Пример #1
    def get_endpoint_certificate_names(self, endpoint):
        """Collect the names of the certificates attached to an endpoint's listeners.

        The account number is read from the endpoint's source options and the
        region is derived from the endpoint's DNS name. ``elb`` endpoints are
        read from their listener descriptions, ``elbv2`` endpoints from their
        listener list.

        :param endpoint: object exposing ``source.options``, ``dnsname``,
            ``type`` and ``name``
        :return: list of certificate names, in the order the listeners were returned
        """
        source_options = endpoint.source.options
        account_number = self.get_option("accountNumber", source_options)
        region = get_region_from_dns(endpoint.dnsname)
        names = []

        # NOTE(review): an endpoint type other than "elb"/"elbv2" falls through
        # both branches and yields [], which a caller cannot distinguish from
        # "no certificate attached" - confirm that is intended.
        if endpoint.type == "elb":
            described = elb.get_elbs(
                account_number=account_number,
                region=region,
                LoadBalancerNames=[endpoint.name],
            )
            for balancer in described["LoadBalancerDescriptions"]:
                for description in balancer["ListenerDescriptions"]:
                    certificate_id = description.get("Listener").get("SSLCertificateId")
                    if certificate_id:
                        # Listeners with no SSLCertificateId contribute nothing.
                        names.append(iam.get_name_from_arn(certificate_id))
        elif endpoint.type == "elbv2":
            described = elb.describe_listeners_v2(
                account_number=account_number,
                region=region,
                LoadBalancerArn=elb.get_load_balancer_arn_from_endpoint(
                    endpoint.name,
                    account_number=account_number,
                    region=region,
                ),
            )
            for listener in described["Listeners"]:
                # A missing or empty "Certificates" entry means nothing to record.
                for certificate in listener.get("Certificates") or []:
                    names.append(iam.get_name_from_arn(certificate["CertificateArn"]))

        return names
Пример #2
    def get_endpoint_certificate_names(self, endpoint):
        """Return the names of the certificates currently attached to *endpoint*.

        Handled endpoint types are ``elb``, ``elbv2`` and ``cloudfront``. Any
        other type raises rather than returning an empty list, so an
        unsupported endpoint is never reported as "no certificates".

        :param endpoint: object exposing ``source.options``, ``dnsname``,
            ``type`` and ``name``
        :return: list of certificate names
        :raises NotImplementedError: when ``endpoint.type`` is not handled here
        """
        account_number = self.get_option("accountNumber", endpoint.source.options)
        region = get_region_from_dns(endpoint.dnsname)
        found = []

        if endpoint.type == "elb":
            described = elb.get_elbs(
                account_number=account_number,
                region=region,
                LoadBalancerNames=[endpoint.name],
            )
            for balancer in described["LoadBalancerDescriptions"]:
                for entry in balancer["ListenerDescriptions"]:
                    certificate_id = entry.get("Listener").get("SSLCertificateId")
                    if not certificate_id:
                        # No certificate on this listener.
                        continue
                    found.append(iam.get_name_from_arn(certificate_id))
        elif endpoint.type == "elbv2":
            described = elb.describe_listeners_v2(
                account_number=account_number,
                region=region,
                LoadBalancerArn=elb.get_load_balancer_arn_from_endpoint(
                    endpoint.name,
                    account_number=account_number,
                    region=region,
                ),
            )
            for listener in described["Listeners"]:
                for certificate in listener.get("Certificates") or []:
                    found.append(iam.get_name_from_arn(certificate["CertificateArn"]))
        elif endpoint.type == "cloudfront":
            # The distribution is resolved to an endpoint record through the
            # account's certificate id -> name mapping.
            id_to_name = iam.get_certificate_id_to_name(account_number=account_number)
            distribution = cloudfront.get_distribution(
                account_number=account_number,
                distribution_id=endpoint.name,
            )
            record = get_distribution_endpoint(account_number, id_to_name, distribution)
            if record:
                found.append(record["certificate_name"])
        else:
            raise NotImplementedError()

        return found
Пример #3
def get_elb_endpoints_v2(account_number, region, elb_dict):
    """
    Build endpoint records for the certificate-bearing listeners of an elbv2 load balancer.

    Listeners whose 'Certificates' entry is missing or empty are skipped.

    :param account_number: account used for the listener and SSL policy lookups
    :param region: region used for the listener and SSL policy lookups
    :param elb_dict: load balancer description; the keys read here are
        LoadBalancerArn, LoadBalancerName and DNSName
    :return: list of endpoint dicts with name, dnsname, type, port,
        certificate_name and, when the listener has an SslPolicy, policy
    """
    listeners = elb.describe_listeners_v2(
        account_number=account_number,
        region=region,
        LoadBalancerArn=elb_dict['LoadBalancerArn'],
    )

    endpoints = []
    for listener in listeners['Listeners']:
        certificates = listener.get('Certificates')
        if not certificates:
            continue

        # NOTE(review): the record is rebuilt for every certificate and only
        # the last one is appended below, so a listener that reports several
        # certificates is inventoried with just one - confirm the listing
        # carries a single certificate per listener.
        for certificate in certificates:
            endpoint = {
                'name': elb_dict['LoadBalancerName'],
                'dnsname': elb_dict['DNSName'],
                'type': 'elbv2',
                'port': listener['Port'],
                'certificate_name': iam.get_name_from_arn(certificate['CertificateArn']),
            }

        ssl_policy = listener['SslPolicy']
        if ssl_policy:
            policy = elb.describe_ssl_policies_v2(
                [ssl_policy],
                account_number=account_number,
                region=region,
            )
            endpoint['policy'] = format_elb_cipher_policy_v2(policy)

        endpoints.append(endpoint)

    return endpoints
Пример #4
def get_elb_endpoints(account_number, region, elb_dict):
    """
    Build endpoint records for the certificate-bearing listeners of a classic ELB.

    A listener is left out when it has no SSLCertificateId or when that id is
    the literal 'Invalid-Certificate'.

    :param account_number: account used for the load balancer policy lookup
    :param region: region used for the load balancer policy lookup
    :param elb_dict: load balancer description; the keys read here are
        ListenerDescriptions, LoadBalancerName and DNSName
    :return: list of endpoint dicts with name, dnsname, type, port,
        certificate_name and, when the listener names policies, policy
    """
    endpoints = []
    for description in elb_dict['ListenerDescriptions']:
        listener = description['Listener']
        certificate_id = listener.get('SSLCertificateId')
        if not certificate_id or certificate_id == 'Invalid-Certificate':
            continue

        endpoint = {
            'name': elb_dict['LoadBalancerName'],
            'dnsname': elb_dict['DNSName'],
            'type': 'elb',
            'port': listener['LoadBalancerPort'],
            'certificate_name': iam.get_name_from_arn(certificate_id),
        }

        policy_names = description['PolicyNames']
        if policy_names:
            # The policy is attached only when the listener names at least one.
            policy = elb.describe_load_balancer_policies(
                elb_dict['LoadBalancerName'],
                policy_names,
                account_number=account_number,
                region=region,
            )
            endpoint['policy'] = format_elb_cipher_policy(policy)

        endpoints.append(endpoint)

    return endpoints
Пример #5
def get_elb_endpoints_v2(account_number, region, elb_dict):
    """
    Turn the listeners of one elbv2 load balancer into endpoint records.

    Only listeners with a non-empty 'Certificates' entry produce a record.

    :param account_number: account used for the listener and SSL policy lookups
    :param region: region used for the listener and SSL policy lookups
    :param elb_dict: load balancer description; the keys read here are
        LoadBalancerArn, LoadBalancerName and DNSName
    :return: list of endpoint dicts with name, dnsname, type, port,
        certificate_name and, when the listener has an SslPolicy, policy
    """
    described = elb.describe_listeners_v2(
        account_number=account_number,
        region=region,
        LoadBalancerArn=elb_dict['LoadBalancerArn'],
    )

    endpoints = []
    for listener in described['Listeners']:
        listener_certificates = listener.get('Certificates')
        if listener_certificates:
            # NOTE(review): each pass overwrites `endpoint`, so only the last
            # certificate of the listener ends up in the inventory - confirm
            # that a listener never reports more than one here.
            for certificate in listener_certificates:
                certificate_arn = certificate['CertificateArn']
                endpoint = dict(
                    name=elb_dict['LoadBalancerName'],
                    dnsname=elb_dict['DNSName'],
                    type='elbv2',
                    port=listener['Port'],
                    certificate_name=iam.get_name_from_arn(certificate_arn),
                )

            policy_name = listener['SslPolicy']
            if policy_name:
                described_policy = elb.describe_ssl_policies_v2(
                    [policy_name],
                    account_number=account_number,
                    region=region,
                )
                endpoint['policy'] = format_elb_cipher_policy_v2(described_policy)

            endpoints.append(endpoint)

    return endpoints
Пример #6
def get_elb_endpoints(account_number, region, elb_dict):
    """
    Turn the listeners of one classic ELB into endpoint records.

    A listener is left out when it has no SSLCertificateId or when that id is
    the literal 'Invalid-Certificate'. Every record that is kept is written to
    the application's debug log before it is added to the result.

    :param account_number: account used for the load balancer policy lookup
    :param region: region used for the load balancer policy lookup
    :param elb_dict: load balancer description; the keys read here are
        ListenerDescriptions, LoadBalancerName and DNSName
    :return: list of endpoint dicts with name, dnsname, type, port,
        certificate_name and, when the listener names policies, policy
    """
    balancer_name = elb_dict_name = None  # placeholders replaced per listener below
    endpoints = []
    for description in elb_dict['ListenerDescriptions']:
        listener = description['Listener']
        certificate_id = listener.get('SSLCertificateId')
        if not certificate_id:
            continue
        if certificate_id == 'Invalid-Certificate':
            continue

        endpoint = {
            'name': elb_dict['LoadBalancerName'],
            'dnsname': elb_dict['DNSName'],
            'type': 'elb',
            'port': listener['LoadBalancerPort'],
            'certificate_name': iam.get_name_from_arn(certificate_id),
        }

        policy_names = description['PolicyNames']
        if policy_names:
            policy = elb.describe_load_balancer_policies(
                elb_dict['LoadBalancerName'],
                policy_names,
                account_number=account_number,
                region=region,
            )
            endpoint['policy'] = format_elb_cipher_policy(policy)

        # The whole record, including any formatted policy, goes to the debug log.
        current_app.logger.debug("Found new endpoint. Endpoint: {}".format(endpoint))

        endpoints.append(endpoint)

    return endpoints
Пример #7
def test_get_name_from_arn():
    """get_name_from_arn yields the bare certificate name for each ARN layout below.

    Covered layouts: an IAM server-certificate ARN with no path, with a
    ``cloudfront/`` path, with a ``cloudfront/2/`` path, and an ACM-style ARN
    that carries a region.
    """
    from lemur.plugins.lemur_aws.iam import get_name_from_arn

    expected_name = "tttt2.netflixtest.net-NetflixInc-20150624-20150625"
    arns = (
        "arn:aws:iam::123456789012:server-certificate/tttt2.netflixtest.net-NetflixInc-20150624-20150625",
        "arn:aws:iam::123456789012:server-certificate/cloudfront/tttt2.netflixtest.net-NetflixInc-20150624-20150625",
        "arn:aws:iam::123456789012:server-certificate/cloudfront/2/tttt2.netflixtest.net-NetflixInc-20150624-20150625",
        "arn:aws:acm:us-west-2:123456789012:server-certificate/tttt2.netflixtest.net-NetflixInc-20150624-20150625",
    )

    # Same checks, same order; the first mismatch still fails the test.
    for arn in arns:
        assert get_name_from_arn(arn) == expected_name
Пример #8
 def get_certificates(self, options, **kwargs):
     """Return one record per server certificate listed for the configured account.

     The account number is read from *options* under 'accountNumber'. Each
     record holds the certificate body, its chain and the name derived from
     the certificate's ARN. ``kwargs`` is accepted but not used here.

     :param options: source options passed to ``self.get_option``
     :return: list of dicts with the keys body, chain and name
     """
     account_number = self.get_option('accountNumber', options)
     found = []
     # One body/chain lookup is made per ARN; an error on any of them
     # propagates and no partial list is returned.
     for server_cert_arn in iam.get_all_server_certs(account_number):
         body, chain = iam.get_cert_from_arn(server_cert_arn)
         found.append({
             'body': body,
             'chain': chain,
             'name': iam.get_name_from_arn(server_cert_arn),
         })
     return found
Пример #9
 def get_certificates(self, options, **kwargs):
     """Return one record per server certificate listed for the configured account.

     The account number is looked up in *options* with ``find_value``. Each
     record holds the certificate, its chain and the name derived from the
     certificate's ARN. ``kwargs`` is accepted but not used here.

     :param options: source options searched for 'accountNumber'
     :return: list of dicts with the keys public_certificate,
         intermediate_certificate and name
     """
     account_number = find_value('accountNumber', options)
     records = []
     for server_cert_arn in iam.get_all_server_certs(account_number):
         # Body and chain come from one lookup; the name is parsed from the ARN.
         public_part, chain_part = iam.get_cert_from_arn(server_cert_arn)
         records.append({
             'public_certificate': public_part,
             'intermediate_certificate': chain_part,
             'name': iam.get_name_from_arn(server_cert_arn),
         })
     return records
Пример #10
 def get_certificates(self, options, **kwargs):
     """List the server certificates of the account named in *options*.

     For every ARN returned by ``iam.get_all_server_certs`` the certificate
     and its chain are fetched and the name is derived from the ARN.
     ``kwargs`` is accepted but not used here.

     :param options: source options searched for 'accountNumber'
     :return: list of dicts with the keys public_certificate,
         intermediate_certificate and name
     """
     listed_arns = iam.get_all_server_certs(find_value('accountNumber', options))
     collected = []
     for listed_arn in listed_arns:
         fetched = iam.get_cert_from_arn(listed_arn)
         # get_cert_from_arn is unpacked as exactly (body, chain).
         certificate_body, certificate_chain = fetched
         certificate_name = iam.get_name_from_arn(listed_arn)
         collected.append({
             'public_certificate': certificate_body,
             'intermediate_certificate': certificate_chain,
             'name': certificate_name,
         })
     return collected
Пример #11
 def get_certificates(self, options, **kwargs):
     """List the server certificates of the account named in *options*.

     For every ARN returned by ``iam.get_all_server_certs`` the certificate
     body and chain are fetched and the name is derived from the ARN.
     ``kwargs`` is accepted but not used here.

     :param options: source options passed to ``self.get_option``
     :return: list of dicts with the keys body, chain and name
     """
     listed_arns = iam.get_all_server_certs(self.get_option('accountNumber', options))
     collected = []
     for listed_arn in listed_arns:
         # get_cert_from_arn is unpacked as exactly (body, chain).
         certificate_body, certificate_chain = iam.get_cert_from_arn(listed_arn)
         certificate_name = iam.get_name_from_arn(listed_arn)
         collected.append({
             'body': certificate_body,
             'chain': certificate_chain,
             'name': certificate_name,
         })
     return collected
Пример #12
def get_elb_endpoints(account_number, region, elb_dict):
    """
    Turn the listeners of one classic ELB into endpoint records.

    A listener is left out when it has no SSLCertificateId or when that id is
    the literal "Invalid-Certificate". The certificate name, path and registry
    type are all derived from the listener's SSLCertificateId. Every record
    that is kept is written to the application's debug log.

    :param account_number: account used for the load balancer policy lookup
    :param region: region used for the load balancer policy lookup
    :param elb_dict: load balancer description; the keys read here are
        ListenerDescriptions, LoadBalancerName and DNSName
    :return: list of endpoint dicts with name, dnsname, type, port,
        certificate_name, certificate_path, registry_type and, when the
        listener names policies, policy
    """
    endpoints = []
    for description in elb_dict["ListenerDescriptions"]:
        listener = description["Listener"]
        certificate_id = listener.get("SSLCertificateId")
        if not certificate_id or certificate_id == "Invalid-Certificate":
            continue

        endpoint = {
            "name": elb_dict["LoadBalancerName"],
            "dnsname": elb_dict["DNSName"],
            "type": "elb",
            "port": listener["LoadBalancerPort"],
            "certificate_name": iam.get_name_from_arn(certificate_id),
            "certificate_path": iam.get_path_from_arn(certificate_id),
            "registry_type": iam.get_registry_type_from_arn(certificate_id),
        }

        policy_names = description["PolicyNames"]
        if policy_names:
            policy = elb.describe_load_balancer_policies(
                elb_dict["LoadBalancerName"],
                policy_names,
                account_number=account_number,
                region=region,
            )
            endpoint["policy"] = format_elb_cipher_policy(policy)

        # The whole record, including any formatted policy, goes to the debug log.
        current_app.logger.debug("Found new endpoint. Endpoint: {}".format(endpoint))

        endpoints.append(endpoint)

    return endpoints
Пример #13
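    def get_endpoints(self, options, **kwargs):
        """Inventory the certificate-bearing listeners of the account's load balancers.

        The account number and an optional comma-separated region list are
        read from *options*; when no regions are configured, the list comes
        from ``ec2.get_regions``. A listener is left out when it has no
        SSLCertificateId or when that id is the literal 'Invalid-Certificate'.
        ``kwargs`` is accepted but not used here.

        :param options: source options passed to ``self.get_option``
        :return: list of endpoint dicts with name, dnsname, type, port,
            certificate_name and, when the listener names policies, policy
        """
        endpoints = []
        account_number = self.get_option('accountNumber', options)
        regions = self.get_option('regions', options)

        if not regions:
            regions = ec2.get_regions(account_number=account_number)
        else:
            regions = regions.split(',')

        for region in regions:
            elbs = elb.get_all_elbs(account_number=account_number,
                                    region=region)
            current_app.logger.info(
                "Describing load balancers in {0}-{1}".format(
                    account_number, region))
            for e in elbs:
                for listener in e['ListenerDescriptions']:
                    if not listener['Listener'].get('SSLCertificateId'):
                        continue

                    if listener['Listener'][
                            'SSLCertificateId'] == 'Invalid-Certificate':
                        continue

                    endpoint = dict(
                        name=e['LoadBalancerName'],
                        dnsname=e['DNSName'],
                        # Fixed: the type was 'e', which looks like a leftover
                        # from renaming the loop variable; any consumer that
                        # compares the type with 'elb' would not recognise
                        # these records.
                        type='elb',
                        port=listener['Listener']['LoadBalancerPort'],
                        certificate_name=iam.get_name_from_arn(
                            listener['Listener']['SSLCertificateId']))

                    if listener['PolicyNames']:
                        policy = elb.describe_load_balancer_policies(
                            e['LoadBalancerName'],
                            listener['PolicyNames'],
                            account_number=account_number,
                            region=region)
                        endpoint['policy'] = format_elb_cipher_policy(policy)

                    endpoints.append(endpoint)

        return endpoints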
Пример #14
def get_elb_endpoints_v2(account_number, region, elb_dict):
    """
    Turn the listeners of one elbv2 load balancer into endpoint records.

    Only listeners with a non-empty "Certificates" entry produce a record. The
    certificate name, path and registry type are all derived from the
    certificate's ARN.

    :param account_number: account used for the listener and SSL policy lookups
    :param region: region used for the listener and SSL policy lookups
    :param elb_dict: load balancer description; the keys read here are
        LoadBalancerArn, LoadBalancerName and DNSName
    :return: list of endpoint dicts with name, dnsname, type, port,
        certificate_name, certificate_path, registry_type and, when the
        listener has an SslPolicy, policy
    """
    described = elb.describe_listeners_v2(
        account_number=account_number,
        region=region,
        LoadBalancerArn=elb_dict["LoadBalancerArn"],
    )

    endpoints = []
    for listener in described["Listeners"]:
        listener_certificates = listener.get("Certificates")
        if not listener_certificates:
            continue

        # NOTE(review): each pass overwrites `endpoint`, so only the last
        # certificate of the listener ends up in the inventory - confirm that
        # a listener never reports more than one here.
        for certificate in listener_certificates:
            certificate_arn = certificate["CertificateArn"]
            endpoint = {
                "name": elb_dict["LoadBalancerName"],
                "dnsname": elb_dict["DNSName"],
                "type": "elbv2",
                "port": listener["Port"],
                "certificate_name": iam.get_name_from_arn(certificate_arn),
                "certificate_path": iam.get_path_from_arn(certificate_arn),
                "registry_type": iam.get_registry_type_from_arn(certificate_arn),
            }

        policy_name = listener["SslPolicy"]
        if policy_name:
            described_policy = elb.describe_ssl_policies_v2(
                [policy_name],
                account_number=account_number,
                region=region,
            )
            endpoint["policy"] = format_elb_cipher_policy_v2(described_policy)

        endpoints.append(endpoint)

    return endpoints
Пример #15
    def get_endpoints(self, options, **kwargs):
        """Inventory the certificate-bearing listeners of the account's load balancers.

        The account number and an optional comma-separated region list are
        read from *options*; when no regions are configured, the list comes
        from ``get_regions``. A listener is left out when it has no
        SSLCertificateId or when that id is the literal 'Invalid-Certificate'.
        ``kwargs`` is accepted but not used here.

        :param options: source options passed to ``self.get_option``
        :return: list of endpoint dicts with name, dnsname, type, port,
            certificate_name and, when the listener names policies, policy
        """
        account_number = self.get_option('accountNumber', options)
        configured_regions = self.get_option('regions', options)

        if configured_regions:
            # The value is split on commas as given; entries are not trimmed.
            regions = configured_regions.split(',')
        else:
            regions = get_regions(account_number=account_number)

        endpoints = []
        for region in regions:
            balancers = get_all_elbs(account_number=account_number, region=region)
            current_app.logger.info("Describing load balancers in {0}-{1}".format(account_number, region))
            for balancer in balancers:
                for description in balancer['ListenerDescriptions']:
                    listener = description['Listener']
                    certificate_id = listener.get('SSLCertificateId')
                    if not certificate_id or certificate_id == 'Invalid-Certificate':
                        continue

                    endpoint = {
                        'name': balancer['LoadBalancerName'],
                        'dnsname': balancer['DNSName'],
                        'type': 'elb',
                        'port': listener['LoadBalancerPort'],
                        'certificate_name': iam.get_name_from_arn(certificate_id),
                    }

                    policy_names = description['PolicyNames']
                    if policy_names:
                        policy = describe_load_balancer_policies(
                            balancer['LoadBalancerName'],
                            policy_names,
                            account_number=account_number,
                            region=region,
                        )
                        endpoint['policy'] = format_elb_cipher_policy(policy)

                    endpoints.append(endpoint)

        return endpoints
Пример #16
def test_get_name_from_arn():
    """get_name_from_arn yields the certificate name of an IAM server-certificate ARN."""
    from lemur.plugins.lemur_aws.iam import get_name_from_arn

    server_cert_arn = 'arn:aws:iam::123456789012:server-certificate/tttt2.netflixtest.net-NetflixInc-20150624-20150625'
    expected_name = 'tttt2.netflixtest.net-NetflixInc-20150624-20150625'

    assert get_name_from_arn(server_cert_arn) == expected_name
Пример #17
def test_get_name_from_arn():
    """The name is the part of the ARN after 'server-certificate/'."""
    from lemur.plugins.lemur_aws.iam import get_name_from_arn

    # Account id and certificate name are the fixture values from the ARN below.
    parsed_name = get_name_from_arn(
        'arn:aws:iam::123456789012:server-certificate/tttt2.netflixtest.net-NetflixInc-20150624-20150625'
    )
    assert parsed_name == 'tttt2.netflixtest.net-NetflixInc-20150624-20150625'