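def test_inline_policies(self):
    """Build one InlinePolicy from a fixture record and compare its ``.json`` to the stored expected output.

    The expected result is read from ``files/scanning/test_inline_policy_results.json``,
    resolved relative to this test module.
    """
    inline_policy_detail = {
        "PolicyName": "InlinePolicyForBidenGroup",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObjectAcl"],
                "Resource": "*"
            }]
        }
    }
    inline_policy = InlinePolicy(inline_policy_detail)
    results = inline_policy.json

    # Fixture lives one directory above this module: ../files/scanning/...
    expected_policy_details_results_file = os.path.abspath(
        os.path.join(
            os.path.dirname(__file__),
            os.path.pardir,
            "files",
            "scanning",
            "test_inline_policy_results.json",
        ))
    # Pin the encoding so the comparison does not depend on the locale of the
    # machine running the tests; json.load parses straight from the handle.
    with open(expected_policy_details_results_file, encoding="utf-8") as f:
        expected_results = json.load(f)
    self.assertDictEqual(results, expected_results)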
def __init__(self, group_detail, policy_details, exclusions=DEFAULT_EXCLUSIONS):
    """
    Initialize the GroupDetail object.

    :param group_detail: Details about a particular group
    :param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account so the group can inherit those attributes
    :param exclusions: An Exclusions object; the group and each of its policies are checked against it
    :raises Exception: if ``exclusions`` is not an Exclusions instance
    """
    self.create_date = group_detail.get("CreateDate")
    self.arn = group_detail.get("Arn")
    self.path = group_detail.get("Path")
    self.group_id = group_detail.get("GroupId")
    self.group_name = group_detail.get("GroupName")

    if not isinstance(exclusions, Exclusions):
        raise Exception(
            "The exclusions provided is not an Exclusions type object. "
            "Please supply an Exclusions object and try again.")
    self.is_excluded = self._is_excluded(exclusions)

    # An excluded group contributes no policies at all, inline or managed.
    self.inline_policies = []
    self.attached_managed_policies = []
    if self.is_excluded:
        return

    # Inline policies: dropped when either the policy name or the id derived
    # from the serialized policy document matches the exclusion list.
    for policy_detail in group_detail.get("GroupPolicyList") or []:
        policy_name = policy_detail.get("PolicyName")
        serialized_document = json.dumps(policy_detail.get("PolicyDocument"))
        policy_id = get_non_provider_id(serialized_document)
        excluded = (exclusions.is_policy_excluded(policy_name)
                    or exclusions.is_policy_excluded(policy_id))
        if not excluded:
            self.inline_policies.append(InlinePolicy(policy_detail))

    # Managed policies (AWS-managed or customer-managed): the exclusion list is
    # matched against the full ARN, the policy path and the bare policy name.
    for policy in group_detail.get("AttachedManagedPolicies") or []:
        arn = policy.get("PolicyArn")
        excluded = (exclusions.is_policy_excluded(arn)
                    or exclusions.is_policy_excluded(get_full_policy_path(arn))
                    or exclusions.is_policy_excluded(get_policy_name(arn)))
        if not excluded:
            self.attached_managed_policies.append(
                policy_details.get_policy_detail(arn))
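def __init__(
    self,
    group_detail: Dict[str, Any],
    policy_details: ManagedPolicyDetails,
    exclusions: Exclusions = DEFAULT_EXCLUSIONS,
    flag_conditional_statements: bool = False,
    flag_resource_arn_statements: bool = False,
):
    """
    Initialize the GroupDetail object.

    :param group_detail: Details about a particular group
    :param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account so the group can inherit those attributes
    :param exclusions: Exclusions object; the group itself and each of its policies are checked against it
    :param flag_conditional_statements: Forwarded to every InlinePolicy built here (Issue #254)
    :param flag_resource_arn_statements: Forwarded to every InlinePolicy built here (Issue #254)
    :raises Exception: if ``exclusions`` is not an Exclusions instance
    :raises KeyError: if ``group_detail`` lacks Path, GroupId or GroupName
    """
    self.create_date = group_detail.get("CreateDate")
    self.arn = group_detail.get("Arn")
    # Required fields: a malformed record fails loudly here rather than
    # yielding a half-populated object.
    self.path = group_detail["Path"]
    self.group_id = group_detail["GroupId"]
    self.group_name = group_detail["GroupName"]

    # Fix Issue #254 - Allow flagging risky actions even when there are resource constraints
    self.flag_conditional_statements = flag_conditional_statements
    self.flag_resource_arn_statements = flag_resource_arn_statements

    if not isinstance(exclusions, Exclusions):
        raise Exception(
            "The exclusions provided is not an Exclusions type object. "
            "Please supply an Exclusions object and try again.")
    self.is_excluded = self._is_excluded(exclusions)

    # An excluded group contributes no policies at all, inline or managed.
    self.inline_policies = []
    self.attached_managed_policies = []
    if self.is_excluded:
        return

    # `or []` rather than `.get(key, [])`: a record carrying the key with an
    # explicit None would otherwise raise TypeError on iteration.
    for policy_detail in group_detail.get("GroupPolicyList") or []:
        policy_name = policy_detail.get("PolicyName")
        policy_document = policy_detail.get("PolicyDocument")
        # NOTE(review): json.dumps is not called with sort_keys, so the id may
        # differ for equivalent documents with different key order — confirm
        # whether get_non_provider_id normalizes.
        policy_id = get_non_provider_id(json.dumps(policy_document))
        if not (exclusions.is_policy_excluded(policy_name)
                or exclusions.is_policy_excluded(policy_id)):
            # exclusions is forwarded so InlinePolicy can apply them as well
            # (added alongside the #254 fix).
            inline_policy = InlinePolicy(
                policy_detail,
                exclusions=exclusions,
                flag_conditional_statements=flag_conditional_statements,
                flag_resource_arn_statements=flag_resource_arn_statements,
            )
            self.inline_policies.append(inline_policy)

    # Managed policies (AWS-managed or customer-managed): the exclusion list is
    # matched against the full ARN, the policy path and the bare policy name.
    for policy in group_detail.get("AttachedManagedPolicies") or []:
        arn = policy.get("PolicyArn")
        if not (exclusions.is_policy_excluded(arn)
                or exclusions.is_policy_excluded(get_full_policy_path(arn))
                or exclusions.is_policy_excluded(get_policy_name(arn))):
            self.attached_managed_policies.append(
                policy_details.get_policy_detail(arn))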
def _inline_policies_details(self, group_policies_list):
    """Append an InlinePolicy for every entry of ``group_policies_list`` to ``self.inline_policies``.

    A falsy argument (None or an empty list) is a no-op. Unlike ``__init__``,
    no exclusion filtering is applied here: every entry is wrapped as-is.
    """
    if not group_policies_list:
        return
    self.inline_policies.extend(
        InlinePolicy(policy) for policy in group_policies_list)
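def __init__(
    self,
    user_detail: Dict[str, Any],
    policy_details: ManagedPolicyDetails,
    all_group_details: GroupDetailList,
    exclusions: Exclusions = DEFAULT_EXCLUSIONS,
    flag_conditional_statements: bool = False,
    flag_resource_arn_statements: bool = False,
) -> None:
    """
    Initialize the UserDetail object.

    :param user_detail: Details about a particular user
    :param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account so the user can inherit those attributes
    :param all_group_details: GroupDetailList handed, together with the user's GroupList, to ``_add_group_details``
    :param exclusions: Exclusions object; the user itself and each of its policies are checked against it
    :param flag_conditional_statements: Forwarded to every InlinePolicy built here (Issue #254)
    :param flag_resource_arn_statements: Forwarded to every InlinePolicy built here (Issue #254)
    :raises Exception: if ``exclusions`` is not an Exclusions instance
    :raises KeyError: if ``user_detail`` lacks Path, UserId or UserName
    """
    self.create_date = user_detail.get("CreateDate")
    self.arn = user_detail.get("Arn")
    # Required fields: a malformed record fails loudly here rather than
    # yielding a half-populated object.
    self.path = user_detail["Path"]
    self.user_id = user_detail["UserId"]
    self.user_name = user_detail["UserName"]

    if not isinstance(exclusions, Exclusions):
        raise Exception(
            "The exclusions provided is not an Exclusions type object. "
            "Please supply an Exclusions object and try again.")
    self.is_excluded = self._is_excluded(exclusions)

    # Fix Issue #254 - Allow flagging risky actions even when there are resource constraints
    self.flag_conditional_statements = flag_conditional_statements
    self.flag_resource_arn_statements = flag_resource_arn_statements

    # Groups: resolved even for an excluded user; only the policy lists
    # below are gated on is_excluded.
    self.groups: List[GroupDetail] = []
    group_list = user_detail.get("GroupList")
    if group_list:
        self._add_group_details(group_list, all_group_details)

    # An excluded user contributes no policies at all, inline or managed.
    self.inline_policies = []
    self.attached_managed_policies = []
    if self.is_excluded:
        return

    # `or []` rather than `.get(key, [])`: a record carrying the key with an
    # explicit None would otherwise raise TypeError on iteration.
    for policy_detail in user_detail.get("UserPolicyList") or []:
        policy_name = policy_detail.get("PolicyName")
        policy_document = policy_detail.get("PolicyDocument")
        policy_id = get_non_provider_id(json.dumps(policy_document))
        if not (exclusions.is_policy_excluded(policy_name)
                or exclusions.is_policy_excluded(policy_id)):
            inline_policy = InlinePolicy(
                policy_detail,
                exclusions=exclusions,
                flag_conditional_statements=flag_conditional_statements,
                flag_resource_arn_statements=flag_resource_arn_statements,
            )
            self.inline_policies.append(inline_policy)

    # Managed policies (AWS-managed or customer-managed): the exclusion list is
    # matched against the full ARN, the policy path and the bare policy name.
    for policy in user_detail.get("AttachedManagedPolicies") or []:
        arn = policy.get("PolicyArn")
        if not (exclusions.is_policy_excluded(arn)
                or exclusions.is_policy_excluded(get_full_policy_path(arn))
                or exclusions.is_policy_excluded(get_policy_name(arn))):
            self.attached_managed_policies.append(
                policy_details.get_policy_detail(arn))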
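def __init__(self, role_detail, policy_details, exclusions=DEFAULT_EXCLUSIONS):
    """
    Initialize the RoleDetail object.

    :param role_detail: Details about a particular Role
    :param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account so the role can inherit those attributes
    :param exclusions: An Exclusions object; the role and each of its policies are checked against it
    :raises Exception: if ``exclusions`` is not an Exclusions instance
    """
    # Metadata
    self.path = role_detail.get("Path")
    self.role_name = role_detail.get("RoleName")
    self.role_id = role_detail.get("RoleId")
    self.arn = role_detail.get("Arn")
    self.create_date = role_detail.get("CreateDate")
    self.tags = role_detail.get("Tags")
    # RoleLastUsed may be absent or None for a role that was never used;
    # `or {}` avoids an AttributeError and yields None for the date instead.
    self.role_last_used = (role_detail.get("RoleLastUsed") or {}).get("LastUsedDate")
    self.role_detail = role_detail  # just to reference later in debugging

    if not isinstance(exclusions, Exclusions):
        raise Exception(
            "The exclusions provided is not an Exclusions type object. "
            "Please supply an Exclusions object and try again."
        )
    self.is_excluded = self._is_excluded(exclusions)

    # Metadata in object form: the trust policy (who may assume the role),
    # wrapped when present.
    assume_role_policy = role_detail.get("AssumeRolePolicyDocument")
    if assume_role_policy:
        self.assume_role_policy_document = AssumeRolePolicyDocument(assume_role_policy)
    else:
        self.assume_role_policy_document = None

    # TODO: Create a class for InstanceProfileList
    self.instance_profile_list = role_detail.get("InstanceProfileList")

    # An excluded role contributes no policies at all, inline or managed.
    self.inline_policies = []
    self.attached_managed_policies = []
    if self.is_excluded:
        return

    # Inline policies: dropped when either the policy name or the id derived
    # from the serialized policy document matches the exclusion list.
    for policy_detail in role_detail.get("RolePolicyList") or []:
        policy_name = policy_detail.get("PolicyName")
        policy_document = policy_detail.get("PolicyDocument")
        policy_id = get_non_provider_id(json.dumps(policy_document))
        if not (
            exclusions.is_policy_excluded(policy_name)
            or exclusions.is_policy_excluded(policy_id)
        ):
            self.inline_policies.append(InlinePolicy(policy_detail))

    # Managed policies (AWS-managed or customer-managed): the exclusion list is
    # matched against the full ARN, the policy path and the bare policy name.
    for policy in role_detail.get("AttachedManagedPolicies") or []:
        arn = policy.get("PolicyArn")
        if not (
            exclusions.is_policy_excluded(arn)
            or exclusions.is_policy_excluded(get_full_policy_path(arn))
            or exclusions.is_policy_excluded(get_policy_name(arn))
        ):
            self.attached_managed_policies.append(policy_details.get_policy_detail(arn))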
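def __init__(
    self,
    role_detail: Dict[str, Any],
    policy_details: ManagedPolicyDetails,
    exclusions: Exclusions = DEFAULT_EXCLUSIONS,
    flag_conditional_statements: bool = False,
    flag_resource_arn_statements: bool = False,
) -> None:
    """
    Initialize the RoleDetail object.

    :param role_detail: Details about a particular Role
    :param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account so the role can inherit those attributes
    :param exclusions: Exclusions object; the role itself and each of its policies are checked against it
    :param flag_conditional_statements: Forwarded to every InlinePolicy built here (Issue #254)
    :param flag_resource_arn_statements: Forwarded to every InlinePolicy built here (Issue #254)
    :raises Exception: if ``exclusions`` is not an Exclusions instance
    :raises KeyError: if ``role_detail`` lacks Path, RoleName or RoleId
    """
    # Metadata. Path/RoleName/RoleId are required: a malformed record fails
    # loudly here rather than yielding a half-populated object.
    self.path = role_detail["Path"]
    self.role_name = role_detail["RoleName"]
    self.role_id = role_detail["RoleId"]
    self.arn = role_detail.get("Arn")
    self.create_date = role_detail.get("CreateDate")
    self.tags = role_detail.get("Tags")
    # `or {}` rather than `.get(key, {})`: a record carrying RoleLastUsed as an
    # explicit None would otherwise raise AttributeError.
    self.role_last_used = (role_detail.get("RoleLastUsed") or {}).get("LastUsedDate")
    self.role_detail = role_detail  # just to reference later in debugging

    if not isinstance(exclusions, Exclusions):
        raise Exception(
            "The exclusions provided is not an Exclusions type object. "
            "Please supply an Exclusions object and try again.")
    self.is_excluded = self._is_excluded(exclusions)

    # Fix Issue #254 - Allow flagging risky actions even when there are resource constraints
    self.flag_conditional_statements = flag_conditional_statements
    self.flag_resource_arn_statements = flag_resource_arn_statements

    # Metadata in object form: the trust policy (who may assume the role),
    # wrapped when present.
    self.assume_role_policy_document = None
    assume_role_policy = role_detail.get("AssumeRolePolicyDocument")
    if assume_role_policy:
        self.assume_role_policy_document = AssumeRolePolicyDocument(
            assume_role_policy)

    # TODO: Create a class for InstanceProfileList
    self.instance_profile_list = role_detail.get("InstanceProfileList") or []

    # An excluded role contributes no policies at all, inline or managed.
    self.inline_policies = []
    self.attached_managed_policies = []
    if self.is_excluded:
        return

    # `or []` rather than `.get(key, [])`: a record carrying the key with an
    # explicit None would otherwise raise TypeError on iteration.
    for policy_detail in role_detail.get("RolePolicyList") or []:
        policy_name = policy_detail.get("PolicyName")
        policy_document = policy_detail.get("PolicyDocument")
        # NOTE(review): json.dumps is not called with sort_keys, so the id may
        # differ for equivalent documents with different key order — confirm
        # whether get_non_provider_id normalizes.
        policy_id = get_non_provider_id(json.dumps(policy_document))
        if not (exclusions.is_policy_excluded(policy_name)
                or exclusions.is_policy_excluded(policy_id)):
            inline_policy = InlinePolicy(
                policy_detail,
                exclusions=exclusions,
                flag_conditional_statements=flag_conditional_statements,
                flag_resource_arn_statements=flag_resource_arn_statements,
            )
            self.inline_policies.append(inline_policy)

    # Managed policies (AWS-managed or customer-managed): the exclusion list is
    # matched against the full ARN, the policy path and the bare policy name.
    for policy in role_detail.get("AttachedManagedPolicies") or []:
        arn = policy.get("PolicyArn")
        if not (exclusions.is_policy_excluded(arn)
                or exclusions.is_policy_excluded(get_full_policy_path(arn))
                or exclusions.is_policy_excluded(get_policy_name(arn))):
            self.attached_managed_policies.append(
                policy_details.get_policy_detail(arn))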