automate bootstrapping of integrations tests #1289
Conversation
* introduce a secret that holds the test userdata * move ConfigureCognito step from frontend to backend * add logic in ConfigureCognito to create the test users and assigned them to groups if `with_approval_tests=True` (reads info from the secret) * tests are reading the userdata from the secret
| @@ -3,7 +3,18 @@ The purpose of these tests is to automatically validate functionalities of data. | |||
|
|
|||
| ## Pre-requisites | |||
| - A real deployment of data.all in AWS | |||
| - 4 Cognito users (at the moment only Cognito is supported) like the ones defined in `conftest`(e.g. `testUser1` with password `Pass1Word!`) | |||
| - A SecretManager secret (`'{self.resource_prefix}-{target_env["envname"]}-cognito-test-users'`) with the followings contents | |||
There was a problem hiding this comment.
Do we need SecretManager here? We don't need auto rotation or so, I think SSM Parameter store is enough, also it's free.
There was a problem hiding this comment.
That's a good point, I am not an expert but my go-to is that when a password is involved I use SecretsManager (even if it's just for tests). Apart from the pricing aspect I don't see a downside.
There was a problem hiding this comment.
We had issues in the past with checkov flagging some secrets in SecretsManager because some best practices dictate that encrypted Secrets in secret manager should be rotated at least annually and encrypted with a KMS key. So if we add a secret, it needs to be encrypted with KMS and with rotation enabled. So as @SofiaSazonova was saying if it does not rotate, we might go for SSM. The question is, do we need to rotate them? what can happen if the password gets exposed?
In the scenario where a malicious user:
- knows that a company uses data.all. Tries to guess the cloudfront domain that might be something like .dataall.com
- tries to hit the domain with the default test user password (company is careless and did not change it)
- can overflood a company CICD pipeline with requests?
There was a problem hiding this comment.
After discussing with @dlpzx offline we decided to use SSM params for simplicity. Thanks for the spot on commend Sofia :)
| @@ -3,7 +3,18 @@ The purpose of these tests is to automatically validate functionalities of data. | |||
|
|
|||
| ## Pre-requisites | |||
| - A real deployment of data.all in AWS | |||
| - 4 Cognito users (at the moment only Cognito is supported) like the ones defined in `conftest`(e.g. `testUser1` with password `Pass1Word!`) | |||
| - A SecretManager secret (`'{self.resource_prefix}-{target_env["envname"]}-cognito-test-users'`) with the followings contents | |||
| ``` | |||
There was a problem hiding this comment.
I know, that's for test purposes, but why expose it in code (especially opensource)? May be it's better just to leave comment like: userdata with username, password and groups.
There was a problem hiding this comment.
I just gave an example password, real deployments should use a different one. Is your concern that people will just copy and paste the example and hence make themselves vulnerable?
| "testUser4": {"password": "yourPassword", "groups": ["testGroup4"]} | ||
| } | ||
| ``` | ||
| - If you are not using Cognito then you must manually create the users/groups |
There was a problem hiding this comment.
If not using Cognito, they still need to create the secret to store the passwords right?
There was a problem hiding this comment.
Indeed, if they are not using Cognito they must create the users manually and then create the secret for the CodeBuild job to read from. Will fix
| else: | ||
| raise e | ||
|
|
||
| print('Updating Canaries user password...') |
There was a problem hiding this comment.
nit: prints logs referencing CW canaries. Can we replace prints by logs?
|
|
||
| cognito = boto3.client('cognito-idp', region_name=region) | ||
| try: | ||
| user_pool = cognito.describe_user_pool_client(UserPoolId=user_pool_id, ClientId=app_client) | ||
| user_pool = cognito.describe_user_pool_client(UserPoolId=user_pool_id, ClientId=app_client) |
There was a problem hiding this comment.
You removed the general try/except because if it fails then the stack will rollback right?
There was a problem hiding this comment.
Nope, I removed it because it was only catching the exception printing and throwing it again which isn't required as the exception will currently bubble up and print the exact same information...
except ClientError as e:
print(f'Failed to setup cognito due to: {e}')
raise e
) ### Feature or Bugfix - Bugfix ### Detail Integration tests are running from a CodeBuild job in the tooling account but the `cognito-test-users` param exists in the environment account. ### Relates Fixes an issue introduced #1289 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Feature or Bugfix
Detail
with_approval_tests=True(reads info from SSM param)with_approval_tests=TrueCognito allowsALLOW_USER_PASSWORD_AUTHauth flowSecurity
Please answer the questions below briefly where applicable, or write
N/A. Based onOWASP 10.
fetching data from storage outside the application (e.g. a database, an S3 bucket)?
evalor similar functions are used?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.