def execute_security_check_with_executed_type(trace_id, organization_id, project_id, user_id, email, executed_type): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) # リソース関連性のバリデーションチェックを行います。 try: project = pm_projects.get_projects_by_organization_id( trace_id, project_id, organization_id) except PmError as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) if not project: return common_utils.error_common( MsgConst.ERR_AWS_401, HTTPStatus.UNPROCESSABLE_ENTITY, pm_logger) try: check_history_id = common_utils.get_uuid4() executed_date_time = common_utils.get_current_date() pm_checkHistory.create(trace_id, check_history_id, organization_id, project_id, CHECK_SECURITY, CheckStatus.Waiting, None, executed_type, None, executed_date_time, None, user_id) except PmError as e: return common_utils.error_exception(MsgConst.ERR_DB_403, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) try: topic_arn = common_utils.get_environ( CommonConst.SECURITYCHECK_EXECUTE_TOPIC) subject = "USER : {0}".format(user_id) message = { 'CheckHistoryId': check_history_id } # Publish message aws_common.aws_sns(trace_id, subject, json.dumps(message), topic_arn) except PmError as e: common_utils.write_log_pm_error(e, pm_logger, exc_info=True) try: check_history = pm_checkHistory.query_key(trace_id, check_history_id, True) except PmError as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) # return data response response = common_utils.get_response_by_response_body( HTTPStatus.CREATED, check_history) return common_utils.response(response, pm_logger)
def create_awscoops(trace_id, project_id, organization_id): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) try: project = pm_projects.get_projects_by_organization_id( trace_id, project_id, organization_id) except PmError as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) # 組織情報を取得します。 if (not project): return common_utils.error_common(MsgConst.ERR_AWS_401, HTTPStatus.UNPROCESSABLE_ENTITY, pm_logger) # Create AWSアカウント連携 coop_id = str(uuid.uuid4()) aws_account = CommonConst.UNKNOWN aws_account_name = None role_name = None external_id = str(uuid.uuid4()) description = None effective = Effective.UnConfirmed.value try: pm_awsAccountCoops.create_awscoops(trace_id, coop_id, aws_account, aws_account_name, role_name, external_id, description, effective, organization_id, project_id) except PmError as e: return common_utils.error_exception(MsgConst.ERR_DB_403, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) # Get data response try: awscoops_item = pm_awsAccountCoops.query_awscoop_coop_key( trace_id, coop_id, convert_response=True) except PmError as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) # return data response response = common_utils.get_response_by_response_body( HTTPStatus.CREATED, awscoops_item) return common_utils.response(response, pm_logger)
def delete_project(trace_id, email, project_id, organization_id): # Get logging pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) try: project = pm_projects.get_projects_by_organization_id( trace_id, project_id, organization_id, convert_response=True) except PmError as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) # 組織情報を取得します。 if (not project): return common_utils.error_common(MsgConst.ERR_301, HTTPStatus.NOT_FOUND, pm_logger) # プロジェクト削除の条件を満たしているかチェックを行います。現時点ではチェックすべき項目はありません。 # 現時点ではチェックすべき項目はありません。 # Delete project try: pm_projects.delete_projects(trace_id, project_id) except PmError as e: return common_utils.error_exception(MsgConst.ERR_DB_405, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) # Create task task_id = str(uuid.uuid4()) user_id = trace_id try: pm_organizationTasks.create_organizationTask(trace_id, task_id, "DELETE_PRJ", project_id, user_id, email, Status.Waiting.value, 0, 3) except PmError as e: return common_utils.error_exception(MsgConst.ERR_DB_403, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) aws_common.sns_organization_topic(trace_id, task_id, "DELETE_PRJ") # data response response = common_utils.get_response_by_response_body( HTTPStatus.NO_CONTENT, None) return common_utils.response(response, pm_logger)
