clear-skies-aws 2.0.1__py3-none-any.whl → 2.0.2__py3-none-any.whl

clearskies_aws/secrets/additional_configs/iam_db_auth.py

@@ -0,0 +1,39 @@
+from __future__ import annotations
+
+import os
+
+import clearskies
+
+
+class IAMDBAuth(clearskies.di.AdditionalConfig):
+    def provide_boto3(self):
+        import boto3
+
+        return boto3
+
+    def provide_connection_details(self, environment, boto3):
+        """
+        Make configuration values and environment variables customizable.
+
+        Allows both the values and the environment variable names to be set for flexible configuration.
+
+        Returns:
+            dict: Connection details for IAM DB authentication.
+        """
+        endpoint = environment.get("db_endpoint")
+        username = environment.get("db_username")
+        database = environment.get("db_database")
+        region = environment.get("AWS_REGION")
+        ssl_ca_bundle_name = environment.get("ssl_ca_bundle_filename")
+        os.environ["LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN"] = "1"
+
+        rds_api = boto3.Session().client("rds")
+        rds_token = rds_api.generate_db_auth_token(DBHostname=endpoint, Port="3306", DBUsername=username, Region=region)
+
+        return {
+            "username": username,
+            "password": rds_token,
+            "host": endpoint,
+            "database": database,
+            "ssl_ca": ssl_ca_bundle_name,
+        }

clearskies_aws/secrets/additional_configs/iam_db_auth_with_ssm.py

@@ -0,0 +1,96 @@
+from __future__ import annotations
+
+import time
+
+import clearskies
+
+
+class IAMDBAuthWithSSM(clearskies.di.AdditionalConfig):
+    def provide_subprocess(self):
+        import subprocess
+
+        return subprocess
+
+    def provide_socket(self):
+        import socket
+
+        return socket
+
+    def provide_connection_details(self, environment, subprocess, socket, boto3):
+        local_port = self.open_tunnel(environment, subprocess, socket, boto3)
+
+        return {
+            "host": "127.0.0.1",
+            "database": environment.get("db_database"),
+            "username": environment.get("db_username"),
+            "password": self.get_password(environment, boto3),
+            "ssl_ca": "rds-cert-bundle.pem",
+            "port": local_port,
+        }
+
+    def get_password(self, environment, boto3):
+        endpoint = environment.get("db_endpoint")
+        username = environment.get("db_username")
+        region = environment.get("db_region")
+
+        rds_api = boto3.Session().client("rds", region_name=region)
+        return rds_api.generate_db_auth_token(DBHostname=endpoint, Port="3306", DBUsername=username, Region=region)
+
+    def open_tunnel(self, environment, subprocess, socket, boto3):
+        endpoint = environment.get("db_endpoint")
+        region = environment.get("db_region")
+        instance_name = environment.get("instance_name")
+        local_proxy_port = int(environment.get("local_proxy_port", "9000"))
+
+        ec2_api = boto3.client("ec2", region_name=region)
+        running_instances = ec2_api.describe_instances(
+            Filters=[
+                {"Name": "tag:Name", "Values": [instance_name]},
+                {"Name": "instance-state-name", "Values": ["running"]},
+            ],
+        )
+        instance_ids = []
+        for reservation in running_instances["Reservations"]:
+            for instance in reservation["Instances"]:
+                instance_ids.append(instance["InstanceId"])
+
+        if len(instance_ids) == 0:
+            raise ValueError("Failed to launch SSM tunnel! Cannot find bastion!")
+
+        instance_id = instance_ids.pop()
+        self._connect_to_bastion(local_proxy_port, instance_id, endpoint, subprocess, socket)
+        return local_proxy_port
+
+    def _connect_to_bastion(self, local_proxy_port, instance_id, endpoint, subprocess, socket):
+        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        result = sock.connect_ex(("127.0.0.1", local_proxy_port))
+        if result == 0:
+            sock.close()
+            return
+
+        tunnel_command = [
+            "aws",
+            "--region",
+            "us-east-1",
+            "ssm",
+            "start-session",
+            "--target",
+            "{}".format(instance_id),
+            "--document-name",
+            "AWS-StartPortForwardingSessionToRemoteHost",
+            '--parameters={{"host":["{}"], "portNumber":["3306"],"localPortNumber":["{}"]}}'.format(
+                endpoint, local_proxy_port
+            ),
+        ]
+
+        subprocess.Popen(tunnel_command)
+        connected = False
+        attempts = 0
+        while not connected and attempts < 6:
+            attempts += 1
+            time.sleep(0.5)
+            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+            result = sock.connect_ex(("127.0.0.1", local_proxy_port))
+            if result == 0:
+                return
+        raise ValueError("Failed to launch SSM tunnel with command: " + " ".join(tunnel_command))

