From 650423d5286e28a75bc1163fcbffeb8c6f96382c Mon Sep 17 00:00:00 2001
From: paigekim29 <70982342+paigekim29@users.noreply.github.com>
Date: Sat, 23 Apr 2022 02:17:09 +0900
Subject: [PATCH 1/3] Fix #9313 dynamic configuration typo (#9314)

---
 docs/gitbook/configuration/dynamic-configuration.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/gitbook/configuration/dynamic-configuration.md b/docs/gitbook/configuration/dynamic-configuration.md
index e1a639174..b7c468a5f 100644
--- a/docs/gitbook/configuration/dynamic-configuration.md
+++ b/docs/gitbook/configuration/dynamic-configuration.md
@@ -41,7 +41,7 @@ group_mapping:
 * We store IAM inline policy permission templates in dynamic configuration. This is where you can add templates that fit your organization's needs, and it will show up in the dropdown menu for the inline policy editor. Here's an example of how you can add templates to your dynamic config:
 
 ```yaml
-permission_tempaltes:
+permission_templates:
   - key: default
     text: Default Template
     value: |-

From fc58b9a558235cf50a84d184bf6d160112502c0e Mon Sep 17 00:00:00 2001
From: Paul Mowat
Date: Tue, 3 May 2022 23:48:04 +0100
Subject: [PATCH 2/3] feat: add roles.allowed_tag_keys configuration (#9317)

* feat: add roles.allowed_tag_keys configuration
* fix: changing to use a single condition
* fix: revert back to previous logic
* fix: quote lint issue

---
 consoleme/lib/aws.py                                | 25 +++++++++++++++++--
 .../gitbook/configuration/resource-syncing.md       | 10 ++++++++
 example_config/example_config_base.yaml             |  2 ++
 tests/lib/test_aws.py                               | 20 +++++++++++++++
 4 files changed, 55 insertions(+), 2 deletions(-)

diff --git a/consoleme/lib/aws.py b/consoleme/lib/aws.py
index 0a5669244..4805bd120 100644
--- a/consoleme/lib/aws.py
+++ b/consoleme/lib/aws.py
@@ -1849,7 +1849,7 @@ def allowed_to_sync_role(
     This function determines whether ConsoleMe is allowed to sync or otherwise manipulate an IAM role. By default, ConsoleMe will sync all roles that it can get its grubby little hands on. However, ConsoleMe administrators can tell ConsoleMe to only sync roles with either 1) Specific ARNs, or 2) Specific tag key/value pairs. All configured tags
-    must exist on the role for ConsoleMe to sync it.
+    must exist on the role for ConsoleMe to sync it., or 3) Specific tag keys
 
     Here's an example configuration for a tag-based restriction:
 
@@ -1872,6 +1872,15 @@ def allowed_to_sync_role(
         - arn:aws:iam::333333333333:role/role-name-here-1
     ```
 
+    And another one for an tag key based restriction:
+
+    ```
+    roles:
+      allowed_tag_keys:
+        - cosoleme-authorized
+        - consoleme-authorized-cli-only
+    ```
+
     :param arn: The AWS role arn
     role_tags: A dictionary of role tags
@@ -1880,12 +1889,24 @@ def allowed_to_sync_role(
     """
     allowed_tags = config.get("roles.allowed_tags", {})
     allowed_arns = config.get("roles.allowed_arns", [])
-    if not allowed_tags and not allowed_arns:
+    allowed_tag_keys = config.get("roles.allowed_tag_keys", [])
+    if not allowed_tags and not allowed_arns and not allowed_tag_keys:
         return True
     if role_arn in allowed_arns:
         return True
+    # Convert list of role tag dicts to an array of tag keys
+    # ex:
+    # role_tags = [{'Key': 'consoleme-authorized', 'Value': 'consoleme_admins'},
+    #              {'Key': 'Description', 'Value': 'ConsoleMe OSS Demo Role'}]
+    # so: actual_tag_keys = ['consoleme-authorized', 'Description']
+    actual_tag_keys = [d["Key"] for d in role_tags]
+
+    # If any allowed tag key exists in the role's actual_tags this condition will pass
+    if allowed_tag_keys and any(x in allowed_tag_keys for x in actual_tag_keys):
+        return True
+
     # Convert list of role tag dicts to a single key/value dict of tags
     # ex:
     # role_tags = [{'Key': 'consoleme-authorized', 'Value': 'consoleme_admins'},
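Review bot: The replacement line in the first hunk produces `...2) Specific tag key/value pairs. All configured tags must exist on the role for ConsoleMe to sync it., or 3) Specific tag keys`, splicing the new option onto the end of the previous sentence, so the docstring no longer states the rule for option 3. Rewrite the enumeration as `either 1) Specific ARNs, 2) Specific tag key/value pairs (all configured tags must exist on the role for ConsoleMe to sync it), or 3) Specific tag keys (a role is synced if any one configured key is present on it, whatever its value)`, which is what the `any(...)` check added further down in this file does. The second hunk's example lists `cosoleme-authorized`, a misspelling of the `consoleme-authorized` key used in the same docstring's first example, and `an tag key based` should read `a tag-key-based`. Both hunks sit inside the docstring of allowed_to_sync_role, whose signature and remaining body lie outside them.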
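Review bot: In the third hunk the new tag-key check returns True as soon as any entry of `allowed_tag_keys` appears on the role, and it runs before the existing `allowed_tags` key/value comparison, so when an operator configures both restrictions a role that carries a listed key with an arbitrary value is synced without its value ever being checked; `allowed_tag_keys` therefore loosens `allowed_tags` rather than combining with it, and either the docstring should say so or the key-only branch should be limited to the case where `allowed_tags` is empty. The `allowed_tag_keys and` guard is redundant, since `any(...)` over an empty allow-list is already False, and the membership test scans a list per key; the whole branch can be `if not set(allowed_tag_keys).isdisjoint(d["Key"] for d in role_tags): return True`. `d["Key"]` raises `KeyError` for a tag dict without that key and the comprehension raises `TypeError` if `role_tags` is None; the pre-existing dict conversion below appears to rely on the same shape, so this is presumably consistent with the caller's contract, but worth confirming. The function's remaining body continues outside the hunk.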
diff --git a/docs/gitbook/configuration/resource-syncing.md b/docs/gitbook/configuration/resource-syncing.md
index 9d9c9d4ea..9531da081 100644
--- a/docs/gitbook/configuration/resource-syncing.md
+++ b/docs/gitbook/configuration/resource-syncing.md
@@ -25,6 +25,16 @@ roles:
     tag1: value1
     tag2: value2
 ```
+Note that all tag keys and values must match for a role to be allowed.
+
+You can also allow roles based on a list of tag keys. The role will be allowed if any of the tag keys exist against it.
+
+```text
+roles:
+  allowed_tag_keys:
+    - consoleme-authorized
+    - consoleme-authorized-cli-only
+```
 
 Alternatively, you can provide an explicit list of roles you want managed by Consoleme by adding this configuration:
 
diff --git a/example_config/example_config_base.yaml b/example_config/example_config_base.yaml
index 634182fa3..e563fbf63 100644
--- a/example_config/example_config_base.yaml
+++ b/example_config/example_config_base.yaml
@@ -184,9 +184,11 @@ challenge_url:
 # Parameters:
 # allowed_tags: map[string]string: if non-empty, consoleme will only consider roles tags mapped here
 # allowed_arns: list[string]: if non-empty, consoleme will only consider the role arns in this list
+# allowed_tag_keys: list[string]: if non-empty, consoleme will only consider roles with a tag key mapped here
 # roles:
 #   allowed_tags: {}
 #   allowed_arns: []
+#   allows_tag_keys: []
 
 # This section provides an opt-out for caching in the policies table on the /policies page. You can
 # opt-out of each resource type that's typically cached. By default, nothing is skipped; everything
diff --git a/tests/lib/test_aws.py b/tests/lib/test_aws.py
index bf1e08e64..4b769633b 100644
--- a/tests/lib/test_aws.py
+++ b/tests/lib/test_aws.py
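Review bot: The commented example in the example_config_base.yaml hunk adds `#   allows_tag_keys: []`, but the key the code reads under `roles` is `allowed_tag_keys`, as the parameter description added three lines above spells it; an operator who uncomments this example would set a key that is never read and their tag-key allow-list would silently have no effect. Change it to `#   allowed_tag_keys: []`. The new description line says `roles with a tag key mapped here`, which suggests a key/value map like `allowed_tags`; since the value is a list, `roles that carry at least one of the tag keys in this list` describes it more precisely.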
@@ -341,6 +341,26 @@ def test_allowed_to_sync_role(self):
 
         self.assertEqual(allowed_to_sync_role(test_role_arn, test_role_tags), True)
 
+        # Allow - allowed_tag_keys exists in role
+        CONFIG.config = {
+            **CONFIG.config,
+            "roles": {
+                "allowed_tag_keys": ["testtag"],
+            },
+        }
+
+        self.assertEqual(allowed_to_sync_role(test_role_arn, test_role_tags), True)
+
+        # Reject - No tag key
+        CONFIG.config = {
+            **CONFIG.config,
+            "roles": {
+                "allowed_tag_keys": ["unknown"],
+            },
+        }
+
+        self.assertEqual(allowed_to_sync_role(test_role_arn, test_role_tags), False)
+
         CONFIG.config = old_config
 
     def test_remove_temp_policies(self):

From ac7af73afb8b738ef5117327c4f44affbd4db29e Mon Sep 17 00:00:00 2001
From: Michael
Date: Fri, 10 Jun 2022 16:34:27 -0700
Subject: [PATCH 3/3] switch to Math.ceil() for page calculation (#9319)

---
 ui/src/components/blocks/datatable/DataTableComponent.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ui/src/components/blocks/datatable/DataTableComponent.js b/ui/src/components/blocks/datatable/DataTableComponent.js
index a7a37ef3c..9c4a239ec 100644
--- a/ui/src/components/blocks/datatable/DataTableComponent.js
+++ b/ui/src/components/blocks/datatable/DataTableComponent.js
@@ -47,7 +47,7 @@ const DataTableComponent = ({ config }) => {
   };
 
   const rowsPerPage = tableConfig.rowsPerPage || DEFAULT_ROWS_PER_PAGE;
-  const totalPages = parseInt(filteredData.length / rowsPerPage, 10);
+  const totalPages = Math.ceil(filteredData.length / rowsPerPage);
 
   if (isLoading) {
     return (
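Review bot: Both new cases in the test_aws.py hunk set `roles` to `allowed_tag_keys` alone, so the suite never pins the behaviour that matters for an allow-list: `allowed_tags` and `allowed_tag_keys` configured together, where the implementation's key-only check runs first and a role carrying a listed key with a non-matching value is synced before the key/value comparison is reached. Add a third case with both present, for example `"roles": {"allowed_tags": {"testtag": "some-other-value"}, "allowed_tag_keys": ["testtag"]}`, and assert whichever outcome is intended, so a later change to the precedence is caught; the `"testtag"` key is presumably present in `test_role_tags`, since the first new case expects True, but that fixture is defined outside the hunk. The comment `# Reject - No tag key` would be clearer as `# Reject - none of the allowed tag keys is on the role`. The test method starts before this hunk and the `CONFIG.config = old_config` restore stays its last statement.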