Merge branch 'Netflix:master' into master

foursquare · Jun 10, 2022 · add7812 · add7812
2 parents e58048d + ac7af73
commit add7812
Show file tree

Hide file tree

Showing 6 changed files with 57 additions and 4 deletions.
diff --git a/consoleme/lib/aws.py b/consoleme/lib/aws.py
@@ -1849,7 +1849,7 @@ def allowed_to_sync_role(
     This function determines whether ConsoleMe is allowed to sync or otherwise manipulate an IAM role. By default,
     ConsoleMe will sync all roles that it can get its grubby little hands on. However, ConsoleMe administrators can tell
     ConsoleMe to only sync roles with either 1) Specific ARNs, or 2) Specific tag key/value pairs. All configured tags
-    must exist on the role for ConsoleMe to sync it.
+    must exist on the role for ConsoleMe to sync it., or 3) Specific tag keys
 
     Here's an example configuration for a tag-based restriction:
 
@@ -1872,6 +1872,15 @@ def allowed_to_sync_role(
         - arn:aws:iam::333333333333:role/role-name-here-1
     ```
 
+    And another one for an tag key based restriction:
+
+    ```
+    roles:
+      allowed_tag_keys:
+        - cosoleme-authorized
+        - consoleme-authorized-cli-only
+    ```
+
     :param
         arn: The AWS role arn
         role_tags: A dictionary of role tags
@@ -1880,12 +1889,24 @@ def allowed_to_sync_role(
     """
     allowed_tags = config.get("roles.allowed_tags", {})
     allowed_arns = config.get("roles.allowed_arns", [])
-    if not allowed_tags and not allowed_arns:
+    allowed_tag_keys = config.get("roles.allowed_tag_keys", [])
+    if not allowed_tags and not allowed_arns and not allowed_tag_keys:
         return True
 
     if role_arn in allowed_arns:
         return True
 
+    # Convert list of role tag dicts to an array of tag keys
+    # ex:
+    # role_tags = [{'Key': 'consoleme-authorized', 'Value': 'consoleme_admins'},
+    # {'Key': 'Description', 'Value': 'ConsoleMe OSS Demo Role'}]
+    # so: actual_tag_keys = ['consoleme-authorized', 'Description']
+    actual_tag_keys = [d["Key"] for d in role_tags]
+
+    # If any allowed tag key exists in the role's actual_tags this condition will pass
+    if allowed_tag_keys and any(x in allowed_tag_keys for x in actual_tag_keys):
+        return True
+
     # Convert list of role tag dicts to a single key/value dict of tags
     # ex:
     # role_tags = [{'Key': 'consoleme-authorized', 'Value': 'consoleme_admins'},

diff --git a/docs/gitbook/configuration/dynamic-configuration.md b/docs/gitbook/configuration/dynamic-configuration.md
@@ -41,7 +41,7 @@ group_mapping:
 * We store IAM inline policy permission templates in dynamic configuration. This is where you can add templates that fit your organization's needs, and it will show up in the dropdown menu for the inline policy editor. Here's an example of how you can add templates to your dynamic config:
 
 ```yaml
-permission_tempaltes:
+permission_templates:
     -   key: default
         text: Default Template
         value: |-

diff --git a/docs/gitbook/configuration/resource-syncing.md b/docs/gitbook/configuration/resource-syncing.md
@@ -25,6 +25,16 @@ roles:
     tag1: value1
     tag2: value2
 ```
+Note that all tag keys and values must match for a role to be allowed.
+
+You can also allow roles based on a list of tag keys. The role will be allowed if any of the tag keys exist against it.
+
+```text
+roles:
+  allowed_tag_keys:
+    - consoleme-authorized
+    - consoleme-authorized-cli-only
+```
 
 Alternatively, you can provide an explicit list of roles you want managed by Consoleme by adding this configuration:
 

diff --git a/example_config/example_config_base.yaml b/example_config/example_config_base.yaml
@@ -184,9 +184,11 @@ challenge_url:
 # Parameters:
 #  allowed_tags: map[string]string: if non-empty, consoleme will only consider roles tags mapped here
 #  allowed_arns: list[string]:  if non-empty, consoleme will only consider the role arns in this list
+#  allowed_tag_keys: list[string]:  if non-empty, consoleme will only consider roles with a tag key mapped here
 # roles:
 #   allowed_tags: {}
 #   allowed_arns: []
+#   allows_tag_keys: []
 
 # This section provides an opt-out for caching in the policies table on the /policies page. You can
 # opt-out of each resource type that's typically cached. By default, nothing is skipped; everything

diff --git a/tests/lib/test_aws.py b/tests/lib/test_aws.py
@@ -341,6 +341,26 @@ def test_allowed_to_sync_role(self):
 
         self.assertEqual(allowed_to_sync_role(test_role_arn, test_role_tags), True)
 
+        # Allow - allowed_tag_keys exists in role
+        CONFIG.config = {
+            **CONFIG.config,
+            "roles": {
+                "allowed_tag_keys": ["testtag"],
+            },
+        }
+
+        self.assertEqual(allowed_to_sync_role(test_role_arn, test_role_tags), True)
+
+        # Reject - No tag key
+        CONFIG.config = {
+            **CONFIG.config,
+            "roles": {
+                "allowed_tag_keys": ["unknown"],
+            },
+        }
+
+        self.assertEqual(allowed_to_sync_role(test_role_arn, test_role_tags), False)
+
         CONFIG.config = old_config
 
     def test_remove_temp_policies(self):

diff --git a/ui/src/components/blocks/datatable/DataTableComponent.js b/ui/src/components/blocks/datatable/DataTableComponent.js
@@ -47,7 +47,7 @@ const DataTableComponent = ({ config }) => {
   };
 
   const rowsPerPage = tableConfig.rowsPerPage || DEFAULT_ROWS_PER_PAGE;
-  const totalPages = parseInt(filteredData.length / rowsPerPage, 10);
+  const totalPages = Math.ceil(filteredData.length / rowsPerPage);
 
   if (isLoading) {
     return (