clear-skies-aws 1.8.5__py3-none-any.whl → 1.9.1__py3-none-any.whl

{clear_skies_aws-1.8.5.dist-info → clear_skies_aws-1.9.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: clear-skies-aws
-Version: 1.8.5
+Version: 1.9.1
 Summary: clearskies bindings for working in AWS
 Home-page: https://github.com/cmancone/clearskies-aws
 License: MIT

{clear_skies_aws-1.8.5.dist-info → clear_skies_aws-1.9.1.dist-info}/RECORD

@@ -3,8 +3,8 @@ clearskies_aws/actions/__init__.py,sha256=QEKR3TKEp7NWqhfz0g19Dv2v8KTTVewKi_3zeX
 clearskies_aws/actions/action_aws.py,sha256=hWYnYA0QNegWp2LDMYILs0Dk1TOsFykW5JgSEMwfDE8,3877
 clearskies_aws/actions/assume_role.py,sha256=tZHKMTQaImj_EAWormFZdIPkR_db7yBwOJxYaUyuGdA,4085
 clearskies_aws/actions/assume_role_test.py,sha256=MDMGePZLVyDNTjdAlGBDJzBlfMpGIpA3Q1Ur0qEPl1w,2450
-clearskies_aws/actions/ses.py,sha256=Lc554msF20ZDUBu43CfdA6bu2-xeOW6d2daOHAn1x5g,6933
-clearskies_aws/actions/ses_test.py,sha256=6XydNRXmniViOHkWcRCZNCEuGi3K2tp2w7Fkyg6JEBk,1739
+clearskies_aws/actions/ses.py,sha256=iSo-dtQoreqOCveGpDAKWkbaa0gZx1xTymHYqlvL7hk,7886
+clearskies_aws/actions/ses_test.py,sha256=lyNbqI46Ld_ZUKtWLgSwwfSOFksQ39H4hzPS3eTx7nk,3076
 clearskies_aws/actions/sns.py,sha256=m9LEoogTGGPr-u8oj39PIiOd9rkoF340nFbWefXJREA,2197
 clearskies_aws/actions/sns_test.py,sha256=iqlaZOA-0YHPOu52-XqpCIAgAv1JZodDdlm4YYYhj8U,2306
 clearskies_aws/actions/sqs.py,sha256=UZykBoi83EzzlqaPVdobZ8D_JRYqPFCwrCjWqg0ACzk,2340
@@ -30,7 +30,8 @@ clearskies_aws/contexts/lambda_sqs_standard_partial_batch_test.py,sha256=q3uqICn
 clearskies_aws/contexts/wsgi.py,sha256=wmHnDIfcrQN0I547uE2mlHHQtOLOpLfpbKpBJkw5puY,510
 clearskies_aws/di/__init__.py,sha256=KLq6G-CKR-Vdk9LZe5TijW_U-McJlrp1QuIXqmyAL-A,56
 clearskies_aws/di/standard_dependencies.py,sha256=WptTwpEjRrPx7gN7VF_pHfW0eJIErjOyR0Q0nk4DXEo,775
-clearskies_aws/handlers/__init__.py,sha256=uzChAhrSefZdvCkwiMLyNP7ij5yXPOBYtJ67XX_trzM,51
+clearskies_aws/handlers/__init__.py,sha256=E2x04QGy5dfaDIB5Xu8IRWwgypIrgGEZibijtKWe8jM,112
+clearskies_aws/handlers/secrets_manager_rotation.py,sha256=KV4XWKar4gT0Xu0eM_D75ECzYkjXxjeZtkOopPRG9rc,7471
 clearskies_aws/handlers/simple_body_routing.py,sha256=FGdeDY8nZIGfCOn0oOHi6EOP1h4xXcBP3W9fH0NuBlc,1449
 clearskies_aws/input_outputs/__init__.py,sha256=Tf8kWN95nwUbvlVaboYT06ICtSuZd0MPPzwWhO5iQGs,385
 clearskies_aws/input_outputs/cli_websocket_mock.py,sha256=J3PDYnFxOzqYhmlxWFcobbb4McKpsGduIBq6jdSAx5Y,434
@@ -57,7 +58,7 @@ clearskies_aws/secrets/parameter_store_test.py,sha256=UyqKE4AZYlldj9ww5f0fR15qsV
 clearskies_aws/secrets/secrets_manager.py,sha256=jlpfAFC23EeSpm50L8B-yrXg4IROQq-M_90zzXDp_ak,3056
 clearskies_aws/secrets/secrets_manager_test.py,sha256=mlNWtDm1wWS5C8aV0vJAzZVZB82KFR6NGRAPEkLtTyk,786
 clearskies_aws/web_socket_connection_model.py,sha256=d_Au_Pu7YXBfc7_lbuI7zz4MZ8ZOOwGM0oooppEofcI,1776
-clear_skies_aws-1.8.5.dist-info/LICENSE,sha256=3Ehd0g3YOpCj8sqj0Xjq5qbOtjjgk9qzhhD9YjRQgOA,1053
-clear_skies_aws-1.8.5.dist-info/METADATA,sha256=GP3Cntgty7nBtpIMrpf1gOZYQO_aT6NU2NzNfMM_BMA,8579
-clear_skies_aws-1.8.5.dist-info/WHEEL,sha256=d2fvjOD7sXsVzChCqf0Ty0JbHKBaLYwDbGQDwQTnJ50,88
-clear_skies_aws-1.8.5.dist-info/RECORD,,
+clear_skies_aws-1.9.1.dist-info/LICENSE,sha256=3Ehd0g3YOpCj8sqj0Xjq5qbOtjjgk9qzhhD9YjRQgOA,1053
+clear_skies_aws-1.9.1.dist-info/METADATA,sha256=TabZogVH3Y9e30ZE81jx_cqvojmOVahuYa5eQ9jzNHM,8579
+clear_skies_aws-1.9.1.dist-info/WHEEL,sha256=d2fvjOD7sXsVzChCqf0Ty0JbHKBaLYwDbGQDwQTnJ50,88
+clear_skies_aws-1.9.1.dist-info/RECORD,,

