def _process_resource_set(self, resources, event=None): client = self.manager.get_client( 'azure.mgmt.resource.locks.ManagementLockClient') result = [] for resource in resources: if resource.get('resourceGroup') is None: locks = [ r.serialize(True) for r in client.management_locks. list_at_resource_group_level(resource['name']) ] else: locks = [ r.serialize(True) for r in client.management_locks.list_at_resource_level( resource['resourceGroup'], ResourceIdParser.get_namespace(resource['id']), ResourceIdParser.get_resource_name( resource.get('c7n:parent-id')) or '', ResourceIdParser.get_resource_type(resource['id']), resource['name']) ] if StringUtils.equal('Absent', self.lock_type) and not locks: result.append(resource) else: for lock in locks: if StringUtils.equal('Any', self.lock_type) or \ StringUtils.equal(lock['properties']['level'], self.lock_type): result.append(resource) break return result
def _process_resource_set(self, resources, event=None): client = self.manager.get_client() result = [] for resource in resources: database_name = resource['name'] if StringUtils.equal(database_name, "master"): continue if 'c7n:data-masking-policy' not in resource: server_id = resource[ChildTypeInfo.parent_key] server_name = ResourceIdParser.get_resource_name(server_id) dmr = client.data_masking_policies.get( resource['resourceGroup'], server_name, database_name) if dmr: resource['c7n:data-masking-policy'] = dmr.serialize( True).get('properties', {}) else: resource['c7n:data-masking-policy'] = {} required_status = 'Enabled' if self.enabled else 'Disabled' if StringUtils.equal( resource['c7n:data-masking-policy'].get( 'dataMaskingState'), required_status): result.append(resource) return result
def _get_tag_value_from_event(self, event): principal_role = self.principal_role_jmes_path.search(event) principal_type = self.principal_type_jmes_path.search(event) user = None # The Subscription Admins role does not have a principal type if StringUtils.equal(principal_role, 'Subscription Admin'): user = self.service_admin_jmes_path.search(event) # ServicePrincipal type elif StringUtils.equal(principal_type, 'ServicePrincipal'): user = self.sp_jmes_path.search(event) if not user: known_claims = { 'upn': self.upn_jmes_path.search(event), 'name': self.name_jmes_path.search(event) } if known_claims[self.default_claim]: user = known_claims[self.default_claim] elif self.default_claim == 'upn' and known_claims['name']: user = known_claims['name'] elif self.default_claim == 'name' and known_claims['upn']: user = known_claims['upn'] # Last effort search for an email address in the claims if not user: claims = event['data'].get('claims', []) for c in claims: value = claims[c] if self._is_email(value): user = value break if not user: self.log.error('Principal could not be determined.') return user
def _get_user_from_event(self, event): principal_role = self.principal_role_jmes_path.search(event) principal_type = self.principal_type_jmes_path.search(event) user = None # The Subscription Admins role does not have a principal type if StringUtils.equal(principal_role, 'Subscription Admin'): user = self.service_admin_jmes_path.search(event) # ServicePrincipal type elif StringUtils.equal(principal_type, 'ServicePrincipal'): user = self.sp_jmes_path.search(event) # Other types and main fallback (e.g. User, Office 365 Groups, and Security Groups) if not user and self.upn_jmes_path.search(event): user = self.upn_jmes_path.search(event) # Last effort search for an email address in the claims if not user: claims = event['data']['claims'] for c in claims: value = claims[c] if self._is_email(value): user = value if not user: self.log.error('Principal could not be determined.') return user
def _get_tag_value_from_event(self, event): principal_role = self.principal_role_jmes_path.search(event) principal_type = self.principal_type_jmes_path.search(event) user = None # The Subscription Admins role does not have a principal type if StringUtils.equal(principal_role, 'Subscription Admin'): user = self.service_admin_jmes_path.search(event) # ServicePrincipal type elif StringUtils.equal(principal_type, 'ServicePrincipal'): user = self.sp_jmes_path.search(event) # Other types and main fallback (e.g. User, Office 365 Groups, and Security Groups) if not user and self.upn_jmes_path.search(event): user = self.upn_jmes_path.search(event) # Last effort search for an email address in the claims if not user: claims = event['data']['claims'] for c in claims: value = claims[c] if self._is_email(value): user = value if not user: self.log.error('Principal could not be determined.') return user
def _get_user_from_event(self, event): principal_role = self.principal_role_jmes_path.search(event) principal_type = self.principal_type_jmes_path.search(event) # The Subscription Admins role does not have a principal type if StringUtils.equal(principal_role, 'Subscription Admin'): return self.service_admin_jmes_path.search(event) # ServicePrincipal type elif StringUtils.equal(principal_type, 'ServicePrincipal'): return self.sp_jmes_path.search(event) # Other types (e.g. User, Office 365 Groups, and Security Groups) elif self.upn_jmes_path.search(event): return self.upn_jmes_path.search(event) else: self.log.error('Principal could not be determined.')
