Example #1
0
    def __init__(self, name, definition, amazon, templates=None):
        self.name = name
        self.definition = definition
        self.statements = Statements(name, "bucket", amazon.account_id,
                                     amazon.accounts)

        self.amazon = amazon
        self.amazon_buckets = AmazonBuckets(amazon)

        self.permission = []
Example #2
0
class Bucket(object):
    def __init__(self, name, definition, amazon, templates=None):
        self.name = name
        self.definition = definition
        self.statements = Statements(name, "bucket", amazon.account_id,
                                     amazon.accounts)

        self.amazon = amazon
        self.amazon_buckets = AmazonBuckets(amazon)

        self.permission = []

    def setup(self):
        """Raise errors if the definition doesn't make sense"""
        self.tags = self.definition.get("tags", {})
        if type(self.tags) != dict or any(
                not isinstance(tag_name, six.string_types)
                or not isinstance(tag_val, six.string_types)
                for tag_name, tag_val in self.tags.items()):
            raise SyncrError(
                "Bucket tags should be a dictionary of {<string> : <string>}",
                got=self.tags)

        self.location = self.definition.get("location", "ap-southeast-2")
        for key, default_allow in (("permission", None), ("allow_permission",
                                                          True),
                                   ("deny_permission", False)):
            for policy in listified(self.definition, key):
                for statement in self.statements.make_permission_statements(
                        policy, allow=default_allow):
                    self.permission.append(statement)

    def resolve(self):
        """Make sure this user exists and has only what policies we want it to have"""
        permission_document = self.make_permission_document(self.permission)

        bucket_info = self.amazon_buckets.bucket_info(self.name)
        if not bucket_info:
            self.amazon_buckets.create_bucket(
                self.name,
                self.location,
                permission_document=permission_document,
                tags=self.tags)
        else:
            self.amazon_buckets.modify_bucket(
                self.name,
                self.location,
                permission_document=permission_document,
                tags=self.tags)

    def make_permission_document(self, permissions):
        """Return a document for these permissions, or None if no permissiosn"""
        if not permissions:
            return
        return self.statements.make_document(permissions)
Example #3
0
    def __init__(self, name, definition, amazon, templates=None):
        self.name = name
        self.templates = templates
        self.definition = definition
        self.statements = Statements(name, "role", amazon.account_id, amazon.accounts)
        self.policy_name = "syncr_policy_{0}".format(self.name.replace("/", "__"))

        self.amazon = amazon
        self.amazon_roles = AmazonRoles(amazon)

        self.trust = []
        self.distrust = []
        self.permission = []
Example #4
0
 def __init__(self, name, definition, amazon, templates=None):
     self.name = name
     self.grant = []
     self.amazon = amazon
     self.definition = definition
     self.statements = Statements(name, "key", amazon.account_id, amazon.accounts, location=self.definition.get("location"))
     self.permission = list(self.statements.make_permission_statements({"principal": {"iam": "root"}, "action": "kms:*", "resource": "*", "Sid": ""}, allow=True))
Example #5
0
    def __init__(self, name, definition, amazon, templates=None):
        self.name = name
        self.definition = definition
        self.statements = Statements(name, "bucket", amazon.account_id, amazon.accounts)

        self.amazon = amazon
        self.amazon_buckets = AmazonBuckets(amazon)

        self.permission = []
Example #6
0
 def __init__(self, name, definition, amazon, templates=None):
     self.name = name
     self.grant = []
     self.amazon = amazon
     self.definition = definition
     self.statements = Statements(name,
                                  "key",
                                  amazon.account_id,
                                  amazon.accounts,
                                  location=self.definition.get("location"))
     self.permission = list(
         self.statements.make_permission_statements(
             {
                 "principal": {
                     "iam": "root"
                 },
                 "action": "kms:*",
                 "resource": "*",
                 "Sid": ""
             },
             allow=True))
Example #7
0
class Bucket(object):
    def __init__(self, name, definition, amazon, templates=None):
        self.name = name
        self.definition = definition
        self.statements = Statements(name, "bucket", amazon.account_id, amazon.accounts)

        self.amazon = amazon
        self.amazon_buckets = AmazonBuckets(amazon)

        self.permission = []

    def setup(self):
        """Raise errors if the definition doesn't make sense"""
        self.tags = self.definition.get("tags", {})
        if type(self.tags) != dict or any(not isinstance(tag_name, six.string_types) or not isinstance(tag_val, six.string_types) for tag_name, tag_val in self.tags.items()):
            raise SyncrError("Bucket tags should be a dictionary of {<string> : <string>}", got=self.tags)

