cleaning up session.",
accounts)
db.session.remove()
def run_change_reporter(accounts):
""" Runs Reporter """
accounts = __prep_accounts__(accounts)
reporter = Reporter(accounts=accounts, alert_accounts=accounts, debug=True)
for account in accounts:
reporter.run(account)
def run_change_reporter(accounts):
""" Runs Reporter """
accounts = __prep_accounts__(accounts)
reporter = Reporter(accounts=accounts, alert_accounts=accounts, debug=True)
for account in accounts:
reporter.run(account)
def test_report_batch_changes(self):
from security_monkey.alerter import Alerter
from security_monkey.reporter import Reporter
from security_monkey.datastore import Item, ItemRevision, ItemAudit
from security_monkey.monitors import Monitor
from security_monkey.watchers.iam.iam_role import IAMRole
from security_monkey.auditors.iam.iam_role import IAMRoleAuditor
account_type_result = AccountType.query.filter(
AccountType.name == "AWS").one()
db.session.add(account_type_result)
db.session.commit()
test_account = Account(identifier="012345678910",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT1",
third_party=False,
active=True)
watcher = IAMRole(accounts=[test_account.name])
db.session.commit()
watcher.batched_size = 3 # should loop 4 times
self.add_roles()
# Set up the monitor:
batched_monitor = Monitor(IAMRole, test_account)
batched_monitor.watcher = watcher
batched_monitor.auditors = [
IAMRoleAuditor(accounts=[test_account.name])
]
# Set up the Reporter:
import security_monkey.reporter
old_all_monitors = security_monkey.reporter.all_monitors
security_monkey.reporter.all_monitors = lambda x, y: []
test_reporter = Reporter()
test_reporter.all_monitors = [batched_monitor]
test_reporter.account_alerter = Alerter(
watchers_auditors=test_reporter.all_monitors,
account=test_account.name)
import security_monkey.scheduler
# import security_monkey.monitors
# old_get_monitors = security_monkey.scheduler.get_monitors
security_monkey.scheduler.get_monitors = lambda x, y, z: [
batched_monitor
]
# Moto screws up the IAM Role ARN -- so we need to fix it:
original_slurp_list = watcher.slurp_list
original_slurp = watcher.slurp
def mock_slurp_list():
items, exception_map = original_slurp_list()
for item in watcher.total_list:
item["Arn"] = "arn:aws:iam::012345678910:role/{}".format(
item["RoleName"])
return items, exception_map
def mock_slurp():
batched_items, exception_map = original_slurp()
for item in batched_items:
item.arn = "arn:aws:iam::012345678910:role/{}".format(
item.name)
item.config["Arn"] = item.arn
item.config["RoleId"] = item.name # Need this to stay the same
return batched_items, exception_map
watcher.slurp_list = mock_slurp_list
watcher.slurp = mock_slurp
test_reporter.run(account=test_account.name)
# Check that all items were added to the DB:
assert len(Item.query.all()) == 11
# Check that we have exactly 11 item revisions:
assert len(ItemRevision.query.all()) == 11
# Check that there are audit issues for all 11 items:
assert len(ItemAudit.query.all()) == 11
mock_iam().stop()
mock_sts().stop()
# Something isn't cleaning itself up properly and causing other core tests to fail.
# This is the solution:
security_monkey.reporter.all_monitors = old_all_monitors
import monitor_mock
security_monkey.scheduler.get_monitors = monitor_mock.mock_get_monitors
def test_report_batch_changes(self):
from security_monkey.alerter import Alerter
from security_monkey.reporter import Reporter
from security_monkey.datastore import Item, ItemRevision, ItemAudit
from security_monkey.monitors import Monitor
from security_monkey.watchers.iam.iam_role import IAMRole
from security_monkey.auditors.iam.iam_role import IAMRoleAuditor
account_type_result = AccountType.query.filter(AccountType.name == "AWS").one()
db.session.add(account_type_result)
db.session.commit()
test_account = Account(name="TEST_ACCOUNT")
watcher = IAMRole(accounts=[test_account.name])
db.session.commit()
watcher.batched_size = 3 # should loop 4 times
self.add_roles()
# Set up the monitor:
batched_monitor = Monitor(IAMRole, test_account)
batched_monitor.watcher = watcher
batched_monitor.auditors = [IAMRoleAuditor(accounts=[test_account.name])]
# Set up the Reporter:
import security_monkey.reporter
old_all_monitors = security_monkey.reporter.all_monitors
security_monkey.reporter.all_monitors = lambda x, y: []
test_reporter = Reporter()
test_reporter.all_monitors = [batched_monitor]
test_reporter.account_alerter = Alerter(watchers_auditors=test_reporter.all_monitors, account=test_account.name)
import security_monkey.scheduler
# import security_monkey.monitors
# old_get_monitors = security_monkey.scheduler.get_monitors
security_monkey.scheduler.get_monitors = lambda x, y, z: [batched_monitor]
# Moto screws up the IAM Role ARN -- so we need to fix it:
original_slurp_list = watcher.slurp_list
original_slurp = watcher.slurp
def mock_slurp_list():
exception_map = original_slurp_list()
for item in watcher.total_list:
item["Arn"] = "arn:aws:iam::012345678910:role/{}".format(item["RoleName"])
return exception_map
def mock_slurp():
batched_items, exception_map = original_slurp()
for item in batched_items:
item.arn = "arn:aws:iam::012345678910:role/{}".format(item.name)
item.config["Arn"] = item.arn
item.config["RoleId"] = item.name # Need this to stay the same
return batched_items, exception_map
watcher.slurp_list = mock_slurp_list
watcher.slurp = mock_slurp
test_reporter.run(account=test_account.name)
# Check that all items were added to the DB:
assert len(Item.query.all()) == 11
# Check that we have exactly 11 item revisions:
assert len(ItemRevision.query.all()) == 11
# Check that there are audit issues for all 11 items:
assert len(ItemAudit.query.all()) == 11
mock_iam().stop()
mock_sts().stop()
# Something isn't cleaning itself up properly and causing other core tests to fail.
# This is the solution:
security_monkey.reporter.all_monitors = old_all_monitors
import monitor_mock
security_monkey.scheduler.get_monitors = monitor_mock.mock_get_monitors