async def can_move_back_to_pending(request, current_user, groups): if request.get("status") in ["cancelled", "rejected"]: # Don't allow returning requests to pending state if more than a day has passed since the last update if request.get("last_updated", 0) < int(time.time()) - 86400: return False # Allow admins to return requests back to pending state if can_admin_policies(current_user, groups): return True return False
async def get(self): admin_bypass_approval_enabled: bool = can_admin_policies( self.user, self.groups) self_service_iam_config: dict = config.get("self_service_iam") self.write({ "admin_bypass_approval_enabled": admin_bypass_approval_enabled, **self_service_iam_config, })
async def can_update_cancel_requests_v2(requester_username, user, groups): # Users can update their own requests can_update = user == requester_username # Allow admins to update / cancel requests if not can_update: if can_admin_policies(user, groups): return True return can_update
async def can_update_requests(request, user, groups): # Users can update their own requests can_update = user in request["username"] # Allow admins to return requests back to pending state if not can_update: if can_admin_policies(user, groups): return True return can_update
async def can_move_back_to_pending_v2(extended_request: ExtendedRequestModel, last_updated, current_user, groups): if extended_request.request_status in [ RequestStatus.cancelled, RequestStatus.rejected, ]: # Don't allow returning requests to pending state if more than a day has passed since the last update if last_updated < int(time.time()) - 86400: return False # Allow admins to return requests back to pending state if can_admin_policies(current_user, groups): return True return False
async def get(self): admin_bypass_approval_enabled: bool = can_admin_policies( self.user, self.groups) export_to_terraform_enabled: bool = config.get( "export_to_terraform_enabled", False) self_service_iam_config: dict = config.get("self_service_iam", SELF_SERVICE_IAM_DEFAULTS) self.write({ "admin_bypass_approval_enabled": admin_bypass_approval_enabled, "export_to_terraform_enabled": export_to_terraform_enabled, **self_service_iam_config, })
async def get(self): admin_bypass_approval_enabled: bool = can_admin_policies( self.user, self.groups) export_to_terraform_enabled: bool = config.get( "export_to_terraform_enabled", False) self_service_iam_config: dict = config.get("self_service_iam", SELF_SERVICE_IAM_DEFAULTS) # Help message can be configured with Markdown for link handling help_message: str = config.get("self_service_iam_help_message") self.write({ "admin_bypass_approval_enabled": admin_bypass_approval_enabled, "export_to_terraform_enabled": export_to_terraform_enabled, "help_message": help_message, **self_service_iam_config, })
async def get(self): """ Provide information about site configuration for the frontend :return: """ is_contractor = config.config_plugin().is_contractor(self.user) site_config = { "consoleme_logo": await get_random_security_logo(), "google_tracking_uri": config.get("google_analytics.tracking_url"), "documentation_url": config.get("documentation_page"), "support_contact": config.get("support_contact"), "support_chat_url": config.get("support_chat_url"), "security_logo": config.get("security_logo.image"), "security_url": config.get("security_logo.url"), } user_profile = { "site_config": site_config, "user": self.user, "can_logout": config.get("auth.set_auth_cookie"), "is_contractor": is_contractor, "employee_photo_url": config.config_plugin().get_employee_photo_url(self.user), "employee_info_url": config.config_plugin().get_employee_info_url(self.user), "authorization": { "can_edit_policies": can_admin_policies(self.user, self.groups), "can_create_roles": can_create_roles(self.user, self.groups), "can_delete_roles": can_delete_roles(self.user, self.groups), }, "pages": { "header": { "custom_header_message_title": config.get("headers.custom_header_message.title", ""), "custom_header_message_text": config.get("headers.custom_header_message.text", ""), }, "groups": { "enabled": config.get("headers.group_access.enabled", False) }, "users": { "enabled": config.get("headers.group_access.enabled", False) }, "policies": { "enabled": config.get("headers.policies.enabled", True) and not is_contractor }, "self_service": { "enabled": config.get("enable_self_service", True) and not is_contractor }, "api_health": { "enabled": is_in_group( self.user, self.groups, config.get("groups.can_edit_health_alert", []), ) }, "audit": { "enabled": is_in_group(self.user, self.groups, config.get("groups.can_audit", [])) }, "config": { "enabled": can_edit_dynamic_config(self.user, self.groups) }, }, "accounts": await get_account_id_to_name_mapping(), } self.set_header("Content-Type", "application/json") self.write(user_profile)
