def execute_security_check_with_executed_type(trace_id, organization_id,
project_id, user_id, email,
executed_type):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
# リソース関連性のバリデーションチェックを行います。
try:
project = pm_projects.get_projects_by_organization_id(
trace_id, project_id, organization_id)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
if not project:
return common_utils.error_common(
MsgConst.ERR_AWS_401, HTTPStatus.UNPROCESSABLE_ENTITY, pm_logger)
try:
check_history_id = common_utils.get_uuid4()
executed_date_time = common_utils.get_current_date()
pm_checkHistory.create(trace_id, check_history_id, organization_id,
project_id, CHECK_SECURITY, CheckStatus.Waiting,
None, executed_type, None, executed_date_time,
None, user_id)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_DB_403,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
try:
topic_arn = common_utils.get_environ(
CommonConst.SECURITYCHECK_EXECUTE_TOPIC)
subject = "USER : {0}".format(user_id)
message = {
'CheckHistoryId': check_history_id
}
# Publish message
aws_common.aws_sns(trace_id, subject, json.dumps(message), topic_arn)
except PmError as e:
common_utils.write_log_pm_error(e, pm_logger, exc_info=True)
try:
check_history = pm_checkHistory.query_key(trace_id, check_history_id,
True)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# return data response
response = common_utils.get_response_by_response_body(
HTTPStatus.CREATED, check_history)
return common_utils.response(response, pm_logger)
def create_awscoops(trace_id, project_id, organization_id):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
project = pm_projects.get_projects_by_organization_id(
trace_id, project_id, organization_id)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# 組織情報を取得します。
if (not project):
return common_utils.error_common(MsgConst.ERR_AWS_401,
HTTPStatus.UNPROCESSABLE_ENTITY,
pm_logger)
# Create AWSアカウント連携
coop_id = str(uuid.uuid4())
aws_account = CommonConst.UNKNOWN
aws_account_name = None
role_name = None
external_id = str(uuid.uuid4())
description = None
effective = Effective.UnConfirmed.value
try:
pm_awsAccountCoops.create_awscoops(trace_id, coop_id, aws_account,
aws_account_name, role_name,
external_id, description, effective,
organization_id, project_id)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_DB_403,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# Get data response
try:
awscoops_item = pm_awsAccountCoops.query_awscoop_coop_key(
trace_id, coop_id, convert_response=True)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# return data response
response = common_utils.get_response_by_response_body(
HTTPStatus.CREATED, awscoops_item)
return common_utils.response(response, pm_logger)
def delete_project(trace_id, email, project_id, organization_id):
# Get logging
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
project = pm_projects.get_projects_by_organization_id(
trace_id, project_id, organization_id, convert_response=True)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# 組織情報を取得します。
if (not project):
return common_utils.error_common(MsgConst.ERR_301,
HTTPStatus.NOT_FOUND, pm_logger)
# プロジェクト削除の条件を満たしているかチェックを行います。現時点ではチェックすべき項目はありません。
# 現時点ではチェックすべき項目はありません。
# Delete project
try:
pm_projects.delete_projects(trace_id, project_id)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_DB_405,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# Create task
task_id = str(uuid.uuid4())
user_id = trace_id
try:
pm_organizationTasks.create_organizationTask(trace_id, task_id,
"DELETE_PRJ", project_id,
user_id, email,
Status.Waiting.value, 0,
3)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_DB_403,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
aws_common.sns_organization_topic(trace_id, task_id, "DELETE_PRJ")
# data response
response = common_utils.get_response_by_response_body(
HTTPStatus.NO_CONTENT, None)
return common_utils.response(response, pm_logger)
def generate_security_check_webhook(trace_id, organization_id, project_id,
user_id, email):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
# リソース関連性のバリデーションチェックを行います。
try:
project = pm_projects.get_projects_by_organization_id(
