def opt_out(dynamo_table, message):
if CONFIG:
opt_out_period = CONFIG.get("opt_out_period_days", 90)
else:
opt_out_period = 90
if not message.reason or not message.requestor:
return ResponderReturn(
successful=False,
return_message="Reason and requestor must be specified")
role_id = dynamo.find_role_in_cache(dynamo_table, message.account,
message.role_name)
if not role_id:
return ResponderReturn(
successful=False,
return_message="Unable to find role {} in account {}".format(
message.role_name, message.account),
)
role_data = dynamo.get_role_data(dynamo_table, role_id, fields=["OptOut"])
if "OptOut" in role_data and role_data["OptOut"]:
timestr = time.strftime("%m/%d/%y",
time.localtime(role_data["OptOut"]["expire"]))
return ResponderReturn(
successful=False,
return_message=
("Role {} in account {} is already opted out by {} for reason {} "
"until {}".format(
message.role_name,
message.account,
role_data["OptOut"]["owner"],
role_data["OptOut"]["reason"],
timestr,
)),
)
else:
current_dt = datetime.datetime.fromtimestamp(time.time())
expire_dt = current_dt + datetime.timedelta(opt_out_period)
expire_epoch = int(
(expire_dt - datetime.datetime(1970, 1, 1)).total_seconds())
new_opt_out = {
"owner": message.requestor,
"reason": message.reason,
"expire": expire_epoch,
}
dynamo.set_role_data(dynamo_table, role_id, {"OptOut": new_opt_out})
return ResponderReturn(
successful=True,
return_message="Role {} in account {} opted-out until {}".format(
message.role_name, message.account,
expire_dt.strftime("%m/%d/%y")),
)
def opt_out(dynamo_table, message):
if CONFIG:
opt_out_period = CONFIG.get('opt_out_period_days', 90)
else:
opt_out_period = 90
if not message.reason or not message.requestor:
return ResponderReturn(
successful=False,
return_message='Reason and requestor must be specified')
role_id = dynamo.find_role_in_cache(dynamo_table, message.account,
message.role_name)
if not role_id:
return ResponderReturn(
successful=False,
return_message='Unable to find role {} in account {}'.format(
message.role_name, message.account))
role_data = dynamo.get_role_data(dynamo_table, role_id, fields=['OptOut'])
if 'OptOut' in role_data and role_data['OptOut']:
timestr = time.strftime('%m/%d/%y',
time.localtime(role_data['OptOut']['expire']))
return ResponderReturn(
successful=False,
return_message=
('Role {} in account {} is already opted out by {} for reason {} '
'until {}'.format(message.role_name, message.account,
role_data['OptOut']['owner'],
role_data['OptOut']['reason'], timestr)))
else:
current_dt = datetime.datetime.fromtimestamp(time.time())
expire_dt = current_dt + datetime.timedelta(opt_out_period)
expire_epoch = int(
(expire_dt - datetime.datetime(1970, 1, 1)).total_seconds())
new_opt_out = {
'owner': message.requestor,
'reason': message.reason,
'expire': expire_epoch
}
dynamo.set_role_data(dynamo_table, role_id, {'OptOut': new_opt_out})
return ResponderReturn(
successful=True,
return_message='Role {} in account {} opted-out until {}'.format(
message.role_name, message.account,
expire_dt.strftime('%m/%d/%y')))
from collections import namedtuple
import datetime
import time
from repokid import CONFIG
from repokid import _get_hooks
import repokid.cli.repokid_cli as cli
import repokid.utils.dynamo as dynamo
import repokid.utils.roledata as roledata
ResponderReturn = namedtuple('ResponderReturn', 'successful, return_message')
if CONFIG:
hooks = _get_hooks(CONFIG.get('hooks', ['repokid.hooks.loggers']))
else:
hooks = ['repokid.hooks.loggers']
def implements_command(command):
def _implements_command(func):
if not hasattr(func, "_implements_command"):
func._implements_command = command
return func
return _implements_command
@implements_command('list_repoable_services')
def list_repoable_services(dynamo_table, message):
role_id = dynamo.find_role_in_cache(dynamo_table, message.account,
message.role_name)
from collections import namedtuple
import datetime
import time
from repokid import CONFIG
from repokid import get_hooks
import repokid.commands.repo
import repokid.utils.dynamo as dynamo
