def test_match_action_resource_policy_elements(self): """Test if we're correctly testing Action/Resource elements in resource policies""" bucket_policy_1 = { 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Principal': '*', 'Action': 's3:GetObject', 'Resource': 'arn:aws:s3:::bucket/object' }] } bucket_policy_2 = { 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Deny', 'Principal': '*', 'Action': 's3:GetObject', 'Resource': 'arn:aws:s3:::bucket/object' }] } iam_user_1 = _build_user_with_policy( { 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': 's3:GetObject', 'Resource': 'arn:aws:s3:::bucket/object' }] }, 'single_user_policy', 'asdf1', '1') iam_user_2 = _build_user_with_policy( { 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': 's3:GetObject', 'Resource': 'arn:aws:s3:::bucket/object' }] }, 'single_user_policy', 'asdf2', '2') rpa_result = resource_policy_authorization( iam_user_1, '000000000000', bucket_policy_1, 's3:GetObject', 'arn:aws:s3:::bucket/object', {}) self.assertTrue(rpa_result == ResourcePolicyEvalResult.NODE_MATCH) rpa_result = resource_policy_authorization( iam_user_1, '000000000000', bucket_policy_1, 's3:PutObject', 'arn:aws:s3:::bucket/object', {}) self.assertTrue(rpa_result == ResourcePolicyEvalResult.NO_MATCH)
def test_condition_key_handling_in_resources(self): test_node = _build_user_with_policy({ 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': 'iam:CreateAccessKey', 'Resource': 'arn:aws:iam::000000000000:user/${aws:username}' }] }) self.assertTrue(has_matching_statement(test_node, 'Allow', 'iam:CreateAccessKey', test_node.arn, {'aws:username': '******'}))
def test_inferred_keys(self): test_node = _build_user_with_policy( { 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*' }] }, user_name='infer') inferred_keys = _infer_condition_keys(test_node, {}) self.assertTrue('aws:username' in inferred_keys) self.assertTrue(inferred_keys['aws:username'] == 'infer')
def test_permissions_boundary_no_resource_policy(self): """In the case of no resource policy, the effective permissions are the "intersection" of the caller's identity policies + the boundary policy. Both the user's identity policies + boundary policy must permit the API call. A matching deny statement in either set will deny the whole call. """ boundary = Policy( 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess', 'AmazonS3ReadOnlyAccess', { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:Get*", "s3:List*" ], "Resource": "*", "Effect": "Allow" } ] } ) iam_user_1 = _build_user_with_policy( { 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*' }] }, 'admin_policy', 'asdf1', '1' ) iam_user_1.permissions_boundary = boundary self.assertTrue( local_check_authorization(iam_user_1, 's3:GetObject', 'arn:aws:s3:::bucket/object', {}) ) self.assertFalse( local_check_authorization(iam_user_1, 's3:PutObject', 'arn:aws:s3:::bucket/object', {}) )
def test_arn_condition(self): """ Validate the following conditions are correctly handled: ArnEquals, ArnLike, ArnNotEquals, ArnNotLike. Note, ArnEquals and ArnLike have the same behavior, as well as ArnNotEquals and ArnNotLike Validated against the Simulator API TODO: Check on ForAnyValue and ForAllValues """ # ArnEquals (and ArnLike) testing: no wildcards test_arn_equals = _build_user_with_policy({ 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*', 'Condition': { 'ArnEquals': { 'aws:SourceArn': 'arn:aws:iam::000000000000:user/test1', } } }] }) self.assertTrue( local_check_authorization( test_arn_equals, 'iam:CreateUser', '*', {'aws:SourceArn': 'arn:aws:iam::000000000000:user/test1'})) self.assertFalse( local_check_authorization( test_arn_equals, 'iam:CreateUser', '*', {'aws:SourceArn': 'arn:aws:iam::000000000000:user/test2'})) # ArnEquals (and ArnLike) testing: wildcards test_arn_equals_wild = _build_user_with_policy({ 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*', 'Condition': { 'ArnEquals': { 'aws:SourceArn': 'arn:aws:iam::*:user/test1', } } }] }) self.assertTrue( local_check_authorization( test_arn_equals_wild, 'iam:CreateUser', '*', {'aws:SourceArn': 