clearskies_aws/secrets/additional_configs/mysql_connection_dynamic_producer_via_ssh_cert_bastion.py

@@ -0,0 +1,80 @@
+from __future__ import annotations
+
+import os
+import socket
+import subprocess
+import time
+from pathlib import Path
+
+from clearskies.secrets.additional_configs import MySQLConnectionDynamicProducerViaSSHCertBastion as Base
+
+
+class MySQLConnectionDynamicProducerViaSSHCertBastion(Base):
+    _config = None
+    _boto3 = None
+
+    def __init__(
+        self,
+        producer_name=None,
+        bastion_region=None,
+        bastion_name=None,
+        bastion_host=None,
+        bastion_username=None,
+        public_key_file_path=None,
+        local_proxy_port=None,
+        cert_issuer_name=None,
+        database_host=None,
+        database_name=None,
+    ):
+        # not using kwargs because I want the argument list to be explicit
+        self.config = {
+            "producer_name": producer_name,
+            "bastion_host": bastion_host,
+            "bastion_region": bastion_region,
+            "bastion_name": bastion_name,
+            "bastion_username": bastion_username,
+            "public_key_file_path": public_key_file_path,
+            "local_proxy_port": local_proxy_port,
+            "cert_issuer_name": cert_issuer_name,
+            "database_host": database_host,
+            "database_name": database_name,
+        }
+
+    def provide_connection_details(self, environment, secrets, boto3):
+        self._boto3 = boto3
+        return super().provide_connection_details(environment, secrets)
+
+    def _get_bastion_host(self, environment):
+        bastion_host = self._fetch_config(environment, "bastion_host", "akeyless_mysql_bastion_host", default="")
+        bastion_name = self._fetch_config(environment, "bastion_name", "akeyless_mysql_bastion_name", default="")
+        if bastion_host:
+            return bastion_host
+        if bastion_name:
+            bastion_region = self._fetch_config(environment, "bastion_region", "akeyless_mysql_bastion_region")
+            return self._public_ip_from_name(bastion_name, bastion_region)
+        raise ValueError(
+            f"I was asked to connect to a database via an AKeyless dynamic producer through an SSH bastion with certificate auth, but I'm missing some configuration. I need either the bastion host or the name of the instance in AWS.  These can be set in the call to `clearskies.backends.akeyless_aws.mysql_connection_dynamic_producer_via_ssh_cert_bastion()` by providing the 'bastion_host' or 'bastion_name' argument, or by setting an environment variable named 'akeyless_mysql_bastion_host' or 'akeyless_mysql_bastion_name'."
+        )
+
+    def _public_ip_from_name(self, bastion_name, bastion_region):
+        ec2 = self._boto3.client("ec2", region_name=bastion_region)
+        response = ec2.describe_instances(
+            Filters=[
+                {"Name": "tag:Name", "Values": [bastion_name]},
+                {"Name": "instance-state-name", "Values": ["running"]},
+            ],
+        )
+        if not response.get("Reservations"):
+            raise ValueError(
+                f"Could not find a running instance with the designated bastion name, '{bastion_name}' in region '{bastion_region}'"
+            )
+        if not response.get("Reservations")[0].get("Instances"):
+            raise ValueError(
+                f"Could not find a running instance with the designated bastion name, '{bastion_name}' in region '{bastion_region}'"
+            )
+        instance = response.get("Reservations")[0].get("Instances")[0]
+        if not instance.get("PublicIpAddress"):
+            raise ValueError(
+                f"I found the bastion instance with a name of '{bastion_name}' in region '{bastion_region}', but it doesn't have a public IP address"
+            )
+        return instance.get("PublicIpAddress")

