def add_roles(self, initial=True):
mock_iam().start()
mock_sts().start()
mock_iam().start()
client = boto3.client("iam")
aspd = {
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}
]
}
if initial:
last = 11
else:
last = 9 # Simulates 2 deleted roles...
for x in range(0, last):
# Create the IAM Role via Moto:
aspd["Statement"][0]["Resource"] = "arn:aws:iam:012345678910:role/roleNumber{}".format(x)
client.create_role(Path="/", RoleName="roleNumber{}".format(x),
AssumeRolePolicyDocument=json.dumps(aspd, indent=4))
client.put_role_policy(RoleName="roleNumber{}".format(x), PolicyName="testpolicy",
PolicyDocument=json.dumps(OPEN_POLICY, indent=4))
def add_roles(self, initial=True):
mock_sts().start()
mock_iam().start()
client = boto3.client("iam")
aspd = {
"Statement": [{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}]
}
if initial:
last = 11
else:
last = 9 # Simulates 2 deleted roles...
for x in range(0, last):
# Create the IAM Role via Moto:
aspd["Statement"][0][
"Resource"] = ARN_PREFIX + ":iam:012345678910:role/roleNumber{}".format(
x)
client.create_role(Path="/",
RoleName="roleNumber{}".format(x),
AssumeRolePolicyDocument=json.dumps(aspd,
indent=4))
client.put_role_policy(RoleName="roleNumber{}".format(x),
PolicyName="testpolicy",
PolicyDocument=json.dumps(OPEN_POLICY,
indent=4))
def iam():
mock_iam().start()
client = boto3.client("iam")
yield client
mock_iam().stop()
def pre_test_setup(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
self.account = Account(identifier="012345678910",
name="testing",
third_party=False,
active=True,
account_type_id=account_type_result.id)
self.technology = Technology(name="iamrole")
self.total_roles = 75
db.session.add(self.account)
db.session.add(self.technology)
db.session.commit()
mock_iam().start()
client = boto3.client("iam")
aspd = {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}]
}
policy = {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "*",
"Resource": "*"
}]
}
for x in range(0, self.total_roles):
# Create the IAM Role via Moto:
aspd["Statement"][0][
"Resource"] = ARN_PREFIX + "arn:aws:iam:012345678910:role/roleNumber{}".format(
x)
client.create_role(Path="/",
RoleName="roleNumber{}".format(x),
AssumeRolePolicyDocument=json.dumps(aspd,
indent=4))
client.put_role_policy(RoleName="roleNumber{}".format(x),
PolicyName="testpolicy",
PolicyDocument=json.dumps(policy, indent=4))
def create_lambda_for_config_rule():
"""Return the ARN of a lambda that can be used by a custom rule."""
role_name = "test-role"
lambda_role = None
with mock_iam():
iam_client = boto3.client("iam", region_name=TEST_REGION)
try:
lambda_role = iam_client.get_role(
RoleName=role_name)["Role"]["Arn"]
except ClientError:
lambda_role = iam_client.create_role(
RoleName=role_name,
AssumeRolePolicyDocument="test policy",
Path="/",
)["Role"]["Arn"]
# Create the lambda function and identify its location.
lambda_client = boto3.client("lambda", region_name=TEST_REGION)
lambda_client.create_function(
FunctionName="test_config_rule",
Runtime="python3.8",
Role=lambda_role,
Handler="lambda_function.lambda_handler",
Code={"ZipFile": zipped_lambda_function()},
Description="Lambda test function for config rule",
Timeout=3,
MemorySize=128,
Publish=True,
)
def release_store(project_id, region_name, role_arn):
with moto.mock_dynamodb2(), moto.mock_sts(), moto.mock_iam():
store = DynamoReleaseStore(project_id=project_id,
region_name=region_name,
role_arn=role_arn)
store.initialise()
yield store
def test_create_service_role_already_exists(self):
role_name = "ecsServiceRole"
policy_name = "AmazonEC2ContainerServiceRolePolicy"
with mock_iam():
client = boto3.client("iam", region_name=REGION)
client.create_role(
RoleName=role_name,
AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json()
)
self.assertTrue(
create_ecs_service_role(
context=self.context,
provider=self.provider,
)
)
role = client.get_role(RoleName=role_name)
self.assertIn("Role", role)
self.assertEqual(role_name, role["Role"]["RoleName"])
client.get_role_policy(
RoleName=role_name,
PolicyName=policy_name
)
def setUp(self):
super().setUp()
# Setup mock AWS
self.s3_mock = mock_s3()
self.s3_mock.start()
self.iam_mock = mock_iam()
self.iam_mock.start()
self.sqs_mock = mock_sqs()
self.sqs_mock.start()
if self.deployment_stage == 'local':
