sraverify 0.1.0__py3-none-any.whl

sraverify/core/logging.py

@@ -0,0 +1,37 @@
+"""
+Logging configuration for SRA Verify.
+"""
+import logging
+import sys
+
+# Create a logger
+logger = logging.getLogger("sraverify")
+
+# Create handlers
+console_handler = logging.StreamHandler(sys.stdout)
+
+# Create formatters
+default_format = "%(asctime)s - %(name)s - %(levelname)s - %(message)s"
+console_formatter = logging.Formatter(default_format)
+
+# Add formatters to handlers
+console_handler.setFormatter(console_formatter)
+
+# Add handlers to logger
+logger.addHandler(console_handler)
+
+# Set default level
+logger.setLevel(logging.INFO)
+
+def configure_logging(debug=False):
+    """
+    Configure logging level based on debug flag.
+    
+    Args:
+        debug: If True, set logging level to DEBUG, otherwise INFO
+    """
+    if debug:
+        logger.setLevel(logging.DEBUG)
+        logger.debug("Debug logging enabled")
+    else:
+        logger.setLevel(logging.INFO)

sraverify/core/session.py

@@ -0,0 +1,47 @@
+"""
+AWS session management.
+"""
+from typing import Optional
+import boto3
+
+
+def get_session(region: Optional[str] = None, profile: Optional[str] = None, 
+                role_arn: Optional[str] = None) -> boto3.Session:
+    """
+    Get AWS session with optional region, profile, and role.
+    
+    Args:
+        region: AWS region name
+        profile: AWS profile name
+        role_arn: ARN of IAM role to assume
+        
+    Returns:
+        AWS session
+        
+    Raises:
+        Exception: If session creation fails
+    """
+    try:
+        # First create a session with the provided profile or default credentials
+        session = boto3.Session(region_name=region, profile_name=profile)
+        
+        # If a role ARN is provided, assume that role
+        if role_arn:
+            sts_client = session.client('sts')
+            response = sts_client.assume_role(
+                RoleArn=role_arn,
+                RoleSessionName='sraverify-session'
+            )
+            
+            # Create a new session with the assumed role credentials
+            credentials = response['Credentials']
+            return boto3.Session(
+                aws_access_key_id=credentials['AccessKeyId'],
+                aws_secret_access_key=credentials['SecretAccessKey'],
+                aws_session_token=credentials['SessionToken'],
+                region_name=region
+            )
+        
+        return session
+    except Exception as e:
+        raise Exception(f"Failed to create AWS session: {str(e)}")

sraverify/lib/__init__.py

@@ -0,0 +1,4 @@
+"""
+SRAVerify library package
+"""
+from . import outputs

sraverify/lib/audit_info.py

@@ -0,0 +1,37 @@
+# sraverify/lib/audit_info.py
+from typing import List, Optional
+import boto3
+from .session import get_session
+from .regions import validate_regions
+from .org_mgmt_checker import OrgMgmtChecker
+
+class AuditInfo:
+    """Class to hold audit context information"""
+    def __init__(self, 
+                 regions: Optional[List[str]] = None,
+                 profile: Optional[str] = None,
+                 session: Optional[boto3.Session] = None):
+        self.session = session or get_session(profile=profile)
+        self.regions = self._initialize_regions(regions)
+        self.profile = profile
+        self.account_id = self._get_account_id()
+        self.org_checker = OrgMgmtChecker()
+        if session:
+            self.org_checker.initialize(session)
+            
+    def _initialize_regions(self, specified_regions: Optional[List[str]] = None) -> List[str]:
+        """Initialize and validate regions"""
+        return validate_regions(specified_regions, self.session)
+
+    def _get_account_id(self) -> str:
+        """Get AWS account ID"""
+        try:
+            return self.session.client('sts').get_caller_identity()['Account']
+        except Exception as e:
+            raise Exception(f"Failed to get AWS account ID: {str(e)}")
+
+    def get_regional_session(self, region: str) -> boto3.Session:
+        """Get a session for a specific region"""
+        if region not in self.regions:
+            raise ValueError(f"Region {region} is not in the list of validated regions")
+        return get_session(region=region, profile=self.profile)

