clear-skies-aws 2.0.1__py3-none-any.whl → 2.0.2__py3-none-any.whl

clearskies_aws/endpoints/secrets_manager_rotation.py

@@ -0,0 +1,195 @@
+from __future__ import annotations
+
+import json
+from collections.abc import Callable
+from typing import Any
+
+import botocore
+import clearskies
+from clearskies import Endpoint
+from clearskies.configs import Callable as CallableConfig
+from clearskies.configs import Schema as SchemaConfig
+from clearskies.configs import StringList
+from clearskies.decorators import parameters_to_properties
+from clearskies.di.inject import Di
+from clearskies.exceptions import ClientError
+from clearskies.input_outputs import InputOutput
+
+from clearskies_aws.di import inject
+
+
+class SecretsManagerRotation(Endpoint):
+
+    di = Di()
+    boto3 = inject.Boto3()
+
+    current = "AWSCURRENT"
+    pending = "AWSPENDING"
+
+    steps = StringList(default=["createSecret", "setSecret", "testSecret", "finishSecret"])
+    create_secret = CallableConfig(default=None)
+    set_secret = CallableConfig(default=None)
+    test_secret = CallableConfig(default=None)
+    finish_secret = CallableConfig(default=None)
+    schema = SchemaConfig(default=None)
+
+    @parameters_to_properties
+    def __init__(
+        self,
+        steps: list[str] | None,
+        create_secret: Callable | None,
+        set_secret: Callable | None,
+        test_secret: Callable | None,
+        finish_secret: Callable | None,
+        schema: list[dict] | None,
+    ):
+        super().__init__()
+
+    def configure(self):
+        self.finalize_and_validate_configuration()
+        class_name = self.__class__.__name__
+        if not self.create_secret:
+            raise KeyError(f"Missing required configuration 'createSecret' for handler {class_name}")
+
+        for config_name in self.steps:
+            config = getattr(self, config_name)
+            if config is None:
+                continue
+
+    def handle(self, input_output: InputOutput):
+        request_data = json.loads(input_output.get_body())
+
+        self.find_input_errors(request_data, input_output, self.schema)
+
+        arn = request_data.get("SecretId")
+        request_token = request_data.get("ClientRequestToken")
+        step = request_data.get("Step")
+        secretsmanager = self.boto3.client("secretsmanager")
+        metadata = secretsmanager.describe_secret(SecretId=arn)
+
+        self._validate_secret_and_request(step, arn, metadata, request_token)
+
+        current_secret_data = {}
+        pending_secret_data = {}
+
+        current_secret = secretsmanager.get_secret_value(SecretId=arn, VersionStage=self.current)
+        current_secret_data = json.loads(current_secret["SecretString"])
+
+        # validate the current secret
+        secret_errors = {
+            **self._extra_column_errors(current_secret_data),
+            **self._find_input_errors(current_secret_data),
+        }
+        if secret_errors:
+            raise ValueError(f"The current secret did not match the configured schema: {secret_errors}")
+
+        # check for a pending secret.  Note that this is not always available.  In the event that we are retrying a failed
+        # rotation it will already be set, in which case we need to skip the createSecret step.
+        try:
+            pending_secret = secretsmanager.get_secret_value(
+                SecretId=arn, VersionId=request_token, VersionStage=self.pending
+            )
+            pending_secret_data = json.loads(pending_secret["SecretString"])
+        except botocore.exceptions.ClientError as error:
+            if error.response["Error"]["Code"] == "ResourceNotFoundException":
+                pending_secret_data = None
+            else:
+                raise error
+
+        # we can't call the createSecret step if we already have a pending secret or this will generate an error from AWS.
+        if step == "createSecret" and pending_secret_data is not None:
+            return
+
+        # call the appropriate step and pass along *everything*.
