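def resolve(self):
    """Build and cache the ``Action`` edges described by this statement.

    Lazily runs the ``_resolve_*_statement`` helpers for whichever of the
    explicit action / resource / principal sets are still ``None``, then
    emits one ``Action`` for every (action, affected resource, principal)
    triple.  The result is memoised in ``self._Actions``, so repeated calls
    return the same ``Elements`` instance.

    Returns:
        Elements: the cached collection of ``Action`` objects.
    """
    if self._Actions is not None:
        return self._Actions

    if self._explicit_actions is None:
        self._resolve_action_statement()
    if self._explicit_resources is None:
        self._resolve_resource_statement()
    if self._explicit_principals is None:
        self._resolve_principal_statement()

    actions = Elements()
    for action in self.actions():
        spec = ACTIONS[action]

        # Collect the explicitly-listed resources of every type this action
        # is recorded as affecting.
        resources = Elements()
        for affected in spec["Affects"]:
            resources.update(Elements(self._explicit_resources.get(affected)))

        for resource in resources:
            # Resource-level permission conditions are a list of variants; the
            # statement's own conditions are merged into each variant, with
            # statement keys winning on collision.
            variants = [
                {**variant, **self._explicit_conditions}
                for variant in self._explicit_resource_conditions[resource.id()]
            ]
            # An empty first variant means the edge is unconditional.  An
            # empty variant list is serialised the same way instead of
            # raising IndexError on ``variants[0]``.
            condition = json.dumps(variants) if variants and variants[0] else "[]"

            for principal in self._explicit_principals:
                actions.add(
                    Action(
                        properties={
                            "Name": action,
                            "Description": spec["Description"],
                            "Effect": self._statement["Effect"],
                            "Access": spec["Access"],
                            "Reference": spec["Reference"],
                            "Condition": condition,
                        },
                        source=principal,
                        target=resource,
                    )
                )

    # Unset resource level permission conditions now that they have been
    # folded into the emitted edges.
    # NOTE(review): conditions are read from _explicit_resource_conditions but
    # cleared via resource.condition — confirm the two are the same store.
    for resource in self._explicit_resources:
        resource.condition = []

    self._Actions = actions
    return self._Actions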
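def actions(self):
    """Build and cache the ``Action`` edges for this statement.

    For each action name returned by ``_get_actions()`` the affected
    resources are looked up by type (or via the ``"CatchAll"`` bucket when
    the action affects no specific type), resource-level condition variants
    are merged with the statement's ``Condition`` block, and one ``Action``
    is emitted per (action, resource, principal) triple.  The result is
    memoised in ``self._actions``.

    Returns:
        Elements: the cached collection of ``Action`` objects.
    """
    if self._actions is not None:
        return self._actions

    # NOTE(review): principals() is invoked as in the original; self._principals
    # is read below and is presumably populated by that call — confirm.
    self.principals()
    actions = Elements()
    resources = self.resources()
    conditions = self.conditions()

    # The statement's own conditions do not vary per resource, so they are
    # copied once rather than inside the innermost loop.
    statement_conditions = dict(self.__statement.get("Condition", {}))

    for action in self._get_actions():
        spec = ACTIONS[action]
        affects = spec["Affects"]
        action_resources = Elements()

        # Actions that do not affect specific resource types.
        if affects == {}:
            action_resources.update(Elements(self.__resources.get("CatchAll")))

        for affected_type in affects.keys():
            # Ignore mutable actions affecting built-in policies: ARN field 4
            # is the account id, and AWS-managed policies carry "aws" there.
            if (affected_type == "AWS::Iam::Policy"
                    and spec["Access"] in ["Permissions Management", "Write"]):
                action_resources.update([
                    a for a in resources.get(affected_type)
                    if str(a).split(':')[4] != "aws"
                ])
            else:
                action_resources.update(resources.get(affected_type))

        for resource in action_resources:
            # Action conditions comprise the resource-level condition variants
            # AND the statement conditions (statement keys win on collision).
            key = str(resource)
            variants = list(conditions[key]) if key in conditions else [{}]
            merged = [{**variant, **statement_conditions} for variant in variants]
            # The edge is unconditional when the first merged variant is empty;
            # an empty variant list is serialised the same way instead of
            # raising IndexError.
            condition = json.dumps(merged) if merged and merged[0] else "[]"

            # Incorporate supplementary items from ACTIONS.py for the first of
            # the resource's labels that this action affects.
            supplementary = next(
                (affects[label] for label in resource.labels() if label in affects),
                {},
            )

            for principal in self._principals:
                actions.add(
                    Action(
                        properties={
                            "Name": action,
                            "Description": spec["Description"],
                            "Effect": self.__statement["Effect"],
                            "Access": spec["Access"],
                            "Reference": spec["Reference"],
                            "Condition": condition,
                            # Merged last, so ACTIONS.py entries override the
                            # computed fields above (including "Condition")
                            # on key collision — presumably intentional; verify.
                            **supplementary,
                        },
                        source=principal,
                        target=resource,
                    )
                )

    # Unset resource level permission conditions now that they have been
    # folded into the emitted edges.
    for resource in self._resources:
        resource.condition = []

    self._actions = actions
    return self._actions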
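def resolve(self):
    """Build and cache the ``Action`` edges described by this statement.

    Lazily runs the ``_resolve_*_statement`` helpers for whichever of the
    explicit action / resource / principal sets are still ``None``.  For
    each action the affected resources are gathered by type (or from the
    ``"CatchAll"`` bucket when the action affects no specific type),
    resource-level condition variants are merged with the statement's
    conditions, and one ``Action`` is emitted per
    (action, resource, principal) triple.  The result is memoised in
    ``self._Actions``.

    Returns:
        Elements: the cached collection of ``Action`` objects.
    """
    if self._Actions is not None:
        return self._Actions

    if self._explicit_actions is None:
        self._resolve_action_statement()
    if self._explicit_resources is None:
        self._resolve_resource_statement()
    if self._explicit_principals is None:
        self._resolve_principal_statement()

    actions = Elements()
    for action in self.actions():
        spec = ACTIONS[action]
        affects = spec["Affects"]
        resources = Elements()

        # Actions that do not affect specific resource types.
        if affects == {}:
            resources.update(Elements(self._explicit_resources.get("CatchAll")))

        for affected_type in affects.keys():
            affected = self._explicit_resources.get(affected_type)
            # Ignore mutable actions affecting built-in policies: ARN field 4
            # is the account id, and AWS-managed policies carry "aws" there.
            if (affected_type == "AWS::Iam::Policy"
                    and spec["Access"] in ["Permissions Management", "Write"]):
                affected = [a for a in affected if str(a).split(':')[4] != "aws"]
            resources.update(Elements(affected))

        for resource in resources:
            # Resource-level permission conditions are a list of variants; the
            # statement's conditions are merged into each variant, with
            # statement keys winning on collision.
            variants = [
                {**variant, **self._explicit_conditions}
                for variant in self._explicit_resource_conditions[resource.id()]
            ]
            # An empty first variant means the edge is unconditional.  An
            # empty variant list is serialised the same way instead of
            # raising IndexError on ``variants[0]``.
            condition = json.dumps(variants) if variants and variants[0] else "[]"

            # Supplementary items from ACTIONS.py for the first of the
            # resource's labels that this action affects.
            supplementary = next(
                (affects[label] for label in resource.labels() if label in affects),
                {},
            )

            for principal in self._explicit_principals:
                actions.add(
                    Action(
                        properties={
                            "Name": action,
                            "Description": spec["Description"],
                            "Effect": self._statement["Effect"],
                            "Access": spec["Access"],
                            "Reference": spec["Reference"],
                            "Condition": condition,
                            # Merged last, so ACTIONS.py entries override the
                            # computed fields above (including "Condition")
                            # on key collision — presumably intentional; verify.
                            **supplementary,
                        },
                        source=principal,
                        target=resource,
                    )
                )

    # Unset resource level permission conditions now that they have been
    # folded into the emitted edges.
    # NOTE(review): conditions are read from _explicit_resource_conditions but
    # cleared via resource.condition — confirm the two are the same store.
    for resource in self._explicit_resources:
        resource.condition = []

    self._Actions = actions
    return self._Actions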