sraverify/lib/banner.py

@@ -0,0 +1,42 @@
+from colorama import Fore, Style
+import datetime
+import os
+import boto3
+
+def print_banner(profile: str, region: str, session: boto3.Session = None):
+    """Print the SRAVerify banner and initial execution information."""
+    # ASCII art banner with version
+    print(f"""
+                    _____ _____         ___       ___        _  __       
+                   / ____|  __ \     /\ \  \     /  /       (_)/ _|      
+                  | (___ | |__) |   /  \ \  \   /  /__  _ __ _| |_ _   _ 
+                   \___ \|  _  /   / /\ \ \   v   / _ \| '__| |  _| | | |
+                   ____) | | \ \  / ____ \ \     /  __/| |  | | | | |_| |
+                  |_____/|_|  \_\/_/    \_\ \___/ \___||_|  |_|_|  \__, |
+                                                                   __/ |
+                                                                  |___/ {Fore.BLUE}
+                                     the security architecture verifier tool{Style.RESET_ALL}
+    """)
+
+    print(f"{Fore.YELLOW}Date: {datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')}{Style.RESET_ALL}\n")
+
+    # Print AWS credentials information
+    print("-> Using the AWS credentials below:")
+    print(f"  · AWS-CLI Profile: {profile}")
+    print(f"  · AWS Region: {region}")
+    
+    if session:
+        try:
+            sts = session.client('sts')
+            caller_identity = sts.get_caller_identity()
+            print(f"  · AWS Account: {caller_identity['Account']}")
+            print(f"  · User Id: {caller_identity['UserId']}")
+            print(f"  · Caller Identity ARN: {caller_identity['Arn']}")
+        except Exception as e:
+            print(f"  · Unable to retrieve identity information: {str(e)}")
+    
+    print("\n-> Using the following configuration:")
+    config_dir = os.path.join(os.path.dirname(__file__), "..", "config")
+    print(f"  · Config File: {os.path.join(config_dir, 'config.yaml')}")
+    print(f"  · Mutelist File: {os.path.join(config_dir, 'mutelist.yaml')}")
+    print("  · Scanning unused services and resources: False\n")

sraverify/lib/check_loader.py

@@ -0,0 +1,80 @@
+# sraverify/lib/check_loader.py
+
+import os
+import importlib.util
+from typing import List, Type, Dict
+from sraverify.checks import SecurityCheck
+
+def discover_checks(check_type: str = "all", debug: bool = False, security_ou_name: str = None) -> List[Type[SecurityCheck]]:
+    """
+    Discover and load all security check classes.
+    
+    Args:
+        check_type: Type of check to run ("all", "account" or "organization")
+        debug: Whether to print debug information
+        security_ou_name: Optional name of security OU to search for
+    
+    Returns:
+        List of security check classes
+    """
+    check_classes = []
+    checks_dir = os.path.join(os.path.dirname(__file__), '..', 'checks')
+    
+    # Keep track of loaded check IDs to avoid duplicates
+    loaded_check_ids = set()
+    
+    for root, _, files in os.walk(checks_dir):
+        for file in files:
+            if file.endswith('.py') and not file.startswith('__'):
+                file_path = os.path.join(root, file)
+                
+                try:
+                    # Import the module
+                    spec = importlib.util.spec_from_file_location(
+                        f"sraverify.checks.{file[:-3]}", 
+                        file_path
+                    )
+                    if spec and spec.loader:
+                        module = importlib.util.module_from_spec(spec)
+                        spec.loader.exec_module(module)
+                        
+                        # Find security check classes in the module
+                        for item_name in dir(module):
+                            item = getattr(module, item_name)
+                            if (isinstance(item, type) and 
+                                issubclass(item, SecurityCheck) and 
+                                item != SecurityCheck):
+                                
+                                # Create an instance to check its type
+                                check_instance = item()
+                                
+                                check_id = getattr(check_instance, 'check_id', None)
+                                instance_check_type = getattr(check_instance, 'check_type', 'account')
+                                
+                                # Skip if we've already loaded this check
+                                if check_id in loaded_check_ids:
+                                    continue
+                                
+                                # Filter based on check_type parameter
+                                if check_type != "all" and instance_check_type != check_type:
+                                    if debug:
+                                        print(f"Debug: Skipping {check_id} (type: {instance_check_type}) - not matching requested type: {check_type}")
+                                    continue
+                                
+                                loaded_check_ids.add(check_id)
+                                check_classes.append(item)
+                                
+                                if debug:
+                                    print(f"Debug: Loaded check {check_id} (type: {instance_check_type}) from {file}")
+                                
+                except Exception as e:
+                    if debug:
+                        print(f"Debug: Error loading {file}: {str(e)}")
+                    continue
+    
+    if debug:
+        print(f"\nDebug: Total checks loaded: {len(check_classes)}")
+        if check_type != "all":
+            print(f"Debug: Filtered for check_type: {check_type}")
+    
+    return check_classes

