def test_get_actions_at_access_level_that_support_wildcard_arns_only(self):
"""test_get_actions_at_access_level_that_support_wildcard_arns_only: Test function that gets a list of
wildcard-only actions in a service under different access levels"""
permissions_output = get_actions_at_access_level_that_support_wildcard_arns_only(
db_session, "s3", "Permissions management")
list_output = get_actions_at_access_level_that_support_wildcard_arns_only(
db_session, "s3", "List")
read_output = get_actions_at_access_level_that_support_wildcard_arns_only(
db_session, "s3", "Read")
self.assertListEqual(permissions_output,
['s3:putaccountpublicaccessblock'])
self.assertListEqual(list_output, ['s3:listallmybuckets'])
self.assertListEqual(read_output, [
's3:getaccesspoint', 's3:getaccountpublicaccessblock',
's3:listaccesspoints'
])
def test_get_actions_at_access_level_that_support_wildcard_arns_only(self):
"""querying.actions.get_actions_at_access_level_that_support_wildcard_arns_only"""
read_output = get_actions_at_access_level_that_support_wildcard_arns_only(
"secretsmanager", "Read")
list_output = get_actions_at_access_level_that_support_wildcard_arns_only(
"secretsmanager", "List")
write_output = get_actions_at_access_level_that_support_wildcard_arns_only(
"secretsmanager", "Write")
tagging_output = get_actions_at_access_level_that_support_wildcard_arns_only(
"secretsmanager", "Tagging")
permissions_output = get_actions_at_access_level_that_support_wildcard_arns_only(
"s3", "Permissions management")
# print(json.dumps(read_output, indent=4))
# print(json.dumps(list_output, indent=4))
# print(json.dumps(write_output, indent=4))
# print(json.dumps(tagging_output, indent=4))
# print(json.dumps(permissions_output, indent=4))
self.assertListEqual(read_output, ['secretsmanager:GetRandomPassword'])
self.assertListEqual(list_output, ['secretsmanager:ListSecrets'])
self.assertListEqual(write_output, [])
self.assertListEqual(tagging_output, [])
self.assertListEqual(permissions_output,
["s3:PutAccountPublicAccessBlock"])
all_permissions_output = get_actions_at_access_level_that_support_wildcard_arns_only(
"all", "Permissions management")
all_write_output = get_actions_at_access_level_that_support_wildcard_arns_only(
"all", "Write")
print(len(all_permissions_output) + len(all_write_output))
def test_get_actions_at_access_level_that_support_wildcard_arns_only(self):
"""querying.actions.get_actions_at_access_level_that_support_wildcard_arns_only"""
permissions_output = get_actions_at_access_level_that_support_wildcard_arns_only(
db_session, "s3", "Permissions management")
list_output = get_actions_at_access_level_that_support_wildcard_arns_only(
db_session, "s3", "List")
read_output = get_actions_at_access_level_that_support_wildcard_arns_only(
db_session, "s3", "Read")
self.assertListEqual(permissions_output,
["s3:PutAccountPublicAccessBlock"])
self.assertListEqual(list_output, ["s3:ListAllMyBuckets"])
self.assertListEqual(
read_output,
[
"s3:GetAccessPoint",
"s3:GetAccountPublicAccessBlock",
"s3:ListAccessPoints",
],
)
def test_get_actions_at_access_level_that_support_wildcard_arns_only(self):
"""querying.actions.get_actions_at_access_level_that_support_wildcard_arns_only"""
permissions_output = get_actions_at_access_level_that_support_wildcard_arns_only(
db_session, "s3", "Permissions management"
)
list_output = get_actions_at_access_level_that_support_wildcard_arns_only(
db_session, "s3", "List"
)
read_output = get_actions_at_access_level_that_support_wildcard_arns_only(
db_session, "s3", "Read"
)
self.assertListEqual(permissions_output, ["s3:putaccountpublicaccessblock"])
self.assertListEqual(list_output, ["s3:listallmybuckets"])
self.assertListEqual(
read_output,
[
"s3:getaccesspoint",
"s3:getaccountpublicaccessblock",
"s3:listaccesspoints",
],
)
def add_wildcard_only_actions_matching_services_and_access_level(
self, services, access_level):
