示例#1
0
    def setUp(self):
        self.session = FakeSession({'config_file': 'myconfigfile'})
        self.subscribe = CloudTrailSubscribe(self.session)
        self.subscribe.region_name = 'us-east-1'

        self.subscribe.iam = Mock()
        self.subscribe.iam.get_user = Mock(
            return_value={'User': {
                'Arn': '::::123:456'
            }})

        self.subscribe.s3 = Mock()
        self.subscribe.s3.meta.region_name = 'us-east-1'
        policy_template = six.BytesIO(six.b(u'{"Statement": []}'))
        self.subscribe.s3.get_object = Mock(
            return_value={'Body': policy_template})
        self.subscribe.s3.head_bucket.return_value = {}

        self.subscribe.sns = Mock()
        self.subscribe.sns.meta.region_name = 'us-east-1'
        self.subscribe.sns.list_topics = Mock(
            return_value={'Topics': [{
                'TopicArn': ':test2'
            }]})
        self.subscribe.sns.create_topic = Mock(
            return_value={'TopicArn': 'foo'})
        self.subscribe.sns.get_topic_attributes = Mock(
            return_value={'Attributes': {
                'Policy': '{"Statement": []}'
            }})
示例#2
0
 def test_clients_all_from_same_session(self):
     session = Mock()
     subscribe_command = CloudTrailSubscribe(session)
     parsed_globals = Mock(region=None, verify_ssl=None, endpoint_url=None)
     subscribe_command.setup_services(None, parsed_globals)
     create_client_calls = session.create_client.call_args_list
     self.assertEqual(create_client_calls, [
         call('iam', verify=None, region_name=None),
         call('s3', verify=None, region_name=None),
         call('sns', verify=None, region_name=None),
         call('cloudtrail', verify=None, region_name=None),
     ])
示例#3
0
 def test_clients_all_from_same_session(self):
     session = Mock()
     subscribe_command = CloudTrailSubscribe(session)
     parsed_globals = Mock(region=None, verify_ssl=None,
                           endpoint_url=None)
     subscribe_command.setup_services(None, parsed_globals)
     create_client_calls = session.create_client.call_args_list
     self.assertEqual(
         create_client_calls, [
             call('iam', verify=None, region_name=None),
             call('s3', verify=None, region_name=None),
             call('sns', verify=None, region_name=None),
             call('cloudtrail', verify=None, region_name=None),
         ]
     )
示例#4
0
 def test_clients_all_from_same_session(self):
     session = Mock()
     subscribe_command = CloudTrailSubscribe(session)
     parsed_globals = Mock(region=None, verify_ssl=None, endpoint_url=None)
     subscribe_command.setup_services(None, parsed_globals)
     create_client_calls = session.create_client.call_args_list
     self.assertEqual(create_client_calls, [
         call('iam', verify=None, region_name=None),
         call('s3', verify=None, region_name=None),
         call('sns', verify=None, region_name=None),
         call('cloudtrail', verify=None, region_name=None),
     ])
     # We should also remove the error handler for S3.
     # This can be removed once the client switchover is done.
     subscribe_command.s3.meta.events.unregister.assert_called_with(
         'after-call', unique_id='awscli-error-handler')
示例#5
0
 def test_endpoint_url_is_only_used_for_cloudtrail(self):
     endpoint_url = 'https://mycloudtrail.awsamazon.com/'
     session = Mock()
     subscribe_command = CloudTrailSubscribe(session)
     parsed_globals = Mock(region=None, verify_ssl=None,
                           endpoint_url=endpoint_url)
     subscribe_command.setup_services(None, parsed_globals)
     create_client_calls = session.create_client.call_args_list
     self.assertEqual(
         create_client_calls, [
             call('iam', verify=None, region_name=None),
             call('s3', verify=None, region_name=None),
             call('sns', verify=None, region_name=None),
             # Here we should inject the endpoint_url only for cloudtrail.
             call('cloudtrail', verify=None, region_name=None,
                  endpoint_url=endpoint_url),
         ]
     )
示例#6
0
 def test_clients_all_from_same_session(self):
     session = Mock()
     subscribe_command = CloudTrailSubscribe(session)
     parsed_globals = Mock(region=None, verify_ssl=None,
                           endpoint_url=None)
     subscribe_command.setup_services(None, parsed_globals)
     create_client_calls = session.create_client.call_args_list
     self.assertEqual(
         create_client_calls, [
             call('iam', verify=None, region_name=None),
             call('s3', verify=None, region_name=None),
             call('sns', verify=None, region_name=None),
             call('cloudtrail', verify=None, region_name=None),
         ]
     )
     # We should also remove the error handler for S3.
     # This can be removed once the client switchover is done.
     subscribe_command.s3.meta.events.unregister.assert_called_with(
         'after-call', unique_id='awscli-error-handler')
示例#7
0
    def setUp(self):
        self.session = FakeSession({'config_file': 'myconfigfile'})
        self.subscribe = CloudTrailSubscribe(self.session)
        self.subscribe.region_name = 'us-east-1'