'arn:aws:iam::000000000000:user/test1'}, )) self.assertFalse( local_check_authorization( test_arn_equals_wild, 'iam:CreateUser', '*', {'aws:SourceArn': 'arn:aws:iam::000000000000:user/test2'}, )) # ArnNotEquals (and ArnNotLike) testing: wildcards test_arn_equals_wild = _build_user_with_policy({ 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*', 'Condition': { 'ArnNotLike': { 'aws:SourceArn': 'arn:aws:iam::*:user/test1', } } }] }) self.assertFalse( local_check_authorization( test_arn_equals_wild, 'iam:CreateUser', '*', {'aws:SourceArn': 'arn:aws:iam::000000000000:user/test1'}, )) self.assertTrue( local_check_authorization( test_arn_equals_wild, 'iam:CreateUser', '*', {'aws:SourceArn': 'arn:aws:iam::000000000000:user/test2'}, )) self.assertFalse( local_check_authorization( test_arn_equals_wild, 'iam:CreateUser', '*', {'aws:SourceArn': 'test2'}, ))
def test_documented_ddb_authorization_behavior(self): test_node = _build_user_with_policy({ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "dynamodb:GetItem", "Resource": "arn:aws:dynamodb:*:*:table/Thread", "Condition": { "ForAllValues:StringEquals": { "dynamodb:Attributes": ["ID", "Message", "Tags"] } } }] }) self.assertTrue( local_check_authorization( test_node, 'dynamodb:GetItem', 'arn:aws:dynamodb:us-west-2:000000000000:table/Thread', {'dynamodb:attributes': ['ID', 'Message', 'Tags']})) self.assertTrue( local_check_authorization( test_node, 'dynamodb:GetItem', 'arn:aws:dynamodb:us-west-2:000000000000:table/Thread', {'dynamodb:attributes': ['ID', 'Message']})) self.assertTrue( local_check_authorization( test_node, 'dynamodb:GetItem', 'arn:aws:dynamodb:us-west-2:000000000000:table/Thread', {})) self.assertFalse( local_check_authorization( test_node, 'dynamodb:GetItem', 'arn:aws:dynamodb:us-west-2:000000000000:table/Thread', {'dynamodb:Attributes': ['ID', 'Message', 'Tags', 'Password'] })) test_node = _build_user_with_policy({ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "dynamodb:GetItem", "Resource": "arn:aws:dynamodb:*:*:table/Thread", "Condition": { "ForAnyValue:StringEquals": { "dynamodb:Attributes": ["ID", "Message", "Tags"] } } }] }) self.assertTrue( local_check_authorization( test_node, 'dynamodb:GetItem', 'arn:aws:dynamodb:us-west-2:000000000000:table/Thread', {'dynamodb:Attributes': ['ID', 'Message', 'Tags']})) self.assertTrue( local_check_authorization( test_node, 'dynamodb:GetItem', 'arn:aws:dynamodb:us-west-2:000000000000:table/Thread', {'dynamodb:Attributes': ['Tags', 'Password']})) self.assertFalse( local_check_authorization( test_node, 'dynamodb:GetItem', 'arn:aws:dynamodb:us-west-2:000000000000:table/Thread', {'dynamodb:Attributes': ['Password']})) self.assertFalse( local_check_authorization( test_node, 'dynamodb:GetItem', 'arn:aws:dynamodb:us-west-2:000000000000:table/Thread', {}))
def test_bool_condition_handling(self): """ Validate the following conditions are handled: * Bool TODO: Check on ForAnyValue and ForAllValues """ # Bool: true test_node_true = _build_user_with_policy({ 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*', 'Condition': { 'Bool': { 'aws:SecureTransport': 'true' } } }] }) self.assertTrue( local_check_authorization(test_node_true, 'iam:CreateUser', '*', {'aws:SecureTransport': 'true'})) self.assertTrue( local_check_authorization(test_node_true, 'iam:CreateUser', '*', {'aws:SecureTransport': 'True'})) self.assertFalse( local_check_authorization(test_node_true, 'iam:CreateUser', '*', {'aws:SecureTransport': 'tru'})) self.assertFalse( local_check_authorization(test_node_true, 'iam:CreateUser', '*', {'aws:SecureTransport': ''})) self.assertFalse( local_check_authorization(test_node_true, 'iam:CreateUser', '*', {'aws:SecureTransport': 'false'})) # Bool: false test_node_false = _build_user_with_policy({ 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*', 'Condition': { 'Bool': { 'aws:SecureTransport': 'false' } } }] }) self.assertTrue( local_check_authorization(test_node_false, 'iam:CreateUser', '*', {'aws:SecureTransport': 'false'})) self.assertFalse( local_check_authorization(test_node_false, 'iam:CreateUser', '*', {'aws:SecureTransport': 'true'})) self.assertTrue( local_check_authorization( test_node_false, 'iam:CreateUser', '*', {'aws:SecureTransport': 'asdf'})) # policy sim behavior self.assertTrue( local_check_authorization(test_node_false, 'iam:CreateUser', '*', {'aws:SecureTransport': 't'}))
