def test_get_actions_that_support_wildcard_arns_only(self): """querying.actions.get_actions_that_support_wildcard_arns_only""" # Variant 1: Secrets manager expected_results = [ "secretsmanager:GetRandomPassword", "secretsmanager:ListSecrets", ] results = get_actions_that_support_wildcard_arns_only("secretsmanager") self.maxDiff = None for result in results: self.assertTrue(result in expected_results) # Variant 2: ECR results = get_actions_that_support_wildcard_arns_only("ecr") expected_results = [ "ecr:DeleteRegistryPolicy", "ecr:DescribeRegistry", "ecr:GetAuthorizationToken", "ecr:GetRegistryPolicy", "ecr:PutRegistryPolicy", "ecr:PutReplicationConfiguration" ] # print(json.dumps(results, indent=4)) for result in results: self.assertTrue(result in expected_results) # Variant 3: All actions output = get_actions_that_support_wildcard_arns_only("all") # print(len(output)) self.assertTrue(len(output) > 3000)
def test_get_actions_that_support_wildcard_arns_only(self): """querying.actions.get_actions_that_support_wildcard_arns_only""" desired_output = [ "secretsmanager:GetRandomPassword", "secretsmanager:ListSecrets", ] output = get_actions_that_support_wildcard_arns_only("secretsmanager") self.maxDiff = None self.assertListEqual(desired_output, output) output = get_actions_that_support_wildcard_arns_only("ecr") self.assertEqual(output, ["ecr:GetAuthorizationToken"]) # print(json.dumps(output, indent=4)) output = get_actions_that_support_wildcard_arns_only("all")
def remove_actions_that_are_not_wildcard_arn_only(db_session, actions_list): """ Given a list of actions, remove the ones that CAN be restricted to ARNs, leaving only the ones that cannot. :param db_session: SQL Alchemy database session object :param actions_list: A list of actions :return: An updated list of actions :rtype: list """ # remove duplicates, if there are any actions_list = list(dict.fromkeys(actions_list)) actions_list_placeholder = [] for action in actions_list: try: service_name, action_name = action.split(":") except ValueError as v_e: # We will skip the action because this likely means that the wildcard action provided is not valid. logger.debug(v_e) logger.debug( "The value provided in wildcard-only section is not formatted properly." ) continue rows = get_actions_that_support_wildcard_arns_only( db_session, service_name) for row in rows: if row.lower() == action.lower(): actions_list_placeholder.append( f"{service_name}:{action_name}") return actions_list_placeholder
def action_table(name, service, access_level, condition, wildcard_only): """Query the Action Table from the Policy Sentry database""" db_session = connect_db(DATABASE_FILE_PATH) # Actions on all services if service == "all": all_services = get_all_service_prefixes(db_session) if access_level: level = transform_access_level_text(access_level) print(f"{access_level} actions across ALL services:\n") results = [] for serv in all_services: output = get_actions_with_access_level(db_session, serv, level) results.extend(output) for result in results: print(result) # Get a list of all services in the database else: print("All services in the database:\n") for item in all_services: print(item) elif name is None and access_level: print( f"All IAM actions under the {service} service that have the access level {access_level}:" ) level = transform_access_level_text(access_level) output = get_actions_with_access_level(db_session, service, level) print(json.dumps(output, indent=4)) # Get a list of all IAM actions under the service that support the # specified condition key. elif condition: print( f"IAM actions under {service} service that support the {condition} condition only:" ) output = get_actions_matching_condition_key(db_session, service, condition) print(json.dumps(output, indent=4)) # Get a list of IAM Actions under the service that only support resources = "*" # (i.e., you cannot restrict it according to ARN) elif wildcard_only: print( f"IAM actions under {service} service that support wildcard resource values only:" ) output = get_actions_that_support_wildcard_arns_only( db_session, service) print(json.dumps(output, indent=4)) elif name and access_level is None: output = get_action_data(db_session, service, name) print(json.dumps(output, indent=4)) else: print(f"All IAM actions available to {service}:") # Get a list of all IAM Actions available to the service action_list = get_actions_for_service(db_session, service) print(f"ALL {service} actions:") for item in action_list: print(item)
def test_get_actions_that_support_wildcard_arns_only(self): """test_get_actions_that_support_wildcard_arns_only: Tests function that shows all actions that support * resources only.""" desired_output = [ "secretsmanager:createsecret", "secretsmanager:getrandompassword", "secretsmanager:listsecrets" ] output = get_actions_that_support_wildcard_arns_only( db_session, "secretsmanager") self.maxDiff = None print(output) self.assertListEqual(desired_output, output)
def test_get_actions_that_support_wildcard_arns_only(self): """querying.actions.get_actions_that_support_wildcard_arns_only""" desired_output = [ "secretsmanager:CreateSecret", "secretsmanager:GetRandomPassword", "secretsmanager:ListSecrets", ] output = get_actions_that_support_wildcard_arns_only( db_session, "secretsmanager") self.maxDiff = None print(output) self.assertListEqual(desired_output, output)
#!/usr/bin/env python from policy_sentry.shared.database import connect_db from policy_sentry.querying.actions import get_actions_that_support_wildcard_arns_only import json if __name__ == '__main__': db_session = connect_db('bundled') output = get_actions_that_support_wildcard_arns_only( db_session, "secretsmanager") print(json.dumps(output, indent=4)) """ Output: [ "secretsmanager:createsecret", "secretsmanager:getrandompassword", "secretsmanager:listsecrets" ] """
