Python aws_get_client示例

示例#1

文件： test_cinq_auditor_aws_required_tags_generic.py 项目： bbhunt-2020/Canivete

def test_collect_only(cinq_test_service):
    """
    Test if the auditor respects "collect_only" config item
    """

    # Prep
    setup_info = setup_test_aws(cinq_test_service)
    account = setup_info['account']

    prep_s3_testing(cinq_test_service, collect_only=True)

    # Add resources
    client = aws_get_client('s3')
    bucket_name = dbconfig.get('test_bucket_name',
                               NS_CINQ_TEST,
                               default='testbucket')
    client.create_bucket(Bucket=bucket_name)

    # Collect resources
    collect_resources(account=account, resource_types=['s3'])

    # Initialize auditor
    auditor = MockRequiredTagsAuditor()

    # Setup test
    cinq_test_service.modify_resource(bucket_name, 'creation_date',
                                      '2000-01-01T00:00:00')

    auditor.run()
    assert not auditor._cinq_test_notices

示例#2

文件： test_cinq_auditor_aws_required_tags_generic.py 项目： bbhunt-2020/Canivete

def test_alert_schedule(cinq_test_service):
    """
    Test whether the auditor respects the alert schedule
    """

    setup_info = setup_test_aws(cinq_test_service)
    account = setup_info['account']

    prep_s3_testing(cinq_test_service)

    # Add resources
    client = aws_get_client('s3')
    bucket_name = dbconfig.get('test_bucket_name',
                               NS_CINQ_TEST,
                               default='testbucket')
    client.create_bucket(Bucket=bucket_name)

    # Collect resources
    collect_resources(account=account, resource_types=['s3'])

    # Initialize auditor
    auditor = MockRequiredTagsAuditor()

    # Test 1 --- The auditor should not alert again as we are not at the next scheduled alert time
    auditor.run()
    assert auditor._cinq_test_notices
    auditor.run()
    assert not auditor._cinq_test_notices

示例#3

def test_collect(cinq_test_service):
    """

    :return:
    """

    # Prep
    cinq_test_service.start_mocking_services('ec2')
    account = cinq_test_service.add_test_account(
        account_type='AWS',
        account_name=CINQ_TEST_ACCOUNT_NAME,
        contacts=[{
            'type': 'email',
            'value': dbconfig.get('test_email', NS_CINQ_TEST)
        }],
        properties={'account_number': CINQ_TEST_ACCOUNT_NO})

    # Add resources
    client = aws_get_client('ec2')
    resource = client.run_instances(ImageId='i-10000', MinCount=1, MaxCount=1)

    # Start collector
    run_aws_collector(account)

    # verify
    assert cinq_test_service.has_resource('non-exist-id') is False
    assert cinq_test_service.has_resource(
        resource['Instances'][0]['InstanceId']) is True

示例#4

文件： test_cinq_collector_aws.py 项目： bbhunt-2020/Canivete

def test_collect(cinq_test_service):
    """

    :return:
    """

    # Prep
    setup_info = setup_test_aws(cinq_test_service)
    account = setup_info['account']

    cinq_test_service.start_mocking_services('ec2')

    # Add resources
    client = aws_get_client('ec2')
    resource = client.run_instances(ImageId='i-10000', MinCount=1, MaxCount=1)

    # Start collector
    collect_resources(account=account, resource_types=['ec2'])

    # verify
    assert cinq_test_service.has_resource('non-exist-id') is False
    assert cinq_test_service.has_resource(
        resource['Instances'][0]['InstanceId']) is True

    cinq_test_service.stop_mocking_services('ec2')

示例#5

文件： test_cinq_auditor_aws_required_tags_s3.py 项目： bbhunt-2020/Canivete

def test_basic_ops(cinq_test_service):
    """
    Test will pass if for an S3 bucket meet the following condition:
        - Bucket is empty
        - No Bucket Policy was set
        - No Lifecycle Policy was set
        - No tag was set

