 def test_print_policy_with_actions_having_dependencies(self):
     """Expand actions with their dependent actions, then render a policy.

     ``actions_test_data_1`` is expanded via ``get_dependent_actions``
     before being grouped and printed. In the expected policy the
     key-scoped action stays on a KMS key ARN, while the two actions in
     the ``MultMultNone`` statement (presumably the action and the
     dependency it pulled in) land on Resource ``*``.
     """
     expected_policy = {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "KmsPermissionsmanagementKey",
                 "Effect": "Allow",
                 "Action": ["kms:creategrant"],
                 "Resource": ["arn:aws:kms:${Region}:${Account}:key/${KeyId}"],
             },
             {
                 "Sid": "MultMultNone",
                 "Effect": "Allow",
                 "Action": ["kms:createcustomkeystore", "cloudhsm:describeclusters"],
                 "Resource": ["*"],
             },
         ],
     }
     expanded_actions = get_dependent_actions(db_session, actions_test_data_1)
     group = ArnActionGroup()
     policy_elements = group.process_list_of_actions(expanded_actions, db_session)
     self.maxDiff = None  # show the whole dict diff when the assertion fails
     rendered_policy = print_policy(policy_elements, db_session)
     self.assertDictEqual(rendered_policy, expected_policy)
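    def test_missing_access_levels(self):
        """
        test_missing_access_levels: write-policy --crud command when YAML File is missing access levels

        The config below carries only ``list``, ``tag`` and
        ``permissions-management`` entries; per the test name the set of
        access-level keys is incomplete, and processing it is expected to
        terminate with ``SystemExit``.
        :return:
        """
        cfg_with_missing_access_levels = {
            "roles_with_crud_levels": [{
                "name":
                "RoleNameWithCRUD",
                "description":
                "Why I need these privs",
                "arn":
                "arn:aws:iam::559410426617:role/RiskyEC2",
                "list": [
                    "arn:aws:s3:::example-org-flow-logs",
                    "arn:aws:s3:::example-org-sbx-vmimport/stuff"
                ],
                "tag": ["arn:aws:ssm:us-east-1:123456789012:parameter/test"],
                "permissions-management":
                ["arn:aws:s3:::example-org-s3-access-logs"]
            }]
        }

        # Build the group outside the assertRaises block: only
        # process_resource_specific_acls is under test, so a SystemExit
        # raised by the constructor must not satisfy the assertion.
        arn_action_group = ArnActionGroup()
        with self.assertRaises(SystemExit):
            arn_action_group.process_resource_specific_acls(
                cfg_with_missing_access_levels, db_session)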
    def test_wildcard_when_not_necessary(self):
        """test_wildcard_when_not_necessary: Attempts bypass of CRUD mode wildcard-only"""
        cfg = {
            'roles_with_crud_levels': [{
                'name': 'RoleNameWithCRUD',
                'description': 'Why I need these privs',
                'arn': 'arn:aws:iam::123456789012:role/RiskyEC2',
                'permissions-management': ['arn:aws:s3:::example-org-s3-access-logs'],
                'wildcard': [
                    # These three are genuinely wildcard-only actions; check with
                    # `policy_sentry query action-table --service secretsmanager --wildcard-only`
                    'ram:enablesharingwithawsorganization',
                    'ram:getresourcepolicies',
                    'secretsmanager:createsecret',
                    # This one can be scoped to a "secret" ARN as well as "*".
                    # Listing it under 'wildcard' is an attempt to have it granted
                    # on Resource "*" instead of a specific secret; the tool must
                    # drop it here while still honouring explicit requests for
                    # actions that really need wildcard mode.
                    'secretsmanager:putsecretvalue'
                ]
            }]
        }
        group = ArnActionGroup()

        policy_elements = group.process_resource_specific_acls(cfg, db_session)
        output = print_policy(policy_elements, db_session, None)
        print(json.dumps(output, indent=4))  # echo the rendered policy for debugging

        # putsecretvalue is absent: it was not granted on "*".
        wildcard_statement = {
            "Sid": "MultMultNone",
            "Effect": "Allow",
            "Action": [
                "ram:enablesharingwithawsorganization",
                "ram:getresourcepolicies",
                "secretsmanager:createsecret",
            ],
            "Resource": ["*"],
        }
        bucket_statement = {
            "Sid": "S3PermissionsmanagementBucket",
            "Effect": "Allow",
            "Action": [
                "s3:deletebucketpolicy",
                "s3:putbucketacl",
                "s3:putbucketpolicy",
                "s3:putbucketpublicaccessblock",
            ],
            "Resource": ["arn:aws:s3:::example-org-s3-access-logs"],
        }
        desired_output = {
            "Version": "2012-10-17",
            "Statement": [wildcard_statement, bucket_statement],
        }
        self.maxDiff = None
        self.assertDictEqual(output, desired_output)
def write_policy_with_access_levels(cfg, db_session, minimize_statement=False):
    """
    Writes an IAM policy given a dict containing Access Levels and ARNs.

    :param cfg: config dict mapping access levels to ARNs (the
        ``roles_with_crud_levels`` layout used by the CRUD tests).
    :param db_session: database session handed to ArnActionGroup and
        print_policy.
    :param minimize_statement: forwarded to print_policy unchanged.
    :return: whatever print_policy returns for the grouped ARNs.
    """
    group = ArnActionGroup()
    policy_elements = group.process_resource_specific_acls(cfg, db_session)
    return print_policy(policy_elements, db_session, minimize_statement)
def write_policy_with_actions(cfg, db_session, minimize_statement=False):
    """
    Writes an IAM policy given a dict containing lists of actions.

    The actions of every role in ``cfg`` are pooled into one list,
    expanded with their dependent actions (``get_dependent_actions``),
    handed to ``ArnActionGroup.process_list_of_actions`` and finally
    rendered by ``print_policy``.

    :param cfg: config dict consumed by Roles.process_actions_config.
    :param db_session: database session handed to the helpers.
    :param minimize_statement: forwarded to print_policy unchanged.
    :return: whatever print_policy returns.
    """
    roles = Roles()
    roles.process_actions_config(cfg)
    # Index 3 of each get_roles() entry is that role's list of actions.
    pooled_actions = [
        action
        for role in roles.get_roles()
        for action in role[3]
    ]
    expanded_actions = get_dependent_actions(db_session, pooled_actions)
    group = ArnActionGroup()
    policy_elements = group.process_list_of_actions(expanded_actions, db_session)
    return print_policy(policy_elements, db_session, minimize_statement)
 def test_write_policy(self):
     """Render one permissions-management bucket ARN into a policy.

     The expected statement is scoped to the supplied bucket ARN (not
     ``*``) and carries the four bucket policy/ACL actions.
     """
     group = ArnActionGroup()
     user_arns = ["arn:aws:s3:::example-org-s3-access-logs"]
     access_level = "Permissions management"
     expected_statement = {
         'Sid': 'S3PermissionsmanagementBucket',
         'Effect': 'Allow',
         'Action': [
             's3:deletebucketpolicy',
             's3:putbucketacl',
             's3:putbucketpolicy',
             's3:putbucketpublicaccessblock',
         ],
         'Resource': ['arn:aws:s3:::example-org-s3-access-logs'],
     }
     desired_output = {
         'Version': '2012-10-17',
         'Statement': [expected_statement],
     }
     group.add(db_session, user_arns, access_level)
     group.update_actions_for_raw_arn_format(db_session)
     policy_elements = group.get_policy_elements(db_session)
     policy = print_policy(policy_elements, db_session)
     self.assertEqual(policy, desired_output)
 def test_add_s3_permissions_management_arn(self):
     """``add`` records the ARN with its service, access level and ARN format.

     Right after ``add`` the entry's ``actions`` list is still empty; it is
     populated by ``update_actions_for_raw_arn_format`` in a later step.
     """
     group = ArnActionGroup()
     user_arns = ["arn:aws:s3:::example-org-s3-access-logs"]
     access_level = "Permissions management"
     group.add(db_session, user_arns, access_level)
     recorded_arns = group.get_arns()
     print(recorded_arns)  # echo for debugging
     self.assertEqual(recorded_arns, [{
         'arn': 'arn:aws:s3:::example-org-s3-access-logs',
         'service': 's3',
         'access_level': 'Permissions management',
         'arn_format': 'arn:aws:s3:::${BucketName}',
         'actions': [],
     }])
 def test_update_actions_for_raw_arn_format(self):
     """``update_actions_for_raw_arn_format`` fills in the entry's actions.

     For the bucket ARN at the "Permissions management" level the four
     bucket policy/ACL actions are resolved (via ``db_session``) and
     stored on the entry created by ``add``.
     """
     group = ArnActionGroup()
     user_arns = ["arn:aws:s3:::example-org-s3-access-logs"]
     access_level = "Permissions management"
     group.add(db_session, user_arns, access_level)
     group.update_actions_for_raw_arn_format(db_session)
     recorded_arns = group.get_arns()
     print(recorded_arns)  # echo for debugging
     self.assertEqual(recorded_arns, [{
         'arn': 'arn:aws:s3:::example-org-s3-access-logs',
         'service': 's3',
         'access_level': 'Permissions management',
         'arn_format': 'arn:aws:s3:::${BucketName}',
         'actions': [
             "s3:deletebucketpolicy",
             "s3:putbucketacl",
             "s3:putbucketpolicy",
             "s3:putbucketpublicaccessblock",
         ],
     }])
 def test_get_policy_elements(self):
     """``get_policy_elements`` keys each statement by its Sid-style name.

     Each value carries the name again plus the resolved ``actions`` and
     the ``arns`` they apply to.
     """
     group = ArnActionGroup()
     user_arns = ["arn:aws:s3:::example-org-s3-access-logs"]
     access_level = "Permissions management"
     group.add(db_session, user_arns, access_level)
     group.update_actions_for_raw_arn_format(db_session)
     policy_elements = group.get_policy_elements(db_session)
     print(policy_elements)  # echo for debugging
     self.assertEqual(policy_elements, {
         'S3PermissionsmanagementBucket': {
             'name': 'S3PermissionsmanagementBucket',
             'actions': [
                 's3:deletebucketpolicy',
                 's3:putbucketacl',
                 's3:putbucketpolicy',
                 's3:putbucketpublicaccessblock',
             ],
             'arns': ['arn:aws:s3:::example-org-s3-access-logs'],
         },
     })