def test_get_actions_matching_condition_key(self):
"""querying.actions.get_actions_matching_condition_key"""
desired_results = ['ses:SendEmail']
results = get_actions_matching_condition_key("ses",
"ses:FeedbackAddress")
# print(output)
self.maxDiff = None
print(results)
self.assertListEqual(results, desired_results)
def action_table(name, service, access_level, condition, wildcard_only):
"""Query the Action Table from the Policy Sentry database"""
db_session = connect_db(DATABASE_FILE_PATH)
# Actions on all services
if service == "all":
all_services = get_all_service_prefixes(db_session)
if access_level:
level = transform_access_level_text(access_level)
print(f"{access_level} actions across ALL services:\n")
results = []
for serv in all_services:
output = get_actions_with_access_level(db_session, serv, level)
results.extend(output)
for result in results:
print(result)
# Get a list of all services in the database
else:
print("All services in the database:\n")
for item in all_services:
print(item)
elif name is None and access_level:
print(
f"All IAM actions under the {service} service that have the access level {access_level}:"
)
level = transform_access_level_text(access_level)
output = get_actions_with_access_level(db_session, service, level)
print(json.dumps(output, indent=4))
# Get a list of all IAM actions under the service that support the
# specified condition key.
elif condition:
print(
f"IAM actions under {service} service that support the {condition} condition only:"
)
output = get_actions_matching_condition_key(db_session, service,
condition)
print(json.dumps(output, indent=4))
# Get a list of IAM Actions under the service that only support resources = "*"
# (i.e., you cannot restrict it according to ARN)
elif wildcard_only:
print(
f"IAM actions under {service} service that support wildcard resource values only:"
)
output = get_actions_that_support_wildcard_arns_only(
db_session, service)
print(json.dumps(output, indent=4))
elif name and access_level is None:
output = get_action_data(db_session, service, name)
print(json.dumps(output, indent=4))
else:
print(f"All IAM actions available to {service}:")
# Get a list of all IAM Actions available to the service
action_list = get_actions_for_service(db_session, service)
print(f"ALL {service} actions:")
for item in action_list:
print(item)
def test_get_actions_matching_condition_key(self):
"""querying.actions.get_actions_matching_condition_key"""
results = get_actions_matching_condition_key("ses",
"ses:FeedbackAddress")
desired_results = [
'ses:SendBulkTemplatedEmail', 'ses:SendCustomVerificationEmail',
'ses:SendEmail', 'ses:SendRawEmail', 'ses:SendTemplatedEmail'
]
# print(output)
self.maxDiff = None
print(results)
self.assertListEqual(results, desired_results)
def test_get_actions_matching_condition_key(self):
"""test_get_actions_matching_condition_key: Tests a function that gathers all instances in
the action tables where the condition key exists."""
desired_output = [
'ses:sendemail', 'ses:sendbulktemplatedemail',
'ses:sendcustomverificationemail', 'ses:sendemail',
'ses:sendrawemail', 'ses:sendtemplatedemail'
]
output = get_actions_matching_condition_key(db_session, "ses",
"ses:FeedbackAddress")
print(output)
self.maxDiff = None
self.assertListEqual(desired_output, output)
def test_get_actions_matching_condition_key(self):
"""querying.actions.get_actions_matching_condition_key"""
desired_output = [
'ses:SendEmail', 'ses:SendBulkTemplatedEmail',
'ses:SendCustomVerificationEmail', 'ses:SendEmail',
'ses:SendRawEmail', 'ses:SendTemplatedEmail'
]
output = get_actions_matching_condition_key(db_session, "ses",
"ses:FeedbackAddress")
# print(output)
self.maxDiff = None
print(output)
self.assertListEqual(desired_output, output)
def test_get_actions_matching_condition_key(self):
"""querying.actions.get_actions_matching_condition_key"""
desired_output = [
"ses:sendemail",
"ses:sendbulktemplatedemail",
"ses:sendcustomverificationemail",
"ses:sendemail",
"ses:sendrawemail",
"ses:sendtemplatedemail",
]
output = get_actions_matching_condition_key(
db_session, "ses", "ses:FeedbackAddress"
)
# print(output)
self.maxDiff = None
self.assertListEqual(desired_output, output)
def test_get_actions_matching_condition_key(self):
"""querying.actions.get_actions_matching_condition_key"""
results = get_actions_matching_condition_key(
"ses", "ses:FeedbackAddress"
)
expected_results = [
# 'ses:SendBulkTemplatedEmail',
# 'ses:SendCustomVerificationEmail',
'ses:SendEmail',
# 'ses:SendRawEmail',
# 'ses:SendTemplatedEmail'
]
# print(output)
self.maxDiff = None
print(results)
for expected_result in expected_results:
self.assertTrue(expected_result in results)
def query_action_table(name,
service,
access_level,
condition,
resource_type,
fmt="json"):
"""Query the Action Table from the Policy Sentry database.
