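def test_get_actions_from_statement(self):
    """Exact and wildcard action names expand to lower-cased API actions.

    Covers three shapes of ``Action``: an exact name, a trailing-wildcard
    pattern, and a pattern with a wildcard on both sides.  The expected
    sets are derived from ``self.aws_api_list``, so they are only valid
    for the API list fixture this test class loads.
    """
    privileges = Privileges(self.aws_api_list)

    # Exact action name: a single, lower-cased entry.
    stmt = {"Action": ["s3:PutObject"], "Resource": "*", "Effect": "Allow"}
    self.assertEqual(privileges.get_actions_from_statement(stmt),
                     {'s3:putobject': True})

    # Trailing wildcard: every action sharing the prefix is included.
    stmt = {
        "Action": ["s3:PutObject*"],
        "Resource": "*",
        "Effect": "Allow"
    }
    self.assertEqual(
        privileges.get_actions_from_statement(stmt), {
            's3:putobject': True,
            's3:putobjectacl': True,
            's3:putobjecttagging': True
        })

    # Wildcard on both sides: the pattern matches anywhere in the action
    # name, which is why the unrelated GetObjectTorrent is pulled in.  This
    # is the over-broad grant shape a policy reviewer should watch for.
    stmt = {"Action": ["s3:*ObjectT*"], "Resource": "*", "Effect": "Allow"}
    self.assertEqual(
        privileges.get_actions_from_statement(stmt), {
            's3:deleteobjecttagging': True,
            's3:getobjecttagging': True,
            's3:getobjecttorrent': True,
            's3:putobjecttagging': True
        })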
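 def test_get_actions_from_statement_with_conditions(self):
     """A conditional Deny does not remove the action from the allowed set.

     The Deny statement only applies when MFA is absent, so the action can
     still be exercised under some request context; ``determine_allowed()``
     therefore keeps it.  This is the conservative reading for a privilege
     review: a Deny that depends on a condition is not treated as revoking
     the permission.
     """
     privileges = Privileges(self.aws_api_list)
     policy = [{
         "Sid": "AllowAllActionsForEC2",
         "Effect": "Allow",
         "Action": "ec2:*",
         "Resource": "*"
     }, {
         "Sid": "DenyStopAndTerminateWhenMFAIsNotPresent",
         "Effect": "Deny",
         "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
         "Resource": "*",
         "Condition": {
             "BoolIfExists": {
                 "aws:MultiFactorAuthPresent": False
             }
         }
     }]
     for stmt in policy:
         privileges.add_stmt(stmt)

     # Evaluate once; both assertions inspect the same result.
     allowed = privileges.determine_allowed()
     # Not named in the Deny at all.
     self.assertIn('ec2:startinstances', allowed)
     # Named in the Deny, but only under a condition.
     self.assertIn('ec2:stopinstances', allowed)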
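 def test_get_actions_from_statement_with_resources(self):
     """A Deny scoped to one resource does not remove the action globally.

     Only a Deny whose ``Resource`` is ``"*"`` (here ``s3:CreateBucket``)
     removes an action from ``determine_allowed()``; the Deny limited to
     a single bucket leaves the other S3 actions marked as allowed, since
     they remain usable on every other resource.
     """
     privileges = Privileges(self.aws_api_list)
     policy = [{
         "Action": "s3:*",
         "Effect": "Allow",
         "Resource": "*"
     }, {
         "Action": "s3:CreateBucket",
         "Effect": "Deny",
         "Resource": "*"
     }, {
         "Action":
         "s3:*",
         "Effect":
         "Deny",
         "Resource": [
             "arn:aws:s3:::super-sensitive-bucket",
             "arn:aws:s3:::super-sensitive-bucket/*"
         ]
     }]
     for stmt in policy:
         privileges.add_stmt(stmt)

     # Evaluate once; both assertions inspect the same result.
     allowed = privileges.determine_allowed()
     # Denied only on the sensitive bucket, so still allowed overall.
     self.assertIn('s3:deletebucket', allowed)
     # Denied on every resource, so removed.
     self.assertNotIn('s3:createbucket', allowed)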
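 def test_policy(self):
     """Multiple statements: a wildcard Allow minus an explicit Deny.

     The Allow expands ``s3:*ObjectT*`` to four actions; the Deny then
     removes two of them by exact name.  Only the membership of the
     result is asserted, not its order.
     """
     privileges = Privileges(self.aws_api_list)
     # Grant a wildcard set, then deny two members of it explicitly.
     stmt = {"Action": ["s3:*ObjectT*"], "Resource": "*", "Effect": "Allow"}
     privileges.add_stmt(stmt)
     stmt = {'Action': ['s3:GetObjectTagging', 's3:GetObjectTorrent'],
             "Resource": "*",
             "Effect": "Deny"}
     privileges.add_stmt(stmt)
     # assertCountEqual compares contents regardless of list order.
     self.assertCountEqual(privileges.determine_allowed(),
                           ['s3:putobjecttagging', 's3:deleteobjecttagging'])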
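 def test_get_actions_from_statement_with_array_of_resources(self):
     """A Deny whose ``Resource`` list contains ``"*"`` is a global Deny.

     The Deny names a specific bucket and ``"*"`` together; the wildcard
     entry must make it apply everywhere, so ``s3:CreateBucket`` drops out
     of ``determine_allowed()`` while the other S3 actions remain.
     """
     privileges = Privileges(self.aws_api_list)
     policy = [{
         "Action": "s3:*",
         "Effect": "Allow",
         "Resource": "*"
     }, {
         "Action": "s3:CreateBucket",
         "Effect": "Deny",
         "Resource": ["arn:aws:s3:::super-sensitive-bucket", "*"]
     }]
     for stmt in policy:
         privileges.add_stmt(stmt)

     # Evaluate once; both assertions inspect the same result.
     allowed = privileges.determine_allowed()
     # Untouched by the Deny.
     self.assertIn('s3:deletebucket', allowed)
     # The "*" entry in the Resource list makes the Deny apply globally.
     self.assertNotIn('s3:createbucket', allowed)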