Example #1
0
def expand_policy(input_file):  # pylint: disable=redefined-builtin
    """
    Expand the * Actions in IAM policy files to improve readability
    """
    with open(input_file) as json_file:
        logger.debug(f"Opening {input_file}")
        data = json.load(json_file)
        policy = get_expanded_policy(data)
        print(json.dumps(policy, indent=4))
Example #2
0
def expand_policy(input_file: str, verbosity: int) -> None:
    """
    Expand the * Actions in IAM policy files to improve readability
    """
    set_log_level(verbosity)

    with open(input_file) as json_file:
        logger.debug(f"Opening {input_file}")
        data = json.load(json_file)
        policy = get_expanded_policy(data)
        print(json.dumps(policy, indent=4))
Example #3
0
def expand_policy(input_file, verbose):  # pylint: disable=redefined-builtin
    """
    Expand the * Actions in IAM policy files to improve readability
    """
    if verbose:
        log_level = getattr(logging, verbose.upper())
        change_log_level(log_level)
    with open(input_file) as json_file:
        logger.debug(f"Opening {input_file}")
        data = json.load(json_file)
        policy = get_expanded_policy(data)
        print(json.dumps(policy, indent=4))
Example #4
0
def analyze_by_access_level(policy_json, access_level):
    """
    Determine if a policy has any actions with a given access level. This is particularly useful when determining who
    has 'Permissions management' level access

    :param policy_json: a dictionary representing the AWS JSON policy
    :param access_level: The normalized access level - either 'read', 'list', 'write', 'tagging', or 'permissions-management'
    """
    expanded_policy = get_expanded_policy(policy_json)
    requested_actions = get_actions_from_policy(expanded_policy)
    # expanded_actions = determine_actions_to_expand(requested_actions)
    actions_by_level = remove_actions_not_matching_access_level(
        requested_actions, access_level
    )
    return actions_by_level
Example #5
0
 def test_policy_expansion(self):
     """command.expand_policy.get_expanded_policy: Test the expansion of the cloud9 service"""
     policy = {
         "Version":
         "2012-10-17",
         "Statement": [{
             "Sid": "TestSID",
             "Effect": "Allow",
             "Action": ["cloud9:*"],
             "Resource": "*",
         }],
     }
     output = get_expanded_policy(policy)
     # print(json.dumps(output, indent=4))
     desired_output = {
         "Version":
         "2012-10-17",
         "Statement": [{
             "Sid":
             "TestSID",
             "Effect":
             "Allow",
             "Action": [
                 "cloud9:CreateEnvironmentEC2",
                 "cloud9:CreateEnvironmentMembership",
                 "cloud9:DeleteEnvironment",
                 "cloud9:DeleteEnvironmentMembership",
                 "cloud9:DescribeEnvironmentMemberships",
                 "cloud9:DescribeEnvironmentStatus",
                 "cloud9:DescribeEnvironments",
                 "cloud9:GetUserSettings",
                 "cloud9:ListEnvironments",
                 "cloud9:ListTagsForResource",
                 "cloud9:TagResource",
                 "cloud9:UntagResource",
                 "cloud9:UpdateEnvironment",
                 "cloud9:UpdateEnvironmentMembership",
                 "cloud9:UpdateUserSettings",
             ],
             "Resource":
             "*",
         }],
     }
     self.maxDiff = None
     self.assertDictEqual(output, desired_output)
Example #6
0
 def test_policy_expansion(self):
     """command.expand_policy.get_expanded_policy: Test the expansion of the cloud9 service"""
     policy = {
         "Version":
         "2012-10-17",
         "Statement": [{
             "Sid": "TestSID",
             "Effect": "Allow",
             "Action": ["cloud9:*"],
             "Resource": "*",
         }],
     }
     output = get_expanded_policy(policy)
     # print(json.dumps(output, indent=4))
     desired_output = {
         "Version":
         "2012-10-17",
         "Statement": [{
             "Sid":
             "TestSID",
             "Effect":
             "Allow",
             "Action": [
                 "cloud9:CreateEnvironmentEC2",
                 "cloud9:CreateEnvironmentMembership",
                 "cloud9:DeleteEnvironment",
                 "cloud9:DeleteEnvironmentMembership",
                 "cloud9:DescribeEnvironmentMemberships",
                 "cloud9:DescribeEnvironmentStatus",
                 "cloud9:DescribeEnvironments",
                 "cloud9:GetUserSettings",
                 "cloud9:ListEnvironments",
                 "cloud9:ListTagsForResource",
                 "cloud9:TagResource",
                 "cloud9:UntagResource",
                 "cloud9:UpdateEnvironment",
                 "cloud9:UpdateEnvironmentMembership",
                 "cloud9:UpdateUserSettings",
             ],
             "Resource":
             "*",
         }],
     }
     expected_statement_ids = ["TestSID"]
     for statement in output.get("Statement"):
         self.assertTrue(statement.get("Sid") in expected_statement_ids)
     expected_actions = [
         "cloud9:CreateEnvironmentEC2",
         "cloud9:CreateEnvironmentMembership",
         "cloud9:DeleteEnvironment",
         "cloud9:DeleteEnvironmentMembership",
         "cloud9:DescribeEnvironmentMemberships",
         "cloud9:DescribeEnvironmentStatus",
         "cloud9:DescribeEnvironments",
         "cloud9:GetUserSettings",
         "cloud9:ListEnvironments",
         "cloud9:ListTagsForResource",
         "cloud9:TagResource",
         "cloud9:UntagResource",
         "cloud9:UpdateEnvironment",
         "cloud9:UpdateEnvironmentMembership",
         "cloud9:UpdateUserSettings",
     ]
     for action in expected_actions:
         self.assertTrue(action in output["Statement"][0]["Action"])