# When online, we need STS to access SecretsManager to access RDS.
# When offline, mock out STS/SecretsManager and use local Postgres.
# STS
self.sts_mock = mock_sts()
self.sts_mock.start()
# UploadDbConfig
self.upload_db_config = UploadDbConfig()
self.upload_db_config.set({
'database_uri':
'postgresql://:@localhost/upload_local',
'pgbouncer_uri':
'postgresql://:@localhost/upload_local'
})
# Upload Bucket
self.upload_bucket = boto3.resource('s3').Bucket(
self.upload_config.bucket_name)
self.upload_bucket.create()
self.sqs = boto3.resource('sqs')
self.sqs.create_queue(QueueName=f"bogo_url")
self.sqs.create_queue(QueueName=f"delete_sqs_url")
self.sqs.create_queue(QueueName=f"test_validation_q_url")
def pre_test_setup(self):
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
self.account = Account(identifier="012345678910", name="testing",
third_party=False, active=True,
account_type_id=account_type_result.id)
self.technology = Technology(name="iamrole")
self.total_roles = 75
db.session.add(self.account)
db.session.add(self.technology)
db.session.commit()
mock_iam().start()
client = boto3.client("iam")
aspd = {
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}
]
}
policy = {
"Statement": [
{
"Effect": "Deny",
"Action": "*",
"Resource": "*"
}
]
}
for x in range(0, self.total_roles):
# Create the IAM Role via Moto:
aspd["Statement"][0]["Resource"] = ARN_PREFIX + ":iam:012345678910:role/roleNumber{}".format(x)
client.create_role(Path="/", RoleName="roleNumber{}".format(x),
AssumeRolePolicyDocument=json.dumps(aspd, indent=4))
client.put_role_policy(RoleName="roleNumber{}".format(x), PolicyName="testpolicy",
PolicyDocument=json.dumps(policy, indent=4))
def iam(aws_credentials):
"""Mocked IAM Fixture."""
from consoleme.config import config
with mock_iam():
yield boto3.client(
"iam", region_name="us-east-1", **config.get("boto3.client_kwargs", {})
)
def _get_role_name(region_name):
with mock_iam():
iam = boto3.client("iam", region_name=region_name)
try:
return iam.get_role(RoleName="test-role")["Role"]["Arn"]
except ClientError:
return iam.create_role(
RoleName="test-role", AssumeRolePolicyDocument="test policy", Path="/"
)["Role"]["Arn"]
def sim_iam():
mock_iam_instance = mock_iam()
mock_iam_instance.start()
mock_sts_instance = mock_sts()
mock_sts_instance.start()
yield
mock_iam_instance.stop()
mock_sts_instance.stop()
def get_role_arn():
with mock_iam():
iam = boto3.client("iam", region_name="us-west-2")
try:
return iam.get_role(RoleName="my-role")["Role"]["Arn"]
except ClientError:
return iam.create_role(
RoleName="my-role",
AssumeRolePolicyDocument="some policy",
Path="/my-path/",
)["Role"]["Arn"]
def single_iam_role(iam_service):
"""Return a single IAM Role.
Be warned, you can ONLY access properties on the resultant role that do not entail additional API calls.
Even if you add @mock_iam decorator to your test method the role will not exist in that context.
To mock additional API calls use the @iam_service and @mock_iam fixtures on your test function and call
create_iam_role within that.
