def __init__(self, name, definition, amazon, templates=None):
self.name = name
self.definition = definition
self.statements = Statements(name, "bucket", amazon.account_id,
amazon.accounts)
self.amazon = amazon
self.amazon_buckets = AmazonBuckets(amazon)
self.permission = []
class Bucket(object):
def __init__(self, name, definition, amazon, templates=None):
self.name = name
self.definition = definition
self.statements = Statements(name, "bucket", amazon.account_id,
amazon.accounts)
self.amazon = amazon
self.amazon_buckets = AmazonBuckets(amazon)
self.permission = []
def setup(self):
"""Raise errors if the definition doesn't make sense"""
self.tags = self.definition.get("tags", {})
if type(self.tags) != dict or any(
not isinstance(tag_name, six.string_types)
or not isinstance(tag_val, six.string_types)
for tag_name, tag_val in self.tags.items()):
raise SyncrError(
"Bucket tags should be a dictionary of {<string> : <string>}",
got=self.tags)
self.location = self.definition.get("location", "ap-southeast-2")
for key, default_allow in (("permission", None), ("allow_permission",
True),
("deny_permission", False)):
for policy in listified(self.definition, key):
for statement in self.statements.make_permission_statements(
policy, allow=default_allow):
self.permission.append(statement)
def resolve(self):
"""Make sure this user exists and has only what policies we want it to have"""
permission_document = self.make_permission_document(self.permission)
bucket_info = self.amazon_buckets.bucket_info(self.name)
if not bucket_info:
self.amazon_buckets.create_bucket(
self.name,
self.location,
permission_document=permission_document,
tags=self.tags)
else:
self.amazon_buckets.modify_bucket(
self.name,
self.location,
permission_document=permission_document,
tags=self.tags)
def make_permission_document(self, permissions):
"""Return a document for these permissions, or None if no permissiosn"""
if not permissions:
return
return self.statements.make_document(permissions)
def __init__(self, name, definition, amazon, templates=None):
self.name = name
self.templates = templates
self.definition = definition
self.statements = Statements(name, "role", amazon.account_id, amazon.accounts)
self.policy_name = "syncr_policy_{0}".format(self.name.replace("/", "__"))
self.amazon = amazon
self.amazon_roles = AmazonRoles(amazon)
self.trust = []
self.distrust = []
self.permission = []
def __init__(self, name, definition, amazon, templates=None):
self.name = name
self.grant = []
self.amazon = amazon
self.definition = definition
self.statements = Statements(name, "key", amazon.account_id, amazon.accounts, location=self.definition.get("location"))
self.permission = list(self.statements.make_permission_statements({"principal": {"iam": "root"}, "action": "kms:*", "resource": "*", "Sid": ""}, allow=True))
def __init__(self, name, definition, amazon, templates=None):
self.name = name
self.definition = definition
self.statements = Statements(name, "bucket", amazon.account_id, amazon.accounts)
self.amazon = amazon
self.amazon_buckets = AmazonBuckets(amazon)
self.permission = []
def __init__(self, name, definition, amazon, templates=None):
self.name = name
self.grant = []
self.amazon = amazon
self.definition = definition
self.statements = Statements(name,
"key",
amazon.account_id,
amazon.accounts,
location=self.definition.get("location"))
self.permission = list(
self.statements.make_permission_statements(
{
"principal": {
"iam": "root"
},
"action": "kms:*",
"resource": "*",
"Sid": ""
},
allow=True))
class Bucket(object):
def __init__(self, name, definition, amazon, templates=None):
self.name = name
self.definition = definition
self.statements = Statements(name, "bucket", amazon.account_id, amazon.accounts)
self.amazon = amazon
self.amazon_buckets = AmazonBuckets(amazon)
self.permission = []
def setup(self):
"""Raise errors if the definition doesn't make sense"""
self.tags = self.definition.get("tags", {})
if type(self.tags) != dict or any(not isinstance(tag_name, six.string_types) or not isinstance(tag_val, six.string_types) for tag_name, tag_val in self.tags.items()):
raise SyncrError("Bucket tags should be a dictionary of {<string> : <string>}", got=self.tags)
self.location = self.definition.get("location", "ap-southeast-2")
for key, default_allow in (("permission", None), ("allow_permission", True), ("deny_permission", False)):
for policy in listified(self.definition, key):
for statement in self.statements.make_permission_statements(policy, allow=default_allow):
self.permission.append(statement)
def resolve(self):