+        getattr(self, step)(
+            current_secret_data=current_secret_data,
+            pending_secret_data=pending_secret_data,
+            secretsmanager=secretsmanager,
+            metadata=metadata,
+            request_token=request_token,
+            arn=arn,
+        )
+
+    def _validate_secret_and_request(self, step: str, arn: str, metadata: dict[str, Any], request_token: str):
+        """Perform basic checks suggested by AWS of both the request and the secret to ensure validity."""
+        if step not in self.steps:
+            raise ClientError(f"Invalid step: {step}")
+
+        if not metadata.get("RotationEnabled"):
+            raise ValueError("Secret %s is not enabled for rotation" % arn)
+
+        versions = metadata["VersionIdsToStages"]
+        prefix = f"Rotation config error for version '{request_token}' of secret '{arn}': "
+        if request_token not in versions:
+            raise ValueError(f"{prefix} we don't have a stage for rotation")
+        if self.current in versions[request_token]:
+            raise ValueError(
+                f"{prefix} it's already the current version, which shouldn't happen.  I'm quitting with prejudice."
+            )
+        elif self.pending not in versions[request_token]:
+            raise ValueError(f"{prefix} it hasn't been set to pending yet, which makes no sense!")
+
+    def createSecret(self, **kwargs):
+        new_secret_data = self.di.call_function(self.create_secret, **kwargs)
+        if new_secret_data is None:
+            raise ValueError(
+                f"I called the configured createSecret function but it didn't return anything.  It has to return the new secret data."
+            )
+        if not isinstance(new_secret_data, dict):
+            raise ValueError(
+                f"I called the configured createSecret function but it didn't return a dictionary.  The createSecret function must return a dictionary."
+            )
+
+        secret_errors = {
+            **self._extra_column_errors(new_secret_data),
+            **self.find_input_errors(new_secret_data),
+        }
+        if secret_errors:
+            raise ValueError(
+                f"The secret data returned by the call to createSecret did not match the configured schema: {secret_errors}"
+            )
+
+        # if we get this far we can store the new data
+        secretsmanager = kwargs["secretsmanager"]
+        request_token = kwargs["request_token"]
+        arn = kwargs["arn"]
+        secretsmanager.put_secret_value(
+            SecretId=arn,
+            SecretString=json.dumps(new_secret_data),
+            ClientRequestToken=request_token,
+            VersionStages=[self.pending],
+        )
+
+    def setSecret(self, **kwargs):
+        if not self._configuration.get("setSecret"):
+            return
+        self._di.call_function(self._configuration["setSecret"], **kwargs)
+
+    def testSecret(self, **kwargs):
+        if not self._configuration.get("testSecret"):
+            return
+        self._di.call_function(self._configuration["testSecret"], **kwargs)
+
+    def finishSecret(self, **kwargs):
+        if self._configuration.get("finishSecret"):
+            self._di.call_function(self._configuration["finishSecret"], **kwargs)
+
+        secretsmanager = kwargs["secretsmanager"]
+        request_token = kwargs["request_token"]
+        arn = kwargs["arn"]
+        metadata = kwargs["metadata"]
+        current_version = None
+        for version in metadata["VersionIdsToStages"]:
+            if self.current not in metadata["VersionIdsToStages"][version]:
+                continue
+
+            if version == request_token:
+                return
+
+            current_version = version
+            break
+
+        # finish the rotation by taking the new version and making it current.
+        secretsmanager.update_secret_version_stage(
+            SecretId=arn, VersionStage=self.current, MoveToVersionId=request_token, RemoveFromVersionId=current_version
+        )

