def test_get_actions_that_support_wildcard_arns_only(self):
"""querying.actions.get_actions_that_support_wildcard_arns_only"""
# Variant 1: Secrets manager
expected_results = [
"secretsmanager:GetRandomPassword",
"secretsmanager:ListSecrets",
]
results = get_actions_that_support_wildcard_arns_only("secretsmanager")
self.maxDiff = None
for result in results:
self.assertTrue(result in expected_results)
# Variant 2: ECR
results = get_actions_that_support_wildcard_arns_only("ecr")
expected_results = [
"ecr:DeleteRegistryPolicy", "ecr:DescribeRegistry",
"ecr:GetAuthorizationToken", "ecr:GetRegistryPolicy",
"ecr:PutRegistryPolicy", "ecr:PutReplicationConfiguration"
]
# print(json.dumps(results, indent=4))
for result in results:
self.assertTrue(result in expected_results)
# Variant 3: All actions
output = get_actions_that_support_wildcard_arns_only("all")
# print(len(output))
self.assertTrue(len(output) > 3000)
def test_get_actions_that_support_wildcard_arns_only(self):
"""querying.actions.get_actions_that_support_wildcard_arns_only"""
desired_output = [
"secretsmanager:GetRandomPassword",
"secretsmanager:ListSecrets",
]
output = get_actions_that_support_wildcard_arns_only("secretsmanager")
self.maxDiff = None
self.assertListEqual(desired_output, output)
output = get_actions_that_support_wildcard_arns_only("ecr")
self.assertEqual(output, ["ecr:GetAuthorizationToken"])
# print(json.dumps(output, indent=4))
output = get_actions_that_support_wildcard_arns_only("all")
def remove_actions_that_are_not_wildcard_arn_only(db_session, actions_list):
"""
Given a list of actions, remove the ones that CAN be restricted to ARNs, leaving only the ones that cannot.
:param db_session: SQL Alchemy database session object
:param actions_list: A list of actions
:return: An updated list of actions
:rtype: list
"""
# remove duplicates, if there are any
actions_list = list(dict.fromkeys(actions_list))
actions_list_placeholder = []
for action in actions_list:
try:
service_name, action_name = action.split(":")
except ValueError as v_e:
# We will skip the action because this likely means that the wildcard action provided is not valid.
logger.debug(v_e)
logger.debug(
"The value provided in wildcard-only section is not formatted properly."
)
continue
rows = get_actions_that_support_wildcard_arns_only(
db_session, service_name)
for row in rows:
if row.lower() == action.lower():
actions_list_placeholder.append(
f"{service_name}:{action_name}")
return actions_list_placeholder
def action_table(name, service, access_level, condition, wildcard_only):
"""Query the Action Table from the Policy Sentry database"""
db_session = connect_db(DATABASE_FILE_PATH)
# Actions on all services
if service == "all":
all_services = get_all_service_prefixes(db_session)
if access_level:
level = transform_access_level_text(access_level)
print(f"{access_level} actions across ALL services:\n")
results = []
for serv in all_services:
output = get_actions_with_access_level(db_session, serv, level)
results.extend(output)
for result in results:
print(result)
# Get a list of all services in the database
else:
print("All services in the database:\n")
for item in all_services:
print(item)
elif name is None and access_level:
print(
f"All IAM actions under the {service} service that have the access level {access_level}:"
)
level = transform_access_level_text(access_level)
output = get_actions_with_access_level(db_session, service, level)
print(json.dumps(output, indent=4))
# Get a list of all IAM actions under the service that support the
# specified condition key.
elif condition:
print(
f"IAM actions under {service} service that support the {condition} condition only:"
)
output = get_actions_matching_condition_key(db_session, service,
condition)
print(json.dumps(output, indent=4))
# Get a list of IAM Actions under the service that only support resources = "*"
# (i.e., you cannot restrict it according to ARN)
elif wildcard_only:
print(
f"IAM actions under {service} service that support wildcard resource values only:"
)
output = get_actions_that_support_wildcard_arns_only(
db_session, service)
print(json.dumps(output, indent=4))
elif name and access_level is None:
output = get_action_data(db_session, service, name)
print(json.dumps(output, indent=4))
else:
print(f"All IAM actions available to {service}:")
# Get a list of all IAM Actions available to the service
action_list = get_actions_for_service(db_session, service)
print(f"ALL {service} actions:")
for item in action_list:
print(item)
def test_get_actions_that_support_wildcard_arns_only(self):
"""test_get_actions_that_support_wildcard_arns_only: Tests function that shows all
actions that support * resources only."""
desired_output = [
"secretsmanager:createsecret", "secretsmanager:getrandompassword",
"secretsmanager:listsecrets"
]
output = get_actions_that_support_wildcard_arns_only(
db_session, "secretsmanager")
self.maxDiff = None
print(output)
self.assertListEqual(desired_output, output)
def test_get_actions_that_support_wildcard_arns_only(self):
"""querying.actions.get_actions_that_support_wildcard_arns_only"""
desired_output = [
"secretsmanager:CreateSecret",
"secretsmanager:GetRandomPassword",
"secretsmanager:ListSecrets",
]
output = get_actions_that_support_wildcard_arns_only(
db_session, "secretsmanager")
self.maxDiff = None
print(output)
self.assertListEqual(desired_output, output)
#!/usr/bin/env python
from policy_sentry.shared.database import connect_db
from policy_sentry.querying.actions import get_actions_that_support_wildcard_arns_only
import json
if __name__ == '__main__':
db_session = connect_db('bundled')
output = get_actions_that_support_wildcard_arns_only(
db_session, "secretsmanager")
print(json.dumps(output, indent=4))
"""
Output:
[
"secretsmanager:createsecret",
"secretsmanager:getrandompassword",
"secretsmanager:listsecrets"
]
"""
def query_action_table(name,
service,
access_level,
condition,
wildcard_only,
fmt="json"):
"""Query the Action Table from the Policy Sentry database. Use this one when leveraging Policy Sentry as a library."""