        self.location = self.definition.get("location", "ap-southeast-2")
        for key, default_allow in (("permission", None), ("allow_permission", True), ("deny_permission", False)):
            for policy in listified(self.definition, key):
                for statement in self.statements.make_permission_statements(policy, allow=default_allow):
                    self.permission.append(statement)

    def resolve(self):
        """Make sure this user exists and has only what policies we want it to have"""
        permission_document = self.make_permission_document(self.permission)

        bucket_info = self.amazon_buckets.bucket_info(self.name)
        if not bucket_info:
            self.amazon_buckets.create_bucket(self.name, self.location, permission_document=permission_document, tags=self.tags)
        else:
            self.amazon_buckets.modify_bucket(self.name, self.location, permission_document=permission_document, tags=self.tags)

    def make_permission_document(self, permissions):
        """Return a document for these permissions, or None if no permissiosn"""
        if not permissions:
            return
        return self.statements.make_document(permissions)
Example #8
0
class Kms(object):
    def __init__(self, name, definition, amazon, templates=None):
        self.name = name
        self.grant = []
        self.amazon = amazon
        self.definition = definition
        self.statements = Statements(name,
                                     "key",
                                     amazon.account_id,
                                     amazon.accounts,
                                     location=self.definition.get("location"))
        self.permission = list(
            self.statements.make_permission_statements(
                {
                    "principal": {
                        "iam": "root"
                    },
                    "action": "kms:*",
                    "resource": "*",
                    "Sid": ""
                },
                allow=True))

    def setup(self):
        """Raise errors if the definition doesn't make sense"""
        self.location = self.definition.get("location")
        self.description = self.definition.get("description")

        self.connection = self.amazon.kms_connection_for(self.location)
        if not self.description:
            raise BadPolicy("Please define a description", key=self.name)

        if "admin_users" in self.definition:
            policy = {
                "principal": self.definition["admin_users"],
                "action": "kms:*",
                "resource": {
                    "kms": "__self__"
                },
                "Sid": ""
            }
            for statement in self.statements.make_permission_statements(
                    policy, allow=True):
                self.permission.append(statement)

        for key, default_allow in (("permission", None), ("allow_permission",
                                                          True),
                                   ("deny_permission", False)):
            for policy in listified(self.definition, key):
                for statement in self.statements.make_permission_statements(
                        policy, allow=default_allow):
                    self.permission.append(statement)

        for policy in listified(self.definition, "grant"):
            if not isinstance(policy, dict):
                raise BadPolicy(
                    "Grant must be a dictionary of atleast {grantee, operations}",
                    got=policy,
                    key=self.name)

            if "grantee" not in policy and "operations" not in policy:
                raise BadPolicy(
                    "Grant must be a dictionary of atleast {grantee, operations}",
                    got=list(policy.keys()),
                    key=self.name)

            policy['grantee'] = list(
                self.statements.iam_arns_from_specification(policy['grantee']))
            if 'retiree' in policy:
                policy['retiree'] = list(
                    self.statements.iam_arns_from_specification(
                        policy['retiree']))

            for thing in ('grantee', 'retiree'):
                if thing in policy:
                    if len(policy[thing]) > 1:
                        raise BadPolicy("Can only have one {0}".format(thing),
                                        got=len(policy[thing]),
                                        key=self.name)
                    policy[thing] = policy[thing][0]

            self.grant.append(policy)

    def resolve(self):
        """Make sure this key exists and has only what policies we want it to have"""
        permission_document = self.make_permission_document(self.permission)

        amazon_keys = AmazonKms(self.amazon, self.connection)
        key_info = amazon_keys.key_info(self.name)
        if not key_info:
            amazon_keys.create_key(self.name,
                                   self.description,
                                   permission_document=permission_document)
        else:
            amazon_keys.modify_key(self.name,
                                   self.description,
                                   permission_document=permission_document)

        amazon_keys.modify_grant(self.name, self.description, grant=self.grant)

    def make_permission_document(self, permissions):
        """Return a document for these permissions, or None if no permissiosn"""
        if not permissions:
            return
        return self.statements.make_document(permissions)
Example #9
0
class Kms(object):
    def __init__(self, name, definition, amazon, templates=None):
        self.name = name
        self.grant = []
        self.amazon = amazon
        self.definition = definition
        self.statements = Statements(name, "key", amazon.account_id, amazon.accounts, location=self.definition.get("location"))
        self.permission = list(self.statements.make_permission_statements({"principal": {"iam": "root"}, "action": "kms:*", "resource": "*", "Sid": ""}, allow=True))

    def setup(self):
        """Raise errors if the definition doesn't make sense"""
        self.location = self.definition.get("location")
        self.description = self.definition.get("description")

        self.connection = self.amazon.kms_connection_for(self.location)
        if not self.description:
            raise BadPolicy("Please define a description", key=self.name)

