from __future__ import absolute_import
from six.moves.configparser import SafeConfigParser
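class BlessConfig(object):
    """In-memory view of the blessclient configuration file.

    ``parse_config_file`` turns an INI-style file into a nested dict with the
    top-level sections ``CLIENT_CONFIG``, ``BLESS_CONFIG``, ``AWS_CONFIG`` and
    ``REGION_ALIAS``, plus ``VAULT_CONFIG`` when the CA backend is
    ``hashicorp-vault`` and one ``KMSAUTH_CONFIG_<ALIAS>`` entry per region
    alias. ``set_config`` installs such a dict; the remaining methods read or
    update it. Every value originates from the config file, so it is exactly
    as trustworthy as that file and the parsed types are the only validation
    performed here.
    """

    # Handed to the parser as its DEFAULT section, so each key applies to any
    # section that does not set it explicitly. Values are strings because the
    # parser converts them on read (getint / getboolean).
    DEFAULT_CONFIG = {
        'user_session_length': '64800',
        'usebless_role_session_length': '3600',
        'update_sshagent': 'true',
        'remote_user': '',
        'ca_backend': 'bless',
    }

    def __init__(self):
        # Populated by set_config(); the accessors raise ValueError until then.
        self.blessconfig = None

    def _require_config(self):
        """Return the installed config dict.

        :raises ValueError: if set_config() has not been called. Indexing
            ``None`` would otherwise surface as a TypeError that gives no hint
            about the missing setup step.
        """
        if self.blessconfig is None:
            raise ValueError('blessconfig has not been set; call set_config() first')
        return self.blessconfig

    def _set_in_section(self, section, key, value):
        """Overwrite ``key`` in a top-level section if the key already exists.

        :returns: True when the value was stored, False when ``key`` is not a
            known entry of that section (unknown keys are never added).
        """
        entries = self._require_config()[section]
        if key not in entries:
            return False
        entries[key] = value
        return True

    @staticmethod
    def _split_list(value):
        """Split a comma-separated config value into stripped, non-empty items.

        An empty value or a trailing comma yields no entry rather than ``''``,
        which would otherwise be treated as a real URL or region alias.
        """
        return [item.strip() for item in value.split(",") if item.strip()]

    def _get_region_kms_config(self, region, config):
        """Build the kmsauth settings for one region alias.

        :param region: upper-cased region alias; read from section
            ``REGION_<alias>``.
        :param config: the parsed ConfigParser.
        :returns: dict with ``kmskey``, ``context`` (KMS service name from
            ``MAIN`` plus a fixed ``user_type`` of ``user``) and ``awsregion``.
        :raises: the parser's NoSectionError/NoOptionError when the region
            section or one of its keys is missing.
        """
        section = 'REGION_{}'.format(region)
        return {
            'kmskey': config.get(section, 'kmsauthkey'),
            'context': {
                'to': config.get('MAIN', 'kms_service_name'),
                'user_type': 'user',
            },
            'awsregion': config.get(section, 'awsregion'),
        }

    def parse_config_file(self, config_file):
        """Parse an open config file object into the nested dict layout.

        :param config_file: file-like object opened for reading.
        :returns: the config dict. It is *not* installed on this instance;
            pass it to set_config() for that.
        :raises ValueError: for integer/boolean values that do not parse.
        :raises: the parser's NoSectionError/NoOptionError for required keys
            that are absent and have no entry in DEFAULT_CONFIG.
        """
        config = SafeConfigParser(self.DEFAULT_CONFIG)
        # readfp() was deprecated in Python 3.2 and removed in 3.12; read_file()
        # is its replacement but does not exist on the Python 2 parser that
        # six.moves resolves to, so use whichever the running parser offers.
        read_file = getattr(config, 'read_file', None) or config.readfp
        read_file(config_file)

        blessconfig = {
            'CLIENT_CONFIG': {
                'domain_regex': config.get('CLIENT', 'domain_regex'),
                'cache_dir': config.get('CLIENT', 'cache_dir'),
                'cache_file': config.get('CLIENT', 'cache_file'),
                'mfa_cache_dir': config.get('CLIENT', 'mfa_cache_dir'),
                'mfa_cache_file': config.get('CLIENT', 'mfa_cache_file'),
                # Comma-separated list of URLs; presumably the endpoints the
                # client asks for its public IP, so they are trusted as much
                # as the config file that names them.
                'ip_urls': self._split_list(config.get('CLIENT', 'ip_urls')),
                'update_script': config.get('CLIENT', 'update_script'),
                # getint() is int(get()) — same conversion as before, kept
                # consistent with the LAMBDA section below.
                'user_session_length': config.getint('CLIENT', 'user_session_length'),
                'usebless_role_session_length': config.getint('CLIENT', 'usebless_role_session_length'),
                'update_sshagent': config.getboolean('CLIENT', 'update_sshagent'),
            },
            'BLESS_CONFIG': {
                'ca_backend': config.get('MAIN', 'ca_backend'),
                'userrole': config.get('LAMBDA', 'user_role'),
                'accountid': config.get('LAMBDA', 'account_id'),
                'functionname': config.get('LAMBDA', 'functionname'),
                'functionversion': config.get('LAMBDA', 'functionversion'),
                'certlifetime': config.getint('LAMBDA', 'certlifetime'),
                'ipcachelifetime': config.getint('LAMBDA', 'ipcachelifetime'),
                'timeoutconfig': {
                    'connect': config.getint('LAMBDA', 'timeout_connect'),
                    'read': config.getint('LAMBDA', 'timeout_read'),
                },
            },
            'AWS_CONFIG': {
                'bastion_ips': config.get('MAIN', 'bastion_ips'),
                'remote_user': config.get('MAIN', 'remote_user'),
            },
            'REGION_ALIAS': {},
        }

        # The VAULT section is only required when that backend is selected;
        # the comparison is case-insensitive on the configured value.
        if blessconfig['BLESS_CONFIG']['ca_backend'].lower() == 'hashicorp-vault':
            blessconfig['VAULT_CONFIG'] = {
                'vault_addr': config.get('VAULT', 'vault_addr'),
                'auth_mount': config.get('VAULT', 'auth_mount'),
                'ssh_backend_mount': config.get('VAULT', 'ssh_backend_mount'),
                'ssh_backend_role': config.get('VAULT', 'ssh_backend_role'),
            }

        # One KMSAUTH_CONFIG_<ALIAS> entry per alias, and REGION_ALIAS maps the
        # upper-cased alias to the AWS region named in its REGION_<ALIAS> section.
        for region in self._split_list(config.get('MAIN', 'region_aliases')):
            region = region.upper()
            kms_region_key = 'KMSAUTH_CONFIG_{}'.format(region)
            blessconfig[kms_region_key] = self._get_region_kms_config(region, config)
            blessconfig['REGION_ALIAS'][region] = blessconfig[kms_region_key]['awsregion']
        return blessconfig

    def get(self, section):
        """Return one top-level section of the installed config.

        :raises ValueError: if ``section`` is unknown or no config is set.
        """
        blessconfig = self._require_config()
        if section not in blessconfig:
            raise ValueError('{} was not a valid section in blessconfig'.format(section))
        return blessconfig[section]

    def set_config(self, config):
        """Install a config dict (normally the result of parse_config_file)."""
        self.blessconfig = config

    def get_config(self):
        """Return the installed config dict, or None if none has been set."""
        return self.blessconfig

    def get_region_alias_from_aws_region(self, aws_region):
        """Return the alias whose REGION_ALIAS entry is ``aws_region``.

        :raises ValueError: if no alias maps to that region, or no config is set.
        """
        aliases = self._require_config()['REGION_ALIAS']
        for alias, region in aliases.items():
            if region == aws_region:
                return alias
        raise ValueError('Unexpected region: {}'.format(aws_region))

    def get_client_config(self):
        """Return the CLIENT_CONFIG section (live dict, not a copy)."""
        return self._require_config()['CLIENT_CONFIG']

    def set_client_config(self, key, value):
        """Overwrite an existing CLIENT_CONFIG key; returns False if unknown."""
        return self._set_in_section('CLIENT_CONFIG', key, value)

    def get_lambda_config(self):
        """Return the BLESS_CONFIG section (live dict, not a copy)."""
        return self._require_config()['BLESS_CONFIG']

    def set_lambda_config(self, key, value):
        """Overwrite an existing BLESS_CONFIG key; returns False if unknown."""
        return self._set_in_section('BLESS_CONFIG', key, value)

    def get_aws_config(self):
        """Return the AWS_CONFIG section (live dict, not a copy)."""
        return self._require_config()['AWS_CONFIG']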