def is_match(self, security_rule): if not StringUtils.equal(self.direction_key, security_rule['properties']['direction']): return False ranges_match = self.is_ranges_match(security_rule) protocol_match = (self.ip_protocol is None) or \ (StringUtils.equal(self.ip_protocol, security_rule['properties']['protocol'])) if self.access is not None: access_match = StringUtils.equal( self.access, security_rule['properties']['access']) return self.match_op([ranges_match, protocol_match, access_match]) else: return self.match_op([ranges_match, protocol_match])
def _process_resource_set(self, resources, event=None): client = self.manager.get_client() result = [] for resource in resources: if 'transparentDataEncryption' not in resource['properties']: server_id = resource[ChildTypeInfo.parent_key] server_name = ResourceIdParser.get_resource_name(server_id) tde = client.transparent_data_encryptions.get( resource['resourceGroup'], server_name, resource['name'], "current") resource['properties']['transparentDataEncryption'] = \ tde.serialize(True).get('properties', {}) required_status = 'Enabled' if self.enabled else 'Disabled' if StringUtils.equal( resource['properties']['transparentDataEncryption'].get('status'), required_status): result.append(resource) return result
def resource_api_version(self, resource_id): """ latest non-preview api version for resource """ namespace = ResourceIdParser.get_namespace(resource_id) resource_type = ResourceIdParser.get_resource_type(resource_id) cache_id = namespace + resource_type if cache_id in self._provider_cache: return self._provider_cache[cache_id] resource_client = self.client( 'azure.mgmt.resource.ResourceManagementClient') provider = resource_client.providers.get(namespace) # The api version may be directly provided if not provider.resource_types and resource_client.providers.api_version: return resource_client.providers.api_version rt = next((t for t in provider.resource_types if StringUtils.equal(t.resource_type, resource_type)), None) if rt and rt.api_versions: versions = [ v for v in rt.api_versions if 'preview' not in v.lower() ] api_version = versions[0] if versions else rt.api_versions[0] self._provider_cache[cache_id] = api_version return api_version
def _provision(self, params): rg_unit = ResourceGroupUnit() rg_unit.provision_if_not_exists({'name': params['resource_group_name'], 'location': params['location']}) plan_params = AppServicePlan( app_service_plan_name=params['name'], location=params['location'], sku=SkuDescription( name=params['sku_name'], capacity=1, tier=params['sku_tier']), kind='linux', target_worker_size_id=0, reserved=True) plan = self.client.app_service_plans.begin_create_or_update(params['resource_group_name'], params['name'], plan_params).result() # Deploy default autoscale rule for dedicated plans if required by the policy autoscale_params = copy.deepcopy(params.get('auto_scale', {})) if bool(autoscale_params.get('enabled')) and \ not StringUtils.equal(plan.sku, 'dynamic'): autoscale_params['name'] = 'autoscale' autoscale_params['resource_group_name'] = params['resource_group_name'] autoscale_params['service_plan_id'] = plan.id autoscale_params['location'] = plan.location ac_unit = AutoScaleUnit() ac_unit.provision(autoscale_params) return plan
def process(self, network_security_groups): ip_protocol = self.data.get(IP_PROTOCOL, '*') direction = self.data[DIRECTION] prefix = self.data.get(PREFIX, 'c7n-policy-') # Build a list of ports described in the action. ports = PortsRangeHelper.get_ports_set_from_string(self.data.get(PORTS, '0-65535')) except_ports = PortsRangeHelper.get_ports_set_from_string(self.data.get(EXCEPT_PORTS, '')) self.action_ports = ports.difference(except_ports) for nsg in network_security_groups: nsg_name = nsg['name'] resource_group = nsg['resourceGroup'] # Get list of ports to Deny or Allow access to. ports = self._build_ports_strings(nsg, direction, ip_protocol) if not ports: # If its empty, it means NSG already blocks/allows access to all ports, # no need to change. self.manager.log.info("Network security group %s satisfies provided " "ports configuration, no actions scheduled.", nsg_name) continue rules = nsg['properties']['securityRules'] rules = sorted(rules, key=lambda k: k['properties']['priority']) rules = [r for r in rules if