def test_ipaddress_condition_handling(self): """ Validate the following conditions are handled: * IpAddress * NotIpAddress TODO: Check on ForAnyValue and ForAllValues """ # IpAddress: single IP test_node_ipaddress = _build_user_with_policy({ 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*', 'Condition': { 'IpAddress': { 'aws:SourceIp': '10.0.0.1' } } }] }) self.assertTrue( local_check_authorization(test_node_ipaddress, 'iam:CreateUser', '*', {'aws:SourceIp': '10.0.0.1'})) self.assertFalse( local_check_authorization(test_node_ipaddress, 'iam:CreateUser', '*', {'aws:SourceIp': '10.0.0.2'})) # IpAddress: IP range test_node_ipaddress = _build_user_with_policy({ 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*', 'Condition': { 'IpAddress': { 'aws:SourceIp': '10.0.0.0/8' } } }] }) self.assertTrue( local_check_authorization(test_node_ipaddress, 'iam:CreateUser', '*', {'aws:SourceIp': '10.0.0.1'})) self.assertFalse( local_check_authorization(test_node_ipaddress, 'iam:CreateUser', '*', {'aws:SourceIp': '127.0.0.1'})) # IpAddress: IP ranges test_node_ipaddress = _build_user_with_policy({ 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*', 'Condition': { 'IpAddress': { 'aws:SourceIp': ['10.0.0.0/8', '127.0.0.0/8'] } } }] }) self.assertTrue( local_check_authorization(test_node_ipaddress, 'iam:CreateUser', '*', {'aws:SourceIp': '10.0.0.1'})) self.assertTrue( local_check_authorization(test_node_ipaddress, 'iam:CreateUser', '*', {'aws:SourceIp': '127.0.0.1'})) self.assertFalse( local_check_authorization(test_node_ipaddress, 'iam:CreateUser', '*', {'aws:SourceIp': '192.168.0.1'}))
def test_datetime_condition_handling(self): """ Validate the following conditions are correctly handled: DateEquals DateNotEquals DateLessThan DateLessThanEquals DateGreaterThan DateGreaterThanEquals TODO: Check on ForAnyValue and ForAllValues """ # DateEquals test_node_date_equals = _build_user_with_policy({ 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*', 'Condition': { 'DateEquals': { 'aws:CurrentTime': '2018-08-10T00:00:00Z' } } }] }) self.assertTrue( local_check_authorization( test_node_date_equals, 'iam:CreateUser', '*', {'aws:CurrentTime': '2018-08-10T00:00:00Z'})) self.assertTrue( local_check_authorization(test_node_date_equals, 'iam:CreateUser', '*', {'aws:CurrentTime': '1533859200.0'})) self.assertTrue( local_check_authorization(test_node_date_equals, 'iam:CreateUser', '*', {'aws:CurrentTime': '1533859200'})) self.assertFalse( local_check_authorization(test_node_date_equals, 'iam:CreateUser', '*', {'aws:CurrentTime': '1533859201'})) self.assertFalse( local_check_authorization( test_node_date_equals, 'iam:CreateUser', '*', {'aws:CurrentTime': '2018-08-10T00:00:01Z'})) # DateNotEquals test_node_date_not_equals = _build_user_with_policy({ 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*', 'Condition': { 'DateNotEquals': { 'aws:CurrentTime': '2018-08-10T00:00:00Z' } } }] }) self.assertFalse( local_check_authorization( test_node_date_not_equals, 'iam:CreateUser', '*', {'aws:CurrentTime': '2018-08-10T00:00:00Z'})) self.assertTrue( local_check_authorization( test_node_date_not_equals, 'iam:CreateUser', '*', {'aws:CurrentTime': '2018-08-10T00:00:01Z'})) # DateGreaterThan test_node_date_greater_than = _build_user_with_policy({ 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*', 'Condition': { 'DateGreaterThan': { 'aws:CurrentTime': '2018-08-10T00:00:00Z' } } }] }) self.assertFalse( local_check_authorization( test_node_date_greater_than, 'iam:CreateUser', '*', {'aws:CurrentTime': '2018-08-10T00:00:00Z'})) self.assertTrue( local_check_authorization( test_node_date_greater_than, 'iam:CreateUser', '*', {'aws:CurrentTime': '2018-08-10T00:00:01Z'})) # DateGreaterThanEquals test_node_date_greater_than_equals = _build_user_with_policy({ 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*', 'Condition': { 