def test_allows_specific_actions(self):
    """Queried actions are reported only when the policy grants them unconstrained.

    The fixture grants every action on ``Resource: "*"``, so no resource
    constraint applies and each queried action should come back as allowed.
    """
    # Read-only actions treated as high priority by this check.
    high_priority_read_only_actions = [
        "s3:GetObject",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath",
        "secretsmanager:GetSecretValue",
    ]
    # The fixture statement lists ssm:GetParameter twice; the duplicate is
    # kept on purpose so the document under test sees the same statement.
    granted_actions = ["iam:PassRole", "ssm:GetParameter"] + high_priority_read_only_actions
    test_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": granted_actions,
                "Resource": "*",
            }
        ],
    }
    policy_document = PolicyDocument(test_policy)

    # Exact-case lookup of a single action.
    self.assertListEqual(
        policy_document.allows_specific_actions_without_constraints(["iam:PassRole"]),
        ["iam:PassRole"],
    )
    # Lookup is case-insensitive, but the result carries the CamelCase spelling.
    self.assertListEqual(
        policy_document.allows_specific_actions_without_constraints(["iam:passrole"]),
        ["iam:PassRole"],
    )
    # Every high-priority read-only action is found, in query order.
    self.assertListEqual(
        policy_document.allows_specific_actions_without_constraints(high_priority_read_only_actions),
        high_priority_read_only_actions,
    )
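def test_allows_specific_actions(self):
    """Exercise the unconstrained-action classifiers on a wildcard-resource policy.

    The fixture grants a permissions-management action (iam:PassRole), a write
    action (s3:PutObject), a tagging action (ec2:CreateTags) and a set of
    high-priority read-only actions, all on ``Resource: "*"``. Nothing is
    resource-constrained, so each classifier should report the actions of
    its own kind.
    """
    # Read-only actions treated as high priority by this check.
    high_priority_read_only_actions = [
        "s3:GetObject",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath",
        "secretsmanager:GetSecretValue",
    ]
    # The fixture statement lists ssm:GetParameter twice; the duplicate is
    # kept on purpose so the document under test sees the same statement.
    granted_actions = (
        ["iam:PassRole", "ssm:GetParameter"]
        + high_priority_read_only_actions
        + ["s3:PutObject", "ec2:CreateTags"]
    )
    test_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": granted_actions,
                "Resource": "*",
            }
        ],
    }
    policy_document = PolicyDocument(test_policy)

    # Exact-case lookup of a single action.
    results = policy_document.allows_specific_actions_without_constraints(["iam:PassRole"])
    self.assertListEqual(results, ["iam:PassRole"])
    # Input should be case insensitive, but give the pretty CamelCase action name result.
    results = policy_document.allows_specific_actions_without_constraints(["iam:passrole"])
    self.assertListEqual(results, ["iam:PassRole"])
    # Every high-priority read-only action is found; order is not asserted here.
    results = policy_document.allows_specific_actions_without_constraints(
        high_priority_read_only_actions
    )
    self.assertCountEqual(results, high_priority_read_only_actions)

    # Category classifiers: each should surface exactly the unconstrained
    # action of its kind present in the fixture.
    self.assertListEqual(policy_document.permissions_management_without_constraints, ["iam:PassRole"])
    self.assertListEqual(policy_document.write_actions_without_constraints, ["s3:PutObject"])
    self.assertListEqual(policy_document.tagging_actions_without_constraints, ["ec2:CreateTags"])
    # The data-exfiltration check reports the high-priority read-only actions.
    self.assertCountEqual(
        policy_document.allows_data_exfiltration_actions,
        high_priority_read_only_actions,
    )

    # A bare string instead of a list of actions must be rejected.
    # TODO(review): narrow Exception to the specific type once it is confirmed
    # from the PolicyDocument contract; the return value is deliberately not
    # bound since the call is expected to raise.
    with self.assertRaises(Exception):
        policy_document.allows_specific_actions_without_constraints("iam:passrole")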