def test_determine_actions_to_expand(self):
"""
test_determine_actions_to_expand: provide expanded list of actions, like ecr:*
:return:
"""
action_list = ["ecr:*"]
self.maxDiff = None
desired_result = [
'ecr:batchchecklayeravailability', 'ecr:deleterepository',
'ecr:getauthorizationtoken', 'ecr:getlifecyclepolicy',
'ecr:deleterepositorypolicy', 'ecr:getdownloadurlforlayer',
'ecr:untagresource', 'ecr:startlifecyclepolicypreview',
'ecr:listimages', 'ecr:completelayerupload', 'ecr:tagresource',
'ecr:getrepositorypolicy', 'ecr:initiatelayerupload',
'ecr:setrepositorypolicy', 'ecr:startimagescan',
'ecr:putlifecyclepolicy', 'ecr:deletelifecyclepolicy',
'ecr:describeimages', 'ecr:describeimagescanfindings',
'ecr:createrepository', 'ecr:describerepositories',
'ecr:batchgetimage', 'ecr:putimage',
'ecr:putimagescanningconfiguration', 'ecr:putimagetagmutability',
'ecr:getlifecyclepolicypreview', 'ecr:listtagsforresource',
'ecr:uploadlayerpart', 'ecr:batchdeleteimage'
]
print(determine_actions_to_expand(db_session, action_list))
self.maxDiff = None
self.assertListEqual(
sorted(determine_actions_to_expand(db_session, action_list)),
sorted(desired_result))
def test_a_determine_actions_to_expand_not_upper_camelcase(self):
"""test_determine_actions_to_expand_not_upper_camelcase: The nOtCaMeLcAsE version of the same test"""
action_list = ["ecr:pUt*"]
self.maxDiff = None
expected_results = [
"ecr:PutImage",
"ecr:PutImageScanningConfiguration",
"ecr:PutImageTagMutability",
"ecr:PutLifecyclePolicy",
]
result = determine_actions_to_expand(action_list)
print(result)
self.maxDiff = None
results = determine_actions_to_expand(action_list)
for expected_result in expected_results:
self.assertTrue(expected_result in results)
def test_determine_actions_to_expand(self):
"""
test_determine_actions_to_expand: provide expanded list of actions, like ecr:*
:return:
"""
action_list = ["ecr:*"]
self.maxDiff = None
desired_result = [
"ecr:BatchCheckLayerAvailability", "ecr:BatchDeleteImage",
"ecr:BatchGetImage", "ecr:CompleteLayerUpload",
"ecr:CreateRepository", "ecr:DeleteLifecyclePolicy",
"ecr:DeleteRepository", "ecr:DeleteRepositoryPolicy",
"ecr:DescribeImageScanFindings", "ecr:DescribeImages",
"ecr:DescribeRepositories", "ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer", "ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview", "ecr:GetRepositoryPolicy",
"ecr:InitiateLayerUpload", "ecr:ListImages",
"ecr:ListTagsForResource", "ecr:PutImage",
"ecr:PutImageScanningConfiguration", "ecr:PutImageTagMutability",
"ecr:PutLifecyclePolicy", "ecr:SetRepositoryPolicy",
"ecr:StartImageScan", "ecr:StartLifecyclePolicyPreview",
"ecr:TagResource", "ecr:UntagResource", "ecr:UploadLayerPart"
]
# print(determine_actions_to_expand(action_list))
self.maxDiff = None
self.assertListEqual(
sorted(determine_actions_to_expand(action_list)),
sorted(desired_result),
)
def test_a_determine_actions_to_expand_not_upper_camelcase(self):
"""test_determine_actions_to_expand_not_upper_camelcase: The nOtCaMeLcAsE version of the same test"""
action_list = ["ecr:pUt*"]
self.maxDiff = None
desired_result = [
"ecr:PutImage",
"ecr:PutImageScanningConfiguration",
"ecr:PutImageTagMutability",
"ecr:PutLifecyclePolicy",
]
result = determine_actions_to_expand(action_list)
print(result)
self.maxDiff = None
self.assertListEqual(
sorted(determine_actions_to_expand(action_list)),
sorted(desired_result),
)
def expanded_actions(self):
"""Expands the full list of allowed actions from the Policy/"""
if self.actions:
expanded = determine_actions_to_expand(self.actions)
expanded.sort()
return expanded
elif self.not_action:
return self.not_action_effective_actions
else:
raise Exception( # pragma: no cover
"The Policy should include either NotAction or Action in the statement."
