Feature/ccm (#222)

* Add files via upload

add huaweicloud Kafka custodian

* Changes set-config
Delete json-diff

* delete import

* rename set_config

* Feature/dns (#9)

add dns actions, filters, UTs

* Feature/dns (#10)

* add readme_dns

* add readme_dns

* add readme_dns

* Update readme_dns.md

* Update readme_dns.md

* add dns

* update readme_dns

* update kafka

* update client

* update dns

* update dns

* update dns
add dns_test

* update dns_test
update mock

* add mock

* update dns

* Delete tools/c7n_huaweicloud/c7n_huaweicloud/resources/dns_files directory

* update dns lint

* lint modify

* lint modify

* modify

* modify

* update test

---------

Co-authored-by: Liu Wenyu <[email protected]>

* Create readme_dns.md

* feat:ccm服务开发

* feat:scm服务开发

* feat:mock文件提交

* fix:修复查询DC资源测试用例报错的问题

* fix:修改lint门禁

* fix:lint门禁修改

* fix:lint门禁修改

* fix:test门禁修改

* fix:test门禁修改

* fix:修改lint门禁

* fix:mock文件修改

* Update ci.yml

* feat:修改scm代码

* fix:test门禁处理

* fix:test门禁处理

* fix:test门禁处理

* fix:test门禁修改

* fix:test门禁修改

* fix:test门禁处理

* fix:门禁处理

* fix:test门禁修改

* fix:删除poetry.lock文件中阿里云镜像依赖

* fxi:删除阿里云镜像依赖

* fix: client change

* Update ci.yml

* fix:tag_resource_type修改

* fix:修改test门禁

* feat:添加tag_resource_type相关代码

* feat:ccm新需求开发

* feat:ccm服务新需求开发

* feat:ccm资源名称修改及ccm标签增强

* fix:lint门禁修改

* feat:修改查询标签的client

* fix:修改lint门禁

* fix:test门禁修改

* feat:删除多余重复代码

* feat:ccm需求更改

* fix:lint门禁修改

* fix:test门禁处理

* feat:ccm需求更改

* fix:lint门禁修改

* fix:lint门禁修改

* feat:ccm服务添加issue_name filter

* fix:修改lint门禁问题

* fix:修改issue——name测试用例

* fix:修改issue——name测试用例mock文件

* fix:mock文件提交

* fix:gitignore文件中删除多余代码

* feat:私有证书列表添加按create_time过滤的filter

* feat:lint门禁修改和创建时间提交

* fix:修改tag_resource_type的判断条件

* fix:test门禁处理

* fix:test门禁处理

* fix:ccm mock文件还原

* feat:scm服务名称修改

* feat:scm添加查询tags的功能

* fix:tags添加修改

* fix:lts_transfer mock文件去除分页

* fix:分页参数修改

* fix:修改分页参数

* fix:修改mock文件

* fix:修改lint门禁

* fix:添加异常抛出

* fix:修改异常抛出

* fix:修改lint门禁

* fix:抛出异常逻辑修改

* feat:ccm添加obs桶策略过滤

* fix:修改lint门禁问题

* feat:修改obs桶策略判断逻辑

* fix:修改lint门禁

---------

Co-authored-by: franklwy <[email protected]>
Co-authored-by: Liu Wenyu <[email protected]>
Co-authored-by: zfc1996 <[email protected]>
Co-authored-by: zyw0599 <[email protected]>

Author: 5 people

.gitignore

@@ -62,5 +62,3 @@ venv*/
 
 # files generated during "make data-update"
 iam_docs/
-huaweicloudsdkccm
-output

tools/c7n_huaweicloud/c7n_huaweicloud/resources/ccm.py

@@ -17,6 +17,14 @@
 log = logging.getLogger('custodian.huaweicloud.resources.ccm')
 