    The Auditor will:
        - Detect non-compliant S3 buckets
        - Respect grace period settings
        - Be able to remove an empty bucket successfully when the "REMOVE" criteria are met
    """
    # Prep
    setup_info = setup_test_aws(cinq_test_service)
    recipient = setup_info['recipient']
    account = setup_info['account']

    prep_s3_testing(cinq_test_service)

    # Add resources
    client = aws_get_client('s3')
    bucket_name = dbconfig.get('test_bucket_name',
                               NS_CINQ_TEST,
                               default='testbucket')
    client.create_bucket(Bucket=bucket_name)

    # Collect resources
    collect_resources(account=account, resource_types=['s3'])

    # Initialize auditor
    auditor = MockRequiredTagsAuditor()

    # Test 1 --- Test if auditor respect grace period settings
    cinq_test_service.modify_resource(bucket_name, 'creation_date',
                                      datetime.datetime.utcnow().isoformat())
    auditor.run()
    assert auditor._cinq_test_notices == {}

    # Test 2 --- Test if auditor can pick up non-compliant resources correctly
    cinq_test_service.modify_resource(bucket_name, 'creation_date',
                                      '2000-01-01T00:00:00')

    auditor.run()
    notices = auditor._cinq_test_notices
    assert bucket_name == notices[recipient]['not_fixed'][0]['resource'].id

    # Test 3 --- Modify the issue creation date so it will meet the criteria of "remove" action
    cinq_test_service.modify_issue(
        auditor._cinq_test_notices[recipient]['not_fixed'][0]['issue'].id,
        'created', 0)
    auditor.run()
    notices = auditor._cinq_test_notices
    ''' Check if the action is correct'''
    assert notices[recipient]['not_fixed'][0]['action'] == AuditActions.REMOVE
    ''' Check if the bucket is actually removed '''
    assert len(client.list_buckets()['Buckets']) == 0

示例#6

def test_remove_non_empty_bucket(cinq_test_service):
    """
    Test will pass if for an S3 bucket meet the following condition:
        - Bucket is NOT empty
        - No Bucket Policy was set
        - No Lifecycle Policy was set
        - No tag was set

    The Auditor will:
        - Apply Cinq lifecycle policy to the bucket
    """
    # Prep
    setup_info = setup_test_aws(cinq_test_service)
    recipient = setup_info['recipient']
    account = setup_info['account']

    prep_s3_testing(cinq_test_service)

    # Add resources
    client = aws_get_client('s3')
    bucket_name = dbconfig.get('test_bucket_name', NS_CINQ_TEST, default='testbucket')
    client.create_bucket(Bucket=bucket_name)
    s3_upload_file_from_string(client, bucket_name, 'sample', 'sample text')

    # Collect resources
    collect_resources(account=account, resource_types=['s3'])

    # Initialize auditor
    auditor = MockRequiredTagsAuditor()

    # Setup test case
    cinq_test_service.modify_resource(
        bucket_name,
        'creation_date',
        '2000-01-01T00:00:00'
    )
    auditor.run()

    with pytest.raises(ClientError):
        client.get_bucket_lifecycle_configuration(Bucket=bucket_name)['Rules']

    cinq_test_service.modify_issue(
        auditor._cinq_test_notices[recipient]['not_fixed'][0]['issue'].id,
        'created',
        0
    )
    auditor.run()

    # Verify if the Lifecycle policy is added
    current_policy = client.get_bucket_lifecycle_configuration(Bucket=bucket_name)['Rules'][0]
    assert current_policy['ID'] == 'cloudInquisitor'
    assert current_policy['Status'] == 'Enabled'
    assert current_policy['Expiration'] == {
        'Days': dbconfig.get('lifecycle_expiration_days', NS_AUDITOR_REQUIRED_TAGS, 3)
    }

    '''

