def test_crud_schema(self): """test_actions_schema: Validates that the user-supplied YAML is working for CRUD mode""" result = check_crud_schema(valid_cfg_for_crud) self.assertTrue(result) self.assertTrue(check_crud_schema(valid_crud_with_one_item_only)) with self.assertRaises(Exception): check_crud_schema(invalid_crud_with_mispelled_category)
def process_template(self, db_session, cfg, minimize=None): """ Process the Policy Sentry template as a dict. This auto-detects whether or not the file is in CRUD mode or Actions mode. :param db_session: SQLAlchemy database session object :param cfg: The loaded YAML as a dict. Must follow Policy Sentry dictated format. :param minimize: Minimize the resulting statement with *safe* usage of wildcards to reduce policy length. Set this to the character length you want - for example, 0, or 4. Defaults to none. """ try: if "mode" in cfg.keys(): if cfg["mode"] == "crud": check_crud_schema(cfg) if "wildcard" in cfg.keys(): provided_wildcard_actions = cfg["wildcard"] if isinstance(provided_wildcard_actions, list): verified_wildcard_actions = remove_actions_that_are_not_wildcard_arn_only( db_session, provided_wildcard_actions) if len(verified_wildcard_actions) > 0: self.add_by_list_of_actions( db_session, verified_wildcard_actions) if "read" in cfg.keys(): if cfg["read"] is not None and cfg["read"][0] != "": self.add_by_arn_and_access_level( db_session, cfg["read"], "Read") if "write" in cfg.keys(): if cfg["write"] is not None and cfg["write"][0] != "": self.add_by_arn_and_access_level( db_session, cfg["write"], "Write") if "list" in cfg.keys(): if cfg["list"] is not None and cfg["list"][0] != "": self.add_by_arn_and_access_level( db_session, cfg["list"], "List") if "permissions-management" in cfg.keys(): if (cfg["permissions-management"] is not None and cfg["permissions-management"][0] != ""): self.add_by_arn_and_access_level( db_session, cfg["permissions-management"], "Permissions management", ) if "tagging" in cfg.keys(): if cfg["tagging"] is not None and cfg["tagging"][ 0] != "": self.add_by_arn_and_access_level( db_session, cfg["tagging"], "Tagging") if cfg["mode"] == "actions": check_actions_schema(cfg) # for policy in cfg[template]: if "actions" in cfg.keys(): if cfg["actions"] is not None: self.add_by_list_of_actions( db_session, cfg["actions"]) except IndexError: raise Exception( "IndexError: list index out of range. This is likely due to an ARN in your list " "equaling ''. Please evaluate your YML file and try again.") rendered_policy = self.get_rendered_policy(db_session, minimize) return rendered_policy
def write_policy_with_access_levels(db_session, cfg, minimize_statement=None): """ Writes an IAM policy given a dict containing Access Levels and ARNs. """ check_crud_schema(cfg) arn_action_group = ArnActionGroup() arn_dict = arn_action_group.process_resource_specific_acls(cfg, db_session) policy = print_policy(arn_dict, db_session, minimize_statement) return policy
def process_template(self, db_session, cfg, minimize=None): """ Process the Policy Sentry template as a dict. This auto-detects whether or not the file is in CRUD mode or Actions mode. :param db_session: SQLAlchemy database session object :param cfg: The loaded YAML as a dict. Must follow Policy Sentry dictated format. :param minimize: Minimize the resulting statement with *safe* usage of wildcards to reduce policy length. Set this to the character length you want - for example, 0, or 4. Defaults to none. """ # try: if "mode" in cfg.keys(): if cfg["mode"] == "crud": check_crud_schema(cfg) if "wildcard-only" in cfg.keys(): if "single-actions" in cfg["wildcard-only"]: if cfg["wildcard-only"]["single-actions"]: if cfg["wildcard-only"]["single-actions"][0] != "": provided_wildcard_actions = cfg[ "wildcard-only"]["single-actions"] self.add_wildcard_only_actions( db_session, provided_wildcard_actions) if "service-read" in cfg["wildcard-only"]: if cfg["wildcard-only"]["service-read"]: if cfg["wildcard-only"]["service-read"][0] != "": service_read = cfg["wildcard-only"][ "service-read"] self.add_wildcard_only_actions_matching_services_and_access_level( db_session, service_read, "Read") if "service-write" in cfg["wildcard-only"]: if cfg["wildcard-only"]["service-write"]: if cfg["wildcard-only"]["service-write"][0] != "": service_write = cfg["wildcard-only"][ "service-write"] self.add_wildcard_only_actions_matching_services_and_access_level( db_session, service_write, "Write") if "service-list" in cfg["wildcard-only"]: if cfg["wildcard-only"]["service-list"]: if cfg["wildcard-only"]["service-list"][0] != "": service_list = cfg["wildcard-only"][ "service-list"] self.add_wildcard_only_actions_matching_services_and_access_level( db_session, service_list, "List") if "service-tagging" in cfg["wildcard-only"]: if cfg["wildcard-only"]["service-tagging"]: if cfg["wildcard-only"]["service-tagging"][0] != "": service_tagging = cfg["wildcard-only"][ "service-tagging"] self.add_wildcard_only_actions_matching_services_and_access_level( db_session, service_tagging, "Tagging") if "service-permissions-management" in cfg[ "wildcard-only"]: if cfg["wildcard-only"][ "service-permissions-management"]: if (cfg["wildcard-only"] ["service-permissions-management"][0] != ""): service_permissions_management = cfg[ "wildcard-only"][ "service-permissions-management"] self.add_wildcard_only_actions_matching_services_and_access_level( db_session, service_permissions_management, "Permissions management", ) if "read" in cfg.keys(): if cfg["read"] is not None and cfg["read"][0] != "": self.add_by_arn_and_access_level( db_session, cfg["read"], "Read") if "write" in cfg.keys(): if cfg["write"] is not None and cfg["write"][0] != "": self.add_by_arn_and_access_level( db_session, cfg["write"], "Write") if "list" in cfg.keys(): if cfg["list"] is not None and cfg["list"][0] != "": self.add_by_arn_and_access_level( db_session, cfg["list"], "List") if "permissions-management" in cfg.keys(): if (cfg["permissions-management"] is not None and cfg["permissions-management"][0] != ""): self.add_by_arn_and_access_level( db_session, cfg["permissions-management"], "Permissions management", ) if "tagging" in cfg.keys(): if cfg["tagging"] is not None and cfg["tagging"][0] != "": self.add_by_arn_and_access_level( db_session, cfg["tagging"], "Tagging") if cfg["mode"] == "actions": check_actions_schema(cfg) if "actions" in cfg.keys(): if cfg["actions"] is not None and cfg["actions"][0] != "": self.add_by_list_of_actions(db_session, cfg["actions"]) rendered_policy = self.get_rendered_policy(db_session, minimize) return rendered_policy
def process_template(self, cfg, minimize=None): """ Process the Policy Sentry template as a dict. This auto-detects whether or not the file is in CRUD mode or Actions mode. Arguments: cfg: The loaded YAML as a dict. Must follow Policy Sentry dictated format. minimize: Minimize the resulting statement with *safe* usage of wildcards to reduce policy length. Set this to the character length you want - for example, 0, or 4. Defaults to none. Returns: Dictionary: The rendered IAM JSON Policy """ if cfg.get("mode") == "crud": logger.debug("CRUD mode selected") check_crud_schema(cfg) # EXCLUDE ACTIONS if cfg.get("exclude-actions"): if cfg.get("exclude-actions")[0] != "": self.add_exclude_actions(cfg["exclude-actions"]) # WILDCARD ONLY SECTION if cfg.get("wildcard-only"): if cfg.get("wildcard-only").get("single-actions"): if cfg["wildcard-only"]["single-actions"][0] != "": provided_wildcard_actions = cfg["wildcard-only"][ "single-actions"] logger.debug( f"Requested wildcard-only actions: {str(provided_wildcard_actions)}" ) self.wildcard_only_single_actions = provided_wildcard_actions if cfg.get("wildcard-only").get("service-read"): if