clearskies_aws/secrets/additional_configs/mysql_connection_dynamic_producer_via_ssm_bastion.py

@@ -0,0 +1,162 @@
+from __future__ import annotations
+
+import os
+import socket
+import subprocess
+import time
+from pathlib import Path
+
+from .mysql_connection_dynamic_producer_via_ssh_cert_bastion import (
+    MySQLConnectionDynamicProducerViaSSHCertBastion as Base,
+)
+
+
+class MySQLConnectionDynamicProducerViaSSMBastion(Base):
+    _config = None
+    _boto3 = None
+
+    def __init__(
+        self,
+        producer_name=None,
+        bastion_region=None,
+        bastion_name=None,
+        bastion_username=None,
+        bastion_instance_id=None,
+        public_key_file_path=None,
+        local_proxy_port=None,
+        database_host=None,
+        database_name=None,
+    ):
+        # not using kwargs because I want the argument list to be explicit
+        self.config = {
+            "producer_name": producer_name,
+            "bastion_instance_id": bastion_instance_id,
+            "bastion_region": bastion_region,
+            "bastion_name": bastion_name,
+            "bastion_username": bastion_username,
+            "public_key_file_path": public_key_file_path,
+            "local_proxy_port": local_proxy_port,
+            "database_host": database_host,
+            "database_name": database_name,
+        }
+
+    def provide_connection_details(self, environment, secrets, boto3):
+        self._boto3 = boto3
+        if not secrets:
+            raise ValueError(
+                "I was asked to connect to a database via an AKeyless dynamic producer but AKeyless itself wasn't configured.  Try setting the AKeyless auth method via clearskies.secrets.akeyless_[jwt|saml|aws_iam]_auth()"
+            )
+
+        producer_name = self._fetch_config(environment, "producer_name", "akeyless_mysql_dynamic_producer")
+        bastion_username = self._fetch_config(environment, "bastion_username", "mysql_bastion_username", default="ssm")
+        bastion_instance_id = self._get_bastion_instance_id(environment)
+        public_key_file_path = self._fetch_config(
+            environment, "public_key_file_path", "mysql_bastion_public_key_file_path"
+        )
+        local_proxy_port = self._fetch_config(
+            environment, "local_proxy_port", "akeyless_mysql_bastion_local_proxy_port", default=8888
+        )
+        database_host = self._fetch_config(environment, "database_host", "db_host")
+        database_name = self._fetch_config(environment, "database_name", "db_database")
+
+        # Create the SSH tunnel (yeah, it's obnoxious)
+        self._create_tunnel(
+            secrets,
+            bastion_instance_id,
+            bastion_username,
+            bastion_region,
+            public_key_file_path,
+            local_proxy_port,
+            database_host,
+        )
+
+        # and now we can fetch credentials
+        credentials = secrets.get_dynamic_secret(producer_name)
+
+        return {
+            "username": credentials["user"],
+            "password": credentials["password"],
+            "host": "127.0.0.1",
+            "database": database_name,
+            "port": local_proxy_port,
+        }
+
+    def _get_bastion_instance_id(self, environment):
+        bastion_instance_id = self._fetch_config(
+            environment, "bastion_instance_id", "mysql_bastion_instance_id", default=""
+        )
