def _get_rbp(self) -> ResponseGetRbp:
"""Get the resource based policy for this resource and store it"""
logger.debug("Getting resource policy for %s" % self.arn)
# When there is no policy, let's return an empty policy to avoid breaking things
policy = constants.get_empty_policy()
try:
response = self.client.get_topic_attributes(TopicArn=self.arn)
attributes = response.get("Attributes")
if attributes.get("Policy"):
policy = constants.get_empty_policy()
policy["Statement"].extend(
json.loads(attributes.get("Policy")).get("Statement"))
else:
policy = constants.get_empty_policy()
success = True
except self.client.exceptions.ResourceNotFoundException as error:
logger.critical(error)
success = False
except botocore.exceptions.ClientError as error:
logger.critical(error)
success = False
policy_document = PolicyDocument(
policy=policy,
service=self.service,
override_action=self.override_action,
include_resource_block=self.include_resource_block,
override_resource_block=self.override_resource_block,
override_account_id_instead_of_principal=self.
override_account_id_instead_of_principal,
)
response = ResponseGetRbp(policy_document=policy_document,
success=success)
return response
def _get_rbp(self) -> ResponseGetRbp:
"""Get the resource based policy for this resource and store it"""
logger.debug("Getting resource policy for %s" % self.arn)
# When there is no policy, let's return an empty policy to avoid breaking things
policy = constants.get_empty_policy()
try:
# https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/glacier.html#Glacier.Client.get_vault_access_policy
response = self.client.get_vault_access_policy(vaultName=self.name)
policy = json.loads(response.get("policy").get("Policy"))
success = True
# This is silly. If there is no access policy set on the vault, then it returns the same error as if the vault didn't exist.
except self.client.exceptions.ResourceNotFoundException as error:
logger.debug(error)
success = True
except botocore.exceptions.ClientError:
success = False
policy_document = PolicyDocument(
policy=policy,
service=self.service,
override_action=self.override_action,
include_resource_block=self.include_resource_block,
override_resource_block=self.override_resource_block,
override_account_id_instead_of_principal=self.
override_account_id_instead_of_principal,
)
response = ResponseGetRbp(policy_document=policy_document,
success=success)
return response
def _get_rbp(self) -> ResponseGetRbp:
"""Get the resource based policy for this resource and store it"""
logger.debug("Getting resource policy for %s" % self.arn)
policy = constants.get_empty_policy()
try:
response = self.client.get_bucket_policy(Bucket=self.name)
policy = json.loads(response.get("Policy"))
message = "200: Successfully obtained bucket policy for %s" % self.arn
success = True
except botocore.exceptions.ClientError as error:
error_code = error.response['Error']['Code']
message = f"{error_code}: {error.response.get('Error').get('Message')} for {error.response.get('Error').get('BucketName')}"
if error.response['Error']['Code'] == "AccessDenied":
success = False
elif error.response['Error']['Code'] == "NoSuchBucketPolicy":
success = True
else:
# This occurs when there is no resource policy attached
success = True
except Exception as error:
message = error
success = False
logger.debug(message)
policy_document = PolicyDocument(
policy=policy,
service=self.service,
override_action=self.override_action,
include_resource_block=self.include_resource_block,
override_resource_block=self.override_resource_block,
override_account_id_instead_of_principal=self.
override_account_id_instead_of_principal,
)
response = ResponseGetRbp(policy_document=policy_document,
success=success)
return response
def _get_rbp(self) -> ResponseGetRbp:
"""Get the resource based policy for this resource and store it"""
logger.debug("Getting resource policy for %s" % self.arn)
policy = constants.get_empty_policy()
try:
# https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ecr.html#ECR.Client.get_repository_policy
response = self.client.get_repository_policy(
repositoryName=self.name)
policy = json.loads(response.get("policyText"))
success = True
except self.client.exceptions.RepositoryPolicyNotFoundException:
logger.debug("Policy not found. Setting policy document to empty.")
