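 def test_s3_policies(self):
     """Run every policy in the ``iam/s3-policies.json`` fixture through a
     checker configured with an account, VPC and VPC-endpoint allow-list.

     ``expected[i]`` is True when ``checker.check`` must report at least one
     violation for the i-th fixture policy and False when it must be clean.
     """
     policies = load_data("iam/s3-policies.json")
     checker = PolicyChecker({
         "allowed_accounts": {"123456789012"},
         "allowed_vpc": {"vpc-12345678"},
         "allowed_vpce": {"vpce-12345678", "vpce-87654321"},
     })
     expected = [
         True, False, False, True, False, True, False,
         True, False, True, False, True, False, True,
     ]
     # zip() stops at the shorter input, so a fixture policy with no matching
     # expectation would silently go untested; pin the lengths up front.
     self.assertEqual(len(policies), len(expected))
     for i, (p, want) in enumerate(zip(policies, expected)):
         violations = checker.check(p)
         self.assertEqual(
             bool(violations), want,
             msg="policy #%d: violations=%r" % (i, violations),
         )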
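 def test_s3_policies(self):
     """Check the ``iam/s3-policies.json`` fixture against an allow-list of
     accounts, VPCs and VPC endpoints.

     Each entry of ``expected`` says whether ``checker.check`` must flag the
     fixture policy at the same index (True = violations, False = clean).
     """
     policies = load_data("iam/s3-policies.json")
     checker = PolicyChecker(
         {
             "allowed_accounts": {"123456789012"},
             "allowed_vpc": {"vpc-12345678"},
             "allowed_vpce": {"vpce-12345678", "vpce-87654321"},
         }
     )
     expected = [
         True, False, False, True, False, True, False,
         True, False, True, False, True, False, True,
     ]
     # Guard against zip() truncation: every fixture policy needs a verdict,
     # otherwise new fixture entries would pass without being checked.
     self.assertEqual(len(policies), len(expected))
     for i, (p, want) in enumerate(zip(policies, expected)):
         violations = checker.check(p)
         self.assertEqual(
             bool(violations), want,
             msg="policy #%d: violations=%r" % (i, violations),
         )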
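 def test_s3_everyone_only(self):
     """Check the ``iam/s3-principal.json`` fixture with only the
     ``everyone_only`` option enabled.

     ``expected[i]`` is True when the i-th policy must produce violations.
     """
     policies = load_data("iam/s3-principal.json")
     checker = PolicyChecker({"everyone_only": True})
     expected = [True, True, False, False, False, False]
     # zip() would silently drop fixture policies beyond len(expected).
     self.assertEqual(len(policies), len(expected))
     for i, (p, want) in enumerate(zip(policies, expected)):
         violations = checker.check(p)
         self.assertEqual(
             bool(violations), want,
             msg="policy #%d: violations=%r" % (i, violations),
         )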
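 def test_s3_everyone_only(self):
     """Verify ``everyone_only`` mode against the ``iam/s3-principal.json``
     fixture: the first two policies must be flagged, the rest must be clean.
     """
     policies = load_data('iam/s3-principal.json')
     checker = PolicyChecker({
         'everyone_only': True})
     expected = [True, True, False, False, False, False]
     # Fail loudly if the fixture and the expectation list drift apart
     # instead of letting zip() truncate the comparison.
     self.assertEqual(len(policies), len(expected))
     for i, (p, want) in enumerate(zip(policies, expected)):
         violations = checker.check(p)
         self.assertEqual(
             bool(violations), want,
             msg='policy #%d: violations=%r' % (i, violations),
         )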
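 def test_s3_policies_multiple_conditions(self):
     """Check the ``iam/s3-conditions.json`` fixture with both an account and
     a VPC allow-list configured.

     The first policy must be clean, the second must produce violations.
     """
     policies = load_data("iam/s3-conditions.json")
     checker = PolicyChecker({
         "allowed_accounts": {"123456789012"},
         "allowed_vpc": {"vpc-12345678"},
     })
     expected = [False, True]
     # Keep fixture and expectations in lockstep; zip() alone would hide
     # any extra fixture policy.
     self.assertEqual(len(policies), len(expected))
     for i, (p, want) in enumerate(zip(policies, expected)):
         violations = checker.check(p)
         self.assertEqual(
             bool(violations), want,
             msg="policy #%d: violations=%r" % (i, violations),
         )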
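    def test_sqs_policies(self):
        """Check the ``iam/sqs-policies.json`` fixture against a single
        allowed account.

        ``expected[i]`` is True when ``checker.check`` must report violations
        for the i-th fixture policy.
        """
        policies = load_data("iam/sqs-policies.json")

        checker = PolicyChecker({"allowed_accounts": {"221800032964"}})
        expected = [False, True, True, False, False, False, False, False]
        # zip() stops at the shorter input; make a fixture/expectation
        # mismatch an explicit failure rather than silent under-coverage.
        self.assertEqual(len(policies), len(expected))
        for i, (p, want) in enumerate(zip(policies, expected)):
            violations = checker.check(p)
            self.assertEqual(
                bool(violations), want,
                msg="policy #%d: violations=%r" % (i, violations),
            )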
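 def test_s3_policies_multiple_conditions(self):
     """Run the ``iam/s3-conditions.json`` fixture through a checker that has
     both ``allowed_accounts`` and ``allowed_vpc`` set.

     Policy 0 must be clean; policy 1 must be flagged.
     """
     policies = load_data('iam/s3-conditions.json')
     checker = PolicyChecker({
         'allowed_accounts': {'123456789012'},
         'allowed_vpc': {'vpc-12345678'}
     })
     expected = [False, True]
     # Assert the lengths match so zip() cannot silently skip a policy.
     self.assertEqual(len(policies), len(expected))
     for i, (p, want) in enumerate(zip(policies, expected)):
         violations = checker.check(p)
         self.assertEqual(
             bool(violations), want,
             msg='policy #%d: violations=%r' % (i, violations),
         )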
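    def test_sqs_policies(self):
        """Check each SQS policy in ``iam/sqs-policies.json`` against an
        allow-list containing one account.

        True in ``expected`` means the policy at that index must be flagged.
        """
        policies = load_data("iam/sqs-policies.json")

        checker = PolicyChecker({"allowed_accounts": {"221800032964"}})
        expected = [False, True, True, False, False, False, False, False]
        # Without this, a fixture policy past the end of ``expected`` would
        # never be checked because zip() truncates to the shorter input.
        self.assertEqual(len(policies), len(expected))
        for i, (p, want) in enumerate(zip(policies, expected)):
            violations = checker.check(p)
            self.assertEqual(
                bool(violations), want,
                msg="policy #%d: violations=%r" % (i, violations),
            )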
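 def test_s3_policies_vpc(self):
     """Check the ``iam/s3-policies.json`` fixture with only an account
     allow-list (no VPC or VPC-endpoint allow-list).

     ``expected[i]`` is True when the i-th policy must produce violations.
     """
     policies = load_data('iam/s3-policies.json')
     checker = PolicyChecker({'allowed_accounts': {'123456789012'}})
     expected = [
         True, False, False, True, False, True, False, False, False,
         False,
     ]
     # The fixture is shared with other tests; make sure every policy in it
     # has a verdict here rather than relying on zip() truncation.
     self.assertEqual(len(policies), len(expected))
     for i, (p, want) in enumerate(zip(policies, expected)):
         violations = checker.check(p)
         self.assertEqual(
             bool(violations), want,
             msg='policy #%d: violations=%r' % (i, violations),
         )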
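 def test_s3_policies_multiple_conditions(self):
     """Check ``iam/s3-conditions.json`` with an account and a VPC allow-list.

     The first fixture policy must be clean and the second must be flagged.
     """
     policies = load_data('iam/s3-conditions.json')
     checker = PolicyChecker({
         'allowed_accounts': {'123456789012'},
         'allowed_vpc': {'vpc-12345678'}})
     expected = [False, True]
     # Pin the lengths so zip() cannot silently drop a fixture policy.
     self.assertEqual(len(policies), len(expected))
     for i, (p, want) in enumerate(zip(policies, expected)):
         violations = checker.check(p)
         self.assertEqual(
             bool(violations), want,
             msg='policy #%d: violations=%r' % (i, violations),
         )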
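 def test_s3_principal_org_id(self):
     """Check the ``iam/s3-orgid.json`` fixture against an organization-id
     allow-list.

     Policy 0 must be clean; policy 1 must produce violations.
     """
     policies = load_data("iam/s3-orgid.json")
     checker = PolicyChecker(
         {
             "allowed_orgid": {"o-goodorg"}
         }
     )
     expected = [False, True]
     # zip() truncates silently; require one expectation per fixture policy.
     self.assertEqual(len(policies), len(expected))
     for i, (p, want) in enumerate(zip(policies, expected)):
         violations = checker.check(p)
         self.assertEqual(
             bool(violations), want,
             msg="policy #%d: violations=%r" % (i, violations),
         )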
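 def test_s3_policies_multiple_conditions(self):
     """Check the ``iam/s3-conditions.json`` fixture with both an account and
     a VPC allow-list configured.

     ``expected[i]`` is True when ``checker.check`` must report violations
     for the i-th fixture policy.
     """
     policies = load_data("iam/s3-conditions.json")
     checker = PolicyChecker(
         {
             "allowed_accounts": {"123456789012"},
             "allowed_vpc": {"vpc-12345678"},
         }
     )
     expected = [False, True]
     # A fixture policy with no expectation would be skipped by zip();
     # make that a hard failure instead.
     self.assertEqual(len(policies), len(expected))
     for i, (p, want) in enumerate(zip(policies, expected)):
         violations = checker.check(p)
         self.assertEqual(
             bool(violations), want,
             msg="policy #%d: violations=%r" % (i, violations),
         )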
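    def test_not_principal_allowed(self):
        """An ``Allow`` statement that scopes access with ``NotPrincipal``
        instead of ``Principal`` must be reported as a violation, even when
        an ``allowed_accounts`` allow-list is configured.

        The accompanying ``Deny`` statement with ``Principal: '*'`` is
        presumably there so the checker sees a mixed Allow/Deny policy; the
        assertion only requires that ``check`` return a non-empty result.
        """
        policy = {
            'Id': 'Foo',
            "Version": "2012-10-17",
            'Statement': [
                {'Action': 'SQS:ReceiveMessage',
                 'Effect': 'Deny',
                 'Principal': '*'},
                {'Action': 'SQS:SendMessage',
                 'Effect': 'Allow',
                 'NotPrincipal': '90120'}]}

        checker = PolicyChecker(
            {'allowed_accounts': {'221800032964'}})

        violations = checker.check(policy)
        self.assertTrue(
            bool(violations),
            msg='NotPrincipal grant was not flagged: %r' % (violations,))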
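    def test_not_principal_allowed(self):
        """``checker.check`` must return at least one violation for a policy
        whose ``Allow`` statement uses ``NotPrincipal`` rather than
        ``Principal``, regardless of the configured ``allowed_accounts``.
        """
        policy = {
            'Id': 'Foo',
            "Version": "2012-10-17",
            'Statement': [
                {'Action': 'SQS:ReceiveMessage',
                 'Effect': 'Deny',
                 'Principal': '*'},
                {'Action': 'SQS:SendMessage',
                 'Effect': 'Allow',
                 'NotPrincipal': '90120'}]}

        checker = PolicyChecker(
            {'allowed_accounts': {'221800032964'}})

        # Capture the result so a failure shows what the checker returned.
        violations = checker.check(policy)
        self.assertTrue(
            bool(violations),
            msg='NotPrincipal grant was not flagged: %r' % (violations,))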
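    def test_not_principal_allowed(self):
        """An ``Allow`` statement keyed on ``NotPrincipal`` must be flagged
        by ``checker.check`` even with an ``allowed_accounts`` allow-list.

        Only a non-empty result is asserted; the specific violation type is
        not pinned here.
        """
        policy = {
            "Id": "Foo",
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "SQS:ReceiveMessage", "Effect": "Deny", "Principal": "*"},
                {
                    "Action": "SQS:SendMessage",
                    "Effect": "Allow",
                    "NotPrincipal": "90120",
                },
            ],
        }

        checker = PolicyChecker({"allowed_accounts": {"221800032964"}})

        violations = checker.check(policy)
        self.assertTrue(
            bool(violations),
            msg="NotPrincipal grant was not flagged: %r" % (violations,),
        )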
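    def test_not_principal_allowed(self):
        """A policy whose ``Allow`` statement uses ``NotPrincipal`` must
        produce violations from ``checker.check``, even though an
        ``allowed_accounts`` allow-list is configured.
        """
        policy = {
            "Id": "Foo",
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "SQS:ReceiveMessage", "Effect": "Deny", "Principal": "*"},
                {
                    "Action": "SQS:SendMessage",
                    "Effect": "Allow",
                    "NotPrincipal": "90120",
                },
            ],
        }

        checker = PolicyChecker({"allowed_accounts": {"221800032964"}})

        # Keep the checker output in the failure message for diagnosis.
        violations = checker.check(policy)
        self.assertTrue(
            bool(violations),
            msg="NotPrincipal grant was not flagged: %r" % (violations,),
        )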
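 def test_s3_principal_org_id(self):
     """Check the ``iam/s3-orgid.json`` fixture against an ``allowed_orgid``
     allow-list: policy 0 must be clean, policy 1 must be flagged.
     """
     policies = load_data("iam/s3-orgid.json")
     checker = PolicyChecker({"allowed_orgid": {"o-goodorg"}})
     expected = [False, True]
     # zip() stops at the shorter sequence; require one verdict per policy.
     self.assertEqual(len(policies), len(expected))
     for i, (p, want) in enumerate(zip(policies, expected)):
         violations = checker.check(p)
         self.assertEqual(
             bool(violations), want,
             msg="policy #%d: violations=%r" % (i, violations),
         )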