+        bastion_name = self._fetch_config(environment, "bastion_name", "mysql_bastion_name", default="")
+        if bastion_instance_id:
+            return bastion_instance_id
+        if bastion_name:
+            bastion_region = self._fetch_config(environment, "bastion_region", "mysql_bastion_region")
+            return self._instance_id_from_name(bastion_name, bastion_region)
+        raise ValueError(
+            f"I was asked to connect to a database via an AKeyless dynamic producer through an SSH bastion with certificate auth, but I'm missing some configuration. I need either the bastion host or the name of the instance in AWS.  These can be set in the call to `clearskies.backends.akeyless_aws.mysql_connection_dynamic_producer_via_ssh_cert_bastion()` by providing the 'bastion_host' or 'bastion_name' argument, or by setting an environment variable named 'akeyless_mysql_bastion_host' or 'akeyless_mysql_bastion_name'."
+        )
+
+    def _instance_id_from_name(self, bastion_name, bastion_region):
+        ec2 = self._boto3.client("ec2", region_name=bastion_region)
+        response = ec2.describe_instances(
+            Filters=[
+                {"Name": "tag:Name", "Values": [bastion_name]},
+                {"Name": "instance-state-name", "Values": ["running"]},
+            ],
+        )
+        if not response.get("Reservations"):
+            raise ValueError(
+                f"Could not find a running instance with the designated bastion name, '{bastion_name}' in region '{bastion_region}'"
+            )
+        if not response.get("Reservations")[0].get("Instances"):
+            raise ValueError(
+                f"Could not find a running instance with the designated bastion name, '{bastion_name}' in region '{bastion_region}'"
+            )
+        return response.get("Reservations")[0].get("Instances")[0]["InstanceId"]
+
+    def _create_tunnel(
+        self,
+        secrets,
+        bastion_instance_id,
+        bastion_username,
+        bastion_region,
+        public_key_file_path,
+        local_proxy_port,
+        database_host,
+    ):
+        # first see if the socket is already open, since we don't close it.
+        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        result = sock.connect_ex(("127.0.0.1", local_proxy_port))
+        if result == 0:
+            sock.close()
+            return
+
+        # and now we can do this thing.
+        tunnel_command = [
+            "ssh",
+            "-i",
+            public_key_file_path,
+            "-o",
+            "ConnectTimeout=2",
+            "-N",
+            "-L",
+            f"{local_proxy_port}:{database_host}:3306",
+            "-p",
+            "22",
+            f"{bastion_username}@{bastion_instance_id}",
+        ]
+        my_env = os.environ.copy()
+        my_env["AWS_DEFAULT_REGION"] = bastion_region
+        subprocess.Popen(tunnel_command)
+        connected = False
+        attempts = 0
+        while not connected and attempts < 6:
+            attempts += 1
+            time.sleep(0.5)
+            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+            result = sock.connect_ex(("127.0.0.1", local_proxy_port))
+            if result == 0:
+                connected = True
+        if not connected:
+            raise ValueError(
+                "Failed to open SSH tunnel.  The following command was used: \n" + " ".join(tunnel_command)
+            )

