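def test_get_actions_from_policy(self):
    """util.policy_files.get_actions_from_policy

    Pins two properties of ``get_actions_from_policy`` that the access-level
    analysis downstream relies on:

    * actions are collected from every statement in the document, and
    * the result comes back in canonical IAM casing and in sorted order
      (the input order below is deliberately not sorted).

    The first statement is written entirely in lowercase and the second in
    CamelCase, so the test also checks that casing differences in the input
    do not leak into the result — IAM matches action names
    case-insensitively, so callers may write them either way.
    """
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecr:getauthorizationtoken",
                    "ecr:batchchecklayeravailability",
                    "ecr:getdownloadurlforlayer",
                    "ecr:getrepositorypolicy",
                    "ecr:describerepositories",
                    "ecr:listimages",
                    "ecr:describeimages",
                    "ecr:batchgetimage",
                    "ecr:initiatelayerupload",
                    "ecr:uploadlayerpart",
                    "ecr:completelayerupload",
                    "ecr:putimage",
                ],
                "Resource": "*",
            },
            {
                "Sid": "AllowManageOwnAccessKeys",
                "Effect": "Allow",
                "Action": [
                    "iam:CreateAccessKey",
                    "iam:DeleteAccessKey",
                    "iam:ListAccessKeys",
                    "iam:UpdateAccessKey",
                ],
                "Resource": "arn:aws:iam::*:user/${aws:username}",
            },
        ],
    }
    actions_list = get_actions_from_policy(policy)
    desired_actions_list = [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:InitiateLayerUpload",
        "ecr:ListImages",
        "ecr:PutImage",
        "ecr:UploadLayerPart",
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:ListAccessKeys",
        "iam:UpdateAccessKey",
    ]
    # Show the whole list diff on failure; the previous unconditional debug
    # print was removed so a passing run stays quiet.
    self.maxDiff = None
    self.assertListEqual(desired_actions_list, actions_list)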
def analyze_by_access_level(db_session, policy_json, access_level):
    """
    Return the actions in a policy that fall under a given access level.

    This is particularly useful when determining who has 'Permissions management'
    level access, the level most worth auditing.

    :param db_session: SQLAlchemy database session
    :param policy_json: a dictionary representing the AWS JSON policy
    :param access_level: The normalized access level - either 'read', 'list',
        'write', 'tagging', or 'permissions-management'
    :return: the expanded actions from the policy whose access level matches
        ``access_level``

    Only action names are examined here. This function never looks at a
    statement's Effect, Resource or Condition (whether
    ``get_actions_from_policy`` filters on Effect is not visible from this
    function), so a non-empty result means the policy *mentions* such
    actions, not that a principal is effectively allowed to perform them.
    """
    # Wildcard actions (e.g. "cloud9:*") must be expanded against the action
    # database before access-level filtering can say anything about them.
    actions = get_actions_from_policy(policy_json)
    actions = determine_actions_to_expand(db_session, actions)
    return remove_actions_not_matching_access_level(db_session, actions, access_level)
def analyze_by_access_level(policy_json, access_level):
    """
    Return the actions in a policy that fall under a given access level.

    This is particularly useful when determining who has 'Permissions management'
    level access, the level most worth auditing.

    Arguments:
        policy_json: a dictionary representing the AWS JSON policy
        access_level: The normalized access level - either 'read', 'list', 'write', 'tagging',
            or 'permissions-management'
    Return:
        List: A list of actions

    Only action names are examined here. This function never looks at a
    statement's Effect, Resource or Condition (whether
    ``get_actions_from_policy`` filters on Effect is not visible from this
    function), so a non-empty result means the policy *mentions* such
    actions, not that a principal is effectively allowed to perform them.
    """
    # Wildcard actions are presumably resolved by get_expanded_policy before
    # the names are collected, which is why no separate expansion step
    # follows — confirm against get_expanded_policy if wildcards go missing.
    expanded = get_expanded_policy(policy_json)
    actions = get_actions_from_policy(expanded)
    return remove_actions_not_matching_access_level(actions, access_level)
def test_get_actions_from_policy(self):
    """test_get_actions_from_policy: Verify that the get_actions_from_policy function is grabbing the actions from a dict properly

    The document below holds two statements; the expected list shows that
    actions from both are collected, lower-cased (the input is CamelCase)
    and returned in sorted order rather than document order. IAM matches
    action names case-insensitively, so normalizing here keeps later
    comparisons against the action database from depending on how the
    policy author spelled them.
    """
    ecr_statement = {
        "Effect": "Allow",
        "Action": [
            "ecr:GetAuthorizationToken",
            "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer",
            "ecr:GetRepositoryPolicy",
            "ecr:DescribeRepositories",
            "ecr:ListImages",
            "ecr:DescribeImages",
            "ecr:BatchGetImage",
            "ecr:InitiateLayerUpload",
            "ecr:UploadLayerPart",
            "ecr:CompleteLayerUpload",
            "ecr:PutImage",
        ],
        "Resource": "*",
    }
    iam_statement = {
        "Sid": "AllowManageOwnAccessKeys",
        "Effect": "Allow",
        "Action": [
            "iam:CreateAccessKey",
            "iam:DeleteAccessKey",
            "iam:ListAccessKeys",
            "iam:UpdateAccessKey",
        ],
        "Resource": "arn:aws:iam::*:user/${aws:username}",
    }
    policy_document = {
        "Version": "2012-10-17",
        "Statement": [ecr_statement, iam_statement],
    }

    expected = [
        'ecr:batchchecklayeravailability',
        'ecr:batchgetimage',
        'ecr:completelayerupload',
        'ecr:describeimages',
        'ecr:describerepositories',
        'ecr:getauthorizationtoken',
        'ecr:getdownloadurlforlayer',
        'ecr:getrepositorypolicy',
        'ecr:initiatelayerupload',
        'ecr:listimages',
        'ecr:putimage',
        'ecr:uploadlayerpart',
        'iam:createaccesskey',
        'iam:deleteaccesskey',
        'iam:listaccesskeys',
        'iam:updateaccesskey',
    ]
    observed = get_actions_from_policy(policy_document)

    # Full diff on failure — the list is long enough that truncation hides
    # which action is wrong.
    self.maxDiff = None
    self.assertListEqual(expected, observed)
import json POLICY_JSON_TO_EXPAND = { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "cloud9:*", ], "Resource": "*" }] } if __name__ == '__main__': db_session = connect_db('bundled') requested_actions = get_actions_from_policy(POLICY_JSON_TO_EXPAND) expanded_actions = determine_actions_to_expand(db_session, requested_actions) print(json.dumps(expanded_actions, indent=4)) """ Output: [ "cloud9:createenvironmentec2", "cloud9:createenvironmentmembership", "cloud9:deleteenvironment", "cloud9:deleteenvironmentmembership", "cloud9:describeenvironmentmemberships", "cloud9:describeenvironments", "cloud9:describeenvironmentstatus", "cloud9:getusersettings",