async def can_move_back_to_pending(request, current_user, groups):
if request.get("status") in ["cancelled", "rejected"]:
# Don't allow returning requests to pending state if more than a day has passed since the last update
if request.get("last_updated", 0) < int(time.time()) - 86400:
return False
# Allow admins to return requests back to pending state
if can_admin_policies(current_user, groups):
return True
return False
async def get(self):
admin_bypass_approval_enabled: bool = can_admin_policies(
self.user, self.groups)
self_service_iam_config: dict = config.get("self_service_iam")
self.write({
"admin_bypass_approval_enabled": admin_bypass_approval_enabled,
**self_service_iam_config,
})
async def can_update_cancel_requests_v2(requester_username, user, groups):
# Users can update their own requests
can_update = user == requester_username
# Allow admins to update / cancel requests
if not can_update:
if can_admin_policies(user, groups):
return True
return can_update
async def can_update_requests(request, user, groups):
# Users can update their own requests
can_update = user in request["username"]
# Allow admins to return requests back to pending state
if not can_update:
if can_admin_policies(user, groups):
return True
return can_update
async def can_move_back_to_pending_v2(extended_request: ExtendedRequestModel,
last_updated, current_user, groups):
if extended_request.request_status in [
RequestStatus.cancelled,
RequestStatus.rejected,
]:
# Don't allow returning requests to pending state if more than a day has passed since the last update
if last_updated < int(time.time()) - 86400:
return False
# Allow admins to return requests back to pending state
if can_admin_policies(current_user, groups):
return True
return False
async def get(self):
admin_bypass_approval_enabled: bool = can_admin_policies(
self.user, self.groups)
export_to_terraform_enabled: bool = config.get(
"export_to_terraform_enabled", False)
self_service_iam_config: dict = config.get("self_service_iam",
SELF_SERVICE_IAM_DEFAULTS)
self.write({
"admin_bypass_approval_enabled": admin_bypass_approval_enabled,
"export_to_terraform_enabled": export_to_terraform_enabled,
**self_service_iam_config,
})
async def get(self):
admin_bypass_approval_enabled: bool = can_admin_policies(
self.user, self.groups)
export_to_terraform_enabled: bool = config.get(
"export_to_terraform_enabled", False)
self_service_iam_config: dict = config.get("self_service_iam",
SELF_SERVICE_IAM_DEFAULTS)
# Help message can be configured with Markdown for link handling
help_message: str = config.get("self_service_iam_help_message")
self.write({
"admin_bypass_approval_enabled": admin_bypass_approval_enabled,
"export_to_terraform_enabled": export_to_terraform_enabled,
"help_message": help_message,
**self_service_iam_config,
})
async def get(self):
"""
Provide information about site configuration for the frontend
:return:
"""
is_contractor = config.config_plugin().is_contractor(self.user)
site_config = {
"consoleme_logo": await get_random_security_logo(),
"google_tracking_uri": config.get("google_analytics.tracking_url"),
"documentation_url": config.get("documentation_page"),
"support_contact": config.get("support_contact"),
"support_chat_url": config.get("support_chat_url"),
"security_logo": config.get("security_logo.image"),
"security_url": config.get("security_logo.url"),
}
user_profile = {
"site_config":
site_config,
"user":
self.user,
"can_logout":
config.get("auth.set_auth_cookie"),
"is_contractor":
is_contractor,
"employee_photo_url":
config.config_plugin().get_employee_photo_url(self.user),
"employee_info_url":
config.config_plugin().get_employee_info_url(self.user),
"authorization": {
"can_edit_policies":
can_admin_policies(self.user, self.groups),
"can_create_roles": can_create_roles(self.user, self.groups),
"can_delete_roles": can_delete_roles(self.user, self.groups),
},
"pages": {
"header": {
"custom_header_message_title":
config.get("headers.custom_header_message.title", ""),
"custom_header_message_text":
config.get("headers.custom_header_message.text", ""),
},
"groups": {
"enabled": config.get("headers.group_access.enabled",
False)
},
"users": {
"enabled": config.get("headers.group_access.enabled",
False)
},
"policies": {
"enabled":
config.get("headers.policies.enabled", True)
and not is_contractor
},
"self_service": {
"enabled":
config.get("enable_self_service", True)
and not is_contractor
},
"api_health": {
"enabled":
is_in_group(
self.user,
self.groups,
config.get("groups.can_edit_health_alert", []),
)
},
"audit": {
"enabled":
is_in_group(self.user, self.groups,
config.get("groups.can_audit", []))
},
"config": {
"enabled": can_edit_dynamic_config(self.user, self.groups)
},
},
"accounts":
await get_account_id_to_name_mapping(),
}
self.set_header("Content-Type", "application/json")
self.write(user_profile)
async def get(self, account_id, resource_type, region=None, resource_name=None):
if not self.user:
return
if config.get("policy_editor.disallow_contractors", True) and self.contractor:
if self.user not in config.get(
"groups.can_bypass_contractor_restrictions", []
):
raise MustBeFte("Only FTEs are authorized to view this page.")