clearskies_aws/endpoints/simple_body_routing.py

@@ -0,0 +1,41 @@
+from __future__ import annotations
+
+import json
+from typing import Any
+
+from clearskies import Endpoint
+from clearskies.configs import AnyDict, String
+from clearskies.di.inject import Di
+from clearskies.input_outputs import InputOutput
+
+
+class SimpleBodyRouting(Endpoint):
+    di = Di()
+
+    route_key = String(default="route")
+    routes = AnyDict(default={})
+
+    def __init__(self, routes: dict[str, Any], route_key: str = "route"):
+        self.routes = routes
+        self.route_key = route_key
+
+    def handle(self, input_output: InputOutput) -> Any:
+        body = json.loads(input_output.get_body()) if input_output.has_body() else {}
+
+        if not body or not body.get(self.route_key):
+            return self.error(input_output, "Not Found", 404)
+
+        route = body[self.route_key]
+        if route not in self.routes:
+            return self.error(input_output, "Not Found", 404)
+        return input_output.respond(
+            self.di.call_function(
+                self.routes[route],
+                request_data=body,
+                **input_output.context_specifics(),
+            ),
+            200,
+        )
+
+    def documentation(self):
+        return []

clearskies_aws/input_outputs/__init__.py

@@ -0,0 +1,21 @@
+from __future__ import annotations
+
+from clearskies_aws.input_outputs.cli_web_socket_mock import CliWebSocketMock
+from clearskies_aws.input_outputs.lambda_alb import LambdaAlb
+from clearskies_aws.input_outputs.lambda_api_gateway import LambdaApiGateway
+from clearskies_aws.input_outputs.lambda_api_gateway_web_socket import (
+    LambdaApiGatewayWebSocket,
+)
+from clearskies_aws.input_outputs.lambda_invocation import LambdaInvocation
+from clearskies_aws.input_outputs.lambda_sns import LambdaSns
+from clearskies_aws.input_outputs.lambda_sqs_standard import LambdaSqsStandard
+
+__all__ = [
+    "CliWebSocketMock",
+    "LambdaApiGateway",
+    "LambdaApiGatewayWebSocket",
+    "LambdaAlb",
+    "LambdaInvocation",
+    "LambdaSns",
+    "LambdaSqsStandard",
+]

clearskies_aws/input_outputs/cli_web_socket_mock.py

@@ -0,0 +1,18 @@
+from __future__ import annotations
+
+import json
+
+import clearskies
+
+
+class CliWebSocketMock(clearskies.input_outputs.Cli):
+    def context_specifics(self):
+        connection_id = json.loads(self.get_body()).get("connection_id")
+        if not connection_id:
+            raise KeyError("When using the CliWebsocketMock you must provide connection_id in the request body")
+
+        return {
+            "event": {},
+            "context": {},
+            "connection_id": connection_id,
+        }

clearskies_aws/input_outputs/lambda_alb.py

@@ -0,0 +1,53 @@
+from __future__ import annotations
+
+from typing import Any
+
+from clearskies.configs import String
+from clearskies.input_outputs import Headers
+
+from clearskies_aws.input_outputs import lambda_input_output
+
+
+class LambdaAlb(lambda_input_output.LambdaInputOutput):
+    """Application Load Balancer specific Lambda input/output handler."""
+
+    def __init__(self, event: dict[str, Any], context: dict[str, Any]):
+        # Call parent constructor
+        super().__init__(event, context)
+
+        # ALB specific initialization
+        self.request_method = event.get("httpMethod", "GET").upper()
+        self.path = event.get("path", "/")
+
+        # Extract query parameters (ALB only has single value query parameters)
+        self.query_parameters = event.get("queryStringParameters") or {}
+
+        # Extract headers (ALB only has single value headers)
+        headers_dict = {}
+        for key, value in event.get("headers", {}).items():
+            headers_dict[key.lower()] = str(value)
+
+        self.request_headers = Headers(headers_dict)
+
+    def get_client_ip(self) -> str:
+        """Get the client IP address from ALB headers."""
+        # ALB always provides client IP via X-Forwarded-For header
+        forwarded_for = self.request_headers.get("x-forwarded-for")
+        if not forwarded_for:
+            raise KeyError(
+                "The x-forwarded-for header wasn't present in the request, and it should always exist for anything behind an ALB.  You are probably using the wrong context."
+            )
+
+        # X-Forwarded-For can contain multiple IPs, take the first one
+        return forwarded_for.split(",")[0].strip()
+
+    def context_specifics(self) -> dict[str, Any]:
+        """Provide ALB specific context data."""
+        request_context = self.event.get("requestContext", {})
+        elb = request_context.get("elb", {})
+
+        return {
+            **super().context_specifics(),
+            "path": self.path,
+            "target_group_arn": elb.get("targetGroupArn"),
+        }

