cumulus-aws 0.11.1

data/lib/iam/models/PolicyConfig.rb

@@ -0,0 +1,67 @@
+require "conf/Configuration"
+
+require "json"
+
+module Cumulus
+  module IAM
+    # Public: Represents a policy in AWS. Contains StatementConfig objects that
+    # define the things this policy allows.
+    class PolicyConfig
+
+      attr_accessor :name
+
+      # Public: Constructor. Will be created with no statements.
+      def initialize
+        @version = Configuration.instance.iam.policy_version
+        @statements = []
+      end
+
+      # Public: Add a StatementConfig object to the statements in this PolicyConfig
+      #
+      # statement - the StatementConfig object to add to this PolicyConfig
+      def add_statement(statement)
+        @statements.push(statement)
+      end
+
+      # Public: Determine if this policy is empty. It is considered empty if there
+      # are no statements.
+      #
+      # Returns true if empty, false if not
+      def empty?
+        @statements.empty?
+      end
+
+      # Public: Create a JSON string representing this PolicyConfig which can be
+      # used by AWS IAMs.
+      #
+      # Returns the String JSON representation
+      def as_json
+        as_hash.to_json
+      end
+
+      # Public: Create a pretty JSON string representing this PolicyConfig which can
+      # be used by AWS IAMs.
+      #
+      # Returns the String JSON representation (pretty printed)
+      def as_pretty_json
+        JSON.pretty_generate(as_hash)
+      end
+
+      # Public: Create a Hash that contains the data in this PolicyConfig which will
+      # conform to the AWS IAM format when converted to JSON
+      #
+      # Returns a Hash representing this PolicyConfig
+      def as_hash
+        statements = @statements.map do |statement|
+          statement.as_hash
+        end
+
+        {
+          "Version" => @version,
+          "Statement" => statements
+        }
+      end
+
+    end
+  end
+end