read_only = False
can_save_delete = (can_admin_policies(self.user, self.groups),)
account_id_for_arn: str = account_id
if resource_type == "s3":
account_id_for_arn = ""
arn = f"arn:aws:{resource_type}:{region or ''}:{account_id_for_arn}:{resource_name}"
stats.count(
"ResourcePolicyEditHandler.get", tags={"user": self.user, "arn": arn}
)
log_data = {
"user": self.user,
"ip": self.ip,
"function": f"{__name__}.{self.__class__.__name__}.{sys._getframe().f_code.co_name}",
"message": "Incoming request",
"user-agent": self.request.headers.get("User-Agent"),
"request_id": self.request_uuid,
"arn": arn,
}
log.debug(log_data)
resource_details = await fetch_resource_details(
account_id, resource_type, resource_name, region
)
# TODO: Get S3 errors for s3 buckets only, else CT errors
yesterday = (datetime.today() - timedelta(days=1)).strftime("%Y%m%d")
s3_query_url = None
if resource_type == "s3":
s3_query_url = config.get("s3.bucket_query_url")
all_s3_errors = None
if s3_query_url:
s3_query_url = s3_query_url.format(
yesterday=yesterday, bucket_name=f"'{resource_name}'"
)
s3_error_topic = config.get("redis.s3_errors", "S3_ERRORS")
all_s3_errors = self.red.get(s3_error_topic)
s3_errors = []
if all_s3_errors:
s3_errors = json.loads(all_s3_errors).get(arn, [])
account_ids_to_name = await get_account_id_to_name_mapping()
# TODO(ccastrapel/psanders): Make a Swagger spec for this
self.write(
dict(
arn=arn,
resource_details=resource_details,
account_id=account_id,
account_name=account_ids_to_name.get(account_id, None),
read_only=read_only,
can_save_delete=can_save_delete,
s3_errors=s3_errors,
error_url=s3_query_url,
)
)
async def post(self):
"""
POST /api/v2/request
Request example JSON: (Request Schema is RequestCreationModel in models.py)
{
"changes": {
"changes": [
{
"principal_arn": "arn:aws:iam::123456789012:role/curtisTestRole1",
"change_type": "inline_policy",
"action": "attach",
"policy": {
"policy_document": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListMultipartUploadParts*",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::curtis-nflx-test/*",
"arn:aws:s3:::curtis-nflx-test"
],
"Sid": "cmccastrapel159494014dsd1shak"
},
{
"Action": [
"ec2:describevolumes",
"ec2:detachvolume",
"ec2:describelicenses",
"ec2:AssignIpv6Addresses",
"ec2:reportinstancestatus"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "cmccastrapel1594940141hlvvv"
},
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::123456789012:role/curtisTestInstanceProfile"
],
"Sid": "cmccastrapel1596483596easdits"
}
]
}
}
},
{
"principal_arn": "arn:aws:iam::123456789012:role/curtisTestRole1",
"change_type": "assume_role_policy",
"policy": {
"policy_document": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/consolemeInstanceProfile"
},
"Sid": "AllowConsoleMeProdAssumeRolses"
}
],
"Version": "2012-10-17"
}
}
},
{
"principal_arn": "arn:aws:iam::123456789012:role/curtisTestRole1",
"change_type": "managed_policy",
"policy_name": "ApiProtect",
"action": "attach",
"arn": "arn:aws:iam::123456789012:policy/ApiProtect"
},
{
"principal_arn": "arn:aws:iam::123456789012:role/curtisTestRole1",
"change_type": "managed_policy",
"policy_name": "TagProtect",
"action": "detach",
"arn": "arn:aws:iam::123456789012:policy/TagProtect"
},
{
"principal_arn": "arn:aws:iam::123456789012:role/curtisTestRole1",
"change_type": "inline_policy",
"policy_name": "random_policy254",
"action": "attach",
"policy": {
"policy_document": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:AssignIpv6Addresses"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "cmccastrapel1594940141shakabcd"
}
]
}
}
}
]
},
"justification": "testing this out.",
"admin_auto_approve": false