示例#7

文件： test_cinq_auditor_aws_required_tags_s3.py 项目： egor045/cloud-inquisitor

def test_fixed_buckets(cinq_test_service):
    """
    Test will pass if for an S3 bucket meet the following condition:
        - Bucket is empty
        - No Bucket Policy was set
        - No Lifecycle Policy was set
        - There was no tag doing the initial audit but missing tags were added during the second audit

    The Auditor will:
        - Detect non-compliant S3 buckets during the first audit
        - Detect Fixed Buckets correctly
    """
    # Prep
    setup_info = setup_test_aws(cinq_test_service)
    recipient = setup_info['recipient']
    account = setup_info['account']

    prep_s3_testing(cinq_test_service)

    # Add resources
    client = aws_get_client('s3')
    bucket_name = dbconfig.get('test_bucket_name', NS_CINQ_TEST, default='testbucket')
    client.create_bucket(Bucket=bucket_name)

    # Collect resources
    collect_resources(account=account, resource_types=['s3'])

    # Initialize auditor
    auditor = MockRequiredTagsAuditor()

    # Setup test case
    cinq_test_service.modify_resource(
        bucket_name,
        'creation_date',
        '2000-01-01T00:00:00'
    )
    auditor.run()

    notices = auditor._cinq_test_notices
    assert notices[recipient]['not_fixed'][0]['resource']['resource_id'] == bucket_name

    client.put_bucket_tagging(
        Bucket=bucket_name,
        Tagging={'TagSet': VALID_TAGSET}
    )
    collect_resources(account=account, resource_types=['s3'])
    auditor.run()
    notices = auditor._cinq_test_notices

    # Verify if the auditor will report the issue fixed
    assert notices[recipient]['fixed'][0]['action'] == AuditActions.FIXED
    assert notices[recipient]['fixed'][0]['resource'].resource_id == bucket_name

示例#8

def test_audit(cinq_test_service):
    """

    :return:
    """

    # Prep
    recipient = NotificationContact(
        type='email',
        value=dbconfig.get('test_email', NS_CINQ_TEST)
    )
    cinq_test_service.start_mocking_services('ec2')
    account = cinq_test_service.add_test_account(
        account_type='AWS',
        account_name=CINQ_TEST_ACCOUNT_NAME,
        contacts=[{'type': 'email', 'value': dbconfig.get('test_email', NS_CINQ_TEST)}],
        properties={
            'account_number': CINQ_TEST_ACCOUNT_NO
        }
    )

    db_setting = dbconfig.get('audit_scope', NS_AUDITOR_REQUIRED_TAGS)
    db_setting['enabled'] = ['aws_ec2_instance']
    dbconfig.set(NS_AUDITOR_REQUIRED_TAGS, 'audit_scope', DBCJSON(db_setting))

    # Add resources
    client = aws_get_client('ec2')
    resource = client.run_instances(ImageId='i-10000', MinCount=1, MaxCount=1)

    # Collect resource
    run_aws_collector(account)

    # Start auditor
    auditor = MockRequiredTagsAuditor()

    # Test 1 --- Test if auditor will pick up non-compliant instances which is still in grace period
    auditor.run()
    assert auditor._cinq_test_notices == {}

    # Test 2 --- Test if auditor will pick up non-compliant instances correctly
    ''' Modify resource property'''
    assert cinq_test_service.modify_resource(
        resource['Instances'][0]['InstanceId'],
        'launch_date',
        '2000-01-01T00:00:00'
    ) is True

    auditor.run()
    notices = auditor._cinq_test_notices

    assert recipient in notices
    assert notices[recipient]['not_fixed'][0]['resource'].resource_id == resource['Instances'][0]['InstanceId']

示例#9

文件： test_cinq-auditor-aws-required-tags-s3.py 项目： trinitroglycerin/cloud-inquisitor

def case_1(cinq_test_service, account, recipient):
    """
    Test will pass if:
    1. Auditor can detect non-compliant S3 buckets
    2. Auditor respect grace period settings
    3. Auditor can remove an empty bucket successfully when the "REMOVE" criteria are met
    """

    bucket_name = dbconfig.get('test_bucket_name',
                               NS_CINQ_TEST,
                               default='testbucket')

