def test_cwe_update_config_and_code(self): # Originally this was testing the no update case.. but # That is tricky to record, any updates to the code end up # causing issues due to checksum mismatches which imply updating # the function code / which invalidate the recorded data and # the focus of the test. session_factory = self.replay_flight_data( 'test_cwe_update', zdata=True) p = Policy({ 'resource': 's3', 'name': 's3-bucket-policy', 'mode': { 'type': 'cloudtrail', 'events': ["CreateBucket"], }, 'filters': [ {'type': 'missing-policy-statement', 'statement_ids': ['RequireEncryptedPutObject']}], 'actions': ['no-op'] }, Config.empty()) pl = PolicyLambda(p) mgr = LambdaManager(session_factory) result = mgr.publish(pl, 'Dev', role=self.role) self.addCleanup(mgr.remove, pl) p = Policy({ 'resource': 's3', 'name': 's3-bucket-policy', 'mode': { 'type': 'cloudtrail', 'memory': 256, 'events': [ "CreateBucket", {'event': 'PutBucketPolicy', 'ids': 'requestParameters.bucketName', 'source': 's3.amazonaws.com'}] }, 'filters': [ {'type': 'missing-policy-statement', 'statement_ids': ['RequireEncryptedPutObject']}], 'actions': ['no-op'] }, Config.empty()) output = self.capture_logging('custodian.lambda', level=logging.DEBUG) result2 = mgr.publish(PolicyLambda(p), 'Dev', role=self.role) lines = output.getvalue().strip().split('\n') self.assertTrue( 'Updating function custodian-s3-bucket-policy code' in lines) self.assertTrue( 'Updating function: custodian-s3-bucket-policy config' in lines) self.assertEqual(result['FunctionName'], result2['FunctionName']) # drive by coverage functions = [i for i in mgr.list_functions() if i['FunctionName'] == 'custodian-s3-bucket-policy'] self.assertTrue(len(functions), 1) start = 0L end = long(time.time() * 1000) self.assertEqual(list(mgr.logs(pl, start, end)), [])
def test_cwe_update_config_and_code(self): # Originally this was testing the no update case.. but # That is tricky to record, any updates to the code end up # causing issues due to checksum mismatches which imply updating # the function code / which invalidate the recorded data and # the focus of the test. session_factory = self.replay_flight_data( 'test_cwe_update', zdata=True) p = Policy({ 'resource': 's3', 'name': 's3-bucket-policy', 'mode': { 'type': 'cloudtrail', 'events': ["CreateBucket"], }, 'filters': [ {'type': 'missing-policy-statement', 'statement_ids': ['RequireEncryptedPutObject']}], 'actions': ['no-op'] }, Config.empty()) pl = PolicyLambda(p) mgr = LambdaManager(session_factory) result = mgr.publish(pl, 'Dev', role=self.role) self.addCleanup(mgr.remove, pl) p = Policy({ 'resource': 's3', 'name': 's3-bucket-policy', 'mode': { 'type': 'cloudtrail', 'memory': 256, 'events': [ "CreateBucket", {'event': 'PutBucketPolicy', 'ids': 'requestParameters.bucketName', 'source': 's3.amazonaws.com'}] }, 'filters': [ {'type': 'missing-policy-statement', 'statement_ids': ['RequireEncryptedPutObject']}], 'actions': ['no-op'] }, Config.empty()) output = self.capture_logging('custodian.lambda', level=logging.DEBUG) result2 = mgr.publish(PolicyLambda(p), 'Dev', role=self.role) lines = output.getvalue().strip().split('\n') self.assertTrue( 'Updating function custodian-s3-bucket-policy code' in lines) self.assertTrue( 'Updating function: custodian-s3-bucket-policy config' in lines) self.assertEqual(result['FunctionName'], result2['FunctionName']) # drive by coverage functions = [i for i in mgr.list_functions() if i['FunctionName'] == 'custodian-s3-bucket-policy'] self.assertTrue(len(functions), 1) start = 0 end = time.time() * 1000 self.assertEqual(list(mgr.logs(pl, start, end)), [])
def test_sns_subscriber(self): self.patch(SNSSubscription, 'iam_delay', 0.01) session_factory = self.replay_flight_data('test_sns_subscriber') session = session_factory() client = session.client('sns') # create an sns topic tname = "custodian-test-sns-sub" topic_arn = client.create_topic(Name=tname)['TopicArn'] self.addCleanup(client.delete_topic, TopicArn=topic_arn) # provision a lambda via mu params = dict( session_factory=session_factory, name='c7n-hello-world', role='arn:aws:iam::644160558196:role/custodian-mu', events=[SNSSubscription(session_factory, [topic_arn])]) func = helloworld.get_function(**params) manager = LambdaManager(session_factory) manager.publish(func) self.addCleanup(manager.remove, func) # now publish to the topic and look for lambda log output client.publish(TopicArn=topic_arn, Message='Greetings, program!') #time.sleep(15) -- turn this back on when recording flight data log_events = manager.logs(func, '1970-1-1', '9170-1-1') messages = [e['message'] for e in log_events if e['message'].startswith('{"Records')] self.addCleanup( session.client('logs').delete_log_group, logGroupName='/aws/lambda/c7n-hello-world') self.assertEqual( json.loads(messages[0])['Records'][0]['Sns']['Message'], 'Greetings, program!')
