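def _not_action_effective_actions(self):
    """Expand a ``NotAction`` statement into the actions it effectively allows.

    ``NotAction`` lists the actions a statement does *not* cover, so for an
    ``Allow`` statement the effective grant is every candidate action that is
    absent from that list.

    Returns:
        ``None`` when the statement has no ``NotAction`` element, and also for
        ``Deny`` statements, which are not expanded here. Otherwise a sorted
        list of action names. Duplicates are kept when several resource ARNs
        match the same action.
    """
    if not self.not_action:
        return None

    # Action names are compared case-insensitively. A set keeps each
    # membership test O(1) instead of rescanning a list per candidate.
    excluded = {
        name.lower() for name in determine_actions_to_expand(self.not_action)
    }

    constrained = self.has_resource_constraints

    if self.effect_allow:
        if constrained:
            # Effect: Allow with resource constraints. Candidates are the
            # actions that can apply to each listed ARN. Look each ARN up
            # once and reuse the result.
            candidates = []
            for arn in self.resources:
                matched = get_actions_matching_arn(arn)
                if matched:
                    candidates.extend(matched)
        else:
            # Effect: Allow without resource constraints. Every known action
            # that is not excluded is granted. The report is only as complete
            # as all_actions: an action missing from that table is still
            # allowed by the policy but will not be listed here.
            candidates = all_actions
        return sorted(
            action for action in candidates if action.lower() not in excluded
        )

    if self.effect_deny:
        # Deny + NotAction is not expanded. None here means "not evaluated";
        # callers should not read it as "this statement denies nothing".
        logger.debug(
            "NOTE: Haven't decided if we support Effect Deny here?")
        return None

    # only including this so Pylint doesn't yell at us
    return None  # pragma: no cover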
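def test_get_actions_matching_arn(self):
    """querying.actions.get_actions_matching_arn

    Look up the actions for a Cloud9 environment ARN and check the size of
    the result plus one action expected in it and one expected to be absent.
    """
    arn = "arn:aws:cloud9:us-east-1:account-id:environment:123456"
    results = get_actions_matching_arn(arn)
    # The full action list is deliberately not pinned, so the test does not
    # need updating whenever the action data changes. Only a lower bound on
    # the size and two membership facts are asserted.
    self.assertGreater(len(results), 10)
    # presumably ListEnvironments cannot be scoped to an environment ARN,
    # which is why it must not match; confirm against the action data
    self.assertNotIn("cloud9:ListEnvironments", results)
    self.assertIn("cloud9:DeleteEnvironment", results)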
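def _not_action_effective_actions(self) -> Optional[List[str]]:
    """Expand a ``NotAction`` statement into the actions it effectively allows.

    ``NotAction`` lists the actions a statement does *not* cover, so for an
    ``Allow`` statement the effective grant is every candidate action that is
    absent from that list.

    Returns:
        ``None`` when the statement has no ``NotAction`` element. For an
        ``Allow`` statement, a sorted list of action names; duplicates are
        kept when several resource ARNs match the same action. For a ``Deny``
        statement, an empty list, because Deny is not expanded here.
    """
    if not self.not_action:
        return None

    # Action names are compared case-insensitively. A set keeps each
    # membership test O(1), which matters when filtering all of ALL_ACTIONS.
    excluded = {
        name.lower() for name in determine_actions_to_expand(self.not_action)
    }

    wildcard = self.has_resource_wildcard

    if self.effect_allow:
        if wildcard:
            # Effect: Allow, Resource == "*". Every known action that is not
            # excluded is granted. The report is only as complete as
            # ALL_ACTIONS: an action missing from that table is still allowed
            # by the policy but will not be listed here.
            candidates = ALL_ACTIONS
        else:
            # Effect: Allow, Resource != "*". Candidates are the actions that
            # can apply to each listed ARN.
            candidates = []
            for arn in self.resources:
                matched = get_actions_matching_arn(arn)
                if matched:
                    candidates.extend(matched)
        return sorted(
            action for action in candidates if action.lower() not in excluded
        )

    if self.effect_deny:
        # Deny + NotAction is not expanded. The empty list means "not
        # evaluated"; callers should not read it as "denies nothing".
        logger.debug(
            "NOTE: Haven't decided if we support Effect Deny here?")
        return []

    # only including this so Pylint doesn't yell at us
    return None  # pragma: no cover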