clear-skies-aws 1.10.2__py3-none-any.whl → 2.0.1__py3-none-any.whl

clearskies_aws/secrets/additional_configs/iam_db_auth_with_ssm.py

@@ -1,92 +0,0 @@
-import time
-import clearskies
-class IAMDBAuthWithSSM(clearskies.di.AdditionalConfig):
-    def provide_subprocess(self):
-        import subprocess
-        return subprocess
-
-    def provide_socket(self):
-        import socket
-        return socket
-
-    def provide_connection_details(self, environment, subprocess, socket, boto3):
-        local_port = self.open_tunnel(environment, subprocess, socket, boto3)
-
-        return {
-            'host': '127.0.0.1',
-            'database': environment.get('db_database'),
-            'username': environment.get('db_username'),
-            'password': self.get_password(environment, boto3),
-            'ssl_ca': 'rds-cert-bundle.pem',
-            'port': local_port,
-        }
-
-    def get_password(self, environment, boto3):
-        endpoint = environment.get('db_endpoint')
-        username = environment.get('db_username')
-        region = environment.get('db_region')
-
-        rds_api = boto3.Session().client('rds', region_name=region)
-        return rds_api.generate_db_auth_token(DBHostname=endpoint, Port='3306', DBUsername=username, Region=region)
-
-    def open_tunnel(self, environment, subprocess, socket, boto3):
-        endpoint = environment.get('db_endpoint')
-        region = environment.get('db_region')
-        instance_name = environment.get('instance_name')
-        local_proxy_port = int(environment.get('local_proxy_port', '9000'))
-
-        ec2_api = boto3.client('ec2', region_name=region)
-        running_instances = ec2_api.describe_instances(
-            Filters=[{
-                'Name': 'tag:Name',
-                'Values': [instance_name]
-            }, {
-                'Name': 'instance-state-name',
-                'Values': ['running']
-            }],
-        )
-        instance_ids = []
-        for reservation in running_instances['Reservations']:
-            for instance in reservation['Instances']:
-                instance_ids.append(instance['InstanceId'])
-
-        if len(instance_ids) == 0:
-            raise ValueError('Failed to launch SSM tunnel! Cannot find bastion!')
-
-        instance_id = instance_ids.pop()
-        self._connect_to_bastion(local_proxy_port, instance_id, endpoint, subprocess, socket)
-        return local_proxy_port
-
-    def _connect_to_bastion(self, local_proxy_port, instance_id, endpoint, subprocess, socket):
-        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-        result = sock.connect_ex(('127.0.0.1', local_proxy_port))
-        if result == 0:
-            sock.close()
-            return
-
-        tunnel_command = [
-            'aws',
-            '--region',
-            'us-east-1',
-            'ssm',
-            'start-session',
-            '--target',
-            '{}'.format(instance_id),
-            '--document-name',
-            'AWS-StartPortForwardingSessionToRemoteHost',
-            '--parameters={{"host":["{}"], "portNumber":["3306"],"localPortNumber":["{}"]}}'.format(
-                endpoint, local_proxy_port
-            ),
-        ]
-
-        subprocess.Popen(tunnel_command)
-        connected = False
-        attempts = 0
-        while not connected and attempts < 6:
-            attempts += 1
-            time.sleep(0.5)
-            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-            result = sock.connect_ex(('127.0.0.1', local_proxy_port))
-            if result == 0:
-                return
-        raise ValueError('Failed to launch SSM tunnel with command: ' + ' '.join(tunnel_command))

clearskies_aws/secrets/additional_configs/mysql_connection_dynamic_producer_via_ssh_cert_bastion.py