        self.subscribe.iam = Mock()
        self.subscribe.iam.get_user = Mock(
            return_value={'User': {'Arn': '::::123:456'}})

        self.subscribe.s3 = Mock()
        self.subscribe.s3.meta.region_name = 'us-east-1'
        policy_template = six.BytesIO(six.b(u'{"Statement": []}'))
        self.subscribe.s3.get_object = Mock(
            return_value={'Body': policy_template})
        self.subscribe.s3.head_bucket.return_value = {}

        self.subscribe.sns = Mock()
        self.subscribe.sns.meta.region_name = 'us-east-1'
        self.subscribe.sns.list_topics = Mock(
            return_value={'Topics': [{'TopicArn': ':test2'}]})
        self.subscribe.sns.create_topic = Mock(
            return_value={'TopicArn': 'foo'})
        self.subscribe.sns.get_topic_attributes = Mock(
            return_value={'Attributes': {'Policy': '{"Statement": []}'}})
示例#8
0
class TestCloudTrailCommand(unittest.TestCase):
    def setUp(self):
        self.session = FakeSession({'config_file': 'myconfigfile'})
        self.subscribe = CloudTrailSubscribe(self.session)
        self.subscribe.region_name = 'us-east-1'

        self.subscribe.iam = Mock()
        self.subscribe.iam.get_user = Mock(
            return_value={'User': {'Arn': '::::123:456'}})

        self.subscribe.s3 = Mock()
        self.subscribe.s3.meta.region_name = 'us-east-1'
        policy_template = six.BytesIO(six.b(u'{"Statement": []}'))
        self.subscribe.s3.get_object = Mock(
            return_value={'Body': policy_template})
        self.subscribe.s3.head_bucket.return_value = {}

        self.subscribe.sns = Mock()
        self.subscribe.sns.meta.region_name = 'us-east-1'
        self.subscribe.sns.list_topics = Mock(
            return_value={'Topics': [{'TopicArn': ':test2'}]})
        self.subscribe.sns.create_topic = Mock(
            return_value={'TopicArn': 'foo'})
        self.subscribe.sns.get_topic_attributes = Mock(
            return_value={'Attributes': {'Policy': '{"Statement": []}'}})

    def test_clients_all_from_same_session(self):
        session = Mock()
        subscribe_command = CloudTrailSubscribe(session)
        parsed_globals = Mock(region=None, verify_ssl=None,
                              endpoint_url=None)
        subscribe_command.setup_services(None, parsed_globals)
        create_client_calls = session.create_client.call_args_list
        self.assertEqual(
            create_client_calls, [
                call('iam', verify=None, region_name=None),
                call('s3', verify=None, region_name=None),
                call('sns', verify=None, region_name=None),
                call('cloudtrail', verify=None, region_name=None),
            ]
        )
        # We should also remove the error handler for S3.
        # This can be removed once the client switchover is done.
        subscribe_command.s3.meta.events.unregister.assert_called_with(
            'after-call', unique_id='awscli-error-handler')

    def test_endpoint_url_is_only_used_for_cloudtrail(self):
        endpoint_url = 'https://mycloudtrail.awsamazon.com/'
        session = Mock()
        subscribe_command = CloudTrailSubscribe(session)
        parsed_globals = Mock(region=None, verify_ssl=None,
                              endpoint_url=endpoint_url)
        subscribe_command.setup_services(None, parsed_globals)
        create_client_calls = session.create_client.call_args_list
        self.assertEqual(
            create_client_calls, [
                call('iam', verify=None, region_name=None),
                call('s3', verify=None, region_name=None),
                call('sns', verify=None, region_name=None),
                # Here we should inject the endpoint_url only for cloudtrail.
                call('cloudtrail', verify=None, region_name=None,
                     endpoint_url=endpoint_url),
            ]
        )

    def test_s3_create(self):
        iam = self.subscribe.iam
        s3 = self.subscribe.s3
        s3.head_bucket.side_effect = ClientError(
            {'Error': {'Code': '404', 'Message': ''}}, 'HeadBucket')

        self.subscribe.setup_new_bucket('test', 'logs')

        iam.get_user.assert_called_with()