clearskies_aws/secrets/akeyless_with_ssm_cache.py

@@ -0,0 +1,60 @@
+from __future__ import annotations
+
+import re
+from typing import Any
+
+from clearskies.secrets.akeyless import Akeyless
+from types_boto3_ssm import SSMClient
+
+from clearskies_aws.secrets import parameter_store
+
+
+class AkeylessWithSsmCache(parameter_store.ParameterStore, Akeyless):
+    def get(self, path: str, refresh: bool = False) -> str | None:  # type: ignore[override]
+        # AWS SSM parameter paths only allow a-z, A-Z, 0-9, -, _, ., /, @, and :
+        # Replace any disallowed characters with hyphens
+        ssm_name = re.sub(r"[^a-zA-Z0-9\-_\./@:]", "-", path)
+        # if we're not forcing a refresh, then see if it is in paramater store
+        if not refresh:
+            missing = False
+            try:
+                response = self.ssm.get_parameter(Name=ssm_name, WithDecryption=True)
+            except self.ssm.exceptions.ParameterNotFound:
+                missing = True
+            if not missing:
+                value = response["Parameter"].get("Value", "")
+                if value:
+                    return value
+
+        # otherwise get it out of Akeyless
+        value = str(super().get(path))
+
+        # and make sure and store the new value in parameter store
+        if value:
+            self.ssm.put_parameter(
+                Name=ssm_name,
+                Value=value,
+                Type="SecureString",
+                Overwrite=True,
+            )
+
+        return value
+
+    def update(self, path: str, value: Any) -> bool:  # type: ignore[override]
+        res = self._api.update_secret_val(
+            self.akeyless.UpdateSecretVal(name=path, value=str(value), token=self._get_token())
+        )
+        self.ssm.put_parameter(
+            Name=re.sub(r"[^a-zA-Z0-9\-_\./@:]", "-", path),
+            Value=value,
+            Type="SecureString",
+            Overwrite=True,
+        )
+        return True
+
+    def upsert(self, path: str, value: Any) -> bool:  # type: ignore[override]
+        try:
+            self.update(path, value)
+        except Exception as e:
+            self.create(path, value)
+        return True

clearskies_aws/secrets/parameter_store.py

@@ -0,0 +1,52 @@
+from __future__ import annotations
+
+from botocore.exceptions import ClientError
+from clearskies.exceptions.not_found import NotFound
+from types_boto3_ssm import SSMClient
+
+from clearskies_aws.secrets import secrets
+
+
+class ParameterStore(secrets.Secrets):
+    ssm: SSMClient
+
+    def __init__(self):
+        super().__init__()
+        self.ssm = self.boto3.client("ssm", region_name=self.environment.get("AWS_REGION"))
+
+    def create(self, path: str, value: str) -> bool:
+        return self.update(path, value)
+
+    def get(self, path: str, silent_if_not_found: bool = False) -> str | None:  # type: ignore[override]
+        try:
+            result = self.ssm.get_parameter(Name=path, WithDecryption=True)
+        except ClientError as e:
+            error = e.response.get("Error", {})
+            if error.get("Code") == "ResourceNotFoundException":
+                if silent_if_not_found:
+                    return None
+                raise NotFound(f"Could not find secret '{path}' in parameter store")
+            raise e
+        return result["Parameter"].get("Value", "")
+
+    def list_secrets(self, path: str) -> list[str]:
+        response = self.ssm.get_parameters_by_path(Path=path, Recursive=False)
+        return [parameter["Name"] for parameter in response["Parameters"] if "Name" in parameter]
+
+    def update(self, path: str, value: str) -> bool:  # type: ignore[override]
+        response = self.ssm.put_parameter(
+            Name=path,
+            Value=value,
+            Type="String",
+            Overwrite=True,
+        )
+        return True
+
+    def upsert(self, path: str, value: str) -> bool:  # type: ignore[override]
+        return self.update(path, value)
+
+    def list_sub_folders(
+        self,
+        path: str,
+    ) -> list[str]:  # type: ignore[override]
+        raise NotImplementedError("Parameter store doesn't support list_sub_folders.")

clearskies_aws/secrets/secrets.py

@@ -0,0 +1,16 @@
+from __future__ import annotations
+
+from clearskies.di.inject import Di, Environment
+from clearskies.secrets import Secrets as BaseSecrets
+
+from clearskies_aws.di import inject
+
+
+class Secrets(BaseSecrets):
+    boto3 = inject.Boto3()
+    environment = Environment()
+
+    def __init__(self):
+        super().__init__()
+        if not self.environment.get("AWS_REGION", True):
+            raise ValueError("To use secrets manager you must use set the 'AWS_REGION' environment variable")

