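def test_get_actions_from_statement(self):
    """Expand a single Allow statement's Action list into concrete API actions.

    Covers three shapes of ``Action`` values: an exact action, a trailing
    wildcard (``s3:PutObject*``) and an interior wildcard (``s3:*ObjectT*``).
    The expected keys show that the result is lower-cased and keyed by the
    fully qualified action name with a value of ``True``.

    Uses ``assertEqual``: the ``assertEquals`` alias is deprecated and was
    removed in Python 3.12.
    """
    privileges = Privileges(self.aws_api_list)

    # Exact action name: no expansion beyond case normalisation.
    stmt = {"Action": ["s3:PutObject"], "Resource": "*", "Effect": "Allow"}
    self.assertEqual(
        privileges.get_actions_from_statement(stmt),
        {'s3:putobject': True})

    # Trailing wildcard: every action sharing the prefix is matched.
    # From a least-privilege standpoint this is why a harmless-looking
    # ``s3:PutObject*`` also grants ACL and tagging writes.
    stmt = {"Action": ["s3:PutObject*"], "Resource": "*", "Effect": "Allow"}
    self.assertEqual(
        privileges.get_actions_from_statement(stmt),
        {
            's3:putobject': True,
            's3:putobjectacl': True,
            's3:putobjecttagging': True
        })

    # Interior wildcard: matches anywhere in the action name, not only
    # as a prefix (note ``getobjecttorrent`` is picked up by ``*ObjectT*``).
    stmt = {"Action": ["s3:*ObjectT*"], "Resource": "*", "Effect": "Allow"}
    self.assertEqual(
        privileges.get_actions_from_statement(stmt),
        {
            's3:deleteobjecttagging': True,
            's3:getobjecttagging': True,
            's3:getobjecttorrent': True,
            's3:putobjecttagging': True
        })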
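def test_get_actions_from_statement_with_conditions(self):
    """A conditional Deny does not remove an action from the allowed set.

    The Deny below only applies when MFA is absent, so the action is still
    exercisable under some request context. For privilege analysis the
    conservative (worst-case) answer is therefore "allowed", and that is what
    ``determine_allowed`` must report; treating a conditional Deny as a hard
    Deny would under-report the principal's effective permissions.
    """
    privileges = Privileges(self.aws_api_list)
    policy = [
        {
            "Sid": "AllowAllActionsForEC2",
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
        },
        {
            "Sid": "DenyStopAndTerminateWhenMFAIsNotPresent",
            "Effect": "Deny",
            "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
            "Resource": "*",
            # NOTE(review): real IAM policy JSON carries condition values as
            # strings ("false"); the Python bool is kept as in the original
            # fixture since the test only checks that a Condition is present.
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": False
                }
            }
        },
    ]
    for stmt in policy:
        privileges.add_stmt(stmt)

    allowed = privileges.determine_allowed()
    # Unconditionally allowed by the first statement.
    self.assertIn('ec2:startinstances', allowed)
    # Denied only under a condition, so still reported as allowed.
    self.assertIn('ec2:stopinstances', allowed)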
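def test_get_actions_from_statement_with_resources(self):
    """Only a Deny on ``Resource: "*"`` removes an action from the allowed set.

    The allowed set is tracked per action, not per resource. A Deny scoped
    to specific ARNs (the sensitive bucket below) leaves the action allowed
    elsewhere, so it must not strip the action; a Deny on ``*`` is a global
    revocation and must. Verified with ``assertIn``/``assertNotIn`` so a
    failure reports the offending action rather than a bare ``False``.
    """
    privileges = Privileges(self.aws_api_list)
    policy = [
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            # Global Deny: applies to every resource.
            "Action": "s3:CreateBucket",
            "Effect": "Deny",
            "Resource": "*"
        },
        {
            # Resource-scoped Deny: does not revoke s3:* in general.
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": [
                "arn:aws:s3:::super-sensitive-bucket",
                "arn:aws:s3:::super-sensitive-bucket/*"
            ]
        },
    ]
    for stmt in policy:
        privileges.add_stmt(stmt)

    allowed = privileges.determine_allowed()
    # Still allowed: only denied on the sensitive bucket, not globally.
    self.assertIn('s3:deletebucket', allowed)
    # Removed: denied on every resource.
    self.assertNotIn('s3:createbucket', allowed)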
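def test_policy(self):
    """Combine an Allow wildcard with an explicit Deny of two of its matches.

    ``s3:*ObjectT*`` expands to four actions; denying two of them on
    ``Resource: "*"`` must leave exactly the other two. The comparison is
    order-insensitive (``assertCountEqual``) because the set of allowed
    actions is the contract, not the order ``determine_allowed`` yields them
    in. ``assertEquals`` was replaced since the alias was removed in 3.12.
    """
    privileges = Privileges(self.aws_api_list)

    # Allow everything matching the interior wildcard.
    stmt = {"Action": ["s3:*ObjectT*"], "Resource": "*", "Effect": "Allow"}
    privileges.add_stmt(stmt)

    # Then deny two of the expanded actions globally.
    stmt = {
        "Action": ["s3:GetObjectTagging", "s3:GetObjectTorrent"],
        "Resource": "*",
        "Effect": "Deny"
    }
    privileges.add_stmt(stmt)

    self.assertCountEqual(
        privileges.determine_allowed(),
        ['s3:putobjecttagging', 's3:deleteobjecttagging'])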
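def test_get_actions_from_statement_with_array_of_resources(self):
    """A Deny whose Resource list contains ``"*"`` counts as a global Deny.

    ``Resource`` may be a list as well as a string. If any element of that
    list is ``"*"`` the Deny applies everywhere, so the action must be
    dropped from the allowed set just as with a bare ``"Resource": "*"``;
    the specific ARN alongside it must not narrow the Deny.
    """
    privileges = Privileges(self.aws_api_list)
    policy = [
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            # List form with a "*" element: still a global Deny.
            "Action": "s3:CreateBucket",
            "Effect": "Deny",
            "Resource": ["arn:aws:s3:::super-sensitive-bucket", "*"]
        },
    ]
    for stmt in policy:
        privileges.add_stmt(stmt)

    allowed = privileges.determine_allowed()
    # Untouched by the Deny.
    self.assertIn('s3:deletebucket', allowed)
    # Denied globally via the "*" element of the Resource list.
    self.assertNotIn('s3:createbucket', allowed)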