Fix all the broken tests. (#1196)

* Some tests require latest github moto.

* Moving moto to end of test requirements.

* Test to see if all the tests pass.

* Updating tests to work with newest (unreleased) moto.

* Some Fixes from PR 1121 for Google SSO.

.travis.yml

@@ -59,7 +59,7 @@ matrix:
         - coverage run -a -m py.test security_monkey/tests/views || exit 1
         - coverage run -a -m py.test security_monkey/tests/interface || exit 1
         - coverage run -a -m py.test security_monkey/tests/utilities || exit 1
-        - coverage run -a -m py.test security_monkey/tests/sso/header_auth.py || exit 1
+        - coverage run -a -m py.test security_monkey/tests/sso || exit 1
         - bandit -r -ll -ii -x security_monkey/tests .
         - pylint -E -d E1101,E0611,F0401 --ignore=service.py,datastore.py,datastore_utils.py,watcher.py,test_celery_scheduler.py security_monkey
         - flake8 . --count --select=E901,E999,F821,F822,F823 --show-source --statistics

security_monkey/sso/views.py

@@ -22,6 +22,13 @@
 except ImportError:
     onelogin_import_success = False
 
+try:
+    from google.oauth2 import service_account
+    from google.auth.transport.requests import Requests as GoogleAuthTransportRequests
+    google_import_success = True
+except ImportError:
+    google_import_success = False
+
 from .service import fetch_token_header_payload, get_rsa_public_key, setup_user
 
 from security_monkey.datastore import User
@@ -309,7 +316,7 @@ def post(self):
         if self._isAuthMethod('directory'):
             if not self.credentials.token:
                 current_app.logger.debug('Attempting refresh credentials to obtain initial access token')
-                self.credentials.refresh(google.auth.transport.requests.Request())
+                self.credentials.refresh(GoogleAuthTransportRequests())
 
             headers = {'Authorization': 'Bearer {0}'.format(self.credentials.token)}
 
@@ -608,11 +615,14 @@ def get(self):
 
         return active_providers
 
+
 api.add_resource(AzureAD, '/auth/aad', endpoint='aad')
 api.add_resource(Ping, '/auth/ping', endpoint='ping')
-api.add_resource(Google, '/auth/google', endpoint='google')
 api.add_resource(Okta, '/auth/okta', endpoint='okta')
 api.add_resource(Providers, '/auth/providers', endpoint='providers')
 
+if google_import_success:
+    api.add_resource(Google, '/auth/google', endpoint='google')
+
 if onelogin_import_success:
     api.add_resource(OneLogin, '/auth/onelogin', endpoint='onelogin')

security_monkey/tests/scheduling/test_celery_scheduler.py

@@ -41,6 +41,16 @@
     ]
 }
 
+EC2_POLICY = {
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "ec2:*",
+            "Resource": "*"
+        }
+    ]
+}
+
 ROLE_CONF = {
     "account_number": "012345678910",
     "technology": "iamrole",
@@ -85,6 +95,8 @@ def pre_test_setup(self):
         db.session.commit()
 
     @patch("security_monkey.task_scheduler.tasks.fix_orphaned_deletions")
+    @mock_sts
+    @mock_iam
     def test_find_batch_changes(self, mock_fix_orphaned):
         """
         Runs through a full find job via the IAMRole watcher, as that supports batching.
@@ -106,7 +118,26 @@ def test_find_batch_changes(self, mock_fix_orphaned):
 
         watcher.batched_size = 3  # should loop 4 times
 
-        self.add_roles()
+        ## CREATE MOCK IAM ROLES ## 
+        client = boto3.client("iam")
+        aspd = {
+            "Statement": [
+                {
+                    "Effect": "Allow",
+                    "Action": "sts:AssumeRole",
+                    "Principal": {
+                        "Service": "ec2.amazonaws.com"
+                    }
+                }
+            ]
+        }
+        for x in range(0, 11):
+            # Create the IAM Role via Moto:
+            aspd["Statement"][0]["Resource"] = ARN_PREFIX + ":iam:012345678910:role/roleNumber{}".format(x)
+            client.create_role(Path="/", RoleName="roleNumber{}".format(x),
+                               AssumeRolePolicyDocument=json.dumps(aspd, indent=4))
+            client.put_role_policy(RoleName="roleNumber{}".format(x), PolicyName="testpolicy",
+                                   PolicyDocument=json.dumps(OPEN_POLICY, indent=4))
 