"""
with mock_iam():
create_iam_role()
return list(iam_service.collection("role").all())[0]
def get_role_arn():
with mock_iam():
iam = boto3.client("iam", region_name="us-west-2")
try:
iam.create_role(
RoleName="my-role",
AssumeRolePolicyDocument="some policy",
Path="/my-path/",
)
except ClientError:
pass # Will fail second/third time - difficult to execute once with parallel tests
return iam.get_role(RoleName="my-role")["Role"]["Arn"]
def start():
"""
Entrypoint for mocking IAM.
:return: nothing
"""
# start IAM mocking with moto
mock = mock_iam()
mock.start()
""" Monkey-patching of moto """
# create new field in AccessKey model for LastUsedDate attribute
moto.iam.models.AccessKey.last_used = None
# create hook for GetAccessKeyLastUsed API call
moto.iam.responses.IamResponse.get_access_key_last_used = get_access_key_last_used
""" Monkey-patching is done """
def test_obtain_new_iam_token(monkeypatch, without_aws_env):
import moto
from sqlalchemy.engine.url import URL
url = URL.create(
'postgresql',
host="fakehost",
database="fake_db",
port=5432,
username="******",
password="******",
)
monkeypatch.setenv("AWS_ACCESS_KEY_ID", "fake-key-id")
monkeypatch.setenv("AWS_SECRET_ACCESS_KEY", "fake-secret")
with moto.mock_iam():
token = obtain_new_iam_auth_token(url, region_name='us-west-1')
assert isinstance(token, str)
def test_create_service_role(self) -> None:
"""Test create service role."""
with mock_iam():
client = boto3.client("iam", region_name=REGION)
role_name = "ecsServiceRole"
with self.assertRaises(ClientError):
client.get_role(RoleName=role_name)
self.assertTrue(
create_ecs_service_role(context=self.context,
provider=self.provider))
role = client.get_role(RoleName=role_name)
self.assertIn("Role", role)
self.assertEqual(role_name, role["Role"]["RoleName"])
policy_name = "AmazonEC2ContainerServiceRolePolicy"
client.get_role_policy(RoleName=role_name, PolicyName=policy_name)
def test_create_service_role_already_exists(self):
role_name = "ecsServiceRole"
policy_name = "AmazonEC2ContainerServiceRolePolicy"
with mock_iam():
client = boto3.client("iam", region_name=REGION)
client.create_role(
RoleName=role_name,
AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json())
self.assertTrue(
create_ecs_service_role(
context=self.context,
provider=self.provider,
))
role = client.get_role(RoleName=role_name)
self.assertIn("Role", role)
self.assertEqual(role_name, role["Role"]["RoleName"])
client.get_role_policy(RoleName=role_name, PolicyName=policy_name)
def test_create_service_role(self):
role_name = "ecsServiceRole"
policy_name = "AmazonEC2ContainerServiceRolePolicy"
with mock_iam():
client = boto3.client("iam", region_name=REGION)
with self.assertRaises(ClientError):
client.get_role(RoleName=role_name)
self.assertTrue(
create_ecs_service_role(region=REGION,
namespace="fake",
mappings={},
parameters={}))
role = client.get_role(RoleName=role_name)
self.assertIn("Role", role)
self.assertEqual(role_name, role["Role"]["RoleName"])
client.get_role_policy(RoleName=role_name, PolicyName=policy_name)
def setUp(self):
with warnings.catch_warnings():
warnings.filterwarnings("ignore", category=DeprecationWarning)
current_account_id = "111122223333"
region = "us-east-1"
self.mock = mock_iam()
self.mock.start()
self.client = get_boto3_client(profile=None,
service="iam",
region=region)
self.client.create_role(RoleName=MY_RESOURCE,
AssumeRolePolicyDocument=json.dumps(
constants.EC2_ASSUME_ROLE_POLICY))
self.example = IAMRole(name=MY_RESOURCE,
region=region,
client=self.client,
current_account_id=current_account_id)
self.roles = IAMRoles(client=self.client,
current_account_id=current_account_id,
region=region)
def test_create_service_role(self):
role_name = "ecsServiceRole"
policy_name = "AmazonEC2ContainerServiceRolePolicy"
with mock_iam():
client = boto3.client("iam", region_name=REGION)
with self.assertRaises(ClientError):
client.get_role(RoleName=role_name)
self.assertTrue(
create_ecs_service_role(
context=self.context,
provider=self.provider,
)
)
role = client.get_role(RoleName=role_name)
self.assertIn("Role", role)
self.assertEqual(role_name, role["Role"]["RoleName"])
client.get_role_policy(
RoleName=role_name,
PolicyName=policy_name
)
def iam_client(aws_region):
with mock_iam():
yield boto3.client("iam", region_name=aws_region)
def iam():
with mock_iam():
yield boto3.client('iam', region_name='us-east-1')
def test_find_batch_changes(self):
"""
Runs through a full find job via the IAMRole watcher, as that supports batching.