success = True
except self.client.exceptions.RepositoryNotFoundException:
logger.critical("Repository does not exist")
success = False
except botocore.exceptions.ClientError:
# When there is no policy, let's return an empty policy to avoid breaking things
success = False
policy_document = PolicyDocument(
policy=policy,
service=self.service,
override_action=self.override_action,
include_resource_block=self.include_resource_block,
override_resource_block=self.override_resource_block,
override_account_id_instead_of_principal=self.
override_account_id_instead_of_principal,
)
response = ResponseGetRbp(policy_document=policy_document,
success=success)
return response
def _get_rbp(self) -> ResponseGetRbp:
logger.debug("Getting resource policy for %s" % self.arn)
# When there is no policy, let's return an empty policy to avoid breaking things
policy = constants.get_empty_policy()
try:
response = self.client.get_layer_version_policy(
LayerName=self.name, VersionNumber=self.version)
policy = json.loads(response.get("Policy"))
success = True
except self.client.exceptions.ResourceNotFoundException as error:
logger.debug("The Policy does not exist. We will have to add it.")
success = True
except botocore.exceptions.ClientError as error:
logger.critical(error)
success = False
policy_document = PolicyDocument(
policy=policy,
service=self.service,
override_action=self.override_action,
include_resource_block=self.include_resource_block,
override_resource_block=self.override_resource_block,
override_account_id_instead_of_principal=self.
override_account_id_instead_of_principal,
)
response = ResponseGetRbp(policy_document=policy_document,
success=success)
return response
def _get_rbp(self) -> ResponseGetRbp:
"""Get the resource based policy for this resource and store it"""
policy = constants.get_empty_policy()
try:
# https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/acm-pca.html#ACMPCA.Client.get_policy
response = self.client.get_policy(ResourceArn=self.arn)
policy = json.loads(response.get("Policy"))
success = True
# This is dumb. "If either the private CA resource or the policy cannot be found, this action returns a ResourceNotFoundException."
# That means we have to set it to true, even when the resource doesn't exist. smh.
# That will only affect the expose command and not the smash command.
except self.client.exceptions.ResourceNotFoundException:
logger.debug(f"Resource {self.name} not found")
success = True
except botocore.exceptions.ClientError:
# When there is no policy, let's return an empty policy to avoid breaking things
success = False
policy_document = PolicyDocument(
policy=policy,
service=self.service,
override_action=self.override_action,
include_resource_block=self.include_resource_block,
override_resource_block=self.override_resource_block,
override_account_id_instead_of_principal=self.
override_account_id_instead_of_principal,
)
response = ResponseGetRbp(policy_document=policy_document,
success=success)
return response
def _get_rbp(self) -> ResponseGetRbp:
"""Get the resource based policy for this resource and store it"""
logger.debug("Getting resource policy for %s" % self.arn)
try:
# https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ses.html#SES.Client.list_identity_policies
response = self.client.describe_elasticsearch_domain_config(DomainName=self.name)
domain_config = response.get("DomainConfig")
policy = domain_config.get("AccessPolicies").get("Options")
if policy:
policy = json.loads(policy)
else:
policy = constants.get_empty_policy()
success = True
except botocore.exceptions.ClientError:
# When there is no policy, let's return an empty policy to avoid breaking things
policy = constants.get_empty_policy()
success = False
policy_document = PolicyDocument(
policy=policy,
service=self.service,
override_action=self.override_action,
include_resource_block=self.include_resource_block,
override_resource_block=self.override_resource_block,
override_account_id_instead_of_principal=self.override_account_id_instead_of_principal,
)
response = ResponseGetRbp(policy_document=policy_document, success=success)
return response
def _get_rbp(self) -> ResponseGetRbp:
"""Get the resource based policy for this resource and store it"""
logger.debug("Getting resource policy for %s" % self.arn)
try:
response = self.client.get_resource_policy(SecretId=self.name)
if response.get("ResourcePolicy"):
policy = json.loads(response.get("ResourcePolicy"))
else:
policy = constants.get_empty_policy()
success = True
except botocore.exceptions.ClientError:
# When there is no policy, let's return an empty policy to avoid breaking things
policy = constants.get_empty_policy()
success = False
policy_document = PolicyDocument(
policy=policy,
service=self.service,
override_action=self.override_action,
include_resource_block=self.include_resource_block,
override_resource_block=self.override_resource_block,
override_account_id_instead_of_principal=self.
