Add SSL connection related error logs

Author: JoeJesse

SecretsManagerMongoDBRotationMultiUser/lambda_function.py

@@ -1,6 +1,7 @@
 # Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: MIT-0
 
+import re
 import boto3
 import json
 import logging
@@ -380,8 +381,13 @@ def connect_and_authenticate(secret_dict, port, dbname, use_ssl):
         client = MongoClient(host=secret_dict['host'], port=port, connectTimeoutMS=5000, serverSelectionTimeoutMS=5000, ssl=use_ssl)
         db = client[dbname]
         db.authenticate(secret_dict['username'], secret_dict['password'])
+        logger.info("Successfully established %s connection as user '%s' with host: '%s'" % ("SSL/TLS" if use_ssl else "non SSL/TLS", secret_dict['username'], secret_dict['host']))
         return db
-    except errors.PyMongoError:
+    except errors.PyMongoError as e:
+        if 'SSL handshake failed' in e.args[0]:
+            logger.error("Unable to establish SSL/TLS handshake, check that SSL/TLS is enabled on the host: %s" % secret_dict['host'])
+        elif re.search("hostname '.+' doesn't match", e.args[0]):
+            logger.error("Hostname verification failed when estlablishing SSL/TLS Handshake with host: %s" % secret_dict['host'])
         return None
 
 

SecretsManagerMongoDBRotationSingleUser/lambda_function.py

@@ -1,6 +1,7 @@
 # Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: MIT-0
 
+import re
 import boto3
 import json
 import logging
@@ -374,8 +375,13 @@ def connect_and_authenticate(secret_dict, port, dbname, use_ssl):
         client = MongoClient(host=secret_dict['host'], port=port, connectTimeoutMS=5000, serverSelectionTimeoutMS=5000, ssl=use_ssl)
         db = client[dbname]
         db.authenticate(secret_dict['username'], secret_dict['password'])
+        logger.info("Successfully established %s connection as user '%s' with host: '%s'" % ("SSL/TLS" if use_ssl else "non SSL/TLS", secret_dict['username'], secret_dict['host']))
         return db
-    except errors.PyMongoError:
+    except errors.PyMongoError as e:
+        if 'SSL handshake failed' in e.args[0]:
+            logger.error("Unable to establish SSL/TLS handshake, check that SSL/TLS is enabled on the host: %s" % secret_dict['host'])
+        elif re.search("hostname '.+' doesn't match", e.args[0]):
+            logger.error("Hostname verification failed when estlablishing SSL/TLS Handshake with host: %s" % secret_dict['host'])
         return None
 
 

SecretsManagerRDSMariaDBRotationMultiUser/lambda_function.py

@@ -396,8 +396,11 @@ def connect_and_authenticate(secret_dict, port, dbname, use_ssl):
     try:
         # Checks hostname and verifies server certificate implictly when 'ca' key is in 'ssl' dictionary
         conn = pymysql.connect(secret_dict['host'], user=secret_dict['username'], passwd=secret_dict['password'], port=port, db=dbname, connect_timeout=5, ssl=ssl)
+        logger.info("Successfully established %s connection as user '%s' with host: '%s'" % ("SSL/TLS" if use_ssl else "non SSL/TLS", secret_dict['username'], secret_dict['host']))
         return conn
-    except pymysql.OperationalError:
+    except pymysql.OperationalError as e:
+        if 'certificate verify failed: IP address mismatch' in e.args[1]:
+            logger.error("Hostname verification failed when estlablishing SSL/TLS Handshake with host: %s" % secret_dict['host'])
         return None
 
 
@@ -496,7 +499,7 @@ def is_rds_replica_database(replica_dict, master_dict):
     try:
         describe_response = rds_client.describe_db_instances(DBInstanceIdentifier=replica_instance_id)
     except Exception as err:
-        logger.warn("Encountered error while verifying rds replica status: %s" % err)
+        logger.warning("Encountered error while verifying rds replica status: %s" % err)
         return False
     instances = describe_response['DBInstances']
 