        s3.get_object.assert_called_with(
            Bucket='awscloudtrail-policy-us-east-1',
            Key='policy/S3/AWSCloudTrail-S3BucketPolicy-2014-12-17.json',
        )
        s3.create_bucket.assert_called_with(Bucket='test')
        s3.put_bucket_policy.assert_called_with(
            Bucket='test', Policy=u'{"Statement": []}'
        )

        self.assertFalse(s3.delete_bucket.called)

        args, kwargs = s3.create_bucket.call_args
        self.assertNotIn('create_bucket_configuration', kwargs)

    def test_s3_uses_regionalized_policy(self):
        s3 = self.subscribe.s3
        s3.head_bucket.side_effect = ClientError(
            {'Error': {'Code': '404', 'Message': ''}}, 'HeadBucket')

        self.subscribe.setup_new_bucket('test', 'logs')

        s3.get_object.assert_called_with(
            Bucket='awscloudtrail-policy-us-east-1', Key=ANY)

    def test_s3_create_non_us_east_1(self):
        # Because this is outside of us-east-1, it should create
        # a bucket configuration with a location constraint.
        s3 = self.subscribe.s3
        self.subscribe.region_name = 'us-west-2'
        s3.head_bucket.side_effect = ClientError(
            {'Error': {'Code': '404', 'Message': ''}}, 'HeadBucket')

        self.subscribe.setup_new_bucket('test', 'logs')

        args, kwargs = s3.create_bucket.call_args
        self.assertIn('CreateBucketConfiguration', kwargs)

        bucket_config = kwargs['CreateBucketConfiguration']
        self.assertEqual(bucket_config['LocationConstraint'],
                         'us-west-2')

    def test_s3_create_already_exists(self):
        with self.assertRaises(Exception):
            self.subscribe.setup_new_bucket('test2', 'logs')

    def test_s3_custom_policy(self):
        s3 = self.subscribe.s3
        s3.head_bucket.side_effect = ClientError(
            {'Error': {'Code': '404', 'Message': ''}}, 'HeadBucket')

        self.subscribe.setup_new_bucket('test', 'logs', custom_policy='{}')

        s3.get_object.assert_not_called()
        s3.put_bucket_policy.assert_called_with(Bucket='test', Policy='{}')

    def test_s3_create_set_policy_fail(self):
        s3 = self.subscribe.s3
        orig = s3.put_bucket_policy
        s3.put_bucket_policy = Mock(side_effect=Exception('Error!'))

        with self.assertRaises(Exception):
            self.subscribe.setup_new_bucket('test', 'logs')

    def test_s3_get_policy_fail(self):
        self.subscribe.s3.get_object = Mock(side_effect=Exception('Foo!'))

        with self.assertRaises(CloudTrailError) as cm:
            self.subscribe.setup_new_bucket('test', 'logs')

        # Exception should contain its custom message, the region
        # where there is an issue, and the original exception message.
        self.assertIn('us-east-1', str(cm.exception))
        self.assertIn('Foo!', str(cm.exception))

    def test_get_policy_read_timeout(self):
        response = {
            'Body': Mock()
        }
        response['Body'].read.side_effect = Exception('Error!')
        self.subscribe.s3.get_object.return_value = response

        with self.assertRaises(CloudTrailError):
            self.subscribe.setup_new_bucket('test', 'logs')

    def test_sns_get_policy_fail(self):
        self.subscribe.s3.get_object = Mock(side_effect=Exception('Error!'))

        with self.assertRaises(Exception):
            self.subscribe.setup_new_bucket('test', 'logs')

    def test_sns_create(self):
        s3 = self.subscribe.s3
        sns = self.subscribe.sns

        self.subscribe.setup_new_topic('test')

        s3.get_object.assert_called_with(
            Bucket='awscloudtrail-policy-us-east-1',
            Key='policy/SNS/AWSCloudTrail-SnsTopicPolicy-2014-12-17.json',
        )
        sns.list_topics.assert_called_with()
        sns.create_topic.assert_called_with(Name='test')
        sns.set_topic_attributes.assert_called_with(
            AttributeName='Policy',
            AttributeValue='{"Statement": []}',
            TopicArn='foo',
        )

        self.assertFalse(sns.delete_topic.called)

    def test_sns_uses_regionalized_policy(self):
        s3 = self.subscribe.s3

        self.subscribe.setup_new_topic('test')

        s3.get_object.assert_called_with(
            Bucket='awscloudtrail-policy-us-east-1', Key=ANY)

    def test_sns_custom_policy(self):
        s3 = self.subscribe.s3
        sns = self.subscribe.sns
        sns.get_topic_attributes.return_value = {
            'Attributes': {
                'Policy': '{"Statement": []}'
            }
        }

