def test_should_guess_only_specific_actions_and_fix_upper_lowercase(): input_policy = PolicyDocument(Version="2012-10-17", Statement=[ Statement(Effect="Allow", Action=[ Action( 'ec2', 'DetachVolume'), ], Resource=["*"]), ]) expected_output = PolicyDocument( Version="2012-10-17", Statement=[ Statement(Effect="Allow", Action=[ Action('ec2', 'DetachVolume'), ], Resource=["*"]), Statement(Effect="Allow", Action=[ Action('ec2', 'AttachVolume'), Action('ec2', 'DescribeVolumes'), ], Resource=["*"]), ]) runner = CliRunner() result = runner.invoke( cli.root_group, args=["guess", "--only", "Attach", "--only", "describe"], input=input_policy.to_json()) assert result.exit_code == 0 assert parse_policy_document(result.output) == expected_output
def test_should_group_by_action_and_resource_independent_of_order(): records = [ Record("rds.amazonaws.com", "ListTagsForResource", ["arn:aws:rds:eu-central-1:111111111111:db:some-db"]), Record("rds.amazonaws.com", "SomethingDifferent", ["arn:aws:rds:eu-central-1:111111111111:db:a-third-db"]), Record("rds.amazonaws.com", "ListTagsForResource", ["arn:aws:rds:eu-central-1:111111111111:db:some-other-db"]), ] expected = PolicyDocument( Version="2012-10-17", Statement=[ Statement( Effect="Allow", Action=[ Action("rds", "ListTagsForResource"), ], Resource=[ "arn:aws:rds:eu-central-1:111111111111:db:some-db", "arn:aws:rds:eu-central-1:111111111111:db:some-other-db", ]), Statement( Effect="Allow", Action=[ Action("rds", "SomethingDifferent"), ], Resource=[ "arn:aws:rds:eu-central-1:111111111111:db:a-third-db", ]), ]) actual = generate_policy(records) assert actual == expected
def test_should_guess_all_matching_statements(): input_policy = PolicyDocument( Version="2012-10-17", Statement=[ Statement(Effect="Allow", Action=[ Action('autoscaling', 'DescribeLaunchConfigurations'), ], Resource=["*"]), Statement(Effect="Allow", Action=[ Action('sts', 'AssumeRole'), ], Resource=["arn:aws:iam::111111111111:role/someRole"]) ]) expected_output = PolicyDocument( Version="2012-10-17", Statement=[ Statement(Effect="Allow", Action=[ Action('autoscaling', 'DescribeLaunchConfigurations'), ], Resource=["*"]), Statement(Effect="Allow", Action=[ Action('autoscaling', 'CreateLaunchConfiguration'), Action('autoscaling', 'DeleteLaunchConfiguration'), ], Resource=["*"]), Statement(Effect="Allow", Action=[ Action('sts', 'AssumeRole'), ], Resource=["arn:aws:iam::111111111111:role/someRole"]) ]) runner = CliRunner() result = runner.invoke(cli.root_group, args=["guess"], input=input_policy.to_json()) assert result.exit_code == 0 assert parse_policy_document(result.output) == expected_output
def test_json_parses_to_policy_document(): pd = PolicyDocument( Version="2012-10-17", Statement=[ Statement(Effect="Allow", Action=[ Action('autoscaling', 'DescribeLaunchConfigurations'), ], Resource=["*"]), Statement(Effect="Allow", Action=[ Action('sts', 'AssumeRole'), ], Resource=["arn:aws:iam::111111111111:role/someRole"]) ]) assert parse_policy_document(StringIO( pd.to_json())).to_json() == pd.to_json()
def test_policy_document_renders_to_json(): pd = PolicyDocument( Version="2012-10-17", Statement=[ Statement(Effect="Allow", Action=[ Action('autoscaling', 'DescribeLaunchConfigurations'), ], Resource=["*"]), Statement(Effect="Allow", Action=[ Action('sts', 'AssumeRole'), ], Resource=["arn:aws:iam::111111111111:role/someRole"]) ]) expected_json = '''\ { "Statement": [ { "Action": [ "autoscaling:DescribeLaunchConfigurations" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "sts:AssumeRole" ], "Effect": "Allow", "Resource": [ "arn:aws:iam::111111111111:role/someRole" ] } ], "Version": "2012-10-17" }''' assert json.loads(pd.to_json()) == json.loads(expected_json)
