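def query_arn_table(name, service, list_arn_types, fmt):
    """Query the ARN Table from the Policy Sentry database and print the result.

    Use this one when leveraging Policy Sentry as a library.

    Args:
        name: Short name of one ARN type (e.g. ``environment`` for the
            ``cloud9`` service), or ``None`` to query every ARN type of
            ``service``.
        service: IAM service prefix to query (e.g. ``s3``).
        list_arn_types: Only consulted when ``name`` is ``None``. Truthy lists
            each ARN type paired with its raw ARN format; falsy lists the raw
            ARN formats alone.
        fmt: ``"yaml"`` prints YAML; any other value prints the raw ARN list
            one item per line, or the dict results as indented JSON.

    Returns:
        The queried data (a list of raw ARN formats, or a dict), which is also
        printed to stdout.
    """
    if os.path.exists(LOCAL_DATASTORE_FILE_PATH):
        # NOTE(review): the local file silently takes precedence over the
        # bundled definition whenever it exists, and nothing here validates
        # its contents; anyone who can write $HOME/.policy_sentry/ therefore
        # controls every answer this function gives. Confirm that matches the
        # trust model of the caller.
        logger.info(
            f"Using the Local IAM definition: {LOCAL_DATASTORE_FILE_PATH}. To leverage the bundled definition instead, remove the folder $HOME/.policy_sentry/"
        )
    else:
        # Otherwise, leverage the datastore inside the python package
        logger.debug("Leveraging the bundled IAM Definition.")

    use_yaml = fmt == "yaml"
    if name is None and not list_arn_types:
        # A list of all RAW ARN formats available through the service.
        # ``not list_arn_types`` (rather than ``is False``) so that ``None`` or
        # ``0`` from a library caller lands here instead of falling through to
        # the ``else`` branch with ``name=None``.
        output = get_raw_arns_for_service(service)
        if use_yaml:
            print(yaml.dump(output))
        else:
            for item in output:
                print(item)
    elif name is None:
        # All ARN types for the service, paired with their RAW ARN formats.
        output = get_arn_types_for_service(service)
        print(yaml.dump(output) if use_yaml else json.dumps(output, indent=4))
    else:
        # The raw ARN format for one ARN type, e.g. the `cloud9` service with
        # the short name `environment`.
        output = get_arn_type_details(service, name)
        print(yaml.dump(output) if use_yaml else json.dumps(output, indent=4))
    return output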
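def test_get_arn_types_for_service(self):
    """querying.arns.get_arn_types_for_service: Tests function that grabs arn_type and raw_arn pairs.

    Only the presence of the expected ARN-type keys is asserted. The raw ARN
    values in ``expected_results`` document the expected shape but are not
    compared, so a regression in a raw ARN format alone would not fail here.
    """
    expected_results = {
        "accesspoint": "arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName}",
        "bucket": "arn:${Partition}:s3:::${BucketName}",
        "object": "arn:${Partition}:s3:::${BucketName}/${ObjectName}",
        "job": "arn:${Partition}:s3:${Region}:${Account}:job/${JobId}",
    }
    results = get_arn_types_for_service("s3")
    self.maxDiff = None
    for arn_type in expected_results:
        # assertIn names the missing key and the container on failure,
        # unlike assertTrue(key in results).
        self.assertIn(arn_type, results)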
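def test_get_arn_types_for_service(self):
    """querying.arns.get_arn_types_for_service: Tests function that grabs arn_type and raw_arn pairs.

    Asserts the full arn_type -> raw_arn mapping for ``s3``, so both a missing
    ARN type and a changed raw ARN format fail the test. ``db_session`` is
    provided by the enclosing module.
    """
    desired_output = {
        "accesspoint": "arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName}",
        "bucket": "arn:${Partition}:s3:::${BucketName}",
        "object": "arn:${Partition}:s3:::${BucketName}/${ObjectName}",
        "job": "arn:${Partition}:s3:${Region}:${Account}:job/${JobId}",
    }
    output = get_arn_types_for_service(db_session, "s3")
    # Show the whole dict diff on failure instead of a truncated one.
    self.maxDiff = None
    self.assertDictEqual(desired_output, output)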
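def test_get_arn_types_for_service(self):
    """querying.arns.get_arn_types_for_service: Tests function that grabs arn_type and raw_arn pairs.

    Asserts the full arn_type -> raw_arn mapping for ``s3``, so both a missing
    ARN type and a changed raw ARN format fail the test.
    """
    expected_results = {
        "accesspoint": "arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName}",
        "bucket": "arn:${Partition}:s3:::${BucketName}",
        "object": "arn:${Partition}:s3:::${BucketName}/${ObjectName}",
        "job": "arn:${Partition}:s3:${Region}:${Account}:job/${JobId}",
    }
    results = get_arn_types_for_service("s3")
    # Show the whole dict diff on failure instead of a truncated one.
    self.maxDiff = None
    self.assertEqual(results, expected_results)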
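def test_services_with_multiple_pages_apigateway(self):
    """Ensure that apigateway v1 and apigateway v2 actions are both present in the apigateway namespace.

    ``self.all_actions`` is read as the flattened collection of every action
    in the IAM definition; it is set up outside this method.
    """
    # API Gateway Management V1: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapigatewaymanagement.html
    self.assertIn("apigateway:AddCertificateToDomain", self.all_actions)
    self.assertIn("apigateway:RemoveCertificateFromDomain", self.all_actions)
    self.assertIn("apigateway:SetWebACL", self.all_actions)
    # API Gateway Management V2: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapigatewaymanagement.html
    # NOTE(review): the V2 URL above is identical to the V1 one; the V2 page is
    # presumably a separate reference document -- confirm and update the link.
    # API Gateway V2 doesn't have any unique actions, but it does have some
    # unique resource types. Make sure those resource types are in the IAM
    # Definition; membership is checked against the dict's keys directly.
    resource_types = get_arn_types_for_service("apigateway")
    # Resource types unique to API Gateway V2:
    self.assertIn("AccessLogSettings", resource_types)
    # Resource types unique to API Gateway V1:
    self.assertIn("RestApi", resource_types)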
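def arn_table(name, service, list_arn_types):
    """Query the ARN Table from the Policy Sentry database and print the result.

    Args:
        name: Short name of one ARN type (e.g. ``environment`` for the
            ``cloud9`` service), or ``None`` to query every ARN type of
            ``service``.
        service: IAM service prefix to query (e.g. ``s3``).
        list_arn_types: Only consulted when ``name`` is ``None``. Truthy prints
            each ARN type paired with its raw ARN format as JSON; falsy prints
            the raw ARN formats one per line.

    Returns:
        None; results go to stdout.
    """
    # NOTE(review): the session is never closed here; whether connect_db hands
    # back something that needs closing is not visible from this function.
    db_session = connect_db(DATABASE_FILE_PATH)
    if name is None and not list_arn_types:
        # A list of all RAW ARN formats available through the service.
        # ``not list_arn_types`` (rather than ``is False``) so that ``None`` or
        # ``0`` does not fall through to the ``else`` branch with ``name=None``.
        for raw_arn in get_raw_arns_for_service(db_session, service):
            print(raw_arn)
    elif name is None:
        # All ARN types for the service, paired with their RAW ARN formats.
        output = get_arn_types_for_service(db_session, service)
        print(json.dumps(output, indent=4))
    else:
        # The raw ARN format for one ARN type, e.g. the `cloud9` service with
        # the short name `environment`.
        output = get_arn_type_details(db_session, service, name)
        print(json.dumps(output, indent=4))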
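def query_arn_table(name, service, list_arn_types, fmt):
    """Query the ARN Table from the Policy Sentry database and print the result.

    Use this one when leveraging Policy Sentry as a library.

    Args:
        name: Short name of one ARN type (e.g. ``environment`` for the
            ``cloud9`` service), or ``None`` to query every ARN type of
            ``service``.
        service: IAM service prefix to query (e.g. ``s3``).
        list_arn_types: Only consulted when ``name`` is ``None``. Truthy lists
            each ARN type paired with its raw ARN format; falsy lists the raw
            ARN formats alone.
        fmt: ``"yaml"`` prints YAML; any other value prints the raw ARN list
            one item per line, or the dict results as indented JSON.

    Returns:
        The queried data (a list of raw ARN formats, or a dict), which is also
        printed to stdout.
    """
    use_yaml = fmt == "yaml"
    if name is None and not list_arn_types:
        # A list of all RAW ARN formats available through the service.
        # ``not list_arn_types`` (rather than ``is False``) so that ``None`` or
        # ``0`` from a library caller lands here instead of falling through to
        # the ``else`` branch with ``name=None``.
        output = get_raw_arns_for_service(service)
        if use_yaml:
            print(yaml.dump(output))
        else:
            for item in output:
                print(item)
    elif name is None:
        # All ARN types for the service, paired with their RAW ARN formats.
        output = get_arn_types_for_service(service)
        print(yaml.dump(output) if use_yaml else json.dumps(output, indent=4))
    else:
        # The raw ARN format for one ARN type, e.g. the `cloud9` service with
        # the short name `environment`.
        output = get_arn_type_details(service, name)
        print(yaml.dump(output) if use_yaml else json.dumps(output, indent=4))
    return output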
#!/usr/bin/env python
# Example: print the ARN types of the ``s3`` service, paired with their raw
# ARN formats, from the bundled IAM definition.
import json

from policy_sentry.shared.database import connect_db
from policy_sentry.querying.arns import get_arn_types_for_service


def main():
    """Open the bundled datastore, query the s3 ARN types and print them as JSON."""
    db_session = connect_db('bundled')
    arn_types = get_arn_types_for_service(db_session, "s3")
    print(json.dumps(arn_types, indent=4))


if __name__ == '__main__':
    main()

# Output:
# {
#     "accesspoint": "arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName}",
#     "bucket": "arn:${Partition}:s3:::${BucketName}",
#     "object": "arn:${Partition}:s3:::${BucketName}/${ObjectName}",
#     "job": "arn:${Partition}:s3:${Region}:${Account}:job/${JobId}",
# }
#!/usr/bin/env python
# Example: print the ARN types of the ``s3`` service, paired with their raw
# ARN formats, from the IAM definition.
import json

from policy_sentry.querying.arns import get_arn_types_for_service


def main():
    """Query the s3 ARN types and print them as indented JSON."""
    arn_types = get_arn_types_for_service("s3")
    print(json.dumps(arn_types, indent=4))


if __name__ == '__main__':
    main()

# Output:
# {
#     "accesspoint": "arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName}",
#     "bucket": "arn:${Partition}:s3:::${BucketName}",
#     "object": "arn:${Partition}:s3:::${BucketName}/${ObjectName}",
#     "job": "arn:${Partition}:s3:${Region}:${Account}:job/${JobId}",
# }