def test_get_list_attached_user_policies_error_call_list_attached_user_policies(
self):
expected_error_response = copy.deepcopy(DataCommon.ERROR_RESPONSE)
expected_operation_name = copy.deepcopy(DataCommon.OPERATION_NAME)
# mock error call API list_attached_user_policies
with patch.object(client_connect_iam,
'list_attached_user_policies') as mock_method:
mock_method.side_effect = ClientError(
error_response=expected_error_response,
operation_name=expected_operation_name)
with patch.object(PmLogAdapter, 'error',
return_value=None) as mock_method_error:
with self.assertRaises(PmError) as exception:
IAMUtils.get_list_attached_user_policies(
trace_id, client_connect_iam, aws_account, user_name)
# check error
actual_cause_error = exception.exception.cause_error
self.assertEqual(expected_error_response['Error'],
actual_cause_error.response['Error'])
self.assertEqual(expected_operation_name,
actual_cause_error.operation_name)
# check message log error
mock_method_error.assert_any_call(
"[%s] IAMユーザー(%s)にアタッチされた管理ポリシー一覧情報の取得に失敗しました。", aws_account,
user_name)
def test_get_account_password_policy_error_connect_iam(self):
expected_error_response = copy.deepcopy(DataCommon.ERROR_RESPONSE)
expected_operation_name = copy.deepcopy(DataCommon.OPERATION_NAME)
# mock error client
with patch.object(session, 'client') as mock_method:
mock_method.side_effect = ClientError(
error_response=expected_error_response,
operation_name=expected_operation_name)
with patch.object(PmLogAdapter, 'error',
return_value=None) as mock_method_error:
with self.assertRaises(PmError) as exception:
IAMUtils.get_account_password_policy(
trace_id, session, aws_account)
# check error
actual_cause_error = exception.exception.cause_error
self.assertEqual(expected_error_response['Error'],
actual_cause_error.response['Error'])
self.assertEqual(expected_operation_name,
actual_cause_error.operation_name)
# check message log error
mock_method_error.assert_any_call("[%s] IAMクライアント作成に失敗しました。",
aws_account)
def test_get_account_password_policy_error_no_such_entity(self):
# connect client
client_connect_iam = iam_utils.client_connect()
expected_error_response = copy.deepcopy(DataCommon.ERROR_RESPONSE)
expected_operation_name = copy.deepcopy(DataCommon.OPERATION_NAME)
expected_error_response['Error']['Code'] = "NoSuchEntity"
# mock client
with patch.object(session, 'client') as mock_method_client:
mock_method_client.return_value = client_connect_iam
# mock error no such entity call API get_account_password_policy
with patch.object(client_connect_iam,
'get_account_password_policy') as mock_method:
mock_method.side_effect = ClientError(
error_response=expected_error_response,
operation_name=expected_operation_name)
with patch.object(PmLogAdapter, 'error',
return_value=None) as mock_method_error:
with self.assertRaises(PmError) as exception:
IAMUtils.get_account_password_policy(
trace_id, session, aws_account)
# check error
actual_cause_error = exception.exception.cause_error
self.assertEqual(expected_error_response['Error'],
actual_cause_error.response['Error'])
self.assertEqual(expected_operation_name,
actual_cause_error.operation_name)
# check message log error
mock_method_error.assert_any_call("[%s] アカウントパスワードポリシーが設定されていません。",
aws_account)
def test_list_virtual_mfa_devices_error_call_list_virtual_mfa_devices(
self):
# connect client
client_connect_iam = iam_utils.client_connect()
expected_error_response = copy.deepcopy(DataCommon.ERROR_RESPONSE)
expected_operation_name = copy.deepcopy(DataCommon.OPERATION_NAME)
# mock client
with patch.object(session, 'client') as mock_client:
mock_client.return_value = client_connect_iam
# mock error call API list_virtual_mfa_devices
with patch.object(client_connect_iam,
'list_virtual_mfa_devices') as mock_method:
mock_method.side_effect = ClientError(
error_response=expected_error_response,
