#!/usr/bin/env python
import logging
import os
import shlex
import sys

from invoke import task, Collection
# Directory holding this tasks file; both paths below are derived from it.
_tasks_dir = os.path.dirname(__file__)

# Absolute path to the endgame CLI entry point. The expose tasks run it as the
# command word itself (`{BIN} expose ...`), so cli.py presumably has to be
# executable on disk for those tasks to work.
BIN = os.path.abspath(os.path.join(_tasks_dir, "endgame", "bin", "cli.py"))

# NOTE(review): this appends <parent of this dir>/endgame, while BIN points at
# <this dir>/endgame/bin/cli.py — the two disagree about where the package
# lives, and nothing in this file imports from endgame. Confirm the append is
# still needed.
sys.path.append(os.path.abspath(os.path.join(_tasks_dir, os.path.pardir, "endgame")))
# Module logger. Not referenced by any task in this file as shown; the
# commented-out exception_handler below is the only code that used it.
logger: logging.Logger = logging.getLogger(__name__)
# services that we will expose in these tests
# Each entry is passed verbatim as `--service <name>` to cli.py by the expose
# tasks. "secretsmanager" is commented out here but still appears in
# LIST_SERVICES below.
EXPOSE_SERVICES: list[str] = [
    "iam",
    "ecr",
    # "secretsmanager",
    "lambda"
]
# services to run the list-resources command against
# NOTE(review): list_resources below only echoes a heading per entry; no
# list-resources CLI call is made in this file as shown.
LIST_SERVICES: list[str] = [
    "iam",
    "lambda",
    "ecr",
    "efs",
    "secretsmanager",
    "s3"
]
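# ARN of the rogue principal the expose tasks echo as the exposure target.
# Read once at import; an unset or empty value aborts the module so no task can
# run with an undefined target. The value is only interpolated into echo
# commands below and is not passed to cli.py on its command line — presumably
# the CLI reads the same environment variable; verify before relying on it.
EVIL_PRINCIPAL = os.getenv("EVIL_PRINCIPAL")
if not EVIL_PRINCIPAL:
    # Test the bound value rather than calling os.getenv a second time.
    raise RuntimeError(
        "Please set the EVIL_PRINCIPAL environment variable to the ARN of the rogue principal that you "
        "want to give access to."
    )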
# Create the necessary collections (namespaces).
# `ns` is the root namespace (invoke's conventional root-namespace name); the
# tasks registered at the bottom of this file live on the nested "test"
# collection.
test = Collection("test")
ns = Collection()
ns.add_collection(test)
# def exception_handler(func):
#     def inner_function(*args, **kwargs):
#         try:
#             func(*args, **kwargs)
#         except UnexpectedExit as u_e:
#             logger.critical(f"FAIL! UnexpectedExit: {u_e}")
#             sys.exit(1)
#         except Failure as f_e:
#             logger.critical(f"FAIL: Failure: {f_e}")
#             sys.exit(1)
#
#     return inner_function
# BUILD
@task
def build_package(c):
    """Build the endgame sdist and wheel from the current checkout for use with PyPI.

    Runs two shell commands through the invoke context ``c``: first upgrade
    setuptools and wheel, then produce the dist/ artifacts with setup.py.
    Nothing is uploaded here.
    """
    steps = (
        'python -m pip install --upgrade setuptools wheel',
        'python setup.py -q sdist bdist_wheel',
    )
    for step in steps:
        c.run(step)
@task(pre=[build_package])
def install_package(c):
    """Install the locally built endgame distribution (not the PyPI release).

    ``build_package`` always runs first as a pre-task. Whatever the shell glob
    ``dist/endgame-*.tar.gz`` matches is handed to pip, so a dist/ directory
    holding several builds passes more than one archive.
    """
    # NOTE(review): this calls bare `pip3`, whereas build_package uses
    # `python -m pip`; if those resolve to different interpreters the package
    # is installed into the wrong environment — confirm which is intended.
    archive_glob = 'dist/endgame-*.tar.gz'
    c.run(f'pip3 install -q {archive_glob}')
@task
def create_terraform(c):
    """Run the Makefile's ``terraform-demo`` target.

    What that target provisions is defined in the Makefile, not here. This
    task is currently only referenced from commented-out decorators below and
    is not registered on the ``test`` collection.
    """
    make_target = "terraform-demo"
    c.run(f"make {make_target}")
@task
def destroy_terraform(c):
    """Run the Makefile's ``terraform-destroy`` target.

    Counterpart of ``create_terraform``; like it, this is only referenced from
    commented-out ``post=[...]`` decorators below and is not registered on the
    ``test`` collection.
    """
    make_target = "terraform-destroy"
    c.run(f"make {make_target}")
# @exception_handler
# @task(pre=[create_terraform], post=[destroy_terraform])
# @task
@task(pre=[install_package])
def list_resources(c):
    """Print a heading for each service in ``LIST_SERVICES`` after reinstalling the package.

    As written this only echoes ``Listing <service>`` per entry; no
    list-resources CLI invocation is made despite the task's name — presumably
    a placeholder, confirm against the intended cli.py command.
    """
    for svc in LIST_SERVICES:
        heading = f"echo '\nListing {svc}'"
        c.run(heading, pty=True)
# @exception_handler
# @task(pre=[create_terraform], post=[destroy_terraform])
@task
def expose_dry_run(c):
    """DRY RUN: invoke ``expose --dry-run`` for each service in ``EXPOSE_SERVICES``.

    Passes ``--dry-run`` to cli.py so nothing is changed; useful to check the
    CLI wiring before running ``expose`` for real. Each service is a separate
    cli.py invocation on the ``test-resource-exposure`` resource.
    """
    for svc in EXPOSE_SERVICES:
        cmd = f"{BIN} expose --service {svc} --name test-resource-exposure --dry-run"
        c.run(cmd, pty=True)
# @exception_handler
# @task(pre=[create_terraform], post=[destroy_terraform])
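@task
def expose_undo(c):
    """Expose each service in ``EXPOSE_SERVICES`` and immediately undo it.

    Exercises the CLI's ``--undo`` path on the ``test-resource-exposure``
    resource for every service, even though the infrastructure is destroyed
    afterwards anyway. EVIL_PRINCIPAL is only echoed here, not passed to
    cli.py on its command line; presumably the CLI reads the same environment
    variable — verify before relying on it.
    """
    # EVIL_PRINCIPAL is interpolated into a shell command line, so quote the
    # echoed text: a quote or metacharacter in the value would otherwise
    # break, or be interpreted by, the shell. For ordinary ARNs the resulting
    # command is identical to the unquoted form.
    c.run("echo " + shlex.quote(f"Exposing the Terraform infrastructure to {EVIL_PRINCIPAL}"))
    undo_msg = shlex.quote(
        f"Undoing the exposure to {EVIL_PRINCIPAL} before destroying, just to be extra sure and to test it out."
    )
    for service in EXPOSE_SERVICES:
        c.run(f"{BIN} expose --service {service} --name test-resource-exposure ", pty=True)
        # Echoed once per service, before each undo.
        c.run(f"echo {undo_msg}")
        c.run(f"{BIN} expose --service {service} --name test-resource-exposure --undo", pty=True)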
# @exception_handler
# @task(pre=[create_terraform], post=[destroy_terraform])
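@task
def expose(c):
    """REAL EXPOSURE TO ROGUE ACCOUNT: expose each service in ``EXPOSE_SERVICES``.

    Unlike ``expose_dry_run`` this performs the change, and unlike
    ``expose_undo`` it does not revert it — an ``expose_undo`` run or a manual
    ``--undo`` is needed to remove the exposure. EVIL_PRINCIPAL is only echoed
    here, not passed to cli.py on its command line; presumably the CLI reads
    the same environment variable — verify before relying on it.
    """
    # EVIL_PRINCIPAL is interpolated into a shell command line, so quote the
    # echoed text: a quote or metacharacter in the value would otherwise
    # break, or be interpreted by, the shell. For ordinary ARNs the resulting
    # command is identical to the unquoted form.
    banner = "echo " + shlex.quote(f"Exposing the Terraform infrastructure to {EVIL_PRINCIPAL}")
    for service in EXPOSE_SERVICES:
        # The banner is repeated per service, as before.
        c.run(banner)
        c.run(f"{BIN} expose --service {service} --name test-resource-exposure", pty=True)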
# Register the public tasks on the "test" collection under hyphenated names.
# build_package, install_package, create_terraform and destroy_terraform are
# not registered here: install_package still runs as list_resources' pre-task,
# and the two terraform tasks are only mentioned in commented-out decorators.
_test_tasks = (
    (list_resources, "list-resources"),
    (expose_dry_run, "expose-dry-run"),
    (expose_undo, "expose-undo"),
    (expose, "expose"),
)
for _task_fn, _task_name in _test_tasks:
    test.add_task(_task_fn, _task_name)