def get_s3_role(self, repo_id):
token = self.get_auth_token()
request = self.http.request("POST",
self.integrations_api_url,
body=json.dumps({"repoId": repo_id}),
headers={
"Authorization": token,
"Content-Type": "application/json"
})
if request.status == 403:
raise BridgecrewAuthError()
response = json.loads(request.data.decode("utf8"))
while ('Message' in response or 'message' in response):
if 'Message' in response and response[
'Message'] == UNAUTHORIZED_MESSAGE:
raise BridgecrewAuthError()
if 'message' in response and "cannot be found" in response[
'message']:
self.loading_output("creating role")
request = self.http.request(
"POST",
self.integrations_api_url,
body=json.dumps({"repoId": repo_id}),
headers={
"Authorization": token,
"Content-Type": "application/json"
})
response = json.loads(request.data.decode("utf8"))
repo_full_path = response["path"]
return repo_full_path, response
def setup_bridgecrew_credentials(self, bc_api_key, repo_id):
"""
Setup credentials against Bridgecrew's platform.
:param repo_id: Identity string of the scanned repository, of the form <repo_owner>/<repo_name>
:param bc_api_key: Bridgecrew issued API key
"""
self.bc_api_key = bc_api_key
self.repo_id = repo_id
try:
request = http.request("POST", self.integrations_api_url, body=json.dumps({"repoId": repo_id}),
headers={"Authorization": bc_api_key, "Content-Type": "application/json"})
response = json.loads(request.data.decode("utf8"))
if 'Message' in response:
if response['Message'] == UNAUTHORIZED_MESSAGE:
raise BridgecrewAuthError()
repo_full_path = response["path"]
self.bucket, self.repo_path = repo_full_path.split("/", 1)
self.timestamp = self.repo_path.split("/")[-1]
self.credentials = response["creds"]
self.s3_client = boto3.client("s3",
aws_access_key_id=self.credentials["AccessKeyId"],
aws_secret_access_key=self.credentials["SecretAccessKey"],
aws_session_token=self.credentials["SessionToken"],
region_name=DEFAULT_REGION
)
sleep(10) # Wait for the policy to update
except HTTPError as e:
logging.error(f"Failed to get customer assumed role\n{e}")
raise e
except ClientError as e:
logging.error(f"Failed to initiate client with credentials {self.credentials}\n{e}")
raise e
except JSONDecodeError as e:
logging.error(f"Response of {self.integrations_api_url} is not a valid JSON\n{e}")
raise e
def get_auth_token(self) -> str:
if self.is_bc_token(self.bc_api_key):
return self.bc_api_key
# This is a Prisma Cloud token
if not self.prisma_url:
raise ValueError(
"Got a prisma token, but the env variable PRISMA_API_URL is not set"
)
elif '::' not in self.bc_api_key:
raise ValueError(
"PRISMA_API_URL was set, but the API key does not appear to be a valid Prisma API key "
"(must be in format key::secret)")
username, password = self.bc_api_key.split('::')
request = self.http.request(
"POST",
f"{self.prisma_url}/login",
body=json.dumps({
"username": username,
"password": password
}),
headers={"Content-Type": "application/json"})
if request.status == 401:
raise BridgecrewAuthError()
token = json.loads(request.data.decode("utf8"))['token']
return token
def get_auth_token(self) -> str:
if self.is_bc_token(self.bc_api_key):
return self.bc_api_key
# A Prisma Cloud Access Key was specified as the Bridgecrew token.
if not self.prisma_api_url:
raise ValueError(
"A Prisma Cloud token was set, but no Prisma Cloud API URL was set"
)
if '::' not in self.bc_api_key:
raise ValueError(
"A Prisma Cloud token was set, but the token is not in the correct format: <access_key_id>::<secret_key>"
)
username, password = self.bc_api_key.split('::')
request = self.http.request("POST",
f"{self.prisma_api_url}/login",
body=json.dumps({
"username": username,
"password": password
}),
headers=merge_dicts(
{"Content-Type": "application/json"},
get_user_agent_header()))
if request.status == 401:
raise BridgecrewAuthError()
token = json.loads(request.data.decode("utf8"))['token']
return token
def get_s3_role(self, repo_id):
token = self.get_auth_token()
request = self.http.request("POST",
self.integrations_api_url,
body=json.dumps({"repoId": repo_id}),
headers=merge_dicts(
{
"Authorization": token,
"Content-Type": "application/json"
}, get_user_agent_header()))
if request.status == 403:
raise BridgecrewAuthError()
response = json.loads(request.data.decode("utf8"))
while ('Message' in response or 'message' in response):
if 'Message' in response and response[
'Message'] == UNAUTHORIZED_MESSAGE:
raise BridgecrewAuthError()
if 'message' in response and ASSUME_ROLE_UNUATHORIZED_MESSAGE in response[
'message']:
raise BridgecrewAuthError(
"Checkov got an unexpected authorization error that may not be due to your credentials. Please contact support."
)
if 'message' in response and "cannot be found" in response[
'message']:
self.loading_output("creating role")
request = self.http.request(
"POST",
self.integrations_api_url,
body=json.dumps({"repoId": repo_id}),
headers=merge_dicts(
{
"Authorization": token,
"Content-Type": "application/json"
}, get_user_agent_header()))
response = json.loads(request.data.decode("utf8"))
repo_full_path = response["path"]
return repo_full_path, response