operation_name=expected_operation_name)
with patch.object(PmLogAdapter, 'error',
return_value=None) as mock_method_error:
with self.assertRaises(PmError) as exception:
IAMUtils.list_virtual_mfa_devices(
trace_id, session, aws_account)
# check error
actual_cause_error = exception.exception.cause_error
self.assertEqual(expected_error_response['Error'],
actual_cause_error.response['Error'])
self.assertEqual(expected_operation_name,
actual_cause_error.operation_name)
# check message log error
mock_method_error.assert_any_call("[%s]仮想MFAデバイスリストの取得に失敗しました。",
aws_account)
def test_get_list_user_policies_success_response_is_truncate_true(self):
# connect client
client_connect_iam = iam_utils.client_connect()
expected_list_user_policies = copy.deepcopy(
DataTestIAM.LIST_USER_POLICY_DATA)
# mock client
with patch.object(session, 'client') as mock_method_client:
mock_method_client.return_value = client_connect_iam
# mock response API list_user_policies
with patch.object(client_connect_iam,
'list_user_policies') as mock_method:
mock_method.side_effect = iam_utils.side_effect_list_user_policies
actual_list_user_policies = IAMUtils.get_list_user_policies(
trace_id, session, aws_account, user_name)
# check response
self.assertEqual(expected_list_user_policies,
actual_list_user_policies)
# check connect client
mock_method_client.assert_any_call(service_name="iam")
# check call API list_user_policies
mock_method.assert_any_call(UserName=user_name)
def test_list_virtual_mfa_devices_success_response_is_truncate_false(self):
# connect client
client_connect_iam = iam_utils.client_connect()
expected_list_virtual_mfa_devices = copy.deepcopy(
DataTestIAM.DATA_LIST_VIRTUAL_MFA_DEVICES_IS_TRUNCATED_FALSE)
# mock client
with patch.object(session, 'client') as mock_method_client:
mock_method_client.return_value = client_connect_iam
# mock response API list_virtual_mfa_devices
with patch.object(client_connect_iam,
'list_virtual_mfa_devices') as mock_method:
mock_method.return_value = expected_list_virtual_mfa_devices
actual_list_virtual_mfa_devices = IAMUtils.list_virtual_mfa_devices(
trace_id, session, aws_account)
# check response
self.assertEqual(
expected_list_virtual_mfa_devices['VirtualMFADevices'],
actual_list_virtual_mfa_devices)
# check connect client
mock_method_client.assert_any_call(service_name="iam")
def get_account_password_policy(trace_id, check_history_id, organization_id,
project_id, awsaccount, session,
result_json_path):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
s3_file_name = CommonConst.PATH_CHECK_RAW.format(
check_history_id, organization_id, project_id, awsaccount,
"IBP/IAM_AccountPasswordPolicy.json")
# リソース情報取得
if (aws_common.check_exists_file_s3(trace_id, "S3_CHECK_BUCKET",
s3_file_name)) is True:
try:
account_password_policy = FileUtils.read_json(
trace_id, "S3_CHECK_BUCKET", s3_file_name)
except PmError as e:
raise common_utils.write_log_pm_error(e, pm_logger)
else:
try:
account_password_policy = IAMUtils.get_account_password_policy(
trace_id, session, awsaccount)
except PmError as e:
raise common_utils.write_log_pm_error(e, pm_logger)
# アカウントパスワードポリシー情報をS3に保存します。
try:
FileUtils.upload_json(trace_id, "S3_CHECK_BUCKET",
account_password_policy, s3_file_name)
except PmError as e:
pm_logger.error("[%s] アカウントパスワードポリシー情報のS3保存に失敗しました。", awsaccount)
raise common_utils.write_log_pm_error(e, pm_logger)
return account_password_policy
def check_ibp_item_02_01(trace_id, check_history_id, organization_id,
project_id, aws_account, session, result_json_path):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
check_results = []
# IAMユーザの一覧を取得する。
try:
list_users = IAMUtils.get_list_users(trace_id, session, aws_account)
except PmError as e:
pm_logger.error("[%s] IAMユーザー一覧情報取得に失敗しました。", aws_account)
return CheckResult.Error
try:
# 取得したユーザ一覧をS3に保存する(リソース情報ファイル)。
s3_file_name = CommonConst.PATH_CHECK_RAW.format(
