def test_remove_actions_not_matching_access_level(self): """querying.actions.remove_actions_not_matching_access_level""" actions_list = [ "ecr:batchgetimage", # read "ecr:createrepository", # write "ecr:describerepositories", # list "ecr:tagresource", # tagging "ecr:setrepositorypolicy", # permissions management ] # print("Read ") self.maxDiff = None # Read read_result = remove_actions_not_matching_access_level( db_session, actions_list, "read") self.assertListEqual(read_result, ["ecr:BatchGetImage"]) # Write write_result = remove_actions_not_matching_access_level( db_session, actions_list, "write") self.assertListEqual(write_result, ["ecr:CreateRepository"]) # List list_result = remove_actions_not_matching_access_level( db_session, actions_list, "list") self.assertListEqual(list_result, ["ecr:DescribeRepositories"]) # Tagging tagging_result = remove_actions_not_matching_access_level( db_session, actions_list, "tagging") self.assertListEqual(tagging_result, ["ecr:TagResource"]) # Permissions management permissions_result = remove_actions_not_matching_access_level( db_session, actions_list, "permissions-management") self.assertListEqual(permissions_result, ["ecr:SetRepositoryPolicy"])
def remove_read_level_actions(actions_list): """Given a set of actions, return that list of actions, but only with actions at the 'Write', 'Tagging', or 'Permissions management' levels""" write_actions = remove_actions_not_matching_access_level(actions_list, "Write") permissions_management_actions = remove_actions_not_matching_access_level( actions_list, "Permissions management" ) tagging_actions = remove_actions_not_matching_access_level(actions_list, "Tagging") modify_actions = tagging_actions + write_actions + permissions_management_actions return modify_actions
def remove_read_level_actions(actions_list: List[str]) -> List[str]: """Given a set of actions, return that list of actions, but only with actions at the 'Write', 'Tagging', or 'Permissions management' levels""" modify_actions: List[str] = remove_actions_not_matching_access_level( actions_list, "Write") modify_actions.extend( remove_actions_not_matching_access_level(actions_list, "Permissions management")) modify_actions.extend( remove_actions_not_matching_access_level(actions_list, "Tagging")) return modify_actions
def test_remove_actions_not_matching_access_level(self): # TODO: This method normalized the access level unnecessarily. Make sure to change that in the final iteration """querying.actions.remove_actions_not_matching_access_level""" actions_list = [ "ecr:batchgetimage", # read "ecr:createrepository", # write "ecr:describerepositories", # list "ecr:tagresource", # tagging "ecr:setrepositorypolicy", # permissions management ] self.maxDiff = None # Read result = remove_actions_not_matching_access_level( actions_list, "Read" ) self.assertListEqual(result, ["ecr:BatchGetImage"]) # Write result = remove_actions_not_matching_access_level( actions_list, "Write" ) self.assertListEqual(result, ["ecr:CreateRepository"]) # List result = remove_actions_not_matching_access_level( actions_list, "List" ) self.assertListEqual(result, ["ecr:DescribeRepositories"]) # Tagging result = remove_actions_not_matching_access_level( actions_list, "Tagging" ) self.assertListEqual(result, ["ecr:TagResource"]) # Permissions management result = remove_actions_not_matching_access_level( actions_list, "Permissions management" ) self.assertListEqual(result, ["ecr:SetRepositoryPolicy"]) bad_actions_list = [ "codecommit:CreatePullRequest", "codecommit:CreatePullRequestApprovalRule", "codecommit:CreateRepository", "codecommit:CreateUnreferencedMergeCommit", "codecommit:DeleteBranch", "codecommit:DeleteFile", ]
def tagging_actions_without_constraints(self) -> List[str]: """Where applicable, returns a list of 'Tagging' level IAM actions in the statement that do not have resource constraints""" result = [] if not self.has_resource_constraints: result = remove_actions_not_matching_access_level( self.restrictable_actions, "Tagging") return result
def write_actions_without_constraints(self): """Where applicable, returns a list of 'Write' level IAM actions in the statement that do not have resource constraints""" result = [] if not self.has_resource_constraints: result = remove_actions_not_matching_access_level( self.expanded_actions, "Write") return result
