def test_remove_actions_not_matching_access_level(self):
"""querying.actions.remove_actions_not_matching_access_level"""
actions_list = [
"ecr:batchgetimage", # read
"ecr:createrepository", # write
"ecr:describerepositories", # list
"ecr:tagresource", # tagging
"ecr:setrepositorypolicy", # permissions management
]
# print("Read ")
self.maxDiff = None
# Read
read_result = remove_actions_not_matching_access_level(
db_session, actions_list, "read")
self.assertListEqual(read_result, ["ecr:BatchGetImage"])
# Write
write_result = remove_actions_not_matching_access_level(
db_session, actions_list, "write")
self.assertListEqual(write_result, ["ecr:CreateRepository"])
# List
list_result = remove_actions_not_matching_access_level(
db_session, actions_list, "list")
self.assertListEqual(list_result, ["ecr:DescribeRepositories"])
# Tagging
tagging_result = remove_actions_not_matching_access_level(
db_session, actions_list, "tagging")
self.assertListEqual(tagging_result, ["ecr:TagResource"])
# Permissions management
permissions_result = remove_actions_not_matching_access_level(
db_session, actions_list, "permissions-management")
self.assertListEqual(permissions_result, ["ecr:SetRepositoryPolicy"])
def remove_read_level_actions(actions_list):
"""Given a set of actions, return that list of actions,
but only with actions at the 'Write', 'Tagging', or 'Permissions management' levels"""
write_actions = remove_actions_not_matching_access_level(actions_list, "Write")
permissions_management_actions = remove_actions_not_matching_access_level(
actions_list, "Permissions management"
)
tagging_actions = remove_actions_not_matching_access_level(actions_list, "Tagging")
modify_actions = tagging_actions + write_actions + permissions_management_actions
return modify_actions
def remove_read_level_actions(actions_list: List[str]) -> List[str]:
"""Given a set of actions, return that list of actions,
but only with actions at the 'Write', 'Tagging', or 'Permissions management' levels"""
modify_actions: List[str] = remove_actions_not_matching_access_level(
actions_list, "Write")
modify_actions.extend(
remove_actions_not_matching_access_level(actions_list,
"Permissions management"))
modify_actions.extend(
remove_actions_not_matching_access_level(actions_list, "Tagging"))
return modify_actions
def test_remove_actions_not_matching_access_level(self):
# TODO: This method normalized the access level unnecessarily. Make sure to change that in the final iteration
"""querying.actions.remove_actions_not_matching_access_level"""
actions_list = [
"ecr:batchgetimage", # read
"ecr:createrepository", # write
"ecr:describerepositories", # list
"ecr:tagresource", # tagging
"ecr:setrepositorypolicy", # permissions management
]
self.maxDiff = None
# Read
result = remove_actions_not_matching_access_level(
actions_list, "Read"
)
self.assertListEqual(result, ["ecr:BatchGetImage"])
# Write
result = remove_actions_not_matching_access_level(
actions_list, "Write"
)
self.assertListEqual(result, ["ecr:CreateRepository"])
# List
result = remove_actions_not_matching_access_level(
actions_list, "List"
)
self.assertListEqual(result, ["ecr:DescribeRepositories"])
# Tagging
result = remove_actions_not_matching_access_level(
actions_list, "Tagging"
)
self.assertListEqual(result, ["ecr:TagResource"])
# Permissions management
result = remove_actions_not_matching_access_level(
actions_list, "Permissions management"
)
self.assertListEqual(result, ["ecr:SetRepositoryPolicy"])
bad_actions_list = [
"codecommit:CreatePullRequest",
"codecommit:CreatePullRequestApprovalRule",
"codecommit:CreateRepository",
"codecommit:CreateUnreferencedMergeCommit",
"codecommit:DeleteBranch",
"codecommit:DeleteFile",
]
def tagging_actions_without_constraints(self) -> List[str]:
"""Where applicable, returns a list of 'Tagging' level IAM actions in the statement that
do not have resource constraints"""
result = []
if not self.has_resource_constraints:
result = remove_actions_not_matching_access_level(
self.restrictable_actions, "Tagging")
return result
def write_actions_without_constraints(self):
"""Where applicable, returns a list of 'Write' level IAM actions in the statement that
do not have resource constraints"""
result = []
if not self.has_resource_constraints:
result = remove_actions_not_matching_access_level(
self.expanded_actions, "Write")
return result
def permissions_management_actions_without_constraints(self):
"""Where applicable, returns a list of 'Permissions management' IAM actions in the statement that
do not have resource constraints"""
result = []
if not self.has_resource_constraints:
result = remove_actions_not_matching_access_level(
self.expanded_actions, "Permissions management")
return result
def write_actions_without_constraints(self) -> List[str]:
"""Where applicable, returns a list of 'Write' level IAM actions in the statement that
do not have resource constraints"""
result = []
if (not self.has_resource_constraints
# Fix Issue #254 - Allow flagging risky actions even when there are resource constraints
or self.flag_resource_arn_statements):
result = remove_actions_not_matching_access_level(
self.restrictable_actions, "Write")
result.sort()
return result
def analyze_statement_by_access_level(statement_json, access_level):
"""
Determine if a statement has any actions with a given access level.