check_history_id, organization_id, project_id, aws_account,
"IBP/IAM_ListUsers.json")
FileUtils.upload_json(trace_id, "S3_CHECK_BUCKET", list_users,
s3_file_name)
except PmError as e:
pm_logger.error("[%s] IAMユーザー一覧情報のS3保存に失敗しました。", aws_account)
return CheckResult.Error
# チェックルール
# Check-1. IAMユーザが存在するか
try:
if (len(list_users) == 0):
result = {
'Region': 'Global',
'Level': CommonConst.LEVEL_CODE_21,
'DetectionItem': {
'NoIAMUser': True
}
}
check_results.append(result)
except Exception as e:
pm_logger.error("[%s] チェック処理中にエラーが発生しました。", aws_account)
return CheckResult.Error
# Export File CHECK_IBP_ITEM_02_01.json
try:
current_date = date_utils.get_current_date_by_format(
date_utils.PATTERN_YYYYMMDDHHMMSS)
check_ibp_item_02_01 = {
'AWSAccount': aws_account,
'CheckResults': check_results,
'DateTime': current_date
}
FileUtils.upload_json(trace_id, "S3_CHECK_BUCKET",
check_ibp_item_02_01, result_json_path)
except Exception as e:
pm_logger.error("[%s] チェック結果JSONファイルの保存に失敗しました。", aws_account)
return CheckResult.Error
# チェック結果
if len(check_results) > 0:
return CheckResult.CriticalDefect
return CheckResult.Normal
def test_get_role_error_call_get_role(self):
expected_error_response = copy.deepcopy(DataCommon.ERROR_RESPONSE)
expected_operation_name = copy.deepcopy(DataCommon.OPERATION_NAME)
# mock error call API get_role
with patch.object(client_connect_iam, 'get_role') as mock_method:
mock_method.side_effect = ClientError(
error_response=expected_error_response,
operation_name=expected_operation_name)
with self.assertRaises(PmError) as exception:
IAMUtils.get_role(trace_id, client_connect_iam, role_name)
# check error
actual_cause_error = exception.exception.cause_error
self.assertEqual(expected_error_response['Error'],
actual_cause_error.response['Error'])
self.assertEqual(expected_operation_name,
actual_cause_error.operation_name)
def test_get_role_success(self):
expected_role_data = copy.deepcopy(DataTestIAM.DATA_ROLE)
# mock response API get_role
with patch.object(client_connect_iam, 'get_role') as mock_method:
mock_method.return_value = expected_role_data
actual_role_data = IAMUtils.get_role(trace_id, client_connect_iam,
role_name)
# check response
self.assertEqual(expected_role_data, actual_role_data)
# check call API get_role
mock_method.assert_any_call(RoleName=role_name)
def test_get_iam_client_success(self):
# connect client
expected_client_connect_iam = iam_utils.client_connect()
# mock client
with patch.object(session, 'client') as mock_method_client:
mock_method_client.return_value = expected_client_connect_iam
actual_client_connect_iam = IAMUtils.get_iam_client(
trace_id, session, aws_account)
# check response
self.assertEqual(expected_client_connect_iam,
actual_client_connect_iam)
# check connect client
mock_method_client.assert_any_call(service_name="iam")
def test_get_list_attached_user_policies_success_response_is_truncate_true(
self):
expected_list_attached_user_policies = copy.deepcopy(
DataTestIAM.LIST_ATTACHED_USER_POLICIES_DATA)
# mock response API list_attached_user_policies
with patch.object(client_connect_iam,
'list_attached_user_policies') as mock_method:
mock_method.side_effect = iam_utils.side_effect_list_attached_user_policies
actual_list_attached_user_policies = IAMUtils.get_list_attached_user_policies(
trace_id, client_connect_iam, aws_account, user_name)
# check response
self.assertEqual(expected_list_attached_user_policies,
actual_list_attached_user_policies)
# check call API list_attached_user_policies
mock_method.assert_any_call(UserName=user_name)
def test_get_list_attached_user_policies_success_response_is_truncate_false(
self):
expected_list_attached_user_policies = copy.deepcopy(
DataTestIAM.DATA_ATTACHED_USER_POLICIES_IS_TRUNCATED_FALSE)
# mock response API list_attached_user_policies
with patch.object(client_connect_iam,
'list_attached_user_policies') as mock_method:
