def test_write_crud_policy_with_library_only(self):
     """test_write_crud_policy_with_library_only: Write an actions mode policy without using the command line at all (library only)"""
     db_session = connect_db('bundled')
     crud_template = get_crud_template_dict()
     wildcard_actions_to_add = [
         "kms:createcustomkeystore", "cloudhsm:describeclusters"
     ]
     print(crud_template)
     crud_template['policy_with_crud_levels'][0]['name'] = "MyPolicy"
     crud_template['policy_with_crud_levels'][0][
         'description'] = "Description"
     crud_template['policy_with_crud_levels'][0]['role_arn'] = "somearn"
     crud_template['policy_with_crud_levels'][0]['read'].append(
         "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret")
     crud_template['policy_with_crud_levels'][0]['write'].append(
         "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret")
     crud_template['policy_with_crud_levels'][0]['list'].append(
         "arn:aws:s3:::example-org-sbx-vmimport/stuff")
     crud_template['policy_with_crud_levels'][0][
         'permissions-management'].append(
             "arn:aws:kms:us-east-1:123456789012:key/123456")
     crud_template['policy_with_crud_levels'][0]['wildcard'].extend(
         wildcard_actions_to_add)
     crud_template['policy_with_crud_levels'][0]['tagging'].append(
         "arn:aws:ssm:us-east-1:123456789012:parameter/test")
     # Modify it
     policy = write_policy_with_access_levels(db_session, crud_template,
                                              None)
     # print(json.dumps(policy, indent=4))
     self.assertDictEqual(desired_crud_policy, policy)
 def test_write_crud_policy_with_library_only(self):
     """test_write_crud_policy_with_library_only: Write a policy in CRUD mode without using the command line at all (library only)

     Fills in the CRUD template through the library API, runs it through
     SidGroup.process_template against the bundled database, and checks the
     result against the module-level desired_crud_policy fixture.
     """
     db_session = connect_db("bundled")
     crud_template = get_crud_template_dict()
     crud_template["mode"] = "crud"
     secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret"
     # (access level, resource ARN) pairs appended to the template; each list
     # is independent, so the order of appends does not affect the outcome.
     resources_by_level = [
         ("read", secret_arn),
         ("write", secret_arn),
         ("list", "arn:aws:s3:::example-org-sbx-vmimport/stuff"),
         ("permissions-management",
          "arn:aws:kms:us-east-1:123456789012:key/123456"),
         ("tagging", "arn:aws:ssm:us-east-1:123456789012:parameter/test"),
     ]
     for access_level, resource_arn in resources_by_level:
         crud_template[access_level].append(resource_arn)
     # Only one wildcard action is added here; "cloudhsm:describeclusters" is
     # deliberately left out of this test.
     crud_template["wildcard"].extend(["kms:CreateCustomKeyStore"])
     # minimize=None keeps the full action list in the generated statements.
     policy = SidGroup().process_template(
         db_session, crud_template, minimize=None
     )
     # Large dict comparison: show the complete diff on failure.
     self.maxDiff = None
     self.assertDictEqual(desired_crud_policy, policy)
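 def test_write_crud_policy_with_library_only(self):
     """test_write_crud_policy_with_library_only: Write a policy in CRUD mode without using the command line at all (library only)

     Fills in the CRUD template (including a wildcard-only single action and
     an sts assume-role target), runs it through SidGroup.process_template,
     and checks that every emitted statement carries one of the expected Sids.

     NOTE: this only checks membership. A policy that is missing one of the
     expected statements still passes; it does not check completeness.
     """
     another_crud_template = get_crud_template_dict()
     wildcard_actions_to_add = [
         "kms:CreateCustomKeyStore",
         # "cloudhsm:describeclusters",
     ]
     another_crud_template["mode"] = "crud"
     another_crud_template["read"].append(
         "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret")
     another_crud_template["write"].append(
         "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret")
     another_crud_template["list"].append(
         "arn:aws:s3:::example-org-sbx-vmimport/stuff")
     another_crud_template["permissions-management"].append(
         "arn:aws:kms:us-east-1:123456789012:key/123456")
     another_crud_template["tagging"].append(
         "arn:aws:ssm:us-east-1:123456789012:parameter/test")
     # Wildcard-only actions cannot be scoped to a resource ARN; keep this
     # list to actions that genuinely need "*".
     another_crud_template["wildcard-only"]["single-actions"].extend(
         wildcard_actions_to_add)
     another_crud_template["sts"]["assume-role"].append(
         "arn:aws:iam::123456789012:role/demo")
     sid_group = SidGroup()
     result = sid_group.process_template(another_crud_template)
     expected_statement_ids = [
         "MultMultNone",
         "SecretsmanagerReadSecret",
         "SecretsmanagerWriteSecret",
         "S3ListObject",
         "SsmTaggingParameter",
         "KmsPermissionsmanagementKey",
         "AssumeRole",
     ]
     self.maxDiff = None
     # assertIn reports the offending Sid and the expected list on failure,
     # unlike assertTrue(x in y) which only says "False is not true".
     for statement in result.get("Statement"):
         self.assertIn(statement.get("Sid"), expected_statement_ids)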
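 def test_gh_211_write_with_empty_access_level_lists(self):
     """Regression test for GH issue 211: empty access-level lists must not break policy writing.

     Only the read and write levels get a resource; list,
     permissions-management and tagging stay empty. Writing the policy must
     not raise an IndexError, and every emitted statement must carry one of
     the expected Sids.
     """
     crud_template = get_crud_template_dict()
     crud_template['read'].append(
         "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret")
     crud_template['write'].append(
         "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret")
     # The following access levels are deliberately left empty; the original
     # bug was an IndexError when any of them had no entries.
     # crud_template['list'].append("arn:aws:s3:::mybucket/stuff")
     # crud_template['permissions-management'].append("arn:aws:kms:us-east-1:123456789012:key/123456")
     # crud_template['tagging'].append("arn:aws:ssm:us-east-1:123456789012:parameter/test")
     wildcard_actions_to_add = [
         "kms:createcustomkeystore", "cloudhsm:describeclusters"
     ]
     # Wildcard-only actions end up in a statement with Resource "*".
     crud_template['wildcard-only']['single-actions'].extend(
         wildcard_actions_to_add)
     result = write_policy_with_template(crud_template)
     expected_statement_ids = [
         "MultMultNone",
         "SecretsmanagerReadSecret",
         "SecretsmanagerWriteSecret",
     ]
     # assertIn names the unexpected Sid on failure; membership only, this
     # does not check that every expected statement is present.
     for statement in result.get("Statement"):
         self.assertIn(statement.get("Sid"), expected_statement_ids)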
#!/usr/bin/env python

from policy_sentry.writing.template import get_crud_template_dict
from policy_sentry.command.write_policy import write_policy_with_template
import json

if __name__ == '__main__':
    # Fill in the CRUD template through the library API and print the
    # generated policy as indented JSON.
    crud_template = get_crud_template_dict()
    crud_template['mode'] = 'crud'
    secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret"
    # (access level, resource ARN) pairs; each level's list is independent,
    # so the order in which they are appended does not matter.
    resources_by_level = [
        ('read', secret_arn),
        ('write', secret_arn),
        ('list', "arn:aws:s3:::example-org-sbx-vmimport/stuff"),
        ('permissions-management',
         "arn:aws:kms:us-east-1:123456789012:key/123456"),
        ('tagging', "arn:aws:ssm:us-east-1:123456789012:parameter/test"),
    ]
    for access_level, resource_arn in resources_by_level:
        crud_template[access_level].append(resource_arn)
    # Wildcard actions are not tied to any resource ARN.
    crud_template['wildcard'].extend(
        ["kms:createcustomkeystore", "cloudhsm:describeclusters"])
    policy = write_policy_with_template(crud_template)
    print(json.dumps(policy, indent=4))
"""
Output:

{
    "Version": "2012-10-17",
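 def test_gh_211_write_with_empty_access_level_lists(self):
     """Regression test for GH issue 211: empty access-level lists must not break policy writing.

     Only read and write get a resource; list, permissions-management and
     tagging stay empty. The generated policy must equal expected_results
     exactly: one wildcard statement plus one read and one write statement
     for the secret.
     """
     # Actions added under wildcard-only land in a single statement with
     # Resource "*" (the MultMultNone statement), so that list should hold
     # only actions that cannot be constrained to a resource ARN.
     expected_results = {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "MultMultNone",
                 "Effect": "Allow",
                 "Action": ["cloudhsm:DescribeClusters", "kms:CreateCustomKeyStore"],
                 "Resource": ["*"],
             },
             {
                 "Sid": "SecretsmanagerReadSecret",
                 "Effect": "Allow",
                 "Action": [
                     "secretsmanager:DescribeSecret",
                     "secretsmanager:GetResourcePolicy",
                     "secretsmanager:GetSecretValue",
                     "secretsmanager:ListSecretVersionIds",
                 ],
                 "Resource": [
                     "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret"
                 ],
             },
             {
                 "Sid": "SecretsmanagerWriteSecret",
                 "Effect": "Allow",
                 "Action": [
                     "secretsmanager:CancelRotateSecret",
                     "secretsmanager:CreateSecret",
                     "secretsmanager:DeleteSecret",
                     "secretsmanager:PutSecretValue",
                     "secretsmanager:RestoreSecret",
                     "secretsmanager:RotateSecret",
                     "secretsmanager:UpdateSecret",
                     "secretsmanager:UpdateSecretVersionStage",
                 ],
                 "Resource": [
                     "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret"
                 ],
             },
         ],
     }
     crud_template = get_crud_template_dict()
     crud_template['read'].append(
         "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret")
     crud_template['write'].append(
         "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret")
     # The following access levels are deliberately left empty; the original
     # bug was an IndexError when any of them had no entries.
     # crud_template['list'].append("arn:aws:s3:::mybucket/stuff")
     # crud_template['permissions-management'].append("arn:aws:kms:us-east-1:123456789012:key/123456")
     # crud_template['tagging'].append("arn:aws:ssm:us-east-1:123456789012:parameter/test")
     wildcard_actions_to_add = [
         "kms:createcustomkeystore", "cloudhsm:describeclusters"
     ]
     crud_template['wildcard-only']['single-actions'].extend(
         wildcard_actions_to_add)
     result = write_policy_with_template(crud_template)
     # Large dict comparison: show the complete diff on failure.
     self.maxDiff = None
     self.assertDictEqual(result, expected_results)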
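 def test_write_crud_policy_with_library_only(self):
     """test_write_crud_policy_with_library_only: Write a policy in CRUD mode without using the command line at all (library only)

     Fills in the CRUD template through the library API (one resource per
     access level plus one wildcard-only single action), runs it through
     SidGroup.process_template, and compares the result with the
     module-level desired_crud_policy fixture.
     """
     another_crud_template = get_crud_template_dict()
     wildcard_actions_to_add = [
         "kms:CreateCustomKeyStore",
         # "cloudhsm:describeclusters",
     ]
     another_crud_template["mode"] = "crud"
     another_crud_template["read"].append(
         "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret")
     another_crud_template["write"].append(
         "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret")
     another_crud_template["list"].append(
         "arn:aws:s3:::example-org-sbx-vmimport/stuff")
     another_crud_template["permissions-management"].append(
         "arn:aws:kms:us-east-1:123456789012:key/123456")
     another_crud_template["tagging"].append(
         "arn:aws:ssm:us-east-1:123456789012:parameter/test")
     # Wildcard-only actions are emitted with Resource "*" (the MultMultNone
     # statement below); keep this list to actions that cannot take an ARN.
     another_crud_template["wildcard-only"]["single-actions"].extend(
         wildcard_actions_to_add)
     sid_group = SidGroup()
     result = sid_group.process_template(another_crud_template)
     # NOTE(review): expected_result below is not what the assertion compares
     # against -- the test checks result against the module-level
     # desired_crud_policy fixture. Confirm the two agree, or assert against
     # this local value and drop the fixture.
     expected_result = {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "MultMultNone",
                 "Effect": "Allow",
                 "Action": ["cloudhsm:DescribeClusters", "kms:CreateCustomKeyStore"],
                 "Resource": ["*"],
             },
             {
                 "Sid": "SecretsmanagerReadSecret",
                 "Effect": "Allow",
                 "Action": [
                     "secretsmanager:DescribeSecret",
                     "secretsmanager:GetResourcePolicy",
                     "secretsmanager:GetSecretValue",
                     "secretsmanager:ListSecretVersionIds",
                 ],
                 "Resource": [
                     "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret"
                 ],
             },
             {
                 "Sid": "SecretsmanagerWriteSecret",
                 "Effect": "Allow",
                 "Action": [
                     "secretsmanager:CancelRotateSecret",
                     "secretsmanager:CreateSecret",
                     "secretsmanager:DeleteSecret",
                     "secretsmanager:PutSecretValue",
                     "secretsmanager:RestoreSecret",
                     "secretsmanager:RotateSecret",
                     "secretsmanager:UpdateSecret",
                     "secretsmanager:UpdateSecretVersionStage",
                 ],
                 "Resource": [
                     "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret"
                 ],
             },
             {
                 "Sid": "S3ListObject",
                 "Effect": "Allow",
                 "Action": ["s3:ListMultipartUploadParts"],
                 "Resource": ["arn:aws:s3:::example-org-sbx-vmimport/stuff"],
             },
             {
                 "Sid": "SsmTaggingParameter",
                 "Effect": "Allow",
                 "Action": ["ssm:AddTagsToResource", "ssm:RemoveTagsFromResource"],
                 "Resource": ["arn:aws:ssm:us-east-1:123456789012:parameter/test"],
             },
             {
                 "Sid": "KmsPermissionsmanagementKey",
                 "Effect": "Allow",
                 "Action": [
                     "kms:CreateGrant",
                     "kms:PutKeyPolicy",
                     "kms:RetireGrant",
                     "kms:RevokeGrant",
                 ],
                 "Resource": ["arn:aws:kms:us-east-1:123456789012:key/123456"],
             },
         ],
     }
     # Large dict comparison: show the complete diff on failure.
     self.maxDiff = None
     self.assertDictEqual(result, desired_crud_policy)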