mozilla · g-k · Jan 31, 2018 · Jan 31, 2018 · g-k · Jan 31, 2018
diff --git a/aws/client.py b/aws/client.py
@@ -114,7 +114,6 @@ def get_aws_resource(service_name,
                                      kwargs=call_kwargs)
         ckey = cache_key(call)
 
-
         if debug_calls:
             print('calling', call)
 

diff --git a/aws/ec2/helpers.py b/aws/ec2/helpers.py
@@ -60,6 +60,7 @@ def ip_permission_cidr_allows_all_ips(ipp):
 
     return False
 
+
 def ip_permission_grants_access_to_group_with_id(ipp, security_group_id):
     """
     Returns True if an EC2 security group IP permission opens access to
@@ -144,7 +145,7 @@ def ec2_security_group_opens_all_ports_to_self(ec2_security_group):
 
     for ipp in ec2_security_group['IpPermissions']:
         if ip_permission_opens_all_ports(ipp) and \
-            ip_permission_grants_access_to_group_with_id(ipp, self_group_id):
+              ip_permission_grants_access_to_group_with_id(ipp, self_group_id):
             return True
 
     return False

diff --git a/aws/ec2/resources.py b/aws/ec2/resources.py
@@ -6,29 +6,31 @@
 def ec2_instances():
     "http://botocore.readthedocs.io/en/latest/reference/services/ec2.html#EC2.Client.describe_instances"
     # Note: extracting Reservations.Instances drops EC2-Classic Groups at Reservations.Groups
-    return botocore_client\
-      .get('ec2', 'describe_instances', [], {})\
-      .extract_key('Reservations')\
-      .flatten()\
-      .extract_key('Instances')\
-      .flatten()\
-      .values()
+    return botocore_client.get(
+        'ec2', 'describe_instances', [], {})\
+        .extract_key('Reservations')\
+        .flatten()\
+        .extract_key('Instances')\
+        .flatten()\
+        .values()
+
 
 def ec2_security_groups():
     "http://botocore.readthedocs.io/en/latest/reference/services/ec2.html#EC2.Client.describe_security_groups"
-    return botocore_client\
-      .get('ec2', 'describe_security_groups', [], {})\
-      .extract_key('SecurityGroups')\
-      .flatten()\
-      .values()
+    return botocore_client.get(
+        'ec2', 'describe_security_groups', [], {})\
+        .extract_key('SecurityGroups')\
+        .flatten()\
+        .values()
+
 
 def ec2_ebs_volumes():
     "http://botocore.readthedocs.io/en/latest/reference/services/ec2.html#EC2.Client.describe_volumes"
-    return botocore_client\
-      .get('ec2', 'describe_volumes', [], {})\
-      .extract_key('Volumes')\
-      .flatten()\
-      .values()
+    return botocore_client.get(
+        'ec2', 'describe_volumes', [], {})\
+        .extract_key('Volumes')\
+        .flatten()\
+        .values()
 
 
 def ec2_security_groups_with_in_use_flag():

diff --git a/aws/ec2/test_ec2_instance_has_required_tags.py b/aws/ec2/test_ec2_instance_has_required_tags.py
@@ -4,6 +4,7 @@
 from aws.ec2.resources import ec2_instances
 from conftest import parse_opt
 
+
 @pytest.fixture
 def required_tag_names(pytestconfig):
     return frozenset(parse_opt(pytestconfig.getoption('--aws-require-tags')))
@@ -34,5 +35,5 @@ def test_ec2_instance_has_required_tags(ec2_instance, required_tag_names):
 
     # set difference to find required tags not on instance
     missing_tag_names = required_tag_names - instance_tag_names
-    assert not missing_tag_names, \
-      "EC2 Instance {0[InstanceId]} missing required tags {1!r}".format(ec2_instance, missing_tag_names)
+    assert not missing_tag_names, "EC2 Instance {0[InstanceId]} missing required tags {1!r}".format(
+          ec2_instance, missing_tag_names)
diff --git a/aws/ec2/test_ec2_security_group_in_use.py b/aws/ec2/test_ec2_security_group_in_use.py
@@ -1,7 +1,7 @@
 import pytest
 
-from aws.ec2.resources import \
-    ec2_security_groups_with_in_use_flag
+from aws.ec2.resources import ec2_security_groups_with_in_use_flag
+
 