        if "admin_users" in self.definition:
            policy = {"principal": self.definition["admin_users"], "action": "kms:*", "resource": { "kms": "__self__" }, "Sid": ""}
            for statement in self.statements.make_permission_statements(policy, allow=True):
                self.permission.append(statement)

        for key, default_allow in (("permission", None), ("allow_permission", True), ("deny_permission", False)):
            for policy in listified(self.definition, key):
                for statement in self.statements.make_permission_statements(policy, allow=default_allow):
                    self.permission.append(statement)

        for policy in listified(self.definition, "grant"):
            if not isinstance(policy, dict):
                raise BadPolicy("Grant must be a dictionary of atleast {grantee, operations}", got=policy, key=self.name)

            if "grantee" not in policy and "operations" not in policy:
                raise BadPolicy("Grant must be a dictionary of atleast {grantee, operations}", got=list(policy.keys()), key=self.name)

            policy['grantee'] = list(self.statements.iam_arns_from_specification(policy['grantee']))
            if 'retiree' in policy:
                policy['retiree'] = list(self.statements.iam_arns_from_specification(policy['retiree']))

            for thing in ('grantee', 'retiree'):
                if thing in policy:
                    if len(policy[thing]) > 1:
                        raise BadPolicy("Can only have one {0}".format(thing), got=len(policy[thing]), key=self.name)
                    policy[thing] = policy[thing][0]

            self.grant.append(policy)

    def resolve(self):
        """Make sure this key exists and has only what policies we want it to have"""
        permission_document = self.make_permission_document(self.permission)

        amazon_keys = AmazonKms(self.amazon, self.connection)
        key_info = amazon_keys.key_info(self.name)
        if not key_info:
            amazon_keys.create_key(self.name, self.description, permission_document=permission_document)
        else:
            amazon_keys.modify_key(self.name, self.description, permission_document=permission_document)

        amazon_keys.modify_grant(self.name, self.description, grant=self.grant)

    def make_permission_document(self, permissions):
        """Return a document for these permissions, or None if no permissiosn"""
        if not permissions:
            return
        return self.statements.make_document(permissions)
Example #10
0
class Role(object):
    def __init__(self, name, definition, amazon, templates=None):
        self.name = name
        self.templates = templates
        self.definition = definition
        self.statements = Statements(name, "role", amazon.account_id, amazon.accounts)
        self.policy_name = "syncr_policy_{0}".format(self.name.replace("/", "__"))

        self.amazon = amazon
        self.amazon_roles = AmazonRoles(amazon)

        self.trust = []
        self.distrust = []
        self.permission = []

    def setup(self):
        """Raise errors if the definition doesn't make sense"""
        if "use" in self.definition:
            template = self.definition["use"]
            if not self.templates:
                raise NoTemplates(name=self.name, looking_for_template=template, available=self.templates.keys())

            if template not in self.templates:
                raise CantFindTemplate(name=self.name, looking_for_template=template, available=self.templates.keys())

            self.definition = MergedOptions.using(self.templates[template], self.definition)

        self.description = self.definition.get("description", "No description provided!")

        for statement in listified(self.definition, "allow_to_assume_me"):
            self.trust.extend(self.statements.expand_trust_statement(statement, allow=True))

        for statement in listified(self.definition, "disallow_to_assume_me"):
            self.distrust.extend(self.statements.expand_trust_statement(statement, allow=False))

        for key, default_allow in (("permission", None), ("allow_permission", True), ("deny_permission", False)):
            for policy in listified(self.definition, key):
                for statement in self.statements.make_permission_statements(policy, allow=default_allow):
                    self.permission.append(statement)

    def resolve(self):
        """Make sure this user exists and has only what policies we want it to have"""
        # Get the permission and trust document
        # Make sure they're both valid before continuing
        trust_document = self.make_trust_document(self.trust, self.distrust)
        permission_document = self.make_permission_document(self.permission)

        role_info = self.amazon_roles.role_info(self.name)
        if not role_info:
            self.amazon_roles.create_role(self.name, trust_document, policies={self.policy_name: permission_document})
        else:
            self.amazon_roles.modify_role(role_info, self.name, trust_document, policies={self.policy_name: permission_document})

        if self.definition.get("make_instance_profile"):
            self.amazon_roles.make_instance_profile(self.name)

    def make_trust_document(self, trust, distrust):
        """Make a document for trust or None if no trust or distrust"""
        if not trust and not distrust:
            return

        return self.statements.make_document((trust or []) + (distrust or []))

    def make_permission_document(self, permissions):
        """Return a document for these permissions, or None if no permissiosn"""
        if not permissions:
            return
        return self.statements.make_document(permissions)