'DateGreaterThanEquals': { 'aws:CurrentTime': '2018-08-10T00:00:00Z' } } }] }) self.assertFalse( local_check_authorization( test_node_date_greater_than_equals, 'iam:CreateUser', '*', {'aws:CurrentTime': '2018-08-09T23:59:59Z'})) self.assertTrue( local_check_authorization( test_node_date_greater_than_equals, 'iam:CreateUser', '*', {'aws:CurrentTime': '2018-08-10T00:00:00Z'})) self.assertTrue( local_check_authorization( test_node_date_greater_than_equals, 'iam:CreateUser', '*', {'aws:CurrentTime': '2018-08-10T00:00:01Z'})) # DateLessThan test_node_date_less_than = _build_user_with_policy({ 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*', 'Condition': { 'DateLessThan': { 'aws:CurrentTime': '2018-08-10T00:00:00Z' } } }] }) self.assertTrue( local_check_authorization( test_node_date_less_than, 'iam:CreateUser', '*', {'aws:CurrentTime': '2018-08-09T23:59:59Z'})) self.assertFalse( local_check_authorization( test_node_date_less_than, 'iam:CreateUser', '*', {'aws:CurrentTime': '2018-08-10T00:00:01Z'})) # DateLessThanEquals test_node_date_less_than_equals = _build_user_with_policy({ 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*', 'Condition': { 'DateLessThanEquals': { 'aws:CurrentTime': '2018-08-10T00:00:00Z' } } }] }) self.assertTrue( local_check_authorization( test_node_date_less_than_equals, 'iam:CreateUser', '*', {'aws:CurrentTime': '2018-08-09T23:59:59Z'})) self.assertTrue( local_check_authorization( test_node_date_less_than_equals, 'iam:CreateUser', '*', {'aws:CurrentTime': '2018-08-10T00:00:00Z'})) self.assertFalse( local_check_authorization( test_node_date_less_than_equals, 'iam:CreateUser', '*', {'aws:CurrentTime': '2018-08-10T00:00:01Z'}))
def test_null_condition_handling(self): """ Validate the following conditions are correctly handled: Null, ForAnyValue:Null, ForAllValues:Null Validated against the Simulator API """ # Basic use validation test_node_null = _build_user_with_policy({ 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*', 'Condition': { 'Null': { 'aws:username': '******', # aws:username MUST NOT be present 'aws:userid': 'false' # aws:userid MUST be present } } }] }) self.assertTrue( local_check_authorization(test_node_null, 'iam:CreateUser', '*', { 'aws:userid': 'asdf', 'aws:username': '' })) self.assertFalse( local_check_authorization(test_node_null, 'iam:CreateUser', '*', { 'aws:userid': '', 'aws:username': '' })) # Array use validation test_node_null_array = _build_user_with_policy({ 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*', 'Condition': { 'Null': { 'aws:username': ['true', 'false'], # doesn't matter if it's in or not } } }] }) self.assertTrue( local_check_authorization(test_node_null_array, 'iam:CreateUser', '*', {'aws:username': ''})) self.assertTrue( local_check_authorization(test_node_null_array, 'iam:CreateUser', '*', {'aws:username': '******'})) # ForAllValues: validation test_node_null_forallvalues_1 = _build_user_with_policy({ 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*', 'Condition': { 'ForAllValues:Null': { # For all valid context values... 'aws:username': '******', # aws:username MUST be present } } }] }) self.assertTrue( local_check_authorization(test_node_null_forallvalues_1, 'iam:CreateUser', '*', {'aws:username': '******'})) self.assertTrue( local_check_authorization(test_node_null_forallvalues_1, 'iam:CreateUser', '*', {'aws:username': ''})) test_node_null_forallvalues_2 = _build_user_with_policy({ 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*', 'Condition': { 'ForAllValues:Null': { # For all valid context values... 'aws:username': '******', # aws:username MUST NOT be present } } }] }) self.assertFalse( local_check_authorization(test_node_null_forallvalues_2, 'iam:CreateUser', '*', {'aws:username': '******'})) self.assertTrue( local_check_authorization(test_node_null_forallvalues_2, 'iam:CreateUser', '*', {'aws:username': ''})) # ForAnyValue: validation test_node_null_foranyvalue_1 = _build_user_with_policy({ 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*', 'Condition': { 'ForAnyValue:Null': { # Among the valid context values... 