@@ -1,81 +0,0 @@
-from clearskies.secrets.additional_configs import MySQLConnectionDynamicProducerViaSSHCertBastion as Base
-from pathlib import Path
-import socket
-import subprocess
-import os
-import time
-class MySQLConnectionDynamicProducerViaSSHCertBastion(Base):
-    _config = None
-    _boto3 = None
-
-    def __init__(
-        self,
-        producer_name=None,
-        bastion_region=None,
-        bastion_name=None,
-        bastion_host=None,
-        bastion_username=None,
-        public_key_file_path=None,
-        local_proxy_port=None,
-        cert_issuer_name=None,
-        database_host=None,
-        database_name=None
-    ):
-        # not using kwargs because I want the argument list to be explicit
-        self.config = {
-            'producer_name': producer_name,
-            'bastion_host': bastion_host,
-            'bastion_region': bastion_region,
-            'bastion_name': bastion_name,
-            'bastion_username': bastion_username,
-            'public_key_file_path': public_key_file_path,
-            'local_proxy_port': local_proxy_port,
-            'cert_issuer_name': cert_issuer_name,
-            'database_host': database_host,
-            'database_name': database_name,
-        }
-
-    def provide_connection_details(self, environment, secrets, boto3):
-        self._boto3 = boto3
-        return super().provide_connection_details(environment, secrets)
-
-    def _get_bastion_host(self, environment):
-        bastion_host = self._fetch_config(environment, 'bastion_host', 'akeyless_mysql_bastion_host', default='')
-        bastion_name = self._fetch_config(environment, 'bastion_name', 'akeyless_mysql_bastion_name', default='')
-        if bastion_host:
-            return bastion_host
-        if bastion_name:
-            bastion_region = self._fetch_config(environment, 'bastion_region', 'akeyless_mysql_bastion_region')
-            return self._public_ip_from_name(bastion_name, bastion_region)
-        raise ValueError(
-            f"I was asked to connect to a database via an AKeyless dynamic producer through an SSH bastion with certificate auth, but I'm missing some configuration. I need either the bastion host or the name of the instance in AWS.  These can be set in the call to `clearskies.backends.akeyless_aws.mysql_connection_dynamic_producer_via_ssh_cert_bastion()` by providing the 'bastion_host' or 'bastion_name' argument, or by setting an environment variable named 'akeyless_mysql_bastion_host' or 'akeyless_mysql_bastion_name'."
-        )
-
-    def _public_ip_from_name(self, bastion_name, bastion_region):
-        ec2 = self._boto3.client('ec2', region_name=bastion_region)
-        response = ec2.describe_instances(
-            Filters=[
-                {
-                    'Name': 'tag:Name',
-                    'Values': [bastion_name]
-                },
-                {
-                    'Name': 'instance-state-name',
-                    'Values': ['running']
-                },
-            ],
-        )
-        if not response.get('Reservations'):
-            raise ValueError(
-                f"Could not find a running instance with the designated bastion name, '{bastion_name}' in region '{bastion_region}'"
-            )
-        if not response.get('Reservations')[0].get('Instances'):
-            raise ValueError(
-                f"Could not find a running instance with the designated bastion name, '{bastion_name}' in region '{bastion_region}'"
-            )
-        instance = response.get('Reservations')[0].get('Instances')[0]
-        if not instance.get('PublicIpAddress'):
-            raise ValueError(
-                f"I found the bastion instance with a name of '{bastion_name}' in region '{bastion_region}', but it doesn't have a public IP address"
-            )
-        return instance.get('PublicIpAddress')

clearskies_aws/secrets/additional_configs/mysql_connection_dynamic_producer_via_ssm_bastion.py

