def pre_test_setup(self): account_type_result = AccountType(name='AWS') db.session.add(account_type_result) db.session.commit() account = Account(identifier="012345678910", name="TEST_ACCOUNT1", account_type_id=account_type_result.id, notes="TEST_ACCOUNT1", third_party=False, active=True) db.session.add(account) account = Account(identifier="123123123123", name="TEST_ACCOUNT2", account_type_id=account_type_result.id, notes="TEST_ACCOUNT2", third_party=False, active=True) db.session.add(account) account = Account(identifier="109876543210", name="TEST_ACCOUNT3", account_type_id=account_type_result.id, notes="TEST_ACCOUNT3", third_party=False, active=False) db.session.add(account) account = Account(identifier="456456456456", name="TEST_ACCOUNT4", account_type_id=account_type_result.id, notes="TEST_ACCOUNT4", third_party=False, active=False) db.session.add(account) db.session.commit() RUNTIME_WATCHERS.clear() RUNTIME_AUDIT_COUNTS.clear()
def pre_test_setup(self): RDSSnapshotAuditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear() account_type_result = AccountType(name='AWS') db.session.add(account_type_result) db.session.commit() # main account = Account(identifier="123456789123", name="TEST_ACCOUNT", account_type_id=account_type_result.id, notes="TEST_ACCOUNT", third_party=False, active=True) # friendly account2 = Account(identifier="222222222222", name="TEST_ACCOUNT_TWO", account_type_id=account_type_result.id, notes="TEST_ACCOUNT_TWO", third_party=False, active=True) # third party account3 = Account(identifier="333333333333", name="TEST_ACCOUNT_THREE", account_type_id=account_type_result.id, notes="TEST_ACCOUNT_THREE", third_party=True, active=True) db.session.add(account) db.session.add(account2) db.session.add(account3) db.session.commit()
def pre_test_setup(self): self.gh_items = [ GitHubOrgItem(account="Netflix", name="Netflix", arn="Netflix", config=CONFIG_ONE), GitHubOrgItem(account="Netflix-PRIVATE", name="Netflix-PRIVATE", arn="Netflix-PRIVATE", config=CONFIG_TWO), ] self.account_type = AccountType(name="GitHub") db.session.add(self.account_type) db.session.commit() db.session.add( Account(name="Netflix", account_type_id=self.account_type.id, identifier="Netflix", active=True, third_party=False)) db.session.add( Account(name="Netflix-PRIVATE", account_type_id=self.account_type.id, identifier="Netflix-PRIVATE", active=True, third_party=False)) self.technology = Technology(name="organization") db.session.add(self.technology) db.session.commit()
def add_account(number, third_party, name, s3_name, active, notes, role_name='SecurityMonkey', edit=False): ''' Adds an account. If one with the same number already exists, do nothing, unless edit is True, in which case, override the existing account. Returns True if an action is taken, False otherwise. ''' query = Account.query query = query.filter(Account.number == number) if query.count(): if not edit: return False else: query.delete() account = Account() account.name = name account.s3_name = s3_name account.number = number account.role_name = role_name account.notes = notes account.active = active account.third_party = third_party db.session.add(account) db.session.commit() return True
def test_slurp(self, mock_get): from security_monkey.watchers.github.org import GitHubOrg org_watcher = GitHubOrg(accounts=["Org-one"]) result, exc = org_watcher.slurp() assert exc == {} assert len(result) == 1 assert result[0].account == "Org-one" assert result[0].name == "Org-one" assert result[0].index == "organization" assert len(ExceptionLogs.query.all()) == 0 # And failures: db.session.add( Account(name="FAILURE", account_type_id=self.account_type.id, identifier="FAILURE", active=True, third_party=False)) db.session.commit() org_watcher = GitHubOrg(accounts=["FAILURE"]) result, exc = org_watcher.slurp() assert len(exc) == 1 assert len(ExceptionLogs.query.all()) == 1
