def test_print_policy_with_actions_having_dependencies(self):
    """Actions plus their dependent actions render as two statements.

    ``kms:creategrant`` keeps a key-scoped resource ARN, while the
    remaining actions land in a statement whose resource is ``*``.
    Which of them came in through ``get_dependent_actions`` depends on
    the ``actions_test_data_1`` fixture, which is defined elsewhere.
    """
    expected_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "KmsPermissionsmanagementKey",
                "Effect": "Allow",
                "Action": ["kms:creategrant"],
                "Resource": ["arn:aws:kms:${Region}:${Account}:key/${KeyId}"],
            },
            {
                "Sid": "MultMultNone",
                "Effect": "Allow",
                "Action": ["kms:createcustomkeystore", "cloudhsm:describeclusters"],
                "Resource": ["*"],
            },
        ],
    }
    # Expand the fixture with the database's dependent actions, then
    # group the result by ARN type.
    expanded_actions = get_dependent_actions(db_session, actions_test_data_1)
    group = ArnActionGroup()
    policy_elements = group.process_list_of_actions(expanded_actions, db_session)
    self.maxDiff = None  # show the whole dict diff on failure
    rendered_policy = print_policy(policy_elements, db_session)
    self.assertDictEqual(rendered_policy, expected_policy)
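def test_missing_access_levels(self):
    """
    test_missing_access_levels: write-policy --crud command when the YAML
    file is missing access levels.

    The config below carries only ``list``, ``tag`` and
    ``permissions-management`` blocks; ``process_resource_specific_acls``
    is expected to abort with SystemExit instead of emitting a partial
    policy.  Only that call sits inside ``assertRaises`` so that a
    SystemExit raised while constructing ``ArnActionGroup`` would fail
    the test rather than satisfy it.
    :return:
    """
    cfg_with_missing_access_levels = {
        "roles_with_crud_levels": [{
            "name": "RoleNameWithCRUD",
            "description": "Why I need these privs",
            "arn": "arn:aws:iam::559410426617:role/RiskyEC2",
            "list": [
                "arn:aws:s3:::example-org-flow-logs",
                "arn:aws:s3:::example-org-sbx-vmimport/stuff"
            ],
            "tag": ["arn:aws:ssm:us-east-1:123456789012:parameter/test"],
            "permissions-management": ["arn:aws:s3:::example-org-s3-access-logs"]
        }]
    }
    arn_action_group = ArnActionGroup()
    with self.assertRaises(SystemExit):
        arn_action_group.process_resource_specific_acls(
            cfg_with_missing_access_levels, db_session)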
def test_wildcard_when_not_necessary(self):
    """test_wildcard_when_not_necessary: Attempts bypass of CRUD mode wildcard-only.

    The ``wildcard`` list mixes three actions that genuinely support only
    ``*`` with ``secretsmanager:putsecretvalue``, which also accepts a
    secret ARN.  The expected policy keeps the first three under ``*`` and
    drops the fourth, so a caller cannot widen a resource-scoped action to
    ``*`` simply by listing it under ``wildcard``.
    """
    crud_config = {
        'roles_with_crud_levels': [{
            'name': 'RoleNameWithCRUD',
            'description': 'Why I need these privs',
            'arn': 'arn:aws:iam::123456789012:role/RiskyEC2',
            'permissions-management': ['arn:aws:s3:::example-org-s3-access-logs'],
            'wildcard': [
                # These three are wildcard-only; check with
                # `policy_sentry query action-table --service secretsmanager --wildcard-only`
                'ram:enablesharingwithawsorganization',
                'ram:getresourcepolicies',
                'secretsmanager:createsecret',
                # This one takes either a "secret" ARN or a wildcard.  Listing it
                # here is the bypass attempt the tool must refuse, while still
                # honouring explicit requests for truly wildcard-only actions.
                'secretsmanager:putsecretvalue'
            ]
        }]
    }
    group = ArnActionGroup()
    policy_elements = group.process_resource_specific_acls(crud_config, db_session)
    actual_policy = print_policy(policy_elements, db_session, None)
    print(json.dumps(actual_policy, indent=4))
    expected_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "MultMultNone",
                "Effect": "Allow",
                "Action": [
                    "ram:enablesharingwithawsorganization",
                    "ram:getresourcepolicies",
                    "secretsmanager:createsecret"
                ],
                "Resource": ["*"]
            },
            {
                "Sid": "S3PermissionsmanagementBucket",
                "Effect": "Allow",
                "Action": [
                    "s3:deletebucketpolicy",
                    "s3:putbucketacl",
                    "s3:putbucketpolicy",
                    "s3:putbucketpublicaccessblock"
                ],
                "Resource": ["arn:aws:s3:::example-org-s3-access-logs"]
            }
        ]
    }
    self.maxDiff = None  # full dict diff on failure
    self.assertDictEqual(actual_policy, expected_policy)
def write_policy_with_access_levels(cfg, db_session, minimize_statement=False):
    """
    Write an IAM policy from a config that maps access levels to ARNs
    (the CRUD mode input).

    :param cfg: parsed config dict, in whatever shape
        ``ArnActionGroup.process_resource_specific_acls`` expects
    :param db_session: database session handed through to the lookups
    :param minimize_statement: forwarded unchanged to ``print_policy``
    :return: whatever ``print_policy`` returns for the grouped elements
    """
    group = ArnActionGroup()
    policy_elements = group.process_resource_specific_acls(cfg, db_session)
    return print_policy(policy_elements, db_session, minimize_statement)
def write_policy_with_actions(cfg, db_session, minimize_statement=False):
    """
    Write an IAM policy from a config that lists actions per role.

    The requested actions are first expanded with their dependent actions
    via ``get_dependent_actions`` and then grouped by ARN type before being
    rendered.

    :param cfg: parsed config dict consumed by ``Roles.process_actions_config``
    :param db_session: database session handed through to the lookups
    :param minimize_statement: forwarded unchanged to ``print_policy``
    :return: whatever ``print_policy`` returns for the grouped elements
    """
    roles = Roles()
    roles.process_actions_config(cfg)
    # Position 3 of each role entry is read as that role's action list —
    # confirm against Roles.get_roles() if the tuple layout ever changes.
    requested_actions = [
        action for role in roles.get_roles() for action in role[3]
    ]
    expanded_actions = get_dependent_actions(db_session, requested_actions)
    group = ArnActionGroup()
    policy_elements = group.process_list_of_actions(expanded_actions, db_session)
    return print_policy(policy_elements, db_session, minimize_statement)
def test_write_policy(self):
    """End-to-end: one S3 bucket ARN at "Permissions management" renders as
    a single statement scoped to that bucket.

    The four actions expected are the bucket policy / ACL / public access
    block mutators the access level maps to.
    """
    group = ArnActionGroup()
    requested_arns = ["arn:aws:s3:::example-org-s3-access-logs"]
    level = "Permissions management"
    expected_policy = {
        'Version': '2012-10-17',
        'Statement': [
            {
                'Sid': 'S3PermissionsmanagementBucket',
                'Effect': 'Allow',
                'Action': [
                    's3:deletebucketpolicy',
                    's3:putbucketacl',
                    's3:putbucketpolicy',
                    's3:putbucketpublicaccessblock'
                ],
                'Resource': ['arn:aws:s3:::example-org-s3-access-logs']
            }
        ]
    }
    group.add(db_session, requested_arns, level)
    group.update_actions_for_raw_arn_format(db_session)
    policy_elements = group.get_policy_elements(db_session)
    rendered_policy = print_policy(policy_elements, db_session)
    self.assertEqual(rendered_policy, expected_policy)
def test_add_s3_permissions_management_arn(self):
    """``add`` records the ARN, its service, access level and raw ARN
    format, and leaves ``actions`` empty until a later expansion step."""
    group = ArnActionGroup()
    requested_arns = ["arn:aws:s3:::example-org-s3-access-logs"]
    level = "Permissions management"
    expected_entries = [{
        'arn': 'arn:aws:s3:::example-org-s3-access-logs',
        'service': 's3',
        'access_level': 'Permissions management',
        'arn_format': 'arn:aws:s3:::${BucketName}',
        'actions': []
    }]
    group.add(db_session, requested_arns, level)
    recorded_entries = group.get_arns()
    print(recorded_entries)
    self.assertEqual(recorded_entries, expected_entries)
def test_update_actions_for_raw_arn_format(self):
    """After ``update_actions_for_raw_arn_format`` the entry's ``actions``
    holds the S3 bucket-level "Permissions management" actions; every
    other field is unchanged from what ``add`` recorded."""
    group = ArnActionGroup()
    requested_arns = ["arn:aws:s3:::example-org-s3-access-logs"]
    level = "Permissions management"
    expected_entries = [{
        'arn': 'arn:aws:s3:::example-org-s3-access-logs',
        'service': 's3',
        'access_level': 'Permissions management',
        'arn_format': 'arn:aws:s3:::${BucketName}',
        'actions': [
            "s3:deletebucketpolicy",
            "s3:putbucketacl",
            "s3:putbucketpolicy",
            "s3:putbucketpublicaccessblock"
        ]
    }]
    group.add(db_session, requested_arns, level)
    group.update_actions_for_raw_arn_format(db_session)
    recorded_entries = group.get_arns()
    print(recorded_entries)
    self.assertEqual(recorded_entries, expected_entries)
def test_get_policy_elements(self):
    """``get_policy_elements`` keys each group by its statement id and
    carries the expanded action list plus the ARNs it applies to."""
    group = ArnActionGroup()
    requested_arns = ["arn:aws:s3:::example-org-s3-access-logs"]
    level = "Permissions management"
    expected_elements = {
        'S3PermissionsmanagementBucket': {
            'name': 'S3PermissionsmanagementBucket',
            'actions': [
                's3:deletebucketpolicy',
                's3:putbucketacl',
                's3:putbucketpolicy',
                's3:putbucketpublicaccessblock'
            ],
            'arns': ['arn:aws:s3:::example-org-s3-access-logs']
        }
    }
    group.add(db_session, requested_arns, level)
    group.update_actions_for_raw_arn_format(db_session)
    policy_elements = group.get_policy_elements(db_session)
    print(policy_elements)
    self.assertEqual(policy_elements, expected_elements)