clear-skies-aws 2.0.1__py3-none-any.whl → 2.0.3__py3-none-any.whl

clearskies_aws/contexts/lambda_sqs_standard.py

@@ -0,0 +1,139 @@
+from __future__ import annotations
+
+import traceback
+from typing import Any
+
+from clearskies.authentication import Public
+from clearskies.contexts.context import Context
+
+from clearskies_aws.input_outputs import LambdaSqsStandard as LambdaSqsStandardInputOutput
+
+
+class LambdaSqsStandard(Context):
+    """
+    Process messages from an SQS Standard Queue with Lambda.
+
+    Use this context when your application lives in a Lambda and is attached to an SQS standard
+    queue.  Lambda always uses batch processing in this case, and will invoke your clearskies application
+    with a batch of messags.  This clearskies context will then in turn invoke your application once
+    for every batched message.  As a result, `request_data` will contain the contents of an individual message
+    from the queue, rather than the original group of batched events from Lambda.  If any exception is thrown,
+    every other message in the queue will still be sent to your application, and clearskies will inform
+    AWS that the message and question failed to process.
+
+    ### Usage
+
+    Here's a very simple example:
+
+    ```
+    import clearskies
+
+
+    def some_function(request_data):
+        return print(request_data)
+
+
+    lambda_sqs = clearskies_aws.contexts.LambdaSqsStandard(
+        clearskies.endpoints.Callable(
+            some_function,
+        ),
+    )
+
+
+    def lambda_handler(event, context):
+        return lambda_sqs(event, context)
+    ```
+
+    `lambda_handler` would then be attached to your lambda function, which is attached to some standard SQS.
+
+    Like the other lambda contexts which don't exist in an HTTP world, you can also attach a clearskies application
+    with routing and hard-code the path to invoke inside the lambda handler itself.  This is handy if you have
+    a few related lambdas with similar configuration (since you only have to build a single application) or if
+    you have an application that already exists and you want to invoke some specific endpoint with an SQS:
+
+    ```
+    import clearskies
+
+
+    def some_function(request_data):
+        return request_data
+
+
+    def some_other_function(request_data):
+        return request_data
+
+
+    def something_else(request_data):
+        return request_data
+
+
+    lambda_invoke = clearskies_aws.contexts.LambdaSqsStandard(
+        clearskies.endpoints.EndpointGroup(
+            [
+                clearskies.endpoints.Callable(
+                    some_function,
+                    url="some_function",
+                ),
+                clearskies.endpoints.Callable(
+                    some_other_function,
+                    url="some_other_function",
+                ),
+                clearskies.endpoints.Callable(
+                    something_else,
+                    url="something_else",
+                ),
+            ]
+        )
+    )
+
+
+    def some_function_handler(event, context):
+        return lambda_invoke(event, context, url="some_function")
+
+
+    def some_other_function_handler(event, context):
+        return lambda_invoke(event, context, url="some_other_function")
+
+
+    def something_else_handler(event, context):
+        return lambda_invoke(event, context, url="something_else")
+    ```
+
+    ### Context Specifics
+
+    When using this context, the following named parameters become available to inject into any callable
+    invoked by clearskies:
+
+    ```
+    |             Name            |       Type       | Description                                            |
+    |:---------------------------:|:----------------:|--------------------------------------------------------|
+    |           `event`           | `dict[str, Any]` | The lambda `event` object                              |
+    |          `context`          | `dict[str, Any]` | The lambda `context` object                            |
+    |         `message_id`        |       `str`      | The AWS message id                                     |
+    |       `receipt_handle`      |       `str`      | The receipt handle                                     |
+    |         `source_arn`        |       `str`      | The ARN of the SQS the lambda is receiving events from |
+    |       `sent_timestamp`      |       `str`      | The timestamp when the message was sent                |
+    | `approximate_receive_count` |       `str`      | The approximate receive count                          |
+    |     `message_attributes`    | `dict[str, Any]` | The message attributes                                 |
+    |           `record`          | `dict[str, Any]` | The full record of the message being processed         |
+    ```
+
+    """
+
+    def __call__(
+        self, event: dict[str, Any], context: dict[str, Any], url: str = "", request_method: str = ""
+    ) -> dict[str, Any]:  # type: ignore[override]
+        item_failures = []
+        for record in event["Records"]:
+            try:
+                self.execute_application(
+                    LambdaSqsStandardInputOutput(record, event, context, url=url, request_method=request_method)
+                )
+            except Exception as e:
+                item_failures.append({"itemIdentifier": record["messageId"]})
+
+        if item_failures:
+            return {
+                "batchItemFailures": item_failures,
+            }
+        return {}

