def test_s3_backend_delete_v1(s3_bucket_name):
    """Create one schema-v1 account in the S3 backend, delete it, and check the listing is empty again."""
    from swag_client.backend import SWAGManager
    from swag_client.util import parse_swag_config_options

    backend_options = parse_swag_config_options({
        'swag.type': 's3',
        'swag.bucket_name': s3_bucket_name,
        'swag.schema_version': 1,
        # presumably 0 disables the read cache so get_all() sees the delete — confirm in swag_client
        'swag.cache_expires': 0,
    })
    manager = SWAGManager(**backend_options)

    metadata = {
        "s3_name": "testaccounts3",
        "cloudtrail_index": "cloudtrail_testaccount[yyyymm]",
        "cloudtrail_kibana_url": "http://testaccount.cloudtrail.dashboard.net",
        "email": "*****@*****.**",
        "account_number": "012345678910",
    }
    services = {
        "rolliepollie": {"enabled": True},
        "awwwdit": {"enabled": True},
    }
    account = {
        "bastion": "testaccount.net",
        "metadata": metadata,
        "schema_version": 1,
        "owners": ["*****@*****.**"],
        "ours": True,
        "email": "*****@*****.**",
        "description": "LOL, Test account",
        "cmc_required": False,
        "tags": ["testing"],
        "id": "aws-012345678910",
        "name": "testaccount",
        "type": "aws",
        "alias": ["test"],
        "services": services,
    }

    manager.create(account)
    assert len(manager.get_all()['accounts']) == 1

    manager.delete(account)
    assert len(manager.get_all()['accounts']) == 0
def test_dynamodb_backend_create(dynamodb_table):
    """Create one account in the DynamoDB backend and confirm it can be fetched back by id."""
    from swag_client.backend import SWAGManager
    from swag_client.util import parse_swag_config_options

    manager = SWAGManager(**parse_swag_config_options({
        'swag.type': 'dynamodb',
        'swag.namespace': 'accounts',
        'swag.cache_expires': 0,
    }))

    new_account = dict(
        aliases=['test'],
        contacts=['*****@*****.**'],
        description='LOL, Test account',
        email='*****@*****.**',
        environment='test',
        id='012345678910',
        name='testaccount',
        owner='netflix',
        provider='aws',
        sensitive=False,
    )

    # The table fixture starts out empty.
    assert not manager.get_all()

    created = manager.create(new_account)
    by_id = "[?id=='{id}']".format(id=created['id'])
    assert manager.get(by_id)
def test_s3_backend_get_all(s3_bucket_name):
    """After creating a single account in the S3 backend, get_all() returns exactly one entry."""
    from swag_client.backend import SWAGManager
    from swag_client.util import parse_swag_config_options

    options = {
        'swag.type': 's3',
        'swag.bucket_name': s3_bucket_name,
        'swag.cache_expires': 0,
    }
    manager = SWAGManager(**parse_swag_config_options(options))

    manager.create(dict(
        aliases=['test'],
        contacts=['*****@*****.**'],
        description='LOL, Test account',
        email='*****@*****.**',
        environment='test',
        id='012345678910',
        name='testaccount',
        owner='netflix',
        provider='aws',
        sensitive=False,
    ))

    listed = manager.get_all()
    assert len(listed) == 1
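def sync_swag(owner, bucket_name, bucket_prefix, bucket_region, account_type, spinnaker):
    """Use the SWAG client to sync SWAG accounts to Security Monkey.

    Reads every SWAG account whose ``provider`` equals ``account_type`` (lower-cased)
    from the S3-backed SWAG store and hands each one to the registered account
    manager's ``sync``.

    Args:
        owner: SWAG ``owner`` value that marks an account as ours; accounts with
            any other owner are synced as third-party.
        bucket_name: S3 bucket holding the SWAG data file.
        bucket_prefix: key of the SWAG data file inside the bucket.
        bucket_region: AWS region of the bucket.
        account_type: key into ``account_registry`` selecting the account manager.
        spinnaker: when truthy, the account's Spinnaker service name is used as
            the Security Monkey account name if SWAG has one.

    Raises:
        KeyError: if ``account_type`` is not registered, or a SWAG account lacks a
            field this function reads directly (``owner``, ``name``,
            ``description``, ``id``, a service ``name`` or a status ``region``).

    The DB session is closed in a ``finally`` so a failure part-way through the
    loop does not leak it; the success message is only logged when every
    account was synced.
    """
    from security_monkey.account_manager import account_registry

    swag_opts = {
        'swag.type': 's3',
        'swag.bucket_name': bucket_name,
        'swag.data_file': bucket_prefix,
        'swag.region': bucket_region,
    }
    swag = SWAGManager(**parse_swag_config_options(swag_opts))
    account_manager = account_registry[account_type]()

    provider_filter = "[?provider=='{provider}']".format(provider=account_type.lower())
    try:
        for account in swag.get_all(provider_filter):
            services = account.get('services', [])
            services_by_name = {s['name']: s for s in services}
            secmonkey_service = services_by_name.get('security_monkey', {})

            # Active only when the security_monkey service has an 'all'-region
            # status entry whose 'enabled' flag is set.
            active = False
            for status in secmonkey_service.get('status', []):
                if status['region'] == 'all':
                    active = status.get('enabled', False)
                    break

            thirdparty = account['owner'] != owner

            # The ids come from SWAG itself; a quote inside an id would break this
            # JMESPath literal, so the data source is trusted for well-formed ids.
            id_filter = "[?id=='{id}']".format(id=account['id'])

            name = account['name']
            if spinnaker:
                # Fall back to the SWAG name when no Spinnaker service name is recorded.
                name = swag.get_service_name('spinnaker', id_filter) or name

            custom_fields = {}
            s3_name = swag.get_service_name('s3', id_filter)
            if s3_name:
                custom_fields['s3_name'] = s3_name
            s3_service = services_by_name.get('s3', {})
            if s3_service:
                c_id = s3_service['metadata'].get('canonicalId', None)
                if c_id:
                    custom_fields['canonical_id'] = c_id
            # presumably the role Security Monkey assumes in that account — confirm in account_manager
            role_name = secmonkey_service.get('metadata', {}).get('role_name', None)
            if role_name is not None:
                custom_fields['role_name'] = role_name

            account_manager.sync(
                account_manager.account_type,
                name,
                active,
                thirdparty,
                account['description'],
                account['id'],
                custom_fields=custom_fields,
            )
    finally:
        db.session.close()

    app.logger.info('SWAG sync successful.')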
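def _prep_accounts(account_names):
    """
    Convert CLI provided account names into list of accounts from SWAG.

    Considers account aliases as well as account names.

    Args:
        account_names: comma-separated account names, aliases or 12-digit account
            numbers. Matching is case-insensitive and surrounding whitespace is
            ignored; empty entries (stray commas) are dropped. The special entry
            ``all`` selects every account returned by SWAG (after ``SWAG_FILTER``
            and, if set, ``SWAG_SERVICE_ENABLED_REQUIREMENT`` are applied).

    Returns a list of account numbers. Entries that are exactly 12 digits are
    passed through without consulting SWAG. Names that SWAG does not know are
    logged and skipped. If SWAG is not configured or unavailable, the error is
    logged and only the pass-through numbers are returned (the remaining names
    cannot be resolved), so the caller may act on fewer accounts than requested.
    """
    matching_accounts = []

    wanted = {name.lower().strip() for name in account_names.split(',')}
    wanted.discard('')

    # Exactly 12 digits is already an account number. fullmatch is used on
    # purpose: re.match would also accept a 12-digit *prefix* such as
    # '123456789012xyz' and pass that junk through as an id.
    for entry in list(wanted):
        if re.fullmatch(r'\d{12}', entry):
            wanted.remove(entry)
            matching_accounts.append(entry)

    if not wanted:
        return matching_accounts

    try:
        current_app.logger.info('getting bucket {}'.format(
            current_app.config.get('SWAG_BUCKET')))
        swag = SWAGManager(**parse_swag_config_options(current_app.config.get('SWAG_OPTS')))
        all_accounts = swag.get_all(current_app.config.get('SWAG_FILTER'))
        service_enabled_requirement = current_app.config.get('SWAG_SERVICE_ENABLED_REQUIREMENT', None)
        if service_enabled_requirement:
            all_accounts = swag.get_service_enabled(service_enabled_requirement, accounts_list=all_accounts)
    except Exception as e:  # covers KeyError and InvalidSWAGDataException too
        current_app.logger.error('Account names passed but SWAG not configured or unavailable: {}'.format(e))
        # all_accounts is unbound here; continuing would raise UnboundLocalError
        # below, so return what could be resolved without SWAG.
        return matching_accounts

    if 'all' in wanted:
        return [account['id'] for account in all_accounts]

    # Index by lower-cased name and by every alias so the lookup is
    # case-insensitive, matching the normalisation applied to the CLI input.
    lookup = {account['name'].lower(): Bunch(account) for account in all_accounts}
    for account in all_accounts:
        # get the right key, depending on whether we're using swag v1 or v2
        alias_key = 'aliases' if account['schemaVersion'] == '2' else 'alias'
        for alias in account.get(alias_key, []):
            lookup[alias.lower()] = Bunch(account)

    for name in wanted:
        if name not in lookup:
            current_app.logger.warning('Could not find an account named %s', name)
            continue
        account_number = lookup[name].get('id', None)
        if account_number:
            matching_accounts.append(account_number)

    return matching_accounts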
def test_file_backend_get_all(vector_path):
    """The file backend reads the 'valid_accounts_v2' vector, which holds two accounts."""
    from swag_client.backend import SWAGManager
    from swag_client.util import parse_swag_config_options

    options = parse_swag_config_options({
        'swag.data_dir': vector_path,
        'swag.namespace': 'valid_accounts_v2',
        'swag.cache_expires': 0,
    })
    manager = SWAGManager(**options)

    accounts = manager.get_all()
    assert len(accounts) == 2
def get_all_accounts(bucket, region='us-west-2', json_path='accounts.json', **filters):
    """Fetches all the accounts from SWAG.

    Reads the schema-v1 SWAG data file ``json_path`` from S3 ``bucket`` in
    ``region`` and keeps only the accounts for which ``is_sub_dict(filters,
    account)`` holds (presumably: every filter key/value is present in the
    account — confirm in the helper).

    Returns:
        A dict ``{'accounts': [...]}`` with the filtered account records.
    """
    backend_options = parse_swag_config_options({
        'swag.type': 's3',
        'swag.bucket_name': bucket,
        'swag.region': region,
        'swag.data_file': json_path,
        'swag.schema_version': 1,
    })
    manager = SWAGManager(**backend_options)

    every_account = manager.get_all()['accounts']
    selected = [record for record in every_account if is_sub_dict(filters, record)]
    return {'accounts': selected}
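def sync_swag(owner, bucket_name, bucket_prefix, bucket_region, account_type, spinnaker):
    """Use the SWAG client to sync SWAG accounts to Security Monkey.

    Reads every SWAG account whose ``provider`` equals ``account_type`` (lower-cased)
    from the S3-backed SWAG store and hands each one to the registered account
    manager's ``sync``. An account is synced as active only when its
    ``account_status`` is ``'ready'`` *and* its ``security_monkey`` service has an
    ``'all'``-region status entry that is enabled.

    Args:
        owner: SWAG ``owner`` value that marks an account as ours; accounts with
            any other owner are synced as third-party.
        bucket_name: S3 bucket holding the SWAG data file.
        bucket_prefix: key of the SWAG data file inside the bucket.
        bucket_region: AWS region of the bucket.
        account_type: key into ``account_registry`` selecting the account manager.
        spinnaker: when truthy, the account's Spinnaker service name is used as
            the Security Monkey account name if SWAG has one.

    Raises:
        KeyError: if ``account_type`` is not registered, or a SWAG account lacks a
            field this function reads directly (``account_status``, ``owner``,
            ``name``, ``description``, ``id``, a service ``name`` or a status
            ``region``). A missing ``account_status`` is deliberately not
            defaulted: silently syncing every account as inactive would disable
            monitoring without anyone noticing.

    The DB session is closed in a ``finally`` so a failure part-way through the
    loop does not leak it; the success message is only logged when every
    account was synced.
    """
    from security_monkey.account_manager import account_registry

    swag_opts = {
        'swag.type': 's3',
        'swag.bucket_name': bucket_name,
        'swag.data_file': bucket_prefix,
        'swag.region': bucket_region,
    }
    swag = SWAGManager(**parse_swag_config_options(swag_opts))
    account_manager = account_registry[account_type]()

    provider_filter = "[?provider=='{provider}']".format(provider=account_type.lower())
    try:
        for account in swag.get_all(provider_filter):
            services = account.get('services', [])
            services_by_name = {s['name']: s for s in services}
            # Bound unconditionally: it is needed for the role_name custom field
            # below even when the account is not 'ready'. Binding it only inside
            # the 'ready' branch raised UnboundLocalError for every other account.
            secmonkey_service = services_by_name.get('security_monkey', {})

            # Check if the account is active or not:
            # 1. 'account_status' must be 'ready'.
            # 2. The security_monkey service's 'all'-region status must be enabled.
            active = False
            if account['account_status'] == 'ready':
                for status in secmonkey_service.get('status', []):
                    if status['region'] == 'all':
                        active = status.get('enabled', False)
                        break

            thirdparty = account['owner'] != owner

            # The ids come from SWAG itself; a quote inside an id would break this
            # JMESPath literal, so the data source is trusted for well-formed ids.
            id_filter = "[?id=='{id}']".format(id=account['id'])

            name = account['name']
            if spinnaker:
                # Fall back to the SWAG name when no Spinnaker service name is recorded.
                name = swag.get_service_name('spinnaker', id_filter) or name

            custom_fields = {}
            s3_name = swag.get_service_name('s3', id_filter)
            if s3_name:
                custom_fields['s3_name'] = s3_name
            s3_service = services_by_name.get('s3', {})
            if s3_service:
                c_id = s3_service['metadata'].get('canonicalId', None)
                if c_id:
                    custom_fields['canonical_id'] = c_id
            # presumably the role Security Monkey assumes in that account — confirm in account_manager
            role_name = secmonkey_service.get('metadata', {}).get('role_name', None)
            if role_name is not None:
                custom_fields['role_name'] = role_name

            account_manager.sync(
                account_manager.account_type,
                name,
                active,
                thirdparty,
                account['description'],
                account['id'],
                custom_fields=custom_fields,
            )
    finally:
        db.session.close()

    app.logger.info('SWAG sync successful.')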
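def sync_swag(owner, bucket_name, bucket_prefix, bucket_region, account_type, spinnaker):
    """Use the SWAG client to sync SWAG accounts to Security Monkey.

    Reads every SWAG account whose ``provider`` equals ``account_type`` (lower-cased)
    from the S3-backed SWAG store and hands each one to the registered account
    manager's ``sync``. An account is synced as active only when its
    ``account_status`` is ``'ready'`` *and* its ``security_monkey`` service has an
    ``'all'``-region status entry that is enabled.

    Args:
        owner: SWAG ``owner`` value that marks an account as ours; accounts with
            any other owner are synced as third-party.
        bucket_name: S3 bucket holding the SWAG data file.
        bucket_prefix: key of the SWAG data file inside the bucket.
        bucket_region: AWS region of the bucket.
        account_type: key into ``account_registry`` selecting the account manager.
        spinnaker: when truthy, the account's Spinnaker service name is used as
            the Security Monkey account name if SWAG has one.

    Raises:
        KeyError: if ``account_type`` is not registered, or a SWAG account lacks a
            field this function reads directly (``account_status``, ``owner``,
            ``name``, ``description``, ``id``, a service ``name`` or a status
            ``region``). A missing ``account_status`` is deliberately not
            defaulted: silently syncing every account as inactive would disable
            monitoring without anyone noticing.

    The DB session is closed in a ``finally`` so a failure part-way through the
    loop does not leak it; the success message is only logged when every
    account was synced.
    """
    from security_monkey.account_manager import account_registry

    swag_opts = {
        'swag.type': 's3',
        'swag.bucket_name': bucket_name,
        'swag.data_file': bucket_prefix,
        'swag.region': bucket_region,
    }
    swag = SWAGManager(**parse_swag_config_options(swag_opts))
    account_manager = account_registry[account_type]()

    provider_filter = "[?provider=='{provider}']".format(provider=account_type.lower())
    try:
        for account in swag.get_all(provider_filter):
            services = account.get('services', [])
            services_by_name = {s['name']: s for s in services}
            # Bound unconditionally: it is needed for the role_name custom field
            # below even when the account is not 'ready'. Binding it only inside
            # the 'ready' branch raised UnboundLocalError for every other account.
            secmonkey_service = services_by_name.get('security_monkey', {})

            # Check if the account is active or not:
            # 1. 'account_status' must be 'ready'.
            # 2. The security_monkey service's 'all'-region status must be enabled.
            active = False
            if account['account_status'] == 'ready':
                for status in secmonkey_service.get('status', []):
                    if status['region'] == 'all':
                        active = status.get('enabled', False)
                        break

            thirdparty = account['owner'] != owner

            # The ids come from SWAG itself; a quote inside an id would break this
            # JMESPath literal, so the data source is trusted for well-formed ids.
            id_filter = "[?id=='{id}']".format(id=account['id'])

            name = account['name']
            if spinnaker:
                # Fall back to the SWAG name when no Spinnaker service name is recorded.
                name = swag.get_service_name('spinnaker', id_filter) or name

            custom_fields = {}
            s3_name = swag.get_service_name('s3', id_filter)
            if s3_name:
                custom_fields['s3_name'] = s3_name
            s3_service = services_by_name.get('s3', {})
            if s3_service:
                c_id = s3_service['metadata'].get('canonicalId', None)
                if c_id:
                    custom_fields['canonical_id'] = c_id
            # presumably the role Security Monkey assumes in that account — confirm in account_manager
            role_name = secmonkey_service.get('metadata', {}).get('role_name', None)
            if role_name is not None:
                custom_fields['role_name'] = role_name

            account_manager.sync(
                account_manager.account_type,
                name,
                active,
                thirdparty,
                account['description'],
                account['id'],
                custom_fields=custom_fields,
            )
    finally:
        db.session.close()

    app.logger.info('SWAG sync successful.')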