    def test_allows_specific_actions(self):
        """Look up named actions in a single unconstrained ``Allow`` statement.

        The fixture grants every action on ``Resource: "*"`` with no
        ``Condition`` block, so each lookup is expected to come back as
        unconstrained. Also checks that the lookup is case-insensitive on
        input while the returned names keep the canonical AWS casing.
        """
        granted_actions = [
            "iam:PassRole",
            "ssm:GetParameter",
            "s3:GetObject",
            "ssm:GetParameter",
            "ssm:GetParameters",
            "ssm:GetParametersByPath",
            "secretsmanager:GetSecretValue",
        ]
        statement = {
            "Effect": "Allow",
            "Action": granted_actions,
            "Resource": "*",
        }
        document = PolicyDocument({"Version": "2012-10-17", "Statement": [statement]})
        lookup = document.allows_specific_actions_without_constraints

        # Exact-case input is found and echoed back in canonical form.
        self.assertListEqual(lookup(["iam:PassRole"]), ["iam:PassRole"])
        # Lower-case input must still match, and the canonical name is what comes back.
        self.assertListEqual(lookup(["iam:passrole"]), ["iam:PassRole"])

        # The read-only actions the suite treats as high priority must all be
        # found, in the order they were requested.
        high_priority_reads = [
            "s3:GetObject",
            "ssm:GetParameter",
            "ssm:GetParameters",
            "ssm:GetParametersByPath",
            "secretsmanager:GetSecretValue",
        ]
        self.assertListEqual(lookup(high_priority_reads), high_priority_reads)
    def test_allows_specific_actions(self):
        """Classify the actions of a single unconstrained ``Allow`` statement.

        The fixture grants read, write, tagging and ``iam:PassRole`` actions on
        ``Resource: "*"`` with no ``Condition`` block. Checks the named-action
        lookup (including case-insensitive input), the per-category
        "without constraints" views, the data-exfiltration view, and that a
        bare string instead of a list of action names is rejected.
        """
        granted_actions = [
            "iam:PassRole",
            "ssm:GetParameter",
            "s3:GetObject",
            "ssm:GetParameter",
            "ssm:GetParameters",
            "ssm:GetParametersByPath",
            "secretsmanager:GetSecretValue",
            "s3:PutObject",
            "ec2:CreateTags",
        ]
        statement = {
            "Effect": "Allow",
            "Action": granted_actions,
            "Resource": "*",
        }
        document = PolicyDocument({"Version": "2012-10-17", "Statement": [statement]})
        lookup = document.allows_specific_actions_without_constraints

        # Exact-case input is found and echoed back in canonical form.
        self.assertListEqual(lookup(["iam:PassRole"]), ["iam:PassRole"])
        # Lower-case input must still match, and the canonical name is what comes back.
        self.assertListEqual(lookup(["iam:passrole"]), ["iam:PassRole"])

        # The read-only actions the suite treats as high priority must all be
        # found; ordering of the result is not part of the contract here.
        high_priority_reads = [
            "s3:GetObject",
            "ssm:GetParameter",
            "ssm:GetParameters",
            "ssm:GetParametersByPath",
            "secretsmanager:GetSecretValue",
        ]
        self.assertCountEqual(lookup(high_priority_reads), high_priority_reads)

        # Each category view should surface exactly the fixture's action of that kind.
        self.assertListEqual(
            document.permissions_management_without_constraints, ["iam:PassRole"]
        )
        self.assertListEqual(document.write_actions_without_constraints, ["s3:PutObject"])
        self.assertListEqual(document.tagging_actions_without_constraints, ["ec2:CreateTags"])
        # The exfiltration view is expected to be the same set as the high-priority reads.
        self.assertCountEqual(document.allows_data_exfiltration_actions, high_priority_reads)

        # A single string is not an action list; it must be rejected rather than
        # (presumably) iterated character by character.
        with self.assertRaises(Exception):
            lookup("iam:passrole")