@@ -1,141 +0,0 @@
-from .mysql_connection_dynamic_producer_via_ssh_cert_bastion import MySQLConnectionDynamicProducerViaSSHCertBastion as Base
-from pathlib import Path
-import socket
-import subprocess
-import os
-import time
-class MySQLConnectionDynamicProducerViaSSMBastion(Base):
-    _config = None
-    _boto3 = None
-
-    def __init__(
-        self,
-        producer_name=None,
-        bastion_region=None,
-        bastion_name=None,
-        bastion_username=None,
-        bastion_instance_id=None,
-        public_key_file_path=None,
-        local_proxy_port=None,
-        database_host=None,
-        database_name=None
-    ):
-        # not using kwargs because I want the argument list to be explicit
-        self.config = {
-            'producer_name': producer_name,
-            'bastion_instance_id': bastion_instance_id,
-            'bastion_region': bastion_region,
-            'bastion_name': bastion_name,
-            'bastion_username': bastion_username,
-            'public_key_file_path': public_key_file_path,
-            'local_proxy_port': local_proxy_port,
-            'database_host': database_host,
-            'database_name': database_name,
-        }
-
-    def provide_connection_details(self, environment, secrets, boto3):
-        self._boto3 = boto3
-        if not secrets:
-            raise ValueError(
-                "I was asked to connect to a database via an AKeyless dynamic producer but AKeyless itself wasn't configured.  Try setting the AKeyless auth method via clearskies.secrets.akeyless_[jwt|saml|aws_iam]_auth()"
-            )
-
-        producer_name = self._fetch_config(environment, 'producer_name', 'akeyless_mysql_dynamic_producer')
-        bastion_username = self._fetch_config(environment, 'bastion_username', 'mysql_bastion_username', default='ssm')
-        bastion_instance_id = self._get_bastion_instance_id(environment)
-        public_key_file_path = self._fetch_config(
-            environment, 'public_key_file_path', 'mysql_bastion_public_key_file_path'
-        )
-        local_proxy_port = self._fetch_config(
-            environment, 'local_proxy_port', 'akeyless_mysql_bastion_local_proxy_port', default=8888
-        )
-        database_host = self._fetch_config(environment, 'database_host', 'db_host')
-        database_name = self._fetch_config(environment, 'database_name', 'db_database')
-
-        # Create the SSH tunnel (yeah, it's obnoxious)
-        self._create_tunnel(
-            secrets, bastion_instance_id, bastion_username, bastion_region, public_key_file_path, local_proxy_port,
-            database_host
-        )
-
-        # and now we can fetch credentials
-        credentials = secrets.get_dynamic_secret(producer_name)
-
-        return {
-            'username': credentials['user'],
-            'password': credentials['password'],
-            'host': '127.0.0.1',
-            'database': database_name,
-            'port': local_proxy_port,
-        }
-
-    def _get_bastion_instance_id(self, environment):
-        bastion_instance_id = self._fetch_config(
-            environment, 'bastion_instance_id', 'mysql_bastion_instance_id', default=''
-        )
-        bastion_name = self._fetch_config(environment, 'bastion_name', 'mysql_bastion_name', default='')
-        if bastion_instance_id:
-            return bastion_instance_id
-        if bastion_name:
-            bastion_region = self._fetch_config(environment, 'bastion_region', 'mysql_bastion_region')
-            return self._instance_id_from_name(bastion_name, bastion_region)
-        raise ValueError(
-            f"I was asked to connect to a database via an AKeyless dynamic producer through an SSH bastion with certificate auth, but I'm missing some configuration. I need either the bastion host or the name of the instance in AWS.  These can be set in the call to `clearskies.backends.akeyless_aws.mysql_connection_dynamic_producer_via_ssh_cert_bastion()` by providing the 'bastion_host' or 'bastion_name' argument, or by setting an environment variable named 'akeyless_mysql_bastion_host' or 'akeyless_mysql_bastion_name'."
-        )
-
-    def _instance_id_from_name(self, bastion_name, bastion_region):
-        ec2 = self._boto3.client('ec2', region_name=bastion_region)
-        response = ec2.describe_instances(
-            Filters=[
-                {
-                    'Name': 'tag:Name',
-                    'Values': [bastion_name]
-                },
-                {
-                    'Name': 'instance-state-name',
-                    'Values': ['running']
-                },
-            ],
-        )
-        if not response.get('Reservations'):
-            raise ValueError(
-                f"Could not find a running instance with the designated bastion name, '{bastion_name}' in region '{bastion_region}'"
-            )
-        if not response.get('Reservations')[0].get('Instances'):
-            raise ValueError(
-                f"Could not find a running instance with the designated bastion name, '{bastion_name}' in region '{bastion_region}'"
-            )
-        return response.get('Reservations')[0].get('Instances')[0]['InstanceId']
-
-    def _create_tunnel(
-        self, secrets, bastion_instance_id, bastion_username, bastion_region, public_key_file_path, local_proxy_port,
-        database_host
-    ):
-        # first see if the socket is already open, since we don't close it.
-        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-        result = sock.connect_ex(('127.0.0.1', local_proxy_port))
-        if result == 0:
-            sock.close()
-            return
-
-        # and now we can do this thing.
-        tunnel_command = [
-            'ssh', '-i', public_key_file_path, '-o', 'ConnectTimeout=2', '-N', '-L',
-            f'{local_proxy_port}:{database_host}:3306', '-p', '22', f'{bastion_username}@{bastion_instance_id}'
-        ]
-        my_env = os.environ.copy()
-        my_env['AWS_DEFAULT_REGION'] = bastion_region
-        subprocess.Popen(tunnel_command)
-        connected = False
-        attempts = 0
-        while not connected and attempts < 6:
-            attempts += 1
-            time.sleep(0.5)
-            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-            result = sock.connect_ex(('127.0.0.1', local_proxy_port))
-            if result == 0:
-                connected = True
-        if not connected:
-            raise ValueError(
-                'Failed to open SSH tunnel.  The following command was used: \n' + ' '.join(tunnel_command)
-            )

