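def get_actions_matching_arn(arn):
    """
    Given a user-supplied ARN, get a list of all actions that correspond to that ARN.

    Every raw ARN format that matches the supplied ARN is resolved to its
    service prefix and resource type name. Each privilege of that service
    whose resource-type list contains the same resource type (compared
    case-insensitively, after stripping "*" from the data's resource type)
    is reported as "<service_prefix>:<privilege>". The ARN itself is not
    validated beyond what ``get_matching_raw_arns`` does.

    Arguments:
        arn: A user-supplied arn
    Returns:
        List: A sorted, de-duplicated list of all actions that can match it.
    """
    results = []
    for raw_arn in get_matching_raw_arns(arn):
        resource_type_name = get_resource_type_name_with_raw_arn(raw_arn)
        service_prefix = get_service_from_arn(raw_arn)
        service_prefix_data = get_service_prefix_data(service_prefix)
        # Only the values of the privilege / resource-type maps are needed;
        # their keys were previously iterated and ignored.
        for action_data in service_prefix_data["privileges"].values():
            for resource_data in action_data["resource_types"].values():
                this_resource_type = resource_data["resource_type"].strip("*")
                if this_resource_type.lower() == resource_type_name.lower():
                    results.append(
                        f"{service_prefix}:{action_data['privilege']}")
    # Dedupe and sort so the output is deterministic regardless of data order.
    return sorted(set(results))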
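    def add_by_arn_and_access_level(self,
                                    arn_list,
                                    access_level,
                                    conditions_block=None):
        """
        This adds the user-supplied ARN(s), service prefixes, access levels, and condition keys (if applicable) given
        by the user. It derives the list of IAM actions based on the user's requested ARNs and access levels.

        For each ARN, every action row of the ARN's service whose resource ARN
        format matches the ARN (``does_arn_match``) and whose access level is
        exactly ``access_level`` contributes one entry in ``self.sids``, keyed
        by the SID namespace built from service prefix, access level and
        resource type name. Actions that the matched actions depend on, but
        that are not themselves matched, are added through
        ``add_action_without_resource_constraint`` — they are not scoped to the
        supplied ARN, so the resulting policy is wider than the ARN alone.

        Arguments:
            arn_list: Just a list of resource ARNs.
            access_level: "Read", "List", "Tagging", "Write", or "Permissions management"
            conditions_block: Optionally, a condition block with one or more conditions.
                Currently accepted but not applied; "conditions" is always left empty (TODO).
        """
        for arn in arn_list:
            service_prefix = get_service_from_arn(arn)
            service_action_data = get_action_data(service_prefix, "*")
            # The inner loop used to rebind ``service_prefix``; use a distinct
            # name so the outer value is not silently shadowed.
            for prefix, rows in service_action_data.items():
                for row in rows:
                    raw_arn_format = row["resource_arn_format"]
                    if not (does_arn_match(arn, raw_arn_format)
                            and row["access_level"] == access_level):
                        continue
                    resource_type_name = get_resource_type_name_with_raw_arn(
                        raw_arn_format)
                    sid_namespace = create_policy_sid_namespace(
                        prefix, access_level, resource_type_name)
                    actions = get_actions_with_arn_type_and_access_level(
                        prefix, resource_type_name, access_level)
                    # Defensive copy, kept from the original: the helper is not
                    # shown here, so assume it may mutate its argument.
                    supplied_actions = actions.copy()
                    # Dependent actions not already covered are added without a
                    # resource constraint, i.e. not limited to ``arn``.
                    for dep_action in get_dependent_actions(supplied_actions):
                        if dep_action not in supplied_actions:
                            self.add_action_without_resource_constraint(
                                dep_action)
                    if sid_namespace in self.sids:
                        # Namespace already exists: only record a new ARN.
                        if arn not in self.sids[sid_namespace]["arn"]:
                            self.sids[sid_namespace]["arn"].append(arn)
                    else:
                        self.sids[sid_namespace] = {
                            "arn": [arn],
                            "service": prefix,
                            "access_level": access_level,
                            "arn_format": raw_arn_format,
                            "actions": actions,
                            "conditions": [],  # TODO: Add conditions
                        }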
def get_actions_matching_arn(arn):
    """Given a user-supplied arn, get a list of all actions that can match it.

    The ARN is resolved to a single raw ARN format; every privilege of that
    service that lists the same resource type (case-insensitive, "*" stripped
    from the data's resource type) is returned as "<service>:<privilege>",
    de-duplicated and sorted.
    """
    raw_arn = get_matching_raw_arn(arn)
    wanted_type = get_resource_type_name_with_raw_arn(raw_arn)
    service_prefix = get_service_from_arn(raw_arn)
    privileges = get_service_prefix_data(service_prefix)["privileges"]
    matched = []
    for privilege in privileges:
        for entry in privilege["resource_types"]:
            candidate = entry["resource_type"].strip("*")
            if candidate.lower() == wanted_type.lower():
                matched.append(f"{service_prefix}:{privilege['privilege']}")
    return sorted(set(matched))
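 def test_get_resource_type_name_with_raw_arn(self):
     """querying.arns.get_resource_type_name_with_raw_arn

     The resource type segment of the raw ARN format ("environment") must be
     returned. ``assertEqual`` replaces ``assertTrue(value, "environment")``,
     whose second argument is the failure message, not an expected value —
     the old form only checked that the result was truthy.
     """
     raw_arn = "arn:${Partition}:cloud9:${Region}:${Account}:environment:${ResourceId}"
     self.assertEqual(get_resource_type_name_with_raw_arn(raw_arn),
                      "environment")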