Ejemplo n.º 1
0
    def test_inline_policies(self):
        inline_policy_detail = {
            "PolicyName": "InlinePolicyForBidenGroup",
            "PolicyDocument": {
                "Version":
                "2012-10-17",
                "Statement": [{
                    "Sid": "VisualEditor0",
                    "Effect": "Allow",
                    "Action": ["s3:GetObject", "s3:PutObjectAcl"],
                    "Resource": "*"
                }]
            }
        }
        inline_policy = InlinePolicy(inline_policy_detail)
        results = inline_policy.json
        # print(json.dumps(results, indent=4))

        expected_policy_details_results_file = os.path.abspath(
            os.path.join(
                os.path.dirname(__file__),
                os.path.pardir,
                "files",
                "scanning",
                "test_inline_policy_results.json",
            ))
        with open(expected_policy_details_results_file) as f:
            contents = f.read()
            expected_results = json.loads(contents)

        self.assertDictEqual(results, expected_results)
Ejemplo n.º 2
0
    def __init__(self,
                 group_detail,
                 policy_details,
                 exclusions=DEFAULT_EXCLUSIONS):
        """
        Initialize the GroupDetail object.

        :param group_detail: Details about a particular group
        :param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account so the group can inherit those attributes
        """
        self.create_date = group_detail.get("CreateDate")
        self.arn = group_detail.get("Arn")
        self.path = group_detail.get("Path")
        self.group_id = group_detail.get("GroupId")
        self.group_name = group_detail.get("GroupName")

        if not isinstance(exclusions, Exclusions):
            raise Exception(
                "The exclusions provided is not an Exclusions type object. "
                "Please supply an Exclusions object and try again.")
        self.is_excluded = self._is_excluded(exclusions)

        # Inline Policies
        self.inline_policies = []
        # If the group itself is NOT excluded, add its inline policies
        if not self.is_excluded:
            if group_detail.get("GroupPolicyList"):
                for policy_detail in group_detail.get("GroupPolicyList"):
                    policy_name = policy_detail.get("PolicyName")
                    policy_document = policy_detail.get("PolicyDocument")
                    policy_id = get_non_provider_id(
                        json.dumps(policy_document))
                    if not (exclusions.is_policy_excluded(policy_name)
                            or exclusions.is_policy_excluded(policy_id)):
                        inline_policy = InlinePolicy(policy_detail)
                        self.inline_policies.append(inline_policy)

        # Managed Policies (either AWS-managed or Customer managed)
        self.attached_managed_policies = []
        # If the group itself is NOT excluded, add its AWS-managed or Customer-managed policies
        if not self.is_excluded:
            if group_detail.get("AttachedManagedPolicies"):
                for policy in group_detail.get("AttachedManagedPolicies"):
                    arn = policy.get("PolicyArn")
                    if not (exclusions.is_policy_excluded(arn)
                            or exclusions.is_policy_excluded(
                                get_full_policy_path(arn))
                            or exclusions.is_policy_excluded(
                                get_policy_name(arn))):
                        attached_managed_policy_details = (
                            policy_details.get_policy_detail(arn))
                        self.attached_managed_policies.append(
                            attached_managed_policy_details)
Ejemplo n.º 3
0
    def __init__(
        self,
        group_detail: Dict[str, Any],
        policy_details: ManagedPolicyDetails,
        exclusions: Exclusions = DEFAULT_EXCLUSIONS,
        flag_conditional_statements: bool = False,
        flag_resource_arn_statements: bool = False,
    ):
        """
        Initialize the GroupDetail object.

        :param group_detail: Details about a particular group
        :param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account so the group can inherit those attributes
        """
        self.create_date = group_detail.get("CreateDate")
        self.arn = group_detail.get("Arn")
        self.path = group_detail["Path"]
        self.group_id = group_detail["GroupId"]
        self.group_name = group_detail["GroupName"]

        # Fix Issue #254 - Allow flagging risky actions even when there are resource constraints
        self.flag_conditional_statements = flag_conditional_statements
        self.flag_resource_arn_statements = flag_resource_arn_statements

        if not isinstance(exclusions, Exclusions):
            raise Exception(
                "The exclusions provided is not an Exclusions type object. "
                "Please supply an Exclusions object and try again.")
        self.is_excluded = self._is_excluded(exclusions)

        # Inline Policies
        self.inline_policies = []
        # If the group itself is NOT excluded, add its inline policies
        if not self.is_excluded:
            for policy_detail in group_detail.get("GroupPolicyList", []):
                policy_name = policy_detail.get("PolicyName")
                policy_document = policy_detail.get("PolicyDocument")
                policy_id = get_non_provider_id(json.dumps(policy_document))
                if not (exclusions.is_policy_excluded(policy_name)
                        or exclusions.is_policy_excluded(policy_id)):
                    # NOTE: The Exclusions were not here before the #254 fix (which was an unfiled bug I just discovered) so the presence of this might break some older unit tests. Might need to fix that.
                    inline_policy = InlinePolicy(
                        policy_detail,
                        exclusions=exclusions,
                        flag_conditional_statements=flag_conditional_statements,
                        flag_resource_arn_statements=
                        flag_resource_arn_statements)
                    self.inline_policies.append(inline_policy)

