Ejemplo n.º 1
 def test_authority_true(self):
     """authority() returns None when check_authority grants access."""
     target = 'premembers.common.checkauthority.check_authority'
     # Stub the underlying check so that it reports success.
     with patch(target, return_value=True):
         outcome = checkauthority.authority(
             trace_id, user_id, organization_id, Authority["Owner"])
     # None is the "no error response" signal that handlers test for.
     self.assertEqual(outcome, None)
Ejemplo n.º 2
def delete_excluded_resources_handler(event, context):
    """Delete an excluded-resource setting after an Editor authority check.

    Every identifier is read from ``event`` through ``eventhelper``; the
    caller's user id is the trace id. ``context`` is not used.

    Returns the value of ``common_utils.response``: built from the
    authority error response when the check yields one, otherwise from the
    result of ``checkitemsettings_logic.delete_excluded_resources``.
    """
    trace_id = eventhelper.get_trace_id(event)
    user_id = trace_id
    organization_id = eventhelper.get_organization_id(event)
    project_id = eventhelper.get_project_id(event)
    check_item_code = eventhelper.get_check_item_code(event)
    coop_id = eventhelper.get_coop_id(event)
    region_name = eventhelper.get_region_name(event)
    resource_type = eventhelper.get_resource_type(event)
    resource_name = eventhelper.get_resource_name(event)

    # Start logging for this invocation.
    logger = common_utils.begin_logger(
        trace_id, __name__, inspect.currentframe())

    # Access authority check: a truthy result is an error response, so the
    # delete below is never reached for a caller who fails the check.
    denied = checkauthority.authority(
        trace_id, user_id, organization_id, Authority.Editor)
    if denied:
        return common_utils.response(denied, logger)

    # Delete the excluded-resource setting.
    # NOTE(review): only organization_id is authorized in this handler;
    # presumably the logic layer verifies that project_id and coop_id belong
    # to that organization -- confirm.
    outcome = checkitemsettings_logic.delete_excluded_resources(
        trace_id,
        organization_id,
        project_id,
        check_item_code,
        coop_id,
        region_name,
        resource_type,
        resource_name,
    )
    return common_utils.response(outcome, logger)
Ejemplo n.º 3
def create_excluesion_item_handler(event, context):
    """Create a check-item exclusion after an Editor authority check.

    Identifiers and the caller's e-mail come from ``event`` through
    ``eventhelper``; the caller's user id is the trace id. The raw
    ``event['body']`` is handed to the logic layer unparsed. ``context`` is
    not used.

    Returns the value of ``common_utils.response``: built from the
    authority error response when the check yields one, otherwise from the
    result of ``checkitemsettings_logic.create_excluesion_item``.
    """
    trace_id = eventhelper.get_trace_id(event)
    user_id = trace_id
    organization_id = eventhelper.get_organization_id(event)
    project_id = eventhelper.get_project_id(event)
    email = eventhelper.get_email(event)
    check_item_code = eventhelper.get_check_item_code(event)
    coop_id = eventhelper.get_coop_id(event)

    # Start logging for this invocation.
    logger = common_utils.begin_logger(
        trace_id, __name__, inspect.currentframe())

    # Access authority check; a truthy result is the error response to send.
    denied = checkauthority.authority(
        trace_id, user_id, organization_id, Authority.Editor)
    if denied:
        return common_utils.response(denied, logger)

    # The request body is read only after the caller has been authorized.
    outcome = checkitemsettings_logic.create_excluesion_item(
        trace_id,
        user_id,
        organization_id,
        project_id,
        email,
        check_item_code,
        coop_id,
        event['body'],
    )
    return common_utils.response(outcome, logger)
Ejemplo n.º 4
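def list_awscoops_handler(event, context):
    """List the AWS coops of a project after a Viewer authority check.

    Identifiers come from ``event`` through ``eventhelper``; the caller's
    user id is read with the same helper as the trace id. The optional
    ``effective`` query parameter is resolved through
    ``eventhelper.get_effective`` only when it is present and truthy,
    otherwise ``None`` is passed on. ``context`` is not used.

    Returns the value of ``common_utils.response``: built from the
    authority error response when the check yields one, otherwise from the
    result of ``awscoops_logic.get_list_awscoops``.
    """
    trace_id = eventhelper.get_trace_id(event)
    user_id = eventhelper.get_trace_id(event)
    organization_id = eventhelper.get_organization_id(event)
    project_id = eventhelper.get_project_id(event)

    # The query string is caller-controlled: it may be missing, None, or
    # hold other parameters but not 'effective'. Indexing it directly raised
    # KeyError (an unhandled error before logging and the authority check)
    # for a request such as "?foo=1"; .get() treats that as "not supplied".
    query_params = event.get('queryStringParameters') or {}
    if query_params.get('effective'):
        effective = eventhelper.get_effective(event)
    else:
        effective = None

    # Start logging for this invocation.
    pm_logger = common_utils.begin_logger(trace_id, __name__,
                                          inspect.currentframe())

    # Access authority check; a truthy result is the error response to send.
    response_authority = checkauthority.authority(
        trace_id, user_id, organization_id, Authority.Viewer)
    if response_authority:
        return common_utils.response(response_authority, pm_logger)

    response = awscoops_logic.get_list_awscoops(trace_id, organization_id,
                                                project_id, effective)

    return common_utils.response(response, pm_logger)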
Ejemplo n.º 5
    def test_authority_false(self):
        """authority() answers 403 with ERR_101 when the check denies access."""
        target = 'premembers.common.checkauthority.check_authority'
        # Stub the underlying check so that it reports "not authorized".
        with patch(target, return_value=False):
            outcome = checkauthority.authority(
                trace_id, user_id, organization_id, Authority["Owner"])
        status_code = outcome['statusCode']
        payload = json.loads(outcome['body'])
        expected = MsgConst.ERR_101

        self.assertEqual(status_code, HTTPStatus.FORBIDDEN.value)
        # The error body must carry the ERR_101 fields unchanged.
        for field in ('code', 'message', 'description'):
            self.assertEqual(payload[field], expected[field])
Ejemplo n.º 6
    def test_authority_error(self):
        """authority() answers 500 with ERR_402 when the check raises PmError.

        Pins the fail-closed behaviour: an error inside the check produces an
        error response rather than the None that handlers read as "allowed".
        """
        target = 'premembers.common.checkauthority.check_authority'
        # Make the underlying check raise instead of returning a verdict.
        with patch(target, side_effect=PmError()):
            outcome = checkauthority.authority(
                trace_id, user_id, organization_id, Authority["Owner"])
        status_code = outcome['statusCode']
        payload = json.loads(outcome['body'])
        expected = MsgConst.ERR_402

        self.assertEqual(status_code, HTTPStatus.INTERNAL_SERVER_ERROR.value)
        # The error body must carry the ERR_402 fields unchanged.
        for field in ('code', 'message', 'description'):
            self.assertEqual(payload[field], expected[field])
Ejemplo n.º 7
def get_organization_handler(event, context):
    """Return one organization after a Viewer authority check.

    The organization id comes from ``event`` through ``eventhelper``; the
    caller's user id is read with the same helper as the trace id.
    ``context`` is not used.

    Returns the value of ``common_utils.response``: built from the
    authority error response when the check yields one, otherwise from the
    result of ``organizations_logic.get_organization``.
    """
    trace_id = eventhelper.get_trace_id(event)
    user_id = eventhelper.get_trace_id(event)
    organization_id = eventhelper.get_organization_id(event)

    logger = common_utils.begin_logger(
        trace_id, __name__, inspect.currentframe())

    # Access authority check; a truthy result is the error response to send.
    denied = checkauthority.authority(
        trace_id, user_id, organization_id, Authority.Viewer)
    if denied:
        return common_utils.response(denied, logger)

    # Authorized: fetch the organization and wrap it as the response.
    outcome = organizations_logic.get_organization(trace_id, organization_id)
    return common_utils.response(outcome, logger)
Ejemplo n.º 8
def create_notifymail_handler(event, context):
    """Create a mail notification setting after an Owner authority check.

    The organization id comes from ``event`` through ``eventhelper``; the
    caller's user id is read with the same helper as the trace id. The raw
    ``event["body"]`` is handed to the logic layer unparsed. ``context`` is
    not used.

    Returns the value of ``common_utils.response``: built from the
    authority error response when the check yields one, otherwise from the
    result of ``notifymail_logic.create_notifymail``.
    """
    trace_id = eventhelper.get_trace_id(event)
    user_id = eventhelper.get_trace_id(event)
    organization_id = eventhelper.get_organization_id(event)

    logger = common_utils.begin_logger(
        trace_id, __name__, inspect.currentframe())

    # Access authority check; a truthy result is the error response to send.
    denied = checkauthority.authority(
        trace_id, user_id, organization_id, Authority.Owner)
    if denied:
        return common_utils.response(denied, logger)

    # The request body is read only after the caller has been authorized.
    outcome = notifymail_logic.create_notifymail(
        trace_id, organization_id, event["body"])
    return common_utils.response(outcome, logger)
Ejemplo n.º 9
def get_notifyslack_handler(event, context):
    """Return a Slack notification setting after an Owner authority check.

    The organization id and notify code come from ``event`` through
    ``eventhelper``; the caller's user id is read with the same helper as
    the trace id. ``context`` is not used.

    Returns the value of ``common_utils.response``: built from the
    authority error response when the check yields one, otherwise from the
    result of ``notifymail_logic.get_notifyslack``.
    """
    trace_id = eventhelper.get_trace_id(event)
    user_id = eventhelper.get_trace_id(event)
    organization_id = eventhelper.get_organization_id(event)
    notify_code = eventhelper.get_notify_code(event)

    logger = common_utils.begin_logger(
        trace_id, __name__, inspect.currentframe())

    # Access authority check; a truthy result is the error response to send.
    denied = checkauthority.authority(
        trace_id, user_id, organization_id, Authority.Owner)
    if denied:
        return common_utils.response(denied, logger)

    # Authorized: look the setting up and wrap it as the response.
    outcome = notifymail_logic.get_notifyslack(
        trace_id, organization_id, notify_code)
    return common_utils.response(outcome, logger)
Ejemplo n.º 10
def list_reports_handler(event, context):
    """List the reports of a project after a Viewer authority check.

    Identifiers come from ``event`` through ``eventhelper``; the caller's
    user id is read with the same helper as the trace id. ``context`` is
    not used.

    Returns the value of ``common_utils.response``: built from the
    authority error response when the check yields one, otherwise from the
    result of ``reports_logic.get_list_reports``.
    """
    trace_id = eventhelper.get_trace_id(event)
    user_id = eventhelper.get_trace_id(event)
    organization_id = eventhelper.get_organization_id(event)
    project_id = eventhelper.get_project_id(event)

    logger = common_utils.begin_logger(
        trace_id, __name__, inspect.currentframe())

    # Access authority check; a truthy result is the error response to send.
    denied = checkauthority.authority(
        trace_id, user_id, organization_id, Authority.Viewer)
    if denied:
        return common_utils.response(denied, logger)

    outcome = reports_logic.get_list_reports(
        trace_id, organization_id, project_id)
    return common_utils.response(outcome, logger)
Ejemplo n.º 11
def get_security_check_report_url(trace_id, user_id, history_id):
    """Return a presigned URL for the report file of a check history.

    The history record is looked up first and the authority check is run
    against the organization stored in that record, so the caller supplies
    no organization id of their own.

    Args:
        trace_id: Trace id passed to logging and to every helper call.
        user_id: User whose Viewer authority on the owning organization is
            checked.
        history_id: Id of the check history whose report is requested.

    Returns:
        The value of ``common_utils.response`` or of a ``common_utils``
        error helper: ERR_402 / 500 when the history lookup raises PmError,
        ERR_301 / 404 when no history is found, the authority error
        response when the check yields one, ERR_999 / 500 when URL
        generation raises PmError, otherwise 200 with ``{"URL": ...}``.
    """
    logger = common_utils.begin_logger(
        trace_id, __name__, inspect.currentframe())

    # Fetch the check history; only ReportCompleted entries are requested.
    try:
        histories = pm_checkHistory.get_check_history_by_status(
            trace_id, history_id, CheckStatus.ReportCompleted)
    except PmError as err:
        return common_utils.error_exception(
            MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, err, logger,
            True)

    # No matching record (zero items returned).
    if len(histories) == 0:
        return common_utils.error_common(
            MsgConst.ERR_301, HTTPStatus.NOT_FOUND, logger)

    history = histories[0]

    # Take the organization id from the stored record, then check authority
    # against it.
    organization_id = history['OrganizationID']
    denied = checkauthority.authority(
        trace_id, user_id, organization_id, Authority.Viewer)
    if denied:
        return common_utils.response(denied, logger)

    # Create the presigned URL. The original comment states that it expires
    # one hour after creation; the expiry itself is set inside
    # aws_common.generate_presigned_url and is not visible here.
    try:
        signed_url = aws_common.generate_presigned_url(
            trace_id,
            common_utils.get_environ('S3_CHECK_BUCKET'),
            history['ReportFilePath'])
    except PmError as err:
        return common_utils.error_exception(
            MsgConst.ERR_999, HTTPStatus.INTERNAL_SERVER_ERROR, err, logger,
            True)

    # NOTE(review): the presigned URL grants access to whoever holds it;
    # confirm that common_utils.response does not write the body to the log.
    payload = {"URL": signed_url}
    result = common_utils.get_response_by_response_body(
        HTTPStatus.OK, payload)
    return common_utils.response(result, logger)
Ejemplo n.º 12
def create_report_handler(event, context):
    """Create a report after an Editor authority check.

    Identifiers and the caller's e-mail come from ``event`` through
    ``eventhelper``; the caller's user id is read with the same helper as
    the trace id. The raw ``event["body"]`` is handed to the logic layer
    unparsed. ``context`` is not used.

    Returns the value of ``common_utils.response``: built from the
    authority error response when the check yields one, otherwise from the
    result of ``reports_logic.create_report``.
    """
    trace_id = eventhelper.get_trace_id(event)
    user_id = eventhelper.get_trace_id(event)
    email = eventhelper.get_email(event)
    organization_id = eventhelper.get_organization_id(event)
    project_id = eventhelper.get_project_id(event)

    logger = common_utils.begin_logger(
        trace_id, __name__, inspect.currentframe())

    # Access authority check; a truthy result is the error response to send.
    denied = checkauthority.authority(
        trace_id, user_id, organization_id, Authority.Editor)
    if denied:
        return common_utils.response(denied, logger)

    # Create the report; the body is read only after authorization.
    outcome = reports_logic.create_report(
        trace_id, email, organization_id, project_id, event["body"])
    return common_utils.response(outcome, logger)
Ejemplo n.º 13
def create_project_handler(event, context):
    """Create a project in an organization after an Owner authority check.

    The organization id comes from ``event`` through ``eventhelper``; the
    caller's user id is read with the same helper as the trace id. The raw
    ``event['body']`` is handed to the logic layer unparsed. ``context`` is
    not used.

    Returns the value of ``common_utils.response``: built from the
    authority error response when the check yields one, otherwise from the
    result of ``projects_logic.create_project``.
    """
    trace_id = eventhelper.get_trace_id(event)
    user_id = eventhelper.get_trace_id(event)
    organization_id = eventhelper.get_organization_id(event)

    # Start logging for this invocation.
    logger = common_utils.begin_logger(
        trace_id, __name__, inspect.currentframe())

    # Access authority check; a truthy result is the error response to send.
    denied = checkauthority.authority(
        trace_id, user_id, organization_id, Authority.Owner)
    if denied:
        return common_utils.response(denied, logger)

    # Create the project; the body is read only after authorization.
    outcome = projects_logic.create_project(
        trace_id, organization_id, event['body'])
    return common_utils.response(outcome, logger)
Ejemplo n.º 14
def get_security_check_webhook_handler(event, context):
    """Return a security-check webhook after an Editor authority check.

    The organization and project ids are read with the ``get_query_*``
    helpers of ``eventhelper``; the caller's user id is read with the same
    helper as the trace id. ``context`` is not used.

    Returns the value of ``common_utils.response``: built from the
    authority error response when the check yields one, otherwise from the
    result of ``awschecks_logic.get_security_check_webhook_by_ids``.
    """
    trace_id = eventhelper.get_trace_id(event)
    user_id = eventhelper.get_trace_id(event)
    organization_id = eventhelper.get_query_organization_id(event)
    project_id = eventhelper.get_query_project_id(event)

    logger = common_utils.begin_logger(
        trace_id, __name__, inspect.currentframe())

    # Access authority check; a truthy result is the error response to send.
    denied = checkauthority.authority(
        trace_id, user_id, organization_id, Authority.Editor)
    if denied:
        return common_utils.response(denied, logger)

    # The same organization id that was authorized is used for the lookup.
    outcome = awschecks_logic.get_security_check_webhook_by_ids(
        trace_id, user_id, organization_id, project_id)
    return common_utils.response(outcome, logger)
Ejemplo n.º 15
def list_projects_handler(event, context):
    """List the projects of an organization after a Viewer authority check.

    The organization id comes from ``event`` through ``eventhelper``; the
    caller's user id is read with the same helper as the trace id.
    ``context`` is not used.

    Returns the value of ``common_utils.response``: built from the
    authority error response when the check yields one, otherwise from the
    result of ``projects_logic.get_list_project``.
    """
    # Request data.
    trace_id = eventhelper.get_trace_id(event)
    user_id = eventhelper.get_trace_id(event)
    organization_id = eventhelper.get_organization_id(event)

    # Start logging for this invocation.
    logger = common_utils.begin_logger(
        trace_id, __name__, inspect.currentframe())

    # Access authority check; a truthy result is the error response to send.
    denied = checkauthority.authority(
        trace_id, user_id, organization_id, Authority.Viewer)
    if denied:
        return common_utils.response(denied, logger)

    outcome = projects_logic.get_list_project(trace_id, organization_id)
    return common_utils.response(outcome, logger)
Ejemplo n.º 16
def execute_force_invites_handler(event, context):
    """Run a forced invite into an organization after an Owner authority check.

    The organization id comes from ``event`` through ``eventhelper``; the
    caller's user id is the trace id. The raw ``event['body']`` is handed to
    the logic layer unparsed. ``context`` is not used.

    Returns the value of ``common_utils.response``: built from the
    authority error response when the check yields one, otherwise from the
    result of ``organizations_logic.execute_force_invites``.
    """
    trace_id = eventhelper.get_trace_id(event)
    user_id = trace_id
    organization_id = eventhelper.get_organization_id(event)
    raw_body = event['body']

    # Start logging for this invocation.
    logger = common_utils.begin_logger(
        trace_id, __name__, inspect.currentframe())

    # Access authority check; a truthy result is the error response to send.
    denied = checkauthority.authority(
        trace_id, user_id, organization_id, Authority.Owner)
    if denied:
        return common_utils.response(denied, logger)

    outcome = organizations_logic.execute_force_invites(
        trace_id, raw_body, organization_id)
    return common_utils.response(outcome, logger)
Ejemplo n.º 17
def delete_awscoop_handler(event, context):
    """Delete an AWS coop after an Owner authority check.

    Identifiers come from ``event`` through ``eventhelper``; the caller's
    user id is read with the same helper as the trace id. ``context`` is
    not used.

    Returns the value of ``common_utils.response``: built from the
    authority error response when the check yields one, otherwise from the
    result of ``awscoops_logic.delete_awscoop``.
    """
    trace_id = eventhelper.get_trace_id(event)
    user_id = eventhelper.get_trace_id(event)
    organization_id = eventhelper.get_organization_id(event)
    project_id = eventhelper.get_project_id(event)
    coop_id = eventhelper.get_coop_id(event)

    # Start logging for this invocation.
    logger = common_utils.begin_logger(
        trace_id, __name__, inspect.currentframe())

    # Access authority check; a truthy result is the error response to send.
    denied = checkauthority.authority(
        trace_id, user_id, organization_id, Authority.Owner)
    if denied:
        return common_utils.response(denied, logger)

    # Delete the coop.
    # NOTE(review): only organization_id is authorized in this handler;
    # presumably delete_awscoop verifies that coop_id belongs to that
    # organization and project before deleting -- confirm.
    outcome = awscoops_logic.delete_awscoop(
        trace_id, coop_id, organization_id, project_id)
    return common_utils.response(outcome, logger)
Ejemplo n.º 18
def generate_security_check_webhook_handler(event, context):
    """Generate a security-check webhook after an Editor authority check.

    Unlike the handlers that read ids through ``eventhelper`` getters, the
    organization and project ids are taken from the parsed request body
    (``organizationId`` / ``projectId``). The caller's user id is read with
    the same helper as the trace id. ``context`` is not used.

    Returns the value of ``common_utils.response``: built from the
    authority error response when the check yields one, otherwise from the
    result of ``awschecks_logic.generate_security_check_webhook``.
    """
    trace_id = eventhelper.get_trace_id(event)
    user_id = eventhelper.get_trace_id(event)
    email = eventhelper.get_email(event)

    # NOTE(review): a body without these keys raises KeyError here, before
    # logging starts and before the authority check; whether parse_body
    # validates the payload is not visible from this handler -- confirm.
    payload = eventhelper.parse_body(event)
    organization_id = payload['organizationId']
    project_id = payload['projectId']

    logger = common_utils.begin_logger(
        trace_id, __name__, inspect.currentframe())

    # Access authority check against the organization named in the body;
    # a truthy result is the error response to send.
    denied = checkauthority.authority(
        trace_id, user_id, organization_id, Authority.Editor)
    if denied:
        return common_utils.response(denied, logger)

    outcome = awschecks_logic.generate_security_check_webhook(
        trace_id, organization_id, project_id, user_id, email)
    return common_utils.response(outcome, logger)
Ejemplo n.º 19
def delete_user_handler(event, context):
    """Remove a user from an organization after an Owner authority check.

    Two user ids are involved: the signed-in caller (read with the trace-id
    helper), whose Owner authority is checked, and the target user
    (``eventhelper.get_user_id``), who is passed to the delete.
    ``context`` is not used.

    Returns the value of ``common_utils.response``: built from the
    authority error response when the check yields one, otherwise from the
    result of ``organizations_logic.delete_user``.
    """
    trace_id = eventhelper.get_trace_id(event)
    caller_id = eventhelper.get_trace_id(event)
    user_id = eventhelper.get_user_id(event)
    organization_id = eventhelper.get_organization_id(event)
    email = eventhelper.get_email(event)

    # Start logging for this invocation.
    logger = common_utils.begin_logger(
        trace_id, __name__, inspect.currentframe())

    # Access authority check on the caller, not on the user being deleted;
    # a truthy result is the error response to send.
    denied = checkauthority.authority(
        trace_id, caller_id, organization_id, Authority.Owner)
    if denied:
        return common_utils.response(denied, logger)

    outcome = organizations_logic.delete_user(
        trace_id, organization_id, user_id, email)
    return common_utils.response(outcome, logger)
Ejemplo n.º 20
def request_output_report_handler(event, context):
    """Request the export of a report after an Editor authority check.

    Identifiers, the file type and the caller's e-mail come from ``event``
    through ``eventhelper``; the caller's user id is read with the same
    helper as the trace id. ``context`` is not used.

    Returns the value of ``common_utils.response``: built from the
    authority error response when the check yields one, otherwise from the
    result of ``reports_logic.request_output_report``.
    """
    trace_id = eventhelper.get_trace_id(event)
    user_id = eventhelper.get_trace_id(event)
    email = eventhelper.get_email(event)
    organization_id = eventhelper.get_organization_id(event)
    project_id = eventhelper.get_project_id(event)
    report_id = eventhelper.get_report_id(event)
    file_type = eventhelper.get_file_type(event)

    logger = common_utils.begin_logger(
        trace_id, __name__, inspect.currentframe())

    # Access authority check; a truthy result is the error response to send.
    denied = checkauthority.authority(
        trace_id, user_id, organization_id, Authority.Editor)
    if denied:
        return common_utils.response(denied, logger)

    # Export the report.
    outcome = reports_logic.request_output_report(
        trace_id, email, organization_id, project_id, report_id, file_type)
    return common_utils.response(outcome, logger)
Ejemplo n.º 21
def list_item_settings_handler(event, context):
    """List check-item settings after an Editor authority check.

    Identifiers and the group filter come from ``event`` through
    ``eventhelper``; the caller's user id is the trace id. ``context`` is
    not used.

    Returns the value of ``common_utils.response``: built from the
    authority error response when the check yields one, otherwise from the
    result of ``checkitemsettings_logic.list_item_settings``.
    """
    trace_id = eventhelper.get_trace_id(event)
    user_id = trace_id
    organization_id = eventhelper.get_organization_id(event)
    project_id = eventhelper.get_project_id(event)
    coop_id = eventhelper.get_coop_id(event)
    group_filter = eventhelper.get_group_filter(event)

    # Start logging for this invocation.
    logger = common_utils.begin_logger(
        trace_id, __name__, inspect.currentframe())

    # Access authority check; a truthy result is the error response to send.
    denied = checkauthority.authority(
        trace_id, user_id, organization_id, Authority.Editor)
    if denied:
        return common_utils.response(denied, logger)

    outcome = checkitemsettings_logic.list_item_settings(
        trace_id, organization_id, project_id, coop_id, group_filter)
    return common_utils.response(outcome, logger)
Ejemplo n.º 22
def execute_security_check_handler(event, context):
    """Start a security check for a project after an Editor authority check.

    Identifiers and the caller's e-mail come from ``event`` through
    ``eventhelper``; the caller's user id is read with the same helper as
    the trace id. ``context`` is not used.

    Returns the value of ``common_utils.response``: built from the
    authority error response when the check yields one, otherwise from the
    result of ``awschecks_logic.execute_security_check``.
    """
    trace_id = eventhelper.get_trace_id(event)
    user_id = eventhelper.get_trace_id(event)
    email = eventhelper.get_email(event)
    organization_id = eventhelper.get_organization_id(event)
    project_id = eventhelper.get_project_id(event)

    # Start logging for this invocation.
    logger = common_utils.begin_logger(
        trace_id, __name__, inspect.currentframe())

    # Access authority check; a truthy result is the error response to send.
    denied = checkauthority.authority(
        trace_id, user_id, organization_id, Authority.Editor)
    if denied:
        return common_utils.response(denied, logger)

    outcome = awschecks_logic.execute_security_check(
        trace_id, organization_id, project_id, user_id, email)
    return common_utils.response(outcome, logger)
Ejemplo n.º 23
def get_security_check_detail_handler(event, context):
    """Return the detail of one security check after a Viewer authority check.

    Identifiers and the group filter come from ``event`` through
    ``eventhelper``; the caller's user id is read with the same helper as
    the trace id. ``context`` is not used.

    Returns the value of ``common_utils.response``: built from the
    authority error response when the check yields one, otherwise from the
    result of ``awschecks_logic.get_security_check_detail``.
    """
    trace_id = eventhelper.get_trace_id(event)
    user_id = eventhelper.get_trace_id(event)
    organization_id = eventhelper.get_organization_id(event)
    project_id = eventhelper.get_project_id(event)
    check_history_id = eventhelper.get_check_history_id(event)
    group_filter = eventhelper.get_group_filter(event)

    # Start logging for this invocation.
    logger = common_utils.begin_logger(
        trace_id, __name__, inspect.currentframe())

    # Access authority check; a truthy result is the error response to send.
    denied = checkauthority.authority(
        trace_id, user_id, organization_id, Authority.Viewer)
    if denied:
        return common_utils.response(denied, logger)

    # NOTE(review): the organization is authorized from the request, not
    # from the history record; presumably the logic layer checks that
    # check_history_id belongs to organization_id -- confirm.
    outcome = awschecks_logic.get_security_check_detail(
        trace_id, organization_id, project_id, check_history_id, group_filter)
    return common_utils.response(outcome, logger)
Ejemplo n.º 24
def get_security_check_resource_handler(event, context):
    """Return security-check resources after a Viewer authority check.

    Identifiers come from ``event`` through ``eventhelper``; the caller's
    user id is the trace id. ``context`` is not used.

    Returns the value of ``common_utils.response``: built from the
    authority error response when the check yields one, otherwise from the
    result of ``awschecks_logic.get_security_check_resource``.
    """
    trace_id = eventhelper.get_trace_id(event)
    user_id = trace_id
    organization_id = eventhelper.get_organization_id(event)
    coop_id = eventhelper.get_coop_id(event)
    project_id = eventhelper.get_project_id(event)
    check_item_code = eventhelper.get_check_item_code(event)

    # Start logging for this invocation.
    logger = common_utils.begin_logger(
        trace_id, __name__, inspect.currentframe())

    # Access authority check; a truthy result is the error response to send.
    denied = checkauthority.authority(
        trace_id, user_id, organization_id, Authority.Viewer)
    if denied:
        return common_utils.response(denied, logger)

    outcome = awschecks_logic.get_security_check_resource(
        trace_id, coop_id, project_id, organization_id, check_item_code)
    return common_utils.response(outcome, logger)
def execute_copy_item_setting(trace_id, organization_id_destination,
                              project_id_destination, coop_id_destination,
                              body_object, email, user_id):
    """Copy check-item exclusions and manual assessments between AWS coops.

    The copy source (organization, project and coop ids) is read from the
    ``copy_source`` object of the JSON request body; the destination ids are
    passed in as arguments. Editor authority is checked on the source
    organization and then on the destination organization before any data
    is read or written.

    Args:
        trace_id: Trace id passed to logging and to every helper call.
        organization_id_destination: Organization that receives the copies.
        project_id_destination: Project that receives the copies.
        coop_id_destination: Coop whose AWS account the copies are keyed on.
        body_object: Raw JSON request body containing ``copy_source``.
        email: Passed through to the ``create`` calls.
        user_id: User whose authority is checked; also passed to ``create``.

    Returns:
        The value of ``common_utils.response`` or of a ``common_utils``
        error helper: ERR_REQUEST_202 / 400 for an unparsable body, the
        authority error response when either check yields one, ERR_402 /
        500 when a query raises, ERR_AWS_401 / 422 when a coop lookup is
        empty, ERR_301 / 404 when the source has nothing to copy,
        ERR_DB_403 / 500 when a create raises, otherwise 204 with no body.
    """
    pm_logger = common_utils.begin_logger(trace_id, __name__,
                                          inspect.currentframe())

    # Parse JSON. Any failure here (invalid JSON, missing key, wrong shape)
    # is reported as a bad request.
    try:
        body_object_json = json.loads(body_object)
        organization_id_source = body_object_json['copy_source'][
            'organization_id']
        project_id_source = body_object_json['copy_source']['project_id']
        coop_id_source = body_object_json['copy_source']['coop_id']
    except Exception as e:
        return common_utils.error_exception(MsgConst.ERR_REQUEST_202,
                                            HTTPStatus.BAD_REQUEST, e,
                                            pm_logger, True)

    # Check access authority for the copy-source organization ID.
    response_authority_source = checkauthority.authority(
        trace_id, user_id, organization_id_source, Authority.Editor)
    if response_authority_source:
        return common_utils.response(response_authority_source, pm_logger)

    # Check access authority for the copy-destination organization ID.
    response_authority_destination = checkauthority.authority(
        trace_id, user_id, organization_id_destination, Authority.Editor)
    if response_authority_destination:
        return common_utils.response(response_authority_destination, pm_logger)

    # Validate the resource relationships.
    # Query the AWS account coop table using the copy-source coop ID
    # {coop_id} as the key.
    # NOTE(review): the code below only checks that a record comes back; it
    # does not visibly compare the record's organization/project with the
    # ids that were just authorized. Presumably query_awscoop_coop_key or a
    # caller enforces that -- confirm, for both source and destination coop.
    try:
        awscoops_item_source = pm_awsAccountCoops.query_awscoop_coop_key(
            trace_id, coop_id_source)
    except Exception as e:
        return common_utils.error_exception(MsgConst.ERR_402,
                                            HTTPStatus.INTERNAL_SERVER_ERROR,
                                            e, pm_logger, True)

    # No valid AWS account exists (zero records returned).
    if not awscoops_item_source:
        return common_utils.error_common(MsgConst.ERR_AWS_401,
                                         HTTPStatus.UNPROCESSABLE_ENTITY,
                                         pm_logger)

    # Query the AWS account coop table using the copy-destination coop ID
    # {coopId} as the key.
    try:
        awscoops_item_destination = pm_awsAccountCoops.query_awscoop_coop_key(
            trace_id, coop_id_destination)
    except Exception as e:
        return common_utils.error_exception(MsgConst.ERR_402,
                                            HTTPStatus.INTERNAL_SERVER_ERROR,
                                            e, pm_logger, True)

    # No valid AWS account exists (zero records returned).
    if not awscoops_item_destination:
        return common_utils.error_common(MsgConst.ERR_AWS_401,
                                         HTTPStatus.UNPROCESSABLE_ENTITY,
                                         pm_logger)

    # Fetch the copy-source check-item exclusion records. The lookup key
    # combines the caller-supplied source organization and project ids with
    # the AWS account stored on the source coop record.
    account_refine_code_source = CommonConst.ACCOUNT_REFINE_CODE.format(
        organization_id_source, project_id_source,
        awscoops_item_source['AWSAccount'])
    try:
        exclusion_items_source = pm_exclusionitems.query_filter_account_refine_code(
            trace_id, account_refine_code_source)
    except Exception as e:
        return common_utils.error_exception(MsgConst.ERR_402,
                                            HTTPStatus.INTERNAL_SERVER_ERROR,
                                            e, pm_logger, True)

    # Fetch the copy-source manual assessment records.
    try:
        assessment_items_source = pm_assessmentItems.query_filter_account_refine_code(
            trace_id, account_refine_code_source)
    except Exception as e:
        return common_utils.error_exception(MsgConst.ERR_402,
                                            HTTPStatus.INTERNAL_SERVER_ERROR,
                                            e, pm_logger, True)

    # If neither PM_AssessmentItems nor PM_ExclusionItems returned any
    # records, log an error and return an error response.
    if len(exclusion_items_source) == 0 and len(assessment_items_source) == 0:
        return common_utils.error_common(MsgConst.ERR_301,
                                         HTTPStatus.NOT_FOUND, pm_logger)

    aws_account_destination = awscoops_item_destination['AWSAccount']
    account_refine_code_destination = CommonConst.ACCOUNT_REFINE_CODE.format(
        organization_id_destination, project_id_destination,
        aws_account_destination)
    time_to_live_exclusion_destination = common_utils.get_time_to_live(
        CommonConst.EXCLUSION_EXPIRATION_DATE)

    # Repeat the create once per copy-source exclusion record fetched above.
    # NOTE(review): the caught exception is not passed to the error helper
    # (error_common, unlike the error_exception calls above), and records
    # created before a failure are left in place -- confirm both are intended.
    try:
        for exclusion_item in exclusion_items_source:
            exclusion_item_id_destination = CommonConst.EXCLUSIONITEM_ID.format(
                organization_id_destination, project_id_destination,
                aws_account_destination, exclusion_item['CheckItemCode'])
            pm_exclusionitems.create(
                trace_id, exclusion_item_id_destination,
                organization_id_destination, project_id_destination,
                aws_account_destination, exclusion_item['CheckItemCode'],
                time_to_live_exclusion_destination,
                common_utils.get_value("ExclusionComment", exclusion_item),
                user_id, email, account_refine_code_destination)
    except Exception:
        return common_utils.error_common(MsgConst.ERR_DB_403,
                                         HTTPStatus.INTERNAL_SERVER_ERROR,
                                         pm_logger)

    time_to_live_assessment_destination = common_utils.get_time_to_live(
        CommonConst.ASSESSMENT_EXPIRATION_DATE)

    # Repeat the create once per copy-source manual assessment record
    # fetched above. A failure here happens after the exclusion copies have
    # already been written.
    try:
        for assessment_item in assessment_items_source:
            assessment_item_id_destination = CommonConst.ASSESSMENTITEM_ID.format(
                organization_id_destination, project_id_destination,
                aws_account_destination, assessment_item['CheckItemCode'])
            pm_assessmentItems.create(
                trace_id, assessment_item_id_destination,
                organization_id_destination, project_id_destination,
                aws_account_destination, assessment_item['CheckItemCode'],
                time_to_live_assessment_destination,
                common_utils.get_value("AssessmentComment", assessment_item),
                user_id, email, account_refine_code_destination)
    except Exception:
        return common_utils.error_common(MsgConst.ERR_DB_403,
                                         HTTPStatus.INTERNAL_SERVER_ERROR,
                                         pm_logger)

    # return response data
    response = common_utils.get_response_by_response_body(
        HTTPStatus.NO_CONTENT, None)
    return common_utils.response(response, pm_logger)