1010from email .mime .multipart import MIMEMultipart
1111from email .mime .base import MIMEBase
1212
13+ logger = logging .getLogger ()
14+ logger .setLevel (logging .INFO )
1315# Get Resource Principal Credentials
1416signer = oci .auth .signers .get_resource_principals_signer ()
1517
@@ -139,10 +141,15 @@ def send_email(subject,secret_client,cfg,BODY_HTML,report_data,recipient,report_
139141 #server.send_message(msg)
140142 server .close ()
141143
142- def get_body_html (identity_domains_client ,BODY_HTML ,domain_name ,credential_check ,user_name ,user_email ,resource ,resource_id ,type ,cfg ,except_user ,report_data ):
144+ def get_body_html (identity_domains_client ,BODY_HTML ,domain_name ,credential_check ,user_name ,user_email ,resource ,resource_id ,type ,cfg ,except_user ,report_data ,enable_delete_on_expiry ):
145+
143146 report_date = str (datetime .datetime .strftime (datetime .datetime .now (), "%Y-%b-%d" ))
144147 identifier = resource_id
145- created_time = datetime .datetime .strptime ((resource .meta ).created , "%Y-%m-%dT%H:%M:%S.%fZ" )
148+ if resource_id == "console_password" :
149+ created_time = datetime .datetime .strptime (resource , "%Y-%m-%dT%H:%M:%S.%fZ" )
150+
151+ else :
152+ created_time = datetime .datetime .strptime ((resource .meta ).created , "%Y-%m-%dT%H:%M:%S.%fZ" )
146153 warning_date = created_time + datetime .timedelta (days = int (cfg ["warning_in_days" ]))
147154 critical_date = created_time + datetime .timedelta (days = int (cfg ["critical_in_days" ]))
148155 expiry_date = created_time + datetime .timedelta (days = int (cfg ["expiry_in_days" ]))
@@ -153,15 +160,16 @@ def get_body_html(identity_domains_client,BODY_HTML,domain_name,credential_check
153160 severity = "Expired"
154161
155162 # Delete the credential
156- user_to_check = str (user_name )+ "@" + str (domain_name )
157- if user_to_check .lower () not in except_user :
158- logging .getLogger ().info (f'Deleting { resource .id } { type } for { user_name } in { domain_name } domain' )
159- if type == "api_key" :
160- identity_domains_client .delete_api_key (resource .id )
161- elif type == "auth_token" :
162- identity_domains_client .delete_auth_token (resource .id )
163- elif type == "customer_secret_key" :
164- identity_domains_client .delete_customer_secret_key (resource .id )
163+ if enable_delete_on_expiry == "true" :
164+ user_to_check = str (user_name )+ "@" + str (domain_name )
165+ if user_to_check .lower () not in except_user :
166+ logging .getLogger ().info (f'Deleting { resource .id } { type } for { user_name } in { domain_name } domain' )
167+ if type == "api_key" :
168+ identity_domains_client .delete_api_key (resource .id )
169+ elif type == "auth_token" :
170+ identity_domains_client .delete_auth_token (resource .id )
171+ elif type == "customer_secret_key" :
172+ identity_domains_client .delete_customer_secret_key (resource .id )
165173
166174 elif critical_date < datetime .datetime .now ():
167175 credential_check = False
@@ -186,6 +194,7 @@ def handler(ctx, data: io.BytesIO=None):
186194 cfg = ctx .Config ()
187195 domain_ids = cfg ["domain_ocids" ]
188196 except_user_input = cfg ["exception_users" ].split ("," )
197+ enable_delete_on_expiry = cfg ['enable_delete_on_expiry' ].lower ()
189198 except_user = []
190199 for item in except_user_input :
191200 except_user .append (str (item ).lower ())
@@ -218,7 +227,7 @@ def handler(ctx, data: io.BytesIO=None):
218227 while list_users_response .has_next_page :
219228 list_users_response = identity_domains_client .list_users (page = list_users_response .next_page )
220229 users .extend (list_users_response .data .resources )
221- logging .getLogger ().info ('fetched ' + str (len (users )) + ' users' )
230+ logging .getLogger ().info ('fetched ' + str (len (users )) + ' users' + ' for domain : ' + domain_name )
222231 for user in users :
223232 user_ocid = user .ocid
224233 user_name = user .user_name
@@ -263,18 +272,28 @@ def handler(ctx, data: io.BytesIO=None):
263272 # get list of api keys for user
264273 list_api_keys_response = identity_domains_client .list_api_keys (filter = f'user.ocid eq \" { user_ocid } \" ' ).data
265274 for api_key in list_api_keys_response .resources :
266- BODY_HTML ,credential_check ,report_data = get_body_html (identity_domains_client ,BODY_HTML ,domain_name ,credential_check ,user_name ,user_email ,api_key ,api_key .fingerprint ,"api_key" ,cfg ,except_user ,report_data )
275+ BODY_HTML ,credential_check ,report_data = get_body_html (identity_domains_client ,BODY_HTML ,domain_name ,credential_check ,user_name ,user_email ,api_key ,api_key .fingerprint ,"api_key" ,cfg ,except_user ,report_data , enable_delete_on_expiry )
267276
268277 list_auth_tokens_response = identity_domains_client .list_auth_tokens (filter = f'user.ocid eq \" { user_ocid } \" ' ).data
269278 for auth_token in list_auth_tokens_response .resources :
270- BODY_HTML ,credential_check ,report_data = get_body_html (identity_domains_client ,BODY_HTML ,domain_name ,credential_check ,user_name ,user_email ,auth_token ,auth_token .description ,"auth_token" ,cfg ,except_user ,report_data )
279+ BODY_HTML ,credential_check ,report_data = get_body_html (identity_domains_client ,BODY_HTML ,domain_name ,credential_check ,user_name ,user_email ,auth_token ,auth_token .description ,"auth_token" ,cfg ,except_user ,report_data , enable_delete_on_expiry )
271280
272281 list_customer_secret_keys_response = identity_domains_client .list_customer_secret_keys (filter = f'user.ocid eq \" { user_ocid } \" ' ).data
273282 for csk in list_customer_secret_keys_response .resources :
274- BODY_HTML ,credential_check ,report_data = get_body_html (identity_domains_client ,BODY_HTML ,domain_name ,credential_check ,user_name ,user_email ,csk ,csk .access_key ,"customer_secret_key" ,cfg ,except_user ,report_data )
283+ BODY_HTML ,credential_check ,report_data = get_body_html (identity_domains_client ,BODY_HTML ,domain_name ,credential_check ,user_name ,user_email ,csk ,csk .access_key ,"customer_secret_key" ,cfg ,except_user ,report_data ,enable_delete_on_expiry )
284+
285+ password_info = identity_domains_client .search_users (
286+ user_search_request = oci .identity_domains .models .UserSearchRequest (
287+ schemas = ["urn:ietf:params:scim:api:messages:2.0:SearchRequest" ],
288+ attribute_sets = ["all" ],
289+ filter = f'ocid eq \" { user_ocid } \" '
290+ ),
291+ ).data .resources
292+ pswd_last_modified = password_info [0 ].urn_ietf_params_scim_schemas_oracle_idcs_extension_password_state_user .last_successful_set_date
293+ BODY_HTML , credential_check , report_data = get_body_html (identity_domains_client , BODY_HTML ,domain_name , credential_check , user_name , user_email , pswd_last_modified , "console_password" ,"console_password" , cfg , except_user ,report_data ,enable_delete_on_expiry )
275294
276- if credential_check :
277- logging .getLogger ().info ('all credentials for user ' + user_name + ' are healthy' )
295+ # if credential_check:
296+ # logging.getLogger().info('all credentials for user ' + user_name + ' are healthy')
278297
279298 if credential_check :
280299 continue
@@ -298,7 +317,7 @@ def handler(ctx, data: io.BytesIO=None):
298317 """
299318 #recipient = str(user_email).split(",")
300319 recipient = str (user_email )
301- logging .getLogger ().info ('sending email' )
320+ # logging.getLogger().info('sending email')
302321 send_email (SUBJECT ,secret_client ,cfg ,BODY_HTML ,"" ,recipient )
303322
304323 if report_requested :
@@ -325,4 +344,4 @@ def handler(ctx, data: io.BytesIO=None):
325344 except (Exception , ValueError ) as ex :
326345 logging .getLogger ().info ('error parsing json payload: ' + str (ex ))
327346
328- return response .Response (ctx , response_data = json .dumps ({"message" : "success" }),headers = {"Content-Type" : "application/json" })
347+ return response .Response (ctx , response_data = json .dumps ({"message" : "success" }),headers = {"Content-Type" : "application/json" })
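Review bot: The expiry branch at new line 166 logs `resource.id`, but on the console_password path added at lines 148–149 and 293 `resource` is the date string `pswd_last_modified`, so an expired password with deletion enabled and a user outside `except_user` raises AttributeError before the type dispatch, which in any case has no console_password arm. Guard the destructive block on the credential kind, e.g. `if enable_delete_on_expiry == "true" and type != "console_password":`, or log the user name instead of `resource.id` so the branch never touches an attribute the string lacks. Line 292 indexes `password_info[0]` and reads `last_successful_set_date` with no check; an empty search result, or a user whose password was never set (that attribute may be None — confirm against the SDK), would fail in strptime at line 149 and abort the whole domain loop. Line 197 reads `cfg['enable_delete_on_expiry']` without a default, so a missing key aborts the function; `cfg.get('enable_delete_on_expiry', 'false').lower()` keeps reporting working and fails closed on the deletion path. handler's body continues beyond this section.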