"""
Arguments:
services: A list of AWS services
access_level: An access level as it is written in the database, such as 'Read', 'Write', 'List', 'Permissions management', or 'Tagging'
"""
wildcard_only_actions_to_add = []
for service in services:
actions = get_actions_at_access_level_that_support_wildcard_arns_only(
service, access_level)
wildcard_only_actions_to_add.extend(actions)
self.add_wildcard_only_actions(wildcard_only_actions_to_add)
def get_wildcard_only_actions_matching_services_and_access_level(
services, access_level):
"""
Get a list of wildcard-only actions matching the services and access level
Arguments:
services: A list of AWS services
access_level: An access level as it is written in the database, such as 'Read', 'Write', 'List', 'Permissions management', or 'Tagging'
Returns:
List: A list of wildcard-only actions matching the services and access level
"""
wildcard_only_actions_to_add = []
for service in services:
actions = get_actions_at_access_level_that_support_wildcard_arns_only(
service, access_level)
wildcard_only_actions_to_add.extend(actions)
return wildcard_only_actions_to_add
def action_table(name, service, access_level, condition, wildcard_only, fmt):
"""Query the Action Table from the Policy Sentry database"""
db_session = connect_db(DATABASE_FILE_PATH)
# Actions on all services
if service == "all":
all_services = get_all_service_prefixes(db_session)
if access_level:
level = transform_access_level_text(access_level)
print(f"{access_level} actions across ALL services:\n")
results = []
for serv in all_services:
output = get_actions_with_access_level(db_session, serv, level)
results.extend(output)
print(yaml.dump(results)) if fmt == "yaml" else [
print(result) for result in results
]
# Get a list of all services in the database
else:
print("All services in the database:\n")
print(yaml.dump(all_services)) if fmt == "yaml" else [
print(item) for item in all_services
]
elif name is None and access_level and not wildcard_only:
print(
f"All IAM actions under the {service} service that have the access level {access_level}:"
)
level = transform_access_level_text(access_level)
output = get_actions_with_access_level(db_session, service, level)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
elif name is None and access_level and wildcard_only:
print(
f"{service} {access_level.upper()} actions that must use wildcards in the resources block:"
)
output = get_actions_at_access_level_that_support_wildcard_arns_only(
db_session, service, access_level)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
# Get a list of all IAM actions under the service that support the specified condition key.
elif condition:
print(
f"IAM actions under {service} service that support the {condition} condition only:"
)
output = get_actions_matching_condition_key(db_session, service,
condition)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
# Get a list of IAM Actions under the service that only support resources = "*"
# (i.e., you cannot restrict it according to ARN)
elif wildcard_only:
print(
f"IAM actions under {service} service that support wildcard resource values only:"
)
output = get_actions_that_support_wildcard_arns_only(
db_session, service)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
elif name and access_level is None:
output = get_action_data(db_session, service, name)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
else:
# Get a list of all IAM Actions available to the service
action_list = get_actions_for_service(db_session, service)
print(f"ALL {service} actions:")
print(yaml.dump(action_list)) if fmt == "yaml" else [
print(item) for item in action_list
]
def query_action_table(name,
service,
access_level,
condition,
wildcard_only,
fmt="json"):
"""Query the Action Table from the Policy Sentry database. Use this one when leveraging Policy Sentry as a library."""