}
Response example JSON: (Response Schema is RequestCreationResponse in models.py)
{
"errors": 1,
"request_created": true,
"request_id": "0c9fb298-c8ea-4d50-917c-3212da07b3ad",
"action_results": [
{
"status": "success",
"message": "Success description"
},
{
"status": "error",
"message": "Error description"
}
]
}
"""
if config.get("policy_editor.disallow_contractors",
True) and self.contractor:
if self.user not in config.get(
"groups.can_bypass_contractor_restrictions", []):
raise MustBeFte("Only FTEs are authorized to view this page.")
tags = {"user": self.user}
stats.count("RequestHandler.post", tags=tags)
log_data = {
"function":
f"{__name__}.{self.__class__.__name__}.{sys._getframe().f_code.co_name}",
"user": self.user,
"message": "Create request initialization",
"user-agent": self.request.headers.get("User-Agent"),
"request_id": self.request_uuid,
"ip": self.ip,
"admin_auto_approved": False,
"probe_auto_approved": False,
}
log.debug(log_data)
try:
# Validate the model
changes = RequestCreationModel.parse_raw(self.request.body)
extended_request = await generate_request_from_change_model_array(
changes, self.user)
log_data["request"] = extended_request.dict()
log.debug(log_data)
admin_approved = False
approval_probe_approved = False
# TODO: Provide a note to the requester that admin_auto_approve will apply the requested policies only.
# It will not automatically apply generated policies. The administrative user will need to visit the policy
# Request page to do this manually.
if changes.admin_auto_approve:
# make sure user is allowed to use admin_auto_approve
can_manage_policy_request = (can_admin_policies(
self.user, self.groups), )
if can_manage_policy_request:
extended_request.request_status = RequestStatus.approved
admin_approved = True
extended_request.reviewer = self.user
self_approval_comment = CommentModel(
id=str(uuid.uuid4()),
timestamp=int(time.time()),
user_email=self.user,
user=extended_request.requester_info,
last_modified=int(time.time()),
text=f"Self-approved by admin: {self.user}",
)
extended_request.comments.append(self_approval_comment)
log_data["admin_auto_approved"] = True
log_data["request"] = extended_request.dict()
log.debug(log_data)
stats.count(
f"{log_data['function']}.post.admin_auto_approved",
tags={"user": self.user},
)
else:
# someone is trying to use admin bypass without being an admin, don't allow request to proceed
stats.count(
f"{log_data['function']}.post.unauthorized_admin_bypass",
tags={"user": self.user},
)
log_data[
"message"] = "Unauthorized user trying to use admin bypass"
log.error(log_data)
await write_json_error("Unauthorized", obj=self)
return
else:
# If admin auto approve is false, check for auto-approve probe eligibility
is_eligible_for_auto_approve_probe = (
await is_request_eligible_for_auto_approval(
extended_request, self.user))
# If we have only made requests that are eligible for auto-approval probe, check against them
if is_eligible_for_auto_approve_probe:
should_auto_approve_request = await should_auto_approve_policy_v2(
extended_request, self.user, self.groups)
if should_auto_approve_request["approved"]:
extended_request.request_status = RequestStatus.approved
approval_probe_approved = True
stats.count(
f"{log_data['function']}.probe_auto_approved",
tags={"user": self.user},
)
approving_probes = []
for approving_probe in should_auto_approve_request[
"approving_probes"]:
approving_probe_comment = CommentModel(
id=str(uuid.uuid4()),
timestamp=int(time.time()),
user_email=
f"Auto-Approve Probe: {approving_probe['name']}",
last_modified=int(time.time()),
text=
f"Policy {approving_probe['policy']} auto-approved by probe: {approving_probe['name']}",
