diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml new file mode 100644 index 0000000..131c639 --- /dev/null +++ b/.github/workflows/linting.yml @@ -0,0 +1,11 @@ +name: Linting +on: [push, pull_request] +jobs: + lint: + # Run per push for internal contributers. This isn't possible for forked pull requests, + # so we'll need to run on PR events for external contributers. + # String comparison below is case insensitive. + if: github.event_name == 'push' || github.event.pull_request.head.repo.fork + runs-on: ubuntu-latest + steps: + - uses: 'phantomcyber/dev-cicd-tools/github-actions/lint@main' diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml new file mode 100644 index 0000000..712cc1b --- /dev/null +++ b/.github/workflows/semgrep.yml @@ -0,0 +1,28 @@ +name: Semgrep +on: + pull_request_target: + branches: + - next + - main + push: + branches: + - next + - main +jobs: + semgrep: + runs-on: ubuntu-latest + steps: + - if: github.event_name == 'push' + run: | + echo "REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV + echo "REF=${{ github.REF }}" >> $GITHUB_ENV + - if: github.event_name == 'pull_request_target' + run: | + echo "REPOSITORY=${{ github.event.pull_request.head.repo.full_name }}" >> $GITHUB_ENV + echo "REF=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV + - uses: 'phantomcyber/dev-cicd-tools/github-actions/semgrep@main' + with: + SEMGREP_DEPLOYMENT_ID: ${{ secrets.SEMGREP_DEPLOYMENT_ID }} + SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} + REPOSITORY: ${{ github.repository }} + REF: ${{ github.ref }} diff --git a/.github/workflows/start-release.yml b/.github/workflows/start-release.yml new file mode 100644 index 0000000..7d47230 --- /dev/null +++ b/.github/workflows/start-release.yml @@ -0,0 +1,9 @@ +name: Start Release +on: workflow_dispatch +jobs: + start-release: + runs-on: ubuntu-latest + steps: + - uses: 'phantomcyber/dev-cicd-tools/github-actions/start-release@main' + with: + GITHUB_TOKEN: ${{ secrets.SOAR_APPS_TOKEN }} diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml deleted file mode 100644 index 38e1594..0000000 --- a/.gitlab-ci.yml +++ /dev/null @@ -1,3 +0,0 @@ -include: - - project: 'phantom/appscript' - file: 'gitlab-ci/.gitlab-ci.yml' diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..7f5e431 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,11 @@ +repos: +- repo: https://github.com/phantomcyber/dev-cicd-tools + rev: v1.8 + hooks: + - id: org-hook + - id: package-app-dependencies +- repo: https://github.com/Yelp/detect-secrets + rev: v1.1.0 + hooks: + - id: detect-secrets + args: ['--no-verify', '--exclude-files', '^awssts.json$'] diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..b3cc507 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,2 @@ +# Contributing +For more information about contributing to Splunk SOAR Apps please take a look at our app [Contribution Guide](https://github.com/splunk-soar-connectors/.github/blob/main/.github/CONTRIBUTING.md)! diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..53ef397 --- /dev/null +++ b/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright (c) 2021-2022 Splunk Inc. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file diff --git a/Makefile b/Makefile deleted file mode 100644 index 8a098e0..0000000 --- a/Makefile +++ /dev/null @@ -1,82 +0,0 @@ -# Makefile for Phantom apps CI -# created oct-2018 by michellel & jacobd at splunk -# -# Usage: -# make local - to bring up docker for local dev -# make - pipeline targets build / upload -# make secrets - list any required secret values -# -# Credentials can be passed as environment variables or docker secret files -# under /run/secrets - - -# Variables set by GitLab -WORKSPACE ?