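 def missing_resource_constraints(
         self, exclusions: Exclusions = DEFAULT_EXCLUSIONS) -> List[str]:
     """Return the statement's restrictable actions that are not bound by a resource constraint.

     Only a statement whose resource list is exactly ``["*"]`` is treated as
     unconstrained here. Any other resource list -- including ARNs that
     themselves contain wildcards -- counts as constrained for this check, so
     no candidate actions are reported for it. The candidate actions are
     passed through ``exclusions.get_allowed_actions`` so that actions the
     exclusions configuration rules out are filtered from the result.

     Args:
         exclusions: Exclusions configuration used to filter the candidate
             actions. Defaults to ``DEFAULT_EXCLUSIONS``.

     Returns:
         The filtered list of action names (regardless of access level).

     Raises:
         TypeError: if ``exclusions`` is not an ``Exclusions`` instance.
             ``TypeError`` subclasses ``Exception``, so existing
             ``except Exception`` handlers keep working.
     """
     if not isinstance(exclusions, Exclusions):
         raise TypeError(  # pragma: no cover
             "The provided exclusions is not the Exclusions object type. "
             "Please use the Exclusions object.")
     # A bare "*" is the only resource list considered unconstrained; a
     # resource ARN that merely contains a wildcard is not caught by this test.
     wildcard_only = len(self.resources) == 1 and self.resources[0] == "*"
     candidates = self.restrictable_actions if wildcard_only else []
     return exclusions.get_allowed_actions(candidates)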
 def test_new_exclusions_approach(self):
     """An Exclusions object built from a config dict filters a list of actions.

     The expected result drops ``"kms:decrypt"`` even though the config
     excludes ``"kms:Decrypt"``, i.e. the exclude-action match is not
     case-sensitive.
     """
     config = {
         "policies": ["aws-service-role*"],
         "roles": ["aws-service-role*"],
         "users": [""],
         "include-actions": ["s3:GetObject"],
         "exclude-actions": ["kms:Decrypt"]
     }
     candidate_actions = [
         "s3:GetObject", "kms:decrypt", "ssm:GetParameter",
         "ec2:DescribeInstances"
     ]
     expected = ['s3:GetObject', 'ssm:GetParameter', 'ec2:DescribeInstances']
     allowed = Exclusions(config).get_allowed_actions(candidate_actions)
     self.assertListEqual(allowed, expected)
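 def missing_resource_constraints(
         self, exclusions: Exclusions = DEFAULT_EXCLUSIONS) -> List[str]:
     """Return the statement's restrictable actions that are not bound by a resource constraint.

     A statement is treated as unconstrained when its resource list is
     exactly ``["*"]``, or when ``self.flag_resource_arn_statements`` is set
     (Fix #390), in which case the statement is flagged regardless of its
     resource list. Otherwise no candidate actions are reported. The
     candidates are passed through ``exclusions.get_allowed_actions`` so
     that actions the exclusions configuration rules out are filtered from
     the result, which is returned in sorted order.

     Args:
         exclusions: Exclusions configuration used to filter the candidate
             actions. Defaults to ``DEFAULT_EXCLUSIONS``.

     Returns:
         The filtered, sorted list of action names (regardless of access
         level).

     Raises:
         TypeError: if ``exclusions`` is not an ``Exclusions`` instance.
             ``TypeError`` subclasses ``Exception``, so existing
             ``except Exception`` handlers keep working.
     """
     if not isinstance(exclusions, Exclusions):
         raise TypeError(  # pragma: no cover
             "The provided exclusions is not the Exclusions object type. "
             "Please use the Exclusions object.")
     # A bare "*" is the only resource list considered unconstrained on its
     # own; a resource ARN that merely contains a wildcard is not caught here.
     wildcard_only = len(self.resources) == 1 and self.resources[0] == "*"
     # Fix #390 - if flag_resource_arn_statements is True, treat the statement
     # as missing resource constraints so the action is flagged anyway.
     if wildcard_only or self.flag_resource_arn_statements:
         candidates = self.restrictable_actions
     else:
         candidates = []
     # sorted() returns a fresh list instead of sorting the helper's list
     # in place; the caller sees the same ordered result either way.
     return sorted(exclusions.get_allowed_actions(candidates))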