SecretsManagerRDSMariaDBRotationSingleUser/lambda_function.py

@@ -373,8 +373,11 @@ def connect_and_authenticate(secret_dict, port, dbname, use_ssl):
     try:
         # Checks hostname and verifies server certificate implictly when 'ca' key is in 'ssl' dictionary
         conn = pymysql.connect(secret_dict['host'], user=secret_dict['username'], passwd=secret_dict['password'], port=port, db=dbname, connect_timeout=5, ssl=ssl)
+        logger.info("Successfully established %s connection as user '%s' with host: '%s'" % ("SSL/TLS" if use_ssl else "non SSL/TLS", secret_dict['username'], secret_dict['host']))
         return conn
-    except pymysql.OperationalError:
+    except pymysql.OperationalError as e:
+        if 'certificate verify failed: IP address mismatch' in e.args[1]:
+            logger.error("Hostname verification failed when estlablishing SSL/TLS Handshake with host: %s" % secret_dict['host'])
         return None
 
 

SecretsManagerRDSMySQLRotationMultiUser/lambda_function.py

@@ -408,8 +408,11 @@ def connect_and_authenticate(secret_dict, port, dbname, use_ssl):
     try:
         # Checks hostname and verifies server certificate implictly when 'ca' key is in 'ssl' dictionary
         conn = pymysql.connect(secret_dict['host'], user=secret_dict['username'], passwd=secret_dict['password'], port=port, db=dbname, connect_timeout=5, ssl=ssl)
+        logger.info("Successfully established %s connection as user '%s' with host: '%s'" % ("SSL/TLS" if use_ssl else "non SSL/TLS", secret_dict['username'], secret_dict['host']))
         return conn
-    except pymysql.OperationalError:
+    except pymysql.OperationalError as e:
+        if 'certificate verify failed: IP address mismatch' in e.args[1]:
+            logger.error("Hostname verification failed when estlablishing SSL/TLS Handshake with host: %s" % secret_dict['host'])
         return None
 
 
@@ -546,7 +549,7 @@ def is_rds_replica_database(replica_dict, master_dict):
     try:
         describe_response = rds_client.describe_db_instances(DBInstanceIdentifier=replica_instance_id)
     except Exception as err:
-        logger.warn("Encountered error while verifying rds replica status: %s" % err)
+        logger.warning("Encountered error while verifying rds replica status: %s" % err)
         return False
     instances = describe_response['DBInstances']
 

SecretsManagerRDSMySQLRotationSingleUser/lambda_function.py

@@ -376,8 +376,11 @@ def connect_and_authenticate(secret_dict, port, dbname, use_ssl):
     try:
         # Checks hostname and verifies server certificate implictly when 'ca' key is in 'ssl' dictionary
         conn = pymysql.connect(secret_dict['host'], user=secret_dict['username'], passwd=secret_dict['password'], port=port, db=dbname, connect_timeout=5, ssl=ssl)
+        logger.info("Successfully established %s connection as user '%s' with host: '%s'" % ("SSL/TLS" if use_ssl else "non SSL/TLS", secret_dict['username'], secret_dict['host']))
         return conn
-    except pymysql.OperationalError:
+    except pymysql.OperationalError as e:
+        if 'certificate verify failed: IP address mismatch' in e.args[1]:
+            logger.error("Hostname verification failed when estlablishing SSL/TLS Handshake with host: %s" % secret_dict['host'])
         return None
 
 

SecretsManagerRDSOracleRotationMultiUser/lambda_function.py

@@ -17,8 +17,8 @@ def lambda_handler(event, context):
     This handler uses the master-user rotation scheme to rotate an RDS Oracle user credential. During the first rotation, this
     scheme logs into the database as the master user, creates a new user (appending _CLONE to the username), and grants the
     new user all of the permissions from the user being rotated. Once the secret is in this state, every subsequent rotation
-    simply creates a new secret with the AWSPREVIOUS user credentials, adds any missing permissions that are in the current
-    secret, changes that user's password, and then marks the latest secret as AWSCURRENT.
+    simply creates a new secret with the AWSPREVIOUS user credentials, changes that user's password, and then marks the
+    latest secret as AWSCURRENT.
 
