def _get_denied_prefixes_from_desired(desired_actions):
    """Return the set of prefixes covering every permission absent from *desired_actions*.

    Every permission in ``all_permissions`` that is not desired is treated as
    denied, and each denied permission contributes the prefixes that
    ``_get_prefixes_for_action`` reports for it.
    """
    denied_actions = all_permissions.difference(desired_actions)
    return {
        prefix
        for action in denied_actions
        for prefix in _get_prefixes_for_action(action)
    }
def _invert_actions(actions):
    """Return every permission known to policyuniverse that is absent from *actions*.

    The import is deferred to call time, as in the original, so the module
    loads even when policyuniverse is not needed.
    """
    from policyuniverse import all_permissions as catalogue

    inverted = catalogue.difference(actions)
    return inverted
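def _linearise(value):
    """Flatten a policy element value into a flat list of string tokens.

    ``value`` may be a str, list, set or dict, whatever the statement held.
    It is stringified, the quote/brace/bracket/space characters that Python's
    repr adds are stripped, and the remainder is split on commas. This is the
    same technique the original code repeated inline five times; it relies on
    the tokens themselves (IAM action names, ARNs, account ids) containing no
    comma, quote, brace, bracket or space, which holds for well-formed AWS
    policy elements. An empty list yields ``[""]``; note that ``repr(set())``
    is ``"set()"``, so callers must not pass an empty set.
    """
    text = str(value)
    for char in ("'", "{", "}", "[", "]", " "):
        text = text.replace(char, "")
    return text.split(",")


def _first_present(statement, keys, default=None):
    """Return ``(value, key)`` for the first of *keys* found in *statement*.

    Policy elements come in positive/negated pairs (Action/NotAction,
    Resource/NotResource, Principal/NotPrincipal); the returned key tells the
    caller which form the statement used. Returns ``(default, "")`` when none
    of the keys is present.
    """
    for key in keys:
        if key in statement:
            return statement[key], key
    return default, ""


def getPolicyStatementDetails(statement):
    '''
    Normalise one IAM policy statement into an OrderedDict of its elements.

    The elements of a Policy Statement are:

    i. Action / NotAction
    ii. Effect
    iii. Resource / NotResource
    iv. Sid
    v. Condition
    vi. Principal / NotPrincipal
    Link : https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html

    Parameters
    ----------
    statement : dict
        One entry of a policy's ``Statement`` list, as parsed from JSON. It
        must contain ``Effect`` and one of ``Action``/``NotAction``; the other
        elements are optional. The dict is not modified.

    Returns
    -------
    OrderedDict with these keys, in this order:

    ``Action``
        Sorted, de-duplicated list of the action strings as written.
    ``ActionKey``
        ``"Action"`` or ``"NotAction"``. ``Action`` must always be read together
        with it: ``{"NotAction": "iam:*"}`` comes back as
        ``ActionKey="NotAction", Action=["iam:*"]``.
    ``Aaia_ExpandedAction``
        Comma-separated, sorted string of every concrete action the statement
        names once wildcards are expanded. For a ``NotAction`` statement it is
        the complement against ``all_permissions``. ``""`` when nothing expands.
    ``Effect``
        The statement's Effect, unchanged.
    ``Resource``
        Sorted list of resource strings, or ``set()`` when the statement has
        neither Resource nor NotResource (e.g. AssumeRole trust policies).
    ``ResourceKey``
        ``"Resource"``, ``"NotResource"`` or ``""``.
    ``Condition``
        The Condition block serialised with ``json.dumps``, or ``""`` when it
        is absent or empty. It is carried for display only and is NOT
        evaluated here.
    ``Principal``
        Mapping of principal type -> sorted list of members. A bare ``"*"`` is
        rewritten to ``{"AWS": ["*"]}`` (anonymous access). ``set()`` when the
        statement has no principal.
    ``PrincipalKey``
        ``"Principal"``, ``"NotPrincipal"`` or ``""``.
    ``Sid``
        The statement id, or ``""``.

    Raises
    ------
    KeyError
        If ``Effect`` is missing, or neither ``Action`` nor ``NotAction`` is present.

    Notes
    -----
    ``Aaia_ExpandedAction`` is produced by expanding the action element
    (presumably that is all ``get_actions_from_statement`` looks at); the
    Condition is only stringified and never applied, so read the expanded set
    as the upper bound of what the statement can touch, not as an
    effective-permissions answer.
    '''

    # --- Action / NotAction ------------------------------------------------
    statement_action, statement_action_key = _first_present(
        statement, ("Action", "NotAction"))
    if not statement_action_key:
        # A statement without either form is malformed; surface it the same
        # way the original lookup did.
        raise KeyError("statement has neither 'Action' nor 'NotAction'")

    # Sorting (and de-duplicating) matters: the values end up as properties
    # of PolicyStatement relationships, and a stable order stops re-syncs
    # from creating duplicate relationships.
    statement_action = sorted(set(_linearise(statement_action)))

    # --- Resource / NotResource -------------------------------------------
    # AssumeRole (trust) policies carry no Resource at all; keep set() / ""
    # for that case so callers can tell "absent" from "empty".
    statement_resource, statement_resource_key = _first_present(
        statement, ("Resource", "NotResource"), default=set())
    if statement_resource_key:
        statement_resource = sorted(set(_linearise(statement_resource)))

    # --- Effect (mandatory) ------------------------------------------------
    statement_effect = statement['Effect']

    # --- Principal / NotPrincipal -----------------------------------------
    # Principals are not part of every policy type (identity-based policies
    # have none), hence the default.
    statement_principal, statement_principal_key = _first_present(
        statement, ("Principal", "NotPrincipal"), default=set())
    if statement_principal:
        if statement_principal == '*' or statement_principal == ['*']:
            # Anonymous access: the sub key should be AWS (Ref:
            # https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
            # -> Everyone (anonymous users)).
            statement_principal = OrderedDict([("AWS", ["*"])])
        # Build a fresh mapping instead of rewriting the statement's own
        # Principal dict in place, so the caller's input is left untouched.
        # Assumes the value is "*" or a mapping, the forms AWS documents;
        # anything else would fail on .items() -- TODO confirm callers never
        # pass a malformed principal.
        normalised_principal = OrderedDict()
        for principal_type, members in statement_principal.items():
            normalised_principal[principal_type] = sorted(set(_linearise(members)))
        statement_principal = normalised_principal

    # --- Condition / Sid ---------------------------------------------------
    # Kept as a JSON string for display on the statement relation; it is not
    # evaluated anywhere here. Return the dict instead if evaluation is ever
    # added.
    condition = statement.get('Condition', {})
    statement_condition = "" if condition == {} else json.dumps(condition)

    statement_sid = statement.get('Sid', "")

    # --- Wildcard expansion ------------------------------------------------
    # Policy Universe's get_actions_from_statement only understands Action,
    # so a NotAction statement is fed to it under the Action key and the
    # expanded set is inverted against all_permissions afterwards.
    temp = OrderedDict()
    is_not_action = False
    for key in statement.keys():
        if key == "Action":
            temp[key] = statement_action
        elif key == "NotAction":
            temp["Action"] = statement_action
            is_not_action = True
        else:
            temp[key] = statement[key]

    expanded_actions = set(expander_minimizer.get_actions_from_statement(temp))
    if is_not_action:
        # NotAction applies to everything *except* the listed actions, so the
        # effective set is the complement of what was listed.
        expanded_actions = set(all_permissions.difference(expanded_actions))

    # Sorted, comma-separated string. The previous stringify-and-strip round
    # trip produced the literal text "set()" for an empty expansion; join()
    # yields "" instead.
    statement_aaia_expanded_action = ",".join(sorted(expanded_actions))

    # ActionKey / ResourceKey / PrincipalKey say which form (positive or
    # negated) the statement used; Action / Resource / Principal hold the
    # values. Both halves are needed to evaluate the statement.
    return OrderedDict([
        ('Action', statement_action),
        ('ActionKey', statement_action_key),
        ('Aaia_ExpandedAction', statement_aaia_expanded_action),
        ('Effect', statement_effect),
        ('Resource', statement_resource),
        ('ResourceKey', statement_resource_key),
        ('Condition', statement_condition),
        ('Principal', statement_principal),
        ('PrincipalKey', statement_principal_key),
        ('Sid', statement_sid),
    ])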