mock_method.return_value = expected_list_attached_user_policies
actual_list_attached_user_policies = IAMUtils.get_list_attached_user_policies(
trace_id, client_connect_iam, aws_account, user_name)
# check response
self.assertEqual(
expected_list_attached_user_policies['AttachedPolicies'],
actual_list_attached_user_policies)
# check call API list_attached_user_policies
mock_method.assert_any_call(UserName=user_name)
def test_get_membership_aws_account_error_call_get_role(self):
cause_error = PmError
cause_error.response = copy.deepcopy(DataCommon.ERROR_RESPONSE)
expected_status_member = status_member['Disable']
# mock error call function get_role
with patch('premembers.common.IAMUtils.get_role') as mock_method:
mock_method.side_effect = PmError(cause_error=cause_error,
message=copy.deepcopy(
DataCommon.OPERATION_NAME))
with patch.object(PmLogAdapter, 'warning',
return_value=None) as mock_method_warning:
actual_response = IAMUtils.get_membership_aws_account(
trace_id, session, aws_account)
# check response
self.assertEqual(expected_status_member, actual_response)
# check message log warning
mock_method_warning.assert_any_call("[%s] IAMロール「%s」の取得に失敗しました。",
aws_account, cm_members_role_name)
def test_get_list_policies_success_response_not_exists_policies(self):
# connect client
client_connect_iam = iam_utils.client_connect()
expected_list_policies = []
# mock client
with patch.object(session, 'client') as mock_method_client:
mock_method_client.return_value = client_connect_iam
# mock API list_policies
with patch.object(client_connect_iam,
'list_policies') as mock_method:
mock_method.return_value = {'IsTruncated': False}
actual_list_policies = IAMUtils.get_list_policies(
trace_id, session, aws_account)
# check response
self.assertEqual(expected_list_policies, actual_list_policies)
# check connect client
mock_method_client.assert_any_call(service_name="iam")
def test_get_membership_aws_account_error_connect_iam(self):
expected_error_response = copy.deepcopy(DataCommon.ERROR_RESPONSE)
expected_operation_name = copy.deepcopy(DataCommon.OPERATION_NAME)
expected_status_member = status_member['Disable']
# mock error client
with patch.object(session, 'client') as mock_method:
mock_method.side_effect = ClientError(
error_response=expected_error_response,
operation_name=expected_operation_name)
with patch.object(PmLogAdapter, 'error',
return_value=None) as mock_method_error:
actual_response = IAMUtils.get_membership_aws_account(
trace_id, session, aws_account)
# check response
self.assertEqual(expected_status_member, actual_response)
# check message log error
mock_method_error.assert_any_call("[%s] IAMクライアント作成に失敗しました。",
aws_account)
def test_get_credential_report_success_response_not_exists_content(self):
# connect client
client_connect_iam = iam_utils.client_connect()
expected_data_credential_report = []
# mock client
with patch.object(session, 'client') as mock_method_client:
mock_method_client.return_value = client_connect_iam
# mock response API get_credential_report
with patch.object(client_connect_iam,
'get_credential_report') as mock_method:
mock_method.return_value = {}
actual_credential_report = IAMUtils.get_credential_report(
trace_id, session, aws_account)
# check response
self.assertEqual(expected_data_credential_report,
actual_credential_report)
# check connect client
mock_method_client.assert_any_call(service_name="iam")
def test_get_membership_aws_account_error_no_such_entity(self):
cause_error = PmError
expected_error_response = copy.deepcopy(DataCommon.ERROR_RESPONSE)
expected_operation_name = copy.deepcopy(DataCommon.OPERATION_NAME)
expected_error_response['Error']['Code'] = "NoSuchEntity"
cause_error.response = expected_error_response
expected_status_member = status_member['Disable']
# mock error no such entity call function get_role
with patch('premembers.common.IAMUtils.get_role') as mock_method:
mock_method.side_effect = PmError(cause_error=cause_error,
message=expected_operation_name)
with patch.object(PmLogAdapter, 'info',
return_value=None) as mock_method_info:
actual_response = IAMUtils.get_membership_aws_account(
trace_id, session, aws_account)
# check response
self.assertEqual(expected_status_member, actual_response)
# check message log info
mock_method_info.assert_any_call("[%s] IAMロール「%s」が存在しません。",
aws_account, cm_members_role_name)
def test_get_credential_report_success_response_exists_content(self):
# connect client
client_connect_iam = iam_utils.client_connect()
expected_credential_report = copy.deepcopy(
DataTestIAM.DATA_GET_CREDENTIAL_REPORT)
# mock client
with patch.object(session, 'client') as mock_method_client:
mock_method_client.return_value = client_connect_iam
# mock response API get_credential_report
with patch.object(client_connect_iam,
'get_credential_report') as mock_method:
mock_method.return_value = expected_credential_report
actual_credential_report = IAMUtils.get_credential_report(
trace_id, session, aws_account)
# check response
self.assertEqual(expected_credential_report['Content'].decode(),
actual_credential_report)
# check connect client
mock_method_client.assert_any_call(service_name="iam")
def test_get_account_summary_success_by_response_not_exists_attribute_summary_map(
self):
# connect client
client_connect_iam = iam_utils.client_connect()
expected_data_account_summary = []
# mock client
with patch.object(session, 'client') as mock_method_client:
mock_method_client.return_value = client_connect_iam
# mock response API get_account_summary
with patch.object(client_connect_iam,
'get_account_summary') as mock_method:
mock_method.return_value = {}
actual_data_account_summary = IAMUtils.get_account_summary(
trace_id, session, aws_account)
# check response
self.assertEqual(expected_data_account_summary,
actual_data_account_summary)
# check connect client
mock_method_client.assert_any_call(service_name="iam")
def test_get_membership_aws_account_success(self):
role_data = copy.deepcopy(DataTestIAM.DATA_ROLE)
expected_status_member = status_member['Enable']
# mock client
with patch.object(session, 'client') as mock_method_client:
# mock response function get_role
with patch('premembers.common.IAMUtils.get_role') as mock_method:
mock_method.return_value = role_data
with patch.object(PmLogAdapter, 'info',
return_value=None) as mock_method_info:
actual_response = IAMUtils.get_membership_aws_account(
trace_id, session, aws_account)
# check response
self.assertEqual(expected_status_member, actual_response)
# check message log info
mock_method_info.assert_any_call("[%s] IAMロール「%s」が存在します。", aws_account,
cm_members_role_name)
# check connect client
mock_method_client.assert_any_call(service_name="iam")
def test_get_account_password_policy_success_response_not_exists_password_policy(
self):
# connect client
client_connect_iam = iam_utils.client_connect()
expected_list_password_policy = []
# mock client
with patch.object(session, 'client') as mock_method_client:
mock_method_client.return_value = client_connect_iam
# mock API get_account_password_policy
with patch.object(client_connect_iam,
'get_account_password_policy') as mock_method:
mock_method.return_value = {}
actual_list_password_policy = IAMUtils.get_account_password_policy(
trace_id, session, aws_account)
# check response
self.assertEqual(expected_list_password_policy,
actual_list_password_policy)
# check connect client
mock_method_client.assert_any_call(service_name="iam")
def test_get_account_summary_success_by_response_exists_attribute_summary_map(
self):
# connect client
client_connect_iam = iam_utils.client_connect()
expected_data_account_summary = copy.deepcopy(
DataTestIAM.DATA_ACCOUNT_SUMMARY_EXISTS_ATTRIBUTE)
# mock client
with patch.object(session, 'client') as mock_method_client:
