catalin/moto
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Add ParameterFilters to SSM describe_parameters

Browse source
This commit is contained in:
gruebel 2019-09-21 16:55:43 +02:00
commit 2cfd3398f6
4 changed files with 794 additions and 72 deletions
Download patch file Download diff file Expand all files Collapse all files

233
moto/ssm/models.py
View file

@ -1,5 +1,6 @@
from __future__ import unicode_literals
import re
from collections import defaultdict
from moto.core import BaseBackend, BaseModel
@ -12,6 +13,8 @@ import time
import uuid
import itertools
from .exceptions import ValidationException, InvalidFilterValue, InvalidFilterOption, InvalidFilterKey
class Parameter(BaseModel):
def __init__(self, name, value, type, description, allowed_pattern, keyid,
@ -25,12 +28,15 @@ class Parameter(BaseModel):
self.version = version
if self.type == 'SecureString':
if not self.keyid:
self.keyid = 'alias/aws/ssm'
self.value = self.encrypt(value)
else:
self.value = value
def encrypt(self, value):
return 'kms:{}:'.format(self.keyid or 'default') + value
return 'kms:{}:'.format(self.keyid) + value
def decrypt(self, value):
if self.type != 'SecureString':
@ -217,6 +223,7 @@ class SimpleSystemManagerBackend(BaseBackend):
self._parameters = {}
self._resource_tags = defaultdict(lambda: defaultdict(dict))
self._commands = []
self._errors = []
# figure out what region we're in
for region, backend in ssm_backends.items():
@ -239,6 +246,179 @@ class SimpleSystemManagerBackend(BaseBackend):
pass
return result
def describe_parameters(self, filters, parameter_filters):
if filters and parameter_filters:
raise ValidationException('You can use either Filters or ParameterFilters in a single request.')
self._validate_parameter_filters(parameter_filters, by_path=False)
result = []
for param in self._parameters:
ssm_parameter = self._parameters[param]
if not self._match_filters(ssm_parameter, parameter_filters):
continue
if filters:
for filter in filters:
if filter['Key'] == 'Name':
k = ssm_parameter.name
for v in filter['Values']:
if k.startswith(v):
result.append(ssm_parameter)
break
elif filter['Key'] == 'Type':
k = ssm_parameter.type
for v in filter['Values']:
if k == v:
result.append(ssm_parameter)
break
elif filter['Key'] == 'KeyId':
k = ssm_parameter.keyid
if k:
for v in filter['Values']:
if k == v:
result.append(ssm_parameter)
break
continue
result.append(ssm_parameter)
return result
def _validate_parameter_filters(self, parameter_filters, by_path):
for index, filter_obj in enumerate(parameter_filters or []):
key = filter_obj['Key']
values = filter_obj.get('Values', [])
if key == 'Path':
option = filter_obj.get('Option', 'OneLevel')
else:
option = filter_obj.get('Option', 'Equals')
if not re.match(r'^tag:.+|Name|Type|KeyId|Path|Label|Tier$', key):
self._errors.append(self._format_error(
key='parameterFilters.{index}.member.key'.format(index=(index + 1)),
value=key,
constraint='Member must satisfy regular expression pattern: tag:.+|Name|Type|KeyId|Path|Label|Tier',
))
if len(key) > 132:
self._errors.append(self._format_error(
key='parameterFilters.{index}.member.key'.format(index=(index + 1)),
value=key,
constraint='Member must have length less than or equal to 132',
))
if len(option) > 10:
self._errors.append(self._format_error(
key='parameterFilters.{index}.member.option'.format(index=(index + 1)),
value='over 10 chars',
constraint='Member must have length less than or equal to 10',
))
if len(values) > 50:
self._errors.append(self._format_error(
key='parameterFilters.{index}.member.values'.format(index=(index + 1)),
value=values,
constraint='Member must have length less than or equal to 50',
))
if any(len(value) > 1024 for value in values):
self._errors.append(self._format_error(
key='parameterFilters.{index}.member.values'.format(index=(index + 1)),
value=values,
constraint='[Member must have length less than or equal to 1024, Member must have length greater than or equal to 1]',
))
self._raise_errors()
filter_keys = []
for filter_obj in (parameter_filters or []):
key = filter_obj['Key']
values = filter_obj.get('Values')
if key == 'Path':
option = filter_obj.get('Option', 'OneLevel')
else:
option = filter_obj.get('Option', 'Equals')
if not by_path and key == 'Label':
raise InvalidFilterKey('The following filter key is not valid: Label. Valid filter keys include: [Path, Name, Type, KeyId, Tier].')
if not values:
raise InvalidFilterValue('The following filter values are missing : null for filter key Name.')
if key in filter_keys:
raise InvalidFilterKey(