        # Managed Policies (either AWS-managed or Customer managed)
        self.attached_managed_policies = []
        # If the group itself is NOT excluded, add its AWS-managed or Customer-managed policies
        if not self.is_excluded:
            for policy in group_detail.get("AttachedManagedPolicies", []):
                arn = policy.get("PolicyArn")
                if not (exclusions.is_policy_excluded(arn)
                        or exclusions.is_policy_excluded(
                            get_full_policy_path(arn)) or
                        exclusions.is_policy_excluded(get_policy_name(arn))):
                    attached_managed_policy_details = policy_details.get_policy_detail(
                        arn)
                    self.attached_managed_policies.append(
                        attached_managed_policy_details)
Ejemplo n.º 4
0
 def _inline_policies_details(self, group_policies_list):
     if group_policies_list:
         for policy in group_policies_list:
             inline_policy = InlinePolicy(policy)
             self.inline_policies.append(inline_policy)
Ejemplo n.º 5
0
    def __init__(
        self,
        user_detail: Dict[str, Any],
        policy_details: ManagedPolicyDetails,
        all_group_details: GroupDetailList,
        exclusions: Exclusions = DEFAULT_EXCLUSIONS,
        flag_conditional_statements: bool = False,
        flag_resource_arn_statements: bool = False,
    ) -> None:
        """
        Initialize the UserDetail object.

        :param user_detail: Details about a particular user
        :param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account
        so the user can inherit those attributes
        :param all_group_details:
        """
        self.create_date = user_detail.get("CreateDate")
        self.arn = user_detail.get("Arn")
        self.path = user_detail["Path"]
        self.user_id = user_detail["UserId"]
        self.user_name = user_detail["UserName"]

        if not isinstance(exclusions, Exclusions):
            raise Exception(
                "The exclusions provided is not an Exclusions type object. "
                "Please supply an Exclusions object and try again.")
        self.is_excluded = self._is_excluded(exclusions)

        # Fix Issue #254 - Allow flagging risky actions even when there are resource constraints
        self.flag_conditional_statements = flag_conditional_statements
        self.flag_resource_arn_statements = flag_resource_arn_statements

        # Groups
        self.groups: List[GroupDetail] = []
        group_list = user_detail.get("GroupList")
        if group_list:
            self._add_group_details(group_list, all_group_details)
        # self.inline_policies = user_detail.get("UserPolicyList")
        # self.groups = user_detail.get("GroupList")

        # Inline Policies
        self.inline_policies = []
        # If the user itself is NOT excluded, add its inline policies
        if not self.is_excluded:
            for policy_detail in user_detail.get("UserPolicyList", []):
                policy_name = policy_detail.get("PolicyName")
                policy_document = policy_detail.get("PolicyDocument")
                policy_id = get_non_provider_id(json.dumps(policy_document))
                if not (exclusions.is_policy_excluded(policy_name)
                        or exclusions.is_policy_excluded(policy_id)):
                    inline_policy = InlinePolicy(
                        policy_detail,
                        exclusions=exclusions,
                        flag_conditional_statements=flag_conditional_statements,
                        flag_resource_arn_statements=
                        flag_resource_arn_statements)
                    self.inline_policies.append(inline_policy)

        # Managed Policies (either AWS-managed or Customer managed)
        self.attached_managed_policies = []
        # If the user itself is NOT excluded, add its AWS-managed or Customer-managed policies
        if not self.is_excluded:
            for policy in user_detail.get("AttachedManagedPolicies", []):
                arn = policy.get("PolicyArn")
                if not (exclusions.is_policy_excluded(arn)
                        or exclusions.is_policy_excluded(
                            get_full_policy_path(arn)) or
                        exclusions.is_policy_excluded(get_policy_name(arn))):
                    attached_managed_policy_details = policy_details.get_policy_detail(
                        arn)
                    self.attached_managed_policies.append(
                        attached_managed_policy_details)
Ejemplo n.º 6
0
    def __init__(self, role_detail, policy_details, exclusions=DEFAULT_EXCLUSIONS):
        """
        Initialize the RoleDetail object.

        :param role_detail: Details about a particular Role
        :param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account
        so the role can inherit those attributes
        """
        # Metadata
        self.path = role_detail.get("Path")
        self.role_name = role_detail.get("RoleName")
        self.role_id = role_detail.get("RoleId")
        self.arn = role_detail.get("Arn")
        self.create_date = role_detail.get("CreateDate")
        self.tags = role_detail.get("Tags")
        self.role_last_used = role_detail.get("RoleLastUsed").get("LastUsedDate")
        self.role_detail = role_detail  # just to reference later in debugging
        if not isinstance(exclusions, Exclusions):
            raise Exception(
                "The exclusions provided is not an Exclusions type object. "
                "Please supply an Exclusions object and try again."
            )
        self.is_excluded = self._is_excluded(exclusions)