clearskies_aws/secrets/akeyless_with_ssm_cache.py

@@ -1,46 +0,0 @@
-import re
-
-from clearskies.secrets import AKeyless
-
-
-class AkeylessWithSsmCache(AKeyless):
-    _boto3 = None
-
-    def __init__(self, requests, environment, boto3):
-        super().__init__(requests, environment)
-        self._boto3 = boto3
-        if not self._environment.get("AWS_REGION", True):
-            raise ValueError(
-                "To use parameter store you must use set the 'AWS_REGION' environment variable"
-            )
-
-    def get(self, path, refresh=False):
-        ssm = self._boto3.client("ssm", region_name="us-east-1")
-        # AWS SSM parameter paths only allow a-z, A-Z, 0-9, -, _, ., /, @, and :
-        # Replace any disallowed characters with hyphens
-        ssm_name = re.sub(r"[^a-zA-Z0-9\-_\./@:]", "-", path)
-        # if we're not forcing a refresh, then see if it is in paramater store
-        if not refresh:
-            missing = False
-            try:
-                response = ssm.get_parameter(Name=ssm_name, WithDecryption=True)
-            except ssm.exceptions.ParameterNotFound:
-                missing = True
-            if not missing:
-                value = response["Parameter"]["Value"]
-                if value:
-                    return value
-
-        # otherwise get it out of Akeyless
-        value = super().get(path)
-
-        # and make sure and store the new value in parameter store
-        if value:
-            ssm.put_parameter(
-                Name=ssm_name,
-                Value=value,
-                Type="SecureString",
-                Overwrite=True,
-            )
-
-        return value

