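def test_gh_225_s3_conditions(self):
    """Regression test (named for GH issue 225) for the ``s3`` condition-key lookup.

    Asserts that ``get_condition_keys_for_service("s3")`` returns exactly the
    keys listed below, in this order: the global ``aws:*`` tag keys first,
    then the service-specific ``s3:*`` keys. ``assertListEqual`` compares
    membership and order, so a change in either fails the test.
    """
    expected_results = [
        "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}",
        "aws:TagKeys", "s3:AccessPointNetworkOrigin",
        "s3:DataAccessPointAccount", "s3:DataAccessPointArn",
        "s3:ExistingJobOperation", "s3:ExistingJobPriority",
        "s3:ExistingObjectTag/<key>", "s3:JobSuspendedCause",
        "s3:LocationConstraint", "s3:RequestJobOperation",
        "s3:RequestJobPriority", "s3:RequestObjectTag/<key>",
        "s3:RequestObjectTagKeys", "s3:VersionId", "s3:authType",
        "s3:delimiter", "s3:locationconstraint", "s3:max-keys",
        "s3:object-lock-legal-hold", "s3:object-lock-mode",
        "s3:object-lock-remaining-retention-days",
        "s3:object-lock-retain-until-date", "s3:prefix", "s3:signatureAge",
        "s3:signatureversion", "s3:versionid", "s3:x-amz-acl",
        "s3:x-amz-content-sha256", "s3:x-amz-copy-source",
        "s3:x-amz-grant-full-control", "s3:x-amz-grant-read",
        "s3:x-amz-grant-read-acp", "s3:x-amz-grant-write",
        "s3:x-amz-grant-write-acp", "s3:x-amz-metadata-directive",
        "s3:x-amz-server-side-encryption",
        "s3:x-amz-server-side-encryption-aws-kms-key-id",
        "s3:x-amz-storage-class", "s3:x-amz-website-redirect-location"
    ]
    results = get_condition_keys_for_service("s3")
    # Leftover commented-out debug print removed; assertListEqual already
    # shows a readable diff of both lists on failure.
    self.assertListEqual(results, expected_results)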
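 def test_get_condition_keys_for_service(self):
     """test_get_condition_keys_for_service: Tests function that grabs a list of condition keys per service.

     Calls ``get_condition_keys_for_service`` with the module-level
     ``db_session`` and the ``cloud9`` service and expects exactly the six
     ``cloud9:*`` condition keys below, in this order.
     """
     desired_output = [
         'cloud9:EnvironmentId', 'cloud9:EnvironmentName',
         'cloud9:InstanceType', 'cloud9:Permissions', 'cloud9:SubnetId',
         'cloud9:UserArn'
     ]
     output = get_condition_keys_for_service(db_session, "cloud9")
     # assertEquals is a deprecated alias that was removed in Python 3.12;
     # assertEqual is the supported spelling and behaves identically.
     self.assertEqual(desired_output, output)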
 def test_get_condition_keys_for_service(self):
     """querying.conditions.get_condition_keys_for_service test

     Looks up the condition keys for ``cloud9`` through the module-level
     ``db_session`` and checks the result equals the known key list
     (same members, same order).
     """
     # Every expected key shares the "cloud9:" service prefix.
     key_suffixes = (
         "EnvironmentId",
         "EnvironmentName",
         "InstanceType",
         "Permissions",
         "SubnetId",
         "UserArn",
     )
     expected = [f"cloud9:{suffix}" for suffix in key_suffixes]
     actual = get_condition_keys_for_service(db_session, "cloud9")
     self.assertEqual(expected, actual)
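 def test_get_condition_keys_for_service(self):
     """querying.conditions.get_condition_keys_for_service test

     Queries the condition keys for the ``ram`` service and asserts the
     result is exactly the list below, in this order: the global ``aws:*``
     tag keys followed by the ``ram:*`` keys.
     """
     expected_results = [
         "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}",
         "aws:TagKeys", "ram:AllowsExternalPrincipals", "ram:PermissionArn",
         "ram:Principal", "ram:RequestedAllowsExternalPrincipals",
         "ram:RequestedResourceType", "ram:ResourceArn",
         "ram:ResourceShareName", "ram:ShareOwnerAccountId"
     ]
     results = get_condition_keys_for_service("ram")
     # Commented-out debug print removed; assertEqual on two lists already
     # reports a readable element-wise diff on failure.
     self.assertEqual(results, expected_results)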
def condition_table(name, service):
    """Query the condition keys table from the Policy Sentry database and print the result.

    Args:
        name: A specific condition key to describe, or ``None`` to list every
            condition key available to ``service``.
        service: The service prefix to query (for example ``"s3"``).

    Output goes to stdout: one key per line when listing, or the key's
    details as indented JSON when ``name`` is given. Returns ``None``.
    """
    db_session = connect_db(DATABASE_FILE_PATH)
    if name is not None:
        # Details on the one condition key that was asked for.
        details = get_condition_key_details(db_session, service, name)
        print(json.dumps(details, indent=4))
        return
    # No key named: list every condition key the service supports.
    for key in get_condition_keys_for_service(db_session, service):
        print(key)
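 def test_get_condition_keys_for_service(self):
     """querying.conditions.get_condition_keys_for_service test

     Queries the condition keys for the ``ram`` service and asserts that
     every expected key is present. Only membership is checked (not order
     or completeness), so the test tolerates keys being added to the
     definition while still catching removed or renamed ones.
     """
     expected_results = [
         "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}",
         "aws:TagKeys", "ram:AllowsExternalPrincipals", "ram:PermissionArn",
         "ram:PermissionResourceType", "ram:Principal",
         "ram:RequestedAllowsExternalPrincipals",
         "ram:RequestedResourceType", "ram:ResourceArn",
         "ram:ResourceShareName", "ram:ShareOwnerAccountId"
     ]
     results = get_condition_keys_for_service("ram")
     for expected_result in expected_results:
         # assertIn names the missing key and the actual list on failure;
         # assertTrue(x in y) would only report "False is not true".
         self.assertIn(expected_result, results)
     # The trailing debug print(results) was removed: it only added noise
     # to the test output and asserted nothing.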
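def query_condition_table(name, service, fmt="json"):
    """Query the condition table from the Policy Sentry database. Use this one when leveraging Policy Sentry as a library.

    Args:
        name: A specific condition key to describe, or ``None`` to list every
            condition key available to ``service``.
        service: The service prefix to query (for example ``"s3"``).
        fmt: ``"yaml"`` prints the result as a YAML dump; any other value
            prints the key list one per line, or the key details as
            indented JSON.

    Returns:
        The list of condition keys when ``name`` is ``None``, otherwise
        whatever ``get_condition_key_details`` returns for ``name``; the
        value is printed before being returned.
    """
    # Plain if/else statements replace the original conditional expression
    # and throwaway list comprehension, which were used only for their
    # print() side effects.
    if name is None:
        # Get a list of all condition keys available to the service
        output = get_condition_keys_for_service(service)
        if fmt == "yaml":
            print(yaml.dump(output))
        else:
            for item in output:
                print(item)
    else:
        # Get details on the specific condition key
        output = get_condition_key_details(service, name)
        if fmt == "yaml":
            print(yaml.dump(output))
        else:
            print(json.dumps(output, indent=4))
    return output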
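def condition_table(name, service, fmt, log_level):
    """Query the condition keys table from the Policy Sentry database and print the result.

    Args:
        name: A specific condition key to describe, or ``None`` to list every
            condition key available to ``service``.
        service: The service prefix to query (for example ``"s3"``).
        fmt: ``"yaml"`` prints the result as a YAML dump; any other value
            prints the key list one per line, or the key details as
            indented JSON.
        log_level: Applied to the module ``logger`` via ``set_log_level``
            before the database is opened.

    Returns ``None``; all output goes to stdout.
    """
    set_log_level(logger, log_level)

    db_session = connect_db(DATABASE_FILE_PATH)
    # Plain if/else statements replace the original conditional expression
    # and throwaway list comprehension, which existed only for their
    # print() side effects.
    if name is None:
        # Get a list of all condition keys available to the service
        results = get_condition_keys_for_service(db_session, service)
        if fmt == "yaml":
            print(yaml.dump(results))
        else:
            for item in results:
                print(item)
    else:
        # Get details on the specific condition key
        output = get_condition_key_details(db_session, service, name)
        if fmt == "yaml":
            print(yaml.dump(output))
        else:
            print(json.dumps(output, indent=4))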
def query_condition_table(name, service, fmt="json"):
    """Query the condition table from the Policy Sentry database.
    Use this one when leveraging Policy Sentry as a library.

    Args:
        name: A specific condition key to describe, or ``None`` to list every
            condition key available to ``service``.
        service: The service prefix to query (for example ``"s3"``).
        fmt: Output format, forwarded unchanged to ``print_list`` /
            ``print_dict``.

    Returns:
        The list of condition keys when ``name`` is ``None``, otherwise the
        details returned by ``get_condition_key_details`` for ``name``.
    """
    local_definition_present = os.path.exists(LOCAL_DATASTORE_FILE_PATH)
    if not local_definition_present:
        # Otherwise, leverage the datastore inside the python package
        logger.debug("Leveraging the bundled IAM Definition.")
    else:
        logger.info(
            f"Using the Local IAM definition: {LOCAL_DATASTORE_FILE_PATH}. To leverage the bundled definition instead, remove the folder $HOME/.policy_sentry/"
        )

    if name is not None:
        # Details on the one condition key that was asked for.
        output = get_condition_key_details(service, name)
        print_dict(output=output, fmt=fmt)
        return output

    # No key named: list every condition key the service supports.
    output = get_condition_keys_for_service(service)
    print_list(output=output, fmt=fmt)
    return output
#!/usr/bin/env python
from policy_sentry.shared.database import connect_db
from policy_sentry.querying.conditions import get_condition_keys_for_service
import json

if __name__ == '__main__':
    # Open the bundled database and list the condition keys for cloud9.
    db_session = connect_db('bundled')
    output = get_condition_keys_for_service(db_session, "cloud9")
    rendered = json.dumps(output, indent=4)
    print(rendered)
"""
Output:

[
    'cloud9:EnvironmentId',
    'cloud9:EnvironmentName',
    'cloud9:InstanceType',
    'cloud9:Permissions',
    'cloud9:SubnetId',
    'cloud9:UserArn'
]
"""
#!/usr/bin/env python

from policy_sentry.querying.conditions import get_condition_keys_for_service
import json

if __name__ == '__main__':
    # List the condition keys for cloud9 and print them as indented JSON.
    output = get_condition_keys_for_service("cloud9")
    rendered = json.dumps(output, indent=4)
    print(rendered)
"""
Output:

[
    'cloud9:EnvironmentId',
    'cloud9:EnvironmentName',
    'cloud9:InstanceType',
    'cloud9:Permissions',
    'cloud9:SubnetId',
    'cloud9:UserArn'
]
"""