StringUtils.equal(r['properties']['direction'], direction)] lowest_priority = rules[0]['properties']['priority'] if len(rules) > 0 else 4096 # Create new top-priority rule to allow/block ports from the action. rule_name = prefix + str(uuid.uuid1()) new_rule = { 'name': rule_name, 'properties': { 'access': self.access_action, 'destinationAddressPrefix': '*', 'destinationPortRanges': ports, 'direction': self.data[DIRECTION], 'priority': lowest_priority - PRIORITY_STEP, 'protocol': ip_protocol, 'sourceAddressPrefix': '*', 'sourcePortRange': '*', } } self.manager.log.info("NSG %s. Creating new rule to %s access for ports %s", nsg_name, self.access_action, ports) try: self.manager.get_client().security_rules.create_or_update( resource_group, nsg_name, rule_name, new_rule ) except CloudError as e: self.manager.log.error('Failed to create or update security rule for %s NSG.', nsg_name) self.manager.log.error(e)
def _build_ports_strings(self, nsg, direction_key, ip_protocol): nsg_ports = PortsRangeHelper.build_ports_dict(nsg, direction_key, ip_protocol) IsAllowed = StringUtils.equal(self.access_action, ALLOW_OPERATION) # Find ports with different access level from NSG and this action diff_ports = sorted([p for p in self.action_ports if nsg_ports.get(p, False) != IsAllowed]) return PortsRangeHelper.get_ports_strings_from_list(diff_ports)
def process(self, network_security_groups): ip_protocol = self.data.get(IP_PROTOCOL, '*') direction = self.data[DIRECTION] # Build a list of ports described in the action. ports = PortsRangeHelper.get_ports_set_from_string(self.data.get(PORTS, '0-65535')) except_ports = PortsRangeHelper.get_ports_set_from_string(self.data.get(EXCEPT_PORTS, '')) self.action_ports = ports.difference(except_ports) for nsg in network_security_groups: nsg_name = nsg['name'] resource_group = nsg['resourceGroup'] # Get list of ports to Deny or Allow access to. ports = self._build_ports_strings(nsg, direction, ip_protocol) if not ports: # If its empty, it means NSG already blocks/allows access to all ports, # no need to change. self.manager.log.info("Network security group %s satisfies provided " "ports configuration, no actions scheduled.", nsg_name) continue rules = nsg['properties']['securityRules'] rules = sorted(rules, key=lambda k: k['properties']['priority']) rules = [r for r in rules if StringUtils.equal(r['properties']['direction'], direction)] lowest_priority = rules[0]['properties']['priority'] if len(rules) > 0 else 4096 # Create new top-priority rule to allow/block ports from the action. rule_name = 'c7n-policy-' + str(uuid.uuid1()) new_rule = { 'name': rule_name, 'properties': { 'access': self.access_action, 'destinationAddressPrefix': '*', 'destinationPortRanges': ports, 'direction': self.data[DIRECTION], 'priority': lowest_priority - PRIORITY_STEP, 'protocol': ip_protocol, 'sourceAddressPrefix': '*', 'sourcePortRange': '*', } } self.manager.log.info("NSG %s. Creating new rule to %s access for ports %s", nsg_name, self.access_action, ports) try: self.manager.get_client().security_rules.create_or_update( resource_group, nsg_name, rule_name, new_rule ) except CloudError as e: self.manager.log.error('Failed to create or update security rule for %s NSG.', nsg_name) self.manager.log.error(e)
def process(self, network_security_groups, event=None): # Get variables self.ip_protocol = self.data.get(IP_PROTOCOL, '*') self.IsAllowed = StringUtils.equal(self.data.get(ACCESS), ALLOW_OPERATION) self.match = self.data.get(MATCH, 'all') # Calculate ports from the settings: # If ports not specified -- assuming the entire range # If except_ports not specifed -- nothing ports_set = PortsRangeHelper.get_ports_set_from_string(self.data.get(PORTS, '0-65535')) except_set = PortsRangeHelper.get_ports_set_from_string(self.data.get(EXCEPT_PORTS, '')) self.ports = ports_set.difference(except_set) nsgs = [nsg for nsg in network_security_groups if self._check_nsg(nsg)] return nsgs
def resource_api_version(self, resource_id): """ latest non-preview api version for resource """ namespace = ResourceIdParser.get_namespace(resource_id) resource_type = ResourceIdParser.get_resource_type(resource_id) if resource_type in self._provider_cache: return self._provider_cache[resource_type] resource_client = self.client('azure.mgmt.resource.ResourceManagementClient') provider = resource_client.providers.get(namespace) rt = next((t for t in provider.resource_types if StringUtils.equal(t.resource_type, resource_type.split('/')[-1])), None) if rt and rt.api_versions: versions = [v for v in rt.api_versions if 'preview' not in v.lower()] api_version = versions[0] if versions else rt.api_versions[0] self._provider_cache[resource_type] = api_version return api_version