# Actions on all services
if service == "all":
all_services = get_all_service_prefixes()
if access_level:
level = transform_access_level_text(access_level)
print(f"{access_level} actions across ALL services:\n")
output = []
for serv in all_services:
result = get_actions_with_access_level(serv, level)
output.extend(result)
print(yaml.dump(output)) if fmt == "yaml" else [
print(result) for result in output
]
# Get a list of all services in the database
else:
print("All services in the database:\n")
output = all_services
print(yaml.dump(output)) if fmt == "yaml" else [
print(item) for item in output
]
elif name is None and access_level and not wildcard_only:
print(
f"All IAM actions under the {service} service that have the access level {access_level}:"
)
level = transform_access_level_text(access_level)
output = get_actions_with_access_level(service, level)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
elif name is None and access_level and wildcard_only:
print(
f"{service} {access_level.upper()} actions that must use wildcards in the resources block:"
)
access_level = transform_access_level_text(access_level)
output = get_actions_at_access_level_that_support_wildcard_arns_only(
service, access_level)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
# Get a list of all IAM actions under the service that support the specified condition key.
elif condition:
print(
f"IAM actions under {service} service that support the {condition} condition only:"
)
output = get_actions_matching_condition_key(service, condition)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
# Get a list of IAM Actions under the service that only support resources = "*"
# (i.e., you cannot restrict it according to ARN)
elif wildcard_only:
print(
f"IAM actions under {service} service that support wildcard resource values only:"
)
output = get_actions_that_support_wildcard_arns_only(service)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
elif name and access_level is None:
output = get_action_data(service, name)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
else:
# Get a list of all IAM Actions available to the service
output = get_actions_for_service(service)
print(f"ALL {service} actions:")
print(yaml.dump(output)) if fmt == "yaml" else [
print(item) for item in output
]
return output
def query_action_table(name,
service,
access_level,
condition,
wildcard_only,
fmt="json"):
"""Query the Action Table from the Policy Sentry database.
Use this one when leveraging Policy Sentry as a library."""
if os.path.exists(LOCAL_DATASTORE_FILE_PATH):
logger.info(
f"Using the Local IAM definition: {LOCAL_DATASTORE_FILE_PATH}. To leverage the bundled definition instead, remove the folder $HOME/.policy_sentry/"
)
else:
# Otherwise, leverage the datastore inside the python package
logger.debug("Leveraging the bundled IAM Definition.")
# Actions on all services
if service == "all":
all_services = get_all_service_prefixes()
if access_level:
level = transform_access_level_text(access_level)
print(f"{access_level} actions across ALL services:\n")
output = []
for serv in all_services:
result = get_actions_with_access_level(serv, level)
output.extend(result)
print(yaml.dump(output)) if fmt == "yaml" else [
print(result) for result in output
]
# Get a list of all services in the database
else:
print("All services in the database:\n")
output = all_services
print(yaml.dump(output)) if fmt == "yaml" else [
print(item) for item in output
]
elif name is None and access_level and not wildcard_only:
print(
f"All IAM actions under the {service} service that have the access level {access_level}:"
)
level = transform_access_level_text(access_level)
output = get_actions_with_access_level(service, level)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
elif name is None and access_level and wildcard_only:
print(
f"{service} {access_level.upper()} actions that must use wildcards in the resources block:"
)
access_level = transform_access_level_text(access_level)
output = get_actions_at_access_level_that_support_wildcard_arns_only(
service, access_level)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
# Get a list of all IAM actions under the service that support the specified condition key.
elif condition:
print(
f"IAM actions under {service} service that support the {condition} condition only:"
)
output = get_actions_matching_condition_key(service, condition)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
# Get a list of IAM Actions under the service that only support resources = "*"
# (i.e., you cannot restrict it according to ARN)
elif wildcard_only:
print(
f"IAM actions under {service} service that support wildcard resource values only:"
)
output = get_actions_that_support_wildcard_arns_only(service)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
elif name and access_level is None:
output = get_action_data(service, name)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
else:
# Get a list of all IAM Actions available to the service
output = get_actions_for_service(service)
print(f"ALL {service} actions:")
print(yaml.dump(output)) if fmt == "yaml" else [
print(item) for item in output
]
return output