def _setup_one_two_revisions(self): account_type_result = AccountType.query.filter(AccountType.name == 'AWS').first() if not account_type_result: account_type_result = AccountType(name='AWS') db.session.add(account_type_result) db.session.commit() account = Account(number="012345678910", name="testing", s3_name="testing", role_name="SecurityMonkey", account_type_id=account_type_result.id) technology = Technology(name="iamrole") item = Item(region="us-west-2", name="testrole", arn="arn:aws:iam::012345678910:role/testrole", technology=technology, account=account) self.now = datetime(2016, 11, 3) self.yesterday = self.now - timedelta(days=1) item.revisions.append(ItemRevision(active=True, config={}, date_created=self.now)) item.revisions.append(ItemRevision(active=True, config={}, date_created=self.yesterday)) db.session.add(account) db.session.add(technology) db.session.add(item) db.session.commit() items = Item.query.all() for item in items: latest_revision = item.revisions.first() item.latest_revision_id = latest_revision.id db.session.add(item) db.session.commit()
def pre_test_setup(self): # Delete any remaining test cruft: if app.config.get("GITHUB_CREDENTIALS"): del app.config["GITHUB_CREDENTIALS"] self.account_type = AccountType(name="GitHub") self.accounts = [] db.session.add(self.account_type) db.session.commit() # Tests need to be run from the working dir such that `security_monkey/tests/utilities/templates/github_creds` # can be found! for x in ["one", "two", "three"]: account = Account(name="Org-{}".format(x), account_type_id=self.account_type.id, identifier="Org-{}".format(x), active=True) account.custom_fields.append( AccountTypeCustomValues(name="access_token_file", value="security_monkey/tests/" "utilities/templates/github_creds")) db.session.add(account) self.accounts.append(account) db.session.commit()
def pre_test_setup(self): self.account_type = AccountType(name="GitHub") db.session.add(self.account_type) db.session.commit() db.session.add( Account(name="octocat", account_type_id=self.account_type.id, identifier="octocat", active=True, third_party=False)) self.technology = Technology(name="repository") db.session.add(self.technology) db.session.commit() self.gh_items = [ GitHubOrgItem(account="octocat", name="Hello-World", arn="octocat/Hello-World", config=CONFIG_ONE), GitHubOrgItem(account="octocat", name="Repo-Private", arn="octocat/Repo-Private", config=CONFIG_TWO), ]
def pre_test_setup(self): account_type_result = AccountType.query.filter( AccountType.name == 'AWS').first() if not account_type_result: account_type_result = AccountType(name='AWS') db.session.add(account_type_result) db.session.commit() self.account = Account(identifier="012345678910", name="testing", active=True, third_party=False, account_type_id=account_type_result.id) self.technology = Technology(name="s3") self.item = Item(region="us-west-2", name="somebucket", arn=ARN_PREFIX + ":s3:::somebucket", technology=self.technology, account=self.account) db.session.add(self.account) db.session.add(self.technology) db.session.add(self.item) db.session.commit() mock_s3().start() client = boto3.client("s3") client.create_bucket(Bucket="somebucket") client.create_bucket(Bucket="someotherbucket") client.create_bucket(Bucket="someotherbucket2")
def pre_test_setup(self): self.gh_items = [ GitHubTeamItem(account="Org-one", name="Org-one", arn="Org-one", config=CONFIG_ONE), GitHubTeamItem(account="Org-one", name="Org-one", arn="Org-one", config=CONFIG_TWO), ] self.account_type = AccountType(name="GitHub") db.session.add(self.account_type) db.session.commit() db.session.add( Account(name="Org-one", account_type_id=self.account_type.id, identifier="Org-one", active=True, third_party=False)) self.technology = Technology(name="team") db.session.add(self.technology) db.session.commit()
def test_slurp(self): test_account = Account() test_account.name = "TEST_ACCOUNT" test_account.notes = "TEST ACCOUNT" test_account.s3_name = "TEST_ACCOUNT" test_account.number = "012345678910" test_account.role_name = "TEST_ACCOUNT" mock_query.add_account(test_account) conn = boto.connect_route53('the_key', 'the_secret') zone = conn.create_hosted_zone("testdns.aws.com") zone_id = zone["CreateHostedZoneResponse"][ "HostedZone"]["Id"].split("/")[-1] changes = boto.route53.record.ResourceRecordSets(conn, zone_id) change = changes.add_change("CREATE", "testdns.aws.com", "A") change.add_value("10.1.1.1") changes.commit() watcher = Route53(accounts=[test_account.name]) item_list, exception_map = watcher.slurp() self.assertIs( expr1=len(item_list), expr2=1, msg="Watcher should have 1 item but has {}".format(len(item_list)))