clearskies_aws/di/__init__.py

@@ -0,0 +1,6 @@
+from __future__ import annotations
+
+from clearskies_aws.di import inject
+from clearskies_aws.di.aws_additional_config_auto_import import AwsAdditionalConfigAutoImport
+
+__all__ = ["inject", "AwsAdditionalConfigAutoImport"]

clearskies_aws/di/aws_additional_config_auto_import.py

@@ -0,0 +1,37 @@
+import datetime
+from types import ModuleType
+from typing import Any
+
+import boto3 as boto3_module
+from clearskies import Environment
+from clearskies.di import AdditionalConfigAutoImport
+from clearskies.di.additional_config import AdditionalConfig
+
+from clearskies_aws.secrets import ParameterStore
+
+
+class AwsAdditionalConfigAutoImport(AdditionalConfigAutoImport):
+    """
+    Provide a DI with AWS modules built-in.
+
+    This DI auto injects boto3, boto3 Session and the parameter store.
+    """
+
+    def provide_boto3(self) -> ModuleType:
+        import boto3
+
+        return boto3
+
+    def provide_parameter_store(self) -> ParameterStore:
+        # This is just here so that we can auto-inject the secrets into the environment without having
+        # to force the developer to define a secrets manager
+        return ParameterStore()
+
+    def provide_boto3_session(self, boto3: ModuleType, environment: Environment) -> boto3_module.session.Session:
+        if not environment.get("AWS_REGION", True):
+            raise ValueError(
+                "To use AWS Session you must use set AWS_REGION in the .env file or an environment variable"
+            )
+
+        session = boto3.session.Session(region_name=environment.get("AWS_REGION", True))
+        return session

clearskies_aws/di/inject/__init__.py

@@ -0,0 +1,6 @@
+from __future__ import annotations
+
+from clearskies_aws.di.inject.boto3 import Boto3
+from clearskies_aws.di.inject.boto3_session import Boto3Session
+
+__all__ = ["Boto3", "Boto3Session"]

clearskies_aws/di/inject/boto3.py

@@ -0,0 +1,15 @@
+from __future__ import annotations
+
+from types import ModuleType
+
+from clearskies.di.injectable import Injectable
+
+
+class Boto3(Injectable):
+    def __init__(self, cache: bool = True):
+        self.cache = cache
+
+    def __get__(self, instance, parent) -> ModuleType:
+        if instance is None:
+            return self  # type: ignore
+        return self._di.build_from_name("boto3", cache=self.cache)

clearskies_aws/di/inject/boto3_session.py

@@ -0,0 +1,13 @@
+from types import ModuleType
+
+from clearskies.di.injectable import Injectable
+
+
+class Boto3Session(Injectable):
+    def __init__(self, cache: bool = True):
+        self.cache = cache
+
+    def __get__(self, instance, parent) -> ModuleType:
+        if instance is None:
+            return self  # type: ignore
+        return self._di.build_from_name("boto3_session", cache=self.cache)

clearskies_aws/di/inject/parameter_store.py

@@ -0,0 +1,15 @@
+from clearskies.di.injectable import Injectable
+
+from clearskies_aws.secrets.parameter_store import (
+    ParameterStore as ParameterStoreDependency,
+)
+
+
+class ParameterStore(Injectable):
+    def __init__(self, cache: bool = True):
+        self.cache = cache
+
+    def __get__(self, instance, parent) -> ParameterStoreDependency:
+        if instance is None:
+            return self  # type: ignore
+        return self._di.build_from_name("parameter_store", cache=self.cache)