)
extended_request.comments.append(
approving_probe_comment)
approving_probes.append(approving_probe["name"])
extended_request.reviewer = (
f"Auto-Approve Probe: {','.join(approving_probes)}"
)
log_data["probe_auto_approved"] = True
log_data["request"] = extended_request.dict()
log.debug(log_data)
dynamo = UserDynamoHandler(self.user)
request = await dynamo.write_policy_request_v2(extended_request)
log_data["message"] = "New request created in Dynamo"
log_data["request"] = extended_request.dict()
log_data["dynamo_request"] = request
log.debug(log_data)
except (InvalidRequestParameter, ValidationError) as e:
log_data["message"] = "Validation Exception"
log.error(log_data, exc_info=True)
stats.count(f"{log_data['function']}.validation_exception",
tags={"user": self.user})
self.write_error(400, message="Error validating input: " + str(e))
if config.get("development"):
raise
return
except Exception as e:
log_data[
"message"] = "Unknown Exception occurred while parsing request"
log.error(log_data, exc_info=True)
stats.count(f"{log_data['function']}.exception",
tags={"user": self.user})
sentry_sdk.capture_exception(tags={"user": self.user})
self.write_error(500, message="Error parsing request: " + str(e))
if config.get("development"):
raise
return
# If here, request has been successfully created
response = RequestCreationResponse(
errors=0,
request_created=True,
request_id=extended_request.id,
request_url=f"/policies/request/{extended_request.id}",
action_results=[],
)
# If approved is true due to an auto-approval probe or admin auto-approval, apply the non-autogenerated changes
if extended_request.request_status == RequestStatus.approved:
for change in extended_request.changes.changes:
if change.autogenerated:
continue
policy_request_modification_model = (
PolicyRequestModificationRequestModel.parse_obj({
"modification_model": {
"command": "apply_change",
"change_id": change.id,
}
}))
policy_apply_response = (
await parse_and_apply_policy_request_modification(
extended_request,
policy_request_modification_model,
self.user,
self.groups,
int(time.time()),
approval_probe_approved,
))
response.errors = policy_apply_response.errors
response.action_results = policy_apply_response.action_results
# Update in dynamo
await dynamo.write_policy_request_v2(extended_request)
account_id = await get_resource_account(extended_request.arn)
# Force a refresh of the role in Redis/DDB
arn_parsed = parse_arn(extended_request.arn)
if arn_parsed["service"] == "iam" and arn_parsed[
"resource"] == "role":
await aws.fetch_iam_role(account_id,
extended_request.arn,
force_refresh=True)
log_data["request"] = extended_request.dict()
log_data["message"] = "Applied changes based on approved request"
log_data["response"] = response.dict()
log.debug(log_data)
await aws.send_communications_new_policy_request(
extended_request, admin_approved, approval_probe_approved)
self.write(response.json())
await self.finish()
await cache_all_policy_requests()
return
async def get(self, request_id):
"""
GET /api/v2/requests/{request_id}
"""
tags = {"user": self.user}
stats.count("RequestDetailHandler.get", tags=tags)
log_data = {
"function":
f"{__name__}.{self.__class__.__name__}.{sys._getframe().f_code.co_name}",
"user": self.user,
"message": "Get request details",
"user-agent": self.request.headers.get("User-Agent"),
"request_id": self.request_uuid,
"policy_request_id": request_id,
}
log.debug(log_data)
if config.get("policy_editor.disallow_contractors",
True) and self.contractor:
if self.user not in config.get(
"groups.can_bypass_contractor_restrictions", []):
self.write_error(
403, message="Only FTEs are authorized to view this page.")