         # Set up the monitor:
         batched_monitor = Monitor(IAMRole, test_account)
@@ -154,11 +185,9 @@ def mock_slurp():
         # Check that there are audit issues for all 11 items:
         assert len(ItemAudit.query.all()) == 11
 
-        # Delete one of the items:
-        # Moto lacks implementation for "delete_role" (and I'm too lazy to submit a PR :D) -- so need to create again...
-        mock_iam().stop()
-        mock_sts().stop()
-        self.add_roles(initial=False)
+        # Delete two of the items:
+        client.delete_role(RoleName="roleNumber9")
+        client.delete_role(RoleName="roleNumber10")
 
         # Run the it again:
         watcher.current_account = None  # Need to reset the watcher
@@ -200,9 +229,6 @@ def mock_slurp_list_with_exception():
         security_monkey.task_scheduler.tasks.get_monitors = old_get_monitors
         security_monkey.watchers.iam.iam_role.list_roles = old_list_roles
 
-        mock_iam().stop()
-        mock_sts().stop()
-
     def test_audit_specific_changes(self):
         from security_monkey.task_scheduler.tasks import _audit_specific_changes
         from security_monkey.monitors import Monitor

security_monkey/tests/watchers/ec2/test_ebs_snapshot.py

@@ -25,13 +25,15 @@
 from security_monkey import AWS_DEFAULT_REGION
 
 import boto
-from moto import mock_sts, mock_ec2
+from moto import mock_sts_deprecated, mock_sts, mock_ec2_deprecated, mock_ec2
 from freezegun import freeze_time
 
 
 class EBSSnapshotWatcherTestCase(SecurityMonkeyWatcherTestCase):
 
     @freeze_time("2016-07-18 12:00:00")
+    @mock_sts_deprecated
+    @mock_ec2_deprecated
     @mock_sts
     @mock_ec2
     def test_slurp(self):
@@ -42,7 +44,5 @@ def test_slurp(self):
         watcher = EBSSnapshot(accounts=[self.account.name])
         item_list, exception_map = watcher.slurp()
 
-        self.assertIs(
-            expr1=len(item_list),
-            expr2=1,
-            msg="Watcher should have 1 item but has {}".format(len(item_list)))
+        descriptions = {snapshot.config['description'] for snapshot in item_list}
+        self.assertIn('My snapshot', descriptions)

security_monkey/tests/watchers/ec2/test_ebs_volume.py

@@ -25,13 +25,15 @@
 from security_monkey import AWS_DEFAULT_REGION
 
 import boto
-from moto import mock_sts, mock_ec2
+from moto import mock_sts_deprecated, mock_sts, mock_ec2_deprecated, mock_ec2
 from freezegun import freeze_time
 
 
 class EBSVolumeWatcherTestCase(SecurityMonkeyWatcherTestCase):
 
     @freeze_time("2016-07-18 12:00:00")
+    @mock_sts_deprecated
+    @mock_ec2_deprecated
     @mock_sts
     @mock_ec2
     def test_slurp(self):

security_monkey/tests/watchers/rds/test_rds_db_instance.py

@@ -25,15 +25,15 @@
 from security_monkey import AWS_DEFAULT_REGION
 
 import boto
-from moto import mock_sts, mock_rds
+from moto import mock_sts, mock_rds_deprecated
 from freezegun import freeze_time
 
 
 class RDSDBInstanceWatcherTestCase(SecurityMonkeyWatcherTestCase):
 
     @freeze_time("2016-07-18 12:00:00")
     @mock_sts
-    @mock_rds
+    @mock_rds_deprecated
     def test_slurp(self):
         conn = boto.rds.connect_to_region(AWS_DEFAULT_REGION)
         conn.create_dbinstance(

security_monkey/tests/watchers/rds/test_rds_security_group.py

@@ -25,15 +25,15 @@
 from security_monkey import AWS_DEFAULT_REGION
 
 import boto
-from moto import mock_sts, mock_rds
+from moto import mock_sts, mock_rds_deprecated
 from freezegun import freeze_time
 
 
 class RDSecurityGroupWatcherTestCase(SecurityMonkeyWatcherTestCase):
 