clearskies_aws/input_outputs/lambda_api_gateway.py

@@ -0,0 +1,123 @@
+from __future__ import annotations
+
+from typing import Any
+
+from clearskies.configs import String
+from clearskies.input_outputs import Headers
+
+from clearskies_aws.input_outputs import lambda_input_output
+
+
+class LambdaApiGateway(lambda_input_output.LambdaInputOutput):
+    """API Gateway v1 and v2 Lambda input/output handler."""
+
+    resource = String(default="")
+
+    def __init__(self, event: dict, context: dict[str, Any]):
+        # Call parent constructor
+        super().__init__(event, context)
+
+        # Determine API Gateway version and parse accordingly
+        version = self._detect_version(event)
+        if version == "1.0":
+            self._parse_event_v1(event)
+        elif version == "2.0":
+            self._parse_event_v2(event)
+        else:
+            raise ValueError(f"Unsupported API Gateway event version: {version}")
+
+    def _detect_version(self, event: dict) -> str:
+        """Detect API Gateway version from event structure."""
+        if "version" in event:
+            return event["version"]
+        elif "httpMethod" in event:
+            return "1.0"  # v1 has httpMethod at root level
+        elif "requestContext" in event and "http" in event["requestContext"]:
+            return "2.0"  # v2 has http in requestContext
+        else:
+            raise ValueError("Unable to determine API Gateway version from event structure")
+
+    def _parse_event_v1(self, event: dict) -> None:
+        """Parse API Gateway v1 event structure."""
+        self.request_method = event.get("httpMethod", "GET").upper()
+        self.path = event.get("path", "/")
+        self.resource = event.get("resource", "")
+
+        # Extract query parameters (v1 has both single and multi-value)
+        self.query_parameters = {
+            **(event.get("queryStringParameters") or {}),
+            **(event.get("multiValueQueryStringParameters") or {}),
+        }
+
+        # Extract headers (v1 has both single and multi-value)
+        headers_dict = {}
+        for key, value in {
+            **event.get("headers", {}),
+            **event.get("multiValueHeaders", {}),
+        }.items():
+            headers_dict[key.lower()] = str(value)
+
+        self.request_headers = Headers(headers_dict)
+
+    def _parse_event_v2(self, event: dict) -> None:
+        """Parse API Gateway v2 event structure."""
+        request_context = event.get("requestContext", {})
+        http_context = request_context.get("http", {})
+
+        self.request_method = http_context.get("method", "GET").upper()
+        self.path = http_context.get("path", "/")
+        # v2 doesn't have resource field
+        self.resource = ""
+
+        # Extract query parameters (v2 only has single values)
+        self.query_parameters = event.get("queryStringParameters") or {}
+
+        # Extract headers (v2 only has single value headers)
+        headers_dict = {}
+        for key, value in event.get("headers", {}).items():
+            headers_dict[key.lower()] = str(value)
+
+        self.request_headers = Headers(headers_dict)
+
+    def get_client_ip(self) -> str:
+        """Get the client IP address from API Gateway event."""
+        request_context = self.event.get("requestContext", {})
+
+        # Try v1 format first (identity.sourceIp)
+        identity = request_context.get("identity", {})
+        if "sourceIp" in identity:
+            return identity["sourceIp"]
+
+        # Try v2 format (http.sourceIp)
+        http_context = request_context.get("http", {})
+        if "sourceIp" in http_context:
+            return http_context["sourceIp"]
+
+        raise ValueError("Unable to find the client ip inside the API Gateway")
+
+    def get_protocol(self) -> str:
+        """Get the protocol from API Gateway request context."""
+        request_context = self.event.get("requestContext", {})
+
+        # Try v2 format first (has explicit protocol)
+        http_context = request_context.get("http", {})
+        if "protocol" in http_context:
+            protocol = http_context["protocol"]
+            return "https" if protocol.upper().startswith("HTTPS") else "http"
+
+        # v1 defaults to HTTPS
+        return "https"
+
+    def context_specifics(self) -> dict[str, Any]:
+        """Provide API Gateway specific context data."""
+        request_context = self.event.get("requestContext", {})
+        http_context = request_context.get("http", {})
+
+        return {
+            **super().context_specifics(),
+            "resource": self.resource,
+            "stage": request_context.get("stage"),
+            "request_id": request_context.get("requestId"),
+            "api_id": request_context.get("apiId"),
+            "api_version": self._detect_version(self.event),
+        }