def test_slurp(self): test_account = Account() test_account.name = "TEST_ACCOUNT" test_account.notes = "TEST ACCOUNT" test_account.s3_name = "TEST_ACCOUNT" test_account.number = "012345678910" test_account.role_name = "TEST_ACCOUNT" mock_query.add_account(test_account) ec2 = boto3.resource('ec2', region_name='us-east-1') ec2.create_dhcp_options(DhcpConfigurations=[{ 'Key': 'domain-name', 'Values': ['example.com'] }, { 'Key': 'domain-name-servers', 'Values': ['10.0.10.2'] }]) watcher = DHCP(accounts=[test_account.name]) item_list, exception_map = watcher.slurp() self.assertIs(expr1=len(item_list), expr2=1, msg="Watcher should have 1 item but has {}".format( len(item_list)))
def test_slurp(self): test_account = Account() test_account.name = "TEST_ACCOUNT" test_account.notes = "TEST ACCOUNT" test_account.s3_name = "TEST_ACCOUNT" test_account.number = "012345678910" test_account.role_name = "TEST_ACCOUNT" mock_query.add_account(test_account) conn = boto3.client('lambda', 'us-east-1') conn.create_function( FunctionName='testFunction', Runtime='python2.7', Role='test-iam-role', Handler='lambda_function.handler', Code={ 'ZipFile': get_test_zip_file() }, Description='test lambda function', Timeout=3, MemorySize=128, Publish=True, ) watcher = LambdaFunction(accounts=[test_account.name]) item_list, exception_map = watcher.slurp() self.assertIs( expr1=len(item_list), expr2=1, msg="Watcher should have 1 item but has {}".format(len(item_list)))
def amazon_accounts(): """ Pre-populates standard AWS owned accounts """ import os import json from security_monkey.datastore import Account, AccountType data_file = os.path.join(os.path.dirname(__file__), "data", "aws_accounts.json") data = json.load(open(data_file, 'r')) app.logger.info('Adding / updating Amazon owned accounts') try: account_type_result = AccountType.query.filter( AccountType.name == 'AWS').first() if not account_type_result: account_type_result = AccountType(name='AWS') db.session.add(account_type_result) db.session.commit() db.session.refresh(account_type_result) for group, info in data.items(): for aws_account in info['accounts']: acct_name = "{group} ({region})".format( group=group, region=aws_account['region']) account = Account.query.filter( Account.number == aws_account['account_id']).first() if not account: app.logger.debug( ' Adding account {0}'.format(acct_name)) account = Account() else: app.logger.debug( ' Updating account {0}'.format(acct_name)) account.number = aws_account['account_id'] account.identifier = aws_account['account_id'] account.account_type_id = account_type_result.id account.active = False account.third_party = True account.name = acct_name account.notes = info['url'] db.session.add(account) db.session.commit() app.logger.info('Finished adding Amazon owned accounts') except Exception as e: app.logger.exception("An error occured while adding accounts") store_exception("manager-amazon-accounts", None, e)
def _setup_account(self): account_type_result = AccountType(name='AWS') db.session.add(account_type_result) db.session.commit() account = Account(identifier="012345678910", name="test_account", account_type_id=account_type_result.id) db.session.add(account) db.session.commit()
def pre_test_setup(self): account_type_result = AccountType(name='AWS') db.session.add(account_type_result) db.session.commit() self.account = Account(identifier="012345678910", name="testing", third_party=False, active=True, account_type_id=account_type_result.id) self.technology = Technology(name="iamrole") self.total_roles = 75 db.session.add(self.account) db.session.add(self.technology) db.session.commit() mock_iam().start() client = boto3.client("iam") aspd = { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "Service": "ec2.amazonaws.com" } }] } policy = { "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Action": "*", "Resource": "*" }] } for x in range(0, self.total_roles): # Create the IAM Role via Moto: aspd["Statement"][0][ "Resource"] = ARN_PREFIX + "arn:aws:iam:012345678910:role/roleNumber{}".format( x) client.create_role(Path="/", RoleName="roleNumber{}".format(x), AssumeRolePolicyDocument=json.dumps(aspd, indent=4)) client.put_role_policy(RoleName="roleNumber{}".format(x), PolicyName="testpolicy", PolicyDocument=json.dumps(policy, indent=4))