     The Secret SecretString is expected to be a JSON string with the following format:
     {
@@ -206,7 +206,7 @@ def set_secret(service_client, arn, token):
     escaped_current = cur.fetchone()[0]
 
     # Passwords cannot have double quotes in Oracle, remove any double quotes to allow the password to be properly escaped
-    pending_password = pending_dict['password'].replace("\"","")
+    pending_password = pending_dict['password'].replace("\"", "")
 
     # Check to see if the user already exists
     cur.execute("SELECT USERNAME FROM DBA_USERS WHERE USERNAME=:username", username=pending_dict['username'].upper())
@@ -219,7 +219,8 @@ def set_secret(service_client, arn, token):
         cur.execute("CREATE USER %s IDENTIFIED BY \"%s\"" % (escaped_username, pending_password))
         for grant_type in ['ROLE_GRANT', 'SYSTEM_GRANT', 'OBJECT_GRANT']:
             try:
-                cur.execute("SELECT DBMS_METADATA.GET_GRANTED_DDL(:grant_type, :username) FROM DUAL", grant_type=grant_type, username=current_dict['username'].upper())
+                cur.execute("SELECT DBMS_METADATA.GET_GRANTED_DDL(:grant_type, :username) FROM DUAL", grant_type=grant_type,
+                            username=current_dict['username'].upper())
                 results = cur.fetchall()
                 for row in results:
                     sql = row[0].read().strip(' \n\t').replace("%s" % escaped_current, "%s" % escaped_username)
@@ -325,8 +326,9 @@ def get_connection(secret_dict):
         conn = cx_Oracle.connect(secret_dict['username'],
                                  secret_dict['password'],
                                  secret_dict['host'] + ':' + port + '/' + secret_dict['dbname'])
+        logger.info("Successfully established connection as user '%s' with host: '%s'" % (secret_dict['username'], secret_dict['host']))
         return conn
-    except (cx_Oracle.DatabaseError, cx_Oracle.OperationalError) :
+    except (cx_Oracle.DatabaseError, cx_Oracle.OperationalError):
         return None
 
 
@@ -398,6 +400,7 @@ def get_alt_username(current_username):
             raise ValueError("Unable to clone user, username length with _CLONE appended would exceed 30 characters")
         return new_username.upper()
 
+
 def is_rds_replica_database(replica_dict, master_dict):
     """Validates that the database of a secret is a replica of the database of the master secret
 
@@ -424,7 +427,7 @@ def is_rds_replica_database(replica_dict, master_dict):
     try:
         describe_response = rds_client.describe_db_instances(DBInstanceIdentifier=replica_instance_id)
     except Exception as err:
-        logger.warn("Encountered error while verifying rds replica status: %s" % err)
+        logger.warning("Encountered error while verifying rds replica status: %s" % err)
         return False
     instances = describe_response['DBInstances']
 
@@ -435,4 +438,4 @@ def is_rds_replica_database(replica_dict, master_dict):
 
     # DB Instance identifiers are unique - can only be one result
     current_instance = instances[0]
-    return master_instance_id == current_instance.get('ReadReplicaSourceDBInstanceIdentifier')
+    return master_instance_id == current_instance.get('ReadReplicaSourceDBInstanceIdentifier')

SecretsManagerRDSOracleRotationSingleUser/lambda_function.py

@@ -173,7 +173,7 @@ def set_secret(service_client, arn, token):
     conn = get_connection(current_dict)
     if not conn and previous_dict:
         # If both current and pending do not work, try previous
-        conn = get_connection(pending_dict)
+        conn = get_connection(previous_dict)
 
         # Make sure the user/host from previous and pending match
         if previous_dict['username'] != pending_dict['username']:
@@ -195,10 +195,10 @@ def set_secret(service_client, arn, token):
     escaped_username = cur.fetchone()[0]
 
     # Passwords cannot have double quotes in Oracle, remove any double quotes to allow the password to be properly escaped
-    pending_password = pending_dict['password'].replace("\"","")
+    pending_password = pending_dict['password'].replace("\"", "")
 
