    def __init__(self, name, definition, amazon, templates=None):
        """Record the role's inputs and prepare empty statement lists.

        :param name: Role name; any ``/`` in it becomes ``__`` in the
            derived inline policy name.
        :param definition: Dict describing the role.
        :param amazon: Object exposing ``account_id`` and ``accounts``; it is
            also handed to ``AmazonRoles``.
        :param templates: Optional mapping of reusable definitions; may be None.
        """
        self.name = name
        self.definition = definition
        self.templates = templates
        self.amazon = amazon

        # The role name may carry path separators; the policy name is
        # flattened, presumably because "/" is not a valid policy-name
        # character -- confirm against the IAM naming rules.
        flat_name = name.replace("/", "__")
        self.policy_name = "syncr_policy_{0}".format(flat_name)

        self.statements = Statements(name, "role", amazon.account_id, amazon.accounts)
        self.amazon_roles = AmazonRoles(amazon)

        # Statement buckets; presumably populated later by setup()
        self.trust, self.distrust, self.permission = [], [], []
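class Role(object):
    """An IAM role described by a ``definition`` dict and synced to AWS.

    Life cycle: ``__init__`` -> ``setup`` -> ``resolve``. ``setup`` validates
    the definition and expands it into trust and permission statements;
    ``resolve`` creates or modifies the role in AWS so that it carries the
    trust document and the single inline policy built from those statements.
    """

    def __init__(self, name, definition, amazon, templates=None):
        """Record the inputs and create empty statement buckets.

        :param name: Role name; any ``/`` in it is rewritten to ``__`` in
            the derived inline policy name.
        :param definition: Dict describing the role. Keys read by this class:
            ``use``, ``description``, ``allow_to_assume_me``,
            ``disallow_to_assume_me``, ``permission``, ``allow_permission``,
            ``deny_permission``, ``make_instance_profile``.
        :param amazon: Object exposing ``account_id`` and ``accounts``; it is
            also handed to ``AmazonRoles``.
        :param templates: Optional mapping of template name to definition,
            consulted when ``definition`` has a ``use`` key. May be None.
        """
        self.name = name
        self.templates = templates
        self.definition = definition
        self.statements = Statements(name, "role", amazon.account_id, amazon.accounts)
        self.policy_name = "syncr_policy_{0}".format(self.name.replace("/", "__"))

        self.amazon = amazon
        self.amazon_roles = AmazonRoles(amazon)

        # Filled in by setup()
        self.trust = []
        self.distrust = []
        self.permission = []

    def setup(self):
        """Raise errors if the definition doesn't make sense.

        Applies the template named by ``definition["use"]`` (if any), then
        expands the trust and permission sections into statements.

        :raises NoTemplates: ``use`` was given but no templates were supplied.
        :raises CantFindTemplate: ``use`` names a template that isn't known.
        """
        if "use" in self.definition:
            template = self.definition["use"]
            # ``self.templates`` may be None, so compute the list of known
            # names defensively: calling ``self.templates.keys()`` on None
            # raised AttributeError before NoTemplates could be reported.
            available = list(self.templates.keys()) if self.templates else []
            if not self.templates:
                raise NoTemplates(name=self.name, looking_for_template=template, available=available)

            if template not in self.templates:
                raise CantFindTemplate(name=self.name, looking_for_template=template, available=available)

            self.definition = MergedOptions.using(self.templates[template], self.definition)

        self.description = self.definition.get("description", "No description provided!")

        # Trust statements decide which principals may assume this role;
        # ``disallow_to_assume_me`` entries are expanded with allow=False.
        for statement in listified(self.definition, "allow_to_assume_me"):
            self.trust.extend(self.statements.expand_trust_statement(statement, allow=True))

        for statement in listified(self.definition, "disallow_to_assume_me"):
            self.distrust.extend(self.statements.expand_trust_statement(statement, allow=False))

        # ``permission`` is passed through with allow=None (Statements decides
        # the effect); the other two keys force allow=True / allow=False.
        for key, default_allow in (("permission", None), ("allow_permission", True), ("deny_permission", False)):
            for policy in listified(self.definition, key):
                self.permission.extend(self.statements.make_permission_statements(policy, allow=default_allow))

    def resolve(self):
        """Make sure this role exists and has only what policies we want it to have.

        Both documents are built before any AWS call so that an invalid
        statement fails early. A missing role is created, an existing one is
        modified in place; either document may be None when the matching
        section of the definition was empty. An instance profile is created
        afterwards when ``make_instance_profile`` is truthy in the definition.
        """
        # Get the permission and trust document
        # Make sure they're both valid before continuing
        trust_document = self.make_trust_document(self.trust, self.distrust)
        permission_document = self.make_permission_document(self.permission)

        role_info = self.amazon_roles.role_info(self.name)
        if not role_info:
            self.amazon_roles.create_role(self.name, trust_document, policies={self.policy_name: permission_document})
        else:
            self.amazon_roles.modify_role(role_info, self.name, trust_document, policies={self.policy_name: permission_document})

        if self.definition.get("make_instance_profile"):
            self.amazon_roles.make_instance_profile(self.name)

    def make_trust_document(self, trust, distrust):
        """Make a document for trust or None if no trust or distrust.

        :param trust: Statements granting assume-role access (may be None).
        :param distrust: Statements denying assume-role access (may be None).
        :returns: ``statements.make_document`` of the concatenated lists,
            trust first, or None when both are empty.
        """
        if not trust and not distrust:
            return

        return self.statements.make_document((trust or []) + (distrust or []))

    def make_permission_document(self, permissions):
        """Return a document for these permissions, or None if no permissions.

        :param permissions: Permission statements as produced by ``setup``.
        :returns: ``statements.make_document(permissions)``, or None when the
            list is empty.
        """
        if not permissions:
            return
        return self.statements.make_document(permissions)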
 def resolve(self):
     """Remove the role.

     Deletes the role named ``self.name`` through a freshly built
     ``AmazonRoles`` wrapper around ``self.amazon``; nothing is returned.
     """
     roles = AmazonRoles(self.amazon)
     roles.remove_role(self.name)