        # Metadata in object form
        if role_detail.get("AssumeRolePolicyDocument"):
            self.assume_role_policy_document = AssumeRolePolicyDocument(role_detail.get("AssumeRolePolicyDocument"))
        else:
            self.assume_role_policy_document = None

        # TODO: Create a class for InstanceProfileList
        self.instance_profile_list = role_detail.get("InstanceProfileList")

        # Inline Policies
        self.inline_policies = []
        # If the role itself is NOT excluded, add its inline policies
        if not self.is_excluded:
            if role_detail.get("RolePolicyList"):
                for policy_detail in role_detail.get("RolePolicyList"):
                    policy_name = policy_detail.get("PolicyName")
                    policy_document = policy_detail.get("PolicyDocument")
                    policy_id = get_non_provider_id(json.dumps(policy_document))
                    if not (
                        exclusions.is_policy_excluded(policy_name)
                        or exclusions.is_policy_excluded(policy_id)
                    ):
                        inline_policy = InlinePolicy(policy_detail)
                        self.inline_policies.append(inline_policy)

        # Managed Policies (either AWS-managed or Customer managed)
        self.attached_managed_policies = []
        # If the role itself is NOT excluded, add its AWS-managed or Customer-managed policies
        if not self.is_excluded:
            if role_detail.get("AttachedManagedPolicies"):
                for policy in role_detail.get("AttachedManagedPolicies"):
                    arn = policy.get("PolicyArn")
                    if not (
                        exclusions.is_policy_excluded(arn)
                        or exclusions.is_policy_excluded(get_full_policy_path(arn))
                        or exclusions.is_policy_excluded(get_policy_name(arn))
                    ):
                        attached_managed_policy_details = policy_details.get_policy_detail(arn)
                        self.attached_managed_policies.append(attached_managed_policy_details)
Ejemplo n.º 7
0
    def __init__(
        self,
        role_detail: Dict[str, Any],
        policy_details: ManagedPolicyDetails,
        exclusions: Exclusions = DEFAULT_EXCLUSIONS,
        flag_conditional_statements: bool = False,
        flag_resource_arn_statements: bool = False,
    ) -> None:
        """
        Initialize the RoleDetail object.

        :param role_detail: Details about a particular Role
        :param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account
        so the role can inherit those attributes
        """
        # Metadata
        self.path = role_detail["Path"]
        self.role_name = role_detail["RoleName"]
        self.role_id = role_detail["RoleId"]
        self.arn = role_detail.get("Arn")
        self.create_date = role_detail.get("CreateDate")
        self.tags = role_detail.get("Tags")
        self.role_last_used = role_detail.get("RoleLastUsed",
                                              {}).get("LastUsedDate")
        self.role_detail = role_detail  # just to reference later in debugging
        if not isinstance(exclusions, Exclusions):
            raise Exception(
                "The exclusions provided is not an Exclusions type object. "
                "Please supply an Exclusions object and try again.")
        self.is_excluded = self._is_excluded(exclusions)
        # Fix Issue #254 - Allow flagging risky actions even when there are resource constraints
        self.flag_conditional_statements = flag_conditional_statements
        self.flag_resource_arn_statements = flag_resource_arn_statements

        # Metadata in object form
        self.assume_role_policy_document = None
        assume_role_policy = role_detail.get("AssumeRolePolicyDocument")
        if assume_role_policy:
            self.assume_role_policy_document = AssumeRolePolicyDocument(
                assume_role_policy)

        # TODO: Create a class for InstanceProfileList
        self.instance_profile_list = role_detail.get("InstanceProfileList", [])

        # Inline Policies
        self.inline_policies = []
        # If the role itself is NOT excluded, add its inline policies
        if not self.is_excluded:
            for policy_detail in role_detail.get("RolePolicyList", []):
                policy_name = policy_detail.get("PolicyName")
                policy_document = policy_detail.get("PolicyDocument")
                policy_id = get_non_provider_id(json.dumps(policy_document))
                if not (exclusions.is_policy_excluded(policy_name)
                        or exclusions.is_policy_excluded(policy_id)):
                    inline_policy = InlinePolicy(
                        policy_detail,
                        exclusions=exclusions,
                        flag_conditional_statements=flag_conditional_statements,
                        flag_resource_arn_statements=
                        flag_resource_arn_statements)
                    self.inline_policies.append(inline_policy)

        # Managed Policies (either AWS-managed or Customer managed)
        self.attached_managed_policies = []
        # If the role itself is NOT excluded, add its AWS-managed or Customer-managed policies
        if not self.is_excluded:
            for policy in role_detail.get("AttachedManagedPolicies", []):
                arn = policy.get("PolicyArn")
                if not (exclusions.is_policy_excluded(arn)
                        or exclusions.is_policy_excluded(
                            get_full_policy_path(arn)) or
                        exclusions.is_policy_excluded(get_policy_name(arn))):
                    attached_managed_policy_details = policy_details.get_policy_detail(
                        arn)
                    self.attached_managed_policies.append(
                        attached_managed_policy_details)