sraverify/lib/org_mgmt_checker.py

@@ -0,0 +1,86 @@
+"""Organization Management Account Checker"""
+
+from typing import Optional, Tuple
+import boto3
+from botocore.exceptions import ClientError
+import logging
+
+class OrgMgmtChecker:
+    """Singleton class to check and cache organization management account status"""
+    
+    _instance = None
+    _initialized = False
+    _is_org_management = False
+    _management_account_id = None
+    _current_account_id = None
+    _error_message = None
+    _logger = logging.getLogger(__name__)
+
+    def __new__(cls):
+        if cls._instance is None:
+            cls._instance = super(OrgMgmtChecker, cls).__new__(cls)
+        return cls._instance
+
+    def __init__(self):
+        if not self._initialized:
+            self._initialized = True
+
+    def initialize(self, session: boto3.Session) -> None:
+        """Initialize the checker with a session"""
+        try:
+            # Get current account ID
+            sts_client = session.client('sts')
+            self._current_account_id = sts_client.get_caller_identity()['Account']
+            
+            # Get organization details
+            org_client = session.client('organizations')
+            try:
+                org_details = org_client.describe_organization()['Organization']
+                self._management_account_id = org_details.get('MasterAccountId')  # For older API versions
+                if not self._management_account_id:
+                    self._management_account_id = org_details.get('ManagementAccountId')  # For newer API versions
+                
+                # Check if current account is management account
+                self._is_org_management = self._current_account_id == self._management_account_id
+                self._error_message = None
+                
+                if self._logger.isEnabledFor(logging.DEBUG):
+                    self._logger.debug(f"Current Account: {self._current_account_id}")
+                    self._logger.debug(f"Management Account: {self._management_account_id}")
+                    self._logger.debug(f"Is Management: {self._is_org_management}")
+                
+            except ClientError as e:
+                error_code = e.response['Error']['Code']
+                if error_code == 'AWSOrganizationsNotInUseException':
+                    self._error_message = "AWS Organizations is not in use for this account"
+                else:
+                    self._error_message = f"Organizations API error: {str(e)}"
+                self._is_org_management = False
+                self._management_account_id = None
+                
+        except Exception as e:
+            self._error_message = str(e)
+            self._is_org_management = False
+            self._management_account_id = None
+            if self._logger.isEnabledFor(logging.DEBUG):
+                self._logger.debug(f"Error during initialization: {str(e)}")
+
+    def verify_org_management(self) -> Tuple[bool, Optional[str]]:
+        """
+        Verify if current account is organization management account
+        Returns: (is_management_account, error_message)
+        """
+        return self._is_org_management, self._error_message
+
+    def get_management_account_id(self) -> Optional[str]:
+        """Get the management account ID if available"""
+        return self._management_account_id
+
+    def get_current_account_id(self) -> Optional[str]:
+        """Get the current account ID"""
+        return self._current_account_id
+
+    @property
+    def is_initialized(self) -> bool:
+        """Check if the checker has been initialized"""
+        return self._initialized

sraverify/lib/outputs.py

@@ -0,0 +1,46 @@
+"""
+Output handling for sraverify scan results
+"""
+import csv
+from typing import List, Dict
+
+# Required fields as per developer guide
+REQUIRED_FIELDS = [
+    'CheckId',
+    'Status',
+    'Region',
+    'Severity',
+    'Title',
+    'Description',
+    'ResourceId',
+    'ResourceType',
+    'AccountId',
+    'CheckedValue',
+    'ActualValue',
+    'Remediation',
+    'Service',
+    'CheckLogic',
+    'CheckType'  
+]
+
+def write_csv_output(findings: List[Dict], output_file: str):
+    """
+    Write scan findings to a CSV file ensuring all required fields are present
+    """
+    # Always create the CSV file, even if there are no findings
+    if not findings:
+        findings = []
+    
+    # Ensure each finding has all required fields
+    for finding in findings:
+        for field in REQUIRED_FIELDS:
+            if field not in finding:
+                finding[field] = ''  # Add empty string for missing fields
+    
+    with open(output_file, 'w', newline='') as csvfile:
+        writer = csv.DictWriter(csvfile, fieldnames=REQUIRED_FIELDS)
+        writer.writeheader()
+        for finding in findings:
+            # Only write the required fields, in the correct order
+            row = {field: finding.get(field, '') for field in REQUIRED_FIELDS}
+            writer.writerow(row)

