def test_write_crud_policy_with_library_only(self):
    """Write an actions-mode policy through the library API alone (no CLI).

    Fills the single ``policy_with_crud_levels`` entry of the bundled CRUD
    template with one ARN per access level plus two wildcard-only actions,
    renders it with ``write_policy_with_access_levels`` and compares the
    result with the module-level ``desired_crud_policy`` fixture.
    """
    db_session = connect_db('bundled')
    crud_template = get_crud_template_dict()
    # Dumped before any mutation so the pristine template shape is visible
    # in the test output.
    print(crud_template)

    # Every field below lives on the first (and only) CRUD-levels entry.
    levels = crud_template['policy_with_crud_levels'][0]
    levels['name'] = "MyPolicy"
    levels['description'] = "Description"
    levels['role_arn'] = "somearn"

    secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret"
    levels['read'].append(secret_arn)
    levels['write'].append(secret_arn)
    levels['list'].append("arn:aws:s3:::example-org-sbx-vmimport/stuff")
    levels['permissions-management'].append(
        "arn:aws:kms:us-east-1:123456789012:key/123456")
    # Wildcard-only actions cannot be scoped to an ARN; the full-dict
    # comparison below is what pins the statement they end up in.
    levels['wildcard'].extend([
        "kms:createcustomkeystore",
        "cloudhsm:describeclusters",
    ])
    levels['tagging'].append(
        "arn:aws:ssm:us-east-1:123456789012:parameter/test")

    policy = write_policy_with_access_levels(db_session, crud_template, None)
    self.assertDictEqual(desired_crud_policy, policy)
def test_write_crud_policy_with_library_only(self):
    """Write a CRUD-mode policy through the library API alone (no CLI).

    Populates one ARN per access level on the flat CRUD template, adds a
    single wildcard-only action, renders through ``SidGroup.process_template``
    and compares the output with the module-level ``desired_crud_policy``.
    """
    db_session = connect_db("bundled")
    crud_template = get_crud_template_dict()
    crud_template["mode"] = "crud"

    secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret"
    for access_level in ("read", "write"):
        crud_template[access_level].append(secret_arn)
    crud_template["list"].append("arn:aws:s3:::example-org-sbx-vmimport/stuff")
    crud_template["permissions-management"].append(
        "arn:aws:kms:us-east-1:123456789012:key/123456"
    )
    # Only the KMS action is wildcard-only in this variant of the test;
    # cloudhsm:describeclusters is intentionally not added.
    crud_template["wildcard"].extend(["kms:CreateCustomKeyStore"])
    crud_template["tagging"].append(
        "arn:aws:ssm:us-east-1:123456789012:parameter/test"
    )

    sid_group = SidGroup()
    policy = sid_group.process_template(db_session, crud_template, minimize=None)

    # Full-policy diffs are long; disable truncation so a mismatch is readable.
    self.maxDiff = None
    self.assertDictEqual(desired_crud_policy, policy)
def test_write_crud_policy_with_library_only(self):
    """Write a CRUD-mode policy through the library API alone (no CLI).

    Exercises every access level of the flat CRUD template plus a
    wildcard-only action and an ``sts:AssumeRole`` target, then checks that
    each statement the renderer emits carries one of the expected Sids.
    """
    another_crud_template = get_crud_template_dict()
    another_crud_template["mode"] = "crud"

    secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret"
    another_crud_template["read"].append(secret_arn)
    another_crud_template["write"].append(secret_arn)
    another_crud_template["list"].append(
        "arn:aws:s3:::example-org-sbx-vmimport/stuff")
    another_crud_template["permissions-management"].append(
        "arn:aws:kms:us-east-1:123456789012:key/123456")
    another_crud_template["tagging"].append(
        "arn:aws:ssm:us-east-1:123456789012:parameter/test")
    # Only the KMS action is wildcard-only here; cloudhsm:describeclusters
    # is intentionally not added.
    another_crud_template["wildcard-only"]["single-actions"].extend(
        ["kms:CreateCustomKeyStore"])
    another_crud_template["sts"]["assume-role"].append(
        "arn:aws:iam::123456789012:role/demo")

    result = SidGroup().process_template(another_crud_template)

    expected_statement_ids = {
        "MultMultNone",
        "SecretsmanagerReadSecret",
        "SecretsmanagerWriteSecret",
        "S3ListObject",
        "SsmTaggingParameter",
        "KmsPermissionsmanagementKey",
        "AssumeRole",
    }
    self.maxDiff = None
    print(json.dumps(result, indent=4))
    # NOTE(review): this only verifies that every emitted Sid is expected; it
    # does not fail if an expected statement (e.g. "AssumeRole") is missing
    # from the output, nor does it inspect the actions inside each statement.
    for statement in result.get("Statement"):
        self.assertIn(statement.get("Sid"), expected_statement_ids)
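def test_gh_211_write_with_empty_access_level_lists(self):
    """Regression test for GH-211: empty access-level lists must not break rendering.

    Only ``read``, ``write`` and the wildcard-only single actions are
    populated; ``list``, ``permissions-management`` and ``tagging`` are left
    empty on purpose, which used to raise ``IndexError``. The rendered policy
    must contain exactly the statements for the populated levels.
    """
    crud_template = get_crud_template_dict()
    secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret"
    crud_template['read'].append(secret_arn)
    crud_template['write'].append(secret_arn)
    # list / permissions-management / tagging deliberately stay empty;
    # GH-211 was an IndexError when one of these lists had no entries.
    crud_template['wildcard-only']['single-actions'].extend([
        "kms:createcustomkeystore",
        "cloudhsm:describeclusters",
    ])

    result = write_policy_with_template(crud_template)

    expected_statement_ids = [
        "MultMultNone",
        "SecretsmanagerReadSecret",
        "SecretsmanagerWriteSecret",
    ]
    # Compare the full multiset of Sids rather than per-statement membership:
    # a silently dropped or duplicated statement would otherwise go unnoticed.
    actual_statement_ids = [
        statement.get("Sid") for statement in result.get("Statement")
    ]
    self.assertCountEqual(expected_statement_ids, actual_statement_ids)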
#!/usr/bin/env python from policy_sentry.writing.template import get_crud_template_dict from policy_sentry.command.write_policy import write_policy_with_template import json if __name__ == '__main__': crud_template = get_crud_template_dict() wildcard_actions_to_add = [ "kms:createcustomkeystore", "cloudhsm:describeclusters" ] crud_template['mode'] = 'crud' crud_template['read'].append( "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret") crud_template['write'].append( "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret") crud_template['list'].append("arn:aws:s3:::example-org-sbx-vmimport/stuff") crud_template['permissions-management'].append( "arn:aws:kms:us-east-1:123456789012:key/123456") crud_template['wildcard'].extend(wildcard_actions_to_add) crud_template['tagging'].append( "arn:aws:ssm:us-east-1:123456789012:parameter/test") # Modify it policy = write_policy_with_template(crud_template) print(json.dumps(policy, indent=4)) """ Output: { "Version": "2012-10-17",
def test_gh_211_write_with_empty_access_level_lists(self):
    """Regression test for GH-211: empty access-level lists must not break rendering.

    Only ``read``, ``write`` and the wildcard-only single actions are
    populated; ``list``, ``permissions-management`` and ``tagging`` stay
    empty (the original failure mode was an ``IndexError``). The rendered
    policy is compared field-for-field with the expected document.
    """
    secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret"

    def _allow(sid, actions, resources):
        # One Allow statement in the shape the renderer emits.
        return {
            "Sid": sid,
            "Effect": "Allow",
            "Action": actions,
            "Resource": resources,
        }

    expected_results = {
        "Version": "2012-10-17",
        "Statement": [
            _allow(
                "MultMultNone",
                ["cloudhsm:DescribeClusters", "kms:CreateCustomKeyStore"],
                ["*"],
            ),
            _allow(
                "SecretsmanagerReadSecret",
                [
                    "secretsmanager:DescribeSecret",
                    "secretsmanager:GetResourcePolicy",
                    "secretsmanager:GetSecretValue",
                    "secretsmanager:ListSecretVersionIds",
                ],
                [secret_arn],
            ),
            _allow(
                "SecretsmanagerWriteSecret",
                [
                    "secretsmanager:CancelRotateSecret",
                    "secretsmanager:CreateSecret",
                    "secretsmanager:DeleteSecret",
                    "secretsmanager:PutSecretValue",
                    "secretsmanager:RestoreSecret",
                    "secretsmanager:RotateSecret",
                    "secretsmanager:UpdateSecret",
                    "secretsmanager:UpdateSecretVersionStage",
                ],
                [secret_arn],
            ),
        ],
    }

    crud_template = get_crud_template_dict()
    crud_template['read'].append(secret_arn)
    crud_template['write'].append(secret_arn)
    # list / permissions-management / tagging deliberately stay empty;
    # GH-211 was an IndexError when one of these lists had no entries.
    crud_template['wildcard-only']['single-actions'].extend([
        "kms:createcustomkeystore",
        "cloudhsm:describeclusters",
    ])

    result = write_policy_with_template(crud_template)
    self.assertDictEqual(result, expected_results)
def test_write_crud_policy_with_library_only(self):
    """Write a CRUD-mode policy through the library API alone (no CLI).

    Populates every access level of the flat CRUD template plus one
    wildcard-only action, renders through ``SidGroup.process_template`` and
    compares the output with the module-level ``desired_crud_policy``.
    """
    another_crud_template = get_crud_template_dict()
    another_crud_template["mode"] = "crud"

    secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret"
    s3_arn = "arn:aws:s3:::example-org-sbx-vmimport/stuff"
    kms_arn = "arn:aws:kms:us-east-1:123456789012:key/123456"
    ssm_arn = "arn:aws:ssm:us-east-1:123456789012:parameter/test"

    another_crud_template["read"].append(secret_arn)
    another_crud_template["write"].append(secret_arn)
    another_crud_template["list"].append(s3_arn)
    another_crud_template["permissions-management"].append(kms_arn)
    another_crud_template["tagging"].append(ssm_arn)
    # Only the KMS action is wildcard-only here; cloudhsm:describeclusters
    # is intentionally not added.
    another_crud_template["wildcard-only"]["single-actions"].extend(
        ["kms:CreateCustomKeyStore"])

    result = SidGroup().process_template(another_crud_template)

    def _allow(sid, actions, resources):
        # One Allow statement in the shape the renderer emits.
        return {
            "Sid": sid,
            "Effect": "Allow",
            "Action": actions,
            "Resource": resources,
        }

    # NOTE(review): `expected_result` is built but never asserted against --
    # the comparison at the bottom uses the module-level `desired_crud_policy`.
    # Its "MultMultNone" statement also lists cloudhsm:DescribeClusters even
    # though only kms:CreateCustomKeyStore is added to the template above;
    # reconcile that before switching the assertion to this local document.
    expected_result = {
        "Version": "2012-10-17",
        "Statement": [
            _allow(
                "MultMultNone",
                ["cloudhsm:DescribeClusters", "kms:CreateCustomKeyStore"],
                ["*"],
            ),
            _allow(
                "SecretsmanagerReadSecret",
                [
                    "secretsmanager:DescribeSecret",
                    "secretsmanager:GetResourcePolicy",
                    "secretsmanager:GetSecretValue",
                    "secretsmanager:ListSecretVersionIds",
                ],
                [secret_arn],
            ),
            _allow(
                "SecretsmanagerWriteSecret",
                [
                    "secretsmanager:CancelRotateSecret",
                    "secretsmanager:CreateSecret",
                    "secretsmanager:DeleteSecret",
                    "secretsmanager:PutSecretValue",
                    "secretsmanager:RestoreSecret",
                    "secretsmanager:RotateSecret",
                    "secretsmanager:UpdateSecret",
                    "secretsmanager:UpdateSecretVersionStage",
                ],
                [secret_arn],
            ),
            _allow(
                "S3ListObject",
                ["s3:ListMultipartUploadParts"],
                [s3_arn],
            ),
            _allow(
                "SsmTaggingParameter",
                ["ssm:AddTagsToResource", "ssm:RemoveTagsFromResource"],
                [ssm_arn],
            ),
            _allow(
                "KmsPermissionsmanagementKey",
                [
                    "kms:CreateGrant",
                    "kms:PutKeyPolicy",
                    "kms:RetireGrant",
                    "kms:RevokeGrant",
                ],
                [kms_arn],
            ),
        ],
    }

    print(json.dumps(result, indent=4))
    # Full-policy diffs are long; disable truncation so a mismatch is readable.
    self.maxDiff = None
    self.assertDictEqual(result, desired_crud_policy)