     @freeze_time("2016-07-18 12:00:00")
     @mock_sts
-    @mock_rds
+    @mock_rds_deprecated
     def test_slurp(self):
         conn = boto.rds.connect_to_region(AWS_DEFAULT_REGION)
         conn.create_dbsecurity_group('db_sg1', 'DB Security Group')

security_monkey/tests/watchers/rds/test_rds_subnet_group.py

@@ -25,16 +25,16 @@
 from security_monkey import AWS_DEFAULT_REGION
 
 import boto
-from moto import mock_sts, mock_rds, mock_ec2
+from moto import mock_sts, mock_rds_deprecated, mock_ec2_deprecated
 from freezegun import freeze_time
 
 
 class RDSSubnetGroupWatcherTestCase(SecurityMonkeyWatcherTestCase):
 
     @freeze_time("2016-07-18 12:00:00")
     @mock_sts
-    @mock_rds
-    @mock_ec2
+    @mock_rds_deprecated
+    @mock_ec2_deprecated
     def test_slurp(self):
         vpc_conn = boto.connect_vpc(AWS_DEFAULT_REGION)
         vpc = vpc_conn.create_vpc("10.0.0.0/16")

security_monkey/tests/watchers/test_route53.py

@@ -24,15 +24,15 @@
 from security_monkey.watchers.route53 import Route53
 
 import boto
-from moto import mock_sts, mock_route53
+from moto import mock_sts, mock_route53_deprecated
 from freezegun import freeze_time
 
 
 class Route53WatcherTestCase(SecurityMonkeyWatcherTestCase):
 
     @freeze_time("2016-07-18 12:00:00")
     @mock_sts
-    @mock_route53
+    @mock_route53_deprecated
     def test_slurp(self):
         conn = boto.connect_route53('the_key', 'the_secret')
         zone = conn.create_hosted_zone("testdns.aws.com")

security_monkey/tests/watchers/test_s3.py

@@ -54,20 +54,18 @@ def pre_test_setup(self):
         client.create_bucket(Bucket="someotherbucket")
         client.create_bucket(Bucket="someotherbucket2")
 
-    def test_watcher_exceptions(self):
+    def test_slurp(self):
         """
-        Tests that if exceptions are encountered, the watcher continues.
+        Tests whether the watcher finds the three created buckets.
 
-        Unfortunately -- moto lacks all of the S3 methods that we need. So this is just a
-        test to ensure that exception handling works OK.
         :return:
         """
         mock_sts().start()
 
         s3_watcher = S3(accounts=[self.account.name])
-        s3_watcher.slurp()
+        item_list, exception_map = s3_watcher.slurp()
 
-        assert len(ExceptionLogs.query.all()) == 3  # We created 3 buckets
+        assert len(item_list) == 3  # We created 3 buckets
 
         mock_s3().stop()
         mock_sts().stop()

security_monkey/tests/watchers/vpc/test_networkacl.py

@@ -24,23 +24,21 @@
 from security_monkey.watchers.vpc.networkacl import NetworkACL
 
 import boto
-from moto import mock_sts, mock_ec2
+from moto import mock_sts, mock_ec2_deprecated
 from freezegun import freeze_time
 
 
 class NetworkACLWatcherTestCase(SecurityMonkeyWatcherTestCase):
 
     @freeze_time("2016-07-18 12:00:00")
     @mock_sts
-    @mock_ec2
+    @mock_ec2_deprecated
     def test_slurp(self):
         conn = boto.connect_vpc('the_key', 'the secret')
-        conn.create_vpc("10.0.0.0/16")
+        vpc = conn.create_vpc("10.0.0.0/16")
 
         watcher = NetworkACL(accounts=[self.account.name])
         item_list, exception_map = watcher.slurp()
 
-        self.assertIs(
-            expr1=len(item_list),
-            expr2=1,
-            msg="Watcher should have 1 item but has {}".format(len(item_list)))
+        vpc_ids = {nacl.config['vpc_id'] for nacl in item_list}
+        self.assertIn(vpc.id, vpc_ids)

security_monkey/tests/watchers/vpc/test_peering.py

@@ -24,15 +24,15 @@
 from security_monkey.watchers.vpc.peering import Peering
 
 import boto
-from moto import mock_sts, mock_ec2
+from moto import mock_sts, mock_ec2_deprecated
 from freezegun import freeze_time
 
 
 class PeeringWatcherTestCase(SecurityMonkeyWatcherTestCase):
 
     @freeze_time("2016-07-18 12:00:00")
     @mock_sts
-    @mock_ec2
+    @mock_ec2_deprecated
     def test_slurp(self):
         conn = boto.connect_vpc('the_key', 'the secret')
         vpc = conn.create_vpc("10.0.0.0/16")