def test_sqs_subscriber(self): session_factory = self.replay_flight_data('test_mu_sqs_subscriber') func_name = 'c7n-hello-sqs' queue_name = "my-dev-test-3" # Setup Queues session = session_factory() client = session.client('sqs') queue_url = client.create_queue(QueueName=queue_name).get('QueueUrl') queue_arn = client.get_queue_attributes( QueueUrl=queue_url, AttributeNames=['QueueArn'])['Attributes']['QueueArn'] self.addCleanup(client.delete_queue, QueueUrl=queue_url) # Setup Function params = dict( session_factory=session_factory, name=func_name, role="arn:aws:iam::644160558196:role/custodian-mu", events=[SQSSubscription(session_factory, [queue_arn])]) func = helloworld.get_function(**params) manager = LambdaManager(session_factory) manager.publish(func) self.addCleanup(manager.remove, func) # Send and Receive Check client.send_message( QueueUrl=queue_url, MessageBody=json.dumps({'jurassic': 'block'})) if self.recording: time.sleep(60) log_events = list(manager.logs(func, "1970-1-1 UTC", "9170-1-1")) messages = [ e["message"] for e in log_events if e["message"].startswith('{"Records') ] self.addCleanup( session.client("logs").delete_log_group, logGroupName="/aws/lambda/%s" % func_name) self.assertIn( 'jurassic', json.loads(messages[0])["Records"][0]["body"])
def test_sns_subscriber_and_ipaddress(self): self.patch(SNSSubscription, "iam_delay", 0.01) session_factory = self.replay_flight_data( "test_sns_subscriber_and_ipaddress") session = session_factory() client = session.client("sns") # create an sns topic tname = "custodian-test-sns-sub" topic_arn = client.create_topic(Name=tname)["TopicArn"] self.addCleanup(client.delete_topic, TopicArn=topic_arn) # provision a lambda via mu params = dict( session_factory=session_factory, name="c7n-hello-world", role="arn:aws:iam::644160558196:role/custodian-mu", events=[SNSSubscription(session_factory, [topic_arn])], ) func = helloworld.get_function(**params) manager = LambdaManager(session_factory) manager.publish(func) self.addCleanup(manager.remove, func) # now publish to the topic and look for lambda log output client.publish(TopicArn=topic_arn, Message="Greetings, program!") if self.recording: time.sleep(30) log_events = manager.logs(func, "1970-1-1 UTC", "2037-1-1") messages = [ e["message"] for e in log_events if e["message"].startswith('{"Records') ] self.addCleanup( session.client("logs").delete_log_group, logGroupName="/aws/lambda/c7n-hello-world", ) self.assertEqual( json.loads(messages[0])["Records"][0]["Sns"]["Message"], "Greetings, program!", )
def test_sns_subscriber_and_ipaddress(self): self.patch(SNSSubscription, "iam_delay", 0.01) session_factory = self.replay_flight_data("test_sns_subscriber_and_ipaddress") session = session_factory() client = session.client("sns") # create an sns topic tname = "custodian-test-sns-sub" topic_arn = client.create_topic(Name=tname)["TopicArn"] self.addCleanup(client.delete_topic, TopicArn=topic_arn) # provision a lambda via mu params = dict( session_factory=session_factory, name="c7n-hello-world", role="arn:aws:iam::644160558196:role/custodian-mu", events=[SNSSubscription(session_factory, [topic_arn])], ) func = helloworld.get_function(**params) manager = LambdaManager(session_factory) manager.publish(func) self.addCleanup(manager.remove, func) # now publish to the topic and look for lambda log output client.publish(TopicArn=topic_arn, Message="Greetings, program!") if self.recording: time.sleep(30) log_events = manager.logs(func, "1970-1-1 UTC", "9170-1-1") messages = [ e["message"] for e in log_events if e["message"].startswith('{"Records') ] self.addCleanup( session.client("logs").delete_log_group, logGroupName="/aws/lambda/c7n-hello-world", ) self.assertEqual( json.loads(messages[0])["Records"][0]["Sns"]["Message"], "Greetings, program!", )