def setup_db(self): account_type_result = AccountType(name='AWS') db.session.add(account_type_result) db.session.commit() self.account = Account(identifier="012345678910", name="testing", account_type_id=account_type_result.id) self.technology = Technology(name="iamrole") db.session.add(self.account) db.session.add(self.technology) db.session.commit()
def pre_test_setup(self): self.es_items = [ ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test", config=CONFIG_ONE), ElasticSearchServiceItem(region="us-west-2", account="TEST_ACCOUNT", name="es_test_2", config=CONFIG_TWO), ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_3", config=CONFIG_THREE), ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test_4", config=CONFIG_FOUR), ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test_5", config=CONFIG_FIVE), ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_6", config=CONFIG_SIX), ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_7", config=CONFIG_SEVEN), ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_8", config=CONFIG_EIGHT), ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test_9", config=CONFIG_NINE), ] account_type_result = AccountType(name='AWS') db.session.add(account_type_result) db.session.commit() account = Account(identifier="012345678910", name="TEST_ACCOUNT", account_type_id=account_type_result.id, notes="TEST_ACCOUNT", third_party=False, active=True) db.session.add(account) db.session.commit()
def amazon_accounts(): """ Pre-populates standard AWS owned accounts """ import os import json from security_monkey.datastore import Account data_file = os.path.join(os.path.dirname(__file__), "data", "aws_accounts.json") data = json.load(open(data_file, 'r')) app.logger.info('Adding / updating Amazon owned accounts') try: for group, info in data.items(): for aws_account in info['accounts']: acct_name = "{group} ({region})".format(group=group, region=aws_account['region']) account = Account.query.filter(Account.number == aws_account['account_id']).first() if not account: app.logger.debug(' Adding account {0}'.format(acct_name)) account = Account() else: app.logger.debug(' Updating account {0}'.format(acct_name)) account.number = aws_account['account_id'] account.active = False account.third_party = True account.name = acct_name account.notes = info['url'] db.session.add(account) db.session.commit() app.logger.info('Finished adding Amazon owned accounts') except Exception as e: app.logger.exception("An error occured while adding accounts") store_exception("manager-amazon-accounts", None, e)
def pre_test_setup(self): account_result = Account.query.filter( Account.name == 'TEST_ACCOUNT').first() if not account_result: account_type = AccountType(name='AWS') db.session.add(account_type) db.session.commit() account_result = Account(name='TEST_ACCOUNT', identifier='012345678910', account_type_id=account_type.id) db.session.add(account_result) db.session.commit()
def pre_test_setup(self): account_type_result = AccountType(name='AWS') db.session.add(account_type_result) db.session.commit() account = Account(identifier="012345678910", name="TEST_ACCOUNT", account_type_id=account_type_result.id, notes="TEST_ACCOUNT", third_party=False, active=True) db.session.add(account) db.session.commit() mock_file_system.clear() build_mock_result(watcher_configs, [])
def pre_test_setup(self): account_type_result = AccountType(name='AWS') db.session.add(account_type_result) db.session.commit() self.account = Account(identifier="012345678910", name="TEST_ACCOUNT", account_type_id=account_type_result.id, notes="TEST_ACCOUNT", third_party=False, active=True) db.session.add(self.account) db.session.commit()
