in tools/api-key-rotation/api_key_rotation_checker/main.py [0:0]
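def key_analysis(projects, rotation_period):
    """
    Performs our rotation analysis on the available API keys.

    For every project, lists its API keys through the apikeys.googleapis.com
    v1 endpoint, compares each key's creation time with the rotation cutoff
    and logs the keys in two groups: older than the rotation period
    (warning) and not older (info). Nothing is returned; the log is the
    report.

    Projects whose key listing cannot be retrieved are skipped with a
    warning, so that an unaudited project is not mistaken for one without
    keys.

    Args:
        projects - A list of GCP projects and their metadata
        rotation_period - The rotation period in days (default is 90)
    """
    logging.info(
        "Grabbing keys and performing analysis for a rotation periods of %s days.. \n",
        rotation_period)

    # Get the date x (default 90) days ago
    rotation_date = x_days_ago(rotation_period)

    # Generates an access token for our API requests
    access_token = create_token()

    # Send the token in the Authorization header, not the query string.
    # URLs are routinely recorded by proxies, HTTP client debug logging and
    # exception messages, so a token placed in the URL can leak there.
    auth_headers = {"Authorization": f"Bearer {access_token}"}

    # Serialized keys, split by whether they are past the rotation date
    keys_needing_rotation = []
    keys_not_needing_rotation = []

    for project in projects:
        project_id = project["projectId"]
        try:
            # An explicit timeout keeps one unresponsive call from
            # hanging the whole audit run.
            response = requests.get(
                f"https://apikeys.googleapis.com/v1/projects/{project_id}/apiKeys/",
                headers=auth_headers,
                timeout=30,
            )
        except exceptions.PermissionDenied:
            # NOTE(review): requests.get reports a denied call through the
            # HTTP status rather than this exception type; confirm which
            # `exceptions` module is imported and whether this branch can
            # still be reached.
            logging.warning(
                "Permission denied listing API keys for project %s; skipping.",
                project_id)
            continue

        # An error response (for example 403) carries no "keys" entry and
        # was previously indistinguishable from a project with no keys.
        if not response.ok:
            logging.warning(
                "Could not list API keys for project %s (HTTP %s); skipping.",
                project_id, response.status_code)
            continue

        apikeys = response.json()

        # If API keys exist, proceed
        if "keys" not in apikeys:
            continue

        # Each entry is a dictionary describing one API key
        for apikey in apikeys["keys"]:
            # Google removed the "createdBy" field, so only legacy keys
            # have it; newer keys are recorded with the string "None".
            # Only key metadata is passed on, so the serialized object
            # logged below is built from these five fields alone.
            key_object = ApiKey(
                apikey["keyId"],
                apikey["displayName"],
                apikey.get("createdBy", "None"),
                apikey["createTime"],
                project_id)

            # We need to convert our creation time for comparison
            converted_creation_date = time_convert(key_object)

            logging.info(
                "Checking API key: %s creation date.. \n", key_object.key_id)

            # Convert to JSON for logging
            key_object_json = key_object.to_json()

            # compare_dates decides whether the key is older than the
            # rotation cutoff (default 90 days)
            if compare_dates(converted_creation_date, rotation_date):
                keys_needing_rotation.append(key_object_json)
            else:
                keys_not_needing_rotation.append(key_object_json)

    # Format our API keys, one serialized key per line
    rotation_report = "\n".join(keys_needing_rotation)
    current_report = "\n".join(keys_not_needing_rotation)

    # Once analysis is complete for all keys, log results
    if rotation_report:
        logging.warning(
            "Found API keys older than %s days. Please rotate: \n%s \n",
            rotation_period, rotation_report)
    if current_report:
        logging.info(
            "The following API key(s) are not older than %s days: \n%s",
            rotation_period, current_report)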