     # Now set the password to the pending password
-    sql="ALTER USER %s IDENTIFIED BY \"%s\"" % (escaped_username, pending_dict['password'])
+    sql = "ALTER USER %s IDENTIFIED BY \"%s\"" % (escaped_username, pending_dict['password'])
     cur.execute(sql)
     conn.commit()
     logger.info("setSecret: Successfully set password for user %s in Oracle DB for secret arn %s." % (pending_dict['username'], arn))
@@ -295,8 +295,9 @@ def get_connection(secret_dict):
         conn = cx_Oracle.connect(secret_dict['username'],
                                  secret_dict['password'],
                                  secret_dict['host'] + ':' + port + '/' + secret_dict['dbname'])
+        logger.info("Successfully established connection as user '%s' with host: '%s'" % (secret_dict['username'], secret_dict['host']))
         return conn
-    except (cx_Oracle.DatabaseError, cx_Oracle.OperationalError) :
+    except (cx_Oracle.DatabaseError, cx_Oracle.OperationalError):
         return None
 
 

SecretsManagerRDSPostgreSQLRotationMultiUser/lambda_function.py

@@ -1,6 +1,7 @@
 # Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: MIT-0
 
+import re
 import boto3
 import json
 import logging
@@ -398,8 +399,15 @@ def connect_and_authenticate(secret_dict, port, dbname, use_ssl):
         else:
             conn = pgdb.connect(host=secret_dict['host'], user=secret_dict['username'], password=secret_dict['password'], database=dbname, port=port,
                                 connect_timeout=5, sslmode='disable')
+        logger.info("Successfully established %s connection as user '%s' with host: '%s'" % ("SSL/TLS" if use_ssl else "non SSL/TLS", secret_dict['username'], secret_dict['host']))
         return conn
-    except pg.InternalError:
+    except pg.InternalError as e:
+        if "server does not support SSL, but SSL was required" in e.args[0]:
+            logger.error("Unable to establish SSL/TLS handshake, SSL/TLS is not enabled on the host: %s" % secret_dict['host'])
+        elif re.search('server common name ".+" does not match host name ".+"', e.args[0]):
+            logger.error("Hostname verification failed when estlablishing SSL/TLS Handshake with host: %s" % secret_dict['host'])
+        elif re.search('no pg_hba.conf entry for host ".+", SSL off', e.args[0]):
+            logger.error("Unable to establish SSL/TLS handshake, SSL/TLS is enforced on the host: %s" % secret_dict['host'])
         return None
 
 
@@ -500,7 +508,7 @@ def is_rds_replica_database(replica_dict, master_dict):
     try:
         describe_response = rds_client.describe_db_instances(DBInstanceIdentifier=replica_instance_id)
     except Exception as err:
-        logger.warn("Encountered error while verifying rds replica status: %s" % err)
+        logger.warning("Encountered error while verifying rds replica status: %s" % err)
         return False
     instances = describe_response['DBInstances']
 

SecretsManagerRDSPostgreSQLRotationSingleUser/lambda_function.py

@@ -1,6 +1,7 @@
 # Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: MIT-0
 
+import re
 import boto3
 import json
 import logging
@@ -382,8 +383,15 @@ def connect_and_authenticate(secret_dict, port, dbname, use_ssl):
         else:
             conn = pgdb.connect(host=secret_dict['host'], user=secret_dict['username'], password=secret_dict['password'], database=dbname, port=port,
                                 connect_timeout=5, sslmode='disable')
+        logger.info("Successfully established %s connection as user '%s' with host: '%s'" % ("SSL/TLS" if use_ssl else "non SSL/TLS", secret_dict['username'], secret_dict['host']))
         return conn
-    except pg.InternalError:
+    except pg.InternalError as e:
+        if "server does not support SSL, but SSL was required" in e.args[0]:
+            logger.error("Unable to establish SSL/TLS handshake, SSL/TLS is not enabled on the host: %s" % secret_dict['host'])
+        elif re.search('server common name ".+" does not match host name ".+"', e.args[0]):
+            logger.error("Hostname verification failed when estlablishing SSL/TLS Handshake with host: %s" % secret_dict['host'])
+        elif re.search('no pg_hba.conf entry for host ".+", SSL off', e.args[0]):
+            logger.error("Unable to establish SSL/TLS handshake, SSL/TLS is enforced on the host: %s" % secret_dict['host'])
         return None