return
try:
extended_request, last_updated = await self._get_extended_request(
request_id, log_data)
except InvalidRequestParameter as e:
sentry_sdk.capture_exception(tags={"user": self.user})
self.write_error(400, message="Error validating input: " + str(e))
return
except NoMatchingRequest as e:
sentry_sdk.capture_exception(tags={"user": self.user})
self.write_error(404, message="Error getting request:" + str(e))
return
# Run these tasks concurrently.
concurrent_results = await asyncio.gather(
populate_old_policies(extended_request, self.user),
populate_cross_account_resource_policies(extended_request,
self.user),
)
extended_request = concurrent_results[0]
populate_cross_account_resource_policies_result = concurrent_results[1]
if populate_cross_account_resource_policies_result["changed"]:
extended_request = populate_cross_account_resource_policies_result[
"extended_request"]
# Update in dynamo with the latest resource policy changes
dynamo = UserDynamoHandler(self.user)
updated_request = await dynamo.write_policy_request_v2(
extended_request)
last_updated = updated_request.get("last_updated")
can_approve_reject = (can_admin_policies(self.user, self.groups), )
can_update_cancel = await can_update_cancel_requests_v2(
extended_request.requester_email, self.user, self.groups)
can_move_back_to_pending = await can_move_back_to_pending_v2(
extended_request, last_updated, self.user, self.groups)
# In the future request_specific_config will have specific approvers for specific changes based on ABAC
request_specific_config = {
"can_approve_reject": can_approve_reject,
"can_update_cancel": can_update_cancel,
"can_move_back_to_pending": can_move_back_to_pending,
}
template = None
# Force a refresh of the role in Redis/DDB
arn_parsed = parse_arn(extended_request.arn)
if arn_parsed["service"] == "iam" and arn_parsed["resource"] == "role":
iam_role = await aws.fetch_iam_role(arn_parsed["account"],
extended_request.arn)
template = iam_role.get("templated")
response = {
"request": extended_request.json(),
"last_updated": last_updated,
"request_config": request_specific_config,
"template": template,
}
self.write(response)
async def get(self):
"""
Provide information about site configuration for the frontend
:return:
"""
is_contractor = config.config_plugin().is_contractor(self.user)
site_config = {
"consoleme_logo": await get_random_security_logo(),
"google_analytics": {
"tracking_id": config.get("google_analytics.tracking_id"),
"options": config.get("google_analytics.options", {}),
},
"documentation_url": config.get(
"documentation_page", "https://hawkins.gitbook.io/consoleme/"
),
"support_contact": config.get("support_contact"),
"support_chat_url": config.get(
"support_chat_url", "https://discord.com/invite/nQVpNGGkYu"