clearskies_aws/input_outputs/lambda_api_gateway_web_socket.py

@@ -0,0 +1,71 @@
+from __future__ import annotations
+
+from typing import Any
+
+from clearskies.configs import String
+from clearskies.input_outputs import Headers
+
+from clearskies_aws.input_outputs import lambda_input_output
+
+
+class LambdaApiGatewayWebSocket(lambda_input_output.LambdaInputOutput):
+    """Api Gateway WebSocket specific Lambda input/output handler."""
+
+    route_key = String(default="")
+    connection_id = String(default="")
+
+    def __init__(self, event: dict[str, Any], context: dict[str, Any], url: str = ""):
+        # Call parent constructor
+        super().__init__(event, context)
+
+        self.path = url
+
+        # WebSocket specific initialization
+        request_context = event.get("requestContext", {})
+
+        # WebSocket uses route_key, but doesn't have either a route or a method
+        self.route_key = request_context.get("routeKey", "")
+        self.request_method = self.route_key.upper()  # For compatibility
+
+        # WebSocket connection ID
+        self.connection_id = request_context.get("connectionId", "")
+
+        # These will only be available, at monst, during the on-connect step
+        self.query_parameters = event.get("queryStringParameters") or {}
+        headers_dict = {}
+        for key, value in event.get("headers", {}).items():
+            headers_dict[key.lower()] = str(value)
+        self.request_headers = Headers(headers_dict)
+
+    def get_client_ip(self) -> str:
+        """Get the client IP address from WebSocket request context."""
+        request_context = self.event.get("requestContext", {})
+        identity = request_context.get("identity", {})
+
+        if "sourceIp" in identity:
+            return identity["sourceIp"]
+
+        raise ValueError("Unable to find the client ip inside the API Gateway")
+
+    def respond(self, body: Any, status_code: int = 200) -> dict[str, Any]:
+        """Create WebSocket specific response format."""
+        # WebSocket responses are simpler than HTTP responses
+        return {
+            "statusCode": status_code,
+        }
+
+    def context_specifics(self) -> dict[str, Any]:
+        """Provide WebSocket specific context data."""
+        request_context = self.event.get("requestContext", {})
+
+        return {
+            **super().context_specifics(),
+            "connection_id": self.connection_id,
+            "route_key": self.route_key,
+            "stage": request_context.get("stage"),
+            "request_id": request_context.get("requestId"),
+            "api_id": request_context.get("apiId"),
+            "domain_name": request_context.get("domainName"),
+            "event_type": request_context.get("eventType"),
+            "connected_at": request_context.get("connectedAt"),
+        }

clearskies_aws/input_outputs/lambda_input_output.py

@@ -0,0 +1,87 @@
+from __future__ import annotations
+
+import base64
+import json
+from abc import abstractmethod
+from typing import Any, cast
+from urllib.parse import urlencode
+
+from clearskies.configs import AnyDict, String
+from clearskies.input_outputs import InputOutput
+
+
+class LambdaInputOutput(InputOutput):
+    """Base class for Lambda input/output handlers that provides common Lambda functionality."""
+
+    event = AnyDict(default={})
+    context = AnyDict(default={})
+    path = String(default="/")
+
+    _cached_body = None
+    _body_was_cached = False
+
+    def __init__(self, event: dict[str, Any], context: dict[str, Any]):
+        # Store event and context
+        self.event = event
+        self.context = context
+
+        # Initialize the base class
+        super().__init__()
+
+    def respond(self, body: Any, status_code: int = 200) -> dict[str, Any]:
+        """Create standard Lambda HTTP response format."""
+        if "content-type" not in self.response_headers:
+            self.response_headers.content_type = "application/json; charset=UTF-8"
+
+        is_base64 = False
+
+        if isinstance(body, bytes):
+            is_base64 = True
+            final_body = base64.encodebytes(body).decode("utf8")
+        elif isinstance(body, str):
+            final_body = body
+        else:
+            final_body = json.dumps(body)
+
+        return {
+            "isBase64Encoded": is_base64,
+            "statusCode": status_code,
+            "headers": dict(self.response_headers),
+            "body": final_body,
+        }
+
+    def has_body(self) -> bool:
+        return bool(self.get_body())
+
+    def get_body(self) -> str:
+        """Get request body with base64 decoding if needed."""
+        if not self._body_was_cached:
+            self._body_was_cached = True
+            self._cached_body = self.event.get("body", "")
+            if (
+                self._cached_body is not None
+                and self.event.get("isBase64Encoded", False)
+                and isinstance(self._cached_body, str)
+            ):
+                self._cached_body = base64.decodebytes(self._cached_body.encode("utf-8")).decode("utf-8")
+        return self._cached_body or ""
+
+    def get_client_ip(self) -> str:
+        """Get client IP - can be overridden by subclasses for event-specific logic."""
+        return "127.0.0.1"
+
+    def get_protocol(self) -> str:
+        """Get protocol."""
+        # Default to HTTPS for most Lambda HTTP events
+        return "https"
+
+    def get_full_path(self) -> str:
+        """Get full path."""
+        return self.path
+
+    def context_specifics(self) -> dict[str, Any]:
+        """Provide Lambda-specific context."""
+        return {
+            "event": self.event,
+            "context": self.context,
+        }