def generate_policy(selected_records): """Generates a policy from a set of records""" statements = pipe( selected_records, mapz(Record.to_statement), filterz(lambda statement: statement is not None), _combine_statements_by(lambda statement: statement.Resource), _combine_statements_by(lambda statement: statement.Action), sortedz()) return PolicyDocument( Version="2012-10-17", Statement=statements, )
def test_should_allow_events_that_dont_map_to_statement(): records = [ Record("autoscaling.amazonaws.com", "DescribeLaunchConfigurations"), Record("sts.amazonaws.com", "GetCallerIdentity") ] assert generate_policy(records) == PolicyDocument( Version="2012-10-17", Statement=[ Statement(Effect="Allow", Action=[ Action('autoscaling', 'DescribeLaunchConfigurations'), ], Resource=["*"]) ])
def test_should_remove_duplicate_actions(): records = [ Record("autoscaling.amazonaws.com", "DescribeLaunchConfigurations"), Record("autoscaling.amazonaws.com", "DescribeLaunchConfigurations"), ] assert generate_policy(records) == PolicyDocument( Version="2012-10-17", Statement=[ Statement(Effect="Allow", Action=[ Action('autoscaling', 'DescribeLaunchConfigurations'), ], Resource=["*"]) ])
def test_should_generate_simple_policy(): records = [ Record("autoscaling.amazonaws.com", "DescribeLaunchConfigurations"), Record("sts.amazonaws.com", "AssumeRole") ] assert generate_policy(records) == PolicyDocument( Version="2012-10-17", Statement=[ Statement(Effect="Allow", Action=[ Action('autoscaling', 'DescribeLaunchConfigurations'), Action('sts', 'AssumeRole'), ], Resource=["*"]) ])
def test_should_sort_actions_alphabetically(): records = [ Record("ec2.amazonaws.com", "DescribeSecurityGroups"), Record("rds.amazonaws.com", "ListTagsForResource"), Record("ec2.amazonaws.com", "DescribeInstances"), ] assert generate_policy(records) == PolicyDocument( Version="2012-10-17", Statement=[ Statement(Effect="Allow", Action=[ Action("ec2", "DescribeInstances"), Action("ec2", "DescribeSecurityGroups"), Action("rds", "ListTagsForResource"), ], Resource=["*"]) ])
def test_should_group_by_resources_and_combine_statements_with_same_actions_but_different_resources( ): records = [ Record("rds.amazonaws.com", "ListTagsForResource", ["arn:aws:rds:eu-central-1:111111111111:db:some-db"]), Record("rds.amazonaws.com", "ListTagsForResource", ["arn:aws:rds:eu-central-1:111111111111:db:some-other-db"]), ] assert generate_policy(records) == PolicyDocument( Version="2012-10-17", Statement=[ Statement( Effect="Allow", Action=[ Action("rds", "ListTagsForResource"), ], Resource=[ "arn:aws:rds:eu-central-1:111111111111:db:some-db", "arn:aws:rds:eu-central-1:111111111111:db:some-other-db", ]) ])
def test_should_group_by_resources(): records = [ Record("ec2.amazonaws.com", "DescribeSecurityGroups"), Record("rds.amazonaws.com", "ListTagsForResource", ["arn:aws:rds:eu-central-1:111111111111:db:some-db"]), Record("ec2.amazonaws.com", "DescribeInstances"), ] assert generate_policy(records) == PolicyDocument( Version="2012-10-17", Statement=[ Statement(Effect="Allow", Action=[ Action("ec2", "DescribeInstances"), Action("ec2", "DescribeSecurityGroups"), ], Resource=["*"]), Statement( Effect="Allow", Action=[ Action("rds", "ListTagsForResource"), ], Resource=["arn:aws:rds:eu-central-1:111111111111:db:some-db"]) ])
def guess_statements(policy, allowed_prefixes): """Guess additional create actions""" extended_statements = [item for statement in policy.Statement for item in _extend_statement(statement, allowed_prefixes)] return PolicyDocument(Version=policy.Version, Statement=extended_statements)