),
"security_logo": config.get("security_logo.image"),
"security_url": config.get("security_logo.url"),
# If site_config.landing_url is set, users will be redirected to the landing URL after authenticating
# on the frontend.
"landing_url": config.get("site_config.landing_url"),
"temp_policy_support": config.get("policies.temp_policy_support"),
"notifications": {
"enabled": config.get("site_config.notifications.enabled"),
"request_interval": config.get(
"site_config.notifications.request_interval", 60
),
},
"cloudtrail_denies_policy_generation": config.get(
"celery.cache_cloudtrail_denies.enabled", False
),
}
custom_page_header: Dict[str, str] = await get_custom_page_header(
self.user, self.groups
)
user_profile = {
"site_config": site_config,
"user": self.user,
"can_logout": config.get("auth.set_auth_cookie", False),
"is_contractor": is_contractor,
"employee_photo_url": config.config_plugin().get_employee_photo_url(
self.user
),
"employee_info_url": config.config_plugin().get_employee_info_url(
self.user
),
"authorization": {
"can_edit_policies": can_admin_policies(self.user, self.groups),
"can_create_roles": can_create_roles(self.user, self.groups),
"can_delete_iam_principals": can_delete_iam_principals(
self.user, self.groups
),
},
"pages": {
"header": {
"custom_header_message_title": custom_page_header.get(
"custom_header_message_title", ""
),
"custom_header_message_text": custom_page_header.get(
"custom_header_message_text", ""
),
"custom_header_message_route": custom_page_header.get(
"custom_header_message_route", ""
),
},
"groups": {
"enabled": config.get("headers.group_access.enabled", False)
},
"users": {"enabled": config.get("headers.group_access.enabled", False)},
"policies": {
"enabled": config.get("headers.policies.enabled", True)
and not is_contractor
},
"self_service": {
"enabled": config.get("enable_self_service", True)
and not is_contractor
},
"api_health": {
"enabled": is_in_group(
self.user,
self.groups,
config.get("groups.can_edit_health_alert", []),
)
},
"audit": {
"enabled": is_in_group(
self.user, self.groups, config.get("groups.can_audit", [])
)
},
"config": {"enabled": can_edit_dynamic_config(self.user, self.groups)},
},
"accounts": await get_account_id_to_name_mapping(),
}
self.set_header("Content-Type", "application/json")
self.write(user_profile)
async def get(self,
account_id,
resource_type,
region=None,
resource_name=None):
if not self.user:
return
if config.get("policy_editor.disallow_contractors",
True) and self.contractor:
if self.user not in config.get(
"groups.can_bypass_contractor_restrictions", []):
raise MustBeFte("Only FTEs are authorized to view this page.")
read_only = False
can_save_delete = (can_admin_policies(self.user, self.groups), )
account_id_for_arn: str = account_id
if resource_type == "s3":
account_id_for_arn = ""
arn = f"arn:aws:{resource_type}:{region or ''}:{account_id_for_arn}:{resource_name}"
path = ""
if resource_type == "managed_policy":
# special case for managed policies
path = region or ""
if path:
arn = f"arn:aws:iam::{account_id}:policy/{path}/{resource_name}"
else:
arn = f"arn:aws:iam::{account_id}:policy/{resource_name}"
stats.count("ResourcePolicyEditHandler.get",
tags={
"user": self.user,
"arn": arn
})
log_data = {
"user": self.user,
"ip": self.ip,
"function":
f"{__name__}.{self.__class__.__name__}.{sys._getframe().f_code.co_name}",
"message": "Incoming request",
"user-agent": self.request.headers.get("User-Agent"),
"request_id": self.request_uuid,
"arn": arn,
}
log.debug(log_data)
error = ""
try:
resource_details = await fetch_resource_details(
account_id, resource_type, resource_name, region, path)
except Exception as e:
sentry_sdk.capture_exception()
log.error({**log_data, "error": e}, exc_info=True)
resource_details = None
error = str(e)
if not resource_details:
self.send_error(
404,
message=
(f"Unable to retrieve the specified {resource_type} resource: "
f"{account_id}/{resource_name}/{region}. {error}", ),
)
return
# TODO: Get S3 errors for s3 buckets only, else CT errors
yesterday = (datetime.today() - timedelta(days=1)).strftime("%Y%m%d")
s3_query_url = None
if resource_type == "s3":
s3_query_url = config.get("s3.bucket_query_url")
all_s3_errors = None
if s3_query_url:
s3_query_url = s3_query_url.format(
yesterday=yesterday, bucket_name=f"'{resource_name}'")
s3_error_topic = config.get("redis.s3_errors", "S3_ERRORS")
all_s3_errors = self.red.get(s3_error_topic)
s3_errors = []
if all_s3_errors:
s3_errors = json.loads(all_s3_errors).get(arn, [])
account_ids_to_name = await get_account_id_to_name_mapping()
# TODO(ccastrapel/psanders): Make a Swagger spec for this
self.write(
dict(
arn=arn,
resource_details=resource_details,
account_id=account_id,
account_name=account_ids_to_name.get(account_id, None),
read_only=read_only,
can_save_delete=can_save_delete,
s3_errors=s3_errors,
error_url=s3_query_url,
config_timeline_url=resource_details.get(
"config_timeline_url"),
))