 
+class ObsSdkError():
+    def __init__(self, code, message, request_id):
+        self.error_code = code
+        self.error_msg = message
+        self.request_id = request_id
+        self.encoded_auth_msg = ""
+
+
 @resources.register('ccm-private-ca')
 class CertificateAuthority(QueryResourceManager):
     """Huawei Cloud Certificate Authority Resource Manager
@@ -71,9 +79,8 @@ def augment(self, resources):
                         # Convert response tags to standard dict format
                         tags = []
                         for tag in response.tags:
-                            if hasattr(tag, 'key') and hasattr(tag, 'value'):
-                                tags.append(
-                                    {'key': tag.key, 'value': tag.value})
+                            tags.append(
+                                {'key': tag.key, 'value': tag.value})
                         resource['tags'] = tags
                     else:
                         resource['tags'] = []
@@ -289,13 +296,31 @@ def process(self, resources, event=None):
 
                     if should_include:
                         results.append(resource)
+                elif resp.status == 403:
+                    error_obj = ObsSdkError(
+                        "PermissionDenied,Please confirm that",
+                        "you have 'obs:bucket:GetBucketPublicAccessBlock' permission",
+                        ""
+                    )
+                    raise exceptions.ClientRequestException(
+                        resp.status, error_obj)
+                elif resp.status >= 300:
+                    error_obj = ObsSdkError(
+                        "RequestFailed",
+                        f"Request failed, status code: {resp.status}",
+                        ""
+                    )
+                    raise exceptions.ClientRequestException(
+                        resp.status, error_obj)
 
             except exceptions.ClientRequestException as e:
                 # Log the error but don't include the resource in results
                 log.error(
                     f"Failed to get bucket PublicAccessBlock for {obs_bucket_name}: {e.error_msg}")
-                continue
-
+                if e.status_code == 403:
+                    raise e
+                else:
+                    continue
         return results
 
 
@@ -377,6 +402,197 @@ def process(self, resources, event=None):
         return results
 