Use this one when leveraging Policy Sentry as a library."""
if os.path.exists(LOCAL_DATASTORE_FILE_PATH):
logger.info(
f"Using the Local IAM definition: {LOCAL_DATASTORE_FILE_PATH}. To leverage the bundled definition instead, remove the folder $HOME/.policy_sentry/"
)
else:
# Otherwise, leverage the datastore inside the python package
logger.debug("Leveraging the bundled IAM Definition.")
# Actions on all services
if service == "all":
all_services = get_all_service_prefixes()
if access_level:
level = transform_access_level_text(access_level)
print(f"{access_level} actions across ALL services:\n")
output = []
for serv in all_services:
result = get_actions_with_access_level(serv, level)
output.extend(result)
print(yaml.dump(output)) if fmt == "yaml" else [
print(result) for result in output
]
# Get a list of all services in the database
else:
print("All services in the database:\n")
output = all_services
print(yaml.dump(output)) if fmt == "yaml" else [
print(item) for item in output
]
elif name is None and access_level and not resource_type:
print(
f"All IAM actions under the {service} service that have the access level {access_level}:"
)
level = transform_access_level_text(access_level)
output = get_actions_with_access_level(service, level)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
elif name is None and access_level and resource_type:
print(
f"{service} {access_level.upper()} actions that have the resource type {resource_type.upper()}:"
)
access_level = transform_access_level_text(access_level)
output = get_actions_with_arn_type_and_access_level(
service, resource_type, access_level)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
# Get a list of all IAM actions under the service that support the specified condition key.
elif condition:
print(
f"IAM actions under {service} service that support the {condition} condition only:"
)
output = get_actions_matching_condition_key(service, condition)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
# Get a list of IAM Actions under the service that only support resources = "*"
# (i.e., you cannot restrict it according to ARN)
elif resource_type:
print(
f"IAM actions under {service} service that have the resource type {resource_type}:"
)
output = get_actions_matching_arn_type(service, resource_type)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
elif name and access_level is None:
output = get_action_data(service, name)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
else:
# Get a list of all IAM Actions available to the service
output = get_actions_for_service(service)
print(f"ALL {service} actions:")
print(yaml.dump(output)) if fmt == "yaml" else [
print(item) for item in output
]
return output
#!/usr/bin/env python
from policy_sentry.shared.database import connect_db
from policy_sentry.querying.actions import get_actions_matching_condition_key
import json
if __name__ == '__main__':
db_session = connect_db('bundled')
output = get_actions_matching_condition_key(db_session, "ses",
"ses:FeedbackAddress")
print(json.dumps(output, indent=4))
"""
Output:
[
'ses:sendemail',
'ses:sendbulktemplatedemail',
'ses:sendcustomverificationemail',
'ses:sendemail',
'ses:sendrawemail',
'ses:sendtemplatedemail'
]
"""
def query_action_table(name,
service,
access_level,
condition,
wildcard_only,
fmt="json"):
"""Query the Action Table from the Policy Sentry database. Use this one when leveraging Policy Sentry as a library."""
# Actions on all services
if service == "all":
all_services = get_all_service_prefixes()
if access_level:
level = transform_access_level_text(access_level)
print(f"{access_level} actions across ALL services:\n")
output = []
for serv in all_services:
result = get_actions_with_access_level(serv, level)
output.extend(result)
print(yaml.dump(output)) if fmt == "yaml" else [
print(result) for result in output
]
# Get a list of all services in the database
else:
print("All services in the database:\n")
output = all_services
print(yaml.dump(output)) if fmt == "yaml" else [
print(item) for item in output
]
elif name is None and access_level and not wildcard_only:
print(
f"All IAM actions under the {service} service that have the access level {access_level}:"
)
level = transform_access_level_text(access_level)
output = get_actions_with_access_level(service, level)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
elif name is None and access_level and wildcard_only:
print(
f"{service} {access_level.upper()} actions that must use wildcards in the resources block:"
)
access_level = transform_access_level_text(access_level)
output = get_actions_at_access_level_that_support_wildcard_arns_only(
service, access_level)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
# Get a list of all IAM actions under the service that support the specified condition key.
elif condition:
print(
f"IAM actions under {service} service that support the {condition} condition only:"
)
output = get_actions_matching_condition_key(service, condition)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
# Get a list of IAM Actions under the service that only support resources = "*"
# (i.e., you cannot restrict it according to ARN)
elif wildcard_only:
print(
f"IAM actions under {service} service that support wildcard resource values only:"
)
output = get_actions_that_support_wildcard_arns_only(service)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
elif name and access_level is None:
output = get_action_data(service, name)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
else:
# Get a list of all IAM Actions available to the service
output = get_actions_for_service(service)
print(f"ALL {service} actions:")
print(yaml.dump(output)) if fmt == "yaml" else [
print(item) for item in output
]
return output