clearskies_aws/endpoints/__init__.py

@@ -0,0 +1 @@
+from .secrets_manager_rotation import SecretsManagerRotation

clearskies_aws/endpoints/secrets_manager_rotation.py

@@ -0,0 +1,194 @@
+from __future__ import annotations
+
+import json
+from collections.abc import Callable
+from typing import Any
+
+import botocore
+import clearskies
+from clearskies import Endpoint
+from clearskies.configs import Callable as CallableConfig
+from clearskies.configs import Schema as SchemaConfig
+from clearskies.configs import StringList
+from clearskies.decorators import parameters_to_properties
+from clearskies.di.inject import Di
+from clearskies.exceptions import ClientError
+from clearskies.input_outputs import InputOutput
+
+from clearskies_aws.di import inject
+
+
+class SecretsManagerRotation(Endpoint):
+    di = Di()
+    boto3 = inject.Boto3()
+
+    current = "AWSCURRENT"
+    pending = "AWSPENDING"
+
+    steps = StringList(default=["createSecret", "setSecret", "testSecret", "finishSecret"])
+    create_secret = CallableConfig(default=None)
+    set_secret = CallableConfig(default=None)
+    test_secret = CallableConfig(default=None)
+    finish_secret = CallableConfig(default=None)
+    schema = SchemaConfig(default=None)
+
+    @parameters_to_properties
+    def __init__(
+        self,
+        steps: list[str] | None,
+        create_secret: Callable | None,
+        set_secret: Callable | None,
+        test_secret: Callable | None,
+        finish_secret: Callable | None,
+        schema: list[dict] | None,
+    ):
+        super().__init__()
+
+    def configure(self):
+        self.finalize_and_validate_configuration()
+        class_name = self.__class__.__name__
+        if not self.create_secret:
+            raise KeyError(f"Missing required configuration 'createSecret' for handler {class_name}")
+
+        for config_name in self.steps:
+            config = getattr(self, config_name)
+            if config is None:
+                continue
+
+    def handle(self, input_output: InputOutput):
+        request_data = json.loads(input_output.get_body())
+
+        self.find_input_errors(request_data, input_output, self.schema)
+
+        arn = request_data.get("SecretId")
+        request_token = request_data.get("ClientRequestToken")
+        step = request_data.get("Step")
+        secretsmanager = self.boto3.client("secretsmanager")
+        metadata = secretsmanager.describe_secret(SecretId=arn)
+
+        self._validate_secret_and_request(step, arn, metadata, request_token)
+
+        current_secret_data = {}
+        pending_secret_data = {}
+
+        current_secret = secretsmanager.get_secret_value(SecretId=arn, VersionStage=self.current)
+        current_secret_data = json.loads(current_secret["SecretString"])
+
+        # validate the current secret
+        secret_errors = {
+            **self._extra_column_errors(current_secret_data),
+            **self._find_input_errors(current_secret_data),
+        }
+        if secret_errors:
+            raise ValueError(f"The current secret did not match the configured schema: {secret_errors}")
+
+        # check for a pending secret.  Note that this is not always available.  In the event that we are retrying a failed
+        # rotation it will already be set, in which case we need to skip the createSecret step.
+        try:
+            pending_secret = secretsmanager.get_secret_value(
+                SecretId=arn, VersionId=request_token, VersionStage=self.pending
+            )
+            pending_secret_data = json.loads(pending_secret["SecretString"])
+        except botocore.exceptions.ClientError as error:
+            if error.response["Error"]["Code"] == "ResourceNotFoundException":
+                pending_secret_data = None
+            else:
+                raise error
+
+        # we can't call the createSecret step if we already have a pending secret or this will generate an error from AWS.
+        if step == "createSecret" and pending_secret_data is not None:
+            return
+
+        # call the appropriate step and pass along *everything*.