clearskies_aws/actions/ses.py

@@ -22,9 +22,9 @@ class SES(ActionAws):
     def configure(
         self,
         sender,
-        to: Optional[Union[list, str]] = None,
-        cc: Optional[Union[list, str]] = None,
-        bcc: Optional[Union[list, str]] = None,
+        to: Optional[Union[list, str,  Callable]] = None,
+        cc: Optional[Union[list, str,  Callable]] = None,
+        bcc: Optional[Union[list, str,  Callable]] = None,
         subject: Optional[str] = None,
         message: Optional[str] = None,
         subject_template: Optional[str] = None,
@@ -48,7 +48,7 @@ class SES(ActionAws):
             destination_values = locals()[key]
             if not destination_values:
                 continue
-            if type(destination_values) == str:
+            if type(destination_values) == str or callable(destination_values):
                 self.destinations[key] = [destination_values]
             else:
                 self.destinations[key] = destination_values
@@ -136,6 +136,17 @@ class SES(ActionAws):
         resolved = []
         destinations = self.destinations[name]
         for destination in destinations:
+            if callable(destination):
+                more = self.di.call_function(destination, model=model)
+                if not isinstance(more, list):
+                    more = [more]
+                for entry in more:
+                    if not isinstance(entry, str):
+                        raise ValueError(f"I invoked a callable to fetch the '{name}' addresses for model '{model.__class__.__name__}' but it returned something other than a string.  Callables must return a valid email address or a list of email addresses.")
+                    if "@" not in entry:
+                        raise ValueError(f"I invoked a callable to fetch the '{name}' addresses for model '{model.__class__.__name__}' but it returned a non-email address.  Callables must return a valid email address or a list of email addresses.")
+                resolved.extend(more)
+                continue
             if "@" in destination:
                 resolved.append(destination)
                 continue

