def get_s3_role(self, repo_id): token = self.get_auth_token() request = self.http.request("POST", self.integrations_api_url, body=json.dumps({"repoId": repo_id}), headers={ "Authorization": token, "Content-Type": "application/json" }) if request.status == 403: raise BridgecrewAuthError() response = json.loads(request.data.decode("utf8")) while ('Message' in response or 'message' in response): if 'Message' in response and response[ 'Message'] == UNAUTHORIZED_MESSAGE: raise BridgecrewAuthError() if 'message' in response and "cannot be found" in response[ 'message']: self.loading_output("creating role") request = self.http.request( "POST", self.integrations_api_url, body=json.dumps({"repoId": repo_id}), headers={ "Authorization": token, "Content-Type": "application/json" }) response = json.loads(request.data.decode("utf8")) repo_full_path = response["path"] return repo_full_path, response
def setup_bridgecrew_credentials(self, bc_api_key, repo_id): """ Setup credentials against Bridgecrew's platform. :param repo_id: Identity string of the scanned repository, of the form <repo_owner>/<repo_name> :param bc_api_key: Bridgecrew issued API key """ self.bc_api_key = bc_api_key self.repo_id = repo_id try: request = http.request("POST", self.integrations_api_url, body=json.dumps({"repoId": repo_id}), headers={"Authorization": bc_api_key, "Content-Type": "application/json"}) response = json.loads(request.data.decode("utf8")) if 'Message' in response: if response['Message'] == UNAUTHORIZED_MESSAGE: raise BridgecrewAuthError() repo_full_path = response["path"] self.bucket, self.repo_path = repo_full_path.split("/", 1) self.timestamp = self.repo_path.split("/")[-1] self.credentials = response["creds"] self.s3_client = boto3.client("s3", aws_access_key_id=self.credentials["AccessKeyId"], aws_secret_access_key=self.credentials["SecretAccessKey"], aws_session_token=self.credentials["SessionToken"], region_name=DEFAULT_REGION ) sleep(10) # Wait for the policy to update except HTTPError as e: logging.error(f"Failed to get customer assumed role\n{e}") raise e except ClientError as e: logging.error(f"Failed to initiate client with credentials {self.credentials}\n{e}") raise e except JSONDecodeError as e: logging.error(f"Response of {self.integrations_api_url} is not a valid JSON\n{e}") raise e
def get_auth_token(self) -> str: if self.is_bc_token(self.bc_api_key): return self.bc_api_key # This is a Prisma Cloud token if not self.prisma_url: raise ValueError( "Got a prisma token, but the env variable PRISMA_API_URL is not set" ) elif '::' not in self.bc_api_key: raise ValueError( "PRISMA_API_URL was set, but the API key does not appear to be a valid Prisma API key " "(must be in format key::secret)") username, password = self.bc_api_key.split('::') request = self.http.request( "POST", f"{self.prisma_url}/login", body=json.dumps({ "username": username, "password": password }), headers={"Content-Type": "application/json"}) if request.status == 401: raise BridgecrewAuthError() token = json.loads(request.data.decode("utf8"))['token'] return token
def get_auth_token(self) -> str: if self.is_bc_token(self.bc_api_key): return self.bc_api_key # A Prisma Cloud Access Key was specified as the Bridgecrew token. if not self.prisma_api_url: raise ValueError( "A Prisma Cloud token was set, but no Prisma Cloud API URL was set" ) if '::' not in self.bc_api_key: raise ValueError( "A Prisma Cloud token was set, but the token is not in the correct format: <access_key_id>::<secret_key>" ) username, password = self.bc_api_key.split('::') request = self.http.request("POST", f"{self.prisma_api_url}/login", body=json.dumps({ "username": username, "password": password }), headers=merge_dicts( {"Content-Type": "application/json"}, get_user_agent_header())) if request.status == 401: raise BridgecrewAuthError() token = json.loads(request.data.decode("utf8"))['token'] return token
def get_s3_role(self, repo_id): token = self.get_auth_token() request = self.http.request("POST", self.integrations_api_url, body=json.dumps({"repoId": repo_id}), headers=merge_dicts( { "Authorization": token, "Content-Type": "application/json" }, get_user_agent_header())) if request.status == 403: raise BridgecrewAuthError() response = json.loads(request.data.decode("utf8")) while ('Message' in response or 'message' in response): if 'Message' in response and response[ 'Message'] == UNAUTHORIZED_MESSAGE: raise BridgecrewAuthError() if 'message' in response and ASSUME_ROLE_UNUATHORIZED_MESSAGE in response[ 'message']: raise BridgecrewAuthError( "Checkov got an unexpected authorization error that may not be due to your credentials. Please contact support." ) if 'message' in response and "cannot be found" in response[ 'message']: self.loading_output("creating role") request = self.http.request( "POST", self.integrations_api_url, body=json.dumps({"repoId": repo_id}), headers=merge_dicts( { "Authorization": token, "Content-Type": "application/json" }, get_user_agent_header())) response = json.loads(request.data.decode("utf8")) repo_full_path = response["path"] return repo_full_path, response