Merge pull request #4322 from jmcrawford45/jaredcrawford-PS-4420

hosssha · web-flow · commit 12a1c5d427c7 · 2023-02-13T15:43:55.000-08:00
Implement clean for S3DestinationPlugin, add confirm on dest remove
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,6 +1,10 @@
 Changelog
 =========
 
+Unreleased
+~~~~~~~~~~~~~~~~~~~~
+This release adds an implementation of `S3DestinationPlugin.clean`. This means that when S3 destinations are removed via
+the UI, Lemur will now delete the associated AWS resource(s).
 
 1.2.0 - `2022-01-31`
 ~~~~~~~~~~~~~~~~~~~~
diff --git a/lemur/plugins/lemur_aws/plugin.py b/lemur/plugins/lemur_aws/plugin.py
@@ -32,7 +32,7 @@
 .. moduleauthor:: Mikhail Khodorovskiy <mikhail.khodorovskiy@jivesoftware.com>
 .. moduleauthor:: Harm Weites <harm@weites.com>
 """
-
+from os.path import join
 import sys
 from acme.errors import ClientError
 from flask import current_app
@@ -591,9 +591,7 @@ def upload(self, name, body, private_key, chain, options, **kwargs):
             s3.put(
                 self.get_option("bucket", options),
                 self.get_option("region", options),
-                "{prefix}/{name}.{extension}".format(
-                    prefix=self.get_option("prefix", options), name=name, extension=ext
-                ),
+                join(self.get_option("prefix", options), f"{name}.{ext}"),
                 data,
                 self.get_option("encrypt", options),
                 account_number=self.get_option("accountNumber", options),
@@ -669,6 +667,12 @@ def delete_acme_token(self, token_path, options, **kwargs):
                                                                "filename": filename})
         return response
 
+    def clean(self, certificate, options, **kwargs):
+        prefix = self.get_option("prefix", options)
+        s3.delete(bucket_name=self.get_option("bucket", options),
+                  prefixed_object_name=join(prefix, f"{certificate.name}.pem"),
+                  account_number=self.get_option("accountNumber", options))
+
 
 class SNSNotificationPlugin(ExpirationNotificationPlugin):
     title = "AWS SNS"
diff --git a/lemur/plugins/lemur_aws/tests/test_plugin.py b/lemur/plugins/lemur_aws/tests/test_plugin.py
@@ -1,3 +1,5 @@
+from collections import namedtuple
+from os.path import join
 import boto3
 from moto import mock_sts, mock_s3, mock_ec2, mock_elb, mock_elbv2, mock_acm
 
@@ -9,6 +11,58 @@ def test_get_certificates(app):
     assert p
 
 
+@mock_sts()
+@mock_s3()
+def test_clean(app):
+    from lemur.common.utils import check_validation
+    from lemur.plugins.base import plugins
+
+    bucket = "public-bucket"
+    account = "123456789012"
+    prefix = "some-path/more-path/"
+
+    additional_options = [
+        {
+            "name": "bucket",
+            "value": bucket,
+            "type": "str",
+            "required": True,
+            "validation": check_validation(r"[0-9a-z.-]{3,63}"),
+            "helpMessage": "Must be a valid S3 bucket name!",
+        },
+        {
+            "name": "accountNumber",
+            "type": "str",
+            "value": account,
+            "required": True,
+            "validation": check_validation(r"[0-9]{12}"),
+            "helpMessage": "A valid AWS account number with permission to access S3",
+        },
+        {
+            "name": "prefix",
+            "type": "str",
+            "value": prefix,
+            "required": False,
+            "helpMessage": "Must be a valid S3 object prefix!",
+        },
+    ]
+
+    s3_client = boto3.client('s3')
+    s3_client.create_bucket(Bucket=bucket)
+
+    p = plugins.get("aws-s3")
+    Certificate = namedtuple("Certificate", ["name"])
+    certificate = Certificate(name="certificate")
+    s3_client.put_object(
+        Bucket=bucket,
+        Body="PEM_DATA",
+        Key=join(prefix, f"{certificate.name}.pem"),
+    )
+    assert s3_client.list_objects(Bucket=bucket)["Contents"]
+    p.clean(certificate, additional_options)
+    assert "Contents" not in s3_client.list_objects(Bucket=bucket)
+
+
 @mock_sts()
 @mock_s3()
 def test_upload_acme_token(app):
diff --git a/lemur/static/app/angular/certificates/certificate/destinations.tpl.html b/lemur/static/app/angular/certificates/certificate/destinations.tpl.html
@@ -21,7 +21,7 @@
                 <td><a class="btn btn-sm btn-info" href="#/destinations/{{ destination.id }}/certificates">{{ destination.label }}</a></td>
                 <td><span class="text-muted">{{ destination.description }}</span></td>
                 <td>
-                    <button type="button" ng-click="certificate.removeDestination($index)" class="btn btn-danger btn-sm pull-right">Remove</button>
+                    <button type="button" ng-click="certificate.removeDestination($index)" confirm-click="Proceed to delete certificate resources in {{ destination.label }}?" class="btn btn-danger btn-sm pull-right">Remove</button>
                 </td>
             </tr>
         </table>