 
+@CertificateAuthority.filter_registry.register('obs-bucket-policy')
+class CertificateAuthorityObsBucketPolicyFilter(Filter):
+    """Filter certificate authorities by their OBS bucket policy configuration
+
+    This filter checks if the OBS bucket associated with a CA has proper policy
+    configuration for secure access. It filters out CAs whose OBS bucket policy
+    doesn't meet both of the following criteria:
+
+    1. Has a statement with sid='deny_except_agency' and effect='Deny', and NotPrincipal
+       contains at least one ID where the part after the last '/' equals 'PCAAccessPrivateOBS',
+       and Action equals 'PutObject'
+    2. Has a statement with sid='allow_agency' and effect='Allow', and Principal
+       contains at least one ID where the part after the last '/' equals 'PCAAccessPrivateOBS',
+       and Action equals 'PutObject'
+
+    You can also specify a domain_id to check if the Principal and NotPrincipal IDs
+    contain this domain_id.
+
+    :example:
+
+    .. code-block:: yaml
+
+        policies:
+          - name: find-cas-with-improper-obs-bucket-policy
+            resource: huaweicloud.ccm-private-ca
+            filters:
+              - type: obs-bucket-policy
+                domain_id: xxxxxx
+    """
+    schema = type_schema(
+        'obs-bucket-policy',
+        domain_id={'type': 'string'}
+    )
+
+    def process(self, resources, event=None):
+        session = local_session(self.manager.session_factory)
+        obs_client = session.client('obs')
+
+        # Get domain_id from filter parameters
+        domain_id = self.data.get('domain_id')
+
+        results = []
+
+        for resource in resources:
+            # Check if CRL configuration exists and has OBS bucket name
+            crl_config = resource.get('crl_configuration', {})
+            if not crl_config:
+                self.log.debug(
+                    f"CA {resource.get('name')} has no CRL configuration")
+                results.append(resource)
+                continue
+
+            # Get OBS bucket name
+            obs_bucket_name = crl_config.get('obs_bucket_name')
+            if not obs_bucket_name:
+                self.log.debug(
+                    f"CA {resource.get('name')} has no OBS bucket specified")
+                results.append(resource)
+                continue
+
+            try:
+                # Call getBucketPolicy
+                response = obs_client.getBucketPolicy(obs_bucket_name)
+
+                # Check if bucket policy exists
+                if response.status < 300 and hasattr(response, 'body'):
+                    policy_json = response.body.policyJSON
+                    if not policy_json:
+                        self.log.debug(
+                            f"OBS bucket {obs_bucket_name} has no policy")
+                        resource['obs_bucket_policy_check'] = "No policy found"
+                        results.append(resource)
+                        continue
+
+                    # Parse policy JSON
+                    import json
+                    try:
+                        policy = json.loads(policy_json)
+                        resource['obs_bucket_policy'] = policy
+
+                        # Validate policy statements
+                        if not self.validate_policy_statements(
+                                policy, resource, obs_bucket_name, domain_id):
+                            results.append(resource)
+                    except json.JSONDecodeError:
+                        self.log.error(
+                            f"Failed to parse policy JSON for bucket {obs_bucket_name}")
+                        resource['obs_bucket_policy_check'] = "Invalid policy JSON format"
+                        results.append(resource)
+                elif response.status == 403:
+                    error_obj = ObsSdkError(
+                        "PermissionDenied,Please confirm that",
+                        "you have 'obs:bucket:GetBucketPolicy' permission",
+                        ""
+                    )
+                    raise exceptions.ClientRequestException(
+                        response.status, error_obj)
+                else:
+                    error_obj = ObsSdkError(
+                        "RequestFailed",
+                        f"Request failed, status code: {response.status}",
+                        ""
+                    )
+                    resource['obs_bucket_policy_check'] = (
+                        f"Failed to get policy: Status {response.status}")
+                    raise exceptions.ClientRequestException(
+                        response.status, error_obj)
+            except exceptions.ClientRequestException as e:
+                self.log.error(
+                    f"Failed to get bucket policy for {obs_bucket_name}: {e.error_msg}")
+                resource['obs_bucket_policy_check'] = f"Error: {e.error_msg}"
+                results.append(resource)
+                if e.status_code == 403:
+                    raise e
+                else:
+                    continue
+
+        return results
+
+    def validate_policy_statements(self, policy, resource, obs_bucket_name, domain_id=None):
+        """Validate if policy statements meet required criteria"""
+        statements = policy.get('Statement', [])
+
+        # Initialize flags for conditions
+        has_deny_except_agency = False
+        has_allow_agency = False
+
+        for statement in statements:
+            sid = statement.get('Sid', '')
+            effect = statement.get('Effect', '')
+            action = statement.get('Action', '')
+
+            # Convert action to list if it's a string
+            if isinstance(action, str):
+                action = [action]
+
+            # Check for deny_except_agency condition
+            if sid == 'deny_except_agency' and effect == 'Deny' and 'PutObject' in action:
+                obs_resources = statement.get('Resource', [])
+                obs_resources_valid = False
+                for obs_resource in obs_resources:
+                    if obs_bucket_name in obs_resource:
+                        obs_resources_valid = True
+                        break
+                if obs_resources_valid:
+                    not_principal = statement.get('NotPrincipal', {})
+                    not_principal_ids = not_principal.get('ID', [])
+
+                    # Convert to list if it's a string
+                    if isinstance(not_principal_ids, str):
+                        not_principal_ids = [not_principal_ids]
+                    domain_id_match_str = 'domain/' + domain_id + ':agency/PCAAccessPrivateOBS'
+
+                    for principal_id in not_principal_ids:
+                        if domain_id_match_str == principal_id:
+                            has_deny_except_agency = True
+                            break
+
+            # Check for allow_agency condition
+            if sid == 'allow_agency' and effect == 'Allow' and 'PutObject' in action:
+                obs_resources = statement.get('Resource', [])
+                obs_resources_valid = False
+                for obs_resource in obs_resources:
+                    if obs_bucket_name in obs_resource:
+                        obs_resources_valid = True
+                        break
+                if obs_resources_valid:
+                    principal = statement.get('Principal', {})
+                    principal_ids = principal.get('ID', [])
+
+                    # Convert to list if it's a string
+                    if isinstance(principal_ids, str):
+                        principal_ids = [principal_ids]
+                    domain_id_match_str = 'domain/' + domain_id + ':agency/PCAAccessPrivateOBS'
+                    for principal_id in principal_ids:
+                        if domain_id_match_str == principal_id:
+                            has_allow_agency = True
+                            break
+
+        # Record the check results in the resource
+        resource['obs_bucket_policy_check'] = {
+            'has_deny_except_agency': has_deny_except_agency,
+            'has_allow_agency': has_allow_agency,
+            'is_valid': has_deny_except_agency and has_allow_agency,
+            'domain_id_checked': domain_id is not None
+        }
+
+        # Return True if both conditions are met, False otherwise
+        return has_deny_except_agency and has_allow_agency
+
+
 @CertificateAuthority.action_registry.register('disable')
 class DisableCertificateAuthority(HuaweiCloudBaseAction):
     """Disable Certificate Authority
@@ -484,9 +700,8 @@ def augment(self, resources):
                         # Convert response tags to standard dict format
                         tags = []
                         for tag in response.tags:
-                            if hasattr(tag, 'key') and hasattr(tag, 'value'):
-                                tags.append(
-                                    {'key': tag.key, 'value': tag.value})
+                            tags.append(
+                                {'key': tag.key, 'value': tag.value})
                         resource['tags'] = tags
                     else:
                         resource['tags'] = []

