o PgJS@sddlmZddlZddlZddlZddlZddlmZddl m Z ddl m Z ddl mZddlmZddlmZdd lmZdd lmZmZdd lmZmZdd lmZmZd ZedeGdddeZej !dddZ"ddZ#ddZ$ddZ%ddZ&ddZ'e eGddde(Z)Gd d!d!e)Z*Gd"d#d#e)Z+Gd$d%d%e)Z,Gd&d'd'e)Z-Gd(d)d)e-Z.Gd*d+d+e-Z/d,d-Z0d.d/Z1d0dZ2d1d2Z3dS)3)print_functionN)ABCMeta) add_metaclass)Template)Enum)CRITICAL) getLogger)Policy)parse_arguments get_regions) query_awsget_parameter_file)AccountRegionCreate IAM reportpolicyuniversec@seZdZdZdZdS) OutputFormatjsonhtmlN)__name__ __module__ __qualname__rrrr5/var/www/html/post/cloudmapper/commands/iam_report.pyrsrweb account-data iam_reportcCs|SNr)srrrtolinksrcCsg}ttjdt}|dd}|d|D]u}|d}id|dd|dd |d d |d d |dd|dd|dd|dd|dd|dd|dd|dd|dd|d d!|d"d#|d$d%|d&|d'|d(|d)|d*|d+d,}|j|q|S)-Nziam-get-credential-reportContent r,userarnuser_creation_timepassword_enabledpassword_last_usedpassword_last_changedpassword_next_rotation mfa_activeaccess_key_1_activeaccess_key_1_last_rotated access_key_1_last_used_date access_key_1_last_used_region access_key_1_last_used_service access_key_2_active access_key_2_last_rotatedaccess_key_2_last_used_dateaccess_key_2_last_used_region)access_key_2_last_used_service cert_1_activecert_1_last_rotated cert_2_activecert_2_last_rotated)r regionaccountsplitpopappend)users json_blob csv_lineslinepartsr#rrrload_credential_report#sb        rXc Csg|d|dD]a}i}||d<t|dd|dd}t|dd|}||d <d |d <tj|d d dd}|dD]'} d| vrdtj| dd dd} || j| d<| d|jkrdd|d <nq=|||d<q dS)NUserDetailListRoleDetailListauthiamz&generate-service-last-accessed-detailsArnJobIdz!get-service-last-accessed-details last_accessT is_inactiveJobCompletionDaterr7%Y-%m-%dServicesLastAccessedLastAuthenticateddays_since_last_useF)r datetimestrptimedaysmax_age) rNprincipal_statsjson_account_auth_detailsargsprincipal_authstatsjob_idjson_last_access_detailsjob_completion_dateservicelast_access_daterrrget_access_advisorQsJ rtcCs8d}d}|D]}|d7}|ddkr|d7}q||dS)Nrr%TotalAuthenticatedEntities) service_countservice_used_countr)service_last_accessedrvrwservice_last_accessrrrget_service_count_and_usedxs  rzcCsd|}d|||||S)N serviceChartz
)format) principal services_usedservices_grantedchartidrrrhtml_service_chartsrc@seZdZdZdZdZdZddZddZddZ d d Z d d Z d dZ ddZ ddZddZddZddZddZddZdS) graph_nodeNcCs d|||di}|S)Ndata)idnametype)keyrget_type)selfresponserrrcytoscape_dataszgraph_node.cytoscape_datacC|jSr_graph_node__keyrrrrrzgraph_node.keycC ||_dSrr)rrrrrset_key zgraph_node.set_keycCrr)_graph_node__name)rrrrrset_namerzgraph_node.set_namecCs|jdkr |S|jS)Nr)rrrrrrrs zgraph_node.namecCdSrrrrrr is_principalzgraph_node.is_principalcCrrrrrrrrrzgraph_node.get_typecC|j|dSr)_graph_node__childrenrRrnoderrr add_childzgraph_node.add_childcCrr)_graph_node__parentsrRrrrr add_parentrzgraph_node.add_parentcCrr)rrrrrchildrenrzgraph_node.childrencCrr)rrrrrparentsrzgraph_node.parentsc Cs|i}|D]5}|D],\}}||g}|r|}ng}|D] }|d||q#|||||<qq|S)Nz{}.