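def query_arn_table(name, service, list_arn_types, fmt):
    """Query the ARN Table from the Policy Sentry database. Use this one when leveraging Policy Sentry as a library.

    Args:
        name: ARN type short name (e.g. ``environment`` for ``cloud9``). ``None`` queries
            the whole service instead of one ARN type.
        service: IAM service prefix such as ``s3`` or ``cloud9``.
        list_arn_types: only consulted when ``name`` is ``None``. Truthy lists ARN types
            paired with their raw ARN templates; falsy lists the raw ARN templates only.
        fmt: ``"yaml"`` prints the result as YAML; any other value prints JSON
            (or, for the raw-ARN listing, one ARN per line).

    Returns:
        The query result that was printed: a list of raw ARNs, or a dict.
    """
    if os.path.exists(LOCAL_DATASTORE_FILE_PATH):
        # NOTE(review): per the message below, a file at this user-writable path takes
        # precedence over the definition bundled with the package (the selection itself
        # presumably happens inside the query helpers). Anyone relying on the ARN table
        # for policy generation should be aware the source can be swapped out from $HOME.
        logger.info(
            f"Using the Local IAM definition: {LOCAL_DATASTORE_FILE_PATH}. To leverage the bundled definition instead, remove the folder $HOME/.policy_sentry/"
        )
    else:
        # Otherwise, leverage the datastore inside the python package
        logger.debug("Leveraging the bundled IAM Definition.")

    # A falsy flag (False, None, 0) selects the raw-ARN listing. The previous `is False`
    # test let None fall through to the by-name branch with name=None.
    if name is None and not list_arn_types:
        # Get a list of all RAW ARN formats available through the service.
        output = get_raw_arns_for_service(service)
        if fmt == "yaml":
            print(yaml.dump(output))
        else:
            for raw_arn in output:
                print(raw_arn)
        return output

    if name is None:
        # Get a list of all the ARN types per service, paired with the RAW ARNs
        output = get_arn_types_for_service(service)
    else:
        # Get the raw ARN format for one ARN type, e.g. the `cloud9` service with
        # the short name `environment`
        output = get_arn_type_details(service, name)
    print(yaml.dump(output) if fmt == "yaml" else json.dumps(output, indent=4))
    return output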
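 def test_get_arn_types_for_service(self):
     """querying.arns.get_arn_types_for_service: Tests function that grabs arn_type and raw_arn pairs"""
     # Only a subset of the s3 ARN types is pinned (rather than the full dict), presumably
     # so additions to the IAM definition do not break the test. Each pinned ARN type must
     # still map to its raw ARN template -- the original loop only checked the keys.
     expected_results = {
         "accesspoint": "arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName}",
         "bucket": "arn:${Partition}:s3:::${BucketName}",
         "object": "arn:${Partition}:s3:::${BucketName}/${ObjectName}",
         "job": "arn:${Partition}:s3:${Region}:${Account}:job/${JobId}",
     }
     results = get_arn_types_for_service("s3")
     self.maxDiff = None
     for arn_type, raw_arn in expected_results.items():
         self.assertIn(arn_type, results)
         self.assertEqual(results[arn_type], raw_arn)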
 def test_get_arn_types_for_service(self):
     """querying.arns.get_arn_types_for_service: Tests function that grabs arn_type and raw_arn pairs"""
     # Full-dict comparison: the s3 ARN table must contain exactly these
     # arn_type -> raw ARN template pairs, nothing more and nothing less.
     arn_type_to_raw_arn = {
         "accesspoint": "arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName}",
         "bucket": "arn:${Partition}:s3:::${BucketName}",
         "object": "arn:${Partition}:s3:::${BucketName}/${ObjectName}",
         "job": "arn:${Partition}:s3:${Region}:${Account}:job/${JobId}",
     }
     # db_session is expected to be provided by the enclosing test module.
     self.maxDiff = None
     self.assertDictEqual(arn_type_to_raw_arn, get_arn_types_for_service(db_session, "s3"))
 def test_get_arn_types_for_service(self):
     """querying.arns.get_arn_types_for_service: Tests function that grabs arn_type and raw_arn pairs"""
     # Exact comparison against the four s3 ARN types and their raw ARN templates.
     s3_arn_table = get_arn_types_for_service("s3")
     self.maxDiff = None
     self.assertEqual(
         s3_arn_table,
         {
             "accesspoint": "arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName}",
             "bucket": "arn:${Partition}:s3:::${BucketName}",
             "object": "arn:${Partition}:s3:::${BucketName}/${ObjectName}",
             "job": "arn:${Partition}:s3:${Region}:${Account}:job/${JobId}",
         },
     )
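 def test_services_with_multiple_pages_apigateway(self):
     """Ensure that apigateway v1 and apigateway v2 definitions are both folded into the apigateway namespace"""
     # API Gateway Management V1: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapigatewaymanagement.html
     # self.all_actions is expected to be populated by the test fixture (not visible here).
     self.assertIn("apigateway:AddCertificateToDomain", self.all_actions)
     self.assertIn("apigateway:RemoveCertificateFromDomain", self.all_actions)
     self.assertIn("apigateway:SetWebACL", self.all_actions)
     # API Gateway Management V2 has no actions of its own, only additional resource
     # types, so the merge of the second page is checked through the ARN table instead.
     # NOTE(review): the original comment reused the V1 reference link for V2; the V2
     # reference is a separate page -- TODO confirm the URL before citing it here.
     resource_types = get_arn_types_for_service("apigateway")
     # Resource type unique to API Gateway V2:
     self.assertIn("AccessLogSettings", resource_types)
     # Resource type unique to API Gateway V1:
     self.assertIn("RestApi", resource_types)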
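def arn_table(name, service, list_arn_types):
    """Query the ARN Table from the Policy Sentry database

    Args:
        name: ARN type short name (e.g. ``environment`` for ``cloud9``). ``None`` queries
            the whole service instead of one ARN type.
        service: IAM service prefix such as ``s3`` or ``cloud9``.
        list_arn_types: only consulted when ``name`` is ``None``. Truthy lists ARN types
            paired with their raw ARN templates; falsy lists the raw ARN templates only.

    Results are printed to stdout as JSON (raw ARNs one per line); nothing is returned.
    """
    db_session = connect_db(DATABASE_FILE_PATH)
    # NOTE(review): the session is never explicitly closed here; whether connect_db
    # hands back something that needs closing is not visible from this function.
    if name is None:
        # A falsy flag (False, None, 0) selects the raw-ARN listing. The previous
        # `is False` test let None fall through to a by-name lookup with name=None.
        if list_arn_types:
            # Get a list of all the ARN types per service, paired with the RAW ARNs
            output = get_arn_types_for_service(db_session, service)
            print(json.dumps(output, indent=4))
        else:
            # Get a list of all RAW ARN formats available through the service.
            for raw_arn in get_raw_arns_for_service(db_session, service):
                print(raw_arn)
    else:
        # Get the raw ARN format for one ARN type, e.g. the `cloud9` service with
        # the short name `environment`
        output = get_arn_type_details(db_session, service, name)
        print(json.dumps(output, indent=4))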
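def query_arn_table(name, service, list_arn_types, fmt):
    """Query the ARN Table from the Policy Sentry database. Use this one when leveraging Policy Sentry as a library.

    Args:
        name: ARN type short name (e.g. ``environment`` for ``cloud9``). ``None`` queries
            the whole service instead of one ARN type.
        service: IAM service prefix such as ``s3`` or ``cloud9``.
        list_arn_types: only consulted when ``name`` is ``None``. Truthy lists ARN types
            paired with their raw ARN templates; falsy lists the raw ARN templates only.
        fmt: ``"yaml"`` prints the result as YAML; any other value prints JSON
            (or, for the raw-ARN listing, one ARN per line).

    Returns:
        The query result that was printed: a list of raw ARNs, or a dict.
    """
    # A falsy flag (False, None, 0) selects the raw-ARN listing. The previous `is False`
    # test let None fall through to the by-name branch with name=None.
    if name is None and not list_arn_types:
        # Get a list of all RAW ARN formats available through the service.
        output = get_raw_arns_for_service(service)
        if fmt == "yaml":
            print(yaml.dump(output))
        else:
            # Plain loop instead of a list comprehension used for its side effects.
            for raw_arn in output:
                print(raw_arn)
        return output

    if name is None:
        # Get a list of all the ARN types per service, paired with the RAW ARNs
        output = get_arn_types_for_service(service)
    else:
        # Get the raw ARN format for one ARN type, e.g. the `cloud9` service with
        # the short name `environment`
        output = get_arn_type_details(service, name)
    print(yaml.dump(output) if fmt == "yaml" else json.dumps(output, indent=4))
    return output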
#!/usr/bin/env python
from policy_sentry.shared.database import connect_db
from policy_sentry.querying.arns import get_arn_types_for_service
import json

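if __name__ == '__main__':
    # Open the IAM definition bundled with the package and dump the s3 ARN table,
    # i.e. each ARN type short name mapped to its raw ARN template.
    db_session = connect_db('bundled')
    output = get_arn_types_for_service(db_session, "s3")
    print(json.dumps(output, indent=4))
"""
Output (the trailing comma after the last entry in the earlier sample was not valid
JSON and is not what json.dumps emits):

{
    "accesspoint": "arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName}",
    "bucket": "arn:${Partition}:s3:::${BucketName}",
    "object": "arn:${Partition}:s3:::${BucketName}/${ObjectName}",
    "job": "arn:${Partition}:s3:${Region}:${Account}:job/${JobId}"
}
"""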
#!/usr/bin/env python

from policy_sentry.querying.arns import get_arn_types_for_service
import json

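if __name__ == '__main__':
    # Dump the s3 ARN table: each ARN type short name mapped to its raw ARN template.
    # This newer API needs no database session; the IAM definition is loaded by the
    # query helper itself.
    output = get_arn_types_for_service("s3")
    print(json.dumps(output, indent=4))
"""
Output (the trailing comma after the last entry in the earlier sample was not valid
JSON and is not what json.dumps emits):

{
    "accesspoint": "arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName}",
    "bucket": "arn:${Partition}:s3:::${BucketName}",
    "object": "arn:${Partition}:s3:::${BucketName}/${ObjectName}",
    "job": "arn:${Partition}:s3:${Region}:${Account}:job/${JobId}"
}
"""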