def resource_api_version(self, resource_id): """ latest non-preview api version for resource """ namespace = ResourceIdParser.get_namespace(resource_id) resource_type = ResourceIdParser.get_resource_type(resource_id) cache_id = namespace + resource_type if cache_id in self._provider_cache: return self._provider_cache[cache_id] resource_client = self.client('azure.mgmt.resource.ResourceManagementClient') provider = resource_client.providers.get(namespace) rt = next((t for t in provider.resource_types if StringUtils.equal(t.resource_type, resource_type)), None) if rt and rt.api_versions: versions = [v for v in rt.api_versions if 'preview' not in v.lower()] api_version = versions[0] if versions else rt.api_versions[0] self._provider_cache[cache_id] = api_version return api_version
def test_string_utils_equal(self): # Case insensitive matches self.assertTrue(StringUtils.equal("FOO", "foo")) self.assertTrue(StringUtils.equal("fOo", "FoO")) self.assertTrue(StringUtils.equal("ABCDEFGH", "abcdefgh")) self.assertFalse(StringUtils.equal("Foo", "Bar")) # Case sensitive matches self.assertFalse(StringUtils.equal("Foo", "foo", False)) self.assertTrue(StringUtils.equal("foo", "foo", False)) self.assertTrue(StringUtils.equal("fOo", "fOo", False)) self.assertFalse(StringUtils.equal("Foo", "Bar")) # Strip whitespace matches self.assertTrue(StringUtils.equal(" Foo ", "foo")) self.assertTrue(StringUtils.equal("Foo", " foo ")) self.assertTrue(StringUtils.equal(" Foo ", "Foo", False)) self.assertTrue(StringUtils.equal("Foo", " Foo ", False)) # Returns false for non string types self.assertFalse(StringUtils.equal(1, "foo")) self.assertFalse(StringUtils.equal("foo", 1)) self.assertFalse(StringUtils.equal(True, False))
def is_consumption_plan(function_params): return StringUtils.equal(function_params.service_plan['sku_tier'], 'dynamic')
def process_resource(self, resource, event_item=None): # if the auto-tag-user policy set update to False (or it's unset) then we # will skip writing their UserName tag and not overwrite pre-existing values if not self.should_update and resource.get('tags', {}).get( self.tag_key, None): return user = self.default_user if event_item: principal_role = self.principal_role_jmes_path.search(event_item) principal_type = self.principal_type_jmes_path.search(event_item) # The Subscription Admins role does not have a principal type if StringUtils.equal(principal_role, 'Subscription Admin'): user = self.service_admin_jmes_path.search(event_item) or user # ServicePrincipal type elif StringUtils.equal(principal_type, 'ServicePrincipal'): user = self.sp_jmes_path.search(event_item) or user # Other types (e.g. User, Office 365 Groups, and Security Groups) elif self.upn_jmes_path.search(event_item): user = self.upn_jmes_path.search(event_item) else: self.log.error('Principal could not be determined.') else: # Calculate start time delta_days = self.data.get('days', self.max_query_days) start_time = utcnow() - datetime.timedelta(days=delta_days) # resource group type if self.manager.type == 'resourcegroup': resource_type = "Microsoft.Resources/subscriptions/resourcegroups" query_filter = " and ".join([ "eventTimestamp ge '%s'" % start_time, "resourceGroupName eq '%s'" % resource['name'], "eventChannels eq 'Operation'" ]) # other Azure resources else: resource_type = resource['type'] query_filter = " and ".join([ "eventTimestamp ge '%s'" % start_time, "resourceUri eq '%s'" % resource['id'], "eventChannels eq 'Operation'" ]) # fetch activity logs logs = self.client.activity_logs.list(filter=query_filter, select=self.query_select) # get the user who issued the first operation operation_name = "%s/write" % resource_type first_op = self.get_first_operation(logs, operation_name) if first_op is not None: user = first_op.caller # issue tag action to label user try: TagHelper.add_tags(self, resource, {self.tag_key: user}) except CloudError as e: # resources can be locked if e.inner_exception.error == 'ScopeLocked': pass