{}) rget_services_alloweditemsgetrrRr|rextend)rserviceschildrrsource source_list source_pathrrrrrs     zgraph_node.get_services_allowedcCsg|_g|_dSr)rrrrrr__init__s zgraph_node.__init__)rrrrrrrrrrrrrrrrrrrrrrrrrs$ rcs0eZdZdZddZddZfddZZS) user_nodeNcCdSNTrrrrrrrzuser_node.is_principalcCr)Nr#rrrrrrrzuser_node.get_typecst||d||d||_|dD]}||d}||||q|dgD] }t||}||| <q3|dgD] }| ddd |d |}||}||||qGdS) Nr]UserNameAttachedManagedPolicies PolicyArnUserPolicyList GroupListrgroupPath) superrrr_user_node__authrrrinline_policy_noder)rr[ auth_graphpolicy policy_node group_name group_key group_node __class__rrrs"         zuser_node.__init__)rrrrrrr __classcell__rrrrrs rc,eZdZddZddZfddZZS) role_nodecCrrrrrrrrrzrole_node.is_principalcCr)Nrolerrrrrrrzrole_node.get_typect||d||d|dD]}||d}||||q|dgD] }t||}|||<q0dS)Nr]RoleNamerrRolePolicyList rrrrrrrrrrr[rrrrrrr      zrole_node.__init__rrrrrrrrrrrrrcr)rcCrNFrrrrrrrzgroup_node.is_principalcCr)Nrrrrrrrrzgroup_node.get_typecr)Nr] GroupNamerrGroupPolicyListrrrrrrrzgroup_node.__init__rrrrrrrrc@s,eZdZiZdZddZddZddZdS)rNcCrrrrrrrrrzpolicy_node.is_principalcCs.i}|j}|D] }|g||<q |Sr)_policy_node__policy_summaryaction_summarykeysr)rrrrrrrrrs z policy_node.get_services_allowedcCs||_t||_dSr)_policy_node__policy_documentr r)rdocrrrset_policy_document%szpolicy_node.set_policy_document)rrrrrrrrrrrrrs  rc$eZdZddZfddZZS)managed_policy_nodecCr)Nzmanaged policyrrrrrr+rzmanaged_policy_node.get_typecsNt||d||d|dD] }|dr$||dqdS)Nr] PolicyNamePolicyVersionListIsDefaultVersionDocument)rrrrr)rr[ policy_docrrrr.s  zmanaged_policy_node.__init__rrrrrrrrrrr*rcr)rcCr)Nz inline policyrrrrrr8rzinline_policy_node.get_typecsXt||d|d||d||||||ddS)Nz/policy/rPolicyDocument)rrrrrrr)rparentr[rrrr;s   zinline_policy_node.__init__rrrrrr7rrcCsi}|dD] }t|||d<|dD]}|dr%||d|dqq|dD] }t||||d<q+|dD] }t||||d<q;|dD] }t||||d<qK|S) NPoliciesr]rrrGroupDetailListrYrZ)rrrrr)r[ iam_graphrpolicy_versionrr#rrrr get_iam_graphDs     rcCsg}|D]}||}t|dkst|dkr#|||q|D]}||}|D]}d||ddi}||q0q&|S)Nrredge)rtargetr)lenrrrRrr)rcytoscape_jsonkrrrrrrbuild_cytoscape_graphYs   rc( CsPi}d}t|dkrtd|}z ttjtWn ty&Ynwt tj ddd}t | }Wdn1sBwYi}t d|}i}td|j|j|d<|j|d <tjd |d <d |d <|jrwd|d <t|D]} t|| } | jdkrt| jd| }t| |||q{g} g} g} |D]A\}}d|dvr|dd|d<d|d<|dr| |q| |q|dd|d<d|d<|dr| |q| |qtdt|}t|}t tj dddd}tj ||ddWdn 1s wYtd g|d!