trace_id, project_id, organization_id)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
if not project:
return common_utils.error_common(
MsgConst.ERR_AWS_401, HTTPStatus.UNPROCESSABLE_ENTITY, pm_logger)
try:
webhooks = pm_securityCheckWebhook.query_project_index(
trace_id, project_id, user_id)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
if webhooks:
return common_utils.error_common(MsgConst.ERR_302, HTTPStatus.CONFLICT,
pm_logger)
try:
security_check_webhook_id = common_utils.get_uuid4()
webhook_path = common_utils.get_uuid4()
pm_securityCheckWebhook.create(trace_id, security_check_webhook_id,
webhook_path, user_id, email,
organization_id, project_id, 3)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_DB_403,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
response = common_utils.get_response_by_response_body(
HTTPStatus.CREATED, {'webhookPath': webhook_path})
return common_utils.response(response, pm_logger)
def get_project(trace_id, project_id, organization_id):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
project = pm_projects.get_projects_by_organization_id(
trace_id, project_id, organization_id, convert_response=True)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# 組織情報を取得します。
if (not project):
return common_utils.error_common(MsgConst.ERR_301,
HTTPStatus.NOT_FOUND, pm_logger)
# data response
response = common_utils.get_response_by_response_body(
HTTPStatus.OK, project[0])
return common_utils.response(response, pm_logger)
def get_security_check_webhook_by_ids(trace_id, user_id, organization_id,
project_id):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
webhook = None
# リソース関連性のバリデーションチェックを行います。
try:
project = pm_projects.get_projects_by_organization_id(
trace_id, project_id, organization_id)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
if not project:
return common_utils.error_common(
MsgConst.ERR_AWS_401, HTTPStatus.UNPROCESSABLE_ENTITY, pm_logger)
try:
webhooks = pm_securityCheckWebhook.query_project_index(
trace_id, project_id, user_id)
if webhooks:
webhook = pm_securityCheckWebhook.query_key(
trace_id,
webhooks[0]['SecurityCheckWebhookID'],
convert_response=True)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
if not webhook:
return common_utils.error_common(MsgConst.ERR_301,
HTTPStatus.NOT_FOUND, pm_logger)
response = common_utils.get_response_by_response_body(
HTTPStatus.OK, webhook)
return response
def update_project(trace_id, project_id, organization_id, data_body):
# Get logging
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
# Parse JSON
try:
body_object = json.loads(data_body)
project_name = body_object["name"]
description = body_object["description"]
except Exception as e:
return common_utils.error_exception(MsgConst.ERR_REQUEST_202,
HTTPStatus.BAD_REQUEST, e,
pm_logger, True)
# Validate
list_error = validate_project(trace_id, project_name)
if list_error:
return common_utils.error_validate(MsgConst.ERR_REQUEST_201,
HTTPStatus.UNPROCESSABLE_ENTITY,
list_error, pm_logger)
# Get project
try:
project_item = pm_projects.get_projects_by_organization_id(
trace_id, project_id, organization_id)
except PmError as err:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
err, pm_logger, True)
if not project_item:
return common_utils.error_common(MsgConst.ERR_301,
HTTPStatus.NOT_FOUND, pm_logger)
# update project
if common_utils.is_null(description):
description = None
attribute = {
'ProjectName': {
"Value": project_name
},
'Description': {
"Value": description
}
}
updated_at = project_item[0]['UpdatedAt']
try:
pm_projects.update_project(trace_id, project_id, attribute, updated_at)
except PmError as err:
return common_utils.error_exception(MsgConst.ERR_DB_404,
HTTPStatus.INTERNAL_SERVER_ERROR,
err, pm_logger, True)
# Get data update
try:
project_result = pm_projects.get_projects(trace_id,
project_id,
convert_response=True)
except PmError as err:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
err, pm_logger, True)
response = common_utils.get_response_by_response_body(
HTTPStatus.OK, project_result[0])
# return data response
return common_utils.response(response, pm_logger)
def create_report(trace_id, email, organization_id, project_id, data_body):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