= $(shell grep WORKSPACE: docker-compose.yml | cut -d : -f 2) -CI_COMMIT_REF_NAME ?= $(shell git branch | grep "\*" | cut -d ' ' -f 2) - -# Git variables -GIT_SERVER ?= cd.splunkdev.com -RELEASE_GROUP ?= phantom -RELEASE_REPO ?= app_release -RELEASE_DIR := $(WORKSPACE)/$(RELEASE_REPO) - -# Docker variables -export IMAGE_TAG ?= $(shell grep ^image: .gitlab-ci.yml | cut -d : -f 3) - -# Variables sent to app_release for test/build/release scripts -export APP_DIR ?= $(shell pwd) -export APP_REPO_NAME ?= $(shell basename $(APP_DIR)) -export APP_BRANCH ?= $(CI_COMMIT_REF_NAME) -export TEST_BRANCH ?= master - -# Pipeline secrets -SECRETS = app_artf_token mc_artf_token gitlab_api_token app_deploy_key -ifneq ($(wildcard /run/secrets/.),) - # Load secrets if specified in filesystem rather than variables - export GITLAB_API_TOKEN ?= $(shell cat /run/secrets/gitlab_api_token) - export APP_ARTF_TOKEN ?= $(shell cat /run/secrets/app_artf_token) - export MC_ARTF_TOKEN ?= $(shell cat /run/secrets/mc_artf_token) - export APP_DEPLOY_KEY ?= $(shell cat /run/secrets/app_deploy_key) -endif - -APP_RELEASE_TARGETS = test upload build release deploy -.PHONY: checkout local secrets list_secrets $(APP_RELEASE_TARGETS) - -checkout: $(RELEASE_DIR) -$(RELEASE_DIR): /tmp/ssh-agent - $(info Clone the $(RELEASE_REPO) repo into $(RELEASE_DIR)) - @git clone git@$(GIT_SERVER):$(RELEASE_GROUP)/$(RELEASE_REPO).git $(RELEASE_DIR) - $(info Checkout the test branch: $(TEST_BRANCH)) - @cd $(RELEASE_DIR) && git checkout $(TEST_BRANCH) - -$(APP_RELEASE_TARGETS): checkout - @cd $(RELEASE_DIR) && make $@ - -local: secrets - $(info Setting up local development instance) - $(info Make sure you have run:) - $(info docker login repo.splunk.com) - docker-compose up -d - $(info Working directory is mapped to $(DOCKER_WORK). To connect:) - $(info docker exec -it -w $(DOCKER_WORK) local_qa-local_1 bash) - -/tmp/ssh-agent: - $(info Starting ssh agent) - @mkdir -p -m 700 ~/.ssh - @ssh-keyscan -p 22 $(GIT_SERVER) >> ~/.ssh/known_hosts - @eval $(shell ssh-agent -s >$@) - @if [ -s /run/secrets/app_deploy_key ]; then \ - cp /run/secrets/app_deploy_key ~/.ssh/id_rsa && \ - source $@ && ssh-add ~/.ssh/id_rsa; \ - else \ - cp ~/.ssh/app_deploy_key ~/.ssh/id_rsa && \ - chmod 600 ~/.ssh/id_rsa && \ - cat $@ && \ - source $@ && ssh-add ~/.ssh/id_rsa; \ - fi - -SECRET_FILES = $(foreach I,$(SECRETS),~/.docker/secrets/$I) -secrets: list_secrets $(SECRET_FILES) -list_secrets: - $(info From .docker/secrets these files are loaded:) - $(info $(SECRETS)) diff --git a/NOTICE b/NOTICE new file mode 100644 index 0000000..877e230 --- /dev/null +++ b/NOTICE @@ -0,0 +1,27 @@ +Splunk SOAR AWS Security Token Service +Copyright (c) 2021-2022 Splunk Inc. + +Third-party Software Attributions: + +Library: boto3 +Version: 1.17.30 +License: Apache 2.0 +Copyright 2013-2017 Amazon.com, Inc + +Library: botocore +Version: 1.20.30 +License: Apache 2.0 +Copyright 2008-2011 Andrey Petrov and contributors +Copyright 2012 Kenneth Reitz +Copyright 2012-2017 Amazon.com, Inc +Copyright 2013 Kenneth Reitz + +Library: requests +Version: 2.25.0 +License: Apache 2.0 +Kenneth Reitz + +Library: six +Version: 1.15.0 +License: MIT +Copyright 2010-2020 Benjamin Peterson diff --git a/README.md b/README.md new file mode 100644 index 0000000..5212dea --- /dev/null +++ b/README.md @@ -0,0 +1,116 @@ +[comment]: # "Auto-generated SOAR connector documentation" +# AWS Security Token Service + +Publisher: Splunk +Connector Version: 1\.2\.9 +Product Vendor: AWS +Product Name: Security Token Service +Product Version Supported (regex): "\.