    # Add resources
    client = aws_get_client('s3')
    client.create_bucket(Bucket=bucket_name)
    resource = client.list_buckets()['Buckets'][0]

    # Collect resources
    collect_resources(account=account, resource_types=['s3'])

    # Initialize auditor
    auditor = MockRequiredTagsAuditor()

    # Test 1 --- Test if auditor respect grace period settings
    cinq_test_service.modify_resource(resource['Name'], 'creation_date',
                                      datetime.datetime.utcnow().isoformat())
    auditor.run()
    assert auditor._cinq_test_notices == {}

    # Test 2 --- Test if auditor can pick up non-compliant resources correctly
    cinq_test_service.modify_resource(resource['Name'], 'creation_date',
                                      '2000-01-01T00:00:00')

    auditor.run()
    notices = auditor._cinq_test_notices

    assert resource['Name'] == notices[recipient]['not_fixed'][0]['resource'][
        'resource_id']

    # Test 3 --- Modify the issue creation date so it will meet the criteria of "remove" action
    cinq_test_service.modify_issue(
        auditor._cinq_test_notices[recipient]['not_fixed'][0]['issue'].id,
        'created', 0)
    auditor.run()
    notices = auditor._cinq_test_notices
    ''' Check if the action is correct'''
    assert notices[recipient]['not_fixed'][0]['action'] == AuditActions.REMOVE
    ''' Check if the bucket is actually removed '''
    assert len(client.list_buckets()['Buckets']) == 0

示例#10

文件： test_cinq_auditor_aws_required_tags_ec2.py 项目： gwcmk/cloud-inquisitor

def test_basic_ops(cinq_test_service):
    """
    Test will pass if:
    1. Auditor can detect non-compliant EC2 instances
    2. Auditor respect grace period settings
    """

    # Prep
    cinq_test_service.start_mocking_services('ec2')

    setup_info = setup_test_aws(cinq_test_service)
    recipient = setup_info['recipient']
    account = setup_info['account']

    db_setting = dbconfig.get('audit_scope', NS_AUDITOR_REQUIRED_TAGS)
    db_setting['enabled'] = ['aws_ec2_instance']
    dbconfig.set(NS_AUDITOR_REQUIRED_TAGS, 'audit_scope', DBCJSON(db_setting))
    dbconfig.set(NS_AUDITOR_REQUIRED_TAGS, 'collect_only', False)

    # Add resources
    client = aws_get_client('ec2')
    resource = client.run_instances(ImageId='i-10000', MinCount=1, MaxCount=1)

    # Collect resources
    collect_resources(account=account, resource_types=['ec2'])

    # Initialize auditor
    auditor = MockRequiredTagsAuditor()

    # Test 1 --- Test if auditor respect grace period settings
    cinq_test_service.modify_resource(resource['Instances'][0]['InstanceId'],
                                      'launch_date',
                                      datetime.datetime.utcnow().isoformat())
    auditor.run()
    assert auditor._cinq_test_notices == {}

    # Test 2 --- Test if auditor can pick up non-compliant resources correctly
    ''' Modify resource property'''
    assert cinq_test_service.modify_resource(
        resource['Instances'][0]['InstanceId'], 'launch_date',
        '2000-01-01T00:00:00') is True

    auditor.run()
    notices = auditor._cinq_test_notices

    assert recipient in notices
    assert notices[recipient]['not_fixed'][0][
        'resource'].resource_id == resource['Instances'][0]['InstanceId']

示例#11

文件： test_cinq-auditor-aws-required-tags-s3.py 项目： trinitroglycerin/cloud-inquisitor

def case_2(cinq_test_service, account, recipient):
    """
    Test will pass if:
    1. Auditor can handle non-empty bucket when the "REMOVE" criteria are met
    """

    from io import StringIO
    file_obj = StringIO()
    file_obj.write('Test Text')

    bucket_name = dbconfig.get('test_bucket_name',
                               NS_CINQ_TEST,
                               default='testbucket')