project = pm_projects.get_projects_by_organization_id(
trace_id, project_id, organization_id)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# 組織情報を取得します。
if (not project):
return common_utils.error_common(MsgConst.ERR_AWS_401,
HTTPStatus.UNPROCESSABLE_ENTITY,
pm_logger)
# Parse JSON
try:
body_object = json.loads(data_body)
report_name = body_object["name"]
aws_accounts = body_object["awsAccounts"]
output_file_type = body_object["outputFileType"]
except Exception as e:
return common_utils.error_exception(MsgConst.ERR_REQUEST_202,
HTTPStatus.BAD_REQUEST, e,
pm_logger, True)
# Validate
list_error = validate_report(trace_id, report_name, aws_accounts,
output_file_type)
if list_error:
return common_utils.error_validate(MsgConst.ERR_REQUEST_201,
HTTPStatus.UNPROCESSABLE_ENTITY,
list_error, pm_logger)
# Create report
report_id = common_utils.get_uuid4()
status = Status.Waiting.value
html_output_status = Status.Waiting.value
excel_output_status = Status.Waiting.value
schema_version = CommonConst.SCHEMA_VERSION
try:
pm_reports.create_report(trace_id, report_id, report_name, email,
aws_accounts, status, None, None, None,
html_output_status, None, None,
excel_output_status, None, None,
schema_version, organization_id, project_id)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_DB_403,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# AWS利用状況情報収集ジョブの設定
# レポート中間ファイル作成ジョブの設定
# レポート出力ジョブの設定
codes = [
'COLLECT_AWS_RESOURCE_INFO', 'OUTPUT_REPORT_JSON',
'OUTPUT_REPORT_EXCEL'
]
job_id = []
for code in codes:
response, job_id = job_report(trace_id, email, report_id, code, job_id)
if response:
# Delete report
pm_reports.delete_reports(trace_id, report_id)
return response
try:
report = pm_reports.query_report(trace_id, report_id, True)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# return data response
response = common_utils.get_response_by_response_body(
HTTPStatus.CREATED, report)
return common_utils.response(response, pm_logger)
def get_security_check_detail(trace_id,
organization_id,
project_id,
check_history_id=None,
group_filter=None):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
# リソース関連性のバリデーションチェックを行います。
try:
project = pm_projects.get_projects_by_organization_id(
trace_id, project_id, organization_id)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
if (not project):
return common_utils.error_common(
MsgConst.ERR_AWS_401, HTTPStatus.UNPROCESSABLE_ENTITY, pm_logger)
# 最新チェック結果のチェック履歴ID CheckHistoryIDを取得します。
if check_history_id is None:
try:
lastest_check_result = pm_latestCheckResult.query_key(
trace_id, project_id, organization_id)
except PmError as e:
return common_utils.error_exception(
MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e,
pm_logger, True)
if (not lastest_check_result):
response = common_utils.get_response_by_response_body(
HTTPStatus.OK, [])
return common_utils.response(response, pm_logger)
check_history_id = lastest_check_result["CheckHistoryID"]
else:
try:
lastest_check_result = pm_latestCheckResult.query_key_by_check_history_id(
trace_id, project_id, organization_id, check_history_id)
except PmError as e:
return common_utils.error_exception(
MsgConst.ERR_402, HTTPStatus.INTERNAL_SERVER_ERROR, e,
pm_logger, True)
if (not lastest_check_result):
return common_utils.error_common(MsgConst.ERR_301,
HTTPStatus.NOT_FOUND, pm_logger)
# チェック結果詳細情報を取得します。
try:
if common_utils.is_null(group_filter) is True:
check_result_items = pm_checkResultItems.get_security_check_detail(
trace_id, check_history_id)
else:
check_result_items = pm_checkResultItems.get_security_check_detail(
trace_id, check_history_id,
CommonConst.GROUP_FILTER_TEMPLATE.format(group_filter))
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
if (not check_result_items):
response = common_utils.get_response_by_response_body(
HTTPStatus.OK, [])
return common_utils.response(response, pm_logger)
# 個別チェック結果レコードに対して、各チェック結果に作成されたチェック結果ファイルを取得する。
response_body = []
for check_result_item in check_result_items:
try:
data = FileUtils.read_json(trace_id, "S3_CHECK_BUCKET",
check_result_item["ResultJsonPath"])
except PmError as e:
if e.cause_error.response['Error'][
'Code'] == CommonConst.NO_SUCH_KEY:
return common_utils.error_exception(