def test_fetch_aws_canonical_ids_command(self): accounts = Account.query.all() fetch_aws_canonical_ids(False) for account in accounts: assert len(account.custom_fields) == 1 assert account.custom_fields[0].name == "canonical_id" assert account.custom_fields[ 0].value == "bcaf1ffd86f41161ca5fb16fd081034f" # Default from moto. # Make it something else to test overrides: account.custom_fields[0].value = "replaceme" db.session.add(account) db.session.commit() # Test without override (nothing should be changed): fetch_aws_canonical_ids(False) for account in accounts: assert len(account.custom_fields) == 1 assert account.custom_fields[0].name == "canonical_id" assert account.custom_fields[0].value == "replaceme" # Test override: fetch_aws_canonical_ids(True) for account in accounts: assert len(account.custom_fields) == 1 assert account.custom_fields[0].name == "canonical_id" assert account.custom_fields[ 0].value == "bcaf1ffd86f41161ca5fb16fd081034f" # Default from moto. # Create an inactive account: inactive = Account(name="inactive", account_type_id=self.account_type.id, identifier="109876543210") db.session.add(inactive) db.session.commit() # Run the change again: fetch_aws_canonical_ids(True) # Ensure that nothing happened to the inactive account: assert len(inactive.custom_fields) == 0 # Also verify that no exceptions were encountered: assert len(ExceptionLogs.query.all()) == 0 mock_sts().stop() mock_s3().stop()
def pre_test_setup(self): from security_monkey.auditors.iam.iam_role import IAMRoleAuditor from security_monkey.datastore import Account, AccountType from security_monkey import db IAMRoleAuditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear() account_type_result = AccountType(name='AWS') db.session.add(account_type_result) db.session.commit() # main account = Account(identifier="012345678910", name="TEST_ACCOUNT", account_type_id=account_type_result.id, notes="TEST_ACCOUNT", third_party=False, active=True) # friendly account2 = Account(identifier="222222222222", name="TEST_ACCOUNT_TWO", account_type_id=account_type_result.id, notes="TEST_ACCOUNT_TWO", third_party=False, active=True) # third party account3 = Account(identifier="333333333333", name="TEST_ACCOUNT_THREE", account_type_id=account_type_result.id, notes="TEST_ACCOUNT_THREE", third_party=True, active=True) db.session.add(account) db.session.add(account2) db.session.add(account3) db.session.commit()
def pre_test_setup(self): self.account_type = AccountType.query.filter( AccountType.name == 'AWS').first() if not self.account_type: self.account_type = AccountType(name='AWS') db.session.add(self.account_type) db.session.commit() self.test_account = Account(type=self.account_type, name="test_account", identifier="012345678910") self.technology = Technology(name="testtech") db.session.add(self.test_account) db.session.add(self.technology) db.session.commit()
def test_slurp(self, mock_get): db.session.add(Account(name="Netflix", account_type_id=self.account_type.id, identifier="Netflix", active=True, third_party=False)) db.session.commit() repo_watcher = GitHubRepo(accounts=["Netflix"]) repo_watcher.slurp_list() result, exc = repo_watcher.slurp() assert len(result) == 2 assert result[0].account == "Netflix" assert result[0].arn == "Netflix/security_monkey" assert result[0].index == "repository" assert len(exc) == 0 assert len(ExceptionLogs.query.all()) == 0
def setUp(self): self.es_items = [ ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test", config=CONFIG_ONE), ElasticSearchServiceItem(region="us-west-2", account="TEST_ACCOUNT", name="es_test_2", config=CONFIG_TWO), ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_3", config=CONFIG_THREE), ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test_4", config=CONFIG_FOUR), ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test_5", config=CONFIG_FIVE), ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_6", config=CONFIG_SIX), ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_7", config=CONFIG_SEVEN), ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_8", config=CONFIG_EIGHT), ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test_9", config=CONFIG_NINE), ] # Add the fake source account into the database: test_account = Account() test_account.name = "TEST_ACCOUNT" test_account.notes = "TEST ACCOUNT" test_account.s3_name = "TEST_ACCOUNT" test_account.number = "012345678910" test_account.role_name = "TEST_ACCOUNT" db.session.add(test_account) db.session.commit()