def generate_security_check_webhook(trace_id, organization_id, project_id, user_id, email): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) # リソース関連性のバリデーションチェックを行います。 try: project = pm_projects.get_projects_by_organization_id( trace_id, project_id, organization_id) except PmError as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) if not project: return common_utils.error_common( MsgConst.ERR_AWS_401, HTTPStatus.UNPROCESSABLE_ENTITY, pm_logger) try: webhooks = pm_securityCheckWebhook.query_project_index( trace_id, project_id, user_id) except PmError as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) if webhooks: return common_utils.error_common(MsgConst.ERR_302, HTTPStatus.CONFLICT, pm_logger) try: security_check_webhook_id = common_utils.get_uuid4() webhook_path = common_utils.get_uuid4() pm_securityCheckWebhook.create(trace_id, security_check_webhook_id, webhook_path, user_id, email, organization_id, project_id, 3) except PmError as e: return common_utils.error_exception(MsgConst.ERR_DB_403, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) response = common_utils.get_response_by_response_body( HTTPStatus.CREATED, {'webhookPath': webhook_path}) return common_utils.response(response, pm_logger)
def get_project(trace_id, project_id, organization_id): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) try: project = pm_projects.get_projects_by_organization_id( trace_id, project_id, organization_id, convert_response=True) except PmError as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) # 組織情報を取得します。 if (not project): return common_utils.error_common(MsgConst.ERR_301, HTTPStatus.NOT_FOUND, pm_logger) # data response response = common_utils.get_response_by_response_body( HTTPStatus.OK, project[0]) return common_utils.response(response, pm_logger)
def get_security_check_webhook_by_ids(trace_id, user_id, organization_id, project_id): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) webhook = None # リソース関連性のバリデーションチェックを行います。 try: project = pm_projects.get_projects_by_organization_id( trace_id, project_id, organization_id) except PmError as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) if not project: return common_utils.error_common( MsgConst.ERR_AWS_401, HTTPStatus.UNPROCESSABLE_ENTITY, pm_logger) try: webhooks = pm_securityCheckWebhook.query_project_index( trace_id, project_id, user_id) if webhooks: webhook = pm_securityCheckWebhook.query_key( trace_id, webhooks[0]['SecurityCheckWebhookID'], convert_response=True) except PmError as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) if not webhook: return common_utils.error_common(MsgConst.ERR_301, HTTPStatus.NOT_FOUND, pm_logger) response = common_utils.get_response_by_response_body( HTTPStatus.OK, webhook) return response
def update_project(trace_id, project_id, organization_id, data_body): # Get logging pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) # Parse JSON try: body_object = json.loads(data_body) project_name = body_object["name"] description = body_object["description"] except Exception as e: return common_utils.error_exception(MsgConst.ERR_REQUEST_202, HTTPStatus.BAD_REQUEST, e, pm_logger, True) # Validate list_error = validate_project(trace_id, project_name) if list_error: return common_utils.error_validate(MsgConst.ERR_REQUEST_201, HTTPStatus.UNPROCESSABLE_ENTITY, list_error, pm_logger) # Get project try: project_item = pm_projects.get_projects_by_organization_id( trace_id, project_id, organization_id) except PmError as err: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, err, pm_logger, True) if not project_item: return common_utils.error_common(MsgConst.ERR_301, HTTPStatus.NOT_FOUND, pm_logger) # update project if common_utils.is_null(description): description = None attribute = { 'ProjectName': { "Value": project_name }, 'Description': { "Value": description } } updated_at = project_item[0]['UpdatedAt'] try: pm_projects.update_project(trace_id, project_id, attribute, updated_at) except PmError as err: return common_utils.error_exception(MsgConst.ERR_DB_404, HTTPStatus.INTERNAL_SERVER_ERROR, err, pm_logger, True) # Get data update try: project_result = pm_projects.get_projects(trace_id, project_id, convert_response=True) except PmError as err: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, err, pm_logger, True) response = common_utils.get_response_by_response_body( HTTPStatus.OK, project_result[0]) # return data response return common_utils.response(response, pm_logger)