tools/c7n_huaweicloud/c7n_huaweicloud/resources/scm.py

@@ -6,9 +6,10 @@
 from huaweicloudsdkscm.v3 import (
     # Certificate management related
     DeleteCertificateRequest,
+    ListTagsByCertificateRequest,
 )
 
-from c7n.utils import type_schema
+from c7n.utils import type_schema, local_session
 from c7n_huaweicloud.provider import resources
 from c7n_huaweicloud.query import QueryResourceManager, TypeInfo
 from c7n_huaweicloud.actions.base import HuaweiCloudBaseAction
@@ -21,7 +22,7 @@ class Scm(QueryResourceManager):
 
     class resource_type(TypeInfo):
         service = 'ccm-ssl-certificate'
-        enum_spec = ('list_certificates', 'certificates', None)
+        enum_spec = ('list_certificates', 'certificates', 'offset', 50)
         id = 'id'
         name = 'name'
         filter_name = 'name'
@@ -30,6 +31,47 @@ class resource_type(TypeInfo):
         # Set tag resource type for TMS operations
         tag_resource_type = 'scm'
 
+    def augment(self, resources):
+        # Query tags for each certificate and add them to the resource properties
+        session = local_session(self.session_factory)
+        client = session.client('ccm-ssl-certificate')
+
+        for resource in resources:
+            try:
+                # Get certificate ID
+                resource_id = resource.get('id')
+                if not resource_id:
+                    continue
+
+                # Use ListTagsByCertificateRequest to query tags for this certificate
+                request = ListTagsByCertificateRequest()
+                request.resource_id = resource_id
+
+                try:
+                    # Call the API to get tags
+                    response = client.list_tags_by_certificate(request)
+
+                    # Check if tags are available in the response
+                    if hasattr(response, 'tags') and response.tags is not None:
+                        # Convert response tags to standard dict format
+                        tags = []
+                        for tag in response.tags:
+                            tags.append(
+                                {'key': tag.key, 'value': tag.value})
+                        resource['tags'] = tags
+                    else:
+                        resource['tags'] = []
+                except exceptions.ClientRequestException as e:
+                    log.warning(
+                        f"Failed to retrieve tags for certificate {resource_id}: {e.error_msg}")
+                    resource['tags'] = []
+            except Exception as e:
+                log.error(
+                    f"Error retrieving tags for certificate {resource.get('id')}: {str(e)}")
+                resource['tags'] = []
+
+        return resources
+
 
 @Scm.action_registry.register('delete')
 class DeleteCertificateAction(HuaweiCloudBaseAction):