def permissions_management_actions_without_constraints(self): """Where applicable, returns a list of 'Permissions management' IAM actions in the statement that do not have resource constraints""" result = [] if not self.has_resource_constraints: result = remove_actions_not_matching_access_level( self.expanded_actions, "Permissions management") return result
def write_actions_without_constraints(self) -> List[str]: """Where applicable, returns a list of 'Write' level IAM actions in the statement that do not have resource constraints""" result = [] if (not self.has_resource_constraints # Fix Issue #254 - Allow flagging risky actions even when there are resource constraints or self.flag_resource_arn_statements): result = remove_actions_not_matching_access_level( self.restrictable_actions, "Write") result.sort() return result
def analyze_statement_by_access_level(statement_json, access_level): """ Determine if a statement has any actions with a given access level. :param statement_json: a dictionary representing a statement from an AWS JSON policy :param access_level: The access level - either 'Read', 'List', 'Write', 'Tagging', or 'Permissions management' """ requested_actions = get_actions_from_statement(statement_json) expanded_actions = determine_actions_to_expand(requested_actions) actions_by_level = remove_actions_not_matching_access_level( expanded_actions, access_level ) return actions_by_level
def analyze_by_access_level(db_session, policy_json, access_level): """ Determine if a policy has any actions with a given access level. This is particularly useful when determining who has 'Permissions management' level access :param db_session: SQLAlchemy database session :param policy_json: a dictionary representing the AWS JSON policy :param access_level: The normalized access level - either 'read', 'list', 'write', 'tagging', or 'permissions-management' """ requested_actions = get_actions_from_policy(policy_json) expanded_actions = determine_actions_to_expand(db_session, requested_actions) actions_by_level = remove_actions_not_matching_access_level( db_session, expanded_actions, access_level) return actions_by_level
def analyze_statement_by_access_level(db_session, statement_json, access_level): """ Determine if a statement has any actions with a given access level. :param db_session: SQLAlchemy database session :param statement_json: a dictionary representing a statement from an AWS JSON policy :param access_level: The normalized access level - either 'read', 'list', 'write', 'tagging', or 'permissions-management' """ requested_actions = get_actions_from_statement(statement_json) expanded_actions = determine_actions_to_expand(db_session, requested_actions) actions_by_level = remove_actions_not_matching_access_level( db_session, expanded_actions, access_level) return actions_by_level
def test_remove_actions_not_matching_access_level(self): """test_remove_actions_not_matching_access_level: Verify remove_actions_not_matching_access_level is working as expected""" actions_list = [ "ecr:BatchGetImage", # Read "ecr:CreateRepository", # Write "ecr:DescribeRepositories", # List "ecr:TagResource", # Tagging "ecr:SetRepositoryPolicy", # Permissions management ] print("Read") self.maxDiff = None # Read self.assertListEqual( remove_actions_not_matching_access_level(db_session, actions_list, "read"), ["ecr:batchgetimage"]) # Write self.assertListEqual( remove_actions_not_matching_access_level(db_session, actions_list, "write"), ["ecr:createrepository"]) # List self.assertListEqual( remove_actions_not_matching_access_level(db_session, actions_list, "list"), ["ecr:describerepositories"]) # Tagging self.assertListEqual( remove_actions_not_matching_access_level(db_session, actions_list, "tagging"), ["ecr:tagresource"]) # Permissions management self.assertListEqual( remove_actions_not_matching_access_level(db_session, actions_list, "permissions-management"), ["ecr:setrepositorypolicy"])
def analyze_by_access_level(policy_json, access_level): """ Determine if a policy has any actions with a given access level. This is particularly useful when determining who has 'Permissions management' level access Arguments: policy_json: a dictionary representing the AWS JSON policy access_level: The normalized access level - either 'read', 'list', 'write', 'tagging', or 'permissions-management' Return: List: A list of actions """ expanded_policy = get_expanded_policy(policy_json) requested_actions = get_actions_from_policy(expanded_policy) # expanded_actions = determine_actions_to_expand(requested_actions) actions_by_level = remove_actions_not_matching_access_level( requested_actions, access_level) return actions_by_level