override_account_id_instead_of_principal,
)
response = ResponseGetRbp(policy_document=policy_document,
success=success)
return response
def _get_rbp(self) -> ResponseGetRbp:
"""Get the resource based policy for this resource and store it"""
# If you do not know the names of the policies that are attached to the identity, you can use ListIdentityPolicies
logger.debug("Getting resource policy for %s" % self.arn)
# When there is no policy, let's return an empty policy to avoid breaking things
policy = constants.get_empty_policy()
try:
# https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ses.html#SES.Client.list_identity_policies
response = self.client.list_identity_policies(Identity=self.name)
# https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ses.html#SES.Client.get_identity_policies
policy_names = response.get("PolicyNames")
if policy_names:
response = self.client.get_identity_policies(Identity=self.name, PolicyNames=policy_names)
policies = response.get("Policies")
if constants.SID_SIGNATURE in policies:
policy = json.loads(policies.get(constants.SID_SIGNATURE))
success = True
else:
policy = constants.get_empty_policy()
success = True
except botocore.exceptions.ClientError:
success = False
policy_document = PolicyDocument(
policy=policy,
service=self.service,
override_action=self.override_action,
include_resource_block=self.include_resource_block,
override_resource_block=self.override_resource_block,
override_account_id_instead_of_principal=self.override_account_id_instead_of_principal,
)
response = ResponseGetRbp(policy_document=policy_document, success=success)
return response
def _get_rbp(self) -> ResponseGetRbp:
"""Get the resource based policy for this resource and store it"""
# https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/kms.html#KMS.Client.get_key_policy
logger.debug("Getting resource policy for %s" % self.arn)
try:
response = self.client.get_key_policy(KeyId=self.arn,
PolicyName="default")
if response.get("Policy"):
policy = constants.get_empty_policy()
policy["Statement"].extend(
json.loads(response.get("Policy")).get("Statement"))
else:
policy = constants.get_empty_policy()
success = True
except botocore.exceptions.ClientError:
# When there is no policy, let's return an empty policy to avoid breaking things
policy = constants.get_empty_policy()
success = False
policy_document = PolicyDocument(
policy=policy,
service=self.service,
override_action=self.override_action,
include_resource_block=self.include_resource_block,
override_resource_block=self.override_resource_block,
override_account_id_instead_of_principal=self.
override_account_id_instead_of_principal,
)
response = ResponseGetRbp(policy_document=policy_document,
success=success)
return response
def _get_rbp(self) -> ResponseGetRbp:
"""Get the resource based policy for this resource and store it"""
logger.debug("Getting resource policy for %s" % self.arn)
try:
response = self.client.get_role(RoleName=self.name)
policy = response.get("Role").get("AssumeRolePolicyDocument")
success = True
except self.client.exceptions.NoSuchEntityException:
logger.critical(f"There is no resource with the name {self.name}")
policy = constants.get_empty_policy()
success = False
except botocore.exceptions.ClientError:
# When there is no policy, let's return an empty policy to avoid breaking things
policy = constants.get_empty_policy()
success = False
policy_document = PolicyDocument(
policy=policy,
service=self.service,
override_action=self.override_action,
include_resource_block=self.include_resource_block,
override_resource_block=self.override_resource_block,
override_account_id_instead_of_principal=self.
override_account_id_instead_of_principal,
)
response = ResponseGetRbp(policy_document=policy_document,
success=success)
return response