 @pytest.mark.ec2
 @pytest.mark.parametrize('ec2_security_group',

diff --git a/aws/iam/resources.py b/aws/iam/resources.py
@@ -1,59 +1,66 @@
 from conftest import botocore_client
 
+
 def iam_users():
     "http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_users"
-    return botocore_client\
-      .get('iam', 'list_users', [], {})\
-      .extract_key('Users')\
-      .flatten()\
-      .values()
+    return botocore_client.get(
+        'iam', 'list_users', [], {})\
+        .extract_key('Users')\
+        .flatten()\
+        .values()
+
 
 def iam_inline_policies(username):
     "http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_user_policies"
-    return botocore_client\
-      .get('iam', 'list_user_policies', [], {'UserName': username})\
-      .extract_key('PolicyNames')\
-      .flatten()\
-      .values()
+    return botocore_client.get(
+        'iam', 'list_user_policies', [], {'UserName': username})\
+        .extract_key('PolicyNames')\
+        .flatten()\
+        .values()
+
 
 def iam_managed_policies(username):
     "http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_attached_user_policies"
-    return botocore_client\
-      .get('iam', 'list_attached_user_policies', [], {'UserName': username})\
-      .extract_key('AttachedPolicies')\
-      .flatten()\
-      .values()
+    return botocore_client.get(
+        'iam', 'list_attached_user_policies', [], {'UserName': username})\
+        .extract_key('AttachedPolicies')\
+        .flatten()\
+        .values()
+
 
 def iam_user_groups(username):
     "http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_groups_for_user"
-    return botocore_client\
-      .get('iam', 'list_groups_for_user', [], {'UserName': username})\
-      .extract_key('Groups')\
-      .flatten()\
-      .values()
+    return botocore_client.get(
+        'iam', 'list_groups_for_user', [], {'UserName': username})\
+        .extract_key('Groups')\
+        .flatten()\
+        .values()
+
 
 def iam_user_group_inline_policies(username):
     "http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_group_policies"
     return [
-        botocore_client\
-        .get('iam', 'list_group_policies', [], {'GroupName': group['GroupName']})\
-        .extract_key('PolicyNames')\
-        .flatten()\
+        botocore_client
+        .get('iam', 'list_group_policies', [], {'GroupName': group['GroupName']})
+        .extract_key('PolicyNames')
+        .flatten()
         .values()
         for group in iam_user_groups(username)
     ]
 
+
 def iam_user_group_managed_policies(username):
     "http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_attached_group_policies"
     return [
-        botocore_client\
-        .get('iam', 'list_attached_group_policies', [], {'GroupName': group['GroupName']})\
-        .extract_key('AttachedPolicies')\
-        .flatten()\
+        botocore_client
+        .get('iam', 'list_attached_group_policies', [], {'GroupName': group['GroupName']})
+        .extract_key('AttachedPolicies')
+        .flatten()
         .values()
         for group in iam_user_groups(username)
     ]
 
+
 def iam_all_user_policies(username):
     '''
     Gets all policies that can be attached to a user. This includes:
@@ -80,6 +87,7 @@ def iam_all_user_policies(username):
 
     return inline + managed
 
+
 def iam_users_with_policies():
     return [
         {
@@ -88,49 +96,56 @@ def iam_users_with_policies():
         } for user in iam_users()
     ]
 
+
 def iam_admin_login_profiles():
     "http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.get_login_profile"
     return iam_login_profiles([user for user in iam_users_with_policies() if user_is_admin(user)])
 
+
 def iam_admin_mfa_devices():
     "botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_mfa_devices"
     return iam_mfa_devices([user for user in iam_users_with_policies() if user_is_admin(user)])
 
+
 def iam_user_login_profiles():
     "http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.get_login_profile"
     return iam_login_profiles([user for user in iam_users()])
 
+
 def iam_user_mfa_devices():
     "botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_mfa_devices"
     return iam_mfa_devices([user for user in iam_users()])
 
+
 def iam_login_profiles(users):
     "http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.get_login_profile"
     return [
-        botocore_client\
+        botocore_client
         .get('iam',
              'get_login_profile',
              [],
              {'UserName': user['UserName']},
-             result_from_error=lambda error, call: {'LoginProfile': None})\
-        .extract_key('LoginProfile')\
+             result_from_error=lambda error, call: {'LoginProfile': None})
+        .extract_key('LoginProfile')
         .values()[0]
         for user in users
     ]
 