def create_report(trace_id, email, organization_id, project_id, data_body): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) try: project = pm_projects.get_projects_by_organization_id( trace_id, project_id, organization_id) except PmError as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) # 組織情報を取得します。 if (not project): return common_utils.error_common(MsgConst.ERR_AWS_401, HTTPStatus.UNPROCESSABLE_ENTITY, pm_logger) # Parse JSON try: body_object = json.loads(data_body) report_name = body_object["name"] aws_accounts = body_object["awsAccounts"] output_file_type = body_object["outputFileType"] except Exception as e: return common_utils.error_exception(MsgConst.ERR_REQUEST_202, HTTPStatus.BAD_REQUEST, e, pm_logger, True) # Validate list_error = validate_report(trace_id, report_name, aws_accounts, output_file_type) if list_error: return common_utils.error_validate(MsgConst.ERR_REQUEST_201, HTTPStatus.UNPROCESSABLE_ENTITY, list_error, pm_logger) # Create report report_id = common_utils.get_uuid4() status = Status.Waiting.value html_output_status = Status.Waiting.value excel_output_status = Status.Waiting.value schema_version = CommonConst.SCHEMA_VERSION try: pm_reports.create_report(trace_id, report_id, report_name, email, aws_accounts, status, None, None, None, html_output_status, None, None, excel_output_status, None, None, schema_version, organization_id, project_id) except PmError as e: return common_utils.error_exception(MsgConst.ERR_DB_403, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) # AWS利用状況情報収集ジョブの設定 # レポート中間ファイル作成ジョブの設定 # レポート出力ジョブの設定 codes = [ 'COLLECT_AWS_RESOURCE_INFO', 'OUTPUT_REPORT_JSON', 'OUTPUT_REPORT_EXCEL' ] job_id = [] for code in codes: response, job_id = job_report(trace_id, email, report_id, code, job_id) if response: # Delete report pm_reports.delete_reports(trace_id, report_id) return response try: report = pm_reports.query_report(trace_id, report_id, True) except PmError as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) # return data response response = common_utils.get_response_by_response_body( HTTPStatus.CREATED, report) return common_utils.response(response, pm_logger)
def get_security_check_detail(trace_id, organization_id, project_id, check_history_id=None, group_filter=None): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) # リソース関連性のバリデーションチェックを行います。 try: project = pm_projects.get_projects_by_organization_id( trace_id, project_id, organization_id) except PmError as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) if (not project): return common_utils.error_common( MsgConst.ERR_AWS_401, HTTPStatus.UNPROCESSABLE_ENTITY, pm_logger) # 最新チェック結果のチェック履歴ID CheckHistoryIDを取得します。 if check_history_id is None: try: lastest_check_result = pm_latestCheckResult.query_key( trace_id, project_id, organization_id) except PmError as e: return common_utils.error_exception( MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) if (not lastest_check_result): response = common_utils.get_response_by_response_body( HTTPStatus.OK, []) return common_utils.response(response, pm_logger) check_history_id = lastest_check_result["CheckHistoryID"] else: try: lastest_check_result = pm_latestCheckResult.query_key_by_check_history_id( trace_id, project_id, organization_id, check_history_id) except PmError as e: return common_utils.error_exception( MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) if (not lastest_check_result): return common_utils.error_common(MsgConst.ERR_301, HTTPStatus.NOT_FOUND, pm_logger) # チェック結果詳細情報を取得します。 try: if common_utils.is_null(group_filter) is True: check_result_items = pm_checkResultItems.get_security_check_detail( trace_id, check_history_id) else: check_result_items = pm_checkResultItems.get_security_check_detail( trace_id, check_history_id, CommonConst.GROUP_FILTER_TEMPLATE.format(group_filter)) except PmError as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) if (not check_result_items): response = common_utils.get_response_by_response_body( HTTPStatus.OK, []) return common_utils.response(response, pm_logger) # 個別チェック結果レコードに対して、各チェック結果に作成されたチェック結果ファイルを取得する。 response_body = [] for check_result_item in check_result_items: try: data = FileUtils.read_json(trace_id, "S3_CHECK_BUCKET", check_result_item["ResultJsonPath"]) except PmError as e: if e.cause_error.response['Error'][ 'Code'] == CommonConst.NO_SUCH_KEY: return common_utils.error_exception( MsgConst.ERR_S3_702, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) else: return common_utils.error_exception( MsgConst.ERR_S3_709, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) response_body.append(get_response_body(check_result_item, data)) # return response data response = common_utils.get_response_by_response_body( HTTPStatus.OK, response_body) return common_utils.response(response, pm_logger)