async def get(self, account_id, resource_type, region=None, resource_name=None): if not self.user: return if config.get("policy_editor.disallow_contractors", True) and self.contractor: if self.user not in config.get( "groups.can_bypass_contractor_restrictions", [] ): raise MustBeFte("Only FTEs are authorized to view this page.") read_only = False can_save_delete = (can_admin_policies(self.user, self.groups),) account_id_for_arn: str = account_id if resource_type == "s3": account_id_for_arn = "" arn = f"arn:aws:{resource_type}:{region or ''}:{account_id_for_arn}:{resource_name}" stats.count( "ResourcePolicyEditHandler.get", tags={"user": self.user, "arn": arn} ) log_data = { "user": self.user, "ip": self.ip, "function": f"{__name__}.{self.__class__.__name__}.{sys._getframe().f_code.co_name}", "message": "Incoming request", "user-agent": self.request.headers.get("User-Agent"), "request_id": self.request_uuid, "arn": arn, } log.debug(log_data) resource_details = await fetch_resource_details( account_id, resource_type, resource_name, region ) # TODO: Get S3 errors for s3 buckets only, else CT errors yesterday = (datetime.today() - timedelta(days=1)).strftime("%Y%m%d") s3_query_url = None if resource_type == "s3": s3_query_url = config.get("s3.bucket_query_url") all_s3_errors = None if s3_query_url: s3_query_url = s3_query_url.format( yesterday=yesterday, bucket_name=f"'{resource_name}'" ) s3_error_topic = config.get("redis.s3_errors", "S3_ERRORS") all_s3_errors = self.red.get(s3_error_topic) s3_errors = [] if all_s3_errors: s3_errors = json.loads(all_s3_errors).get(arn, []) account_ids_to_name = await get_account_id_to_name_mapping() # TODO(ccastrapel/psanders): Make a Swagger spec for this self.write( dict( arn=arn, resource_details=resource_details, account_id=account_id, account_name=account_ids_to_name.get(account_id, None), read_only=read_only, can_save_delete=can_save_delete, s3_errors=s3_errors, error_url=s3_query_url, ) )
async def post(self): """ POST /api/v2/request Request example JSON: (Request Schema is RequestCreationModel in models.py) { "changes": { "changes": [ { "principal_arn": "arn:aws:iam::123456789012:role/curtisTestRole1", "change_type": "inline_policy", "action": "attach", "policy": { "policy_document": { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:ListMultipartUploadParts*", "s3:ListBucket" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::curtis-nflx-test/*", "arn:aws:s3:::curtis-nflx-test" ], "Sid": "cmccastrapel159494014dsd1shak" }, { "Action": [ "ec2:describevolumes", "ec2:detachvolume", "ec2:describelicenses", "ec2:AssignIpv6Addresses", "ec2:reportinstancestatus" ], "Effect": "Allow", "Resource": [ "*" ], "Sid": "cmccastrapel1594940141hlvvv" }, { "Action": [ "sts:AssumeRole" ], "Effect": "Allow", "Resource": [ "arn:aws:iam::123456789012:role/curtisTestInstanceProfile" ], "Sid": "cmccastrapel1596483596easdits" } ] } } }, { "principal_arn": "arn:aws:iam::123456789012:role/curtisTestRole1", "change_type": "assume_role_policy", "policy": { "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:role/consolemeInstanceProfile" }, "Sid": "AllowConsoleMeProdAssumeRolses" } ], "Version": "2012-10-17" } } }, { "principal_arn": "arn:aws:iam::123456789012:role/curtisTestRole1", "change_type": "managed_policy", "policy_name": "ApiProtect", "action": "attach", "arn": "arn:aws:iam::123456789012:policy/ApiProtect" }, { "principal_arn": "arn:aws:iam::123456789012:role/curtisTestRole1", "change_type": "managed_policy", "policy_name": "TagProtect", "action": "detach", "arn": "arn:aws:iam::123456789012:policy/TagProtect" }, { "principal_arn": "arn:aws:iam::123456789012:role/curtisTestRole1", "change_type": "inline_policy", "policy_name": "random_policy254", "action": "attach", "policy": { "policy_document": { "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:AssignIpv6Addresses" ], "Effect": "Allow", "Resource": [ "*" ], "Sid": "cmccastrapel1594940141shakabcd" } ] } } } ] }, "justification": "testing this out.", "admin_auto_approve": false } Response example JSON: (Response Schema is RequestCreationResponse in models.py) { "errors": 1, "request_created": true, "request_id": "0c9fb298-c8ea-4d50-917c-3212da07b3ad", "action_results": [ { "status": "success", "message": "Success description" }, { "status": "error", "message": "Error description" } ] } """ if config.get("policy_editor.disallow_contractors", True) and self.contractor: if self.user not in config.get( "groups.can_bypass_contractor_restrictions", []): raise MustBeFte("Only FTEs are authorized to view this page.") tags = {"user": self.user} stats.count("RequestHandler.post", tags=tags) log_data = { "function": f"{__name__}.{self.__class__.__name__}.