in force_user_mfa/ForceUserMFA.py [0:0]
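def lambda_handler(event, context):
    """Enrol a newly created IAM user in virtual MFA and hand the seed back.

    Presumably invoked on an IAM user-creation event (the exact event shape
    is whatever ``create_log_data`` expects; it is not visible here). Flow:

    1. ``check_approved`` decides whether the creating principal may create
       users. If not, and the module-level ``deleteOnFail`` flag is ``True``,
       the new user is deleted and the invocation ends; otherwise a warning
       is printed and enrolment continues.
    2. ``create_virtual_mfa`` creates the device; ``enable_mfa`` is retried
       with a growing back-off (sleep of 1, 2, ... seconds, nine attempts
       at most). Any failure aborts via ``_abort_token_creation``.
    3. The seed is encrypted (``encrypt_string``), delivered (``send_seed``),
       optionally a password is generated (``createPassword``), and the seed
       is stored through ``store_mfa`` so the user can fetch it from
       Parameter Store. ``log_event`` records the run when ``logActions``
       is ``True``.

    The plaintext seed (``Base32StringSeed``) is a TOTP secret: it is kept
    in a local, never printed, and only its encrypted form is placed in
    ``logdata`` (which ``log_event`` receives).

    Args:
        event: Lambda event payload, passed straight to ``create_log_data``.
        context: Lambda context object; unused by this handler.

    Returns:
        int: ``0`` on success. Failure paths end the invocation with
        ``sys.exit()`` (i.e. raise ``SystemExit``) rather than returning.
    """
    logdata = create_log_data(event)
    new_user = logdata['newUserName']

    # Verify if user is approved to create new IAM users.
    approved = check_approved(logdata['userName'], logdata['userArn'])
    if approved is False:
        if deleteOnFail is True:
            _delete_new_user(logdata)
            print("IAM user {0} not allowed to create users.\nUser {1} deleted.".format(
                logdata['userName'], new_user))
            sys.exit()
        # NOTE(review): with deleteOnFail off the handler deliberately keeps
        # going and still enrols the unauthorised user's new account in MFA.
        # Confirm this fall-through is intended rather than a missing exit.
        print("IAM user {0} not allowed to create users.\nUser {1} not deleted.".format(
            logdata['userName'], new_user))

    # Create virtual MFA and make sure the response actually carries a device.
    # (The original tested ``"SerialNumber" in str(mfa)``, which also matched
    # an error message containing that word and then KeyError'd on the lookup.)
    mfa = create_virtual_mfa(new_user, logdata['newUserArn'])
    device = mfa.get('VirtualMFADevice', {}) if isinstance(mfa, dict) else {}
    if 'SerialNumber' not in device or 'Base32StringSeed' not in device:
        _abort_token_creation(logdata)

    logdata['serialNumber'] = device['SerialNumber']
    seed = device['Base32StringSeed']  # plaintext TOTP secret -- do not log

    # Enable the device, backing off between attempts. Same budget as the
    # original counter (nine attempts, 45 s of sleep in total), but a success
    # on the last attempt is now honoured (the original treated it as a
    # failure because it checked the counter before the result) and no sleep
    # follows a successful call.
    max_attempts = 9
    for attempt in range(1, max_attempts + 1):
        if enable_mfa(new_user, logdata['serialNumber'], seed) == "Success":
            break
        time.sleep(attempt)
    else:
        print("MFA Creation failed, aborting")
        _abort_token_creation(logdata)
    print("Seed created")

    # Encrypt the seed using a KMS CMK alias MFAUser (inside encrypt_string).
    encryptedSeed = encrypt_string(seed)
    # Send seed number to user to allow adding it to tokens; can use QR but
    # easier tracking with text.
    send_seed(encryptedSeed)
    # Only the encrypted form goes into logdata, which is later logged.
    logdata['encryptedSeed'] = str(encryptedSeed)

    # Set randomized password if module is enabled.
    if createPassword:
        # Fixed: the original read ``logData[userName]`` -- both names are
        # undefined, so every run with createPassword set raised NameError.
        # NOTE(review): the new user is assumed to be the account receiving
        # the password (everything else here targets newUserName); confirm
        # against generate_password.
        logdata['encryptedPass'] = generate_password(new_user)

    # Store seed in parameter store for user to fetch. store_mfa receives the
    # plaintext seed; whether it is written as a SecureString is decided there.
    store_mfa(new_user, seed, logdata['region'], logdata['account'])

    # Logging (return value of log_event is not used here).
    if logActions is True:
        log_event(logdata)

    print("MFA Created for user {0}. Users can retrieve the seed themselves "
          "from Parameter Store using:".format(new_user))
    print("aws ssm get-parameters --names mfa-{0} --with-decryption --region {1}".format(
        new_user, logdata['region']))
    return 0


def _delete_new_user(logdata):
    """Delete the freshly created IAM user via the module-level ``deleteUser``.

    Passes ``logdata['serialNumber']`` as the original code did. On the
    paths where no MFA device was created this key has not been assigned by
    the handler, so it is assumed ``create_log_data`` pre-populates it --
    NOTE(review): confirm, otherwise this raises KeyError before deletion.
    """
    deleteUser(logdata['newUserName'], logdata['serialNumber'])


def _abort_token_creation(logdata):
    """Roll back (when configured) and terminate after MFA enrolment fails.

    Honours the module-level ``deleteOnFail`` flag exactly as the inline
    code did: the new user is removed only when the flag is literally
    ``True``. Never returns -- ends the invocation with ``sys.exit()``.
    """
    if deleteOnFail is True:
        _delete_new_user(logdata)
        print("Token creation failed, aborting.\nUser {0} deleted.".format(
            logdata['newUserName']))
    else:
        print("Token creation failed, aborting.\nUser {0} not deleted.".format(
            logdata['newUserName']))
    sys.exit()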