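def test_s3_policies(self):
    """Check S3 bucket policies against account, VPC and VPC-endpoint allow-lists.

    Each policy in ``iam/s3-policies.json`` is paired with a flag saying
    whether ``PolicyChecker.check`` is expected to report at least one
    violation (True) or none (False).
    """
    policies = load_data("iam/s3-policies.json")
    checker = PolicyChecker({
        "allowed_accounts": set(["123456789012"]),
        "allowed_vpc": set(["vpc-12345678"]),
        "allowed_vpce": set(["vpce-12345678", "vpce-87654321"]),
    })
    expected = [
        True, False, False, True, False, True, False,
        True, False, True, False, True, False, True,
    ]
    # zip() stops at the shorter sequence, so a fixture policy added without
    # a matching expectation (or the reverse) would be silently skipped --
    # for a policy checker that means an untested bypass case.
    self.assertEqual(len(policies), len(expected))
    for idx, (policy, has_violations) in enumerate(zip(policies, expected)):
        violations = checker.check(policy)
        self.assertEqual(
            bool(violations), has_violations,
            msg="unexpected result for policy index {}".format(idx))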
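def test_s3_policies(self):
    """Exercise the S3 policy fixture with account, VPC and VPCE allow-lists.

    ``expected[i]`` is True when policy ``i`` of ``iam/s3-policies.json``
    must produce violations and False when it must be accepted.
    """
    policies = load_data("iam/s3-policies.json")
    checker = PolicyChecker(
        {
            "allowed_accounts": set(["123456789012"]),
            "allowed_vpc": set(["vpc-12345678"]),
            "allowed_vpce": set(["vpce-12345678", "vpce-87654321"]),
        }
    )
    expected = [
        True, False, False, True, False, True, False,
        True, False, True, False, True, False, True,
    ]
    # Guard against zip() truncation: every fixture policy must have an
    # explicit expectation, otherwise new (possibly permissive) policies
    # would pass unnoticed.
    self.assertEqual(len(policies), len(expected))
    for idx, (policy, has_violations) in enumerate(zip(policies, expected)):
        violations = checker.check(policy)
        self.assertEqual(
            bool(violations), has_violations,
            msg="unexpected result for policy index {}".format(idx))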
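def test_s3_everyone_only(self):
    """With ``everyone_only`` set, only wildcard-principal statements are violations.

    The first two policies of ``iam/s3-principal.json`` are expected to be
    flagged; the remaining four must pass.
    """
    policies = load_data("iam/s3-principal.json")
    checker = PolicyChecker({"everyone_only": True})
    expected = [True, True, False, False, False, False]
    # zip() would silently drop any fixture policy beyond len(expected);
    # pin the counts so an untested case cannot slip in.
    self.assertEqual(len(policies), len(expected))
    for idx, (policy, has_violations) in enumerate(zip(policies, expected)):
        violations = checker.check(policy)
        self.assertEqual(
            bool(violations), has_violations,
            msg="unexpected result for policy index {}".format(idx))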
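def test_s3_everyone_only(self):
    """Check the ``everyone_only`` mode against ``iam/s3-principal.json``.

    Policies 0 and 1 are expected to produce violations; policies 2-5 are
    expected to be clean.
    """
    policies = load_data('iam/s3-principal.json')
    checker = PolicyChecker({'everyone_only': True})
    expected = [True, True, False, False, False, False]
    # Without this the loop below would stop at the shorter of the two
    # sequences and silently skip any unlisted fixture policy.
    self.assertEqual(len(policies), len(expected))
    for idx, (policy, has_violations) in enumerate(zip(policies, expected)):
        violations = checker.check(policy)
        self.assertEqual(
            bool(violations), has_violations,
            msg='unexpected result for policy index {}'.format(idx))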
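def test_s3_policies_multiple_conditions(self):
    """Policies combining several conditions, checked against account + VPC lists.

    ``iam/s3-conditions.json`` holds two policies: the first must pass,
    the second must be flagged.
    """
    policies = load_data("iam/s3-conditions.json")
    checker = PolicyChecker({
        "allowed_accounts": set(["123456789012"]),
        "allowed_vpc": set(["vpc-12345678"]),
    })
    expected = [False, True]
    # Pin the fixture size: zip() would otherwise hide a third, unlisted
    # policy rather than fail on it.
    self.assertEqual(len(policies), len(expected))
    for idx, (policy, has_violations) in enumerate(zip(policies, expected)):
        violations = checker.check(policy)
        self.assertEqual(
            bool(violations), has_violations,
            msg="unexpected result for policy index {}".format(idx))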
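def test_sqs_policies(self):
    """Check SQS queue policies against a single allowed account.

    Of the eight policies in ``iam/sqs-policies.json`` only indexes 1 and 2
    are expected to produce violations.
    """
    policies = load_data("iam/sqs-policies.json")
    checker = PolicyChecker({"allowed_accounts": set(["221800032964"])})
    expected = [False, True, True, False, False, False, False, False]
    # zip() truncates to the shorter input; require a one-to-one pairing so
    # no fixture policy goes unchecked.
    self.assertEqual(len(policies), len(expected))
    for idx, (policy, has_violations) in enumerate(zip(policies, expected)):
        violations = checker.check(policy)
        self.assertEqual(
            bool(violations), has_violations,
            msg="unexpected result for policy index {}".format(idx))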
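def test_s3_policies_multiple_conditions(self):
    """Multi-condition S3 policies against account and VPC allow-lists.

    The two fixtures in ``iam/s3-conditions.json`` are expected to yield
    no violations and some violations, respectively.
    """
    policies = load_data('iam/s3-conditions.json')
    checker = PolicyChecker({
        'allowed_accounts': set(['123456789012']),
        'allowed_vpc': set(['vpc-12345678'])
    })
    expected = [False, True]
    # Fail loudly if the fixture and the expectation list drift apart;
    # zip() alone would just skip the surplus entries.
    self.assertEqual(len(policies), len(expected))
    for idx, (policy, has_violations) in enumerate(zip(policies, expected)):
        violations = checker.check(policy)
        self.assertEqual(
            bool(violations), has_violations,
            msg='unexpected result for policy index {}'.format(idx))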
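def test_sqs_policies(self):
    """Run the SQS policy fixture through an account-only checker.

    ``expected[i]`` is True iff policy ``i`` of ``iam/sqs-policies.json``
    must be reported.
    """
    policies = load_data("iam/sqs-policies.json")
    checker = PolicyChecker({"allowed_accounts": set(["221800032964"])})
    expected = [False, True, True, False, False, False, False, False]
    # A fixture policy without an expectation would be silently ignored by
    # zip(); make the mismatch a test failure instead.
    self.assertEqual(len(policies), len(expected))
    for idx, (policy, has_violations) in enumerate(zip(policies, expected)):
        violations = checker.check(policy)
        self.assertEqual(
            bool(violations), has_violations,
            msg="unexpected result for policy index {}".format(idx))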
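def test_s3_policies_vpc(self):
    """Check ``iam/s3-policies.json`` with an account allow-list only.

    Despite the name, this checker is configured with ``allowed_accounts``
    alone -- no ``allowed_vpc`` / ``allowed_vpce`` -- so VPC-conditioned
    policies are judged purely on principal account.  Ten expectations are
    listed here; the fixture must contain exactly that many policies.
    """
    policies = load_data('iam/s3-policies.json')
    checker = PolicyChecker({'allowed_accounts': set(['123456789012'])})
    expected = [
        True, False, False, True, False,
        True, False, False, False, False,
    ]
    # zip() would stop at the shorter sequence and hide any extra fixture
    # policy; require the counts to match.
    self.assertEqual(len(policies), len(expected))
    for idx, (policy, has_violations) in enumerate(zip(policies, expected)):
        violations = checker.check(policy)
        self.assertEqual(
            bool(violations), has_violations,
            msg='unexpected result for policy index {}'.format(idx))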
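def test_s3_policies_multiple_conditions(self):
    """S3 policies with combined conditions, account + VPC allow-lists.

    Fixture ``iam/s3-conditions.json``: policy 0 must pass, policy 1 must
    be flagged.
    """
    policies = load_data('iam/s3-conditions.json')
    checker = PolicyChecker({
        'allowed_accounts': set(['123456789012']),
        'allowed_vpc': set(['vpc-12345678'])})
    expected = [False, True]
    # Make a fixture/expectation size mismatch fail rather than letting
    # zip() quietly skip the surplus.
    self.assertEqual(len(policies), len(expected))
    for idx, (policy, has_violations) in enumerate(zip(policies, expected)):
        violations = checker.check(policy)
        self.assertEqual(
            bool(violations), has_violations,
            msg='unexpected result for policy index {}'.format(idx))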
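def test_s3_principal_org_id(self):
    """Check ``aws:PrincipalOrgID``-style policies against an org allow-list.

    ``iam/s3-orgid.json`` holds two policies: the first (org ``o-goodorg``)
    must pass, the second must be reported.
    """
    policies = load_data("iam/s3-orgid.json")
    checker = PolicyChecker(
        {
            "allowed_orgid": set(["o-goodorg"])
        }
    )
    expected = [False, True]
    # zip() truncation would hide an unlisted fixture policy; pin the size.
    self.assertEqual(len(policies), len(expected))
    for idx, (policy, has_violations) in enumerate(zip(policies, expected)):
        violations = checker.check(policy)
        self.assertEqual(
            bool(violations), has_violations,
            msg="unexpected result for policy index {}".format(idx))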
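def test_s3_policies_multiple_conditions(self):
    """Multi-condition S3 policies with account and VPC allow-lists.

    Two policies are loaded from ``iam/s3-conditions.json``; the first is
    expected clean, the second is expected to carry violations.
    """
    policies = load_data("iam/s3-conditions.json")
    checker = PolicyChecker(
        {
            "allowed_accounts": set(["123456789012"]),
            "allowed_vpc": set(["vpc-12345678"]),
        }
    )
    expected = [False, True]
    # Every fixture policy needs an explicit expectation; zip() would
    # otherwise drop the extras without complaint.
    self.assertEqual(len(policies), len(expected))
    for idx, (policy, has_violations) in enumerate(zip(policies, expected)):
        violations = checker.check(policy)
        self.assertEqual(
            bool(violations), has_violations,
            msg="unexpected result for policy index {}".format(idx))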
def test_not_principal_allowed(self):
    """An ``Allow`` statement keyed on ``NotPrincipal`` must be reported.

    ``NotPrincipal`` on an ``Allow`` is the "everyone except ..." form, so
    the ``SendMessage`` statement below opens the queue even though the
    ``ReceiveMessage`` statement denies ``*``; the checker is expected to
    return a non-empty result for this policy.
    """
    deny_receive_all = {
        'Action': 'SQS:ReceiveMessage',
        'Effect': 'Deny',
        'Principal': '*',
    }
    allow_send_not_principal = {
        'Action': 'SQS:SendMessage',
        'Effect': 'Allow',
        'NotPrincipal': '90120',
    }
    policy = {
        'Id': 'Foo',
        "Version": "2012-10-17",
        'Statement': [deny_receive_all, allow_send_not_principal],
    }
    checker = PolicyChecker({'allowed_accounts': set(['221800032964'])})
    violations = checker.check(policy)
    self.assertTrue(bool(violations))
def test_not_principal_allowed(self):
    """``Allow`` + ``NotPrincipal`` is a violation regardless of other statements.

    The policy pairs a deny-all on ``SQS:ReceiveMessage`` with an allow on
    ``SQS:SendMessage`` that excludes a single principal -- i.e. grants
    everyone else.  ``PolicyChecker.check`` must flag it.
    """
    statements = [
        {"Action": "SQS:ReceiveMessage", "Effect": "Deny", "Principal": "*"},
        {
            "Action": "SQS:SendMessage",
            "Effect": "Allow",
            "NotPrincipal": "90120",
        },
    ]
    policy = {"Id": "Foo", "Version": "2012-10-17", "Statement": statements}
    allowed = {"allowed_accounts": set(["221800032964"])}
    checker = PolicyChecker(allowed)
    self.assertTrue(bool(checker.check(policy)))
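def test_s3_principal_org_id(self):
    """Organisation-ID scoped policies against an ``allowed_orgid`` list.

    ``iam/s3-orgid.json``: policy 0 (allowed org) must pass, policy 1 must
    produce violations.
    """
    policies = load_data("iam/s3-orgid.json")
    checker = PolicyChecker({"allowed_orgid": set(["o-goodorg"])})
    expected = [False, True]
    # Require a one-to-one pairing; zip() would silently skip any fixture
    # policy without an expectation.
    self.assertEqual(len(policies), len(expected))
    for idx, (policy, has_violations) in enumerate(zip(policies, expected)):
        violations = checker.check(policy)
        self.assertEqual(
            bool(violations), has_violations,
            msg="unexpected result for policy index {}".format(idx))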