        policy = '{"Statement": []}'

        self.subscribe.setup_new_topic('test', custom_policy=policy)

        s3.get_object.assert_not_called()
        sns.set_topic_attributes.assert_called_with(
          TopicArn=ANY, AttributeName='Policy', AttributeValue=policy)

    def test_sns_create_already_exists(self):
        with self.assertRaises(Exception):
            self.subscribe.setup_new_topic('test2')

    def test_cloudtrail_new_call_format(self):
        self.subscribe.cloudtrail = Mock()
        self.subscribe.cloudtrail.create_trail = Mock(return_value={})
        self.subscribe.cloudtrail.describe_trail = Mock(return_value={})

        self.subscribe.upsert_cloudtrail_config('test', 'bucket', 'prefix',
                                                'topic', True)

        self.subscribe.cloudtrail.create_trail.assert_called_with(
            Name='test',
            S3BucketName='bucket',
            S3KeyPrefix='prefix',
            SnsTopicName='topic',
            IncludeGlobalServiceEvents=True
        )

    def test_sns_policy_merge(self):
        left = '''
{
   "Version":"2008-10-17",
   "Id":"us-east-1/698519295917/test__default_policy_ID",
   "Statement":[
      {
         "Effect":"Allow",
         "Sid":"us-east-1/698519295917/test__default_statement_ID",
         "Principal":{
            "AWS":"*"
         },
         "Action":[
            "SNS:GetTopicAttributes",
            "SNS:SetTopicAttributes",
            "SNS:AddPermission",
            "SNS:RemovePermission",
            "SNS:DeleteTopic",
            "SNS:Subscribe",
            "SNS:ListSubscriptionsByTopic",
            "SNS:Publish",
            "SNS:Receive"
         ],
         "Resource":"arn:aws:sns:us-east-1:698519295917:test",
         "Condition":{
            "StringLike":{
               "AWS:SourceArn":"arn:aws:*:*:698519295917:*"
            }
         }
      }
   ]
}'''
        right = '''
{
   "Version":"2008-10-17",
   "Id":"us-east-1/698519295917/test_foo",
   "Statement":[
      {
         "Effect":"Allow",
         "Sid":"us-east-1/698519295917/test_foo_ID",
         "Principal":{
            "AWS":"*"
         },
         "Action":[
            "SNS:GetTopicAttributes",
            "SNS:SetTopicAttributes",
            "SNS:AddPermission",
            "SNS:RemovePermission",
            "SNS:DeleteTopic",
            "SNS:Subscribe",
            "SNS:ListSubscriptionsByTopic",
            "SNS:Publish",
            "SNS:Receive"
         ],
         "Resource":"arn:aws:sns:us-east-1:698519295917:test",
         "Condition":{
            "StringLike":{
               "AWS:SourceArn":"arn:aws:*:*:698519295917:*"
            }
         }
      }
   ]
}'''
        expected = '''
{
   "Version":"2008-10-17",
   "Id":"us-east-1/698519295917/test__default_policy_ID",
   "Statement":[
      {
         "Effect":"Allow",
         "Sid":"us-east-1/698519295917/test__default_statement_ID",
         "Principal":{
            "AWS":"*"
         },
         "Action":[
            "SNS:GetTopicAttributes",
            "SNS:SetTopicAttributes",
            "SNS:AddPermission",
            "SNS:RemovePermission",
            "SNS:DeleteTopic",
            "SNS:Subscribe",
            "SNS:ListSubscriptionsByTopic",
            "SNS:Publish",
            "SNS:Receive"
         ],
         "Resource":"arn:aws:sns:us-east-1:698519295917:test",
         "Condition":{
            "StringLike":{
               "AWS:SourceArn":"arn:aws:*:*:698519295917:*"
            }
         }
      },
      {
         "Effect":"Allow",
         "Sid":"us-east-1/698519295917/test_foo_ID",
         "Principal":{
            "AWS":"*"
         },
         "Action":[
            "SNS:GetTopicAttributes",
            "SNS:SetTopicAttributes",
            "SNS:AddPermission",
            "SNS:RemovePermission",
            "SNS:DeleteTopic",
            "SNS:Subscribe",
            "SNS:ListSubscriptionsByTopic",
            "SNS:Publish",
            "SNS:Receive"
         ],
         "Resource":"arn:aws:sns:us-east-1:698519295917:test",
         "Condition":{
            "StringLike":{
               "AWS:SourceArn":"arn:aws:*:*:698519295917:*"
            }
         }
      }
   ]
}'''

        merged = self.subscribe.merge_sns_policy(left, right)

        self.assertEqual(json.loads(expected), json.loads(merged))