data/lib/iam/models/ResourceWithPolicy.rb

@@ -0,0 +1,208 @@
+require "conf/Configuration"
+require "iam/loader/Loader"
+require "iam/models/IamDiff"
+require "iam/models/PolicyConfig"
+require "iam/models/StatementConfig"
+require "util/Colors"
+
+require "json"
+
+module Cumulus
+  module IAM
+    # Public: Represents a configuration for a resource that has attached policies.
+    # Lazily loads its static and template policies as needed. Is the base class for
+    # groups, roles, and users.
+    #
+    # Additionally, exposes a constructor that takes no parameters. This parameter
+    # essentially creates an "empty resource", which can then be filled and json
+    # configuration can be generated from the object. This is useful when migrating.
+    class ResourceWithPolicy
+
+      attr_accessor :attached_policies
+      attr_accessor :name
+      attr_reader :inlines
+      attr_reader :statics
+      attr_reader :type
+
+      # Public: Constructor.
+      #
+      # name - the name of the resource
+      # json - a hash containing JSON configuration for this resource, if nil, this
+      #        resource will be an "empty resource"
+      def initialize(name = nil, json = nil)
+        if !json.nil?
+          @name = name
+          @json = json
+          @attached_policies = json["policies"]["attached"]
+          @statics = json["policies"]["static"]
+          @templates = json["policies"]["templates"]
+          @inlines = json["policies"]["inlines"]
+        else
+          @name = nil
+          @attached_policies = []
+          @statics = []
+          @templates = []
+          @inlines = []
+        end
+      end
+
+      # Public: Generate the JSON string to turn this object back into a Cumulus
+      # config file.
+      #
+      # Returns the JSON string.
+      def json
+        JSON.pretty_generate(hash)
+      end
+
+      # Public: Generate a hash that represents this config. This hash will be json
+      # serializable to Cumulus config format
+      #
+      # Returns the hash
+      def hash
+        {
+          "name" => @name,
+          "policies" => {
+            "attached" => @attached_policies,
+            "inlines" => @inlines.flatten,
+            "static" => @statics,
+            "templates" => @templates
+          }
+        }
+      end
+
+      # Public: Lazily produce the inline policy document for this resource as a
+      # PolicyConfig. Includes the static and inline policies as well as applied
+      # templates.
+      #
+      # Returns the policy for this resource as a PolicyConfig
+      def policy
+        @policy ||= init_policy
+      end
+
+      # Internal: Produce the inline policy document for this resource as a
+      # PolicyConfig. Includes the static and inline policies as well as applied
+      # templates.
+      #
+      # Returns the policy for this resource as a PolicyConfig
+      def init_policy
+        policy = PolicyConfig.new
+        static_statements.each do |statement|
+          policy.add_statement(statement)
+        end
+        template_statements.each do |statement|
+          policy.add_statement(statement)
+        end
+        inline_statements.each do |statement|
+          policy.add_statement(statement)
+        end
+        policy
+      end
+      private :init_policy
+
+      # Public: Produce the name for the policy that will be generated for this
+      # resource.
+      #
+      # Returns the String name
+      def generated_policy_name
+        policy_prefix = Configuration.instance.iam.policy_prefix
+        policy_suffix = Configuration.instance.iam.policy_suffix
+        "#{policy_prefix}#{@name}#{policy_suffix}"
+      end
+
+      # Internal: Lazily load the static policies for this resource
+      #
+      # Returns an Array of static policies as StatementConfig
+      def static_statements
+        @static_statements ||= init_static_statements
+      end
+      private :static_statements
+
+      # Internal: Load the static policies for this resource
+      #
+      # Returns an Array of static policies as StatementConfig
+      def init_static_statements
+        statements = []
+        @statics.map do |name|
+          statements << Loader.static_policy(name)
+        end
+        statements.flatten!
+        statements
+      end
+      private :init_static_statements
+
+      # Internal: Lazily load the template policies for this resource, applying
+      # template variables
+      #
+      # Returns an Array of applied templates as StatementConfig objects
+      def template_statements
+        @template_statements ||= init_template_statements
+      end
+      private :template_statements
+
+      # Internal: Load the template policies for this resource, applying template
+      # variables
+      #
+      # Returns an Array of applied templates as StatementConfig objects
+      def init_template_statements
+        @templates.map do |template|
+          Loader.template_policy(template["template"], template["vars"])
+        end.flatten
+      end
+      private :init_template_statements
+
+      # Internal: Load the inline policies defined in the JSON config for this
+      # resource.
+      def inline_statements
+        @inlines.map do |inline|
+          StatementConfig.new(inline)
+        end
+      end
+      private :inline_statements
+
+      # Public: Diff this resource with the resource from AWS
+      #
+      # aws_resource - the Aws::IAM::* resource to compare against
+      #
+      # Returns an array of IamDiff objects representing the differences
+      def diff(aws_resource)
+        diffs = []
+
+        aws_policies = Hash[aws_resource.policies.map { |p| [p.name, p] }]
+        p = policy
+        p.name = generated_policy_name
+
+        # check if we've ever generated a policy for this resource
+        if !aws_policies.key?(generated_policy_name) and !policy.empty?
+          diffs << IamDiff.added_policy(generated_policy_name, p)
+        end
+
+        # loop through all the policies and look for changes
+        aws_policies.each do |name, aws_policy|
+          if name != generated_policy_name
+            diffs << IamDiff.unmanaged_policy(name)
+          else
+            aws_statements = JSON.parse(URI.unescape(aws_policy.policy_document))["Statement"]
+            local_statements = p.as_hash["Statement"]
+
+            if aws_statements != local_statements
+              diff = IamDiff.new(IamChange::POLICY, aws_statements, p)
+              diff.policy_name = generated_policy_name
+              diffs << diff
+            end
+          end
+        end
+
+        # look for changes in managed policies
+        aws_arns = aws_resource.attached_policies.map { |a| a.arn }
+        new_policies = @attached_policies.select { |local| !aws_arns.include?(local) }
+        removed_policies = aws_arns.select { |aws| !@attached_policies.include?(aws) }
+        if !new_policies.empty? or !removed_policies.empty?
+          diffs << IamDiff.attached(new_policies, removed_policies)
+        end
+
+        diffs
+      end
+
+    end
+  end
+end

data/lib/iam/models/RoleConfig.rb

@@ -0,0 +1,53 @@
+require "iam/models/IamDiff"
+require "iam/models/ResourceWithPolicy"
+
+require "json"
+
+module Cumulus
+  module IAM
+    # Public: Represents a config file for a role. Will lazily load its static and
+    # template policies as needed.
+    class RoleConfig < ResourceWithPolicy
+
+      attr_accessor :policy_document
+
+      # Public: Constructor.
+      #
+      # name - the name of the role
+      # json - the Hash containing the JSON configuration for this RoleConfig, if
+      #        nil, this will be an "empty RoleConfig"
+      def initialize(name = nil, json = nil)
+        super(name, json)
+        @policy_document = Loader.policy_document(json["policy-document"]) unless json.nil?
+        @type = "role"
+      end
+
+      # override diff to check for changes in policy documents
+      def diff(aws_resource)
+        differences = super(aws_resource)
+
+        aws_policy = JSON.parse(URI.unescape(aws_resource.assume_role_policy_document)).to_s
+
+        if one_line_policy_document != aws_policy
+          differences << IamDiff.new(IamChange::POLICY_DOC, aws_resource, self)
+        end
+
+        differences
+      end
+
+      def hash
+        h = super()
+        h["policy-document"] = @policy_document
+        h
+      end
+
+      # Internal: Get the policy document as a one line string for easier comparison
+      #
+      # Returns the policy on one line
+      def one_line_policy_document
+        JSON.parse(@policy_document).to_s
+      end
+
+    end
+  end
+end