)
def _not_action_effective_actions(self) -> Optional[List[str]]:
"""If NotAction is used, calculate the allowed actions - i.e., what it would be """
effective_actions = []
if not self.not_action:
return None
not_actions_expanded_lowercase = [
a.lower() for a in determine_actions_to_expand(self.not_action)
]
# Effect: Allow && Resource != "*"
if not self.has_resource_wildcard and self.effect_allow:
opposite_actions = []
for arn in self.resources:
actions_specific_to_arn = get_actions_matching_arn(arn)
if actions_specific_to_arn:
opposite_actions.extend(actions_specific_to_arn)
for opposite_action in opposite_actions:
# If it's in NotActions, then it is not an action we want
if opposite_action.lower(
) not in not_actions_expanded_lowercase:
effective_actions.append(opposite_action)
effective_actions.sort()
return effective_actions
# Effect: Allow, Resource == "*", and Action == prefix:*
if self.has_resource_wildcard and self.effect_allow:
# Then we calculate the reverse using all_actions
# If it's in NotActions, then it is not an action we want
effective_actions = [
action for action in ALL_ACTIONS
if action.lower() not in not_actions_expanded_lowercase
]
effective_actions.sort()
return effective_actions
if self.has_resource_wildcard and self.effect_deny:
logger.debug(
"NOTE: Haven't decided if we support Effect Deny here?")
return effective_actions
if not self.has_resource_wildcard and self.effect_deny:
logger.debug(
"NOTE: Haven't decided if we support Effect Deny here?")
return effective_actions
# only including this so Pylint doesn't yell at us
return None # pragma: no cover
def _not_action_effective_actions(self):
"""If NotAction is used, calculate the allowed actions - i.e., what it would be """
effective_actions = []
if not self.not_action:
return None
not_actions_expanded = determine_actions_to_expand(self.not_action)
not_actions_expanded_lowercase = [
x.lower() for x in not_actions_expanded
]
# Effect: Allow && Resource != "*"
if self.has_resource_constraints and self.effect_allow:
opposite_actions = []
for arn in self.resources:
actions_specific_to_arn = get_actions_matching_arn(arn)
if actions_specific_to_arn:
opposite_actions.extend(get_actions_matching_arn(arn))
for opposite_action in opposite_actions:
# If it's in NotActions, then it is not an action we want
if opposite_action.lower() in not_actions_expanded_lowercase:
pass
# Otherwise add it
else:
effective_actions.append(opposite_action)
effective_actions.sort()
return effective_actions
# Effect: Allow, Resource != "*", and Action == prefix:*
elif not self.has_resource_constraints and self.effect_allow:
# Then we calculate the reverse using all_actions
for action in all_actions:
# If it's in NotActions, then it is not an action we want
if action.lower() in not_actions_expanded_lowercase:
pass
# Otherwise add it
else:
effective_actions.append(action)
effective_actions.sort()
return effective_actions
elif self.has_resource_constraints and self.effect_deny:
logger.debug(
"NOTE: Haven't decided if we support Effect Deny here?")
return None
elif not self.has_resource_constraints and self.effect_deny:
logger.debug(
"NOTE: Haven't decided if we support Effect Deny here?")
return None
# only including this so Pylint doesn't yell at us
else:
return None # pragma: no cover
POLICY_JSON_TO_EXPAND = {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"cloud9:*",
],
"Resource": "*"
}]
}
if __name__ == '__main__':
db_session = connect_db('bundled')
requested_actions = get_actions_from_policy(POLICY_JSON_TO_EXPAND)
expanded_actions = determine_actions_to_expand(db_session,
requested_actions)
print(json.dumps(expanded_actions, indent=4))
"""
Output:
[
"cloud9:createenvironmentec2",
"cloud9:createenvironmentmembership",
"cloud9:deleteenvironment",
"cloud9:deleteenvironmentmembership",
"cloud9:describeenvironmentmemberships",
"cloud9:describeenvironments",
"cloud9:describeenvironmentstatus",
"cloud9:getusersettings",
"cloud9:listenvironments",
"cloud9:updateenvironment",