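def expand(action):  # FIXME [MJ] change the name to be more descriptive
    """Expand IAM action wildcards into the concrete actions they match.

    ``action`` is either a single action string (for example ``"s3:GetObject"``
    or a glob such as ``"s3:Get*"``) or a list of such strings, which may be
    nested. Every returned action is lower-cased.

    Args:
        action: An action string, or a (possibly nested) list of them.

    Returns:
        A flat ``list[str]`` of lower-cased actions. A non-wildcard action is
        returned as a one-element list. A wildcard that matches nothing in the
        action database is reported on stdout and returned as-is, so callers
        must expect an unexpanded wildcard to survive into the policy.
    """
    # Load the action list once for the whole call. Previously every element of
    # a list recursed into expand() and reopened the database connection.
    db_session = connect_db(DATABASE_FILE_PATH)
    all_actions = get_all_actions(db_session)
    return _expand_with_actions(action, all_actions)


def _expand_with_actions(action, all_actions):
    """Expand ``action`` against an already-loaded action list (see ``expand``)."""
    if isinstance(action, list):
        expanded_actions = []
        for item in action:
            expanded_actions.extend(_expand_with_actions(item, all_actions))
        return expanded_actions

    # Only "*" triggers glob matching: an action string without "*" is never
    # matched as a pattern, even if it contains "?" or "[...]".
    if "*" not in action:
        return [action.lower()]

    pattern = action.lower()
    # Both sides are lower-cased first, so fnmatchcase (no platform-dependent
    # case folding) gives a case-insensitive match on the action names.
    expanded = [
        known_action.lower()
        for known_action in all_actions
        if fnmatch.fnmatchcase(known_action.lower(), pattern)
    ]
    if not expanded:
        # Wildcard for a service/prefix not in the database: pass it through
        # unchanged. The bare wildcard then lands verbatim in the generated
        # Allow statement, so it is worth surfacing rather than dropping.
        print(
            "ERROR: The action {} references a wildcard for an unknown resource.".format(action))
        return [action.lower()]
    return expanded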
def print_policy(arn_dict_with_actions_and_resources, db_session, minimize=None):
    """
    Builds the policy dictionary given the output of
    write_policy_with_access_levels or write_policy_with_actions.

    Each entry of the input mapping becomes one Allow statement whose Sid,
    Action and Resource come from the entry's 'name', 'actions' and 'arns'
    keys. When ``minimize`` is an int, the action list of every statement is
    first collapsed by minimize_statement_actions using that value as
    ``minchars``; the resulting prefix wildcards also match any same-prefix
    action a service adds later, so the minimized statement can be broader
    than the explicit list it replaces.

    Returns the policy document as a dict (nothing is printed).
    """
    all_actions = get_all_actions(db_session)
    # isinstance() is False for None, so the explicit None check is implied.
    should_minimize = isinstance(minimize, int)

    statements = []
    for entry in arn_dict_with_actions_and_resources.values():
        actions = entry['actions']
        if should_minimize:
            actions = minimize_statement_actions(
                actions, all_actions, minchars=minimize)
        statements.append({
            "Sid": entry['name'],
            "Effect": "Allow",
            "Action": actions,
            "Resource": entry['arns'],
        })

    return {"Version": policy_language_version, "Statement": statements}
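def print_policy(arn_dict_with_actions_and_resources, db_session, minimize=None):
    """Build the least-privilege policy document and return it as a dict.

    Despite the name, nothing is printed; the caller decides how to emit the
    result.

    Args:
        arn_dict_with_actions_and_resources: Mapping of statement id to a dict
            with 'name' (becomes the Sid), 'actions' (list of IAM actions) and
            'arns' (the Resource list).
        db_session: Session used to load the full action list when minimizing.
        minimize: When an int, every statement's action list is collapsed by
            minimize_statement_actions with ``minchars=minimize``. Note that a
            bool is also an int, so ``minimize=True`` is treated as ``1``.

    Returns:
        A policy dict of the form
        ``{"Version": POLICY_LANGUAGE_VERSION, "Statement": [...]}`` where each
        statement has Effect "Allow". Minimized action lists are prefix
        wildcards (e.g. ``kms:createc*``), which also match any same-prefix
        action a service introduces later, so the statement can be broader
        than the explicit action list it replaces.
    """
    all_actions = get_all_actions(db_session)
    # isinstance() already rejects None, so no separate None check is needed.
    should_minimize = isinstance(minimize, int)

    statement = []
    for entry in arn_dict_with_actions_and_resources.values():
        actions = entry['actions']
        if should_minimize:
            actions = minimize_statement_actions(
                actions, all_actions, minchars=minimize)
        statement.append({
            "Sid": entry['name'],
            "Effect": "Allow",
            "Action": actions,
            "Resource": entry['arns'],
        })

    return {"Version": POLICY_LANGUAGE_VERSION, "Statement": statement}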
def test_minimize_statement_actions(self):
    """minimize_statement_actions collapses the given actions into the
    prefix wildcards listed in ``expected`` (order is not significant)."""
    candidates = [
        "kms:creategrant",
        "kms:createcustomkeystore",
        "ec2:authorizesecuritygroupegress",
        "ec2:authorizesecuritygroupingress",
    ]
    expected = ['ec2:authorizes*', 'kms:createc*', 'kms:createg*']
    known_actions = get_all_actions(db_session)
    minchars = None

    result = minimize_statement_actions(candidates, known_actions, minchars)

    self.assertListEqual(sorted(result), sorted(expected))