data/lib/iam/models/StatementConfig.rb

@@ -0,0 +1,35 @@
+module Cumulus
+  module IAM
+    # Public: Represents a policy config file.
+    class StatementConfig
+
+      attr_reader :effect
+      attr_reader :action
+      attr_reader :resource
+
+      # Public: Constructor.
+      #
+      # json - the Hash containing the JSON configuration for this StatementConfig
+      def initialize(json)
+        @effect = json["Effect"]
+        @action = json["Action"]
+        @resource = json["Resource"]
+        @condition = json["Condition"]
+      end
+
+      # Public: Create a Hash that contains the data in this StatementConfig which
+      # can be turned into JSON that matches the format for AWS IAMS.
+      #
+      # Returns the Hash representing this StatementConfig.
+      def as_hash
+        {
+          "Effect" => @effect,
+          "Action" => @action,
+          "Resource" => @resource,
+          "Condition" => @condition
+        }.reject { |k, v| v.nil? }
+      end
+
+    end
+  end
+end

data/lib/iam/models/UserConfig.rb

@@ -0,0 +1,21 @@
+require "iam/models/ResourceWithPolicy"
+
+module Cumulus
+  module IAM
+    # Public: Represents a config file for a user. Lazily loads its static and
+    # template policies as needed.
+    class UserConfig < ResourceWithPolicy
+
+      # Public: Constructor
+      #
+      # name - the name of the user
+      # json - the Hash containing the JSON configuration for this UserConfig, if
+      #        nil, this will be an "empty UserConfig"
+      def initialize(name = nil, json = nil)
+        super(name, json)
+        @type = "user"
+      end
+
+    end
+  end
+end

data/lib/kinesis/Kinesis.rb

@@ -0,0 +1,94 @@
+require "aws-sdk"
+
+module Cumulus
+  module Kinesis
+    class << self
+
+      @@client = Aws::Kinesis::Client.new(Configuration.instance.client)
+
+      require "aws_extensions/kinesis/StreamDescription"
+      Aws::Kinesis::Types::StreamDescription.send(:include, AwsExtensions::Kinesis::StreamDescription)
+
+      # Public - Returns a Hash of stream name to Aws::Kinesis::Types::StreamDescription with all shards loaded
+      def named_streams
+        @named_streams ||= Hash[stream_names.map { |name| [name, describe_stream(name)] }]
+      end
+
+      # Public - Returns an array of all the stream names
+      def stream_names
+        @stream_names ||= init_stream_names
+      end
+
+      # Public - Returns a Hash of stream name to tags
+      def stream_tags
+        @stream_tags ||= Hash[stream_names.map { |name| [name, init_tags(name) ] }]
+      end
+
+      # Public - Load the entire stream description with all shards
+      #
+      # Returns a Aws::Kinesis::Types::StreamDescription with all shards loaded
+      def describe_stream(stream_name)
+        stream = @@client.describe_stream({
+          stream_name: stream_name
+        }).stream_description
+
+        while stream.has_more_shards do
+          stream_continued = @@client.describe_stream({
+            stream_name: stream_name,
+            exclusive_start_shard_id: stream.shards.last.shard_id
+          }).stream_description
+
+          stream.shards.concat(stream_continued.shards)
+          stream.has_more_shards = stream_continued.has_more_shards
+        end
+
+        stream
+      end
+
+      private
+
+      # Internal - Load the tags for a stream
+      #
+      # Returns a Hash containing the tags as key/value pairs
+      def init_tags(stream_name)
+        response = @@client.list_tags_for_stream({
+          stream_name: stream_name,
+        })
+
+        tags = response.tags
+
+        while response.has_more_tags do
+          response = @@client.list_tags_for_stream({
+            stream_name: stream_name,
+            exclusive_start_tag_key: tags.last.key
+          })
+
+          tags.concat(response.tags)
+        end
+
+        Hash[tags.map { |tag| [tag.key, tag.value] }]
+      end
+
+      # Internal - Load the list of stream names
+      #
+      # Returns the stream names as an Array
+      def init_stream_names
+        streams = []
+
+        has_more_streams = true
+
+        while has_more_streams do
+          response = @@client.list_streams({
+            exclusive_start_stream_name: streams.last
+          })
+
+          streams.concat(response.stream_names)
+          has_more_streams = response.has_more_streams
+        end
+
+        streams
+      end
+
+    end
+  end
+end