def test_should_guess_only_specific_actions_and_fix_upper_lowercase():
input_policy = PolicyDocument(Version="2012-10-17",
Statement=[
Statement(Effect="Allow",
Action=[
Action(
'ec2', 'DetachVolume'),
],
Resource=["*"]),
])
expected_output = PolicyDocument(
Version="2012-10-17",
Statement=[
Statement(Effect="Allow",
Action=[
Action('ec2', 'DetachVolume'),
],
Resource=["*"]),
Statement(Effect="Allow",
Action=[
Action('ec2', 'AttachVolume'),
Action('ec2', 'DescribeVolumes'),
],
Resource=["*"]),
])
runner = CliRunner()
result = runner.invoke(
cli.root_group,
args=["guess", "--only", "Attach", "--only", "describe"],
input=input_policy.to_json())
assert result.exit_code == 0
assert parse_policy_document(result.output) == expected_output
def test_should_group_by_action_and_resource_independent_of_order():
records = [
Record("rds.amazonaws.com", "ListTagsForResource",
["arn:aws:rds:eu-central-1:111111111111:db:some-db"]),
Record("rds.amazonaws.com", "SomethingDifferent",
["arn:aws:rds:eu-central-1:111111111111:db:a-third-db"]),
Record("rds.amazonaws.com", "ListTagsForResource",
["arn:aws:rds:eu-central-1:111111111111:db:some-other-db"]),
]
expected = PolicyDocument(
Version="2012-10-17",
Statement=[
Statement(
Effect="Allow",
Action=[
Action("rds", "ListTagsForResource"),
],
Resource=[
"arn:aws:rds:eu-central-1:111111111111:db:some-db",
"arn:aws:rds:eu-central-1:111111111111:db:some-other-db",
]),
Statement(
Effect="Allow",
Action=[
Action("rds", "SomethingDifferent"),
],
Resource=[
"arn:aws:rds:eu-central-1:111111111111:db:a-third-db",
]),
])
actual = generate_policy(records)
assert actual == expected
def test_should_guess_all_matching_statements():
input_policy = PolicyDocument(
Version="2012-10-17",
Statement=[
Statement(Effect="Allow",
Action=[
Action('autoscaling',
'DescribeLaunchConfigurations'),
],
Resource=["*"]),
Statement(Effect="Allow",
Action=[
Action('sts', 'AssumeRole'),
],
Resource=["arn:aws:iam::111111111111:role/someRole"])
])
expected_output = PolicyDocument(
Version="2012-10-17",
Statement=[
Statement(Effect="Allow",
Action=[
Action('autoscaling',
'DescribeLaunchConfigurations'),
],
Resource=["*"]),
Statement(Effect="Allow",
Action=[
Action('autoscaling', 'CreateLaunchConfiguration'),
Action('autoscaling', 'DeleteLaunchConfiguration'),
],
Resource=["*"]),
Statement(Effect="Allow",
Action=[
Action('sts', 'AssumeRole'),
],
Resource=["arn:aws:iam::111111111111:role/someRole"])
])
runner = CliRunner()
result = runner.invoke(cli.root_group,
args=["guess"],
input=input_policy.to_json())
assert result.exit_code == 0
assert parse_policy_document(result.output) == expected_output
def test_json_parses_to_policy_document():
pd = PolicyDocument(
Version="2012-10-17",
Statement=[
Statement(Effect="Allow",
Action=[
Action('autoscaling',
'DescribeLaunchConfigurations'),
],
Resource=["*"]),
Statement(Effect="Allow",
Action=[
Action('sts', 'AssumeRole'),
],
Resource=["arn:aws:iam::111111111111:role/someRole"])
])
assert parse_policy_document(StringIO(
pd.to_json())).to_json() == pd.to_json()
def test_policy_document_renders_to_json():
pd = PolicyDocument(
Version="2012-10-17",
Statement=[
Statement(Effect="Allow",
Action=[
Action('autoscaling',
'DescribeLaunchConfigurations'),
],
Resource=["*"]),
Statement(Effect="Allow",
Action=[
Action('sts', 'AssumeRole'),
],
Resource=["arn:aws:iam::111111111111:role/someRole"])
])
expected_json = '''\
{
"Statement": [
{
"Action": [
"autoscaling:DescribeLaunchConfigurations"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::111111111111:role/someRole"
]
}
],
"Version": "2012-10-17"
}'''
