simonrob · simonrob · Mar 9, 2023 · Dec 5, 2022 · Dec 5, 2022 · Dec 5, 2022
diff --git a/emailproxy.py b/emailproxy.py
@@ -292,6 +292,10 @@ def _load():
             AppConfig._GLOBALS = configparser.SectionProxy(AppConfig._PARSER, APP_SHORT_NAME)
         AppConfig._SERVERS = [s for s in config_sections if CONFIG_SERVER_MATCHER.match(s)]
         AppConfig._ACCOUNTS = [s for s in config_sections if '@' in s]
+
+        if AppConfig.aws_secrets_accounts():
+            AppConfig.aws_secrets_fetch()
+
         AppConfig._LOADED = True
 
     @staticmethod
@@ -337,9 +341,141 @@ def add_account(username):
     @staticmethod
     def save():
         if AppConfig._LOADED:
+            if AppConfig.aws_secrets_accounts():
+                config_to_write = AppConfig.aws_secrets_save()
+            else:
+                config_to_write = AppConfig._PARSER
+
             with open(CONFIG_FILE_PATH, mode='w', encoding='utf-8') as config_output:
-                AppConfig._PARSER.write(config_output)
+                config_to_write.write(config_output)
+
+    @staticmethod
+    def aws_secrets_accounts():
+        return [a for a in AppConfig._ACCOUNTS if 'aws_secret' in AppConfig._PARSER[a]]
+
+    @staticmethod
+    def aws_secrets_ids():
+        return dict.fromkeys([AppConfig._PARSER[account]['aws_secret'] for account in AppConfig.aws_secrets_accounts()], {})
+
+    @staticmethod
+    def aws_secrets_boto3client():
+        try:
+            # Load dependencies and create client
+            global boto3
+            import boto3
+            global botocore
+            import botocore.exceptions
+            aws_client = boto3.client('secretsmanager')
+        except Exception as e:
+            Log.error('Failed to load AWS SDK - "aws_secret" is specified in config file for some accounts, have you installed requirements-aws-secrets.txt?')
+            Log.debug(Log.error_string(e))
+            return
+        else:
+            return aws_client
+
+    @staticmethod
+    def aws_secrets_debuglog_boto3error(err):
+        Log.debug(err.response.get("Error", {}).get("Code") + ":",
+                  err.response.get("Error", {}).get("Message"))
+
+    @staticmethod
+    def aws_secrets_fetch():
+        aws_client = AppConfig.aws_secrets_boto3client()
+        if aws_client:
+            # Create dict of AWS Secret IDs across all accounts
+            aws_secrets = AppConfig.aws_secrets_ids()
+
+            # Download AWS Secrets
+            for secret_id in aws_secrets:
+                try:
+                    get_secret_value_response = aws_client.get_secret_value(SecretId=secret_id)
+                except botocore.exceptions.ClientError as err_getsecret:
+                    if err_getsecret.response['Error']['Code'] == 'ResourceNotFoundException':
+                        Log.info('Fetching AWS Secret "%s" - secret does not exist or does not contain a secret value' % (secret_id))
+                    elif err_getsecret.response['Error']['Code'] == 'AccessDeniedException':
+                        Log.error('Fetching AWS Secret "%s" - access denied, does IAM user have "secretsmanager:GetSecretValue" permissions?' % (secret_id))
+                    else:
+                        Log.error('Fetching AWS Secret "%s" - unexpected error, see debug logs for details' % (secret_id))
+                    AppConfig.aws_secrets_debuglog_boto3error(err_getsecret)
+                else:
+                    aws_secrets[secret_id] = json.loads(get_secret_value_response['SecretString'])
+
+            # Update local config in memory
+            for account in AppConfig.aws_secrets_accounts():
+                if account in aws_secrets[AppConfig._PARSER[account]['aws_secret']]:
+                    for key in ['token_salt','access_token','access_token_expiry','refresh_token']:
+                        AppConfig._PARSER.set(account, key, aws_secrets[AppConfig._PARSER[account]['aws_secret']][account][key])
+        else:
+            Log.error('Failed to fetch OAuth 2.0 tokens from AWS Secrets Manager')
+
+    @staticmethod
+    def aws_secrets_save():
+        # Create deep copy of config, which will not contain OAuth 2.0 tokens
+        appconfig_to_save = configparser.ConfigParser()
+        appconfig_to_save.read_dict(AppConfig._PARSER)
+
+        # Create dict of AWS Secret IDs across all accounts
+        aws_secrets = AppConfig.aws_secrets_ids()
+
+        # Populate dict with OAuth 2.0 tokens from each account, removing those tokens from config to be saved
+        TOKEN_KEYS = ['token_salt','access_token','access_token_expiry','refresh_token']
+        for account in AppConfig.aws_secrets_accounts():
+            aws_secrets[appconfig_to_save[account]['aws_secret']][account] = { key : appconfig_to_save[account][key] for key in TOKEN_KEYS }
+            for key in TOKEN_KEYS:
+                appconfig_to_save.remove_option(account, key)
+
+        # Update AWS Secrets
+        aws_client = AppConfig.aws_secrets_boto3client()
+        if aws_client:
+            for secret_id in aws_secrets:
+                try:
+                    aws_client.put_secret_value(
+                        SecretId=secret_id,
+                        SecretString=json.dumps(aws_secrets[secret_id]),
+                    )
+                except botocore.exceptions.ClientError as err_putsecret:
+                    if err_putsecret.response['Error']['Code'] == 'ResourceNotFoundException':
+                        if secret_id.startswith('arn:'):
+                            Log.error('Failed to store OAuth 2.0 tokens in AWS Secret "%s" - secret does not exist, cannot create a secret with a specific ARN'  % (secret_id))
+                            AppConfig.aws_secrets_debuglog_boto3error(err_putsecret)
+                        else:
+                            Log.error('AWS Secret "%s" does not exist - attempting to create it'  % (secret_id))
+                            AppConfig.aws_secrets_debuglog_boto3error(err_putsecret)
+                            try:
+                                aws_client.create_secret(
+                                    Name=secret_id,
+                                    ForceOverwriteReplicaSecret=False
+                                )
+                            except botocore.exceptions.ClientError as err_createsecret:
+                                if err_createsecret.response['Error']['Code'] == 'AccessDeniedException':
+                                    Log.error('Failed to store OAuth 2.0 tokens in AWS Secret "%s" - access denied in attempt to create it. does your IAM user have "secretsmanager:CreateSecret" permissions?'  % (secret_id))
+                                else:
+                                    Log.error('Failed to store OAuth 2.0 tokens in AWS Secret "%s" - attempt to create it failed with unexpected error, see debug logs for details')
+                                AppConfig.aws_secrets_debuglog_boto3error(err_createsecret)
+                            else:
+                                Log.info('Created AWS Secret "%s"' % (secret_id))
+                                try:
+                                    aws_client.put_secret_value(
+                                        SecretId=secret_id,
+                                        SecretString=json.dumps(aws_secrets[secret_id]),
+                                    )
+                                except botocore.exceptions.ClientError as err_putsecret_aftercreate:
+                                    if err_putsecret_aftercreate.response['Error']['Code'] == 'AccessDeniedException':
+                                        Log.error('Failed to store OAuth 2.0 tokens in AWS Secret "%s" - access denied, does IAM user have "secretsmanager:PutSecretValue" permissions?' % (secret_id))
+                                    else:
+                                        Log.error('Failed to store OAuth 2.0 tokens in AWS Secret "%s" - unexpected error, see debug logs for details')
+                                    AppConfig.aws_secrets_debuglog_boto3error(err_putsecret_aftercreate)
+                    elif err_putsecret.response['Error']['Code'] == 'AccessDeniedException':
+                        Log.error('Failed to store OAuth tokens in AWS Secret "%s" - access denied, does IAM user have "secretsmanager:PutSecretValue" permissions?' % (secret_id))
+                        AppConfig.aws_secrets_debuglog_boto3error(err_putsecret)
+                    else:
+                        Log.error('Failed to store OAuth tokens in AWS Secret "%s" - unexpected error, see debug logs for details' % (secret_id))
+                        AppConfig.aws_secrets_debuglog_boto3error(err_putsecret)
+        else:
+            Log.error('Failed to store OAuth 2.0 tokens in AWS Secrets Manager')
 
+        # Return copy of config without OAuth 2.0 tokens to write to disk
+        return appconfig_to_save
 
 class OAuth2Helper:
     @staticmethod

diff --git a/requirements-aws-secrets.txt b/requirements-aws-secrets.txt
@@ -0,0 +1,22 @@
+# This file contains the requirements to store OAuth 2.0 tokens remotely in
+# [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/), rather than
+# storing them in the local configuration file.
+# 
+# - This will only be applied to accounts which have an `aws_secret` parameter
+#   configured in the local configuration file, containing the ARN or name of
+#   the secret.
+#
+# - To use AWS Secrets Manager you must also set up authentication credentials for your AWS account:
+#   https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html#configuration
+#
+#     - The minimal required permissions for each AWS Secret used are:
+#         "secretsmanager:GetSecretValue"
+#         "secretsmanager:PutSecretValue"
+#
+#     - If an AWS Secret does not yet exist, the following permissions are also required:
+#         "secretsmanager:CreateSecret"
+
+boto3
+
+# include core requirements (separated in order to support usage without GUI-only dependencies)
+-r requirements-no-gui.txt