def test_get_creds_file(self): # Load the creds file: creds = get_github_creds(["Org-one", "Org-two", "Org-three"]) for x in ["one", "two", "three"]: assert creds["Org-{}".format(x)] == "token-{}".format(x) # And without one specified: db.session.add( Account(name="Org-BAD", account_type_id=self.account_type.id, identifier="Org-BAD", active=True)) db.session.commit() with self.assertRaises(GitHubCredsError) as _: get_github_creds(["Org-BAD"])
def pre_test_setup(self): self.account_type = AccountType(name="GitHub") db.session.add(self.account_type) db.session.commit() app.config["GITHUB_CREDENTIALS"] = { "Org-one": "token-one", "FAILURE": "FAILURE", "Netflix": "token-two" } db.session.add(Account(name="Org-one", account_type_id=self.account_type.id, identifier="Org-one", active=True, third_party=False)) self.technology = Technology(name="repository") db.session.add(self.technology) db.session.commit()
def pre_test_setup(self): SecurityGroupAuditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear() account_type_result = AccountType(name='AWS') db.session.add(account_type_result) db.session.commit() # main account = Account(identifier="123456789123", name="TEST_ACCOUNT", account_type_id=account_type_result.id, notes="TEST_ACCOUNT", third_party=False, active=True) db.session.add(account) db.session.commit()
def test_slurp_list(self, mock_get): repo_watcher = GitHubRepo(accounts=["Org-one"]) result, exc = repo_watcher.slurp_list() assert exc == {} assert len(result) == len(repo_watcher.total_list) == 2 assert result[0]["name"] == "security_monkey" assert result[1]["name"] == "hubcommander" assert len(ExceptionLogs.query.all()) == 0 # And failures: db.session.add(Account(name="FAILURE", account_type_id=self.account_type.id, identifier="FAILURE", active=True, third_party=False)) db.session.commit() repo_watcher = GitHubRepo(accounts=["FAILURE"]) result, exc = repo_watcher.slurp() assert len(exc) == 1 assert len(ExceptionLogs.query.all()) == 1
def test_slurp(self): test_account = Account() test_account.name = "TEST_ACCOUNT" test_account.notes = "TEST ACCOUNT" test_account.s3_name = "TEST_ACCOUNT" test_account.number = "012345678910" test_account.role_name = "TEST_ACCOUNT" mock_query.add_account(test_account) conn = boto.connect_vpc("the_key", "the secret") conn.create_vpc("10.0.0.0/16") watcher = RouteTable(accounts=[test_account.name]) item_list, exception_map = watcher.slurp() self.assertIs(expr1=len(item_list), expr2=1, msg="Watcher should have 1 item but has {}".format(len(item_list)))
def amazon_accounts(): """ Pre-populates standard AWS owned accounts """ import json from security_monkey.datastore import Account, AccountType data = json.load(open("data/aws_accounts.json", 'r')) app.logger.info('Adding / updating Amazon owned accounts') try: account_type_result = AccountType.query.filter(AccountType.name == 'AWS').first() if not account_type_result: account_type_result = AccountType(name='AWS') db.session.add(account_type_result) db.session.commit() db.session.refresh(account_type_result) for group, info in data.items(): for aws_account in info['accounts']: acct_name = "{group} ({region})".format(group=group, region=aws_account['region']) account = Account.query.filter(Account.identifier == aws_account['account_id']).first() if not account: app.logger.debug(' Adding account {0}'.format(acct_name)) account = Account() else: app.logger.debug(' Updating account {0}'.format(acct_name)) account.identifier = aws_account['account_id'] account.account_type_id = account_type_result.id account.active = False account.third_party = True account.name = acct_name account.notes = info['url'] db.session.add(account) db.session.commit() app.logger.info('Finished adding Amazon owned accounts') except Exception as e: app.logger.exception("An error occured while adding accounts") store_exception("manager-amazon-accounts", None, e)
