def test_deny_statement():
    """An explicit Deny on the requested action wins over a wildcard Allow.

    The expected tuple is (False, True): from the fixtures the first element
    looks like "permission granted" and the second like "explicitly denied"
    (inferred — confirm against permission_relationships).
    """
    allow_everything = {
        "action": ["*"],
        "resource": ["*"],
        "effect": "Allow",
    }
    deny_get_object = {
        "action": ["S3:GetObject"],
        "resource": ["*"],
        "effect": "Deny",
    }
    policy = [allow_everything, deny_get_object]

    outcome = permission_relationships.evaluate_policy_for_permission(
        policy,
        ["S3:GetObject"],
        "arn:aws:s3:::testbucket",
    )
    # Deny must short-circuit the broad Allow, never be masked by it.
    assert outcome == (False, True)
def test_multiple_comma():
    """Single-character `?` wildcards match in both the action and the resource.

    `s3:?et*` is expected to match `S3:GetObject` (note the case difference,
    so action matching appears to be case-insensitive — confirm in the
    implementation) and `arn:aws:s3:::????bucket` to match the test bucket.
    """
    policy = [
        {
            "action": ["s3:?et*"],
            "resource": ["arn:aws:s3:::????bucket"],
            "effect": "Allow",
        },
    ]
    expected = (True, False)

    outcome = permission_relationships.evaluate_policy_for_permission(
        policy,
        ["S3:GetObject"],
        "arn:aws:s3:::testbucket",
    )
    assert outcome == expected
def test_resource_substring():
    """A resource ARN that is merely a prefix of the target must not match.

    `arn:aws:s3:::test` is a substring of `arn:aws:s3:::testbucket`; without a
    trailing wildcard it grants nothing, so the result is (False, False). The
    action pattern uses a dot (`s3.*`) rather than a colon, so it does not
    match `S3:GetObject` either.
    """
    prefix_only_statement = {
        "action": ["s3.*"],
        "resource": ["arn:aws:s3:::test"],
        "effect": "Allow",
    }

    outcome = permission_relationships.evaluate_policy_for_permission(
        [prefix_only_statement],
        ["S3:GetObject"],
        "arn:aws:s3:::testbucket",
    )
    # Substring/prefix matching on resources would over-grant; expect no match.
    assert outcome == (False, False)
def test_notaction_malformed():
    """A NotAction pattern with a literal dot does not exclude `S3:GetObject`.

    The statement allows everything except actions matching `s3.*`. Because
    the dot is not a colon, `S3:GetObject` is not excluded and the outcome is
    (True, False). This presumably guards against the dot being interpreted
    as a regex metacharacter — confirm against the implementation.
    """
    not_action_statement = {
        "notaction": ["s3.*"],
        "resource": ["*"],
        "effect": "Allow",
    }
    policy = [not_action_statement]

    outcome = permission_relationships.evaluate_policy_for_permission(
        policy,
        ["S3:GetObject"],
        "arn:aws:s3:::testbucket",
    )
    assert outcome == (True, False)
def test_admin_statements():
    """A fully wildcarded Allow (`*` on `*`) grants the requested permission."""
    admin_statement = {
        "action": ["*"],
        "resource": ["*"],
        "effect": "Allow",
    }
    expected = (True, False)

    outcome = permission_relationships.evaluate_policy_for_permission(
        [admin_statement],
        ["S3:GetObject"],
        "arn:aws:s3:::testbucket",
    )
    assert outcome == expected
def test_single_permission_resource_non_match():
    """A matching action on a different resource grants nothing.

    `s3:Get*` covers `S3:GetObject`, but the statement's resource is
    `arn:aws:s3:::nottest`, not the test bucket, so the result is
    (False, False).
    """
    other_bucket_statement = {
        "action": ["s3:Get*"],
        "resource": ["arn:aws:s3:::nottest"],
        "effect": "Allow",
    }
    policy = [other_bucket_statement]

    outcome = permission_relationships.evaluate_policy_for_permission(
        policy,
        ["S3:GetObject"],
        "arn:aws:s3:::testbucket",
    )
    # Action match alone is not enough; the resource must match too.
    assert outcome == (False, False)
def test_multiple_non_matching_permission():
    """None of several requested permissions is granted by an unrelated Allow.

    The statement allows only `S3:GetObject`; asking for `S3:PutObject` and
    `S3:ListBuckets` yields (False, False).
    """
    get_object_only = {
        "action": ["S3:GetObject"],
        "resource": ["*"],
        "effect": "Allow",
    }
    requested = ["S3:PutObject", "S3:ListBuckets"]

    outcome = permission_relationships.evaluate_policy_for_permission(
        [get_object_only],
        requested,
        "arn:aws:s3:::testbucket",
    )
    assert outcome == (False, False)