'aws:username': '******', # aws:username MUST NOT be present (cannot fulfill this) } } }] }) self.assertFalse( local_check_authorization(test_node_null_foranyvalue_1, 'iam:CreateUser', '*', {'aws:username': '******'})) self.assertFalse( local_check_authorization(test_node_null_foranyvalue_1, 'iam:CreateUser', '*', {'aws:username': ''})) test_node_null_foranyvalue_2 = _build_user_with_policy({ 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*', 'Condition': { 'ForAnyValue:Null': { # Among the valid context values... 'aws:username': '******', # aws:username MUST be present } } }] }) self.assertTrue( local_check_authorization(test_node_null_foranyvalue_2, 'iam:CreateUser', '*', {'aws:username': '******'})) self.assertFalse( local_check_authorization(test_node_null_foranyvalue_2, 'iam:CreateUser', '*', {'aws:username': ''}))
def test_iam_assume_role(self): """Test that we are correctly validating policies for calls to `sts:AssumeRole`""" trust_doc_1 = { 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Principal': { 'AWS': 'arn:aws:iam::000000000000:root' }, 'Action': 'sts:AssumeRole' }] } trust_doc_2 = { 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Principal': { 'AWS': 'arn:aws:iam::999999999999:root' }, 'Action': 'sts:AssumeRole' }] } iam_user_1 = _build_user_with_policy( { 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': 'sts:AssumeRole', 'Resource': '*' }] }, 'single_user_policy', 'asdf1', '1') iam_user_2 = _build_user_with_policy( { 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': 's3:GetObject', 'Resource': '*' }] }, 'single_user_policy', 'asdf2', '2') # account root + iam policy => authorized self.assertTrue( local_check_authorization_full( iam_user_1, 'sts:AssumeRole', 'arn:aws:iam::000000000000:role/test1', {}, trust_doc_1, '000000000000')) # iam policy only => not authorized self.assertFalse( local_check_authorization_full( iam_user_1, 'sts:AssumeRole', 'arn:aws:iam::000000000000:role/test1', {}, trust_doc_2, '000000000000')) # account root only => not authorized self.assertFalse( local_check_authorization_full( iam_user_2, 'sts:AssumeRole', 'arn:aws:iam::000000000000:role/test1', {}, trust_doc_1, '000000000000')) # Neither the account root nor the iam policy => not authorized self.assertFalse( local_check_authorization_full( iam_user_2, 'sts:AssumeRole', 'arn:aws:iam::000000000000:role/test1', {}, trust_doc_2, '000000000000')) # A user from another account other_account_node = Node( 'arn:aws:iam::999999999999:role/test_other', 'ARIA00', [ Policy( 'arn:aws:iam::999999999999:role/test_other', 'inline1', { 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': 'sts:AssumeRole', 'Resource': '*' }] }) ], [], {}, [], 0, False, False, None, False, None) self.assertFalse( local_check_authorization_full( other_account_node, 'sts:AssumeRole', 'arn:aws:iam::000000000000:role/test1', {}, trust_doc_1, '000000000000'))
def test_permissions_boundary_with_resource_policy(self): boundary_1 = Policy( 'arn:aws:iam::aws:policy/AssumeJumpRole', 'AssumeJumpRole', { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::000000000000:role/JumpRole", "Effect": "Allow" } ] } ) iam_user_1 = _build_user_with_policy( { 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': '*', 'Resource': '*' }] }, 'admin_policy', 'asdf1', '1' ) iam_user_1.permissions_boundary = boundary_1 boundary_2 = Policy( 'arn:aws:iam::aws:policy/EmptyPolicy', 'EmptyPolicy', { "Version": "2012-10-17", "Statement": [] } ) iam_user_2 = _build_user_with_policy( { 'Version': '2012-10-17', 'Statement': [] }, 'admin_policy', 'asdf2', '2' ) iam_user_2.permissions_boundary = boundary_2 trust_doc = { 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Principal': { 'AWS': [ 'arn:aws:iam::000000000000:user/asdf2', 'arn:aws:iam::000000000000:root' ] }, 'Action': 'sts:AssumeRole' }] } self.assertTrue( local_check_authorization_full( iam_user_1, 'sts:AssumeRole', 'arn:aws:iam::000000000000:role/JumpRole', {}, trust_doc, '000000000000' ) ) self.assertTrue( local_check_authorization_full( iam_user_2, 'sts:AssumeRole', 'arn:aws:iam::000000000000:role/JumpRole', {}, trust_doc, '000000000000' ) )