{sys._getframe().f_code.co_name}", "user": self.user, "message": "Create request initialization", "user-agent": self.request.headers.get("User-Agent"), "request_id": self.request_uuid, "ip": self.ip, "admin_auto_approved": False, "probe_auto_approved": False, } log.debug(log_data) try: # Validate the model changes = RequestCreationModel.parse_raw(self.request.body) extended_request = await generate_request_from_change_model_array( changes, self.user) log_data["request"] = extended_request.dict() log.debug(log_data) admin_approved = False approval_probe_approved = False # TODO: Provide a note to the requester that admin_auto_approve will apply the requested policies only. # It will not automatically apply generated policies. The administrative user will need to visit the policy # Request page to do this manually. if changes.admin_auto_approve: # make sure user is allowed to use admin_auto_approve can_manage_policy_request = (can_admin_policies( self.user, self.groups), ) if can_manage_policy_request: extended_request.request_status = RequestStatus.approved admin_approved = True extended_request.reviewer = self.user self_approval_comment = CommentModel( id=str(uuid.uuid4()), timestamp=int(time.time()), user_email=self.user, user=extended_request.requester_info, last_modified=int(time.time()), text=f"Self-approved by admin: {self.user}", ) extended_request.comments.append(self_approval_comment) log_data["admin_auto_approved"] = True log_data["request"] = extended_request.dict() log.debug(log_data) stats.count( f"{log_data['function']}.post.admin_auto_approved", tags={"user": self.user}, ) else: # someone is trying to use admin bypass without being an admin, don't allow request to proceed stats.count( f"{log_data['function']}.post.unauthorized_admin_bypass", tags={"user": self.user}, ) log_data[ "message"] = "Unauthorized user trying to use admin bypass" log.error(log_data) await write_json_error("Unauthorized", obj=self) return else: # If admin auto approve is false, check for auto-approve probe eligibility is_eligible_for_auto_approve_probe = ( await is_request_eligible_for_auto_approval( extended_request, self.user)) # If we have only made requests that are eligible for auto-approval probe, check against them if is_eligible_for_auto_approve_probe: should_auto_approve_request = await should_auto_approve_policy_v2( extended_request, self.user, self.groups) if should_auto_approve_request["approved"]: extended_request.request_status = RequestStatus.approved approval_probe_approved = True stats.count( f"{log_data['function']}.probe_auto_approved", tags={"user": self.user}, ) approving_probes = [] for approving_probe in should_auto_approve_request[ "approving_probes"]: approving_probe_comment = CommentModel( id=str(uuid.uuid4()), timestamp=int(time.time()), user_email= f"Auto-Approve Probe: {approving_probe['name']}", last_modified=int(time.time()), text= f"Policy {approving_probe['policy']} auto-approved by probe: {approving_probe['name']}", ) extended_request.comments.append( approving_probe_comment) approving_probes.append(approving_probe["name"]) extended_request.reviewer = ( f"Auto-Approve Probe: {','.join(approving_probes)}" ) log_data["probe_auto_approved"] = True log_data["request"] = extended_request.dict() log.debug(log_data) dynamo = UserDynamoHandler(self.user) request = await dynamo.write_policy_request_v2(extended_request) log_data["message"] = "New request created in Dynamo" log_data["request"] = extended_request.dict() log_data["dynamo_request"] = request log.debug(log_data) except (InvalidRequestParameter, ValidationError) as e: log_data["message"] = "Validation Exception" log.error(log_data, exc_info=True) stats.count(f"{log_data['function']}.validation_exception", tags={"user": self.user}) self.write_error(400, message="Error validating input: " + str(e)) if config.get("development"): raise return except Exception as e: log_data[ "message"] = "Unknown Exception occurred while parsing request" log.error(log_data, exc_info=True) stats.count(f"{log_data['function']}.exception", tags={"user": self.user}) sentry_sdk.capture_exception(tags={"user": self.user}) self.write_error(500, message="Error parsing request: " + str(e)) if config.get("development"): raise return # If here, request has been successfully created response = RequestCreationResponse( errors=0, request_created=True, request_id=extended_request.id, request_url=f"/policies/request/{extended_request.id}", action_results=[], ) # If approved is true due to an auto-approval probe or admin auto-approval, apply the non-autogenerated changes if extended_request.request_status == RequestStatus.approved: for change in extended_request.changes.changes: if change.autogenerated: continue policy_request_modification_model = ( PolicyRequestModificationRequestModel.parse_obj({ "modification_model": { "command": "apply_change", "change_id": change.id, } })) policy_apply_response = ( await parse_and_apply_policy_request_modification( extended_request, policy_request_modification_model, self.user, self.groups, int(time.time()), approval_probe_approved, )) response.errors = policy_apply_response.errors response.action_results = policy_apply_response.action_results # Update in dynamo await dynamo.write_policy_request_v2(extended_request) account_id = await get_resource_account(extended_request.arn) # Force a refresh of the role in Redis/DDB arn_parsed = parse_arn(extended_request.arn) if arn_parsed["service"] == "iam" and arn_parsed[ "resource"] == "role": await aws.fetch_iam_role(account_id, extended_request.arn, force_refresh=True) log_data["request"] = extended_request.dict() log_data["message"] = "Applied changes based on approved request" log_data["response"] = response.dict() log.debug(log_data) await aws.send_communications_new_policy_request( extended_request, admin_approved, approval_probe_approved) self.write(response.json()) await self.finish() await cache_all_policy_requests() return
async def get(self, request_id): """ GET /api/v2/requests/{request_id} """ tags = {"user": self.user} stats.count("RequestDetailHandler.get", tags=tags) log_data = { "function": f"{__name__}.{self.__class__.__name__}.{sys._getframe().f_code.co_name}", "user": self.user, "message": "Get request details", "user-agent": self.request.headers.get("User-Agent"), "request_id": self.request_uuid, "policy_request_id": request_id, } log.debug(log_data) if config.get("policy_editor.disallow_contractors", True) and self.contractor: if self.user not in config.get( "groups.can_bypass_contractor_restrictions", []): self.write_error( 403, message="Only FTEs are authorized to view this page.") return try: extended_request, last_updated = await self._get_extended_request( request_id, log_data) except InvalidRequestParameter as e: sentry_sdk.capture_exception(tags={"user": self.user}) self.write_error(400, message="Error validating input: " + str(e)) return except NoMatchingRequest as e: sentry_sdk.capture_exception(tags={"user": self.user}) self.write_error(404, message="Error getting request:" + str(e)) return # Run these tasks concurrently. concurrent_results = await asyncio.gather( populate_old_policies(extended_request, self.user), populate_cross_account_resource_policies(extended_request, self.user), ) extended_request = concurrent_results[0] populate_cross_account_resource_policies_result = concurrent_results[1] if populate_cross_account_resource_policies_result["changed"]: extended_request = populate_cross_account_resource_policies_result[ "extended_request"] # Update in dynamo with the latest resource policy changes dynamo = UserDynamoHandler(self.user) updated_request = await dynamo.write_policy_request_v2( extended_request) last_updated = updated_request.get("last_updated") can_approve_reject = (can_admin_policies(self.user, self.groups), ) can_update_cancel = await can_update_cancel_requests_v2( extended_request.requester_email, self.user, self.groups) can_move_back_to_pending = await can_move_back_to_pending_v2( extended_request, last_updated, self.user, self.groups) # In the future request_specific_config will have specific approvers for specific changes based on ABAC request_specific_config = { "can_approve_reject": can_approve_reject, "can_update_cancel": can_update_cancel, "can_move_back_to_pending": can_move_back_to_pending, } template = None # Force a refresh of the role in Redis/DDB arn_parsed = parse_arn(extended_request.arn) if arn_parsed["service"] == "iam" and arn_parsed["resource"] == "role": iam_role = await aws.fetch_iam_role(arn_parsed["account"], extended_request.arn) template = iam_role.get("templated") response = { "request": extended_request.json(), "last_updated": last_updated, "request_config": request_specific_config, "template": template, } self.write(response)
async def get(self): """ Provide information about site configuration for the frontend :return: """ is_contractor = config.config_plugin().is_contractor(self.user) site_config = { "consoleme_logo": await get_random_security_logo(), "google_analytics": { "tracking_id": config.get("google_analytics.tracking_id"), "options": config.get("google_analytics.options", {}), }, "documentation_url": config.get( "documentation_page", "https://hawkins.gitbook.io/consoleme/" ), "support_contact": config.get("support_contact"), "support_chat_url": config.get( "support_chat_url", "https://discord.com/invite/nQVpNGGkYu" ), "security_logo": config.get("security_logo.image"), "security_url": config.get("security_logo.url"), # If site_config.landing_url is set, users will