'The following filter is duplicated in the request: Name. A request can contain only one occurrence of a specific filter.'
)
if key == 'Path':
if option not in ['Recursive', 'OneLevel']:
raise InvalidFilterOption(
'The following filter option is not valid: {option}. Valid options include: [Recursive, OneLevel].'.format(option=option)
)
if any(value.lower().startswith(('/aws', '/ssm')) for value in values):
raise ValidationException(
'Filters for common parameters can\'t be prefixed with "aws" or "ssm" (case-insensitive). '
'When using global parameters, please specify within a global namespace.'
)
for value in values:
if value.lower().startswith(('/aws', '/ssm')):
raise ValidationException(
'Filters for common parameters can\'t be prefixed with "aws" or "ssm" (case-insensitive). '
'When using global parameters, please specify within a global namespace.'
)
if ('//' in value or
not value.startswith('/') or
not re.match('^[a-zA-Z0-9_.-/]*$', value)):
raise ValidationException(
'The parameter doesn\'t meet the parameter name requirements. The parameter name must begin with a forward slash "/". '
'It can\'t be prefixed with \"aws\" or \"ssm\" (case-insensitive). '
'It must use only letters, numbers, or the following symbols: . (period), - (hyphen), _ (underscore). '
'Special characters are not allowed. All sub-paths, if specified, must use the forward slash symbol "/". '
'Valid example: /get/parameters2-/by1./path0_.'
)
if key == 'Tier':
for value in values:
if value not in ['Standard', 'Advanced', 'Intelligent-Tiering']:
raise InvalidFilterOption(
'The following filter value is not valid: {value}. Valid values include: [Standard, Advanced, Intelligent-Tiering].'.format(value=value)
)
if key == 'Type':
for value in values:
if value not in ['String', 'StringList', 'SecureString']:
raise InvalidFilterOption(
'The following filter value is not valid: {value}. Valid values include: [String, StringList, SecureString].'.format(value=value)
)
if key != 'Path' and option not in ['Equals', 'BeginsWith']:
raise InvalidFilterOption(
'The following filter option is not valid: {option}. Valid options include: [BeginsWith, Equals].'.format(option=option)
)
filter_keys.append(key)
def _format_error(self, key, value, constraint):
return 'Value "{value}" at "{key}" failed to satisfy constraint: {constraint}'.format(
constraint=constraint,
key=key,
value=value,
)
def _raise_errors(self):
if self._errors:
count = len(self._errors)
plural = "s" if len(self._errors) > 1 else ""
errors = "; ".join(self._errors)
self._errors = [] # reset collected errors
raise ValidationException('{count} validation error{plural} detected: {errors}'.format(
count=count, plural=plural, errors=errors,
))
def get_all_parameters(self):
result = []
for k, _ in self._parameters.items():
@ -269,26 +449,53 @@ class SimpleSystemManagerBackend(BaseBackend):
return result
@staticmethod
def _match_filters(parameter, filters=None):
def _match_filters(self, parameter, filters=None):
"""Return True if the given parameter matches all the filters"""
for filter_obj in (filters or []):
key = filter_obj['Key']
option = filter_obj.get('Option', 'Equals')
values = filter_obj.get('Values', [])
what = None
if key == 'Type':
what = parameter.type
elif key == 'KeyId':
what = parameter.keyid
if key == 'Path':
option = filter_obj.get('Option', 'OneLevel')
else:
option = filter_obj.get('Option', 'Equals')
if option == 'Equals'\
and not any(what == value for value in values):
what = None
if key == 'KeyId':
what = parameter.keyid
elif key == 'Name':
what = '/' + parameter.name.lstrip('/')
values = ['/' + value.lstrip('/') for value in values]
elif key == 'Path':
what = '/' + parameter.name.lstrip('/')
values = ['/' + value.strip('/') for value in values]
elif key == 'Type':
what = parameter.type
if what is None:
return False
elif option == 'BeginsWith'\
and not any(what.startswith(value) for value in values):
elif (option == 'BeginsWith' and
not any(what.startswith(value) for value in values)):
return False
elif (option == 'Equals' and
not any(what == value for value in values)):
return False
elif option == 'OneLevel':
if any(value == '/' and len(what.split('/')) == 2 for value in values):
continue
elif any(value != '/' and
what.startswith(value + '/') and
len(what.split('/')) - 1 == len(value.split('/')) for value in values):
continue
else:
return False
elif option == 'Recursive':
if any(value == '/' for value in values):
continue
elif any(what.startswith(value + '/') for value in values):
continue
else:
return False
# True if no false match (or no filters at all)
return True