import repokid.utils.roledata as roledata
ResponderReturn = namedtuple("ResponderReturn", "successful, return_message")
if CONFIG:
hooks = get_hooks(CONFIG.get("hooks", ["repokid.hooks.loggers"]))
else:
hooks = ["repokid.hooks.loggers"]
def implements_command(command):
def _implements_command(func):
if not hasattr(func, "_implements_command"):
func._implements_command = command
return func
return _implements_command
@implements_command("list_repoable_services")
def list_repoable_services(dynamo_table, message):
role_id = dynamo.find_role_in_cache(dynamo_table, message.account,
message.role_name)
"""
Get a list of all role IDs for all accounts by scanning the Dynamo table
Args:
dynamo_table (Table)
Returns:
list: role ids in all accounts
"""
table = dynamo_table or ROLE_TABLE
role_ids: List[str] = []
response = table.scan(ProjectionExpression="Arn")
role_ids.extend([str(role_dict["Arn"]) for role_dict in response["Items"]])
while "LastEvaluatedKey" in response:
response = table.scan(
ProjectionExpression="Arn",
ExclusiveStartKey=response["LastEvaluatedKey"],
)
role_ids.extend([str(role_dict["Arn"]) for role_dict in response["Items"]])
return role_ids
dynamodb_config = CONFIG.get("dynamo_db")
if dynamodb_config:
ROLE_TABLE = dynamo_get_or_create_table(**CONFIG["dynamo_db"])
else:
logger.warning("No DynamoDB config found; not creating table")
ROLE_TABLE = None
from collections import namedtuple
from typing import Callable
from repokid import CONFIG
from repokid import get_hooks
from repokid.commands.repo import _rollback_role
from repokid.dispatcher.types import Message
from repokid.role import Role
from repokid.utils.dynamo import find_role_in_cache
from repokid.utils.permissions import get_permissions_in_policy
from repokid.utils.permissions import get_services_and_permissions_from_repoable
ResponderReturn = namedtuple("ResponderReturn", "successful, return_message")
if CONFIG:
hooks_list = CONFIG.get("hooks", ["repokid.hooks.loggers"])
else:
hooks_list = ["repokid.hooks.loggers"]
hooks = get_hooks(hooks_list)
DispatcherCommand = Callable[[Message], ResponderReturn]
def implements_command(
command: str, ) -> Callable[[DispatcherCommand], DispatcherCommand]:
def _implements_command(func: DispatcherCommand) -> DispatcherCommand:
if not hasattr(func, "_implements_command"):
setattr(func, "_implements_command", command)
return func
return _implements_command
def opt_out(message: Message) -> ResponderReturn:
if CONFIG:
opt_out_period = CONFIG.get("opt_out_period_days", 90)
else:
opt_out_period = 90
if not message.reason or not message.requestor:
return ResponderReturn(
successful=False, return_message="Reason and requestor must be specified"
)
role_id = find_role_in_cache(message.role_name, message.account)
if not role_id:
return ResponderReturn(
successful=False,
return_message="Unable to find role {} in account {}".format(
message.role_name, message.account
),
)
role = Role(role_id=role_id)
role.fetch(fields=["OptOut"])
if role.opt_out:
timestr = time.strftime("%m/%d/%y", time.localtime(role.opt_out["expire"]))
return ResponderReturn(
successful=False,
return_message=(
"Role {} in account {} is already opted out by {} for reason {} "
"until {}".format(
message.role_name,
message.account,
role.opt_out["owner"],
role.opt_out["reason"],
timestr,
)
),
)
else:
current_dt = datetime.datetime.fromtimestamp(time.time())
expire_dt = current_dt + datetime.timedelta(opt_out_period)
expire_epoch = int((expire_dt - datetime.datetime(1970, 1, 1)).total_seconds())
new_opt_out = {
"owner": message.requestor,
"reason": message.reason,
"expire": expire_epoch,
}
role.opt_out = new_opt_out
try:
role.store(fields=["opt_out"])
except RoleStoreError:
return ResponderReturn(
successful=False,
return_message=f"Failed to opt out role {message.role_name} in account {message.account}",
)
return ResponderReturn(
successful=True,
return_message="Role {} in account {} opted-out until {}".format(
message.role_name, message.account, expire_dt.strftime("%m/%d/%y")
),
)