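def test_full_policy_explicit_allow():
    """An explicit Allow on the exact bucket ARN grants the requested action.

    The policy spells the action in lowercase ("s3:getobject") while the
    request uses "S3:GetObject", so the test also expects action matching to
    be case-insensitive.
    """
    policies = {
        "ListAllow": [{
            "action": [
                # Two distinct actions. The separating comma matters: without
                # it Python joins adjacent string literals into the single
                # meaningless action "s3:listobjectdynamodb:query".
                "s3:listobject",
                "dynamodb:query",
            ],
            "resource": [
                "*",
            ],
            "effect": "Allow",
        }],
        "explicitallow": [{
            "action": [
                "s3:getobject",
            ],
            "resource": [
                "arn:aws:s3:::testbucket",
            ],
            "effect": "Allow",
        }],
    }
    assert permission_relationships.principal_allowed_on_resource(
        policies,
        "arn:aws:s3:::testbucket",
        ["S3:GetObject"],
    )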
def test_full_policy_no_explicit_allow():
    """No Allow statement covers the requested action, so access is refused.

    The policies allow only "s3:List*" (on any resource) and "s3:Put*" (on the
    bucket); neither pattern matches "S3:GetObject", so the evaluator is
    expected to return a falsy result.
    """
    bucket_arn = "arn:aws:s3:::testbucket"
    list_statement = {
        "action": ["s3:List*"],
        "resource": ["*"],
        "effect": "Allow",
    }
    put_statement = {
        "action": ["s3:Put*"],
        "resource": [bucket_arn],
        "effect": "Allow",
    }
    policies = {
        "ListAllow": [list_statement],
        "PutAllow": [put_statement],
    }
    allowed = permission_relationships.principal_allowed_on_resource(
        policies,
        bucket_arn,
        ["S3:GetObject"],
    )
    assert not allowed
def test_full_policy_explicit_deny():
    """An explicit Deny on the bucket must win over a broader Allow.

    "fakeallow" allows "s3:*" on every resource, while "fakedeny" denies
    "s3:*" on the bucket itself; the request for "S3:GetObject" on that bucket
    is expected to be refused.
    """
    bucket_arn = "arn:aws:s3:::testbucket"
    allow_everything = {
        "action": ["s3:*"],
        "resource": ["*"],
        "effect": "Allow",
    }
    deny_on_bucket = {
        "action": ["s3:*"],
        "resource": [bucket_arn],
        "effect": "Deny",
    }
    policies = {
        "fakeallow": [allow_everything],
        "fakedeny": [deny_on_bucket],
    }
    allowed = permission_relationships.principal_allowed_on_resource(
        policies,
        bucket_arn,
        ["S3:GetObject"],
    )
    assert not allowed
def test_permissions_list():
    """Passing the permissions as a bare string must raise ValueError.

    The third argument is expected to be a list of permissions; here it is the
    plain string "S3:GetObject". The test fails if the call returns normally,
    whatever value it returns.
    """
    raised_value_error = False
    try:
        permission_relationships.principal_allowed_on_resource(
            GET_OBJECT_LOWERCASE_RESOURCE_WILDCARD,
            "arn:aws:s3:::testbucket",
            "S3:GetObject",
        )
    except ValueError:
        raised_value_error = True
    assert raised_value_error
def sync_assumerole_relationships(
    neo4j_session: neo4j.Session,
    current_aws_account_id: str,
    aws_update_tag: str,
    common_job_parameters: Dict,
) -> None:
    """Compute and sync STS_ASSUMEROLE_ALLOW edges for one AWS account.

    Must be called after load_role, because it reads the
    TRUSTS_AWS_PRINCIPAL edges of the account's roles.

    For every (principal, role) pair where the role trusts the principal, the
    principal's policies are fetched and evaluated for "sts:AssumeRole" on the
    role ARN. Pairs that pass get a STS_ASSUMEROLE_ALLOW relationship stamped
    with ``aws_update_tag``. Principals whose ARN ends with 'root', and
    principals of type 'Service' or 'Federated', are excluded by the query.
    A cleanup job runs at the end.

    NOTE(review): the edge is only as accurate as
    principal_allowed_on_resource; whether policy conditions, permission
    boundaries or organization-level policies are considered is not visible
    here -- confirm before treating the edge as proof of access.
    """
    logger.debug(
        "Syncing assume role for account '%s'.", current_aws_account_id,
    )

    # Both statements receive their values as query parameters; no ARN or
    # account id is spliced into the Cypher text.
    trust_pairs_query = """
    MATCH (:AWSAccount{id:{AccountId}})-[:RESOURCE]->(target:AWSRole)-[:TRUSTS_AWS_PRINCIPAL]->(source:AWSPrincipal)
    WHERE NOT source.arn ENDS WITH 'root'
    AND NOT source.type = 'Service'
    AND NOT source.type = 'Federated'
    RETURN target.arn AS target_arn,
    source.arn AS source_arn
    """

    merge_edge_query = """
    MATCH (source:AWSPrincipal{arn: {SourceArn}})
    WITH source
    MATCH (role:AWSRole{arn: {TargetArn}})
    WITH role, source
    MERGE (source)-[r:STS_ASSUMEROLE_ALLOW]->(role)
    ON CREATE SET r.firstseen = timestamp()
    SET r.lastupdated = {aws_update_tag}
    """

    trust_rows = neo4j_session.run(
        trust_pairs_query,
        AccountId=current_aws_account_id,
    )
    # Collect every pair before the loop, which issues further queries on the
    # same session.
    candidate_pairs = [
        (row["source_arn"], row["target_arn"]) for row in trust_rows
    ]

    for principal_arn, role_arn in candidate_pairs:
        principal_policies = get_policies_for_principal(
            neo4j_session, principal_arn,
        )
        permitted = principal_allowed_on_resource(
            principal_policies, role_arn, ["sts:AssumeRole"],
        )
        if not permitted:
            continue
        neo4j_session.run(
            merge_edge_query,
            SourceArn=principal_arn,
            TargetArn=role_arn,
            aws_update_tag=aws_update_tag,
        )

    run_cleanup_job(
        'aws_import_roles_policy_cleanup.json',
        neo4j_session,
        common_job_parameters,
    )