clearskies_aws/actions/ses_test.py

@@ -48,3 +48,42 @@ class SESTest(unittest.TestCase):
                 Source='test@example.com'
             ),
         ])
+
+    def test_send_callable(self):
+        ses = SES(self.environment, self.boto3, self.di)
+        ses.configure(
+            'test@example.com',
+            to=lambda model: 'jane@example.com',
+            bcc=lambda model: ['bob@example.com', 'greg@example.com'],
+            subject='welcome!',
+            message_template='hi {{ model.id }}!'
+        )
+        model = MagicMock()
+        model.id = 'asdf'
+        ses(model)
+        self.ses.send_email.assert_has_calls([
+            call(
+                Destination={
+                    'ToAddresses': ['jane@example.com'],
+                    'CcAddresses': [],
+                    'BccAddresses': ['bob@example.com', 'greg@example.com']
+                },
+                Message={
+                    'Body': {
+                        'Html': {
+                            'Charset': 'utf-8',
+                            'Data': 'hi asdf!'
+                        },
+                        'Text': {
+                            'Charset': 'utf-8',
+                            'Data': 'hi asdf!'
+                        }
+                    },
+                    'Subject': {
+                        'Charset': 'utf-8',
+                        'Data': 'welcome!'
+                    }
+                },
+                Source='test@example.com'
+            ),
+        ])

clearskies_aws/handlers/__init__.py

@@ -1 +1,2 @@
 from .simple_body_routing import SimpleBodyRouting
+from .secrets_manager_rotation import SecretsManagerRotation

