def test_allowed_actions_raw_case_preserve_and_insensitive(action_expander):
    """Raw allow actions are deduplicated and keep the author's casing.

    ``sts:*`` is granted twice (the second statement is a deliberate
    duplicate) and must appear only once; ``s3:GET*`` must come back exactly
    as written, upper-case ``GET`` included.  Only preservation of the raw
    casing is asserted here; case-insensitive *matching* is covered by the
    ``denied_actions_explicit`` tests in this file.
    """
    document = """{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allowlist1",
                "Effect": "Allow",
                "Resource": "*",
                "Action": ["sts:*"]
            },
            {
                "Sid": "AllowlistTestingDupeIsIgnored",
                "Effect": "Allow",
                "Resource": "*",
                "Action": ["sts:*"]
            },
            {
                "Sid": "Allowlist3",
                "Effect": "Allow",
                "Resource": "*",
                "Action": ["s3:GET*"]
            }
        ]
    }"""
    policy = Policy(document, action_expander)

    expected_raw = {'sts:*', 's3:GET*'}
    assert policy.allow_actions_raw == expected_raw
def test_denied_actions_explicit_case_insensitive(action_expander):
    """An upper-case deny wildcard still expands to the canonical action names.

    The Deny statement spells its pattern ``sts:ASSUME*``.  Expansion must
    match the three ``sts:Assume*`` actions regardless of case and report
    them in their canonical spelling rather than the spelling used in the
    policy document.
    """
    document = """{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allow1",
                "Effect": "Allow",
                "Resource": "*",
                "Action": ["sts:*"]
            },
            {
                "Sid": "Deny1",
                "Effect": "Deny",
                "Resource": "*",
                "Action": ["sts:ASSUME*"]
            }
        ]
    }"""
    policy = Policy(document, action_expander)

    expected_denied = {
        'sts:AssumeRole',
        'sts:AssumeRoleWithWebIdentity',
        'sts:AssumeRoleWithSAML',
    }
    assert policy.denied_actions_explicit == expected_denied, (
        'We expect the deny actions to be accurate when using ASSUME*'
    )
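def test_denied_actions_explicit(action_expander):
    """A deny wildcard is expanded into the concrete actions it covers.

    ``sts:Assume*`` must expand to exactly the three ``sts:Assume*`` actions.
    The original assertion message ("returned unaltered ... case preserved")
    was copied from the raw-deny test and described the opposite of what is
    checked here; it now states the expansion expectation.
    """
    document = """{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allow1",
                "Effect": "Allow",
                "Resource": "*",
                "Action": ["sts:*"]
            },
            {
                "Sid": "Deny1",
                "Effect": "Deny",
                "Resource": "*",
                "Action": ["sts:Assume*"]
            }
        ]
    }"""
    user_policy = Policy(document, action_expander)

    expected_denied = {
        'sts:AssumeRole',
        'sts:AssumeRoleWithWebIdentity',
        'sts:AssumeRoleWithSAML',
    }
    assert user_policy.denied_actions_explicit == expected_denied, (
        'We expect the explicit deny wildcard sts:Assume* to be expanded '
        'into the three sts:Assume* actions'
    )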
def test_deny_actions_raw_case_preserved(action_expander):
    """Raw deny actions are returned exactly as written in the policy.

    The Deny statement uses ``sts:ASSUME*``; the raw deny set must contain
    that string unexpanded and with its upper-case spelling intact.
    """
    document = """{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allow1",
                "Effect": "Allow",
                "Resource": "*",
                "Action": ["sts:*"]
            },
            {
                "Sid": "Deny1",
                "Effect": "Deny",
                "Resource": "*",
                "Action": ["sts:ASSUME*"]
            }
        ]
    }"""
    policy = Policy(document, action_expander)

    expected_raw = {'sts:ASSUME*'}
    assert policy.deny_actions_raw == expected_raw, (
        'We expect the deny actions returned unaltered and the case to be preserved'
    )
def test_allowed_actions_allow_with_explict_deny(action_expander):
    """``allowed_actions`` is the expansion of the Allow statements alone.

    An explicit Deny on ``sts:Assume*`` in the same policy does not remove
    the Assume* actions from this set: the full list of sts actions is still
    expected.  The explicit denies are reported separately through
    ``denied_actions_explicit``, so this property must not be read as the
    net effect of the policy.
    """
    document = """{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allow1",
                "Effect": "Allow",
                "Resource": "*",
                "Action": ["sts:*"]
            },
            {
                "Sid": "Deny1",
                "Effect": "Deny",
                "Resource": "*",
                "Action": ["sts:Assume*"]
            }
        ]
    }"""
    policy = Policy(document, action_expander)

    # Every sts action known to the expander, including the three the
    # Deny statement names.
    all_sts_actions = {
        'sts:AssumeRole',
        'sts:AssumeRoleWithSAML',
        'sts:AssumeRoleWithWebIdentity',
        'sts:DecodeAuthorizationMessage',
        'sts:GetCallerIdentity',
        'sts:GetFederationToken',
    }
    assert policy.allowed_actions == all_sts_actions
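def test_implicit_deny_case_insensitive(action_expander):
    """An SCP that never mentions a service implicitly denies all of it.

    The user policy asks for ``STS:*`` and the SCP only allows ``S3:*``,
    both with upper-case service prefixes.  Because sts is absent from the
    SCP, every sts action must show up in ``denied_actions``; the
    upper-case prefixes check that the comparison is case-insensitive.
    The assertion message previously read "all off" and is corrected here.
    """
    # The user is asking for all of sts (upper-case prefix on purpose).
    user_document = """{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowSts",
                "Effect": "Allow",
                "Resource": "*",
                "Action": ["STS:*"]
            }
        ]
    }"""
    user_policy = Policy(user_document, action_expander)

    # The SCP allows all of S3 and says nothing about sts, so sts is
    # implicitly denied.
    scp_document = """{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowS3",
                "Effect": "Allow",
                "Resource": "*",
                "Action": ["S3:*"]
            }
        ]
    }"""
    scp = ServiceControlPolicy(scp_document, action_expander)

    result = scp.effect_on(user_policy)

    expected_denied = {
        'sts:DecodeAuthorizationMessage',
        'sts:AssumeRole',
        'sts:GetCallerIdentity',
        'sts:AssumeRoleWithWebIdentity',
        'sts:AssumeRoleWithSAML',
        'sts:GetFederationToken',
    }
    assert result.denied_actions == expected_denied, (
        'We expect all of the sts actions to be implicitly denied'
    )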
def test_denied_actions_explicit_multiple_statements(action_expander):
    """Allow expansion and explicit-deny expansion across several statements.

    Two duplicate ``sts:*`` allows, an ``s3:Get*`` allow and an
    ``sts:Assume*`` deny are combined.  ``allowed_actions`` must be the
    union of the expanded Allow statements (duplicates collapsed, the
    Assume* actions still present), and ``denied_actions_explicit`` must be
    exactly the expansion of the Deny statement.
    """
    document = """{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowSts",
                "Effect": "Allow",
                "Resource": "*",
                "Action": ["sts:*"]
            },
            {
                "Sid": "AllowStsTestingDupeIsIgnored",
                "Effect": "Allow",
                "Resource": "*",
                "Action": ["sts:*"]
            },
            {
                "Sid": "AllowS3Get",
                "Effect": "Allow",
                "Resource": "*",
                "Action": ["s3:Get*"]
            },
            {
                "Sid": "DenyStsAssume",
                "Effect": "Deny",
                "Resource": "*",
                "Action": ["sts:Assume*"]
            }
        ]
    }"""
    policy = Policy(document, action_expander)

    # Expansion of s3:Get* as the fixture's expander knows it.
    s3_get_actions = {
        's3:GetAccelerateConfiguration',
        's3:GetAccountPublicAccessBlock',
        's3:GetAnalyticsConfiguration',
        's3:GetBucketAcl',
        's3:GetBucketCORS',
        's3:GetBucketLocation',
        's3:GetBucketLogging',
        's3:GetBucketNotification',
        's3:GetBucketPolicy',
        's3:GetBucketPolicyStatus',
        's3:GetBucketPublicAccessBlock',
        's3:GetBucketRequestPayment',
        's3:GetBucketTagging',
        's3:GetBucketVersioning',
        's3:GetBucketWebsite',
        's3:GetEncryptionConfiguration',
        's3:GetInventoryConfiguration',
        's3:GetLifecycleConfiguration',
        's3:GetMetricsConfiguration',
        's3:GetObject',
        's3:GetObjectAcl',
        's3:GetObjectTagging',
        's3:GetObjectTorrent',
        's3:GetObjectVersion',
        's3:GetObjectVersionAcl',
        's3:GetObjectVersionForReplication',
        's3:GetObjectVersionTagging',
        's3:GetObjectVersionTorrent',
        's3:GetReplicationConfiguration',
    }
    # Expansion of sts:Assume* -- also the explicit deny set.
    sts_assume_actions = {
        'sts:AssumeRole',
        'sts:AssumeRoleWithSAML',
        'sts:AssumeRoleWithWebIdentity',
    }
    # Remaining sts actions so that sts:* is fully covered.
    sts_other_actions = {
        'sts:DecodeAuthorizationMessage',
        'sts:GetCallerIdentity',
        'sts:GetFederationToken',
    }

    assert policy.allowed_actions == (
        s3_get_actions | sts_assume_actions | sts_other_actions
    )
    assert policy.denied_actions_explicit == sts_assume_actions
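def test_implicit_deny_allow_mix(action_expander):
    """An SCP that allows only read-style actions implicitly denies the rest.

    The user policy asks for all of sqs and all of elastictranscoder.  The
    SCP allows only ``sqs:Get*``/``sqs:List*`` and
    ``elastictranscoder:Read*``/``elastictranscoder:List*``; every other
    action of those two services must appear in ``denied_actions``.

    The original comments and assertion message referred to sts and s3,
    which this test does not use; they are corrected here.  The Sids inside
    the documents (``AllowEfs``, ``AllowS3Read``) are likewise mislabeled
    but are left as written, since they are part of the policy text.
    """
    # The user is asking for all of sqs and all of elastictranscoder.
    user_document = """{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowSts",
                "Effect": "Allow",
                "Resource": "*",
                "Action": ["sqs:*"]
            },
            {
                "Sid": "AllowEfs",
                "Effect": "Allow",
                "Resource": "*",
                "Action": ["elastictranscoder:*"]
            }
        ]
    }"""
    user_policy = Policy(user_document, action_expander)

    # The SCP allows only "read only" style actions on sqs and
    # elastictranscoder; everything else in those services is implicitly
    # denied.
    scp_document = """{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowS3Read",
                "Effect": "Allow",
                "Resource": "*",
                "Action": ["sqs:Get*", "sqs:List*"]
            },
            {
                "Sid": "AllowElasticTranscoderRead",
                "Effect": "Allow",
                "Resource": "*",
                "Action": ["elastictranscoder:Read*", "elastictranscoder:List*"]
            }
        ]
    }"""
    scp = ServiceControlPolicy(scp_document, action_expander)

    result = scp.effect_on(user_policy)

    # sqs actions that are neither Get* nor List*.
    denied_sqs = {
        'sqs:SetQueueAttributes',
        'sqs:PurgeQueue',
        'sqs:DeleteMessageBatch',
        'sqs:ReceiveMessage',
        'sqs:RemovePermission',
        'sqs:ChangeMessageVisibilityBatch',
        'sqs:SendMessageBatch',
        'sqs:CreateQueue',
        'sqs:TagQueue',
        'sqs:AddPermission',
        'sqs:UntagQueue',
        'sqs:SendMessage',
        'sqs:DeleteMessage',
        'sqs:ChangeMessageVisibility',
        'sqs:DeleteQueue',
    }
    # elastictranscoder actions that are neither Read* nor List*.
    denied_elastictranscoder = {
        'elastictranscoder:TestRole',
        'elastictranscoder:CreatePipeline',
        'elastictranscoder:DeletePipeline',
        'elastictranscoder:UpdatePipelineNotifications',
        'elastictranscoder:DeletePreset',
        'elastictranscoder:CancelJob',
        'elastictranscoder:CreateJob',
        'elastictranscoder:UpdatePipelineStatus',
        'elastictranscoder:CreatePreset',
        'elastictranscoder:UpdatePipeline',
    }
    assert result.denied_actions == denied_sqs | denied_elastictranscoder, (
        'We expect all non-read sqs and elastictranscoder actions to be '
        'implicitly denied'
    )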