    # Add resources
    client = aws_get_client('s3')
    client.create_bucket(Bucket=bucket_name)
    resource = client.list_buckets()['Buckets'][0]
    client.upload_fileobj(file_obj, bucket_name, 'sample')

    # Collect resources
    collect_resources(account=account, resource_types=['s3'])

    # Initialize auditor
    auditor = MockRequiredTagsAuditor()

    # Setup test case
    cinq_test_service.modify_resource(resource['Name'], 'creation_date',
                                      '2000-01-01T00:00:00')
    auditor.run()
    cinq_test_service.modify_issue(
        auditor._cinq_test_notices[recipient]['not_fixed'][0]['issue'].id,
        'created', 0)
    auditor.run()

    # Verify if the Lifecycle policy is added
    assert client.get_bucket_lifecycle_configuration(
        Bucket=bucket_name)['Rules'][0]['ID'] == 'cloudInquisitor'
    assert client.get_bucket_lifecycle_configuration(
        Bucket=bucket_name)['Rules'][0]['Status'] == 'Enabled'
    assert client.get_bucket_lifecycle_configuration(
        Bucket=bucket_name)['Rules'][0]['Expiration'] == {
            'Days': 1
        }

示例#12

文件： test_cinq_auditor_aws_required_tags_s3.py 项目： egor045/cloud-inquisitor

def test_compliant_bucket(cinq_test_service):
    """
    Test will pass if for an S3 bucket meet the following condition:
        - Is compliant

    The Auditor will:
        - Not mark compliant buckets as non-compliant
    """

    # Prep
    setup_info = setup_test_aws(cinq_test_service)
    account = setup_info['account']

    prep_s3_testing(cinq_test_service)

    # Add resources
    client = aws_get_client('s3')
    bucket_name = dbconfig.get('test_bucket_name', NS_CINQ_TEST, default='testbucket')
    client.create_bucket(Bucket=bucket_name)

    client.put_bucket_tagging(
        Bucket=bucket_name,
        Tagging={'TagSet': VALID_TAGSET}
    )

    # Collect resources
    collect_resources(account=account, resource_types=['s3'])

    # Initialize auditor
    auditor = MockRequiredTagsAuditor()

    # Setup test case
    cinq_test_service.modify_resource(
        bucket_name,
        'creation_date',
        '2000-01-01T00:00:00'
    )
    auditor.run()
    assert auditor._cinq_test_notices == {}

示例#13

def test_audit(cinq_test_service):
    """

    :return:
    """

    # Prep
    recipient = NotificationContact('email',
                                    dbconfig.get('test_email', NS_CINQ_TEST))
    cinq_test_service.start_mocking_services('ec2')
    account = cinq_test_service.add_test_account(
        account_type='AWS',
        account_name=CINQ_TEST_ACCOUNT_NAME,
        contacts=[{
            'type': 'email',
            'value': dbconfig.get('test_email', NS_CINQ_TEST)
        }],
        properties={'account_number': CINQ_TEST_ACCOUNT_NO})

    # Add resources
    client = aws_get_client('ec2')
    resource = client.create_volume(
        AvailabilityZone=client.describe_availability_zones()
        ['AvailabilityZones'][0]['ZoneName'],
        Size=16)

    # Collect resource
    run_aws_collector(account)

    # Start auditor
    auditor = MockEBSAuditor()

    # Test 1 --- Test if the auditor can catch the volume we added
    auditor.run()
    notice = auditor._cinq_test_notices

    assert notice[recipient][0].volume_id.value == resource['VolumeId']

示例#14

def case_1(cinq_test_service, account, recipient):
    """
    Test will pass if:
    1. Auditor can detect non-compliant EC2 instances
    2. Auditor respect grace period settings
    """