def test_cwe_update_config_and_code(self): # Originally this was testing the no update case.. but # That is tricky to record, any updates to the code end up # causing issues due to checksum mismatches which imply updating # the function code / which invalidate the recorded data and # the focus of the test. session_factory = self.replay_flight_data("test_cwe_update", zdata=True) p = self.load_policy({ "resource": "s3", "name": "s3-bucket-policy", "mode": { "type": "cloudtrail", "events": ["CreateBucket"], 'runtime': 'python2.7' }, "filters": [ { "type": "missing-policy-statement", "statement_ids": ["RequireEncryptedPutObject"] }, ], "actions": ["no-op"], }) pl = PolicyLambda(p) mgr = LambdaManager(session_factory) result = mgr.publish(pl, "Dev", role=ROLE) self.addCleanup(mgr.remove, pl) p = self.load_policy( { "resource": "s3", "name": "s3-bucket-policy", "mode": { "type": "cloudtrail", "memory": 256, 'runtime': 'python2.7', "events": [ "CreateBucket", { "event": "PutBucketPolicy", "ids": "requestParameters.bucketName", "source": "s3.amazonaws.com", }, ], }, "filters": [{ "type": "missing-policy-statement", "statement_ids": ["RequireEncryptedPutObject"], }], "actions": ["no-op"], }, ) output = self.capture_logging("custodian.serverless", level=logging.DEBUG) result2 = mgr.publish(PolicyLambda(p), "Dev", role=ROLE) lines = output.getvalue().strip().split("\n") self.assertTrue( "Updating function custodian-s3-bucket-policy code" in lines) self.assertTrue( "Updating function: custodian-s3-bucket-policy config MemorySize" in lines) self.assertEqual(result["FunctionName"], result2["FunctionName"]) # drive by coverage functions = [ i for i in mgr.list_functions() if i["FunctionName"] == "custodian-s3-bucket-policy" ] self.assertTrue(len(functions), 1) start = 0 end = time.time() * 1000 self.assertEqual(list(mgr.logs(pl, start, end)), [])
def test_cwe_update_config_and_code(self): # Originally this was testing the no update case.. but # That is tricky to record, any updates to the code end up # causing issues due to checksum mismatches which imply updating # the function code / which invalidate the recorded data and # the focus of the test. session_factory = self.replay_flight_data("test_cwe_update", zdata=True) p = Policy( { "resource": "s3", "name": "s3-bucket-policy", "mode": {"type": "cloudtrail", "events": ["CreateBucket"], 'runtime': 'python2.7'}, "filters": [ { "type": "missing-policy-statement", "statement_ids": ["RequireEncryptedPutObject"], } ], "actions": ["no-op"], }, Config.empty(), ) pl = PolicyLambda(p) mgr = LambdaManager(session_factory) result = mgr.publish(pl, "Dev", role=ROLE) self.addCleanup(mgr.remove, pl) p = Policy( { "resource": "s3", "name": "s3-bucket-policy", "mode": { "type": "cloudtrail", "memory": 256, 'runtime': 'python2.7', "events": [ "CreateBucket", { "event": "PutBucketPolicy", "ids": "requestParameters.bucketName", "source": "s3.amazonaws.com", }, ], }, "filters": [ { "type": "missing-policy-statement", "statement_ids": ["RequireEncryptedPutObject"], } ], "actions": ["no-op"], }, Config.empty(), ) output = self.capture_logging("custodian.serverless", level=logging.DEBUG) result2 = mgr.publish(PolicyLambda(p), "Dev", role=ROLE) lines = output.getvalue().strip().split("\n") self.assertTrue("Updating function custodian-s3-bucket-policy code" in lines) self.assertTrue( "Updating function: custodian-s3-bucket-policy config MemorySize" in lines) self.assertEqual(result["FunctionName"], result2["FunctionName"]) # drive by coverage functions = [ i for i in mgr.list_functions() if i["FunctionName"] == "custodian-s3-bucket-policy" ] self.assertTrue(len(functions), 1) start = 0 end = time.time() * 1000 self.assertEqual(list(mgr.logs(pl, start, end)), [])