\*" +Minimum Product Version: 4\.10\.0\.40961 + +This app integrates with AWS Security Token Service and allows a user to retrieve a temporary set of credentials for some specified account + +[comment]: # " File: README.md" +[comment]: # " Copyright (c) 2021-2022 Splunk Inc." +[comment]: # "" +[comment]: # "Licensed under the Apache License, Version 2.0 (the 'License');" +[comment]: # "you may not use this file except in compliance with the License." +[comment]: # "You may obtain a copy of the License at" +[comment]: # "" +[comment]: # " http://www.apache.org/licenses/LICENSE-2.0" +[comment]: # "" +[comment]: # "Unless required by applicable law or agreed to in writing, software distributed under" +[comment]: # "the License is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND," +[comment]: # "either express or implied. See the License for the specific language governing permissions" +[comment]: # "and limitations under the License." +[comment]: # "" +## Asset Configuration + +There are two ways to configure an AWS STS asset. The first is to configure the **access_key** , +**secret_key** and **region** variables. If it is preferred to use a role and Phantom is running as +an EC2 instance, the **use_role** checkbox can be checked instead. This will allow the role that is +attached to the instance to be used. Please see the [AWS EC2 and IAM +documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) +for more information. + +## Assuming a Role + +When calling the **assume_role** action, a dictionary containing the **AccessKeyId** , +**SecretAccessKey** , **SessionToken** and **Expiration** key/value pairs with data path +**assume_role_1:action_result.data.\*.Credentials** will be returned. This dictionary can be passed +directly into the **credentials** parameter in another AWS app's action within a playbook. These +credentials will be used to override the asset configuration of that app when executing the action. +This is true whether the receiving action's asset is configured with the access key and secret key +or if the EC2 instance role credentials are used. + + +### Configuration Variables +The below configuration variables are required for this Connector to operate. These variables are specified when configuring a Security Token Service asset in SOAR. + +VARIABLE | REQUIRED | TYPE | DESCRIPTION +-------- | -------- | ---- | ----------- +**access\_key** | optional | password | Access Key +**secret\_key** | optional | password | Secret Key +**region** | required | string | Default Region +**use\_role** | optional | boolean | Use attached role when running Phantom in EC2 + +### Supported Actions +[test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity using supplied configuration +[assume role](#action-assume-role) - Assume a role + +## action: 'test connectivity' +Validate the asset configuration for connectivity using supplied configuration + +Type: **test** +Read only: **True** + +#### Action Parameters +No parameters are required for this action + +#### Action Output +No Output + +## action: 'assume role' +Assume a role + +Type: **generic** +Read only: **False** + +Retrieve a token for a specified role and user account\. + +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**role\_arn** | required | Role ARN | string | `aws role arn` +**role\_session\_name** | required | Role Session Name | string | `aws role session name` +**role\_session\_duration** | optional | Role Session Duration \(Seconds\) | numeric | +**external\_id** | optional | External ID | string | `aws external id` +**region** | optional | Region, overrides default region in asset configuration | string | + +#### Action Output +DATA PATH | TYPE | CONTAINS +--------- | ---- | -------- +action\_result\.parameter\.role\_session\_name | string | `aws role session name` +action\_result\.parameter\.external\_id | string | `aws external id` +action\_result\.parameter\.role\_arn | string | `aws role arn` +action\_result\.status | string | +action\_result\.message | string | +action\_result\.data\.\*\.Credentials | string | `aws credentials` +action\_result\.data\.\*\.Credentials\.Expiration | string | +action\_result\.data\.\*\.Credentials\.AccessKeyId | string | +action\_result\.data\.\*\.Credentials\.SessionToken | string | +action\_result\.data\.\*\.Credentials\.SecretAccessKey | string | +action\_result\.data\.\*\.AssumedRoleUser\.Arn | string | +action\_result\.data\.\*\.AssumedRoleUser\.AssumedRoleId | string | +action\_result\.data\.\*\.ResponseMetadata\.RequestId | string | +action\_result\.data\.\*\.ResponseMetadata\.HTTPHeaders\.date | string | +action\_result\.data\.\*\.ResponseMetadata\.HTTPHeaders\.content\-type | string | +action\_result\.data\.\*\.ResponseMetadata\.HTTPHeaders\.content\-length | string | +action\_result\.data\.\*\.ResponseMetadata\.HTTPHeaders\.x\-amzn\-requestid | string | +action\_result\.data\.\*\.ResponseMetadata\.RetryAttempts | numeric | +action\_result\.data\.\*\.ResponseMetadata\.HTTPStatusCode | numeric | +action\_result\.parameter\.role\_session\_duration | numeric | +action\_result\.parameter\.region | string | +action\_result\.summary | string | +summary\.total\_objects | numeric | +summary\.total\_objects\_successful | numeric | \ No newline at end of file diff --git a/__init__.py b/__init__.py index eda9291..a3461fb 100644 --- a/__init__.py +++ b/__init__.py @@ -1,8 +1,14 @@ # File: __init__.py # -# Copyright (c) 2021 Splunk Inc. +# Copyright (c) 2021-2022 Splunk Inc. # -# SPLUNK CONFIDENTIAL - Use or disclosure of this material in whole or in part -# without a valid written license from Splunk Inc. is PROHIBITED. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at # -# -- +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed under +# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, +# either express or implied. See the License for the specific language governing permissions +# and limitations under the License. diff --git a/awssts.json b/awssts.json index 8969ad0..b7a7c05 100644 --- a/awssts.json +++ b/awssts.json @@ -8,11 +8,12 @@ "logo_dark": "logo_awssts_dark.svg", "product_name": "Security Token Service", "python_version": "3", + "fips_compliant": true, "product_version_regex": ".*", "publisher": "Splunk", - "license": "Copyright (c) 2021 Splunk Inc.", - "app_version": "1.2.7", - "utctime_updated": "2021-10-13T19:14:50.000000Z", + "license": "Copyright (c) 2021-2022 Splunk Inc.", + "app_version": "1.2.9", + "utctime_updated": "2022-01-19T00:52:27.000000Z", "package_name": "phantom_awssts", "main_module": "awssts_connector.py", "min_phantom_version": "4.10.0.40961", @@ -30,9 +31,41 @@ "module": "botocore", "input_file": "wheels/botocore-1.20.30-py2.py3-none-any.whl" }, + { + "module": "certifi", + "input_file": "wheels/certifi-2021.10.8-py2.py3-none-any.whl" + }, + { + "module": "chardet", + "input_file": "wheels/chardet-3.0.4-py2.py3-none-any.whl" + }, + { + "module": "idna", + "input_file": "wheels/idna-2.10-py2.py3-none-any.whl" + }, { "module": "jmespath", "input_file": "wheels/jmespath-0.10.0-py2.py3-none-any.whl" + }, + { + "module": "python_dateutil", + "input_file": "wheels/python_dateutil-2.8.2-py2.py3-none-any.whl" + }, + { + "module": "requests", + "input_file": "wheels/requests-2.25.0-py2.py3-none-any.whl" + }, + { + "module": "s3transfer", + "input_file": "wheels/s3transfer-0.3.7-py2.py3-none-any.whl" + }, + { + "module": "six", + "input_file": "wheels/six-1.15.0-py2.py3-none-any.whl" + }, + { + "module": "urllib3", + "input_file": "wheels/urllib3-1.26.7-py2.py3-none-any.whl" } ] }, diff --git a/awssts_connector.py b/awssts_connector.py index aa046ff..f0e49bc 100644 --- a/awssts_connector.py +++ b/awssts_connector.py @@ -1,26 +1,31 @@ -# -- # File: awssts_connector.py # -# Copyright (c) 2021 Splunk Inc. +# Copyright (c) 2021-2022 Splunk Inc. # -# SPLUNK CONFIDENTIAL - Use or disclosure of this material in whole or in part -# without a valid written license from Splunk Inc. is PROHIBITED. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at # -# -- +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed under +# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, +# either express or implied. See the License for the specific language governing permissions +# and limitations under the License. +# +# +import json +from datetime import datetime -# Phantom App imports import phantom.app as phantom -from phantom.base_connector import BaseConnector +import requests +import six +from boto3 import Session, client +from botocore.config import Config from phantom.action_result import ActionResult +from phantom.base_connector import BaseConnector -# Usage of the consts file is recommended from awssts_consts import * -from boto3 import client, Session -from datetime import datetime -from botocore.config import Config -import requests -import json -import six class RetVal(tuple): @@ -234,8 +239,10 @@ def _handle_get_ec2_role(self): def main(): - import pudb import argparse + import sys + + import pudb pudb.set_trace() @@ -244,12 +251,14 @@ def main(): argparser.add_argument('input_test_json', help='Input Test JSON file') argparser.add_argument('-u', '--username', help='username', required=False) argparser.add_argument('-p', '--password', help='password', required=False) + argparser.add_argument('-v', '--verify', action='store_true', help='verify', required=False, default=False) args = argparser.parse_args() session_id = None username = args.username password = args.password + verify = args.verify if username is not None and password is None: @@ -262,7 +271,7 @@ def main(): login_url = AwsSecureTokenServiceConnector._get_phantom_base_url() + '/login' print("Accessing the Login page") - r = requests.get(login_url, verify=False) + r = requests.get(login_url, verify=verify, timeout=DEFAULT_TIMEOUT) csrftoken = r.cookies['csrftoken'] data = dict() @@ -275,11 +284,11 @@ def main(): headers['Referer'] = login_url print("Logging into Platform to get the session id") - r2 = requests.post(login_url, verify=False, data=data, headers=headers) + r2 = requests.post(login_url, verify=verify, data=data, headers=headers, timeout=DEFAULT_TIMEOUT) session_id = r2.cookies['sessionid'] except Exception as e: print("Unable to get session id from the platform. Error: " + str(e)) - exit(1) + sys.exit(1) with open(args.input_test_json) as f: in_json = f.read() @@ -296,7 +305,7 @@ def main(): ret_val = connector._handle_action(json.dumps(in_json), None) print(json.dumps(json.loads(ret_val), indent=4)) - exit(0) + sys.exit(0) if __name__ == '__main__': diff --git a/awssts_consts.py b/awssts_consts.py index f7898d4..1d9c4da 100644 --- a/awssts_consts.py +++ b/awssts_consts.py @@ -1,13 +1,17 @@ -# -- # File: awssts_consts.py # -# Copyright (c) 2021 Splunk Inc. +# Copyright (c) 2021-2022 Splunk Inc. # -# SPLUNK CONFIDENTIAL - Use or disclosure of this material in whole or in part -# without a valid written license from Splunk Inc. is PROHIBITED. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at # -# -- - +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed under +# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, +# either express or implied. See the License for the specific language governing permissions +# and limitations under the License. STS_JSON_ACCESS_KEY = "access_key" STS_JSON_SECRET_KEY = "secret_key" @@ -31,6 +35,7 @@ "US GovCloud West": "us-gov-west-1", } +DEFAULT_TIMEOUT = 30 DEFAULT_ROLE_SESSION_DURATION = 3600 DEFAULT_ROLE_SESSION_NAME = 'Request_from_Phantom' ASSUME_ROLE_SUCCESS_MSG = 'Successfully retrieved assume role credentials from region {}' diff --git a/docker-compose.yml b/docker-compose.yml deleted file mode 100644 index 8c5b25d..0000000 --- a/docker-compose.yml +++ /dev/null @@ -1,27 +0,0 @@ -version: "3.2" - -services: - app_tester: - image: repo.splunk.com/splunk/infra/phantom_apps_tester:${IMAGE_TAG:-latest} - environment: - BUILD_USER_ID: ${USER:-localbuild} - TEST_BRANCH: ${TEST_BRANCH:-master} - WORKSPACE: /builds/phantom-apps - volumes: - - .:/builds/phantom-apps/${APP_REPO_NAME} - command: sleep 28800 - secrets: - - app_artf_token - - mc_artf_token - - app_deploy_key - - gitlab_api_token - -secrets: - mc_artf_token: - file: ~/.docker/secrets/mc_artf_token - app_artf_token: - file: ~/.docker/secrets/app_artf_token - app_deploy_key: - file: ~/.docker/secrets/app_deploy_key - gitlab_api_token: - file: ~/.docker/secrets/gitlab_api_token diff --git a/exclude_files.txt b/exclude_files.txt index 7ce3549..bf3da16 100644 --- a/exclude_files.txt +++ b/exclude_files.txt @@ -4,4 +4,4 @@ Makefile .git* whitesource-results whitesource* -gl-*.csv \ No newline at end of file +gl-*.csv diff --git a/readme.html b/readme.html index 681cc83..f6a5fb4 100644 --- a/readme.html +++ b/readme.html @@ -1,8 +1,16 @@ diff --git a/release_notes/1.0.2.md b/release_notes/1.0.2.md new file mode 100644 index 0000000..8fa9f33 --- /dev/null +++ b/release_notes/1.0.2.md @@ -0,0 +1,6 @@ +**AWS Security Token Service Release Notes - Published by Splunk February 25, 2021** + + +**Version 1.0.2 - Released February 25, 2021** + +* Initial Release with Python 3 support diff --git a/release_notes/1.1.1.md b/release_notes/1.1.1.md new file mode 100644 index 0000000..622786f --- /dev/null +++ b/release_notes/1.1.1.md @@ -0,0 +1,6 @@ +**AWS Security Token Service Release Notes - Published by Splunk June 15, 2021** + + +**Version 1.1.1 - Released June 15, 2021** + +* Updated the botocore and boto3 libraries[PAPP-17211] diff --git a/release_notes/1.2.4.md b/release_notes/1.2.4.md new file mode 100644 index 0000000..a5f0334 --- /dev/null +++ b/release_notes/1.2.4.md @@ -0,0 +1,6 @@ +**AWS Security Token Service Release Notes - Published by Splunk October 05, 2021** + + +**Version 1.2.4 - Released October 05, 2021** + +* Added visibility key to hide the 'Use EC2 Role' checkbox on Phantom SaaS [PAPP-20278] diff --git a/release_notes/1.2.7.md b/release_notes/1.2.7.md new file mode 100644 index 0000000..c79784b --- /dev/null +++ b/release_notes/1.2.7.md @@ -0,0 +1,6 @@ +**AWS Security Token Service Release Notes - Published by Splunk October 13, 2021** + + +**Version 1.2.7 - Released October 13, 2021** + +* Removed unnecessary build artifacts diff --git a/release_notes/1.2.9.md b/release_notes/1.2.9.md new file mode 100644 index 0000000..2222086 --- /dev/null +++ b/release_notes/1.2.9.md @@ -0,0 +1,6 @@ +**AWS Security Token Service Release Notes - Published by Splunk January 25, 2022** + + +**Version 1.2.9 - Released January 25, 2022** + +* Marked the app as FIPS Compliant [PAPP-21769] \ No newline at end of file diff --git a/release_notes/release_notes.html b/release_notes/release_notes.html new file mode 100644 index 0000000..a800520 --- /dev/null +++ b/release_notes/release_notes.html @@ -0,0 +1,22 @@ +AWS Security Token Service Release Notes - Published by Splunk January 25, 2022 +

+Version 1.2.9 - Released January 25, 2022 + +Version 1.2.7 - Released October 13, 2021 + +Version 1.2.4 - Released October 05, 2021 + +Version 1.1.1 - Released June 15, 2021 + +Version 1.0.2 - Released February 25, 2021 + diff --git a/release_notes/unreleased.md b/release_notes/unreleased.md new file mode 100644 index 0000000..fbcb2fd --- /dev/null +++ b/release_notes/unreleased.md @@ -0,0 +1 @@ +**Unreleased** diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..98ff1f9 --- /dev/null +++ b/requirements.txt @@ -0,0 +1,4 @@ +boto3==1.17.30 +botocore==1.20.30 +requests==2.25.0 +six==1.15.0 diff --git a/tox.ini b/tox.ini new file mode 100644 index 0000000..127a08b --- /dev/null +++ b/tox.ini @@ -0,0 +1,7 @@ +[flake8] +max-line-length = 145 +max-complexity = 28 +ignore = F403,E128,E126,E111,E121,E127,E731,E201,E202,F405,E722,D,W292 + +[isort] +line_length = 145 diff --git a/wheels/certifi-2021.10.8-py2.py3-none-any.whl b/wheels/certifi-2021.10.8-py2.py3-none-any.whl new file mode 100644 index 0000000..fbcb86b Binary files /dev/null and b/wheels/certifi-2021.10.8-py2.py3-none-any.whl differ diff --git a/wheels/chardet-3.0.4-py2.py3-none-any.whl b/wheels/chardet-3.0.4-py2.py3-none-any.whl new file mode 100644 index 0000000..d276977 Binary files /dev/null and b/wheels/chardet-3.0.4-py2.py3-none-any.whl differ diff --git a/wheels/idna-2.10-py2.py3-none-any.whl b/wheels/idna-2.10-py2.py3-none-any.whl new file mode 100644 index 0000000..41225cb Binary files /dev/null and b/wheels/idna-2.10-py2.py3-none-any.whl differ diff --git a/wheels/python_dateutil-2.8.2-py2.py3-none-any.whl b/wheels/python_dateutil-2.8.2-py2.py3-none-any.whl new file mode 100644 index 0000000..8ffb923 Binary files /dev/null and b/wheels/python_dateutil-2.8.2-py2.py3-none-any.whl differ diff --git a/wheels/requests-2.25.0-py2.py3-none-any.whl b/wheels/requests-2.25.0-py2.py3-none-any.whl new file mode 100644 index 0000000..c3f28e5 Binary files /dev/null and b/wheels/requests-2.25.0-py2.py3-none-any.whl differ diff --git a/wheels/s3transfer-0.3.7-py2.py3-none-any.whl b/wheels/s3transfer-0.3.7-py2.py3-none-any.whl new file mode 100644 index 0000000..97eaef6 Binary files /dev/null and b/wheels/s3transfer-0.3.7-py2.py3-none-any.whl differ diff --git a/wheels/six-1.15.0-py2.py3-none-any.whl b/wheels/six-1.15.0-py2.py3-none-any.whl new file mode 100644 index 0000000..89edace Binary files /dev/null and b/wheels/six-1.15.0-py2.py3-none-any.whl differ diff --git a/wheels/urllib3-1.26.7-py2.py3-none-any.whl b/wheels/urllib3-1.26.7-py2.py3-none-any.whl new file mode 100644 index 0000000..62189e6 Binary files /dev/null and b/wheels/urllib3-1.26.7-py2.py3-none-any.whl differ