def test_allowed_actions_raw_case_preserve_and_insensitive(action_expander):
    """Raw Allow patterns come back as written, with duplicates collapsed.

    Two statements carry the identical ``sts:*`` pattern, so the raw view
    must report it only once.  The upper-case ``s3:GET*`` must be returned
    untouched: the raw layer neither lower-cases nor expands patterns.
    """
    document = """{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allowlist1",
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "sts:*"
                ]
            },
            {
                "Sid": "AllowlistTestingDupeIsIgnored",
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "sts:*"
                ]
            },
            {
                "Sid": "Allowlist3",
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "s3:GET*"
                ]
            }
        ]
    }"""
    policy = Policy(document, action_expander)

    expected_raw = {'s3:GET*', 'sts:*'}
    assert policy.allow_actions_raw == expected_raw
def test_denied_actions_explicit_case_insensitive(action_expander):
    """Explicit Deny patterns expand case-insensitively.

    The Deny statement uses ``sts:ASSUME*``; the expanded explicit-deny set
    must still contain the canonically cased ``sts:AssumeRole*`` actions.
    The expected set is whatever sts action list the ``action_expander``
    fixture carries, not necessarily the current AWS action catalogue.
    """
    document = """{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allow1",
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "sts:*"
                ]
            },
            {
                "Sid": "Deny1",
                "Effect": "Deny",
                "Resource": "*",
                "Action": [
                    "sts:ASSUME*"
                ]
            }
        ]
    }"""
    policy = Policy(document, action_expander)

    expected_denied = {
        'sts:AssumeRole',
        'sts:AssumeRoleWithSAML',
        'sts:AssumeRoleWithWebIdentity',
    }
    assert policy.denied_actions_explicit == expected_denied, \
        'We expect the deny actions to be accurate when using ASSUME*'
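def test_denied_actions_explicit(action_expander):
    """Explicit Deny patterns are expanded into concrete actions.

    A single ``sts:Assume*`` Deny must expand to every sts action with that
    prefix known to the ``action_expander`` fixture.  The expected set is
    whatever sts action list the fixture carries, not necessarily the
    current AWS action catalogue.
    """
    document = """{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allow1",
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "sts:*"
                ]
            },
            {
                "Sid": "Deny1",
                "Effect": "Deny",
                "Resource": "*",
                "Action": [
                    "sts:Assume*"
                ]
            }
        ]
    }"""
    policy = Policy(document, action_expander)

    expected_denied = {
        'sts:AssumeRole',
        'sts:AssumeRoleWithSAML',
        'sts:AssumeRoleWithWebIdentity',
    }
    # The previous message was copied from the raw-pattern test and described
    # case preservation, which is not what this assertion checks.
    assert policy.denied_actions_explicit == expected_denied, \
        'We expect the deny actions to be expanded accurately when using Assume*'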
def test_deny_actions_raw_case_preserved(action_expander):
    """Raw Deny patterns are returned verbatim, including their case.

    The Deny statement is written as ``sts:ASSUME*``; the raw view must hand
    back exactly that string, neither expanded nor re-cased.
    """
    document = """{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allow1",
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "sts:*"
                ]
            },
            {
                "Sid": "Deny1",
                "Effect": "Deny",
                "Resource": "*",
                "Action": [
                    "sts:ASSUME*"
                ]
            }
        ]
    }"""
    policy = Policy(document, action_expander)

    expected_raw = {'sts:ASSUME*'}
    assert policy.deny_actions_raw == expected_raw, \
        'We expect the deny actions returned unaltered and the case to be preserved'
def test_allowed_actions_allow_with_explict_deny(action_expander):
    """``allowed_actions`` expands the Allow statements only.

    An explicit ``sts:Assume*`` Deny sits next to ``sts:*`` Allow, yet the
    Assume* actions remain in ``allowed_actions``; the deny is surfaced
    separately through ``denied_actions_explicit``.  Callers computing
    effective permissions therefore have to subtract the explicit denies
    themselves, since an explicit Deny overrides an Allow in IAM evaluation.
    The expected set is whatever sts action list the ``action_expander``
    fixture carries, not necessarily the current AWS action catalogue.
    """
    document = """{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allow1",
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "sts:*"
                ]
            },
            {
                "Sid": "Deny1",
                "Effect": "Deny",
                "Resource": "*",
                "Action": [
                    "sts:Assume*"
                ]
            }
        ]
    }"""
    policy = Policy(document, action_expander)

    # Every sts action the fixture knows about, denied ones included.
    expected_allowed = {
        'sts:AssumeRole',
        'sts:AssumeRoleWithSAML',
        'sts:AssumeRoleWithWebIdentity',
        'sts:DecodeAuthorizationMessage',
        'sts:GetCallerIdentity',
        'sts:GetFederationToken',
    }
    assert policy.allowed_actions == expected_allowed
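def test_implicit_deny_case_insensitive(action_expander):
    """An SCP that never mentions a service implicitly denies all of it.

    The user policy asks for ``STS:*`` and the SCP only allows ``S3:*``,
    both with upper-case service prefixes.  Because sts is absent from the
    SCP, every sts action the ``action_expander`` fixture knows about must
    appear in ``denied_actions``; the unusual casing must not mask the
    mismatch.  The expected set is the fixture's sts action list, not
    necessarily the current AWS action catalogue.
    """
    # user is asking for all of sts
    user_policy = Policy(
        """{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowSts",
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "STS:*"
                ]
            }
        ]
    }""", action_expander)
    # The SCP is allowing all of S3.  sts is not mentioned so it is implicitly denied
    scp = ServiceControlPolicy(
        """{
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "AllowS3",
                    "Effect": "Allow",
                    "Resource": "*",
                    "Action": [
                        "S3:*"
                    ]
                }
            ]
        }""", action_expander)

    result = scp.effect_on(user_policy)

    expected_denied = {
        'sts:AssumeRole',
        'sts:AssumeRoleWithSAML',
        'sts:AssumeRoleWithWebIdentity',
        'sts:DecodeAuthorizationMessage',
        'sts:GetCallerIdentity',
        'sts:GetFederationToken',
    }
    # Message fixed: "all off" -> "all of".
    assert result.denied_actions == expected_denied, \
        'We expect all of the sts actions to be implicitly denied'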
def test_denied_actions_explicit_multiple_statements(action_expander):
    """Allow and Deny expansion across several statements.

    Two duplicate ``sts:*`` Allow statements, an ``s3:Get*`` Allow and an
    ``sts:Assume*`` Deny are combined.  ``allowed_actions`` must be the
    union of every Allow expansion (the explicit deny does not remove the
    Assume* actions from it), while ``denied_actions_explicit`` must hold
    only the expanded Deny.  The expected sets are the action lists carried
    by the ``action_expander`` fixture, not necessarily the current AWS
    action catalogue.
    """
    document = """{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowSts",
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "sts:*"
                ]
            },
            {
                "Sid": "AllowStsTestingDupeIsIgnored",
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "sts:*"
                ]
            },
            {
                "Sid": "AllowS3Get",
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "s3:Get*"
                ]
            },
            {
                "Sid": "DenyStsAssume",
                "Effect": "Deny",
                "Resource": "*",
                "Action": [
                    "sts:Assume*"
                ]
            }
        ]
    }"""
    policy = Policy(document, action_expander)

    # s3:Get* as the fixture expands it.
    expected_s3 = {
        's3:GetAccelerateConfiguration',
        's3:GetAccountPublicAccessBlock',
        's3:GetAnalyticsConfiguration',
        's3:GetBucketAcl',
        's3:GetBucketCORS',
        's3:GetBucketLocation',
        's3:GetBucketLogging',
        's3:GetBucketNotification',
        's3:GetBucketPolicy',
        's3:GetBucketPolicyStatus',
        's3:GetBucketPublicAccessBlock',
        's3:GetBucketRequestPayment',
        's3:GetBucketTagging',
        's3:GetBucketVersioning',
        's3:GetBucketWebsite',
        's3:GetEncryptionConfiguration',
        's3:GetInventoryConfiguration',
        's3:GetLifecycleConfiguration',
        's3:GetMetricsConfiguration',
        's3:GetObject',
        's3:GetObjectAcl',
        's3:GetObjectTagging',
        's3:GetObjectTorrent',
        's3:GetObjectVersion',
        's3:GetObjectVersionAcl',
        's3:GetObjectVersionForReplication',
        's3:GetObjectVersionTagging',
        's3:GetObjectVersionTorrent',
        's3:GetReplicationConfiguration',
    }
    # sts:Assume* as the fixture expands it; also the explicit-deny set.
    expected_sts_assume = {
        'sts:AssumeRole',
        'sts:AssumeRoleWithSAML',
        'sts:AssumeRoleWithWebIdentity',
    }
    # The remaining sts actions covered by sts:*.
    expected_sts_other = {
        'sts:DecodeAuthorizationMessage',
        'sts:GetCallerIdentity',
        'sts:GetFederationToken',
    }

    assert policy.allowed_actions == (
        expected_s3 | expected_sts_assume | expected_sts_other
    )
    assert policy.denied_actions_explicit == expected_sts_assume
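def test_implicit_deny_allow_mix(action_expander):
    """An SCP that allows only part of a service implicitly denies the rest.

    The user policy asks for ``sqs:*`` and ``elastictranscoder:*``; the SCP
    allows only the read-style prefixes of each service.  Every action of
    those two services that the SCP does not cover must appear in
    ``denied_actions``.  The expected set is whatever action lists the
    ``action_expander`` fixture carries, not necessarily the current AWS
    action catalogue.
    """
    # user is asking for all of sqs and all of elastictranscoder
    # NOTE: the Sids in both documents ("AllowSts", "AllowEfs", "AllowS3Read")
    # do not match the services they cover; nothing here asserts on them.
    user_policy = Policy(
        """{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowSts",
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "sqs:*"
                ]
            },
            {
                "Sid": "AllowEfs",
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "elastictranscoder:*"
                ]
            }
        ]
    }""", action_expander)
    # The SCP is allowing "read only" on sqs and elastictranscoder
    scp = ServiceControlPolicy(
        """{
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "AllowS3Read",
                    "Effect": "Allow",
                    "Resource": "*",
                    "Action": [
                        "sqs:Get*",
                        "sqs:List*"
                    ]
                },
                {
                    "Sid": "AllowElasticTranscoderRead",
                    "Effect": "Allow",
                    "Resource": "*",
                    "Action": [
                        "elastictranscoder:Read*",
                        "elastictranscoder:List*"
                    ]
                }
            ]
        }""", action_expander)

    result = scp.effect_on(user_policy)

    # sqs actions not matched by sqs:Get* / sqs:List*.
    expected_sqs_denied = {
        'sqs:AddPermission',
        'sqs:ChangeMessageVisibility',
        'sqs:ChangeMessageVisibilityBatch',
        'sqs:CreateQueue',
        'sqs:DeleteMessage',
        'sqs:DeleteMessageBatch',
        'sqs:DeleteQueue',
        'sqs:PurgeQueue',
        'sqs:ReceiveMessage',
        'sqs:RemovePermission',
        'sqs:SendMessage',
        'sqs:SendMessageBatch',
        'sqs:SetQueueAttributes',
        'sqs:TagQueue',
        'sqs:UntagQueue',
    }
    # elastictranscoder actions not matched by Read* / List*.
    expected_ets_denied = {
        'elastictranscoder:CancelJob',
        'elastictranscoder:CreateJob',
        'elastictranscoder:CreatePipeline',
        'elastictranscoder:CreatePreset',
        'elastictranscoder:DeletePipeline',
        'elastictranscoder:DeletePreset',
        'elastictranscoder:TestRole',
        'elastictranscoder:UpdatePipeline',
        'elastictranscoder:UpdatePipelineNotifications',
        'elastictranscoder:UpdatePipelineStatus',
    }
    # Message fixed: it previously spoke of sts, which this test does not use.
    assert result.denied_actions == expected_sqs_denied | expected_ets_denied, \
        'We expect all of the sqs and elastictranscoder actions not allowed by the SCP to be implicitly denied'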