def test_slurp(self): test_account = Account() test_account.name = "TEST_ACCOUNT" test_account.notes = "TEST ACCOUNT" test_account.s3_name = "TEST_ACCOUNT" test_account.number = "012345678910" test_account.role_name = "TEST_ACCOUNT" mock_query.add_account(test_account) conn = boto3.client("ec2", "us-east-1") reservation = conn.run_instances(ImageId="ami-1234abcd", MinCount=1, MaxCount=1) instance = reservation["Instances"][0] conn.create_image(InstanceId=instance["InstanceId"], Name="test-ami", Description="this is a test ami") watcher = EC2Image(accounts=[test_account.name]) item_list, exception_map = watcher.slurp() self.assertIs(expr1=len(item_list), expr2=1, msg="Watcher should have 1 item but has {}".format(len(item_list)))
def test_slurp(self): test_account = Account() test_account.name = "TEST_ACCOUNT" test_account.notes = "TEST ACCOUNT" test_account.s3_name = "TEST_ACCOUNT" test_account.number = "012345678910" test_account.role_name = "TEST_ACCOUNT" mock_query.add_account(test_account) conn = boto.rds.connect_to_region('us-east-1') conn.create_dbsecurity_group('db_sg1', 'DB Security Group') watcher = RDSSecurityGroup(accounts=[test_account.name]) item_list, exception_map = watcher.slurp() self.assertIs( expr1=len(item_list), expr2=1, msg="Watcher should have 1 item but has {}".format(len(item_list)))
def test_slurp(self): test_account = Account() test_account.name = "TEST_ACCOUNT" test_account.notes = "TEST ACCOUNT" test_account.s3_name = "TEST_ACCOUNT" test_account.number = "012345678910" test_account.role_name = "TEST_ACCOUNT" mock_query.add_account(test_account) conn = boto.connect_ec2('the_key', 'the_secret') conn.create_volume(50, "us-east-1a") watcher = EBSVolume(accounts=[test_account.name]) item_list, exception_map = watcher.slurp() self.assertIs( expr1=len(item_list), expr2=1, msg="Watcher should have 1 item but has {}".format(len(item_list)))
def test_slurp(self): test_account = Account() test_account.name = "TEST_ACCOUNT" test_account.notes = "TEST ACCOUNT" test_account.s3_name = "TEST_ACCOUNT" test_account.number = "012345678910" test_account.role_name = "TEST_ACCOUNT" mock_query.add_account(test_account) conn = boto3.client('ec2', 'us-east-1') conn.run_instances(ImageId='ami-1234abcd', MinCount=1, MaxCount=1) watcher = EC2Instance(accounts=[test_account.name]) item_list, exception_map = watcher.slurp() self.assertIs( expr1=len(item_list), expr2=1, msg="Watcher should have 1 item but has {}".format(len(item_list)))
def setUp(self): self.es_items = [ ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test", config=CONFIG_ONE), ElasticSearchServiceItem(region="us-west-2", account="TEST_ACCOUNT", name="es_test_2", config=CONFIG_TWO), ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_3", config=CONFIG_THREE), ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test_4", config=CONFIG_FOUR), ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test_5", config=CONFIG_FIVE), ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_6", config=CONFIG_SIX), ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_7", config=CONFIG_SEVEN), ElasticSearchServiceItem(region="eu-west-1", account="TEST_ACCOUNT", name="es_test_8", config=CONFIG_EIGHT), ElasticSearchServiceItem(region="us-east-1", account="TEST_ACCOUNT", name="es_test_9", config=CONFIG_NINE), ] test_account = Account() test_account.name = "TEST_ACCOUNT" test_account.notes = "TEST ACCOUNT" test_account.s3_name = "TEST_ACCOUNT" test_account.number = "012345678910" test_account.role_name = "TEST_ACCOUNT" mock_query.add_account(test_account)
def test_slurp(self): test_account = Account() test_account.name = "TEST_ACCOUNT" test_account.notes = "TEST ACCOUNT" test_account.s3_name = "TEST_ACCOUNT" test_account.number = "012345678910" test_account.role_name = "TEST_ACCOUNT" mock_query.add_account(test_account) vpc_conn = boto.vpc.connect_to_region("us-east-1") vpc = vpc_conn.create_vpc("10.0.0.0/16") subnet = vpc_conn.create_subnet(vpc.id, "10.1.0.0/24") subnet_ids = [subnet.id] conn = boto.rds.connect_to_region("us-east-1") conn.create_db_subnet_group("db_subnet", "my db subnet", subnet_ids) watcher = RDSSubnetGroup(accounts=[test_account.name]) item_list, exception_map = watcher.slurp() self.assertIs(expr1=len(item_list), expr2=1, msg="Watcher should have 1 item but has {}".format(len(item_list)))