be redirected to the landing URL after authenticating # on the frontend. "landing_url": config.get("site_config.landing_url"), "temp_policy_support": config.get("policies.temp_policy_support"), "notifications": { "enabled": config.get("site_config.notifications.enabled"), "request_interval": config.get( "site_config.notifications.request_interval", 60 ), }, "cloudtrail_denies_policy_generation": config.get( "celery.cache_cloudtrail_denies.enabled", False ), } custom_page_header: Dict[str, str] = await get_custom_page_header( self.user, self.groups ) user_profile = { "site_config": site_config, "user": self.user, "can_logout": config.get("auth.set_auth_cookie", False), "is_contractor": is_contractor, "employee_photo_url": config.config_plugin().get_employee_photo_url( self.user ), "employee_info_url": config.config_plugin().get_employee_info_url( self.user ), "authorization": { "can_edit_policies": can_admin_policies(self.user, self.groups), "can_create_roles": can_create_roles(self.user, self.groups), "can_delete_iam_principals": can_delete_iam_principals( self.user, self.groups ), }, "pages": { "header": { "custom_header_message_title": custom_page_header.get( "custom_header_message_title", "" ), "custom_header_message_text": custom_page_header.get( "custom_header_message_text", "" ), "custom_header_message_route": custom_page_header.get( "custom_header_message_route", "" ), }, "groups": { "enabled": config.get("headers.group_access.enabled", False) }, "users": {"enabled": config.get("headers.group_access.enabled", False)}, "policies": { "enabled": config.get("headers.policies.enabled", True) and not is_contractor }, "self_service": { "enabled": config.get("enable_self_service", True) and not is_contractor }, "api_health": { "enabled": is_in_group( self.user, self.groups, config.get("groups.can_edit_health_alert", []), ) }, "audit": { "enabled": is_in_group( self.user, self.groups, config.get("groups.can_audit", []) ) }, "config": {"enabled": can_edit_dynamic_config(self.user, self.groups)}, }, "accounts": await get_account_id_to_name_mapping(), } self.set_header("Content-Type", "application/json") self.write(user_profile)
async def get(self, account_id, resource_type, region=None, resource_name=None): if not self.user: return if config.get("policy_editor.disallow_contractors", True) and self.contractor: if self.user not in config.get( "groups.can_bypass_contractor_restrictions", []): raise MustBeFte("Only FTEs are authorized to view this page.") read_only = False can_save_delete = (can_admin_policies(self.user, self.groups), ) account_id_for_arn: str = account_id if resource_type == "s3": account_id_for_arn = "" arn = f"arn:aws:{resource_type}:{region or ''}:{account_id_for_arn}:{resource_name}" path = "" if resource_type == "managed_policy": # special case for managed policies path = region or "" if path: arn = f"arn:aws:iam::{account_id}:policy/{path}/{resource_name}" else: arn = f"arn:aws:iam::{account_id}:policy/{resource_name}" stats.count("ResourcePolicyEditHandler.get", tags={ "user": self.user, "arn": arn }) log_data = { "user": self.user, "ip": self.ip, "function": f"{__name__}.{self.__class__.__name__}.{sys._getframe().f_code.co_name}", "message": "Incoming request", "user-agent": self.request.headers.get("User-Agent"), "request_id": self.request_uuid, "arn": arn, } log.debug(log_data) error = "" try: resource_details = await fetch_resource_details( account_id, resource_type, resource_name, region, path) except Exception as e: sentry_sdk.capture_exception() log.error({**log_data, "error": e}, exc_info=True) resource_details = None error = str(e) if not resource_details: self.send_error( 404, message= (f"Unable to retrieve the specified {resource_type} resource: " f"{account_id}/{resource_name}/{region}. {error}", ), ) return # TODO: Get S3 errors for s3 buckets only, else CT errors yesterday = (datetime.today() - timedelta(days=1)).strftime("%Y%m%d") s3_query_url = None if resource_type == "s3": s3_query_url = config.get("s3.bucket_query_url") all_s3_errors = None if s3_query_url: s3_query_url = s3_query_url.format( yesterday=yesterday, bucket_name=f"'{resource_name}'") s3_error_topic = config.get("redis.s3_errors", "S3_ERRORS") all_s3_errors = self.red.get(s3_error_topic) s3_errors = [] if all_s3_errors: s3_errors = json.loads(all_s3_errors).get(arn, []) account_ids_to_name = await get_account_id_to_name_mapping() # TODO(ccastrapel/psanders): Make a Swagger spec for this self.write( dict( arn=arn, resource_details=resource_details, account_id=account_id, account_name=account_ids_to_name.get(account_id, None), read_only=read_only, can_save_delete=can_save_delete, s3_errors=s3_errors, error_url=s3_query_url, config_timeline_url=resource_details.get( "config_timeline_url"), ))