mock_method_client.return_value = client_connect_iam
# mock response API get_account_summary
with patch.object(client_connect_iam,
'get_account_summary') as mock_method:
mock_method.return_value = expected_data_account_summary
actual_data_account_summary = IAMUtils.get_account_summary(
trace_id, session, aws_account)
# check response
self.assertEqual(expected_data_account_summary['SummaryMap'],
actual_data_account_summary)
# check connect client
mock_method_client.assert_any_call(service_name="iam")
def test_get_account_password_policy_success_response_exists_password_policy(
self):
# connect client
client_connect_iam = iam_utils.client_connect()
expected_list_password_policy = copy.deepcopy(
DataTestIAM.LIST_PASSWORD_POLICY)
# mock client
with patch.object(session, 'client') as mock_method_client:
mock_method_client.return_value = client_connect_iam
# mock API get_account_password_policy
with patch.object(client_connect_iam,
'get_account_password_policy') as mock_method:
mock_method.return_value = expected_list_password_policy
actual_list_password_policy = IAMUtils.get_account_password_policy(
trace_id, session, aws_account)
# check response
self.assertEqual(expected_list_password_policy['PasswordPolicy'],
actual_list_password_policy)
# check connect client
mock_method_client.assert_any_call(service_name="iam")
def update_awscoop(trace_id, project_id, organization_id, coop_id, data_body):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
# Parse JSON
try:
body_object = json.loads(data_body)
aws_account = body_object["awsAccount"]
role_name = body_object["roleName"]
description = body_object["description"]
aws_account_name = body_object['awsAccountName']
except Exception as e:
return common_utils.error_exception(MsgConst.ERR_REQUEST_202,
HTTPStatus.BAD_REQUEST, e,
pm_logger, True)
# Validate
list_error = validate_update_awscoop(aws_account, role_name)
if list_error:
return common_utils.error_validate(MsgConst.ERR_REQUEST_201,
HTTPStatus.UNPROCESSABLE_ENTITY,
list_error, pm_logger)
# Get data AWSアカウント連携
try:
awscoops_item = pm_awsAccountCoops.get_awscoops_update(
trace_id, coop_id, project_id, organization_id)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# 組織情報を取得します。
if awscoops_item is None:
return common_utils.error_common(MsgConst.ERR_301,
HTTPStatus.NOT_FOUND, pm_logger)
# ロールのアクセス確認
if common_utils.is_null(description):
description = None
if common_utils.is_null(aws_account_name):
aws_account_name = None
external_id = awscoops_item['ExternalID']
effective = Effective.Disable.value
members = None
if (checkaccess.check_access_to_aws(trace_id, aws_account, role_name,
external_id)):
effective = Effective.Enable.value
# IAMクライアントを用いて、IAMロールcm-membersportalを取得します。
try:
session = aws_common.create_session_client(trace_id, aws_account,
role_name, external_id)
members = IAMUtils.get_membership_aws_account(
trace_id, session, aws_account)
except PmError as e:
common_utils.write_log_pm_error(e, pm_logger, exc_info=True)
# update project
attribute = {
'AWSAccount': {
"Value": aws_account
},
'RoleName': {
"Value": role_name
},
'Description': {
"Value": description
},
'Effective': {
"Value": effective
},
'AWSAccountName': {
"Value": aws_account_name
}
}
if (members is not None):
attribute['Members'] = {"Value": members}
updated_at = awscoops_item['UpdatedAt']
try:
pm_awsAccountCoops.update_awscoops(trace_id, coop_id, attribute,
updated_at)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_DB_403,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# Get data response
try:
awscoops_item = pm_awsAccountCoops.query_awscoop_coop_key(
trace_id, coop_id, convert_response=True)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# return data response
response = common_utils.get_response_by_response_body(
HTTPStatus.OK, awscoops_item)
return common_utils.response(response, pm_logger)