def get_actions_matching_condition_key(db_session, service, condition_key): """ Get a list of actions under a service that allow the use of a specified condition key :param db_session: SQLAlchemy database session :param service: A single AWS service prefix :param condition_key: The condition key to look for. :return: A list of actions """ actions_list = [] looking_for = "%{0}%".format(condition_key) if service: rows = db_session.query(ActionTable).filter( and_( ActionTable.service.ilike(service), ActionTable.condition_keys.ilike(looking_for), ) ) for row in rows: action = get_full_action_name(row.service, row.name) actions_list.append(action) else: rows = db_session.query(ActionTable).filter( and_(ActionTable.condition_keys.ilike(looking_for)) ) for row in rows: action = get_full_action_name(row.service, row.name) actions_list.append(action) return actions_list
def get_actions_with_access_level(db_session, service, access_level): """ Get a list of actions in a service under different access levels. :param db_session: SQLAlchemy database session object :param service: A single AWS service prefix, like `s3` or `kms` :param access_level: An access level as it is written in the database, such as 'Read', 'Write', 'List', 'Permisssions management', or 'Tagging' :return: A list of actions """ actions_list = [] all_services = get_all_service_prefixes(db_session) if service == "all": for serv in all_services: output = get_actions_with_access_level(db_session, serv, access_level) actions_list.extend(output) rows = db_session.query(ActionTable).filter( and_( ActionTable.service.like(service), ActionTable.access_level.ilike(access_level), ) ) # Create a list of actions under each service. Use this list to pass in to the remove_actions_not_matching_access_level function # which will give you the list of actions you want. for row in rows: action = get_full_action_name(row.service, row.name) if action not in actions_list: actions_list.append(action) return actions_list
def get_actions_at_access_level_that_support_wildcard_arns_only( db_session, service, access_level ): """ Get a list of actions at an access level that do not support restricting the action to resource ARNs. :param db_session: SQLAlchemy database session object :param service: A single AWS service prefix, like `s3` or `kms` :param access_level: An access level as it is written in the database, such as 'Read', 'Write', 'List', 'Permisssions management', or 'Tagging' :return: A list of actions """ actions_list = [] rows = db_session.query(ActionTable.service, ActionTable.name).filter( and_( ActionTable.service.ilike(service), ActionTable.resource_arn_format.like("*"), ActionTable.access_level.ilike(access_level), ActionTable.name.notin_( db_session.query(ActionTable.name).filter( ActionTable.resource_arn_format.notlike("*") ) ), ) ) for row in rows: actions_list.append(get_full_action_name(row.service, row.name)) return actions_list
def get_actions_matching_condition_crud_and_arn(db_session, condition_key, access_level, raw_arn): """ Get a list of IAM Actions matching a condition key, CRUD level, and raw ARN format. :param db_session: SQL Alchemy database session :param condition_key: A condition key, like aws:TagKeys :param access_level: Access level that matches the database value. "Read", "Write", "List", "Tagging", or "Permissions management" :param raw_arn: The raw ARN format in the database, like arn:${Partition}:s3:::${BucketName} :return: List of IAM Actions """ actions_list = [] looking_for = "%{0}%".format(condition_key) if raw_arn == "*": rows = db_session.query(ActionTable).filter( and_( # ActionTable.service.ilike(service), ActionTable.access_level.ilike(access_level), ActionTable.resource_arn_format.is_(raw_arn), ActionTable.condition_keys.ilike(looking_for), )) else: service = get_service_from_arn(raw_arn) rows = db_session.query(ActionTable).filter( and_( ActionTable.service.ilike(service), ActionTable.access_level.ilike(access_level), ActionTable.resource_arn_format.ilike(raw_arn), ActionTable.condition_keys.ilike(looking_for), )) for row in rows: action = get_full_action_name(row.service, row.name) actions_list.append(action) return actions_list
def remove_actions_that_are_not_wildcard_arn_only(db_session, actions_list): """ Given a list of actions, remove the ones that CAN be restricted to ARNs, leaving only the ones that cannot. :param db_session: SQL Alchemy database session object :param actions_list: A list of actions :return: An updated list of actions :rtype: list """ # remove duplicates, if there are any actions_list_unique = list(dict.fromkeys(actions_list)) actions_list_placeholder = [] for action in actions_list_unique: service = get_service_from_action(action) action_name = get_action_name_from_action(action) rows = db_session.query(ActionTable.service, ActionTable.name).filter( and_( ActionTable.service.ilike(service), ActionTable.name.ilike(action_name), ActionTable.resource_arn_format.like("*"), ActionTable.name.notin_( db_session.query(ActionTable.name).filter( ActionTable.resource_arn_format.notlike('*'))))) for row in rows: if row.service == service and row.name == action_name: actions_list_placeholder.append( get_full_action_name(service, action_name)) return actions_list_placeholder
def get_actions_that_support_wildcard_arns_only(db_session, service): """ Get a list of actions that do not support restricting the action to resource ARNs. :param db_session: SQLAlchemy database session object :param service: A single AWS service prefix, like `s3` or `kms` :return: A list of actions """ actions_list = [] rows = db_session.query(ActionTable.service, ActionTable.name).filter( and_( ActionTable.service.ilike(service), ActionTable.resource_arn_format.like("*"), ActionTable.name.notin_( db_session.query(ActionTable.name).filter( ActionTable.resource_arn_format.notlike('*'))))) for row in rows: actions_list.append(get_full_action_name(row.service, row.name)) return actions_list
def get_actions_with_arn_type_and_access_level(db_session, service, resource_type_name, access_level): """ Get a list of actions in a service under different access levels, specific to an ARN format. :param db_session: SQLAlchemy database session object :param service: A single AWS service prefix, like `s3` or `kms` :param resource_type_name: The ARN type name, like `bucket` or `key` :return: A list of actions """ actions_list = [] rows = db_session.query(ActionTable).filter( and_(ActionTable.service.ilike(service), ActionTable.resource_type_name.ilike(resource_type_name), ActionTable.access_level.ilike(access_level))) for row in rows: action = get_full_action_name(row.service, row.name) if action not in actions_list: actions_list.append(action) return actions_list