However, this is mostly testing the logic through each function call -- this is
not going to do any boto work and that will instead be mocked out.
:return:
"""
from security_monkey.scheduler import find_changes
from security_monkey.monitors import Monitor
from security_monkey.watchers.iam.iam_role import IAMRole
from security_monkey.auditors.iam.iam_role import IAMRoleAuditor
test_account = Account(name="TEST_ACCOUNT1")
watcher = IAMRole(accounts=[test_account.name])
technology = Technology(name="iamrole")
db.session.add(technology)
db.session.commit()
watcher.batched_size = 3 # should loop 4 times
self.add_roles()
# Set up the monitor:
batched_monitor = Monitor(IAMRole, test_account)
batched_monitor.watcher = watcher
batched_monitor.auditors = [IAMRoleAuditor(accounts=[test_account.name])]
import security_monkey.scheduler
security_monkey.scheduler.get_monitors = lambda x, y, z: [batched_monitor]
# Moto screws up the IAM Role ARN -- so we need to fix it:
original_slurp_list = watcher.slurp_list
original_slurp = watcher.slurp
def mock_slurp_list():
exception_map = original_slurp_list()
for item in watcher.total_list:
item["Arn"] = "arn:aws:iam::012345678910:role/{}".format(item["RoleName"])
return exception_map
def mock_slurp():
batched_items, exception_map = original_slurp()
for item in batched_items:
item.arn = "arn:aws:iam::012345678910:role/{}".format(item.name)
item.config["Arn"] = item.arn
item.config["RoleId"] = item.name # Need this to stay the same
return batched_items, exception_map
watcher.slurp_list = mock_slurp_list
watcher.slurp = mock_slurp
find_changes([test_account.name], test_account.name)