"""Make sure this user exists and has only what policies we want it to have"""
permission_document = self.make_permission_document(self.permission)
bucket_info = self.amazon_buckets.bucket_info(self.name)
if not bucket_info:
self.amazon_buckets.create_bucket(self.name, self.location, permission_document=permission_document, tags=self.tags)
else:
self.amazon_buckets.modify_bucket(self.name, self.location, permission_document=permission_document, tags=self.tags)
def make_permission_document(self, permissions):
"""Return a document for these permissions, or None if no permissiosn"""
if not permissions:
return
return self.statements.make_document(permissions)
class Kms(object):
def __init__(self, name, definition, amazon, templates=None):
self.name = name
self.grant = []
self.amazon = amazon
self.definition = definition
self.statements = Statements(name,
"key",
amazon.account_id,
amazon.accounts,
location=self.definition.get("location"))
self.permission = list(
self.statements.make_permission_statements(
{
"principal": {
"iam": "root"
},
"action": "kms:*",
"resource": "*",
"Sid": ""
},
allow=True))
def setup(self):
"""Raise errors if the definition doesn't make sense"""
self.location = self.definition.get("location")
self.description = self.definition.get("description")
self.connection = self.amazon.kms_connection_for(self.location)
if not self.description:
raise BadPolicy("Please define a description", key=self.name)
if "admin_users" in self.definition:
policy = {
"principal": self.definition["admin_users"],
"action": "kms:*",
"resource": {
"kms": "__self__"
},
"Sid": ""
}
for statement in self.statements.make_permission_statements(
policy, allow=True):
self.permission.append(statement)
for key, default_allow in (("permission", None), ("allow_permission",
True),
("deny_permission", False)):
for policy in listified(self.definition, key):
for statement in self.statements.make_permission_statements(
policy, allow=default_allow):
self.permission.append(statement)
for policy in listified(self.definition, "grant"):
if not isinstance(policy, dict):
raise BadPolicy(
"Grant must be a dictionary of atleast {grantee, operations}",
got=policy,
key=self.name)
if "grantee" not in policy and "operations" not in policy:
raise BadPolicy(
"Grant must be a dictionary of atleast {grantee, operations}",
got=list(policy.keys()),
key=self.name)
policy['grantee'] = list(
self.statements.iam_arns_from_specification(policy['grantee']))
if 'retiree' in policy:
policy['retiree'] = list(
self.statements.iam_arns_from_specification(
policy['retiree']))
for thing in ('grantee', 'retiree'):
if thing in policy:
if len(policy[thing]) > 1:
raise BadPolicy("Can only have one {0}".format(thing),
got=len(policy[thing]),
key=self.name)
policy[thing] = policy[thing][0]
self.grant.append(policy)
def resolve(self):
"""Make sure this key exists and has only what policies we want it to have"""
permission_document = self.make_permission_document(self.permission)
amazon_keys = AmazonKms(self.amazon, self.connection)
key_info = amazon_keys.key_info(self.name)
if not key_info:
amazon_keys.create_key(self.name,
self.description,
permission_document=permission_document)
else:
amazon_keys.modify_key(self.name,
self.description,
permission_document=permission_document)
amazon_keys.modify_grant(self.name, self.description, grant=self.grant)
def make_permission_document(self, permissions):
"""Return a document for these permissions, or None if no permissiosn"""
if not permissions:
return
return self.statements.make_document(permissions)
class Kms(object):
def __init__(self, name, definition, amazon, templates=None):
self.name = name
self.grant = []
self.amazon = amazon
self.definition = definition
self.statements = Statements(name, "key", amazon.account_id, amazon.accounts, location=self.definition.get("location"))
self.permission = list(self.statements.make_permission_statements({"principal": {"iam": "root"}, "action": "kms:*", "resource": "*", "Sid": ""}, allow=True))
def setup(self):
"""Raise errors if the definition doesn't make sense"""
self.location = self.definition.get("location")
self.description = self.definition.get("description")
self.connection = self.amazon.kms_connection_for(self.location)
if not self.description:
raise BadPolicy("Please define a description", key=self.name)
if "admin_users" in self.definition:
policy = {"principal": self.definition["admin_users"], "action": "kms:*", "resource": { "kms": "__self__" }, "Sid": ""}
for statement in self.statements.make_permission_statements(policy, allow=True):