MsgConst.ERR_S3_702, HTTPStatus.INTERNAL_SERVER_ERROR, e,
pm_logger, True)
else:
return common_utils.error_exception(
MsgConst.ERR_S3_709, HTTPStatus.INTERNAL_SERVER_ERROR, e,
pm_logger, True)
response_body.append(get_response_body(check_result_item, data))
# return response data
response = common_utils.get_response_by_response_body(
HTTPStatus.OK, response_body)
return common_utils.response(response, pm_logger)
def list_item_settings(trace_id, organization_id, project_id, coop_id,
group_filter):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
# リソース関連性のバリデーションチェックを行います。
# プロジェクトテーブルに、プロジェクトID{project_id}をキーとしてクエリを実行します。
try:
project = pm_projects.get_projects_by_organization_id(
trace_id, project_id, organization_id)
except Exception as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# プロジェクトに該当レコードが存在しなかった場合(取得件数が0件)
if (not project):
return common_utils.error_common(MsgConst.ERR_AWS_401,
HTTPStatus.UNPROCESSABLE_ENTITY,
pm_logger)
# AWSアカウントAWSAccountは、AWSアカウント連携テーブルに、AWSアカウント連携ID{coop_id}をキーとしてクエリを実行します。
try:
awscoops_item = pm_awsAccountCoops.query_awscoop_coop_key(
trace_id, coop_id)
except Exception as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# 有効なAWSアカウントが存在しなかった場合(取得件数が0件)
if (not awscoops_item):
return common_utils.error_common(MsgConst.ERR_AWS_401,
HTTPStatus.UNPROCESSABLE_ENTITY,
pm_logger)
# チェック項目除外情報を取得します。
account_refine_code = CommonConst.ACCOUNT_REFINE_CODE.format(
organization_id, project_id, awscoops_item['AWSAccount'])
try:
exclusion_items = pm_exclusionitems.query_filter_account_refine_code(
trace_id, account_refine_code, group_filter)
except Exception as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# マニュアル評価情報を取得します。
try:
assessment_items = pm_assessmentItems.query_filter_account_refine_code(
trace_id, account_refine_code, group_filter)
except Exception as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# リソース除外情報を取得します。
try:
exclusion_resources = pm_exclusionResources.query_filter_account_refine_code(
trace_id, account_refine_code, group_filter)
except Exception as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# メンバーズ加入アカウントの確認をします
members = common_utils.get_value('Members', awscoops_item, Members.Disable)
if (isinstance(members, Decimal)):
members = int(members)
# セキュリティチェック項目設定一覧の配列を作成します。
security_item_settings = []
list_check_item_code_exclusion = jmespath.search('[*].CheckItemCode',
exclusion_items)
list_check_item_code_assessment = jmespath.search('[*].CheckItemCode',
assessment_items)
list_check_item_code_exclusion_resource = jmespath.search(
'[*].CheckItemCode', exclusion_resources)
for check_item_code in LIST_CHECK_ITEM_CODE:
# リクエストパラメータgroupFilterにてフィルタ文字列が指定されていた場合、その文字列に該当するチェック項目コードを持つチェックだけ配列へ含めます。
if (common_utils.is_null(group_filter) is False
and group_filter not in check_item_code):
continue
# マネージド項目有無managedFlag
managed_flag = ManagedFlag.NotManaged
if (check_item_code in LIST_CHECK_ITEM_CODE_MANAGED):
if members == Members.Enable:
managed_flag = ManagedFlag.Managed
# チェック項目除外有無exclusionFlag
exclusion_flag = ExclusionFlag.Disable
if (check_item_code in list_check_item_code_exclusion):
exclusion_flag = ExclusionFlag.Enable
# マニュアル評価設定有無assessmentFlag
assessment_flag = AssessmentFlag.NotManual
if (check_item_code in LIST_CHECK_ITEM_CODE_ASSESSMENT):
assessment_flag = AssessmentFlag.NotAssessment
if (check_item_code in list_check_item_code_assessment):
assessment_flag = AssessmentFlag.Assessment
# リソース除外設定有無excludedResourceFlag
excluded_resource_flag = ExcludedResourceFlag.Other
if (check_item_code in LIST_CHECK_ITEM_CODE_EXCLUDED_RESOURCE):
excluded_resource_flag = ExcludedResourceFlag.Disable
if (check_item_code in list_check_item_code_exclusion_resource):
excluded_resource_flag = ExcludedResourceFlag.Enable
security_item_setting = {
"checkItemCode": check_item_code,
"managedFlag": managed_flag,
"exclusionFlag": exclusion_flag,
"assessmentFlag": assessment_flag,
"excludedResourceFlag": excluded_resource_flag
}
security_item_settings.append(security_item_setting)
# 作成したSecurityItemSettingの配列をレスポンスとして作成します。
response = common_utils.get_response_by_response_body(
HTTPStatus.OK, security_item_settings)
return common_utils.response(response, pm_logger)