# Check that all items were added to the DB:
assert len(Item.query.all()) == 11
# Check that we have exactly 11 item revisions:
assert len(ItemRevision.query.all()) == 11
# Check that there are audit issues for all 11 items:
assert len(ItemAudit.query.all()) == 11
# Delete one of the items:
# Moto lacks implementation for "delete_role" (and I'm too lazy to submit a PR :D) -- so need to create again...
mock_iam().stop()
mock_sts().stop()
self.add_roles(initial=False)
# Run the it again:
watcher.current_account = None # Need to reset the watcher
find_changes([test_account.name], test_account.name)
# Check that nothing new was added:
assert len(Item.query.all()) == 11
# There should be 2 less issues and 2 more revisions:
assert len(ItemAudit.query.all()) == 9
assert len(ItemRevision.query.all()) == 13
# Check that the deleted roles show as being inactive:
ir = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)) \
.filter(Item.arn.in_(
["arn:aws:iam::012345678910:role/roleNumber9",
"arn:aws:iam::012345678910:role/roleNumber10"])).all()
assert len(ir) == 2
assert not ir[0].active
assert not ir[1].active
# Finally -- test with a slurp list exception (just checking that things don't blow up):
def mock_slurp_list_with_exception():
import security_monkey.watchers.iam.iam_role
security_monkey.watchers.iam.iam_role.list_roles = lambda **kwargs: 1 / 0
exception_map = original_slurp_list()
assert len(exception_map) > 0
return exception_map
watcher.slurp_list = mock_slurp_list_with_exception
watcher.current_account = None # Need to reset the watcher
find_changes([test_account.name], test_account.name)
mock_iam().stop()
mock_sts().stop()
def iam():
with mock_iam():
yield boto3.client("iam", region_name="us-east-1")
def test_report_batch_changes(self, mock_fix_orphaned):
from security_monkey.task_scheduler.tasks import manual_run_change_reporter
from security_monkey.datastore import Item, ItemRevision, ItemAudit
from security_monkey.monitors import Monitor
from security_monkey.watchers.iam.iam_role import IAMRole
from security_monkey.auditors.iam.iam_role import IAMRoleAuditor
test_account = Account.query.filter(
Account.name == "TEST_ACCOUNT1").one()
watcher = IAMRole(accounts=[test_account.name])
watcher.batched_size = 3 # should loop 4 times
self.add_roles()
# Set up the monitor:
batched_monitor = Monitor(IAMRole, test_account)
batched_monitor.watcher = watcher
batched_monitor.auditors = [
IAMRoleAuditor(accounts=[test_account.name])
]
# Set up the Reporter:
import security_monkey.reporter
old_all_monitors = security_monkey.reporter.all_monitors
security_monkey.reporter.all_monitors = lambda x, y: [batched_monitor]
import security_monkey.task_scheduler.tasks
old_get_monitors = security_monkey.task_scheduler.tasks.get_monitors
security_monkey.task_scheduler.tasks.get_monitors = lambda x, y, z: [
batched_monitor
]
# Moto screws up the IAM Role ARN -- so we need to fix it:
original_slurp_list = watcher.slurp_list
original_slurp = watcher.slurp
def mock_slurp_list():
items, exception_map = original_slurp_list()
for item in watcher.total_list:
item["Arn"] = ARN_PREFIX + ":iam::012345678910:role/{}".format(
item["RoleName"])
return items, exception_map
def mock_slurp():
batched_items, exception_map = original_slurp()
for item in batched_items:
item.arn = ARN_PREFIX + ":iam::012345678910:role/{}".format(
item.name)
item.config["Arn"] = item.arn
item.config["RoleId"] = item.name # Need this to stay the same
return batched_items, exception_map
watcher.slurp_list = mock_slurp_list
watcher.slurp = mock_slurp
manual_run_change_reporter([test_account.name])
assert mock_fix_orphaned.called
# Check that all items were added to the DB:
assert len(Item.query.all()) == 11
# Check that we have exactly 11 item revisions:
assert len(ItemRevision.query.all()) == 11
# Check that there are audit issues for all 11 items:
assert len(ItemAudit.query.all()) == 11
mock_iam().stop()
mock_sts().stop()
security_monkey.reporter.all_monitors = old_all_monitors
security_monkey.task_scheduler.tasks.get_monitors = old_get_monitors
def test_find_batch_changes(self, mock_fix_orphaned):
"""
Runs through a full find job via the IAMRole watcher, as that supports batching.
However, this is mostly testing the logic through each function call -- this is
not going to do any boto work and that will instead be mocked out.