+        getattr(self, step)(
+            current_secret_data=current_secret_data,
+            pending_secret_data=pending_secret_data,
+            secretsmanager=secretsmanager,
+            metadata=metadata,
+            request_token=request_token,
+            arn=arn,
+        )
+
+    def _validate_secret_and_request(self, step: str, arn: str, metadata: dict[str, Any], request_token: str):
+        """Perform basic checks suggested by AWS of both the request and the secret to ensure validity."""
+        if step not in self.steps:
+            raise ClientError(f"Invalid step: {step}")
+
+        if not metadata.get("RotationEnabled"):
+            raise ValueError("Secret %s is not enabled for rotation" % arn)
+
+        versions = metadata["VersionIdsToStages"]
+        prefix = f"Rotation config error for version '{request_token}' of secret '{arn}': "
+        if request_token not in versions:
+            raise ValueError(f"{prefix} we don't have a stage for rotation")
+        if self.current in versions[request_token]:
+            raise ValueError(
+                f"{prefix} it's already the current version, which shouldn't happen.  I'm quitting with prejudice."
+            )
+        elif self.pending not in versions[request_token]:
+            raise ValueError(f"{prefix} it hasn't been set to pending yet, which makes no sense!")
+
+    def createSecret(self, **kwargs):
+        new_secret_data = self.di.call_function(self.create_secret, **kwargs)
+        if new_secret_data is None:
+            raise ValueError(
+                f"I called the configured createSecret function but it didn't return anything.  It has to return the new secret data."
+            )
+        if not isinstance(new_secret_data, dict):
+            raise ValueError(
+                f"I called the configured createSecret function but it didn't return a dictionary.  The createSecret function must return a dictionary."
+            )
+
+        secret_errors = {
+            **self._extra_column_errors(new_secret_data),
+            **self.find_input_errors(new_secret_data),
+        }
+        if secret_errors:
+            raise ValueError(
+                f"The secret data returned by the call to createSecret did not match the configured schema: {secret_errors}"
+            )
+
+        # if we get this far we can store the new data
+        secretsmanager = kwargs["secretsmanager"]
+        request_token = kwargs["request_token"]
+        arn = kwargs["arn"]
+        secretsmanager.put_secret_value(
+            SecretId=arn,
+            SecretString=json.dumps(new_secret_data),
+            ClientRequestToken=request_token,
+            VersionStages=[self.pending],
+        )
+
+    def setSecret(self, **kwargs):
+        if not self._configuration.get("setSecret"):
+            return
+        self._di.call_function(self._configuration["setSecret"], **kwargs)
+
+    def testSecret(self, **kwargs):
+        if not self._configuration.get("testSecret"):
+            return
+        self._di.call_function(self._configuration["testSecret"], **kwargs)
+
+    def finishSecret(self, **kwargs):
+        if self._configuration.get("finishSecret"):
+            self._di.call_function(self._configuration["finishSecret"], **kwargs)
+
+        secretsmanager = kwargs["secretsmanager"]
+        request_token = kwargs["request_token"]
+        arn = kwargs["arn"]
+        metadata = kwargs["metadata"]
+        current_version = None
+        for version in metadata["VersionIdsToStages"]:
+            if self.current not in metadata["VersionIdsToStages"][version]:
+                continue
+
+            if version == request_token:
+                return
+
+            current_version = version
+            break
+
+        # finish the rotation by taking the new version and making it current.
+        secretsmanager.update_secret_version_stage(
+            SecretId=arn, VersionStage=self.current, MoveToVersionId=request_token, RemoveFromVersionId=current_version
+        )