cfg["wildcard-only"]["service-read"][0] != "": service_read = cfg["wildcard-only"]["service-read"] logger.debug( f"Requested wildcard-only actions: {str(service_read)}" ) self.wildcard_only_service_read = service_read if cfg.get("wildcard-only").get("service-write"): if cfg["wildcard-only"]["service-write"][0] != "": service_write = cfg["wildcard-only"]["service-write"] logger.debug( f"Requested wildcard-only actions: {str(service_write)}" ) self.wildcard_only_service_write = service_write if cfg.get("wildcard-only").get("service-list"): if cfg["wildcard-only"]["service-list"][0] != "": service_list = cfg["wildcard-only"]["service-list"] logger.debug( f"Requested wildcard-only actions: {str(service_list)}" ) self.wildcard_only_service_list = service_list if cfg.get("wildcard-only").get("service-tagging"): if cfg["wildcard-only"]["service-tagging"][0] != "": service_tagging = cfg["wildcard-only"][ "service-tagging"] logger.debug( f"Requested wildcard-only actions: {str(service_tagging)}" ) self.wildcard_only_service_tagging = service_tagging if cfg.get("wildcard-only").get( "service-permissions-management"): if cfg["wildcard-only"]["service-permissions-management"][ 0] != "": service_permissions_management = cfg["wildcard-only"][ "service-permissions-management"] logger.debug( f"Requested wildcard-only actions: {str(service_permissions_management)}" ) self.wildcard_only_service_permissions_management = service_permissions_management # Process the wildcard-only section self.process_wildcard_only_actions() # Standard access levels if cfg.get("read"): if cfg["read"][0] != "": logger.debug( f"Requested access to arns: {str(cfg['read'])}") self.add_by_arn_and_access_level(cfg["read"], "Read") if cfg.get("write"): if cfg["write"][0] != "": logger.debug( f"Requested access to arns: {str(cfg['write'])}") self.add_by_arn_and_access_level(cfg["write"], "Write") if cfg.get("list"): if cfg["list"][0] != "": logger.debug( f"Requested access to arns: {str(cfg['list'])}") self.add_by_arn_and_access_level(cfg["list"], "List") if cfg.get("tagging"): if cfg["tagging"][0] != "": logger.debug( f"Requested access to arns: {str(cfg['tagging'])}") self.add_by_arn_and_access_level(cfg["tagging"], "Tagging") if cfg.get("permissions-management"): if cfg["permissions-management"][0] != "": logger.debug( f"Requested access to arns: {str(cfg['permissions-management'])}" ) self.add_by_arn_and_access_level( cfg["permissions-management"], "Permissions management") # SKIP RESOURCE CONSTRAINTS if cfg.get("skip-resource-constraints"): if cfg["skip-resource-constraints"][0] != "": logger.debug( f"Requested override: the actions {str(cfg['skip-resource-constraints'])} will " f"skip resource constraints.") self.add_skip_resource_constraints( cfg["skip-resource-constraints"]) for skip_resource_constraints_action in self.skip_resource_constraints: self.add_action_without_resource_constraint( skip_resource_constraints_action, "SkipResourceConstraints") elif cfg.get("mode") == "actions": check_actions_schema(cfg) if "actions" in cfg.keys(): if cfg["actions"] is not None and cfg["actions"][0] != "": self.add_by_list_of_actions(cfg["actions"]) rendered_policy = self.get_rendered_policy(minimize) return rendered_policy
def process_template(self, cfg, minimize=None): """ Process the Policy Sentry template as a dict. This auto-detects whether or not the file is in CRUD mode or Actions mode. :param cfg: The loaded YAML as a dict. Must follow Policy Sentry dictated format. :param minimize: Minimize the resulting statement with *safe* usage of wildcards to reduce policy length. Set this to the character length you want - for example, 0, or 4. Defaults to none. """ if "mode" in cfg.keys(): if cfg["mode"] == "crud": logger.debug("CRUD mode selected") check_crud_schema(cfg) if "wildcard-only" in cfg.keys(): if "single-actions" in cfg["wildcard-only"]: if cfg["wildcard-only"]["single-actions"]: if cfg["wildcard-only"]["single-actions"][0] != "": provided_wildcard_actions = cfg[ "wildcard-only"]["single-actions"] logger.debug( f"Requested wildcard-only actions: {str(provided_wildcard_actions)}" ) self.wildcard_only_single_actions = provided_wildcard_actions if "service-read" in cfg["wildcard-only"]: if cfg["wildcard-only"]["service-read"]: if cfg["wildcard-only"]["service-read"][0] != "": service_read = cfg["wildcard-only"][ "service-read"] logger.debug( f"Requested wildcard-only actions: {str(service_read)}" ) self.wildcard_only_service_read = service_read if "service-write" in cfg["wildcard-only"]: if cfg["wildcard-only"]["service-write"]: if cfg["wildcard-only"]["service-write"][0] != "": service_write = cfg["wildcard-only"][ "service-write"] logger.debug( f"Requested wildcard-only actions: {str(service_write)}" ) self.wildcard_only_service_write = service_write if "service-list" in cfg["wildcard-only"]: if cfg["wildcard-only"]["service-list"]: if cfg["wildcard-only"]["service-list"][0] != "": service_list = cfg["wildcard-only"][ "service-list"] logger.debug( f"Requested wildcard-only actions: {str(service_list)}" ) self.wildcard_only_service_list = service_list if "service-tagging" in cfg["wildcard-only"]: if cfg["wildcard-only"]["service-tagging"]: if cfg["wildcard-only"]["service-tagging"][0] != "": service_tagging = cfg["wildcard-only"][ "service-tagging"] logger.debug( f"Requested wildcard-only actions: {str(service_tagging)}" ) self.wildcard_only_service_tagging = service_tagging if "service-permissions-management" in cfg[ "wildcard-only"]: if cfg["wildcard-only"][ "service-permissions-management"]: if (cfg["wildcard-only"] ["service-permissions-management"][0] != ""): service_permissions_management = cfg[ "wildcard-only"][ "service-permissions-management"] logger.debug( f"Requested wildcard-only actions: {str(service_permissions_management)}" ) self.wildcard_only_service_permissions_management = service_permissions_management self.process_wildcard_only_actions() if "read" in cfg.keys(): if cfg["read"] is not None and cfg["read"][0] != "": logger.debug( f"Requested access to arns: {str(cfg['read'])}") self.add_by_arn_and_access_level(cfg["read"], "Read") if "write" in cfg.keys(): if cfg["write"] is not None and cfg["write"][0] != "": logger.debug( f"Requested access to arns: {str(cfg['write'])}") self.add_by_arn_and_access_level(cfg["write"], "Write") if "list" in cfg.keys(): if cfg["list"] is not None and cfg["list"][0] != "": logger.debug( f"Requested access to arns: {str(cfg['list'])}") self.add_by_arn_and_access_level(cfg["list"], "List") if "permissions-management" in cfg.keys(): if (cfg["permissions-management"] is not None and cfg["permissions-management"][0] != ""): logger.debug( f"Requested access to arns: {str(cfg['permissions-management'])}" ) self.add_by_arn_and_access_level( cfg["permissions-management"], "Permissions management", ) if "tagging" in cfg.keys(): if cfg["tagging"] is not None and cfg["tagging"][0] != "": logger.debug( f"Requested access to arns: {str(cfg['tagging'])}") self.add_by_arn_and_access_level( cfg["tagging"], "Tagging") if "skip-resource-constraints" in cfg.keys(): if cfg["skip-resource-constraints"]: if cfg["skip-resource-constraints"][0] != "": logger.debug( f"Requested override: the actions {str(cfg['skip-resource-constraints'])} will " f"skip resource constraints.") self.add_overrides( cfg["skip-resource-constraints"]) for override_action in self.overrides: self.add_action_without_resource_constraint( override_action, "SkipResourceConstraints") if cfg["mode"] == "actions": check_actions_schema(cfg) if "actions" in cfg.keys(): if cfg["actions"] is not None and cfg["actions"][0] != "": self.add_by_list_of_actions(cfg["actions"]) rendered_policy = self.get_rendered_policy(minimize) return rendered_policy