assert json.loads(pd.to_json()) == json.loads(expected_json)
def generate_policy(selected_records):
"""Generates a policy from a set of records"""
statements = pipe(
selected_records, mapz(Record.to_statement),
filterz(lambda statement: statement is not None),
_combine_statements_by(lambda statement: statement.Resource),
_combine_statements_by(lambda statement: statement.Action), sortedz())
return PolicyDocument(
Version="2012-10-17",
Statement=statements,
)
def test_should_allow_events_that_dont_map_to_statement():
records = [
Record("autoscaling.amazonaws.com", "DescribeLaunchConfigurations"),
Record("sts.amazonaws.com", "GetCallerIdentity")
]
assert generate_policy(records) == PolicyDocument(
Version="2012-10-17",
Statement=[
Statement(Effect="Allow",
Action=[
Action('autoscaling',
'DescribeLaunchConfigurations'),
],
Resource=["*"])
])
def test_should_remove_duplicate_actions():
records = [
Record("autoscaling.amazonaws.com", "DescribeLaunchConfigurations"),
Record("autoscaling.amazonaws.com", "DescribeLaunchConfigurations"),
]
assert generate_policy(records) == PolicyDocument(
Version="2012-10-17",
Statement=[
Statement(Effect="Allow",
Action=[
Action('autoscaling',
'DescribeLaunchConfigurations'),
],
Resource=["*"])
])
def test_should_generate_simple_policy():
records = [
Record("autoscaling.amazonaws.com", "DescribeLaunchConfigurations"),
Record("sts.amazonaws.com", "AssumeRole")
]
assert generate_policy(records) == PolicyDocument(
Version="2012-10-17",
Statement=[
Statement(Effect="Allow",
Action=[
Action('autoscaling',
'DescribeLaunchConfigurations'),
Action('sts', 'AssumeRole'),
],
Resource=["*"])
])
def test_should_sort_actions_alphabetically():
records = [
Record("ec2.amazonaws.com", "DescribeSecurityGroups"),
Record("rds.amazonaws.com", "ListTagsForResource"),
Record("ec2.amazonaws.com", "DescribeInstances"),
]
assert generate_policy(records) == PolicyDocument(
Version="2012-10-17",
Statement=[
Statement(Effect="Allow",
Action=[
Action("ec2", "DescribeInstances"),
Action("ec2", "DescribeSecurityGroups"),
Action("rds", "ListTagsForResource"),
],
Resource=["*"])
])
def test_should_group_by_resources_and_combine_statements_with_same_actions_but_different_resources(
):
records = [
Record("rds.amazonaws.com", "ListTagsForResource",
["arn:aws:rds:eu-central-1:111111111111:db:some-db"]),
Record("rds.amazonaws.com", "ListTagsForResource",
["arn:aws:rds:eu-central-1:111111111111:db:some-other-db"]),
]
assert generate_policy(records) == PolicyDocument(
Version="2012-10-17",
Statement=[
Statement(
Effect="Allow",
Action=[
Action("rds", "ListTagsForResource"),
],
Resource=[
"arn:aws:rds:eu-central-1:111111111111:db:some-db",
"arn:aws:rds:eu-central-1:111111111111:db:some-other-db",
])
])
def test_should_group_by_resources():
records = [
Record("ec2.amazonaws.com", "DescribeSecurityGroups"),
Record("rds.amazonaws.com", "ListTagsForResource",
["arn:aws:rds:eu-central-1:111111111111:db:some-db"]),
Record("ec2.amazonaws.com", "DescribeInstances"),
]
assert generate_policy(records) == PolicyDocument(
Version="2012-10-17",
Statement=[
Statement(Effect="Allow",
Action=[
Action("ec2", "DescribeInstances"),
Action("ec2", "DescribeSecurityGroups"),
],
Resource=["*"]),
Statement(
Effect="Allow",
Action=[
Action("rds", "ListTagsForResource"),
],
Resource=["arn:aws:rds:eu-central-1:111111111111:db:some-db"])
])
def guess_statements(policy, allowed_prefixes):
"""Guess additional create actions"""
extended_statements = [item for statement in policy.Statement
for item in _extend_statement(statement, allowed_prefixes)]
return PolicyDocument(Version=policy.Version, Statement=extended_statements)