clearskies_aws/endpoints/simple_body_routing.py

@@ -0,0 +1,41 @@
+from __future__ import annotations
+
+import json
+from typing import Any
+
+from clearskies import Endpoint
+from clearskies.configs import AnyDict, String
+from clearskies.di.inject import Di
+from clearskies.input_outputs import InputOutput
+
+
+class SimpleBodyRouting(Endpoint):
+    di = Di()
+
+    route_key = String(default="route")
+    routes = AnyDict(default={})
+
+    def __init__(self, routes: dict[str, Any], route_key: str = "route"):
+        self.routes = routes
+        self.route_key = route_key
+
+    def handle(self, input_output: InputOutput) -> Any:
+        body = json.loads(input_output.get_body()) if input_output.has_body() else {}
+
+        if not body or not body.get(self.route_key):
+            return self.error(input_output, "Not Found", 404)
+
+        route = body[self.route_key]
+        if route not in self.routes:
+            return self.error(input_output, "Not Found", 404)
+        return input_output.respond(
+            self.di.call_function(
+                self.routes[route],
+                request_data=body,
+                **input_output.context_specifics(),
+            ),
+            200,
+        )
+
+    def documentation(self):
+        return []

clearskies_aws/input_outputs/__init__.py

@@ -0,0 +1,21 @@
+from __future__ import annotations
+
+from clearskies_aws.input_outputs.cli_web_socket_mock import CliWebSocketMock
+from clearskies_aws.input_outputs.lambda_alb import LambdaAlb
+from clearskies_aws.input_outputs.lambda_api_gateway import LambdaApiGateway
+from clearskies_aws.input_outputs.lambda_api_gateway_web_socket import (
+    LambdaApiGatewayWebSocket,
+)
+from clearskies_aws.input_outputs.lambda_invoke import LambdaInvoke
+from clearskies_aws.input_outputs.lambda_sns import LambdaSns
+from clearskies_aws.input_outputs.lambda_sqs_standard import LambdaSqsStandard
+
+__all__ = [
+    "CliWebSocketMock",
+    "LambdaApiGateway",
+    "LambdaApiGatewayWebSocket",
+    "LambdaAlb",
+    "LambdaInvoke",
+    "LambdaSns",
+    "LambdaSqsStandard",
+]

clearskies_aws/input_outputs/cli_web_socket_mock.py

@@ -0,0 +1,20 @@
+from __future__ import annotations
+
+import json
+
+import clearskies
+
+
+class CliWebSocketMock(clearskies.input_outputs.Cli):
+    def context_specifics(self):
+        connection_id = json.loads(self.get_body()).get("connection_id")
+        if not connection_id:
+            raise KeyError("When using the CliWebsocketMock you must provide connection_id in the request body")
+
+        return {
+            "event": {},
+            "context": {},
+            "connection_id": connection_id,
+            "domain": "",
+            "stage": "",
+        }

clearskies_aws/input_outputs/lambda_alb.py

@@ -0,0 +1,53 @@
+from __future__ import annotations
+
+from typing import Any
+
+from clearskies.configs import String
+from clearskies.input_outputs import Headers
+
+from clearskies_aws.input_outputs import lambda_input_output
+
+
+class LambdaAlb(lambda_input_output.LambdaInputOutput):
+    """Application Load Balancer specific Lambda input/output handler."""
+
+    def __init__(self, event: dict[str, Any], context: dict[str, Any]):
+        # Call parent constructor
+        super().__init__(event, context)
+
+        # ALB specific initialization
+        self.request_method = event.get("httpMethod", "GET").upper()
+        self.path = event.get("path", "/")
+
+        # Extract query parameters (ALB only has single value query parameters)
+        self.query_parameters = event.get("queryStringParameters") or {}
+
+        # Extract headers (ALB only has single value headers)
+        headers_dict = {}
+        for key, value in event.get("headers", {}).items():
+            headers_dict[key.lower()] = str(value)
+
+        self.request_headers = Headers(headers_dict)
+
+    def get_client_ip(self) -> str:
+        """Get the client IP address from ALB headers."""
+        # ALB always provides client IP via X-Forwarded-For header
+        forwarded_for = self.request_headers.get("x-forwarded-for")
+        if not forwarded_for:
+            raise KeyError(
+                "The x-forwarded-for header wasn't present in the request, and it should always exist for anything behind an ALB.  You are probably using the wrong context."
+            )
+
+        # X-Forwarded-For can contain multiple IPs, take the first one
+        return forwarded_for.split(",")[0].strip()
+
+    def context_specifics(self) -> dict[str, Any]:
+        """Provide ALB specific context data."""
+        request_context = self.event.get("requestContext", {})
+        elb = request_context.get("elb", {})
+
+        return {
+            **super().context_specifics(),
+            "path": self.path,
+            "target_group_arn": elb.get("targetGroupArn"),
+        }