clearskies_aws/secrets/parameter_store.py

@@ -1,50 +0,0 @@
-from botocore.exceptions import ClientError
-from clearskies.secrets.exceptions import NotFound
-class ParameterStore:
-    _boto3 = None
-    _environment = None
-    _ssm = None
-
-    def __init__(self, boto3, environment):
-        self._boto3 = boto3
-        self._environment = environment
-        if not self._environment.get('AWS_REGION', True):
-            raise ValueError("To use parameter store you must use set the 'AWS_REGION' environment variable")
-        self._ssm = self._boto3.client('ssm', region_name=self._environment.get('AWS_REGION'))
-
-    def create(self, path, value):
-        return self.update(path, value)
-
-    def get(self, path, silent_if_not_found=False):
-        try:
-            result = self._ssm.get_parameter(Name=path, WithDecryption=True)
-        except ClientError as e:
-            if e.response['Error']['Code'] == 'ResourceNotFoundException':
-                if silent_if_not_found:
-                    return None
-                raise NotFound(
-                    f"Cound not find secret '{secret_id}' with version '{version}' and stage '{version_stage}'"
-                )
-            raise e
-        return result['Parameter']['Value']
-
-    def list_secrets(self, path):
-        response = self._ssm.get_parameters_by_path(Path=path, Recursive=False)
-        return [parameter['Name'] for parameter in response['Parameters']]
-
-    def update(self, path, value):
-        response = self._ssm.put_parameter(
-            Name=path,
-            Value=value,
-            Type='String',
-            Overwrite=True,
-        )
-        return True
-
-    def upsert(self, path, value):
-        return self.update(path, value)
-
-    def list_sub_folders(self, path, value):
-        raise NotImplementedError(
-            "Parameter store doesn't support list_sub_folders."
-        )

clearskies_aws/secrets/parameter_store_test.py

@@ -1,18 +0,0 @@
-import unittest
-from types import SimpleNamespace
-from unittest.mock import MagicMock
-
-from .parameter_store import ParameterStore
-
-
-class ParameterStoreTest(unittest.TestCase):
-    def setUp(self):
-        self.environment = SimpleNamespace(get=MagicMock(return_value='us-east-1'))
-
-    def test_get(self):
-        ssm = SimpleNamespace(get_parameter=MagicMock(return_value={'Parameter': {'Value': 'sup'}}))
-        boto3 = SimpleNamespace(client=MagicMock(return_value=ssm))
-        parameter_store = ParameterStore(boto3, self.environment)
-        self.assertEqual("sup", parameter_store.get("/my/item"))
-        ssm.get_parameter.assert_called_with(Name='/my/item', WithDecryption=True)
-        boto3.client.assert_called_with('ssm', region_name='us-east-1')

clearskies_aws/secrets/secrets_manager.py

@@ -1,75 +0,0 @@
-from botocore.exceptions import ClientError
-from clearskies.secrets.exceptions import NotFound
-class SecretsManager:
-    _boto3 = None
-    _environment = None
-    _secrets_manager = None
-
-    def __init__(self, boto3, environment):
-        self._boto3 = boto3
-        self._environment = environment
-        if not self._environment.get('AWS_REGION', True):
-            raise ValueError("To use secrets manager you must use set the 'AWS_REGION' environment variable")
-        self._secrets_manager = self._boto3.client('secretsmanager', region_name=self._environment.get('AWS_REGION'))
-
-    def create(self, secret_id, value, kms_key_id=None):
-        calling_parameters = {
-            'SecretId': secret_id,
-            'SecretString': value,
-            'KmsKeyId': kms_key_id,
-        }
-        calling_parameters = {key: value for (key, value) in calling_parameters.items() if value}
-        result = self._secrets_manager.create_secret(**calling_parameters)
-
-    def get(self, secret_id, version_id=None, version_stage=None, silent_if_not_found=False):
-        calling_parameters = {
-            'SecretId': secret_id,
-            'VersionId': version_id,
-            'VersionStage': version_stage,
-        }
-        calling_parameters = {key: value for (key, value) in calling_parameters.items() if value}
-        try:
-            result = self._secrets_manager.get_secret_value(**calling_parameters)
-        except ClientError as e:
-            if e.response['Error']['Code'] == 'ResourceNotFoundException':
-                if silent_if_not_found:
-                    return None
-                raise NotFound(
-                    f"Cound not find secret '{secret_id}' with version '{version_id}' and stage '{version_stage}'"
-                )
-            raise e
-        if result.get('SecretString'):
-            return result.get('SecretString')
-        return result.get('SecretBinary')
-
-    def list_secrets(self, path):
-        results = self._secrets_manager.list_secrets(Filters=[
-            {
-                'Key': 'name',
-                'Values': [path],
-            },
-        ], )
-        return results['SecretList']
-
-    def update(self, secret_id, value, kms_key_id=None):
-        calling_parameters = {
-            'SecretId': secret_id,
-            'SecretString': value,
-            'KmsKeyId': kms_key_id,
-        }
-        calling_parameters = {key: value for (key, value) in calling_parameters.items() if value}
-        result = self._secrets_manager.update_secret(**calling_parameters)
-
-    def upsert(self, secret_id, value, kms_key_id=None):
-        calling_parameters = {
-            'SecretId': secret_id,
-            'SecretString': value,
-            'KmsKeyId': kms_key_id,
-        }
-        calling_parameters = {key: value for (key, value) in calling_parameters.items() if value}
-        result = self._secrets_manager.put_secret_value(**calling_parameters)
-
-    def list_sub_folders(self, path, value):
-        raise NotImplementedError(
-            "Secrets Manager doesn't support list_sub_folders."
-        )