:return:
"""
from security_monkey.task_scheduler.tasks import manual_run_change_finder
from security_monkey.monitors import Monitor
from security_monkey.watchers.iam.iam_role import IAMRole
from security_monkey.auditors.iam.iam_role import IAMRoleAuditor
test_account = Account(name="TEST_ACCOUNT1")
watcher = IAMRole(accounts=[test_account.name])
technology = Technology(name="iamrole")
db.session.add(technology)
db.session.commit()
watcher.batched_size = 3 # should loop 4 times
self.add_roles()
# Set up the monitor:
batched_monitor = Monitor(IAMRole, test_account)
batched_monitor.watcher = watcher
batched_monitor.auditors = [
IAMRoleAuditor(accounts=[test_account.name])
]
import security_monkey.task_scheduler.tasks
old_get_monitors = security_monkey.task_scheduler.tasks.get_monitors
security_monkey.task_scheduler.tasks.get_monitors = lambda x, y, z: [
batched_monitor
]
# Moto screws up the IAM Role ARN -- so we need to fix it:
original_slurp_list = watcher.slurp_list
original_slurp = watcher.slurp
def mock_slurp_list():
items, exception_map = original_slurp_list()
for item in watcher.total_list:
item["Arn"] = ARN_PREFIX + ":iam::012345678910:role/{}".format(
item["RoleName"])
return items, exception_map
def mock_slurp():
batched_items, exception_map = original_slurp()
for item in batched_items:
item.arn = ARN_PREFIX + ":iam::012345678910:role/{}".format(
item.name)
item.config["Arn"] = item.arn
item.config["RoleId"] = item.name # Need this to stay the same
return batched_items, exception_map
watcher.slurp_list = mock_slurp_list
watcher.slurp = mock_slurp
manual_run_change_finder([test_account.name], [watcher.index])
assert mock_fix_orphaned.called
# Check that all items were added to the DB:
assert len(Item.query.all()) == 11
# Check that we have exactly 11 item revisions:
assert len(ItemRevision.query.all()) == 11
# Check that there are audit issues for all 11 items:
assert len(ItemAudit.query.all()) == 11
# Delete one of the items:
# Moto lacks implementation for "delete_role" (and I'm too lazy to submit a PR :D) -- so need to create again...
mock_iam().stop()
mock_sts().stop()
self.add_roles(initial=False)
# Run the it again:
watcher.current_account = None # Need to reset the watcher
manual_run_change_finder([test_account.name], [watcher.index])
# Check that nothing new was added:
assert len(Item.query.all()) == 11
# There should be the same number of issues and 2 more revisions:
assert len(ItemAudit.query.all()) == 11
assert len(ItemRevision.query.all()) == 13
# Check that the deleted roles show as being inactive:
ir = ItemRevision.query.join((Item, ItemRevision.id == Item.latest_revision_id)) \
.filter(Item.arn.in_(
[ARN_PREFIX + ":iam::012345678910:role/roleNumber9",
ARN_PREFIX + ":iam::012345678910:role/roleNumber10"])).all()
assert len(ir) == 2
assert not ir[0].active
assert not ir[1].active
# Finally -- test with a slurp list exception (just checking that things don't blow up):
import security_monkey.watchers.iam.iam_role
old_list_roles = security_monkey.watchers.iam.iam_role.list_roles
def mock_slurp_list_with_exception():
security_monkey.watchers.iam.iam_role.list_roles = lambda **kwargs: 1 / 0
items, exception_map = original_slurp_list()
assert len(exception_map) > 0
return items, exception_map
watcher.slurp_list = mock_slurp_list_with_exception
watcher.current_account = None # Need to reset the watcher
manual_run_change_finder([test_account.name], [watcher.index])
security_monkey.task_scheduler.tasks.get_monitors = old_get_monitors
security_monkey.watchers.iam.iam_role.list_roles = old_list_roles
mock_iam().stop()
mock_sts().stop()
def iam(aws_credentials):
with mock_iam():
yield boto3.client("iam", region_name="us-east-1")
def create_release_store(self, project_id):
with moto.mock_dynamodb2(), moto.mock_sts(), moto.mock_iam():
yield DynamoReleaseStore(
project_id=project_id,
region_name="eu-west-1",
role_arn="arn:aws:iam::0123456789:role/example_role")
def iam(aws_creds):
with moto.mock_iam():
yield boto3.resource('iam')
def setUp(self):
with warnings.catch_warnings():
warnings.filterwarnings("ignore", category=DeprecationWarning)
self.mock_kms = mock_kms()
self.mock_iam = mock_iam()
self.mock_ecr = mock_ecr()
self.mock_kms.start()
self.mock_ecr.start()
self.mock_iam.start()