def list_item_settings(trace_id, organization_id, project_id, coop_id, group_filter): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) # リソース関連性のバリデーションチェックを行います。 # プロジェクトテーブルに、プロジェクトID{project_id}をキーとしてクエリを実行します。 try: project = pm_projects.get_projects_by_organization_id( trace_id, project_id, organization_id) except Exception as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) # プロジェクトに該当レコードが存在しなかった場合(取得件数が0件) if (not project): return common_utils.error_common(MsgConst.ERR_AWS_401, HTTPStatus.UNPROCESSABLE_ENTITY, pm_logger) # AWSアカウントAWSAccountは、AWSアカウント連携テーブルに、AWSアカウント連携ID{coop_id}をキーとしてクエリを実行します。 try: awscoops_item = pm_awsAccountCoops.query_awscoop_coop_key( trace_id, coop_id) except Exception as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) # 有効なAWSアカウントが存在しなかった場合(取得件数が0件) if (not awscoops_item): return common_utils.error_common(MsgConst.ERR_AWS_401, HTTPStatus.UNPROCESSABLE_ENTITY, pm_logger) # チェック項目除外情報を取得します。 account_refine_code = CommonConst.ACCOUNT_REFINE_CODE.format( organization_id, project_id, awscoops_item['AWSAccount']) try: exclusion_items = pm_exclusionitems.query_filter_account_refine_code( trace_id, account_refine_code, group_filter) except Exception as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) # マニュアル評価情報を取得します。 try: assessment_items = pm_assessmentItems.query_filter_account_refine_code( trace_id, account_refine_code, group_filter) except Exception as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) # リソース除外情報を取得します。 try: exclusion_resources = pm_exclusionResources.query_filter_account_refine_code( trace_id, account_refine_code, group_filter) except Exception as e: return common_utils.error_exception(MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e, pm_logger, True) # メンバーズ加入アカウントの確認をします members = common_utils.get_value('Members', awscoops_item, Members.Disable) if (isinstance(members, Decimal)): members = int(members) # セキュリティチェック項目設定一覧の配列を作成します。 security_item_settings = [] list_check_item_code_exclusion = jmespath.search('[*].CheckItemCode', exclusion_items) list_check_item_code_assessment = jmespath.search('[*].CheckItemCode', assessment_items) list_check_item_code_exclusion_resource = jmespath.search( '[*].CheckItemCode', exclusion_resources) for check_item_code in LIST_CHECK_ITEM_CODE: # リクエストパラメータgroupFilterにてフィルタ文字列が指定されていた場合、その文字列に該当するチェック項目コードを持つチェックだけ配列へ含めます。 if (common_utils.is_null(group_filter) is False and group_filter not in check_item_code): continue # マネージド項目有無managedFlag managed_flag = ManagedFlag.NotManaged if (check_item_code in LIST_CHECK_ITEM_CODE_MANAGED): if members == Members.Enable: managed_flag = ManagedFlag.Managed # チェック項目除外有無exclusionFlag exclusion_flag = ExclusionFlag.Disable if (check_item_code in list_check_item_code_exclusion): exclusion_flag = ExclusionFlag.Enable # マニュアル評価設定有無assessmentFlag assessment_flag = AssessmentFlag.NotManual if (check_item_code in LIST_CHECK_ITEM_CODE_ASSESSMENT): assessment_flag = AssessmentFlag.NotAssessment if (check_item_code in list_check_item_code_assessment): assessment_flag = AssessmentFlag.Assessment # リソース除外設定有無excludedResourceFlag excluded_resource_flag = ExcludedResourceFlag.Other if (check_item_code in LIST_CHECK_ITEM_CODE_EXCLUDED_RESOURCE): excluded_resource_flag = ExcludedResourceFlag.Disable if (check_item_code in list_check_item_code_exclusion_resource): excluded_resource_flag = ExcludedResourceFlag.Enable security_item_setting = { "checkItemCode": check_item_code, "managedFlag": managed_flag, "exclusionFlag": exclusion_flag, "assessmentFlag": assessment_flag, "excludedResourceFlag": excluded_resource_flag } security_item_settings.append(security_item_setting) # 作成したSecurityItemSettingの配列をレスポンスとして作成します。 response = common_utils.get_response_by_response_body( HTTPStatus.OK, security_item_settings) return common_utils.response(response, pm_logger)