clearskies_aws/secrets/secrets_manager.py

@@ -0,0 +1,96 @@
+from __future__ import annotations
+
+from typing import Any
+
+from botocore.exceptions import ClientError
+from clearskies.exceptions.not_found import NotFound
+from types_boto3_secretsmanager import SecretsManagerClient
+from types_boto3_secretsmanager.type_defs import SecretListEntryTypeDef
+
+from clearskies_aws.secrets import secrets
+
+
+class SecretsManager(secrets.Secrets):
+    secrets_manager: SecretsManagerClient
+
+    def __init__(self):
+        super().__init__()
+        self.secrets_manager = self.boto3.client("secretsmanager", region_name=self.environment.get("AWS_REGION"))
+
+    def create(self, secret_id: str, value: Any, kms_key_id: str | None = None) -> bool:
+        calling_parameters = {
+            "SecretId": secret_id,
+            "SecretString": value,
+            "KmsKeyId": kms_key_id,
+        }
+        calling_parameters = {key: value for (key, value) in calling_parameters.items() if value}
+        result = self.secrets_manager.create_secret(**calling_parameters)
+        return bool(result.get("ARN"))
+
+    def get(  # type: ignore[override]
+        self,
+        secret_id: str,
+        version_id: str | None = None,
+        version_stage: str | None = None,
+        silent_if_not_found: bool = False,
+    ) -> str | bytes | None:
+        calling_parameters = {"SecretId": secret_id}
+
+        # Only add optional parameters if they are not None
+        if version_id:
+            calling_parameters["VersionId"] = version_id
+        if version_stage:
+            calling_parameters["VersionStage"] = version_stage
+
+        try:
+            result = self.secrets_manager.get_secret_value(**calling_parameters)
+        except ClientError as e:
+            error = e.response.get("Error", {})
+            if error.get("Code") == "ResourceNotFoundException":
+                if silent_if_not_found:
+                    return None
+                raise NotFound(
+                    f"Could not find secret '{secret_id}' with version '{version_id}' and stage '{version_stage}'"
+                )
+            raise e
+        if result.get("SecretString"):
+            return result.get("SecretString")
+        return result.get("SecretBinary")
+
+    def list_secrets(self, path: str) -> list[SecretListEntryTypeDef]:  # type: ignore[override]
+        results = self.secrets_manager.list_secrets(
+            Filters=[
+                {
+                    "Key": "name",
+                    "Values": [path],
+                },
+            ],
+        )
+        return results["SecretList"]
+
+    def update(self, secret_id: str, value: str, kms_key_id: str | None = None) -> bool:  # type: ignore[override]
+        calling_parameters = {
+            "SecretId": secret_id,
+            "SecretString": value,
+        }
+        if kms_key_id:
+            # If no KMS key is provided, we should not include it in the parameters
+            calling_parameters["KmsKeyId"] = kms_key_id
+
+        result = self.secrets_manager.update_secret(**calling_parameters)
+        return bool(result.get("ARN"))
+
+    def upsert(self, secret_id: str, value: str, kms_key_id: str | None = None) -> bool:  # type: ignore[override]
+        calling_parameters = {
+            "SecretId": secret_id,
+            "SecretString": value,
+        }
+        if kms_key_id:
+            # If no KMS key is provided, we should not include it in the parameters
+            calling_parameters["KmsKeyId"] = kms_key_id
+
+        result = self.secrets_manager.put_secret_value(**calling_parameters)
+        return bool(result.get("ARN"))
+
+    def list_sub_folders(self, path: str, value: str) -> list[str]:  # type: ignore[override]
+        raise NotImplementedError("Secrets Manager doesn't support list_sub_folders.")

clear_skies_aws-2.0.1.dist-info/RECORD

@@ -1,4 +0,0 @@
-clear_skies_aws-2.0.1.dist-info/METADATA,sha256=RuKqjsvTbdZc56XVM2UD6IZnSySbVkWA5SaFkxpbps4,8972
-clear_skies_aws-2.0.1.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-clear_skies_aws-2.0.1.dist-info/licenses/LICENSE,sha256=MkEX8JF8kZxdyBpTTcB0YTd-xZpWnHvbRlw-pQh8u58,1069
-clear_skies_aws-2.0.1.dist-info/RECORD,,