self.current_account_id = "123456789012"
# Set up KMS keys in 3 regions
self.ue1_kms_client = get_boto3_client(profile=None,
service="kms",
region="us-east-1")
self.ue2_kms_client = get_boto3_client(profile=None,
service="kms",
region="us-east-2")
self.euw1_kms_client = get_boto3_client(profile=None,
service="kms",
region="eu-west-1")
region = "us-east-1"
self.iam_client = get_boto3_client(profile=None,
service="iam",
region=region)
# self.iam_client = get_boto3_client(profile=None, service="iam", region="us-east-1")
self.uw1_ecr_client = get_boto3_client(profile=None,
service="ecr",
region="us-west-1")
# Get the ARNs so you can test them later
self.ue1_key_arn = self.ue1_kms_client.create_key(
)["KeyMetadata"]["Arn"]
self.ue2_key_arn = self.ue2_kms_client.create_key(
)["KeyMetadata"]["Arn"]
self.euw1_key_arn = self.euw1_kms_client.create_key(
)["KeyMetadata"]["Arn"]
iam_role = self.iam_client.create_role(
RoleName="yolo",
AssumeRolePolicyDocument=json.dumps(
constants.EC2_ASSUME_ROLE_POLICY))
self.iam_role_arn = iam_role["Role"]["Arn"]
self.ecr_arn = self.uw1_ecr_client.create_repository(
repositoryName="alpine")["repository"]["repositoryArn"]
# Create the objects that will store our results
self.service_resources_single_region = ServiceResourcesSingleRegion(
user_provided_service="kms",
region="us-east-1",
current_account_id=self.current_account_id,
profile=None,
cloak=False)
self.service_resources_multi_region = ServiceResourcesMultiRegion(
user_provided_service="kms",
user_provided_region="all",
current_account_id=self.current_account_id,
profile=None,
cloak=False)
# Let's exclude all the services that do not match the ones we specified above.
# That way, we can avoid an issue where moto tries to make API calls it does not support
excluded_services = []
for supported_service in constants.SUPPORTED_AWS_SERVICES:
if supported_service not in ["all", "iam", "ecr", "kms"]:
excluded_services.append(supported_service)
print(f"Excluded services: {excluded_services}")
self.resource_results = ResourceResults(
user_provided_service="all",
user_provided_region="all",
current_account_id=self.current_account_id,
profile=None,
cloak=False,
excluded_names=[],
excluded_services=excluded_services)
def iam(sts, conn_dict):
with mock_iam():
yield boto3_cached_conn("iam", **conn_dict)
def sim_iam():
mock_iam_instance = mock_iam()
mock_iam_instance.start()
# Create a user and role with attached policies
user = clients.iam_resource.create_user(UserName='******')
group = clients.iam_resource.create_group(GroupName='testgroup')
group_policy = clients.iam_resource.create_policy(
PolicyName='group-managed-policy',
PolicyDocument=utils.make_iam_policy([{
'Action': 'iam:CreatePolicyVersion',
'Resource': '*',
'Effect': 'Allow'
}, {
'Action': 'iam:ListPolicyVersions',
'Resource': '*',
'Effect': 'Allow'
}]))
group.attach_policy(PolicyArn=group_policy.arn)
group.create_policy(PolicyName='group-policy',
PolicyDocument=utils.make_iam_policy([{
'Action': 'iam:PutGroupPolicy',
'Resource': '*',
'Effect': 'Allow'
}]))
user.add_group(GroupName='testgroup')
user_policy = clients.iam_resource.create_policy(
PolicyName='user-managed-policy',
PolicyDocument=utils.make_iam_policy([{
'Action': 'iam:CreatePolicy',
'Resource': '*',
'Effect': 'Allow'
}]))
user.attach_policy(PolicyArn=user_policy.arn)
user.create_policy(PolicyName='user-policy',
PolicyDocument=utils.make_iam_policy([{
'Action': 'iam:PutUserPolicy',
'Resource': '*',
'Effect': 'Allow'
}]))
role = clients.iam_resource.create_role(
RoleName='trl',
AssumeRolePolicyDocument=utils.make_iam_policy([{
'Effect':
'Allow',
'Principal': {
'Service': ['ec2.amazonaws.com']
},
'Action': ['sts:AssumeRole']
}]))
role_policy = clients.iam_resource.create_policy(
PolicyName='role-managed-policy',
PolicyDocument=utils.make_iam_policy([
{
'Action': 'iam:ListPolicyVersions',
'Resource': '*',
'Effect': 'Allow'
},
{
'Action': 's3:*',
'Resource': '*',
'Effect': 'Deny'
},
]))
role.attach_policy(PolicyArn=role_policy.arn)
role.Policy('role-policy').put(
PolicyDocument=utils.make_iam_policy([{
'Action': 'iam:PutRolePolicy',
'Resource': '*',
'Effect': 'Allow'
}]))
yield
mock_iam_instance.stop()
def iam_client(aws_credentials):
"""Yield a mock IAM client that will not affect a real AWS account."""