sraverify/lib/progress.py

@@ -0,0 +1,75 @@
+import time
+from typing import Optional
+
+class ScanProgress:
+    SPINNER = ['/', '-', '\\', '|']
+    
+    def __init__(self, total_checks: int):
+        """Initialize the progress tracker.
+        
+        Args:
+            total_checks: The total number of checks to be performed
+        
+        Raises:
+            ValueError: If total_checks is less than or equal to 0
+        """
+        if total_checks <= 0:
+            raise ValueError("total_checks must be greater than 0")
+        self.total_checks = total_checks
+        self.completed_checks = 0
+        self.start_time = time.time()
+        self.current_service: Optional[str] = None
+        self.spinner_index = 0
+        self.last_print_time = 0
+        self.print_interval = 0.1  # Update display every 0.1 seconds
+    
+    @property
+    def progress(self) -> float:
+        """Calculate the progress percentage."""
+        return (self.completed_checks / self.total_checks * 100)
+    
+    @property
+    def duration(self) -> str:
+        """Calculate the elapsed time in minutes:seconds format."""
+        elapsed = int(time.time() - self.start_time)
+        minutes = elapsed // 60
+        seconds = elapsed % 60
+        return f"{minutes}:{seconds:02d}"
+    
+    def update(self, service: str):
+        """Update the current service being scanned."""
+        self.current_service = service
+        self.print_progress()
+        
+    def increment(self):
+        """Increment the completed checks counter."""
+        self.completed_checks += 1
+        self.spinner_index = (self.spinner_index + 1) % len(self.SPINNER)
+        self.print_progress()
+        
+    def print_progress(self):
+        """Print the current progress status with rate limiting."""
+        current_time = time.time()
+        # Only update display if enough time has passed since last update
+        if current_time - self.last_print_time >= self.print_interval:
+            self._do_print()
+            self.last_print_time = current_time
+
+    def _do_print(self):
+        """Actually perform the progress printing."""
+        spinner = self.SPINNER[self.spinner_index]
+        
+        # Calculate the width of the progress bar (50 characters)
+        bar_width = 50
+        filled_length = int(self.progress / 100 * bar_width)
+        bar = '=' * filled_length + ' ' * (bar_width - filled_length)
+        
+        # Format the progress bar with current status
+        print(f"\r-> Scanning {self.current_service} service |{bar}| {spinner} "
+              f"{self.completed_checks}/{self.total_checks} "
+              f"[{self.progress:.0f}%] in {self.duration}", 
+              end="", flush=True)
+    
+    def finish(self):
+        """Complete the progress display with a newline."""
+        print()  # Print newline to finish the progress display

sraverify/lib/regions.py

@@ -0,0 +1,27 @@
+# sraverify/lib/regions.py
+from typing import List, Optional
+import boto3
+
+def get_enabled_regions(session: boto3.Session) -> List[str]:
+    """Get all enabled regions in the AWS account"""
+    try:
+        ec2_client = session.client('ec2', region_name='us-east-1')
+        response = ec2_client.describe_regions(AllRegions=False)
+        return [region['RegionName'] for region in response['Regions']]
+    except Exception as e:
+        raise Exception(f"Failed to get enabled regions: {str(e)}")
+
+def validate_regions(regions: List[str], session: boto3.Session) -> List[str]:
+    """Validate if specified regions are valid and enabled"""
+    try:
+        enabled_regions = set(get_enabled_regions(session))
+        
+        if regions:
+            invalid_regions = set(regions) - enabled_regions
+            if invalid_regions:
+                raise ValueError(f"Invalid or disabled regions: {', '.join(invalid_regions)}")
+            return regions
+        
+        return list(enabled_regions)
+    except Exception as e:
+        raise Exception(f"Failed to validate regions: {str(e)}")

sraverify/lib/session.py

@@ -0,0 +1,23 @@
+# sraverify/lib/session.py
+import boto3
+from typing import Optional
+
+def get_session(region: Optional[str] = None, profile: Optional[str] = None) -> boto3.Session:
+    """Get AWS session with optional region and profile"""
+    try:
+        return boto3.Session(region_name=region, profile_name=profile)
+    except Exception as e:
+        raise Exception(f"Failed to create AWS session: {str(e)}")
+
+def get_regional_session(base_session: boto3.Session, region: str) -> boto3.Session:
+    """Create a new session for a specific region while maintaining credentials"""
+    try:
+        credentials = base_session.get_credentials()
+        return boto3.Session(
+            aws_access_key_id=credentials.access_key,
+            aws_secret_access_key=credentials.secret_key,
+            aws_session_token=credentials.token,
+            region_name=region
+        )
+    except Exception as e:
+        raise Exception(f"Failed to create regional session: {str(e)}")