self.permission.append(statement)
for key, default_allow in (("permission", None), ("allow_permission", True), ("deny_permission", False)):
for policy in listified(self.definition, key):
for statement in self.statements.make_permission_statements(policy, allow=default_allow):
self.permission.append(statement)
for policy in listified(self.definition, "grant"):
if not isinstance(policy, dict):
raise BadPolicy("Grant must be a dictionary of atleast {grantee, operations}", got=policy, key=self.name)
if "grantee" not in policy and "operations" not in policy:
raise BadPolicy("Grant must be a dictionary of atleast {grantee, operations}", got=list(policy.keys()), key=self.name)
policy['grantee'] = list(self.statements.iam_arns_from_specification(policy['grantee']))
if 'retiree' in policy:
policy['retiree'] = list(self.statements.iam_arns_from_specification(policy['retiree']))
for thing in ('grantee', 'retiree'):
if thing in policy:
if len(policy[thing]) > 1:
raise BadPolicy("Can only have one {0}".format(thing), got=len(policy[thing]), key=self.name)
policy[thing] = policy[thing][0]
self.grant.append(policy)
def resolve(self):
"""Make sure this key exists and has only what policies we want it to have"""
permission_document = self.make_permission_document(self.permission)
amazon_keys = AmazonKms(self.amazon, self.connection)
key_info = amazon_keys.key_info(self.name)
if not key_info:
amazon_keys.create_key(self.name, self.description, permission_document=permission_document)
else:
amazon_keys.modify_key(self.name, self.description, permission_document=permission_document)
amazon_keys.modify_grant(self.name, self.description, grant=self.grant)
def make_permission_document(self, permissions):
"""Return a document for these permissions, or None if no permissiosn"""
if not permissions:
return
return self.statements.make_document(permissions)
class Role(object):
def __init__(self, name, definition, amazon, templates=None):
self.name = name
self.templates = templates
self.definition = definition
self.statements = Statements(name, "role", amazon.account_id, amazon.accounts)
self.policy_name = "syncr_policy_{0}".format(self.name.replace("/", "__"))
self.amazon = amazon
self.amazon_roles = AmazonRoles(amazon)
self.trust = []
self.distrust = []
self.permission = []
def setup(self):
"""Raise errors if the definition doesn't make sense"""
if "use" in self.definition:
template = self.definition["use"]
if not self.templates:
raise NoTemplates(name=self.name, looking_for_template=template, available=self.templates.keys())
if template not in self.templates:
raise CantFindTemplate(name=self.name, looking_for_template=template, available=self.templates.keys())
self.definition = MergedOptions.using(self.templates[template], self.definition)
self.description = self.definition.get("description", "No description provided!")
for statement in listified(self.definition, "allow_to_assume_me"):
self.trust.extend(self.statements.expand_trust_statement(statement, allow=True))
for statement in listified(self.definition, "disallow_to_assume_me"):
self.distrust.extend(self.statements.expand_trust_statement(statement, allow=False))
for key, default_allow in (("permission", None), ("allow_permission", True), ("deny_permission", False)):
for policy in listified(self.definition, key):
for statement in self.statements.make_permission_statements(policy, allow=default_allow):
self.permission.append(statement)
def resolve(self):
"""Make sure this user exists and has only what policies we want it to have"""
# Get the permission and trust document
# Make sure they're both valid before continuing
trust_document = self.make_trust_document(self.trust, self.distrust)
permission_document = self.make_permission_document(self.permission)
role_info = self.amazon_roles.role_info(self.name)
if not role_info:
self.amazon_roles.create_role(self.name, trust_document, policies={self.policy_name: permission_document})
else:
self.amazon_roles.modify_role(role_info, self.name, trust_document, policies={self.policy_name: permission_document})
if self.definition.get("make_instance_profile"):
self.amazon_roles.make_instance_profile(self.name)
def make_trust_document(self, trust, distrust):
"""Make a document for trust or None if no trust or distrust"""
if not trust and not distrust:
return
return self.statements.make_document((trust or []) + (distrust or []))
def make_permission_document(self, permissions):
"""Return a document for these permissions, or None if no permissiosn"""
if not permissions:
return
return self.statements.make_document(permissions)