:param statement_json: a dictionary representing a statement from an AWS JSON policy
:param access_level: The access level - either 'Read', 'List', 'Write', 'Tagging', or 'Permissions management'
"""
requested_actions = get_actions_from_statement(statement_json)
expanded_actions = determine_actions_to_expand(requested_actions)
actions_by_level = remove_actions_not_matching_access_level(
expanded_actions, access_level
)
return actions_by_level
def analyze_by_access_level(db_session, policy_json, access_level):
"""
Determine if a policy has any actions with a given access level. This is particularly useful when determining who
has 'Permissions management' level access
:param db_session: SQLAlchemy database session
:param policy_json: a dictionary representing the AWS JSON policy
:param access_level: The normalized access level - either 'read', 'list', 'write', 'tagging', or 'permissions-management'
"""
requested_actions = get_actions_from_policy(policy_json)
expanded_actions = determine_actions_to_expand(db_session,
requested_actions)
actions_by_level = remove_actions_not_matching_access_level(
db_session, expanded_actions, access_level)
return actions_by_level
def analyze_statement_by_access_level(db_session, statement_json,
access_level):
"""
Determine if a statement has any actions with a given access level.
:param db_session: SQLAlchemy database session
:param statement_json: a dictionary representing a statement from an AWS JSON policy
:param access_level: The normalized access level - either 'read', 'list', 'write', 'tagging', or 'permissions-management'
"""
requested_actions = get_actions_from_statement(statement_json)
expanded_actions = determine_actions_to_expand(db_session,
requested_actions)
actions_by_level = remove_actions_not_matching_access_level(
db_session, expanded_actions, access_level)
return actions_by_level
def test_remove_actions_not_matching_access_level(self):
"""test_remove_actions_not_matching_access_level: Verify remove_actions_not_matching_access_level is working as expected"""
actions_list = [
"ecr:BatchGetImage", # Read
"ecr:CreateRepository", # Write
"ecr:DescribeRepositories", # List
"ecr:TagResource", # Tagging
"ecr:SetRepositoryPolicy", # Permissions management
]
print("Read")
self.maxDiff = None
# Read
self.assertListEqual(
remove_actions_not_matching_access_level(db_session, actions_list,
"read"),
["ecr:batchgetimage"])
# Write
self.assertListEqual(
remove_actions_not_matching_access_level(db_session, actions_list,
"write"),
["ecr:createrepository"])
# List
self.assertListEqual(
remove_actions_not_matching_access_level(db_session, actions_list,
"list"),
["ecr:describerepositories"])
# Tagging
self.assertListEqual(
remove_actions_not_matching_access_level(db_session, actions_list,
"tagging"),
["ecr:tagresource"])
# Permissions management
self.assertListEqual(
remove_actions_not_matching_access_level(db_session, actions_list,
"permissions-management"),
["ecr:setrepositorypolicy"])
def analyze_by_access_level(policy_json, access_level):
"""
Determine if a policy has any actions with a given access level. This is particularly useful when determining who
has 'Permissions management' level access
Arguments:
policy_json: a dictionary representing the AWS JSON policy
access_level: The normalized access level - either 'read', 'list', 'write', 'tagging', or 'permissions-management'
Return:
List: A list of actions
"""
expanded_policy = get_expanded_policy(policy_json)
requested_actions = get_actions_from_policy(expanded_policy)
# expanded_actions = determine_actions_to_expand(requested_actions)
actions_by_level = remove_actions_not_matching_access_level(
requested_actions, access_level)
return actions_by_level