+
 def iam_mfa_devices(users):
     "botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_mfa_devices"
     return [
-        botocore_client\
+        botocore_client
         .get('iam',
              'list_mfa_devices',
              [],
-             {'UserName': user['UserName']})\
-        .extract_key('MFADevices')\
+             {'UserName': user['UserName']})
+        .extract_key('MFADevices')
         .values()[0]
         for user in users
     ]
 
+
 # FIXME
 # Substring matching is _not_ enough of a check, but works for testing.
 # The truth is that we probably shouldn't depend too much on the concept

diff --git a/aws/iam/test_iam_admin_user_without_mfa.py b/aws/iam/test_iam_admin_user_without_mfa.py
@@ -5,6 +5,7 @@
     iam_admin_mfa_devices,
 )
 
+
 @pytest.mark.iam
 @pytest.mark.parametrize(
         ['iam_login_profile', 'iam_user_mfa_devices'],

diff --git a/aws/rds/helpers.py b/aws/rds/helpers.py
@@ -30,15 +30,17 @@ def is_rds_db_snapshot_attr_public_access(rds_db_snapshot_attribute):
     ...
     TypeError: 'NoneType' object is not subscriptable
     """
-    return rds_db_snapshot_attribute['AttributeName'] == 'restore' \
-      and 'any' in rds_db_snapshot_attribute['AttributeValues']
+    return rds_db_snapshot_attribute['AttributeName'] == 'restore' and \
+        'any' in rds_db_snapshot_attribute['AttributeValues']
 
 
 def does_rds_db_security_group_grant_public_access(sg):
     """
     Checks an RDS instance for a DB security group with CIDRIP 0.0.0.0/0
 
-    >>> does_rds_db_security_group_grant_public_access({"IPRanges": [{"CIDRIP": "127.0.0.1/32", "Status": "authorized"}, {"CIDRIP": "0.0.0.0/0", "Status": "authorized"}]})
+    >>> does_rds_db_security_group_grant_public_access(
+    ... {"IPRanges": [{"CIDRIP": "127.0.0.1/32", "Status": "authorized"},
+    ... {"CIDRIP": "0.0.0.0/0", "Status": "authorized"}]})
     True
     >>> does_rds_db_security_group_grant_public_access({"IPRanges": []})
     False
@@ -50,15 +52,19 @@ def does_vpc_security_group_grant_public_access(sg):
     """
     Checks an RDS instance for a VPC security groups with ingress permission ipv4 range 0.0.0.0/0 or ipv6 range :::/0
 
-    >>> does_vpc_security_group_grant_public_access({'IpPermissions': [{'Ipv6Ranges': [], 'IpRanges': [{'CidrIp': '0.0.0.0/0'}]}]})
+    >>> does_vpc_security_group_grant_public_access(
+    ... {'IpPermissions': [{'Ipv6Ranges': [], 'IpRanges': [{'CidrIp': '0.0.0.0/0'}]}]})
     True
-    >>> does_vpc_security_group_grant_public_access({'IpPermissions': [{'Ipv6Ranges': [], 'IpRanges': []}]})
+    >>> does_vpc_security_group_grant_public_access(
+    ... {'IpPermissions': [{'Ipv6Ranges': [], 'IpRanges': []}]})
     False
-    >>> does_vpc_security_group_grant_public_access({'IpPermissions': [{'Ipv6Ranges': [], 'IpRanges': [{'CidrIp': '192.168.1.0/0'}]}]})
+    >>> does_vpc_security_group_grant_public_access(
+    ... {'IpPermissions': [{'Ipv6Ranges': [], 'IpRanges': [{'CidrIp': '192.168.1.0/0'}]}]})
     False
     """
-    return any(ipr['CidrIp'] == '::/0' for ipp in sg['IpPermissions'] for ipr in ipp['Ipv6Ranges']) or \
-      any(ipr['CidrIp'] == '0.0.0.0/0' for ipp in sg['IpPermissions'] for ipr in ipp['IpRanges'])
+    public_ipv4 = any(ipr['CidrIp'] == '0.0.0.0/0' for ipp in sg['IpPermissions'] for ipr in ipp['IpRanges'])
+    public_ipv6 = any(ipr['CidrIpv6'] == '::/0' for ipp in sg['IpPermissions'] for ipr in ipp['Ipv6Ranges'])
+    return public_ipv4 or public_ipv6
 
 
 def is_rds_db_instance_encrypted(rds_db_instance):