    # Add resources
    client = aws_get_client('ec2')
    resource = client.run_instances(ImageId='i-10000', MinCount=1, MaxCount=1)

    # Collect resources
    collect_resources(account=account, resource_types=['ec2'])

    # Initialize auditor
    auditor = MockRequiredTagsAuditor()

    # Test 1 --- Test if auditor respect grace period settings
    cinq_test_service.modify_resource(resource['Instances'][0]['InstanceId'],
                                      'launch_date',
                                      datetime.datetime.utcnow().isoformat())
    auditor.run()
    assert auditor._cinq_test_notices == {}

    # Test 2 --- Test if auditor can pick up non-compliant resources correctly
    ''' Modify resource property'''
    assert cinq_test_service.modify_resource(
        resource['Instances'][0]['InstanceId'], 'launch_date',
        '2000-01-01T00:00:00') is True

    auditor.run()
    notices = auditor._cinq_test_notices

    assert recipient in notices
    assert notices[recipient]['not_fixed'][0][
        'resource'].resource_id == resource['Instances'][0]['InstanceId']

示例#15

def test_volume_ec2_s3(cinq_test_service):
    """

    :return:
    """
    # Prep
    setup_info = setup_test_aws(cinq_test_service)
    recipient = setup_info['recipient']
    account = setup_info['account']

    set_audit_scope('aws_ec2_instance', 'aws_s3_bucket')
    dbconfig.set(NS_AUDITOR_REQUIRED_TAGS, 'collect_only', False)
    cinq_test_service.start_mocking_services('cloudwatch', 'ec2', 's3')

    num_resources = 100
    compliant_buckets = []
    non_compliant_buckets = []
    compliant_ec2 = []
    non_compliant_ec2 = []

    client_s3 = aws_get_client('s3')
    client_ec2 = aws_get_client('ec2')
    regions = get_aws_regions('s3')

    # Workaround for a moto cloudwatch KeyError bug
    regions.remove('eu-west-3')

    # Setup resources
    for i in range(0, num_resources):
        bucket_name = uuid.uuid4().hex
        client_s3.create_bucket(
            Bucket=bucket_name,
            CreateBucketConfiguration={'LocationConstraint': random.choice(regions)}
        )
        compliant_buckets.append(bucket_name) if random.randint(0, 1) else non_compliant_buckets.append(bucket_name)

        resource = client_ec2.run_instances(ImageId='i-{}'.format(i), MinCount=1, MaxCount=1)
        instance_id = resource['Instances'][0]['InstanceId']
        compliant_ec2.append(instance_id) if random.randint(0, 1) else non_compliant_ec2.append(instance_id)

    for instance_id in compliant_ec2:
        client_ec2.create_tags(
            Resources=[instance_id],
            Tags=VALID_TAGSET
        )

    for item in compliant_buckets:
        client_s3.put_bucket_tagging(
            Bucket=item,
            Tagging={'TagSet': VALID_TAGSET}
        )

    # collection
    collect_resources(account=account, resource_types=['ec2', 's3'])

    for item in compliant_buckets + non_compliant_buckets:
        cinq_test_service.modify_resource(
            item,
            'creation_date',
            '2000-01-01T00:00:00'
        )

    for instance_id in compliant_ec2 + non_compliant_ec2:
        cinq_test_service.modify_resource(
            instance_id,
            'launch_date',
            '2000-01-01T00:00:00'
        )

    auditor = MockRequiredTagsAuditor()
    auditor.run()

    compliant_resources = compliant_buckets + compliant_ec2
    non_compliant_resources = non_compliant_buckets + non_compliant_ec2
    for item in auditor._cinq_test_notices[recipient]['not_fixed']:
        assert item['resource'].id not in compliant_resources
        assert item['resource'].id in non_compliant_resources

    assert len(non_compliant_resources) == len(auditor._cinq_test_notices[recipient]['not_fixed'])