clearskies_aws/secrets/secrets_manager_test.py

@@ -1,18 +0,0 @@
-import unittest
-from types import SimpleNamespace
-from unittest.mock import MagicMock
-
-from .secrets_manager import SecretsManager
-
-
-class SecretsManagerTest(unittest.TestCase):
-    def setUp(self):
-        self.environment = SimpleNamespace(get=MagicMock(return_value='us-east-1'))
-
-    def test_get(self):
-        secretsmanager = SimpleNamespace(get_secret_value=MagicMock(return_value={'SecretString': 'sup'}))
-        boto3 = SimpleNamespace(client=MagicMock(return_value=secretsmanager))
-        secrets_manager = SecretsManager(boto3, self.environment)
-        self.assertEqual("sup", secrets_manager.get("/my/item"))
-        secretsmanager.get_secret_value.assert_called_with(SecretId='/my/item')
-        boto3.client.assert_called_with('secretsmanager', region_name='us-east-1')

clearskies_aws/web_socket_connection_model.py

@@ -1,43 +0,0 @@
-from abc import abstractmethod
-import json
-
-import clearskies
-
-
-class WebSocketConnectionModel(clearskies.Model):
-
-    id_column_name = "connection_id"
-
-    def __init__(self, backend, columns, boto3, input_output):
-        super().__init__(backend, columns)
-        self._boto3 = boto3
-        self._input_output = input_output
-
-    def _build_model(self):
-        model_class = self.model_class()
-        return model_class(self._backend, self._columns, self._boto3, self._input_output)
-
-    def send(self, message):
-        if not self.exists:
-            raise ValueError("Cannot send message to non-existent connection.")
-        if not self.data.get("connection_id"):
-            raise ValueError(
-                f"Hmmm... I couldn't find the connection id for the {self.__class__.__name__}.  I'm picky about id column names.  Can you please make sure I have a column called connection_id and that it contains the connection id?"
-            )
-
-        event = self._input_output.context_specifics()["event"]
-        domain = event.get("requestContext", {}).get("domainName")
-        stage = event.get("requestContext", {}).get("stage")
-        # only include the stage if we're using the default AWS domain - not with a custom domain
-        if ".amazonaws.com" in domain:
-            endpoint_url = f"https://{domain}/{stage}"
-        else:
-            endpoint_url = f"https://{domain}"
-        api_gateway = self._boto3.client("apigatewaymanagementapi", endpoint_url=endpoint_url)
-
-        bytes_message = json.dumps(message).encode("utf-8")
-        try:
-            response = api_gateway.post_to_connection(Data=bytes_message, ConnectionId=self.connection_id)
-        except api_gateway.exceptions.GoneException:
-            self.delete()
-        return response