def disableOutdatedCredentials()

in hq/app/services/IamRemediationService.scala [49:82]


  /**
   * Runs the "disable outdated credentials" job: finds IAM users whose credentials are
   * outdated, reconciles them against previously recorded remediation activity, and executes
   * the resulting access-key operations -- but only on AWS accounts this stage is allowed to
   * modify. The outcome (success or failure) is logged before the result is discarded.
   *
   * @param ec execution context used to sequence the asynchronous steps
   * @return an [[Attempt]] completing with Unit once the job has finished or failed
   */
  def disableOutdatedCredentials()(implicit ec: ExecutionContext): Attempt[Unit] = {
    // One timestamp shared by every step, so "outdated" and "outstanding" are judged at the same instant.
    val jobStartedAt = new DateTime()
    val jobOutcome = for {
      // Configuration the job cannot run without; a failure here aborts before any data is read.
      topicArn <- getAnghammaradSNSTopicArn(config)
      dynamoTable <- getIamDynamoTableName(config)
      serviceAccounts <- getAccountsForIamRemediationService(config)
      // Allow-list of AWS accounts this stage may change -- the safety boundary for the whole job.
      modifiableAccounts <- getAllowedAccountsForStage(config)
      // Credentials reports are read from the application cache rather than a live AWS call.
      cachedCredentials = cacheService.getAllCredentials
      credReportsByAccount = getCredsReportDisplayForAccount(cachedCredentials)
      // Per-account users whose credentials are outdated relative to jobStartedAt.
      outdatedUsers = identifyAllUsersWithOutdatedCredentials(credReportsByAccount, jobStartedAt)
      // Previous SHQ activity for each candidate, looked up in DynamoDB.
      candidatesWithHistory <- lookupActivityHistory(outdatedUsers, dynamo, dynamoTable)
      // Candidates that still need an access-key operation, given their history.
      pendingOperations = calculateOutstandingAccessKeyOperations(candidatesWithHistory, jobStartedAt)
      // Split by the allow-list so that only eligible accounts are acted on.
      partitioned = partitionOperationsByAllowedAccounts(pendingOperations, modifiableAccounts, serviceAccounts)
      // Operations on non-allowed accounts never reach performRemediationOperation; they go to
      // dummyOperation instead (presumably a log-only path -- confirm against its definition).
      _ = partitioned.operationsOnAccountsThatAreNotAllowed.foreach(dummyOperation)
      // Execute the permitted operations.
      operationIds <- Attempt.traverse(partitioned.allowedOperations)(performRemediationOperation(_, jobStartedAt, topicArn, dynamoTable))
    } yield operationIds
    val logged = jobOutcome.tap {
      case Left(failedAttempt) =>
        // Pass the first underlying exception (null when absent) so the stack trace reaches the log.
        logger.error(
          s"Failure during 'disable outdated credentials' job: ${failedAttempt.logMessage}",
          failedAttempt.firstException.orNull
        )
      case Right(operationIds) =>
        logger.info(s"Successfully completed 'disable outdated credentials' job, with ${operationIds.length} operations")
    }
    logged.unit
  }