def test_slurp(self): test_account = Account() test_account.name = "TEST_ACCOUNT" test_account.notes = "TEST ACCOUNT" test_account.s3_name = "TEST_ACCOUNT" test_account.number = "012345678910" test_account.role_name = "TEST_ACCOUNT" mock_query.add_account(test_account) conn = boto.connect_route53("the_key", "the_secret") zone = conn.create_hosted_zone("testdns.aws.com") zone_id = zone["CreateHostedZoneResponse"]["HostedZone"]["Id"].split("/")[-1] changes = boto.route53.record.ResourceRecordSets(conn, zone_id) change = changes.add_change("CREATE", "testdns.aws.com", "A") change.add_value("10.1.1.1") changes.commit() watcher = Route53(accounts=[test_account.name]) item_list, exception_map = watcher.slurp() self.assertIs(expr1=len(item_list), expr2=1, msg="Watcher should have 1 item but has {}".format(len(item_list)))
def test_slurp(self): test_account = Account() test_account.name = "TEST_ACCOUNT" test_account.notes = "TEST ACCOUNT" test_account.s3_name = "TEST_ACCOUNT" test_account.number = "012345678910" test_account.role_name = "TEST_ACCOUNT" mock_query.add_account(test_account) ec2 = boto3.resource('ec2', region_name='us-east-1') ec2.create_dhcp_options(DhcpConfigurations=[ {'Key': 'domain-name', 'Values': ['example.com']}, {'Key': 'domain-name-servers', 'Values': ['10.0.10.2']} ]) watcher = DHCP(accounts=[test_account.name]) item_list, exception_map = watcher.slurp() self.assertIs( expr1=len(item_list), expr2=1, msg="Watcher should have 1 item but has {}".format(len(item_list)))
def save(self): pass def audit_all_objects(self): RUNTIME_AUDITORS[self.__class__.__name__].append(self) def save_issues(self): pass mock_query = MockAccountQuery() mock_db_session = MockDBSession() test_account = Account() test_account.name = "TEST_ACCOUNT" test_account.notes = "TEST ACCOUNT" test_account.s3_name = "TEST_ACCOUNT" test_account.number = "012345678910" test_account.role_name = "TEST_ACCOUNT" test_account.third_party = False test_account.active = True mock_query.add_account(test_account) test_account2 = Account() test_account2.name = "TEST_ACCOUNT2" test_account2.notes = "TEST ACCOUNT2" test_account2.s3_name = "TEST_ACCOUNT2" test_account2.number = "123123123123" test_account2.role_name = "TEST_ACCOUNT"
def post(self): """ .. http:post:: /api/1/account/ Create a new account. **Example Request**: .. sourcecode:: http POST /api/1/account/ HTTP/1.1 Host: example.com Accept: application/json { 'name': 'new_account' 's3_name': 'new_account', 'number': '0123456789', 'notes': 'this account is for ...', 'role_name': 'CustomRole', 'active': true, 'third_party': false } **Example Response**: .. sourcecode:: http HTTP/1.1 201 Created Vary: Accept Content-Type: application/json { 'name': 'new_account' 's3_name': 'new_account', 'number': '0123456789', 'notes': 'this account is for ...', 'role_name': 'CustomRole', 'active': true, 'third_party': false } :statuscode 201: created :statuscode 401: Authentication Error. Please Login. """ auth, retval = __check_auth__(self.auth_dict) if auth: return retval self.reqparse.add_argument('name', required=True, type=unicode, help='Must provide account name', location='json') self.reqparse.add_argument('s3_name', required=False, type=unicode, help='Will use name if s3_name not provided.', location='json') self.reqparse.add_argument('number', required=False, type=unicode, help='Add the account number if available.', location='json') self.reqparse.add_argument('notes', required=False, type=unicode, help='Add context.', location='json') self.reqparse.add_argument('role_name', required=False, type=unicode, help='Custom role name.', location='json') self.reqparse.add_argument('active', required=False, type=bool, help='Determines whether this account should be interrogated by security monkey.', location='json') self.reqparse.add_argument('third_party', required=False, type=bool, help='Determines whether this account is a known friendly third party account.', location='json') args = self.reqparse.parse_args() account = Account() account.name = args['name'] account.s3_name = args.get('s3_name', args['name']) account.number = args['number'] account.notes = args['notes'] account.active = args['active'] account.third_party = args['third_party'] db.session.add(account) db.session.commit() db.session.refresh(account) marshaled_account = marshal(account.__dict__, ACCOUNT_FIELDS) marshaled_account['auth'] = self.auth_dict return marshaled_account, 201