def test_detect_change(self):
from security_monkey.datastore_utils import detect_change, hash_item
from security_monkey.datastore import Item
self.setup_db()
item = Item(
region="universal",
name="SomeRole",
arn=ARN_PREFIX + ":iam::012345678910:role/SomeRole",
tech_id=self.technology.id,
account_id=self.account.id,
)
sti = SomeTestItem().from_slurp(ACTIVE_CONF,
account_name=self.account.name)
# Get the hash:
complete_hash, durable_hash = hash_item(sti.config, [])
# Item does not exist in the DB yet:
assert (True, 'durable', None,
'created') == detect_change(sti, self.account, self.technology,
complete_hash, durable_hash)
# Add the item to the DB:
db.session.add(item)
db.session.commit()
# Durable change (nothing hashed in DB yet)
assert (True, 'durable', item,
'changed') == detect_change(sti, self.account, self.technology,
complete_hash, durable_hash)
# No change:
item.latest_revision_complete_hash = complete_hash
item.latest_revision_durable_hash = durable_hash
db.session.add(item)
db.session.commit()
assert (False, None, item,
None) == detect_change(sti, self.account, self.technology,
complete_hash, durable_hash)
# Ephemeral change:
mod_conf = dict(ACTIVE_CONF)
mod_conf["IGNORE_ME"] = "I am ephemeral!"
complete_hash, durable_hash = hash_item(mod_conf, ["IGNORE_ME"])
assert (True, 'ephemeral', item,
None) == detect_change(sti, self.account, self.technology,
complete_hash, durable_hash)
def find_changes_batch(self, items, exception_map):
# Given the list of items, find new items that don't yet exist:
durable_items = []
from security_monkey.datastore_utils import hash_item, detect_change, persist_item
for item in items:
complete_hash, durable_hash = hash_item(item.config, self.ephemeral_paths)
# Detect if a change occurred:
is_change, change_type, db_item = detect_change(item, self.current_account[0], self.technology,
complete_hash, durable_hash)
# As Officer Barbrady says: "Move along... Nothing to see here..."
if not is_change:
continue
# Now call out to persist item:
is_durable = (change_type == "durable")
persist_item(item, db_item, self.technology, self.current_account[0], complete_hash,
durable_hash, is_durable)
if is_durable:
durable_items.append(item)
return durable_items
def test_detect_change(self):
from security_monkey.datastore_utils import detect_change, hash_item
from security_monkey.datastore import Item
self.setup_db()
item = Item(region="universal",
name="SomeRole",
arn=ARN_PREFIX + ":iam::012345678910:role/SomeRole",
tech_id=self.technology.id,
account_id=self.account.id,
)
sti = SomeTestItem().from_slurp(ACTIVE_CONF, account_name=self.account.name)
# Get the hash:
complete_hash, durable_hash = hash_item(sti.config, [])
# Item does not exist in the DB yet:
assert (True, 'durable', None, 'created') == detect_change(sti, self.account, self.technology, complete_hash,
durable_hash)
# Add the item to the DB:
db.session.add(item)
db.session.commit()
# Durable change (nothing hashed in DB yet)
assert (True, 'durable', item, 'changed') == detect_change(sti, self.account, self.technology, complete_hash,
durable_hash)
# No change:
item.latest_revision_complete_hash = complete_hash
item.latest_revision_durable_hash = durable_hash
db.session.add(item)
db.session.commit()
assert (False, None, item, None) == detect_change(sti, self.account, self.technology, complete_hash,
durable_hash)
# Ephemeral change:
mod_conf = dict(ACTIVE_CONF)
mod_conf["IGNORE_ME"] = "I am ephemeral!"
complete_hash, durable_hash = hash_item(mod_conf, ["IGNORE_ME"])
assert (True, 'ephemeral', item, None) == detect_change(sti, self.account, self.technology, complete_hash,
durable_hash)
def find_changes_batch(self, items, exception_map):
# Given the list of items, find new items that don't yet exist:
durable_items = []
from security_monkey.datastore_utils import hash_item, detect_change, persist_item
for item in items:
complete_hash, durable_hash = hash_item(item.config,
self.ephemeral_paths)
# Detect if a change occurred:
is_change, change_type, db_item, created_changed = detect_change(
item, self.current_account[0], self.technology, complete_hash,
durable_hash)
if not is_change:
continue
is_durable = (change_type == "durable")
if is_durable:
durable_items.append(item)
if created_changed == 'created':
self.created_items.append(
ChangeItem.from_items(old_item=None,
new_item=item,
source_watcher=self))
if created_changed == 'changed':
db_item.audit_issues = db_item.issues
db_item.config = db_item.revisions.first().config
# At this point, a durable change was detected. If the complete hash is the same,
# then the durable hash is out of date, and this is not a real item change. This could happen if the
# ephemeral definitions change (this will be fixed in persist_item).
# Only add the items to the changed item list that are real item changes:
if db_item.latest_revision_complete_hash != complete_hash:
self.changed_items.append(
ChangeItem.from_items(old_item=db_item,
new_item=item,
source_watcher=self))
persist_item(item, db_item, self.technology,
self.current_account[0], complete_hash, durable_hash,
is_durable)
return durable_items
def find_changes_batch(self, items, exception_map):
# Given the list of items, find new items that don't yet exist:
durable_items = []
from security_monkey.datastore_utils import hash_item, detect_change, persist_item
for item in items:
complete_hash, durable_hash = hash_item(item.config, self.ephemeral_paths)
# Detect if a change occurred:
is_change, change_type, db_item, created_changed = detect_change(
item, self.current_account[0], self.technology, complete_hash, durable_hash)
if not is_change:
continue
is_durable = (change_type == "durable")
if is_durable:
durable_items.append(item)
if created_changed == 'created':
self.created_items.append(ChangeItem.from_items(old_item=None, new_item=item, source_watcher=self))
if created_changed == 'changed':
db_item.audit_issues = db_item.issues
db_item.config = db_item.revisions.first().config
# At this point, a durable change was detected. If the complete hash is the same,
# then the durable hash is out of date, and this is not a real item change. This could happen if the
# ephemeral definitions change (this will be fixed in persist_item).
# Only add the items to the changed item list that are real item changes:
if db_item.latest_revision_complete_hash != complete_hash:
self.changed_items.append(ChangeItem.from_items(old_item=db_item, new_item=item,
source_watcher=self))
persist_item(item, db_item, self.technology, self.current_account[0], complete_hash,
durable_hash, is_durable)
return durable_items
def find_changes_batch(self, items, exception_map):
# Given the list of items, find new items that don't yet exist:
durable_items = []
from security_monkey.datastore_utils import hash_item, detect_change, persist_item
for item in items:
complete_hash, durable_hash = hash_item(item.config,
self.ephemeral_paths)
# Detect if a change occurred:
is_change, change_type, db_item, created_changed = detect_change(
item, self.current_account[0], self.technology, complete_hash,
durable_hash)
if not is_change:
continue
is_durable = (change_type == "durable")
if is_durable:
durable_items.append(item)
if created_changed == 'created':
self.created_items.append(
ChangeItem.from_items(old_item=None, new_item=item))
if created_changed == 'changed':
db_item.audit_issues = db_item.issues
db_item.config = db_item.revisions.first().config
self.changed_items.append(
ChangeItem.from_items(old_item=db_item, new_item=item))
persist_item(item, db_item, self.technology,
self.current_account[0], complete_hash, durable_hash,
is_durable)
return durable_items