def query_action_table(name, service, access_level, condition, wildcard_only, fmt="json"): """Query the Action Table from the Policy Sentry database. Use this one when leveraging Policy Sentry as a library.""" # Actions on all services if service == "all": all_services = get_all_service_prefixes() if access_level: level = transform_access_level_text(access_level) print(f"{access_level} actions across ALL services:\n") output = [] for serv in all_services: result = get_actions_with_access_level(serv, level) output.extend(result) print(yaml.dump(output)) if fmt == "yaml" else [ print(result) for result in output ] # Get a list of all services in the database else: print("All services in the database:\n") output = all_services print(yaml.dump(output)) if fmt == "yaml" else [ print(item) for item in output ] elif name is None and access_level and not wildcard_only: print( f"All IAM actions under the {service} service that have the access level {access_level}:" ) level = transform_access_level_text(access_level) output = get_actions_with_access_level(service, level) print(yaml.dump(output)) if fmt == "yaml" else [ print(json.dumps(output, indent=4)) ] elif name is None and access_level and wildcard_only: print( f"{service} {access_level.upper()} actions that must use wildcards in the resources block:" ) access_level = transform_access_level_text(access_level) output = get_actions_at_access_level_that_support_wildcard_arns_only( service, access_level) print(yaml.dump(output)) if fmt == "yaml" else [ print(json.dumps(output, indent=4)) ] # Get a list of all IAM actions under the service that support the specified condition key. elif condition: print( f"IAM actions under {service} service that support the {condition} condition only:" ) output = get_actions_matching_condition_key(service, condition) print(yaml.dump(output)) if fmt == "yaml" else [ print(json.dumps(output, indent=4)) ] # Get a list of IAM Actions under the service that only support resources = "*" # (i.e., you cannot restrict it according to ARN) elif wildcard_only: print( f"IAM actions under {service} service that support wildcard resource values only:" ) output = get_actions_that_support_wildcard_arns_only(service) print(yaml.dump(output)) if fmt == "yaml" else [ print(json.dumps(output, indent=4)) ] elif name and access_level is None: output = get_action_data(service, name) print(yaml.dump(output)) if fmt == "yaml" else [ print(json.dumps(output, indent=4)) ] else: # Get a list of all IAM Actions available to the service output = get_actions_for_service(service) print(f"ALL {service} actions:") print(yaml.dump(output)) if fmt == "yaml" else [ print(item) for item in output ] return output
def query_action_table(name, service, access_level, condition, resource_type, fmt="json"): """Query the Action Table from the Policy Sentry database. Use this one when leveraging Policy Sentry as a library.""" if os.path.exists(LOCAL_DATASTORE_FILE_PATH): logger.info( f"Using the Local IAM definition: {LOCAL_DATASTORE_FILE_PATH}. To leverage the bundled definition instead, remove the folder $HOME/.policy_sentry/" ) else: # Otherwise, leverage the datastore inside the python package logger.debug("Leveraging the bundled IAM Definition.") # Actions on all services if service == "all": all_services = get_all_service_prefixes() if access_level: level = transform_access_level_text(access_level) print(f"{access_level} actions across ALL services:\n") output = [] for serv in all_services: result = get_actions_with_access_level(serv, level) output.extend(result) print_list(output=output, fmt=fmt) # Get a list of all services in the database elif resource_type == "*": print("ALL actions that do not support resource ARN constraints") output = get_actions_that_support_wildcard_arns_only(service) print_dict(output=output, fmt=fmt) else: print("All services in the database:\n") output = all_services print_list(output=output, fmt=fmt) elif name is None and access_level and not resource_type: print( f"All IAM actions under the {service} service that have the access level {access_level}:" ) level = transform_access_level_text(access_level) output = get_actions_with_access_level(service, level) print_dict(output=output, fmt=fmt) elif name is None and access_level and resource_type: print( f"{service} {access_level.upper()} actions that have the resource type {resource_type.upper()}:" ) access_level = transform_access_level_text(access_level) output = get_actions_with_arn_type_and_access_level( service, resource_type, access_level) print_dict(output=output, fmt=fmt) # Get a list of all IAM actions under the service that support the specified condition key. elif condition: print( f"IAM actions under {service} service that support the {condition} condition only:" ) output = get_actions_matching_condition_key(service, condition) print_dict(output=output, fmt=fmt) # Get a list of IAM Actions under the service that only support resources = "*" # (i.e., you cannot restrict it according to ARN) elif resource_type: print( f"IAM actions under {service} service that have the resource type {resource_type}:" ) output = get_actions_matching_arn_type(service, resource_type) print_dict(output=output, fmt=fmt) elif name and access_level is None: output = get_action_data(service, name) print_dict(output=output, fmt=fmt) else: # Get a list of all IAM Actions available to the service output = get_actions_for_service(service) print(f"ALL {service} actions:") print_list(output=output, fmt=fmt) return output