2015-06-22 22:47:27 +02:00
|
|
|
"""
|
2015-07-23 17:52:56 +02:00
|
|
|
.. module: lemur.plugins.lemur_aws.iam
|
2015-06-22 22:47:27 +02:00
|
|
|
:platform: Unix
|
|
|
|
:synopsis: Contains helper functions for interactive with AWS IAM Apis.
|
|
|
|
:copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
|
|
|
|
:license: Apache, see LICENSE for more details.
|
|
|
|
.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
|
|
|
|
"""
|
2016-12-27 19:31:33 +01:00
|
|
|
import botocore
|
|
|
|
|
|
|
|
from retrying import retry
|
|
|
|
|
2017-01-05 02:46:47 +01:00
|
|
|
from lemur.extensions import metrics
|
2016-12-27 19:31:33 +01:00
|
|
|
from lemur.plugins.lemur_aws.sts import sts_client
|
|
|
|
|
|
|
|
|
|
|
|
def retry_throttled(exception):
|
|
|
|
"""
|
|
|
|
Determines if this exception is due to throttling
|
|
|
|
:param exception:
|
|
|
|
:return:
|
|
|
|
"""
|
|
|
|
if isinstance(exception, botocore.exceptions.ClientError):
|
|
|
|
if exception.response['Error']['Code'] == 'NoSuchEntity':
|
|
|
|
return False
|
2017-01-05 02:46:47 +01:00
|
|
|
|
|
|
|
metrics.send('iam_retry', 'counter', 1)
|
2016-12-27 19:31:33 +01:00
|
|
|
return True
|
2015-07-11 02:06:57 +02:00
|
|
|
|
|
|
|
|
|
|
|
def get_name_from_arn(arn):
|
|
|
|
"""
|
|
|
|
Extract the certificate name from an arn.
|
|
|
|
|
|
|
|
:param arn: IAM SSL arn
|
|
|
|
:return: name of the certificate as uploaded to AWS
|
|
|
|
"""
|
|
|
|
return arn.split("/", 1)[1]
|
2015-06-22 22:47:27 +02:00
|
|
|
|
|
|
|
|
2017-01-05 02:46:47 +01:00
|
|
|
def create_arn_from_cert(account_number, region, certificate_name):
|
|
|
|
"""
|
|
|
|
Create an ARN from a certificate.
|
|
|
|
:param account_number:
|
|
|
|
:param region:
|
|
|
|
:param certificate_name:
|
|
|
|
:return:
|
|
|
|
"""
|
|
|
|
return "arn:aws:iam::{account_number}:server-certificate/{certificate_name}".format(
|
|
|
|
account_number=account_number,
|
|
|
|
certificate_name=certificate_name)
|
|
|
|
|
|
|
|
|
|
|
|
@sts_client('iam')
|
|
|
|
@retry(retry_on_exception=retry_throttled, stop_max_attempt_number=7, wait_exponential_multiplier=100)
|
|
|
|
def upload_cert(name, body, private_key, cert_chain=None, **kwargs):
|
2015-06-22 22:47:27 +02:00
|
|
|
"""
|
|
|
|
Upload a certificate to AWS
|
|
|
|
|
2015-08-03 22:51:27 +02:00
|
|
|
:param name:
|
2017-01-05 02:46:47 +01:00
|
|
|
:param body:
|
2015-06-22 22:47:27 +02:00
|
|
|
:param private_key:
|
|
|
|
:param cert_chain:
|
|
|
|
:return:
|
|
|
|
"""
|
2017-01-05 02:46:47 +01:00
|
|
|
client = kwargs.pop('client')
|
|
|
|
try:
|
|
|
|
if cert_chain:
|
|
|
|
return client.upload_server_certificate(
|
|
|
|
ServerCertificateName=name,
|
|
|
|
CertificateBody=str(body),
|
|
|
|
PrivateKey=str(private_key),
|
|
|
|
CertificateChain=str(cert_chain)
|
|
|
|
)
|
|
|
|
else:
|
|
|
|
return client.upload_server_certificate(
|
|
|
|
ServerCertificateName=name,
|
|
|
|
CertificateBody=str(body),
|
|
|
|
PrivateKey=str(private_key)
|
|
|
|
)
|
|
|
|
except botocore.exceptions.ClientError as e:
|
|
|
|
if e.response['Error']['Code'] != 'EntityAlreadyExists':
|
|
|
|
raise e
|
2015-06-22 22:47:27 +02:00
|
|
|
|
|
|
|
|
2016-12-27 19:31:33 +01:00
|
|
|
@sts_client('iam')
|
2017-01-05 02:46:47 +01:00
|
|
|
@retry(retry_on_exception=retry_throttled, stop_max_attempt_number=7, wait_exponential_multiplier=100)
|
2016-12-27 19:31:33 +01:00
|
|
|
def delete_cert(cert_name, **kwargs):
|
2015-06-22 22:47:27 +02:00
|
|
|
"""
|
|
|
|
Delete a certificate from AWS
|
|
|
|
|
2016-07-28 22:08:24 +02:00
|
|
|
:param cert_name:
|
2015-06-22 22:47:27 +02:00
|
|
|
:return:
|
|
|
|
"""
|
2016-12-27 19:31:33 +01:00
|
|
|
client = kwargs.pop('client')
|
2017-03-04 01:03:52 +01:00
|
|
|
try:
|
|
|
|
client.delete_server_certificate(ServerCertificateName=cert_name)
|
|
|
|
except botocore.exceptions.ClientError as e:
|
|
|
|
if e.response['Error']['Code'] != 'NoSuchEntity':
|
|
|
|
raise e
|
2015-06-22 22:47:27 +02:00
|
|
|
|
|
|
|
|
2017-01-05 02:46:47 +01:00
|
|
|
@sts_client('iam')
|
|
|
|
@retry(retry_on_exception=retry_throttled, stop_max_attempt_number=7, wait_exponential_multiplier=100)
|
|
|
|
def get_certificate(name, **kwargs):
|
2015-06-22 22:47:27 +02:00
|
|
|
"""
|
2017-01-05 02:46:47 +01:00
|
|
|
Retrieves an SSL certificate.
|
2015-06-22 22:47:27 +02:00
|
|
|
|
|
|
|
:return:
|
|
|
|
"""
|
2017-01-05 02:46:47 +01:00
|
|
|
client = kwargs.pop('client')
|
|
|
|
return client.get_server_certificate(
|
|
|
|
ServerCertificateName=name
|
|
|
|
)['ServerCertificate']
|
2015-06-22 22:47:27 +02:00
|
|
|
|
|
|
|
|
2017-01-05 02:46:47 +01:00
|
|
|
@sts_client('iam')
|
|
|
|
@retry(retry_on_exception=retry_throttled, stop_max_attempt_number=7, wait_exponential_multiplier=100)
|
|
|
|
def get_certificates(**kwargs):
|
2016-11-18 20:27:46 +01:00
|
|
|
"""
|
2017-01-05 02:46:47 +01:00
|
|
|
Fetches one page of certificate objects for a given account.
|
|
|
|
:param kwargs:
|
2016-11-18 20:27:46 +01:00
|
|
|
:return:
|
|
|
|
"""
|
2017-01-05 02:46:47 +01:00
|
|
|
client = kwargs.pop('client')
|
|
|
|
return client.list_server_certificates(**kwargs)
|
2016-11-18 20:27:46 +01:00
|
|
|
|
|
|
|
|
2017-01-05 02:46:47 +01:00
|
|
|
def get_all_certificates(**kwargs):
|
2015-06-22 22:47:27 +02:00
|
|
|
"""
|
2017-01-05 02:46:47 +01:00
|
|
|
Use STS to fetch all of the SSL certificates from a given account
|
2015-06-22 22:47:27 +02:00
|
|
|
"""
|
2017-01-05 02:46:47 +01:00
|
|
|
certificates = []
|
|
|
|
account_number = kwargs.get('account_number')
|
2015-06-22 22:47:27 +02:00
|
|
|
|
2017-01-05 02:46:47 +01:00
|
|
|
while True:
|
|
|
|
response = get_certificates(**kwargs)
|
|
|
|
metadata = response['ServerCertificateMetadataList']
|
|
|
|
|
|
|
|
for m in metadata:
|
|
|
|
certificates.append(get_certificate(m['ServerCertificateName'], account_number=account_number))
|
2015-06-22 22:47:27 +02:00
|
|
|
|
2017-01-05 02:46:47 +01:00
|
|
|
if not response.get('Marker'):
|
|
|
|
return certificates
|
|
|
|
else:
|
|
|
|
kwargs.update(dict(Marker=response['Marker']))
|