clearskies_aws/handlers/secrets_manager_rotation.py

@@ -0,0 +1,174 @@
+import json
+
+import clearskies
+from clearskies.handlers.exceptions import ClientError
+from clearskies.handlers.base import Base
+import botocore
+
+class SecretsManagerRotation(Base, clearskies.handlers.SchemaHelper):
+    _steps = ["createSecret", "setSecret", "testSecret", "finishSecret"]
+
+    current = "AWSCURRENT"
+    pending = "AWSPENDING"
+
+    _configuration_defaults = {
+        "createSecret": None,
+        "setSecret": None,
+        "testSecret": None,
+        "finishSecret": None,
+        "schema": [],
+    }
+
+    def __init__(self, boto3, di):
+        super().__init__(di)
+        self.boto3 = boto3
+
+    def _check_configuration(self, configuration):
+        super()._check_configuration(configuration)
+        class_name = self.__class__.__name__
+        if not configuration.get("createSecret"):
+            raise KeyError(f"Missing required configuration 'createSecret' for handler {class_name}")
+
+        for config_name in self._steps:
+            config = configuration.get(config_name)
+            if config is None:
+                continue
+            if not callable(config):
+                raise ValueError(f"Misconfiguration for handler {class_name}: configuration '{config_name}' is not callable")
+
+        if configuration.get("schema") is not None:
+            self._check_schema(configuration["schema"], None, f"Misconfiguration for handler {class_name}")
+
+    def _finalize_configuration(self, configuration):
+        if configuration.get('schema'):
+            configuration['schema'] = self._schema_to_columns(configuration['schema'])
+        return super()._finalize_configuration(configuration)
+
+    def handle(self, input_output):
+        request_data = input_output.json_body()
+
+        arn = request_data.get('SecretId')
+        request_token = request_data.get('ClientRequestToken')
+        step = request_data.get('Step')
+        secretsmanager = self.boto3.client('secretsmanager')
+        metadata = secretsmanager.describe_secret(SecretId=arn)
+
+        self._validate_secret_and_request(step, arn, metadata, request_token)
+
+        current_secret_data = {}
+        pending_secret_data = {}
+
+        current_secret = secretsmanager.get_secret_value(SecretId=arn, VersionStage=self.current)
+        current_secret_data = json.loads(current_secret['SecretString'])
+
+        # validate the current secret
+        secret_errors = {
+            **self._extra_column_errors(current_secret_data),
+            **self._find_input_errors(current_secret_data),
+        }
+        if secret_errors:
+            raise ValueError(f"The current secret did not match the configured schema: {secret_errors}")
+
+        # check for a pending secret.  Note that this is not always available.  In the event that we are retrying a failed
+        # rotation it will already be set, in which case we need to skip the createSecret step.
+        try:
+            pending_secret = secretsmanager.get_secret_value(SecretId=arn, VersionId=request_token, VersionStage=self.pending)
+            pending_secret_data = json.loads(pending_secret['SecretString'])
+        except botocore.exceptions.ClientError as error:
+            if error.response['Error']['Code'] == 'ResourceNotFoundException':
+                pending_secret_data = None
+            else:
+                raise error
+
+        # we can't call the createSecret step if we already have a pending secret or this will generate an error from AWS.
+        if step == "createSecret" and pending_secret_data is not None:
+            return
+
+        # call the appropriate step and pass along *everything*.
+        getattr(self, step)(
+            current_secret_data=current_secret_data,
+            pending_secret_data=pending_secret_data,
+            secretsmanager=secretsmanager,
+            metadata=metadata,
+            request_token=request_token,
+            arn=arn,
+        )
+
+    def _validate_secret_and_request(self, step, arn, metadata, request_token):
+        """ This function does some basic checks suggested by AWS of both the request and the secret to make sure everything is on the up-and-up. """
+        if step not in self._steps:
+            raise ClientError(f"Invalid step: {step}")
+
+        if not metadata.get('RotationEnabled'):
+            raise ValueError("Secret %s is not enabled for rotation" % arn)
+
+        versions = metadata["VersionIdsToStages"]
+        prefix = f"Rotation config error for version '{request_token}' of secret '{arn}': "
+        if request_token not in versions:
+            raise ValueError(f"{prefix} we don't have a stage for rotation")
+        if self.current in versions[request_token]:
+            raise ValueError(f"{prefix} it's already the current version, which shouldn't happen.  I'm quitting with prejudice.")
+        elif self.pending not in versions[request_token]:
+            raise ValueError(f"{prefix} it hasn't been set to pending yet, which makes no sense!")
+
+    def createSecret(self, **kwargs):
+        new_secret_data = self._di.call_function(self._configuration["createSecret"], **kwargs)
+        if new_secret_data is None:
+            raise ValueError(f"I called the configured createSecret function but it didn't return anything.  It has to return the new secret data.")
+        if not isinstance(new_secret_data, dict):
+            raise ValueError(f"I called the configured createSecret function but it didn't return a dictionary.  The createSecret function must return a dictionary.")
+
+        secret_errors = {
+            **self._extra_column_errors(new_secret_data),
+            **self._find_input_errors(new_secret_data),
+        }
+        if secret_errors:
+            raise ValueError(f"The secret data returned by the call to createSecret did not match the configured schema: {secret_errors}")
+
+        # if we get this far we can store the new data
+        secretsmanager = kwargs["secretsmanager"]
+        request_token = kwargs["request_token"]
+        arn = kwargs["arn"]
+        secretsmanager.put_secret_value(
+            SecretId=arn,
+            SecretString=json.dumps(new_secret_data),
+            ClientRequestToken=request_token,
+            VersionStages=[self.pending],
+        )
+
+    def setSecret(self, **kwargs):
+        if not self._configuration.get("setSecret"):
+            return
+        self._di.call_function(self._configuration["setSecret"], **kwargs)
+
+    def testSecret(self, **kwargs):
+        if not self._configuration.get("testSecret"):
+            return
+        self._di.call_function(self._configuration["testSecret"], **kwargs)
+
+    def finishSecret(self, **kwargs):
+        if self._configuration.get("finishSecret"):
+            self._di.call_function(self._configuration["finishSecret"], **kwargs)
+
+        secretsmanager = kwargs["secretsmanager"]
+        request_token = kwargs["request_token"]
+        arn = kwargs["arn"]
+        metadata = kwargs["metadata"]
+        current_version = None
+        for version in metadata["VersionIdsToStages"]:
+            if self.current not in metadata["VersionIdsToStages"][version]:
+                continue
+
+            if version == request_token:
+                return
+
+            current_version = version
+            break
+
+        # finish the rotation by taking the new version and making it current.
+        secretsmanager.update_secret_version_stage(
+            SecretId=arn,
+            VersionStage=self.current,
+            MoveToVersionId=request_token,
+            RemoveFromVersionId=current_version
+        )