def CodeCommitLogInGroup(in_user, in_group):
print("----------- Testing User Groups -----------")
user = User(in_user)
group = Group(in_group)
if group.in_group(user):
print("User In Group Test")
else:
print("User Not In Group Test")
print("----------- Finished User Groups -----------")
def last_user_commit(repo, in_branch, in_group):
print("----------- Testing last_user_commit -----------")
event = Log.get_last_confirmed_commit(repo, in_branch)
group = Group(in_group)
if group.in_group(event.identity):
print("User In Group")
else:
print("User Not In Group")
print("----------- Finished last_user_commit -----------")
def handle(self):
print("Running PolicyChecker")
try:
if self.event.get_params() is not {}:
param = self.event.get_params()
if 'group' not in param:
raise Exception("PolicyChecker Needs A Master 'Group'")
policy_group_name = param['group']
policy_group = IAMGroup(policy_group_name)
users = IAMUser.get_all_users()
errors = []
for user in users:
if policy_group.in_group(user=user):
continue
user_policy: List[UserPolicies] = user.policies
for up_policy in user_policy:
for statement in up_policy.statements:
for policy, conditions in statement.actions.items(
):
if policy in [
'*', 'codecommit', 's3', 'lambda',
'codepipeline'
]:
for condition in conditions:
if '*' in condition or 'Put' in condition or 'Delete' in \
condition or 'Update' in condition or 'Disable' in condition:
errors.append({
'user':
user.name,
'policy':
policy,
'statement':
condition
})
if len(errors) > 0:
error_string = "Error, too over permissive users:\n"
for error in errors:
error_string = error_string + "User:{0} Policy:{1} Statement:{2}\n".format(
error['user'], error['policy'], error['statement'])
raise Exception(error_string)
self.accept()
return
else:
raise Exception("Passed in param wasn't valid")
except Exception as err:
print("FAILED TEST")
self.fail(errorMessage=str(err))
raise err
self.fail()
def CodeCommitLog(in_user):
print("----------- Testing User Groups -----------")
user = User(in_user)
group = Group.create("StephenTestingGroup")
if group.in_group(user):
print("User Not In Group Test : Failed")
else:
print("User Not In Group Test : Passed")
group.add_to_group(user)
if group.in_group(user):
print("User In Group Test : Passed")
else:
print("User In Group Test : Failed")
group.delete()
print("----------- Finished User Groups -----------")
def handle(self):
print("Running MultiChecker")
try:
if self.event.get_params() is not {}:
param = self.event.get_params()
if 'group' not in param:
raise Exception('Group Parameter is Missing')
SuperGroup = IAMGroup(param['group'])
parse = Parser()
events = parse.fetch(lookup_attributes=[
LookupAttribute(key="EventSource",
value="codecommit.amazonaws.com"),
LookupAttribute(key="EventSource",
value="s3.amazonaws.com"),
LookupAttribute(key="EventSource",
value="codepipeline.amazonaws.com"),
LookupAttribute(key="EventSource",
value="lambda.amazonaws.com")
],
start_time=datetime.now() +
timedelta(hours=-15))
errors = []
for event in events:
if isinstance(event, Event):
if isinstance(event.identity, IAMRoot):
errors.append({
'message': 'IAM Root Was Active',
'event': event
})
continue
if isinstance(event.identity,
IAMUser) and SuperGroup.in_group(
event.identity):
continue
if isinstance(event, CTCodePipeline):
if isinstance(event.identity, IAMUser) and event.event_name in\
[
"UpdatePipeline",
"DeletePipeline",
"DisableStageTransition",
"DeleteWebhook",
"PutJobFailureResult",
'EnableStageTransition'
]:
errors.append({
'message':
'A Non-authorised User Used {0} on a pipeline'
.format(event.event_name),
'event':
event
})
if isinstance(event, LambdaEvents):
if isinstance(event.identity, IAMUser) and event.event_name in\
[
"DeleteFunction",
"UpdateFunctionCode",
"DeleteWebhook",
"UpdateFunctionConfiguration",
'UpdateEventSourceMapping',
"DeleteEventSourceMapping",
"RemovePermission",
"AddPermission",
"RemoveLayerVersionPermission"
]:
errors.append({
'message':
'A Non-authorised User Used {0} on a Lambda Function'
.format(event.event_name),
'event':
event
})
if isinstance(event, AWSS3Event):
if isinstance(event.identity, IAMUser) and event.event_name in\
[
"DeleteBucket",
"PutObject",
"ReplicateDelete",
"PutEncryptionConfiguration",
'DeleteObject',
"DeleteObjectVersion",
"PutBucketLogging",
"PutBucketObjectLockConfiguration",
"PutBucketVersioning",
"PutBucketPublicAccessBlock",
"ObjectOwnerOverrideToBucketOwner",
"PutBucketPolicy",
"DeleteBucketPolicy"
]:
errors.append({
'message':
'A Non-authorised User Used {0} on a Lambda Function'
.format(event.event_name),
'event':
event
})
if len(errors) > 0:
error_message = "FAILED MultiChecker for the following reasons:\n"
for error in errors:
error_message = error_message + "Time: {0} EventSource : {2} EventName: {3} " \
"Username: {4} Reason: {1}\n".format(error['event'].event_time,
error['message'],
error['event'].event_source,
error['event'].event_name,
error['event'].username)
raise Exception(error_message)
print("PASSED")
self.accept()
return
raise Exception("Passed in param wasn't valid")
except Exception as err:
print("FAILED TEST")
self.fail(errorMessage=str(err))
raise err
self.fail()
# print("Time: {4} EventSource: {0} EventName: {1} EventType: {2} UserName: {3}".format(event.event_source,
# event.event_name,
# event.event_type,
# event.username,
# event.event_time)
# )