From 1bb0897bd318a5eb80591db2f7bae056a65b2072 Mon Sep 17 00:00:00 2001 From: Max Anderson Date: Fri, 21 Feb 2020 14:17:00 -0800 Subject: [PATCH] Initial commit --- .github/workflows/pythonpublish.yml | 27 ++ .gitignore | 132 +++++++ LICENSE | 373 ++++++++++++++++++++ README.md | 32 ++ reflex_core/__init__.py | 2 + reflex_core/aws_rule.py | 210 +++++++++++ reflex_core/notifiers/__init__.py | 3 + reflex_core/notifiers/notifier.py | 8 + reflex_core/notifiers/sns_notifier.py | 22 ++ reflex_core/requirements.txt | 1 + setup.py | 24 ++ tests/__init__.py | 0 tests/test_aws_rule.py | 490 ++++++++++++++++++++++++++ 13 files changed, 1324 insertions(+) create mode 100644 .github/workflows/pythonpublish.yml create mode 100644 .gitignore create mode 100644 LICENSE create mode 100644 README.md create mode 100644 reflex_core/__init__.py create mode 100644 reflex_core/aws_rule.py create mode 100644 reflex_core/notifiers/__init__.py create mode 100644 reflex_core/notifiers/notifier.py create mode 100644 reflex_core/notifiers/sns_notifier.py create mode 100644 reflex_core/requirements.txt create mode 100644 setup.py create mode 100644 tests/__init__.py create mode 100644 tests/test_aws_rule.py diff --git a/.github/workflows/pythonpublish.yml b/.github/workflows/pythonpublish.yml new file mode 100644 index 0000000..3991e0a --- /dev/null +++ b/.github/workflows/pythonpublish.yml @@ -0,0 +1,27 @@ +name: Upload Python Package + +on: + release: + types: [created] + +jobs: + deploy: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - name: Set up Python + uses: actions/setup-python@v1 + with: + python-version: '3.x' + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install setuptools wheel twine + - name: Build and publish + env: + TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }} + TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }} + run: | + export VERSION=${GITHUB_REF/refs\/tags\//} + python setup.py sdist bdist_wheel + twine upload dist/* 
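Review bot: The `uses: actions/checkout@v1` and `uses: actions/setup-python@v1` steps reference third-party actions by a mutable tag, so the publish job, which holds the PyPI credentials in TWINE_USERNAME/TWINE_PASSWORD, runs whatever code those tags point to at the time of the release. Pinning each action to a full commit SHA (e.g. `uses: actions/checkout@<full-commit-sha>  # v1`) and adding a top-level `permissions: contents: read` block limits what a retagged or compromised action can do with the job's token. The `python setup.py sdist bdist_wheel` invocation is also deprecated in favour of `python -m build`, which would need `build` added to the install step.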
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..04e8791 --- /dev/null +++ b/.gitignore 
@@ -0,0 +1,132 @@ +# IDEs +.vscode + +# Byte-compiled / optimized / DLL files +__pycache__/ +*.py[cod] +*$py.class + +# C extensions +*.so + +# Distribution / packaging +.Python +build/ +develop-eggs/ +dist/ +downloads/ +eggs/ +.eggs/ +lib/ +lib64/ +parts/ +sdist/ +var/ +wheels/ +pip-wheel-metadata/ +share/python-wheels/ +*.egg-info/ +.installed.cfg +*.egg +MANIFEST + +# PyInstaller +# Usually these files are written by a python script from a template +# before PyInstaller builds the exe, so as to inject date/other infos into it. +*.manifest +*.spec + +# Installer logs +pip-log.txt +pip-delete-this-directory.txt + +# Unit test / coverage reports +htmlcov/ +.tox/ +.nox/ +.coverage +.coverage.* +.cache +nosetests.xml +coverage.xml +*.cover +*.py,cover +.hypothesis/ +.pytest_cache/ + +# Translations +*.mo +*.pot + +# Django stuff: +*.log +local_settings.py +db.sqlite3 +db.sqlite3-journal + +# Flask stuff: +instance/ +.webassets-cache + +# Scrapy stuff: +.scrapy + +# Sphinx documentation +docs/_build/ + +# PyBuilder +target/ + +# Jupyter Notebook +.ipynb_checkpoints + +# IPython +profile_default/ +ipython_config.py + +# pyenv +.python-version + +# pipenv +# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. +# However, in case of collaboration, if having platform-specific dependencies or dependencies +# having no cross-platform support, pipenv may install dependencies that don't work, or not +# install all needed dependencies. +#Pipfile.lock + +# PEP 582; used by e.g. github.com/David-OConnor/pyflow +__pypackages__/ + +# Celery stuff +celerybeat-schedule +celerybeat.pid + +# SageMath parsed files +*.sage.py + +# Environments +.env +.venv +env/ +venv/ +ENV/ +env.bak/ +venv.bak/ + +# Spyder project settings +.spyderproject +.spyproject + +# Rope project settings +.ropeproject + +# mkdocs documentation +/site + +# mypy +.mypy_cache/ +.dmypy.json +dmypy.json + +# Pyre type checker +.pyre/ 
diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..a612ad9 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,373 @@ +Mozilla Public License Version 2.0 +================================== + +1. Definitions +-------------- + +1.1. "Contributor" + means each individual or legal entity that creates, contributes to + the creation of, or owns Covered Software. + +1.2. "Contributor Version" + means the combination of the Contributions of others (if any) used + by a Contributor and that particular Contributor's Contribution. + +1.3. "Contribution" + means Covered Software of a particular Contributor. + +1.4. "Covered Software" + means Source Code Form to which the initial Contributor has attached + the notice in Exhibit A, the Executable Form of such Source Code + Form, and Modifications of such Source Code Form, in each case + including portions thereof. + +1.5. "Incompatible With Secondary Licenses" + means + + (a) that the initial Contributor has attached the notice described + in Exhibit B to the Covered Software; or + + (b) that the Covered Software was made available under the terms of + version 1.1 or earlier of the License, but not also under the + terms of a Secondary License. + +1.6. "Executable Form" + means any form of the work other than Source Code Form. + +1.7. "Larger Work" + means a work that combines Covered Software with other material, in + a separate file or files, that is not Covered Software. + +1.8. "License" + means this document. + +1.9. "Licensable" + means having the right to grant, to the maximum extent possible, + whether at the time of the initial grant or subsequently, any and + all of the rights conveyed by this License. + +1.10. "Modifications" + means any of the following: + + (a) any file in Source Code Form that results from an addition to, + deletion from, or modification of the contents of Covered + Software; or + + (b) any new file in Source Code Form that contains any Covered + Software. + +1.11. 
"Patent Claims" of a Contributor + means any patent claim(s), including without limitation, method, + process, and apparatus claims, in any patent Licensable by such + Contributor that would be infringed, but for the grant of the + License, by the making, using, selling, offering for sale, having + made, import, or transfer of either its Contributions or its + Contributor Version. + +1.12. "Secondary License" + means either the GNU General Public License, Version 2.0, the GNU + Lesser General Public License, Version 2.1, the GNU Affero General + Public License, Version 3.0, or any later versions of those + licenses. + +1.13. "Source Code Form" + means the form of the work preferred for making modifications. + +1.14. "You" (or "Your") + means an individual or a legal entity exercising rights under this + License. For legal entities, "You" includes any entity that + controls, is controlled by, or is under common control with You. For + purposes of this definition, "control" means (a) the power, direct + or indirect, to cause the direction or management of such entity, + whether by contract or otherwise, or (b) ownership of more than + fifty percent (50%) of the outstanding shares or beneficial + ownership of such entity. + +2. License Grants and Conditions +-------------------------------- + +2.1. Grants + +Each Contributor hereby grants You a world-wide, royalty-free, +non-exclusive license: + +(a) under intellectual property rights (other than patent or trademark) + Licensable by such Contributor to use, reproduce, make available, + modify, display, perform, distribute, and otherwise exploit its + Contributions, either on an unmodified basis, with Modifications, or + as part of a Larger Work; and + +(b) under Patent Claims of such Contributor to make, use, sell, offer + for sale, have made, import, and otherwise transfer either its + Contributions or its Contributor Version. + +2.2. 
Effective Date + +The licenses granted in Section 2.1 with respect to any Contribution +become effective for each Contribution on the date the Contributor first +distributes such Contribution. + +2.3. Limitations on Grant Scope + +The licenses granted in this Section 2 are the only rights granted under +this License. No additional rights or licenses will be implied from the +distribution or licensing of Covered Software under this License. +Notwithstanding Section 2.1(b) above, no patent license is granted by a +Contributor: + +(a) for any code that a Contributor has removed from Covered Software; + or + +(b) for infringements caused by: (i) Your and any other third party's + modifications of Covered Software, or (ii) the combination of its + Contributions with other software (except as part of its Contributor + Version); or + +(c) under Patent Claims infringed by Covered Software in the absence of + its Contributions. + +This License does not grant any rights in the trademarks, service marks, +or logos of any Contributor (except as may be necessary to comply with +the notice requirements in Section 3.4). + +2.4. Subsequent Licenses + +No Contributor makes additional grants as a result of Your choice to +distribute the Covered Software under a subsequent version of this +License (see Section 10.2) or under the terms of a Secondary License (if +permitted under the terms of Section 3.3). + +2.5. Representation + +Each Contributor represents that the Contributor believes its +Contributions are its original creation(s) or it has sufficient rights +to grant the rights to its Contributions conveyed by this License. + +2.6. Fair Use + +This License is not intended to limit any rights You have under +applicable copyright doctrines of fair use, fair dealing, or other +equivalents. + +2.7. Conditions + +Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted +in Section 2.1. + +3. Responsibilities +------------------- + +3.1. 
Distribution of Source Form + +All distribution of Covered Software in Source Code Form, including any +Modifications that You create or to which You contribute, must be under +the terms of this License. You must inform recipients that the Source +Code Form of the Covered Software is governed by the terms of this +License, and how they can obtain a copy of this License. You may not +attempt to alter or restrict the recipients' rights in the Source Code +Form. + +3.2. Distribution of Executable Form + +If You distribute Covered Software in Executable Form then: + +(a) such Covered Software must also be made available in Source Code + Form, as described in Section 3.1, and You must inform recipients of + the Executable Form how they can obtain a copy of such Source Code + Form by reasonable means in a timely manner, at a charge no more + than the cost of distribution to the recipient; and + +(b) You may distribute such Executable Form under the terms of this + License, or sublicense it under different terms, provided that the + license for the Executable Form does not attempt to limit or alter + the recipients' rights in the Source Code Form under this License. + +3.3. Distribution of a Larger Work + +You may create and distribute a Larger Work under terms of Your choice, +provided that You also comply with the requirements of this License for +the Covered Software. If the Larger Work is a combination of Covered +Software with a work governed by one or more Secondary Licenses, and the +Covered Software is not Incompatible With Secondary Licenses, this +License permits You to additionally distribute such Covered Software +under the terms of such Secondary License(s), so that the recipient of +the Larger Work may, at their option, further distribute the Covered +Software under the terms of either this License or such Secondary +License(s). + +3.4. 
Notices + +You may not remove or alter the substance of any license notices +(including copyright notices, patent notices, disclaimers of warranty, +or limitations of liability) contained within the Source Code Form of +the Covered Software, except that You may alter any license notices to +the extent required to remedy known factual inaccuracies. + +3.5. Application of Additional Terms + +You may choose to offer, and to charge a fee for, warranty, support, +indemnity or liability obligations to one or more recipients of Covered +Software. However, You may do so only on Your own behalf, and not on +behalf of any Contributor. You must make it absolutely clear that any +such warranty, support, indemnity, or liability obligation is offered by +You alone, and You hereby agree to indemnify every Contributor for any +liability incurred by such Contributor as a result of warranty, support, +indemnity or liability terms You offer. You may include additional +disclaimers of warranty and limitations of liability specific to any +jurisdiction. + +4. Inability to Comply Due to Statute or Regulation +--------------------------------------------------- + +If it is impossible for You to comply with any of the terms of this +License with respect to some or all of the Covered Software due to +statute, judicial order, or regulation then You must: (a) comply with +the terms of this License to the maximum extent possible; and (b) +describe the limitations and the code they affect. Such description must +be placed in a text file included with all distributions of the Covered +Software under this License. Except to the extent prohibited by statute +or regulation, such description must be sufficiently detailed for a +recipient of ordinary skill to be able to understand it. + +5. Termination +-------------- + +5.1. The rights granted under this License will terminate automatically +if You fail to comply with any of its terms. 
However, if You become +compliant, then the rights granted under this License from a particular +Contributor are reinstated (a) provisionally, unless and until such +Contributor explicitly and finally terminates Your grants, and (b) on an +ongoing basis, if such Contributor fails to notify You of the +non-compliance by some reasonable means prior to 60 days after You have +come back into compliance. Moreover, Your grants from a particular +Contributor are reinstated on an ongoing basis if such Contributor +notifies You of the non-compliance by some reasonable means, this is the +first time You have received notice of non-compliance with this License +from such Contributor, and You become compliant prior to 30 days after +Your receipt of the notice. + +5.2. If You initiate litigation against any entity by asserting a patent +infringement claim (excluding declaratory judgment actions, +counter-claims, and cross-claims) alleging that a Contributor Version +directly or indirectly infringes any patent, then the rights granted to +You by any and all Contributors for the Covered Software under Section +2.1 of this License shall terminate. + +5.3. In the event of termination under Sections 5.1 or 5.2 above, all +end user license agreements (excluding distributors and resellers) which +have been validly granted by You or Your distributors under this License +prior to termination shall survive termination. + +************************************************************************ +* * +* 6. Disclaimer of Warranty * +* ------------------------- * +* * +* Covered Software is provided under this License on an "as is" * +* basis, without warranty of any kind, either expressed, implied, or * +* statutory, including, without limitation, warranties that the * +* Covered Software is free of defects, merchantable, fit for a * +* particular purpose or non-infringing. The entire risk as to the * +* quality and performance of the Covered Software is with You. 
* +* Should any Covered Software prove defective in any respect, You * +* (not any Contributor) assume the cost of any necessary servicing, * +* repair, or correction. This disclaimer of warranty constitutes an * +* essential part of this License. No use of any Covered Software is * +* authorized under this License except under this disclaimer. * +* * +************************************************************************ + +************************************************************************ +* * +* 7. Limitation of Liability * +* -------------------------- * +* * +* Under no circumstances and under no legal theory, whether tort * +* (including negligence), contract, or otherwise, shall any * +* Contributor, or anyone who distributes Covered Software as * +* permitted above, be liable to You for any direct, indirect, * +* special, incidental, or consequential damages of any character * +* including, without limitation, damages for lost profits, loss of * +* goodwill, work stoppage, computer failure or malfunction, or any * +* and all other commercial damages or losses, even if such party * +* shall have been informed of the possibility of such damages. This * +* limitation of liability shall not apply to liability for death or * +* personal injury resulting from such party's negligence to the * +* extent applicable law prohibits such limitation. Some * +* jurisdictions do not allow the exclusion or limitation of * +* incidental or consequential damages, so this exclusion and * +* limitation may not apply to You. * +* * +************************************************************************ + +8. Litigation +------------- + +Any litigation relating to this License may be brought only in the +courts of a jurisdiction where the defendant maintains its principal +place of business and such litigation shall be governed by laws of that +jurisdiction, without reference to its conflict-of-law provisions. 
+Nothing in this Section shall prevent a party's ability to bring +cross-claims or counter-claims. + +9. Miscellaneous +---------------- + +This License represents the complete agreement concerning the subject +matter hereof. If any provision of this License is held to be +unenforceable, such provision shall be reformed only to the extent +necessary to make it enforceable. Any law or regulation which provides +that the language of a contract shall be construed against the drafter +shall not be used to construe this License against a Contributor. + +10. Versions of the License +--------------------------- + +10.1. New Versions + +Mozilla Foundation is the license steward. Except as provided in Section +10.3, no one other than the license steward has the right to modify or +publish new versions of this License. Each version will be given a +distinguishing version number. + +10.2. Effect of New Versions + +You may distribute the Covered Software under the terms of the version +of the License under which You originally received the Covered Software, +or under the terms of any subsequent version published by the license +steward. + +10.3. Modified Versions + +If you create software not governed by this License, and you want to +create a new license for such software, you may create and use a +modified version of this License if you rename the license and remove +any references to the name of the license steward (except to note that +such modified license differs from this License). + +10.4. Distributing Source Code Form that is Incompatible With Secondary +Licenses + +If You choose to distribute Source Code Form that is Incompatible With +Secondary Licenses under the terms of this version of the License, the +notice described in Exhibit B of this License must be attached. + +Exhibit A - Source Code Form License Notice +------------------------------------------- + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. 
If a copy of the MPL was not distributed with this + file, You can obtain one at http://mozilla.org/MPL/2.0/. + +If it is not possible or desirable to put the notice in a particular +file, then You may include the notice in a location (such as a LICENSE +file in a relevant directory) where a recipient would be likely to look +for such a notice. + +You may add additional accurate notices of copyright ownership. + +Exhibit B - "Incompatible With Secondary Licenses" Notice +--------------------------------------------------------- + + This Source Code Form is "Incompatible With Secondary Licenses", as + defined by the Mozilla Public License, v. 2.0. diff --git a/README.md b/README.md new file mode 100644 index 0000000..12eaa4a --- /dev/null +++ b/README.md 
@@ -0,0 +1,32 @@ +# reflex-core +Package for the core Reflex classes. You can use these classes to easily create Reflex rules to secure your cloud environment (currently only supports AWS). + +You'll also want to familiarize yourself with the other parts of Reflex: +- [reflex-cli](https://www.github.com/cloudmitigator/reflex-cli), a CLI for creating and managing your Reflex rules and environment. +- [reflex-engine](https://www.github.com/cloudmitigator/reflex-engine), Terraform modules for deploying required Reflex rule infrastructure. + +## Installation +You can install `reflex-core` using `pip`. + +`pip install reflex-core` + +## Usage +To utilize `reflex-core`, simply import the rule class you want to utilize and implement the required methods. + +``` +from reflex_core import AWSRule + +class MyRule(AWSRule): + def extract_event_data(event): + # Logic for extracting required event info + + def resource_compliant(): + # Logic for determining if the resource configuration is compliant + + # etc +``` + +For examples, browse provided rules on [CloudMitigator's GitHub](https://www.github.com/cloudmitigator/). + +## License +Reflex is made available under the MPL 2.0 license. For more information view the [LICENSE](https://github.com/cloudmitigator/reflex-core/blob/master/LICENSE) diff --git a/reflex_core/__init__.py b/reflex_core/__init__.py new file mode 100644 index 0000000..ad17fa5 --- /dev/null +++ b/reflex_core/__init__.py @@ -0,0 +1,2 @@ +from reflex_core.aws_rule import AWSRule + diff --git a/reflex_core/aws_rule.py b/reflex_core/aws_rule.py new file mode 100644 index 0000000..40d946f --- /dev/null +++ b/reflex_core/aws_rule.py 
@@ -0,0 +1,210 @@ +""" Module for the AWSRule class """ +import logging + +from reflex_core.notifiers import Notifier +from reflex_core.notifiers import SNSNotifier + + +class AWSRule: + """ Generic class for AWS compliance rules """ + + LOGGER = logging.getLogger(__name__) + + def __init__(self, event): + """ Initialize the rule object """ + self.extract_event_data(event) + self.pre_remediation_functions = [] + self.post_remediation_functions = [] + self.notifiers = [] + + self.add_post_remediation_functions(self.notify) + self.add_notifiers(SNSNotifier) + + def extract_event_data(self, event): + """ Extracts data from the event """ + raise NotImplementedError("extract_event_data not implemented") + + def run_compliance_rule(self): + """ Runs all steps of the compliance rule """ + if not self.resource_compliant(): + self.pre_remediation() + self.remediate() + self.post_remediation() + + def resource_compliant(self): + """ Returns True if the resource is compliant, False otherwise """ + raise NotImplementedError("resource_compliant not implemented") + + def remediate(self): + """ Fixes the configuration of the non-compliant resource """ + raise NotImplementedError("remediate not implemented") + + def pre_remediation(self): + """ Any steps to take before remediating the resource """ + for pre_remediation_function in self.pre_remediation_functions: + pre_remediation_function() + + def post_remediation(self): + """ Any steps to take after remediating the resource """ + for post_remediation_function in self.post_remediation_functions: + post_remediation_function() + + def get_remediation_message(self): + """ Provides a message about the remediation to be sent in notifications """ + raise NotImplementedError("get_remediation_message not implemented") + + def add_pre_remediation_functions(self, functions): + """ + Sets a function or list of functions to be run before remediation action occurs. 
+ + If anything other than a function is present in the list, it will be ignored. + If something other than a function or list is passed, it will be ignored. + """ + if isinstance(functions, list): + for function in functions: + if callable(function): + self.pre_remediation_functions.append(function) + else: + self.LOGGER.warning( + "%s is not a function. Not adding to list of pre-remediation functions.", + function, + ) + elif callable(functions): + self.pre_remediation_functions.append(functions) + else: + self.LOGGER.warning( + "%s is not a function or list. Not adding to list of pre-remediation functions.", + functions, + ) + + def remove_pre_remediation_functions(self, functions): + """ + Stop a function or list of functions from being run pre-remediation. + + Takes a function or list of functions and removes them from the list + of pre-remediation functions. Anything not in the list will be ignored. + """ + if isinstance(functions, list): + for function in functions: + try: + self.pre_remediation_functions.remove(function) + except ValueError: + self.LOGGER.warning( + "%s is not in the list of pre-remediation functions. Skipping", + function, + ) + else: + try: + self.pre_remediation_functions.remove(functions) + except ValueError: + self.LOGGER.warning( + "%s is not in the list of pre-remediation functions. Skipping", + functions, + ) + + def add_post_remediation_functions(self, functions): + """ + Sets a function or list of functions to be run after remediation action occurs. + + If anything other than a function is present in the list, it will be ignored. + If something other than a function or list is passed, it will be ignored. + """ + if isinstance(functions, list): + for function in functions: + if callable(function): + self.post_remediation_functions.append(function) + else: + self.LOGGER.warning( + "%s is not a function. 
Not adding to list of post-remediation functions.", + function, + ) + elif callable(functions): + self.post_remediation_functions.append(functions) + else: + self.LOGGER.warning( + "%s is not a function or list. Not adding to list of post-remediation functions.", + functions, + ) + + def remove_post_remediation_functions(self, functions): + """ + Stop a function or list of functions from being run post-remediation. + + Takes a function or list of functions and removes them from the list + of post-remediation functions. Anything not in the list will be ignored. + """ + if isinstance(functions, list): + for function in functions: + try: + self.post_remediation_functions.remove(function) + except ValueError: + self.LOGGER.warning( + "%s is not in the list of post-remediation functions. Skipping", + function, + ) + else: + try: + self.post_remediation_functions.remove(functions) + except ValueError: + self.LOGGER.warning( + "%s is not in the list of post-remediation functions. Skipping", + functions, + ) + + def add_notifiers(self, notifiers): + """ + Sets a Notifier or list of Notifiers to send remediation notifications with. + + If anything other than a Notifier is present in the list, it will be ignored. + If something other than a Notifier or list is passed, it will be ignored. + """ + if isinstance(notifiers, list): + for notifier in notifiers: + if issubclass(notifier, Notifier): + self.notifiers.append(notifier) + else: + self.LOGGER.warning( + "%s is not a Notifier. Not adding to list of Notifiers.", + notifier, + ) + elif issubclass(notifiers, Notifier): + self.notifiers.append(notifiers) + else: + self.LOGGER.warning( + "%s is not a Notifier or list. Not adding to list of Notifiers.", + notifiers, + ) + + def remove_notifiers(self, notifiers): + """ + Stop a Notifier or list of Notifiers from sending remediation notifications. + + Takes a Notifier or list of Notifiers and stops them from sending + remediation notifications. 
Anything not currently configured to send + notifictions will be ignored. + """ + if isinstance(notifiers, list): + for notifier in notifiers: + try: + self.notifiers.remove(notifier) + except ValueError: + self.LOGGER.warning( + "%s is not in the list of Notifiers. Skipping", notifier + ) + else: + try: + self.notifiers.remove(notifiers) + except ValueError: + self.LOGGER.warning( + "%s is not in the list of Notifiers. Skipping", notifiers + ) + + def notify(self): + """ Send notification messages with all Notifiers """ + for notifier in self.notifiers: + try: + notifier().notify(self.get_remediation_message()) + except Exception as exp: # pylint: disable=broad-except + self.LOGGER.error( + "An error occurred while trying to send a notification: %s", exp + ) diff --git a/reflex_core/notifiers/__init__.py b/reflex_core/notifiers/__init__.py new file mode 100644 index 0000000..30ec934 --- /dev/null +++ b/reflex_core/notifiers/__init__.py @@ -0,0 +1,3 @@ +""" Reflex-core Notifiers """ +from .notifier import Notifier +from .sns_notifier import SNSNotifier diff --git a/reflex_core/notifiers/notifier.py b/reflex_core/notifiers/notifier.py new file mode 100644 index 0000000..84998c6 --- /dev/null +++ b/reflex_core/notifiers/notifier.py @@ -0,0 +1,8 @@ +""" Generic Notifier class """ + +class Notifier(): + """ The Notifier base class """ + + def notify(self, message): + """ Send a notification """ + NotImplementedError("notify is not implemented.") diff --git a/reflex_core/notifiers/sns_notifier.py b/reflex_core/notifiers/sns_notifier.py new file mode 100644 index 0000000..673e129 --- /dev/null +++ b/reflex_core/notifiers/sns_notifier.py 
@@ -0,0 +1,22 @@ +""" SNSNotifier class """ +import os + +import boto3 + +from reflex_core.notifiers import Notifier + + +class SNSNotifier(Notifier): + """ SNS (Simple Notification Service) Notifier """ + + CLIENT = boto3.client("sns") + + def notify(self, message): + """ Sends a notification message via SNS. """ + sns_topic = self.get_sns_topic() + + self.CLIENT.publish(TopicArn=sns_topic, Message=message) + + def get_sns_topic(self): + """ Get the SNS topic to notify. """ + return os.environ["SNS_TOPIC"] diff --git a/reflex_core/requirements.txt b/reflex_core/requirements.txt new file mode 100644 index 0000000..30ddf82 --- /dev/null +++ b/reflex_core/requirements.txt @@ -0,0 +1 @@ +boto3 diff --git a/setup.py b/setup.py new file mode 100644 index 0000000..d4bd7e4 --- /dev/null +++ b/setup.py @@ -0,0 +1,24 @@ +import setuptools +import os + +with open("README.md", "r") as fh: + long_description = fh.read() + +setuptools.setup( + name="reflex-core", + version=f"{os.environ['VERSION']}", + author="Cloud Mitigator", + author_email="cloudmitigator@gmail.com", + description="Package for providing core Reflex rule classes", + long_description=long_description, + long_description_content_type="text/markdown", + url="https://github.com/pangolock/reflex-core", + packages=setuptools.find_packages(), + install_requires=["boto3"], + classifiers=[ + "Programming Language :: Python :: 3", + "License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)", + "Operating System :: OS Independent", + ], + python_requires='>=3.7', +) diff --git a/tests/__init__.py b/tests/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/tests/test_aws_rule.py b/tests/test_aws_rule.py new file mode 100644 index 0000000..508569c --- /dev/null +++ b/tests/test_aws_rule.py 
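Review bot: `CLIENT = boto3.client("sns")` runs at class-definition time, so merely importing reflex_core (whose __init__ pulls in SNSNotifier through AWSRule) creates a boto3 client and fails with botocore's NoRegionError in any environment without a configured region, including unit tests and tooling that only introspects the package. Creating the client per instance, `def __init__(self): self.client = boto3.client("sns")` and `self.client.publish(TopicArn=sns_topic, Message=message)`, defers that until a notification is actually sent. get_sns_topic reading `os.environ["SNS_TOPIC"]` raises KeyError when the variable is missing, which AWSRule.notify's broad except turns into a generic log line; raising a clearer error here, or at least naming the required variable in the docstring, would make that misconfiguration easier to spot.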
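Review bot: `packages=setuptools.find_packages()` will pick up the `tests` package (it gains an __init__.py in this commit), so the test suite ships inside the published wheel; `packages=setuptools.find_packages(exclude=["tests", "tests.*"])` keeps it out. `version=f"{os.environ['VERSION']}"` raises KeyError for any build outside the release workflow (a local `pip install .`, for example) and the f-string wrapper is redundant; `version=os.environ["VERSION"]` with a comment naming the workflow that sets it would make the requirement explicit. The `url` points at pangolock/reflex-core while the README links cloudmitigator/reflex-core; presumably one of them is stale.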
@@ -0,0 +1,490 @@ +import os +import unittest +from unittest.mock import patch + +from reflex_core import aws_rule +from reflex_core.notifiers import Notifier + + +class TestAwsRule(unittest.TestCase): + EVENT = {} + + def test_create_aws_rule_fully_implemented(self): + FullyImplementedAwsRule(self.EVENT) + + def test_create_aws_rule_all_function_not_implemented(self): + with self.assertRaises(NotImplementedError): + NotImplementedAwsRule(self.EVENT) + + def test_extract_not_implemented(self): + with self.assertRaises(NotImplementedError): + ExtractNotImplementedAwsRule(self.EVENT) + + def test_remediate_not_implemented(self): + with self.assertRaises(NotImplementedError): + test = RemediateNotImplementedAwsRule(self.EVENT) + test.remediate() + + def test_resource_not_implemented(self): + with self.assertRaises(NotImplementedError): + test = ResourceNotImplementedAwsRule(self.EVENT) + test.resource_compliant() + + def test_message_not_implemented(self): + with self.assertRaises(NotImplementedError): + test = MessageNotImplementedAwsRule(self.EVENT) + test.get_remediation_message() + + def test_fully_implemented_run_compliance_rule(self): + os.environ["SNS_TOPIC"] = "test" + with patch('botocore.client.BaseClient._make_api_call') as boto: + test = FullyImplementedAwsRule(self.EVENT) + test.run_compliance_rule() + boto.assert_called_with('Publish', + {'TopicArn': 'test', 'Message': None}) + + def test_add_and_execute_pre_remediation_action(self): + os.environ["SNS_TOPIC"] = "test" + with patch('botocore.client.BaseClient._make_api_call') as boto: + test = FullyImplementedAwsRule(self.EVENT) + + def print_test(): + print("test") + + test.add_pre_remediation_functions(print_test) + test.run_compliance_rule() + self.assertEqual(test.pre_remediation_functions[0], print_test) + boto.assert_called_with('Publish', + {'TopicArn': 'test', 'Message': None}) + + def test_add_and_execute_pre_remediation_actions(self): + os.environ["SNS_TOPIC"] = "test" + with 
patch('botocore.client.BaseClient._make_api_call') as boto: + test = FullyImplementedAwsRule(self.EVENT) + + def print_test(): + print("test") + + test.add_pre_remediation_functions([print_test, print_test]) + test.run_compliance_rule() + self.assertEqual(test.pre_remediation_functions, + [print_test, print_test]) + + boto.assert_called_with('Publish', + {'TopicArn': 'test', 'Message': None}) + + @patch('logging.Logger.warning') + def test_add_and_execute_non_executable_pre_remediation_action(self, + mock_log): + os.environ["SNS_TOPIC"] = "test" + with patch('botocore.client.BaseClient._make_api_call') as boto: + test = FullyImplementedAwsRule(self.EVENT) + + my_string = "string" + + test.add_pre_remediation_functions(my_string) + test.run_compliance_rule() + mock_log.assert_called_with( + '%s is not a function or list. Not adding to list of pre-remediation functions.', + 'string') + + @patch('logging.Logger.warning') + def test_add_and_execute_non_executables_pre_remediation_actions(self, + mock_log): + os.environ["SNS_TOPIC"] = "test" + with patch('botocore.client.BaseClient._make_api_call') as boto: + test = FullyImplementedAwsRule(self.EVENT) + + my_string = "string" + + test.add_pre_remediation_functions([my_string, my_string]) + test.run_compliance_rule() + mock_log.assert_called_with( + '%s is not a function. 
Not adding to list of pre-remediation functions.', + 'string') + + def test_remove_pre_remediation_action(self): + os.environ["SNS_TOPIC"] = "test" + with patch('botocore.client.BaseClient._make_api_call') as boto: + test = FullyImplementedAwsRule(self.EVENT) + + def print_test(): + print("test") + + test.add_pre_remediation_functions(print_test) + test.remove_pre_remediation_functions(print_test) + test.run_compliance_rule() + self.assertEqual(test.pre_remediation_functions, []) + + boto.assert_called_with('Publish', + {'TopicArn': 'test', 'Message': None}) + + def test_remove_pre_remediation_actions(self): + os.environ["SNS_TOPIC"] = "test" + with patch('botocore.client.BaseClient._make_api_call') as boto: + test = FullyImplementedAwsRule(self.EVENT) + + def print_test(): + print("test") + + test.add_pre_remediation_functions([print_test, print_test]) + test.remove_pre_remediation_functions([print_test, print_test]) + test.run_compliance_rule() + self.assertEqual(test.pre_remediation_functions, []) + + boto.assert_called_with('Publish', + {'TopicArn': 'test', 'Message': None}) + + @patch('logging.Logger.warning') + def test_remove_pre_remediation_actions_value_error(self, mock_log): + os.environ["SNS_TOPIC"] = "test" + with patch('botocore.client.BaseClient._make_api_call') as boto: + test = FullyImplementedAwsRule(self.EVENT) + + def print_test(): + print("test") + + def new_test(): + print("test") + + test.add_pre_remediation_functions([print_test, print_test]) + test.remove_pre_remediation_functions([print_test, new_test]) + test.run_compliance_rule() + self.assertEqual(test.pre_remediation_functions, [print_test]) + + boto.assert_called_with('Publish', + {'TopicArn': 'test', 'Message': None}) + self.assertEqual(mock_log.call_args[0][0], + '%s is not in the list of pre-remediation functions. 
Skipping') + + @patch('logging.Logger.warning') + def test_remove_pre_remediation_action_value_error(self, mock_log): + os.environ["SNS_TOPIC"] = "test" + with patch('botocore.client.BaseClient._make_api_call') as boto: + test = FullyImplementedAwsRule(self.EVENT) + + def print_test(): + print("test") + + def new_test(): + print("test") + + test.add_pre_remediation_functions(print_test) + test.remove_pre_remediation_functions(new_test) + test.run_compliance_rule() + self.assertEqual(test.pre_remediation_functions, [print_test]) + + boto.assert_called_with('Publish', + {'TopicArn': 'test', 'Message': None}) + self.assertEqual(mock_log.call_args[0][0], + '%s is not in the list of pre-remediation functions. Skipping') + + def test_add_and_execute_post_remediation_action(self): + os.environ["SNS_TOPIC"] = "test" + with patch('botocore.client.BaseClient._make_api_call') as boto: + test = FullyImplementedAwsRule(self.EVENT) + + def print_test(): + print("test") + + test.add_post_remediation_functions(print_test) + test.run_compliance_rule() + self.assertEqual(test.post_remediation_functions[1], print_test) + boto.assert_called_with('Publish', + {'TopicArn': 'test', 'Message': None}) + + def test_add_and_execute_post_remediation_actions(self): + os.environ["SNS_TOPIC"] = "test" + with patch('botocore.client.BaseClient._make_api_call') as boto: + test = FullyImplementedAwsRule(self.EVENT) + + def print_test(): + print("test") + + test.add_post_remediation_functions([print_test, print_test]) + test.run_compliance_rule() + self.assertEqual(test.post_remediation_functions[1:3], + [print_test, print_test]) + + boto.assert_called_with('Publish', + {'TopicArn': 'test', 'Message': None}) + + @patch('logging.Logger.warning') + def test_add_and_execute_non_executable_post_remediation_action(self, + mock_log): + os.environ["SNS_TOPIC"] = "test" + with patch('botocore.client.BaseClient._make_api_call') as boto: + test = FullyImplementedAwsRule(self.EVENT) + + my_string = "string" + + 
test.add_post_remediation_functions(my_string) + test.run_compliance_rule() + mock_log.assert_called_with( + '%s is not a function or list. Not adding to list of post-remediation functions.', + 'string') + + @patch('logging.Logger.warning') + def test_add_and_execute_non_executable_post_remediation_actions(self, + mock_log): + os.environ["SNS_TOPIC"] = "test" + with patch('botocore.client.BaseClient._make_api_call') as boto: + test = FullyImplementedAwsRule(self.EVENT) + + my_string = "string" + + test.add_post_remediation_functions([my_string, my_string]) + test.run_compliance_rule() + mock_log.assert_called_with( + '%s is not a function. Not adding to list of post-remediation functions.', + 'string') + + def test_remove_post_remediation_action(self): + os.environ["SNS_TOPIC"] = "test" + with patch('botocore.client.BaseClient._make_api_call') as boto: + test = FullyImplementedAwsRule(self.EVENT) + + def print_test(): + print("test") + + test.add_post_remediation_functions(print_test) + test.remove_post_remediation_functions(print_test) + test.run_compliance_rule() + self.assertEqual(len(test.post_remediation_functions), 1) + + boto.assert_called_with('Publish', + {'TopicArn': 'test', 'Message': None}) + + def test_remove_post_remediation_actions(self): + os.environ["SNS_TOPIC"] = "test" + with patch('botocore.client.BaseClient._make_api_call') as boto: + test = FullyImplementedAwsRule(self.EVENT) + + def print_test(): + print("test") + + test.add_post_remediation_functions([print_test, print_test]) + test.remove_post_remediation_functions([print_test, print_test]) + test.run_compliance_rule() + self.assertEqual(len(test.post_remediation_functions), 1) + + boto.assert_called_with('Publish', + {'TopicArn': 'test', 'Message': None}) + + @patch('logging.Logger.warning') + def test_remove_post_remediation_actions_value_error(self, mock_log): + os.environ["SNS_TOPIC"] = "test" + with patch('botocore.client.BaseClient._make_api_call') as boto: + test = 
FullyImplementedAwsRule(self.EVENT) + + def print_test(): + print("test") + + def new_test(): + print("test") + + test.add_post_remediation_functions([print_test, print_test]) + test.remove_post_remediation_functions([print_test, new_test]) + test.run_compliance_rule() + self.assertEqual(test.post_remediation_functions[1], print_test) + + boto.assert_called_with('Publish', + {'TopicArn': 'test', 'Message': None}) + self.assertEqual(mock_log.call_args[0][0], + '%s is not in the list of post-remediation functions. Skipping') + + @patch('logging.Logger.warning') + def test_remove_post_remediation_action_value_error(self, mock_log): + os.environ["SNS_TOPIC"] = "test" + with patch('botocore.client.BaseClient._make_api_call') as boto: + test = FullyImplementedAwsRule(self.EVENT) + + def print_test(): + print("test") + + def new_test(): + print("test") + + test.add_post_remediation_functions(print_test) + test.remove_post_remediation_functions(new_test) + test.run_compliance_rule() + self.assertEqual(test.post_remediation_functions[1], print_test) + + boto.assert_called_with('Publish', + {'TopicArn': 'test', 'Message': None}) + self.assertEqual(mock_log.call_args[0][0], + '%s is not in the list of post-remediation functions. 
Skipping') + + def test_add_notifier(self): + with patch('botocore.client.BaseClient._make_api_call') as boto: + test = FullyImplementedAwsRule(self.EVENT) + test.add_notifiers(FakeNotifier) + self.assertEqual(test.notifiers[1], FakeNotifier) + + def test_add_notifiers(self): + with patch('botocore.client.BaseClient._make_api_call') as boto: + test = FullyImplementedAwsRule(self.EVENT) + test.add_notifiers([FakeNotifier, FakeNotifier]) + self.assertEqual(test.notifiers[1:3], [FakeNotifier, FakeNotifier]) + + @patch('logging.Logger.warning') + def test_add_notifier_failure_not_class(self, mock_log): + with self.assertRaises(TypeError): + test = FullyImplementedAwsRule(self.EVENT) + test.add_notifiers('FakeNotifier') + + @patch('logging.Logger.warning') + def test_add_notifiers_failure_not_class(self, mock_log): + with self.assertRaises(TypeError): + test = FullyImplementedAwsRule(self.EVENT) + test.add_notifiers(['FakeNotifier', 'FakeNotifier']) + + @patch('logging.Logger.warning') + def test_add_notifier_failure_wrong_class(self, mock_log): + test = FullyImplementedAwsRule(self.EVENT) + test.add_notifiers(NotANotifier) + self.assertEqual(mock_log.call_args[0][0], '%s is not a Notifier or list. Not adding to list of Notifiers.') + + @patch('logging.Logger.warning') + def test_add_notifiers_failure_wrong_class(self, mock_log): + test = FullyImplementedAwsRule(self.EVENT) + test.add_notifiers([NotANotifier, NotANotifier]) + self.assertEqual(mock_log.call_args[0][0], '%s is not a Notifier. 
Not adding to list of Notifiers.') + + def test_remove_notifier(self): + with patch('botocore.client.BaseClient._make_api_call') as boto: + test = FullyImplementedAwsRule(self.EVENT) + test.add_notifiers(FakeNotifier) + test.remove_notifiers(FakeNotifier) + self.assertEqual(len(test.notifiers), 1) + + def test_remove_notifiers(self): + with patch('botocore.client.BaseClient._make_api_call') as boto: + test = FullyImplementedAwsRule(self.EVENT) + test.add_notifiers([FakeNotifier, FakeNotifier]) + test.remove_notifiers([FakeNotifier, FakeNotifier]) + self.assertEqual(len(test.notifiers), 1) + + @patch('logging.Logger.warning') + def test_remove_notifier_failure_not_class(self, mock_log): + test = FullyImplementedAwsRule(self.EVENT) + test.add_notifiers(FakeNotifier) + test.remove_notifiers('FakeNotifier') + self.assertEqual(mock_log.call_args[0][0], + '%s is not in the list of Notifiers. Skipping') + + @patch('logging.Logger.warning') + def test_remove_notifiers_failure_not_class(self, mock_log): + test = FullyImplementedAwsRule(self.EVENT) + test.add_notifiers([FakeNotifier, FakeNotifier]) + test.remove_notifiers(['FakeNotifier', 'FakeNotifier']) + self.assertEqual(mock_log.call_args[0][0], + '%s is not in the list of Notifiers. 
Skipping') + + def test_notify(self): + with patch('botocore.client.BaseClient._make_api_call') as boto: + os.environ["SNS_TOPIC"] = "test" + test = FullyImplementedAwsRule(self.EVENT) + test.notify() + boto.assert_called_with('Publish', {'TopicArn': 'test', 'Message': None}) + + @patch('logging.Logger.error') + def test_notify_exception(self, mock_log): + with patch('botocore.client.BaseClient._make_api_call') as boto: + os.environ["SNS_TOPIC"] = "test" + test = FullyImplementedAwsRule(self.EVENT) + test.add_notifiers(FakeNotifier) + test.notify() + boto.assert_called_with('Publish', {'TopicArn': 'test', 'Message': None}) + self.assertEqual(mock_log.call_args[0][0], + 'An error occurred while trying to send a notification: %s') + + + + +class NotImplementedAwsRule(aws_rule.AWSRule): + def __init__(self, event): + super().__init__(event) + + +class FullyImplementedAwsRule(aws_rule.AWSRule): + def __init__(self, event): + super().__init__(event) + + def remediate(self): + pass + + def extract_event_data(self, event): + pass + + def resource_compliant(self): + pass + + def get_remediation_message(self): + pass + + +class ExtractNotImplementedAwsRule(aws_rule.AWSRule): + def __init__(self, event): + super().__init__(event) + + def remediate(self): + pass + + def resource_compliant(self): + pass + + def get_remediation_message(self): + pass + + +class RemediateNotImplementedAwsRule(aws_rule.AWSRule): + def __init__(self, event): + super().__init__(event) + + def extract_event_data(self, event): + pass + + def resource_compliant(self): + pass + + def get_remediation_message(self): + pass + + +class ResourceNotImplementedAwsRule(aws_rule.AWSRule): + def __init__(self, event): + super().__init__(event) + + def remediate(self): + pass + + def extract_event_data(self, event): + pass + + def get_remediation_message(self): + pass + + +class MessageNotImplementedAwsRule(aws_rule.AWSRule): + def __init__(self, event): + super().__init__(event) + + def remediate(self): + pass + 
+ def extract_event_data(self, event): + pass + + def resource_compliant(self): + pass + + +class FakeNotifier(Notifier): + def notify(self, message): + raise ValueError + + +class NotANotifier: + def notify(self): + pass
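Review bot: Nearly every test assigns `os.environ["SNS_TOPIC"] = "test"` directly and never restores it, so the variable leaks into the rest of the process and tests that omit the assignment (e.g. `test_add_notifier`, `test_remove_notifier`) only pass because an earlier test happened to set it; `with patch.dict(os.environ, {"SNS_TOPIC": "test"}):` scopes the change to each test. `test_add_notifier_failure_not_class` and `test_add_notifiers_failure_not_class` construct `FullyImplementedAwsRule` inside the `assertRaises(TypeError)` block, so a `TypeError` from the constructor would satisfy the assertion for the wrong reason — move the construction above the `with`. The `as boto` alias is unused in several blocks (the notifier add/remove tests), and `mock_log` is unused in the two `TypeError` tests; dropping them makes it clear which tests actually assert on the SNS call.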