def rollback_role(account_number, role_name, selection=None, commit=None): """ Display the historical policy versions for a roll as a numbered list. Restore to a specific version if selected. Indicate changes that will be made and then actually make them if commit is selected. Args: account_number (string) role_name (string) selection (int): which policy version in the list to rollback to commit (bool): actually make the change Returns: None """ role_data = _find_role_in_cache(account_number, role_name) if not role_data: LOGGER.warn('Could not find role with name {}'.format(role_name)) return else: role = Role(role_data) # no option selected, display a table of options if not selection: headers = [ 'Number', 'Source', 'Discovered', 'Policy Length', 'Policy Contents' ] rows = [] for index, policies_version in enumerate(role.policies): rows.append([ index, policies_version['Source'], policies_version['Discovered'], len(str(policies_version['Policy'])), str(policies_version['Policy'])[:50] ]) print tabulate(rows, headers=headers) return from cloudaux import CloudAux conn = CONFIG['connection_iam'] conn['account_number'] = account_number ca = CloudAux(**conn) current_policies = get_role_inline_policies(role.as_dict(), **conn) if selection and not commit: pp = pprint.PrettyPrinter() print "Will restore the following policies:" pp.pprint(role.policies[int(selection)]['Policy']) print "Current policies:" pp.pprint(current_policies) return # if we're restoring from a version with fewer policies than we have now, we need to remove them to # complete the restore. To do so we'll store all the policy names we currently have and remove them # from the list as we update. Any policy names left need to be manually removed policies_to_remove = current_policies.keys() for policy_name, policy in role.policies[int(selection)]['Policy'].items(): try: LOGGER.info("Pushing cached policy: {}".format(policy_name)) ca.call('iam.client.put_role_policy', RoleName=role.role_name, PolicyName=policy_name, PolicyDocument=json.dumps(policy, indent=2, sort_keys=True)) except botocore.excpetion.ClientError as e: LOGGER.error("Unable to push policy {}. Error: {}".format( policy_name, e.message)) else: # remove the policy name if it's in the list try: policies_to_remove.remove(policy_name) except: pass if policies_to_remove: for policy_name in policies_to_remove: try: ca.call('iam.client.delete_role_policy', RoleName=role.role_name, PolicyName=policy_name) except botocore.excpetion.ClientError as e: LOGGER.error("Unable to delete policy {}. Error: {}".format( policy_name, e.message)) # TODO: possibly update the total and repoable permissions here, we'd have to get Aardvark and all that current_policies = get_role_inline_policies(role.as_dict(), **conn) or {} roledata.add_new_policy_version(role, current_policies, 'Restore') role.total_permissions = len(roledata._get_role_permissions(role)) # update stats roledata.update_stats([role], source='Restore') LOGGER.info('Successfully restored selected version of role policies')
def repo_role(account_number, role_name, commit=False): """ Calculate what repoing can be done for a role and then actually do it if commit is set 1) Check that a role exists, it isn't being disqualified by a filter, and that is has fresh AA data 2) Get the role's current permissions, repoable permissions, and the new policy if it will change 3) Make the changes if commit is set Args: account_number (string) role_name (string) commit (bool) Returns: None """ errors = [] role_data = _find_role_in_cache(account_number, role_name) if not role_data: LOGGER.warn('Could not find role with name {}'.format(role_name)) return else: role = Role(role_data) if len(role.disqualified_by) > 0: LOGGER.info( 'Cannot repo role {} because it is being disqualified by: {}'. format(role_name, role.disqualified_by)) return if not role.aa_data: LOGGER.warn('ARN not found in Access Advisor: {}'.format(role.arn)) return if not role.repoable_permissions: LOGGER.info('No permissions to repo for role {}'.format(role_name)) return old_aa_data_services = [] for aa_service in role.aa_data: if (datetime.datetime.strptime(aa_service['lastUpdated'], '%a, %d %b %Y %H:%M:%S %Z') < datetime.datetime.now() - datetime.timedelta( days=CONFIG['repo_requirements']['oldest_aa_data_days'])): old_aa_data_services.append(aa_service['serviceName']) if old_aa_data_services: LOGGER.error( 'AAData older than threshold for these services: {}'.format( old_aa_data_services)) return permissions = roledata._get_role_permissions(role) repoable_permissions = roledata._get_repoable_permissions( permissions, role.aa_data, role.no_repo_permissions) repoed_policies, deleted_policy_names = roledata._get_repoed_policy( role.policies[-1]['Policy'], repoable_permissions) policies_length = len(json.dumps(repoed_policies)) if not commit: for name in deleted_policy_names: LOGGER.info('Would delete policy from {} with name {}'.format( role_name, name)) if repoed_policies: LOGGER.info('Would replace policies for role {} with: \n{}'.format( role_name, json.dumps(repoed_policies, indent=2, sort_keys=True))) if policies_length > MAX_AWS_POLICY_SIZE: LOGGER.error( "Policies would exceed the AWS size limit after repo for role: {}. " "Please manually minify.".format(role_name)) return from cloudaux import CloudAux conn = CONFIG['connection_iam'] conn['account_number'] = account_number ca = CloudAux(**conn) if policies_length > MAX_AWS_POLICY_SIZE: LOGGER.error( "Policies would exceed the AWS size limit after repo for role: {}. " "Please manually minify.".format(role_name)) return for name in deleted_policy_names: LOGGER.info('Deleting policy with name {} from {}'.format( name, role.role_name)) try: ca.call('iam.client.delete_role_policy', RoleName=role.role_name, PolicyName=name) except botocore.exceptions.ClientError as e: error = 'Error deleting policy: {} from role: {}. Exception: {}'.format( name, role.role_name, e) LOGGER.error(error) errors.append(error) if repoed_policies: LOGGER.info('Replacing Policies With: \n{}'.format( json.dumps(repoed_policies, indent=2, sort_keys=True))) for policy_name, policy in repoed_policies.items(): try: ca.call('iam.client.put_role_policy', RoleName=role.role_name, PolicyName=policy_name, PolicyDocument=json.dumps(policy, indent=2, sort_keys=True)) except botocore.exceptions.ClientError as e: error = 'Exception calling PutRolePolicy on {role}/{policy}\n{e}\n'.format( role=role.role_name, policy=policy_name, e=str(e)) LOGGER.error(error) errors.append(error) current_policies = get_role_inline_policies(role.as_dict(), **conn) or {} roledata.add_new_policy_version(role, current_policies, 'Repo') if not errors: roledata.set_repoed(role.role_id) # update total and repoable permissions and services role.total_permissions = len(roledata._get_role_permissions(role)) role.repoable_permissions = 0 role.repoable_services = [] roledata.update_repoable_data([role]) # update stats roledata.update_stats([role], source='Repo') LOGGER.info('Successfully repoed role: {}'.format(role.role_name)) return errors