<t!| D]#}t"||d"d#}|d!|||dd|d$|d%d&qg|d'<t!| D]#}t"||d"d#}|d'|||dd|d$|d%d&qJg|d(<t!| D]}d)}||ddkrd*}|d(||||dd+qvg|d,<|D]M\}}|drqi}||d-<d|dvrd)|d.<|dd/|d-<|dd|d0<d|dvrd*|d.<|dd/|d-<|dd|d0<||dd/}|#}tj$|d"d1d2d3d }g|d4<|d"d#D]H}d5}|%d6d5d5kr(|tj$|d6d2d3d j&}d }|d5ks4|d7kr6d8}|%|d9d:g}d; |}|d4||d<||d=q |d%d>g}g|d?<|dd/d2d@}|D]}|d?t'|dA||dBql|ddC} g|dD<| D]}!|dDt'|!dE|!dFdBq|d%dGg} | (|d%dHgg|dI<| D]}!|dI|!dFtj)|!dJdddKqd|dvrtj)|ddLdd|dM<|d,|qg|d?<|dND]r}t'|d/|dOdB}"||d/}#g|"dP<|#*D]}$|"dPt'|$+|$dBqg|"dD<|dCD]}!|"dDt'|!dE|!dFdBq,g|"dI<|dQD]}!|"dI|!dFtj)|!dJdddKqH|d?|"qg|dR<|dSD][}!t'|!d/|!dFd dT}dU|!d/vrdV|dW<||!d/}%g|dX<|%*D]}$|dXt'|$+|$dBq|!dYD]}&|&dZrtj)|&d[dd|d\<q|dR|qp|j,t-j.krt d]td}'|'/|j0|d^Wdn 1swYn&|j,t-jkrt d_td}'t ||'Wdn 1swYtd`t|j,j1dS)arNr%z2This command only works with one account at a time templatesziam_report.htmlrzCreating IAM report for: {} account_name account_idrbreport_generated_timergraphz;
z us-east-1z%iam-get-account-authorization-detailsrr[ short_namerrr`rr#z* Generating IAM graphrrz data.jsonwr+)indentz#* Generating the rest of the reportrSr_rcrwrv)r$rr~rrolesinactive_principalsz%z)r$iconr principalsr$rr]rrarr7r-rdZbadServiceNamespaceunknown; ServiceName)stylerlast_userrgroupsrzgroup/)link_idrrmanaged_policiesrrrrinline_policiesr)rdocumentAssumeRolePolicyDocument assume_rolerrmembersrpoliciesr)rrmanagedzarn:aws:iam::aws:policyz3AWS managed policy
r attachmentsrrrr z{}.html)tz{}.jsonzReport written to {}.{})2r ExceptionrQosmkdirpathdirnameREPORT_OUTPUT_FILEOSErroropenjoinrreadrprintr|rlocal_idrfnowstrftime show_graphr rr rOrtrrRrrrdumpsortedrzrrgrrhrrdumpsrrrequested_outputrrwriterendervalue)(accountsconfigrlrjrkrOreport_templatetemplater region_jsonrNrSrrr}rnrroutfileservice_countsrpprincipal_nodeprivilege_sources report_daterrrrrr arn_prefixrr rgrrrversionfrrrrks                                  cCsnt}|jdddtd|jddddd |jd d tjtd d |jddt||\}}}t|||dS)Nz --max-agezSNumber of days a user or role hasn't been used before it's marked dead. Default: 90r)helpdefaultrz--graphzDisplay a graph. Default: Falser store_true)r6destactionz--outputz@Set the output type for the report. [json | html]. Default: htmlr#)r6r7rr9F)r) argparseArgumentParser add_argumentintrr set_defaultsr r) argumentsparserrlr'r(rrrruns. rB)4 __future__rr;rrfos.pathrabcrsixrjinja2renumrloggingrrpolicyuniverse.policyr shared.commonr r shared.queryr r shared.nodesrr__description__setLevelrrrrrrXrtrzrobjectrrrrrrrrrrrBrrrrsL        .' A