def test_deny_statement():
    """An explicit Deny on an action overrides a blanket Allow.

    The policy allows ``*`` on ``*`` and denies ``S3:GetObject`` on ``*``.
    The expected result is ``(False, True)``; the pair presumably reads as
    (allowed, explicitly denied) -- confirm against
    ``evaluate_policy_for_permission``.
    """
    allow_everything = {
        "action": ["*"],
        "resource": ["*"],
        "effect": "Allow",
    }
    deny_get_object = {
        "action": ["S3:GetObject"],
        "resource": ["*"],
        "effect": "Deny",
    }
    policy = [allow_everything, deny_get_object]
    outcome = permission_relationships.evaluate_policy_for_permission(
        policy,
        ["S3:GetObject"],
        "arn:aws:s3:::testbucket",
    )
    # The Deny is listed after the Allow and is still expected to win.
    assert outcome == (False, True)
def test_multiple_comma():
    """Wildcards in both action and resource still yield an Allow.

    The action ``s3:?et*`` and the resource ``arn:aws:s3:::????bucket`` use
    ``?`` and ``*`` placeholders, and the requested permission is spelled
    ``S3:GetObject``, so the expected ``(True, False)`` also relies on the
    service prefix being compared without regard to case.
    """
    # NOTE(review): the name mentions "comma" but the fixture only exercises
    # `?` / `*` wildcards -- consider renaming for clarity.
    wildcard_allow = {
        "action": ["s3:?et*"],
        "resource": ["arn:aws:s3:::????bucket"],
        "effect": "Allow",
    }
    outcome = permission_relationships.evaluate_policy_for_permission(
        [wildcard_allow],
        ["S3:GetObject"],
        "arn:aws:s3:::testbucket",
    )
    assert outcome == (True, False)
def test_resource_substring():
    """A resource that is only a prefix of the target ARN must not match.

    The statement names ``arn:aws:s3:::test`` while the evaluated resource is
    ``arn:aws:s3:::testbucket``; the expected result is ``(False, False)``,
    i.e. neither an Allow nor an explicit Deny.
    """
    # NOTE(review): the action is "s3.*" (dot), not the IAM glob "s3:*". If
    # that pattern does not match "S3:GetObject" either, this test passes on
    # the action alone and never proves the resource is anchored -- confirm,
    # since a substring match on resources would over-grant access.
    prefix_only_allow = {
        "action": ["s3.*"],
        "resource": ["arn:aws:s3:::test"],
        "effect": "Allow",
    }
    outcome = permission_relationships.evaluate_policy_for_permission(
        [prefix_only_allow],
        ["S3:GetObject"],
        "arn:aws:s3:::testbucket",
    )
    assert outcome == (False, False)
def test_notaction_malformed():
    """A malformed ``notaction`` pattern excludes nothing, so Allow applies.

    ``s3.*`` uses a dot where an IAM action would use a colon. The expected
    ``(True, False)`` pins that such a pattern does not exclude
    ``S3:GetObject`` from the Allow on ``*``.
    """
    # Worth keeping in mind when reading results: a typo in a NotAction list
    # widens the grant rather than narrowing it.
    malformed_exclusion = {
        "notaction": ["s3.*"],
        "resource": ["*"],
        "effect": "Allow",
    }
    outcome = permission_relationships.evaluate_policy_for_permission(
        [malformed_exclusion],
        ["S3:GetObject"],
        "arn:aws:s3:::testbucket",
    )
    assert outcome == (True, False)
def test_admin_statements():
    """An administrator-style policy (``*`` on ``*``) allows the permission.

    With a single Allow statement and no Deny, the expected result is
    ``(True, False)``.
    """
    admin_allow = {
        "action": ["*"],
        "resource": ["*"],
        "effect": "Allow",
    }
    outcome = permission_relationships.evaluate_policy_for_permission(
        [admin_allow],
        ["S3:GetObject"],
        "arn:aws:s3:::testbucket",
    )
    assert outcome == (True, False)
def test_single_permission_resource_non_match():
    """A matching action on a different resource grants nothing.

    ``s3:Get*`` covers the requested ``S3:GetObject``, but the statement is
    scoped to ``arn:aws:s3:::nottest`` rather than the evaluated bucket, so
    the expected result is ``(False, False)``.
    """
    other_bucket_allow = {
        "action": ["s3:Get*"],
        "resource": ["arn:aws:s3:::nottest"],
        "effect": "Allow",
    }
    outcome = permission_relationships.evaluate_policy_for_permission(
        [other_bucket_allow],
        ["S3:GetObject"],
        "arn:aws:s3:::testbucket",
    )
    assert outcome == (False, False)
def test_multiple_non_matching_permission():
    """No requested permission is covered, so nothing is allowed.

    The policy allows only ``S3:GetObject``; the permissions asked for are
    ``S3:PutObject`` and ``S3:ListBuckets``. The expected result is
    ``(False, False)`` even though the resource is ``*``.
    """
    get_object_only = {
        "action": ["S3:GetObject"],
        "resource": ["*"],
        "effect": "Allow",
    }
    requested = ["S3:PutObject", "S3:ListBuckets"]
    outcome = permission_relationships.evaluate_policy_for_permission(
        [get_object_only],
        requested,
        "arn:aws:s3:::testbucket",
    )
    assert outcome == (False, False)