# Actions on all services
if service == "all":
all_services = get_all_service_prefixes()
if access_level:
level = transform_access_level_text(access_level)
print(f"{access_level} actions across ALL services:\n")
output = []
for serv in all_services:
result = get_actions_with_access_level(serv, level)
output.extend(result)
print(yaml.dump(output)) if fmt == "yaml" else [
print(result) for result in output
]
# Get a list of all services in the database
else:
print("All services in the database:\n")
output = all_services
print(yaml.dump(output)) if fmt == "yaml" else [
print(item) for item in output
]
elif name is None and access_level and not wildcard_only:
print(
f"All IAM actions under the {service} service that have the access level {access_level}:"
)
level = transform_access_level_text(access_level)
output = get_actions_with_access_level(service, level)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
elif name is None and access_level and wildcard_only:
print(
f"{service} {access_level.upper()} actions that must use wildcards in the resources block:"
)
access_level = transform_access_level_text(access_level)
output = get_actions_at_access_level_that_support_wildcard_arns_only(
service, access_level)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
# Get a list of all IAM actions under the service that support the specified condition key.
elif condition:
print(
f"IAM actions under {service} service that support the {condition} condition only:"
)
output = get_actions_matching_condition_key(service, condition)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
# Get a list of IAM Actions under the service that only support resources = "*"
# (i.e., you cannot restrict it according to ARN)
elif wildcard_only:
print(
f"IAM actions under {service} service that support wildcard resource values only:"
)
output = get_actions_that_support_wildcard_arns_only(service)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
elif name and access_level is None:
output = get_action_data(service, name)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
else:
# Get a list of all IAM Actions available to the service
output = get_actions_for_service(service)
print(f"ALL {service} actions:")
print(yaml.dump(output)) if fmt == "yaml" else [
print(item) for item in output
]
return output
def query_action_table(name,
service,
access_level,
condition,
resource_type,
fmt="json"):
"""Query the Action Table from the Policy Sentry database.
Use this one when leveraging Policy Sentry as a library."""
if os.path.exists(LOCAL_DATASTORE_FILE_PATH):
logger.info(
f"Using the Local IAM definition: {LOCAL_DATASTORE_FILE_PATH}. To leverage the bundled definition instead, remove the folder $HOME/.policy_sentry/"
)
else:
# Otherwise, leverage the datastore inside the python package
logger.debug("Leveraging the bundled IAM Definition.")
# Actions on all services
if service == "all":
all_services = get_all_service_prefixes()
if access_level:
level = transform_access_level_text(access_level)
print(f"{access_level} actions across ALL services:\n")
output = []
for serv in all_services:
result = get_actions_with_access_level(serv, level)
output.extend(result)
print_list(output=output, fmt=fmt)
# Get a list of all services in the database
elif resource_type == "*":
print("ALL actions that do not support resource ARN constraints")
output = get_actions_that_support_wildcard_arns_only(service)
print_dict(output=output, fmt=fmt)
else:
print("All services in the database:\n")
output = all_services
print_list(output=output, fmt=fmt)
elif name is None and access_level and not resource_type:
print(
f"All IAM actions under the {service} service that have the access level {access_level}:"
)
level = transform_access_level_text(access_level)
output = get_actions_with_access_level(service, level)
print_dict(output=output, fmt=fmt)
elif name is None and access_level and resource_type:
print(
f"{service} {access_level.upper()} actions that have the resource type {resource_type.upper()}:"
)
access_level = transform_access_level_text(access_level)
output = get_actions_with_arn_type_and_access_level(
service, resource_type, access_level)
print_dict(output=output, fmt=fmt)
# Get a list of all IAM actions under the service that support the specified condition key.
elif condition:
print(
f"IAM actions under {service} service that support the {condition} condition only:"
)
output = get_actions_matching_condition_key(service, condition)
print_dict(output=output, fmt=fmt)
# Get a list of IAM Actions under the service that only support resources = "*"
# (i.e., you cannot restrict it according to ARN)
elif resource_type:
print(
f"IAM actions under {service} service that have the resource type {resource_type}:"
)
output = get_actions_matching_arn_type(service, resource_type)
print_dict(output=output, fmt=fmt)
elif name and access_level is None:
output = get_action_data(service, name)
print_dict(output=output, fmt=fmt)
else:
# Get a list of all IAM Actions available to the service
output = get_actions_for_service(service)
print(f"ALL {service} actions:")
print_list(output=output, fmt=fmt)
return output
