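    def test_empty_strings_in_access_level_categories(self):
        """
        test_empty_strings_in_access_level_categories: If the content of an access
        level list is an empty string, write_policy_with_access_levels should
        sys.exit instead of producing a policy.
        (The original docstring named a different test; fixed to match.)
        :return:
        """
        crud_file_input = {
            "policy_with_crud_levels": [
                {
                    "name": "RoleNameWithCRUD",
                    "description": "Why I need these privs",
                    "role_arn": "arn:aws:iam::123456789012:role/RiskyEC2",
                    "read": [
                        "arn:aws:ssm:us-east-1:123456789012:parameter/test",
                    ],
                    "write": [
                        "arn:aws:ssm:us-east-1:123456789012:parameter/test",
                    ],
                    "list": [
                        "arn:aws:ssm:us-east-1:123456789012:parameter/test",
                    ],
                    # The empty-string entries below are the condition under test.
                    "tagging": [
                        ""
                    ],
                    "permissions-management": [
                        ""
                    ]
                }
            ]
        }
        # Only the call belongs inside the context manager: anything after a
        # raising call never runs, so the original `result`/print were dead code.
        with self.assertRaises(SystemExit):
            write_policy_with_access_levels(db_session, crud_file_input)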
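    def test_allow_missing_access_level_categories_in_cfg(self):
        """
        test_allow_missing_access_level_categories_in_cfg: write-policy --crud when the YAML file
        is missing access level categories (only read/write/list are present here).
        It should write a policy regardless.
        :return:
        """

        crud_file_input = {
            "policy_with_crud_levels": [
                {
                    "name": "RoleNameWithCRUD",
                    "description": "Why I need these privs",
                    "role_arn": "arn:aws:iam::123456789012:role/RiskyEC2",
                    "read": [
                        "arn:aws:ssm:us-east-1:123456789012:parameter/test",
                    ],
                    "write": [
                        "arn:aws:ssm:us-east-1:123456789012:parameter/test",
                    ],
                    "list": [
                        "arn:aws:ssm:us-east-1:123456789012:parameter/test",
                    ],
                }
            ]
        }
        self.maxDiff = None

        result = write_policy_with_access_levels(db_session, crud_file_input)
        print(json.dumps(result, indent=4))
        # The original only printed the result, so a regression that returned
        # None or a malformed document would still pass. Pin the IAM policy
        # document shape (a dict carrying a "Statement" list).
        self.assertIsInstance(result, dict)
        self.assertIn("Statement", result)
        self.assertIsInstance(result["Statement"], list)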
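 def test_write_crud_policy_with_library_only(self):
     """test_write_crud_policy_with_library_only: Write a CRUD mode policy without using the command line at all (library only).
     (The original docstring said "actions mode"; this test fills a CRUD template.)
     """
     db_session = connect_db('bundled')
     crud_template = get_crud_template_dict()
     # Actions listed under 'wildcard' are emitted with Resource "*" in the
     # expected output (see desired_crud_policy).
     wildcard_actions_to_add = [
         "kms:createcustomkeystore", "cloudhsm:describeclusters"
     ]
     # Alias the single policy entry so every mutation below targets the same dict.
     entry = crud_template['policy_with_crud_levels'][0]
     entry['name'] = "MyPolicy"
     entry['description'] = "Description"
     entry['role_arn'] = "somearn"
     entry['read'].append(
         "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret")
     entry['write'].append(
         "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret")
     entry['list'].append("arn:aws:s3:::example-org-sbx-vmimport/stuff")
     entry['permissions-management'].append(
         "arn:aws:kms:us-east-1:123456789012:key/123456")
     entry['wildcard'].extend(wildcard_actions_to_add)
     entry['tagging'].append(
         "arn:aws:ssm:us-east-1:123456789012:parameter/test")
     # Third positional argument is the minimize setting (None here), so the
     # produced document is compared unminimized against the fixture.
     policy = write_policy_with_access_levels(db_session, crud_template, None)
     self.assertDictEqual(desired_crud_policy, policy)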
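def write_policy_dir(input_dir, output_dir, crud, minimize):
    """
    write_policy, but this time with an input directory of YML/YAML files, and an output directory for all the JSON files

    :param input_dir: directory holding one policy config per ``*.yml`` / ``*.yaml`` file. The
        file's base name with the extension stripped becomes the output policy's file name.
    :param output_dir: directory the ``<name>.json`` policies are written to; an existing file
        of the same name is removed and rewritten.
    :param crud: truthy when each config lists resource ARNs per access level (CRUD mode),
        falsy when it lists IAM actions.
    :param minimize: passed through to the policy writer; when falsy a warning is printed.
    :return: None
    :raises SystemExit: with status 1 when either directory fails ``check_valid_file_path``.
    """
    # The IAM database lives under the user's home directory.
    database_path = os.path.join(str(Path.home()), '.policy_sentry', 'aws.sqlite3')
    db_session = connect_db(database_path)
    input_dir = os.path.abspath(input_dir)
    output_dir = os.path.abspath(output_dir)

    if not crud:
        print(
            "Warning: If you are using ARNs from Terraform to generate your policies, "
            "try using the CRUD functionality instead of the default actions-based policy writing functionality."
        )

    if not minimize:
        print(
            "Warning: --minimize option is not set. If the policy is too large, "
            "it can hit the AWS IAM Policy character limit. "
            "We'll execute as-is, but try using `--minimize 0` functionality "
            "for production to optimize policy size.\n")

    # An invalid directory is an error: exit non-zero so scripts and CI notice.
    # (The original called sys.exit() with no code, i.e. exit status 0.)
    if not check_valid_file_path(input_dir):
        print("Input directory is invalid")
        sys.exit(1)
    if not check_valid_file_path(output_dir):
        print("Output directory is invalid")
        sys.exit(1)

    # Both extension spellings, as the docstring promises; sorted so the
    # processing (and output) order is deterministic across platforms.
    input_files = sorted(
        glob.glob(os.path.join(input_dir, '*.yml')) +
        glob.glob(os.path.join(input_dir, '*.yaml'))
    )
    if not input_files:
        print(
            "Directory is empty or does not have files with *.yml or *.yaml extension. "
            "Please check the folder contents and/or extension spelling.")
        return

    print("Writing the policy JSON files from " + input_dir + " to " +
          output_dir + "...\n")
    for yaml_file in input_files:
        # The policy name is the input file's base name without its extension.
        base_name = os.path.basename(yaml_file)
        base_name_no_extension = os.path.splitext(base_name)[0]
        # NOTE(review): read_yaml_file is not visible here; these files are
        # user-supplied input, so confirm it uses yaml.safe_load.
        cfg = read_yaml_file(yaml_file)
        # NOTE(review): the tests in this file call write_policy_with_access_levels
        # with db_session as the FIRST argument; the order below is kept as the
        # original had it but should be checked against the current signature.
        if crud:
            # User supplies file containing resource-specific access levels
            policy = write_policy_with_access_levels(cfg, db_session, minimize)
        else:
            # User supplies file containing a list of IAM actions
            policy = write_policy_with_actions(cfg, db_session, minimize)
        print("Writing policy for " + base_name + '\n')

        # basename() above means a crafted input file name cannot escape output_dir.
        target_file = os.path.join(output_dir, base_name_no_extension + '.json')
        # lexists() rather than exists(): a dangling symlink at the target is
        # invisible to exists(), would be left in place, and a subsequent
        # open-for-write would presumably follow it to wherever it points.
        if os.path.lexists(target_file):
            print(
                "Target file for " + base_name_no_extension + '.json' +
                " exists in the target directory. Removing it and writing a new file.\n"
            )
            os.remove(target_file)
        write_json_file(target_file, policy)

    print("Finished")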
    # Fragment: the enclosing definition, and where crud_template / db_session
    # come from, are not shown here. Presumably crud_template is the dict from
    # get_crud_template_dict(), but note it is indexed by access level directly
    # below, not via ['policy_with_crud_levels'][0] as in the test above —
    # verify which template shape this snippet targets.
    crud_template['read'].append(
        "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret")
    crud_template['write'].append(
        "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret")
    crud_template['list'].append("arn:aws:s3:::example-org-sbx-vmimport/stuff")
    crud_template['permissions-management'].append(
        "arn:aws:kms:us-east-1:123456789012:key/123456")
    crud_template['tagging'].append(
        "arn:aws:ssm:us-east-1:123456789012:parameter/test")

    # Actions added here are emitted with Resource "*" in the output shown below.
    wildcard_actions_to_add = [
        "kms:createcustomkeystore", "cloudhsm:describeclusters"
    ]
    crud_template['wildcard'].extend(wildcard_actions_to_add)

    # NOTE(review): `template` is not defined anywhere in this snippet; every
    # line above mutates `crud_template`, so this looks like a typo — confirm.
    # The trailing None is the minimize argument.
    policy = write_policy_with_access_levels(db_session, template, None)
    print(json.dumps(policy, indent=4))
"""
Output:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MultMultNone",
            "Effect": "Allow",
            "Action": [
                "kms:createcustomkeystore"
            ],
            "Resource": [
                "*"