예제 #1
0
 def test_write_policy_beijing(self):
     """test_write_policy_beijing: Tests ARNs with the partiion `aws-cn` instead of just `aws`"""
     arn_action_group = ArnActionGroup()
     govcloud_arn_list_from_user = [
         "arn:aws-cn:s3:::example-org-s3-access-logs"
     ]
     access_level = "Permissions management"
     desired_output = {
         'Version':
         '2012-10-17',
         'Statement': [{
             'Sid':
             'S3PermissionsmanagementBucket',
             'Effect':
             'Allow',
             'Action': [
                 's3:deletebucketpolicy', 's3:putbucketacl',
                 's3:putbucketpolicy', 's3:putbucketpublicaccessblock'
             ],
             'Resource': ['arn:aws-cn:s3:::example-org-s3-access-logs']
         }]
     }
     arn_action_group.add(db_session, govcloud_arn_list_from_user,
                          access_level)
     arn_action_group.update_actions_for_raw_arn_format(db_session)
     arn_dict = arn_action_group.get_policy_elements(db_session)
     policy = print_policy(arn_dict, db_session)
     # print(policy)
     self.assertEqual(policy, desired_output)
예제 #2
0
 def test_print_policy_with_actions_having_dependencies(self):
     desired_output = {
         "Version":
         "2012-10-17",
         "Statement": [{
             "Sid":
             "KmsPermissionsmanagementKmskey",
             "Effect":
             "Allow",
             "Action": ["kms:creategrant"],
             "Resource":
             ["arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}"]
         }, {
             "Sid":
             "MultMultNone",
             "Effect":
             "Allow",
             "Action":
             ["kms:createcustomkeystore", "cloudhsm:describeclusters"],
             "Resource": ["*"]
         }]
     }
     supplied_actions = actions_test_data_1
     supplied_actions = get_dependent_actions(db_session, supplied_actions)
     arn_action_group = ArnActionGroup()
     arn_dict = arn_action_group.process_list_of_actions(
         supplied_actions, db_session)
     self.maxDiff = None
     policy = print_policy(arn_dict, db_session)
     self.assertDictEqual(policy, desired_output)
예제 #3
0
    def test_wildcard_when_not_necessary(self):
        """test_wildcard_when_not_necessary: Attempts bypass of CRUD mode wildcard-only"""
        cfg = {
            'policy_with_crud_levels': [{
                'name':
                'RoleNameWithCRUD',
                'description':
                'Why I need these privs',
                'role_arn':
                'arn:aws:iam::123456789012:role/RiskyEC2',
                'permissions-management':
                ['arn:aws:s3:::example-org-s3-access-logs'],
                'wildcard': [
                    # The first three are legitimately wildcard only.
                    # Verify with `policy_sentry query action-table --service secretsmanager --wildcard-only`
                    'ram:enablesharingwithawsorganization',
                    'ram:getresourcepolicies',
                    'secretsmanager:createsecret',
                    # This last one can be "secret" ARN type OR wildcard. We want to prevent people from
                    # bypassing this mechanism, while allowing them to explicitly
                    # request specific privs that require wildcard mode. This next value -
                    # secretsmanager:putsecretvalue - is an example of someone trying to beat the tool.
                    'secretsmanager:putsecretvalue'
                ]
            }]
        }
        arn_action_group = ArnActionGroup()

        arn_dict = arn_action_group.process_resource_specific_acls(
            cfg, db_session)
        output = print_policy(arn_dict, db_session, None)
        print(json.dumps(output, indent=4))
        desired_output = {
            "Version":
            "2012-10-17",
            "Statement": [{
                "Sid":
                "MultMultNone",
                "Effect":
                "Allow",
                "Action": [
                    "ram:enablesharingwithawsorganization",
                    "ram:getresourcepolicies", "secretsmanager:createsecret"
                ],
                "Resource": ["*"]
            }, {
                "Sid":
                "S3PermissionsmanagementBucket",
                "Effect":
                "Allow",
                "Action": [
                    "s3:deletebucketpolicy", "s3:putbucketacl",
                    "s3:putbucketpolicy", "s3:putbucketpublicaccessblock"
                ],
                "Resource": ["arn:aws:s3:::example-org-s3-access-logs"]
            }]
        }
        self.maxDiff = None
        self.assertDictEqual(output, desired_output)