with mock_iam():
yield boto3.client("iam", region_name=AWS_REGION)
def test_report_batch_changes(self):
from security_monkey.alerter import Alerter
from security_monkey.reporter import Reporter
from security_monkey.datastore import Item, ItemRevision, ItemAudit
from security_monkey.monitors import Monitor
from security_monkey.watchers.iam.iam_role import IAMRole
from security_monkey.auditors.iam.iam_role import IAMRoleAuditor
account_type_result = AccountType.query.filter(AccountType.name == "AWS").one()
db.session.add(account_type_result)
db.session.commit()
test_account = Account(name="TEST_ACCOUNT")
watcher = IAMRole(accounts=[test_account.name])
db.session.commit()
watcher.batched_size = 3 # should loop 4 times
self.add_roles()
# Set up the monitor:
batched_monitor = Monitor(IAMRole, test_account)
batched_monitor.watcher = watcher
batched_monitor.auditors = [IAMRoleAuditor(accounts=[test_account.name])]
# Set up the Reporter:
import security_monkey.reporter
old_all_monitors = security_monkey.reporter.all_monitors
security_monkey.reporter.all_monitors = lambda x, y: []
test_reporter = Reporter()
test_reporter.all_monitors = [batched_monitor]
test_reporter.account_alerter = Alerter(watchers_auditors=test_reporter.all_monitors, account=test_account.name)
import security_monkey.scheduler
# import security_monkey.monitors
# old_get_monitors = security_monkey.scheduler.get_monitors
security_monkey.scheduler.get_monitors = lambda x, y, z: [batched_monitor]
# Moto screws up the IAM Role ARN -- so we need to fix it:
original_slurp_list = watcher.slurp_list
original_slurp = watcher.slurp
def mock_slurp_list():
exception_map = original_slurp_list()
for item in watcher.total_list:
item["Arn"] = "arn:aws:iam::012345678910:role/{}".format(item["RoleName"])
return exception_map
def mock_slurp():
batched_items, exception_map = original_slurp()
for item in batched_items:
item.arn = "arn:aws:iam::012345678910:role/{}".format(item.name)
item.config["Arn"] = item.arn
item.config["RoleId"] = item.name # Need this to stay the same
return batched_items, exception_map
watcher.slurp_list = mock_slurp_list
watcher.slurp = mock_slurp
test_reporter.run(account=test_account.name)
# Check that all items were added to the DB:
assert len(Item.query.all()) == 11
# Check that we have exactly 11 item revisions:
assert len(ItemRevision.query.all()) == 11
# Check that there are audit issues for all 11 items:
assert len(ItemAudit.query.all()) == 11
mock_iam().stop()
mock_sts().stop()
# Something isn't cleaning itself up properly and causing other core tests to fail.
# This is the solution:
security_monkey.reporter.all_monitors = old_all_monitors
import monitor_mock
security_monkey.scheduler.get_monitors = monitor_mock.mock_get_monitors
def iam(aws_credentials):
"""Get mocked API for AWS IAM"""
with mock_iam():
yield boto3.resource('iam')
