def test_get_actions_matching_condition_key(self): """querying.actions.get_actions_matching_condition_key""" desired_results = ['ses:SendEmail'] results = get_actions_matching_condition_key("ses", "ses:FeedbackAddress") # print(output) self.maxDiff = None print(results) self.assertListEqual(results, desired_results)
def action_table(name, service, access_level, condition, wildcard_only): """Query the Action Table from the Policy Sentry database""" db_session = connect_db(DATABASE_FILE_PATH) # Actions on all services if service == "all": all_services = get_all_service_prefixes(db_session) if access_level: level = transform_access_level_text(access_level) print(f"{access_level} actions across ALL services:\n") results = [] for serv in all_services: output = get_actions_with_access_level(db_session, serv, level) results.extend(output) for result in results: print(result) # Get a list of all services in the database else: print("All services in the database:\n") for item in all_services: print(item) elif name is None and access_level: print( f"All IAM actions under the {service} service that have the access level {access_level}:" ) level = transform_access_level_text(access_level) output = get_actions_with_access_level(db_session, service, level) print(json.dumps(output, indent=4)) # Get a list of all IAM actions under the service that support the # specified condition key. elif condition: print( f"IAM actions under {service} service that support the {condition} condition only:" ) output = get_actions_matching_condition_key(db_session, service, condition) print(json.dumps(output, indent=4)) # Get a list of IAM Actions under the service that only support resources = "*" # (i.e., you cannot restrict it according to ARN) elif wildcard_only: print( f"IAM actions under {service} service that support wildcard resource values only:" ) output = get_actions_that_support_wildcard_arns_only( db_session, service) print(json.dumps(output, indent=4)) elif name and access_level is None: output = get_action_data(db_session, service, name) print(json.dumps(output, indent=4)) else: print(f"All IAM actions available to {service}:") # Get a list of all IAM Actions available to the service action_list = get_actions_for_service(db_session, service) print(f"ALL {service} actions:") for item in action_list: print(item)
def test_get_actions_matching_condition_key(self): """querying.actions.get_actions_matching_condition_key""" results = get_actions_matching_condition_key("ses", "ses:FeedbackAddress") desired_results = [ 'ses:SendBulkTemplatedEmail', 'ses:SendCustomVerificationEmail', 'ses:SendEmail', 'ses:SendRawEmail', 'ses:SendTemplatedEmail' ] # print(output) self.maxDiff = None print(results) self.assertListEqual(results, desired_results)
def test_get_actions_matching_condition_key(self): """test_get_actions_matching_condition_key: Tests a function that gathers all instances in the action tables where the condition key exists.""" desired_output = [ 'ses:sendemail', 'ses:sendbulktemplatedemail', 'ses:sendcustomverificationemail', 'ses:sendemail', 'ses:sendrawemail', 'ses:sendtemplatedemail' ] output = get_actions_matching_condition_key(db_session, "ses", "ses:FeedbackAddress") print(output) self.maxDiff = None self.assertListEqual(desired_output, output)
def test_get_actions_matching_condition_key(self): """querying.actions.get_actions_matching_condition_key""" desired_output = [ 'ses:SendEmail', 'ses:SendBulkTemplatedEmail', 'ses:SendCustomVerificationEmail', 'ses:SendEmail', 'ses:SendRawEmail', 'ses:SendTemplatedEmail' ] output = get_actions_matching_condition_key(db_session, "ses", "ses:FeedbackAddress") # print(output) self.maxDiff = None print(output) self.assertListEqual(desired_output, output)
def test_get_actions_matching_condition_key(self): """querying.actions.get_actions_matching_condition_key""" desired_output = [ "ses:sendemail", "ses:sendbulktemplatedemail", "ses:sendcustomverificationemail", "ses:sendemail", "ses:sendrawemail", "ses:sendtemplatedemail", ] output = get_actions_matching_condition_key( db_session, "ses", "ses:FeedbackAddress" ) # print(output) self.maxDiff = None self.assertListEqual(desired_output, output)
def test_get_actions_matching_condition_key(self): """querying.actions.get_actions_matching_condition_key""" results = get_actions_matching_condition_key( "ses", "ses:FeedbackAddress" ) expected_results = [ # 'ses:SendBulkTemplatedEmail', # 'ses:SendCustomVerificationEmail', 'ses:SendEmail', # 'ses:SendRawEmail', # 'ses:SendTemplatedEmail' ] # print(output) self.maxDiff = None print(results) for expected_result in expected_results: self.assertTrue(expected_result in results)
def query_action_table(name, service, access_level, condition, resource_type, fmt="json"): """Query the Action Table from the Policy Sentry database. Use this one when leveraging Policy Sentry as a library.""" if os.path.exists(LOCAL_DATASTORE_FILE_PATH): logger.info( f"Using the Local IAM definition: {LOCAL_DATASTORE_FILE_PATH}. To leverage the bundled definition instead, remove the folder $HOME/.policy_sentry/" ) else: # Otherwise, leverage the datastore inside the python package logger.debug("Leveraging the bundled IAM Definition.") # Actions on all services if service == "all": all_services = get_all_service_prefixes() if access_level: level = transform_access_level_text(access_level) print(f"{access_level} actions across ALL services:\n") output = [] for serv in all_services: result = get_actions_with_access_level(serv, level) output.extend(result) print(yaml.dump(output)) if fmt == "yaml" else [ print(result) for result in output ] # Get a list of all services in the database else: print("All services in the database:\n") output = all_services print(yaml.dump(output)) if fmt == "yaml" else [ print(item) for item in output ] elif name is None and access_level and not resource_type: print( f"All IAM actions under the {service} service that have the access level {access_level}:" ) level = transform_access_level_text(access_level) output = get_actions_with_access_level(service, level) print(yaml.dump(output)) if fmt == "yaml" else [ print(json.dumps(output, indent=4)) ] elif name is None and access_level and resource_type: print( f"{service} {access_level.upper()} actions that have the resource type {resource_type.upper()}:" ) access_level = transform_access_level_text(access_level) output = get_actions_with_arn_type_and_access_level( service, resource_type, access_level) print(yaml.dump(output)) if fmt == "yaml" else [ print(json.dumps(output, indent=4)) ] # Get a list of all IAM actions under the service that support the specified condition key. elif condition: print( f"IAM actions under {service} service that support the {condition} condition only:" ) output = get_actions_matching_condition_key(service, condition) print(yaml.dump(output)) if fmt == "yaml" else [ print(json.dumps(output, indent=4)) ] # Get a list of IAM Actions under the service that only support resources = "*" # (i.e., you cannot restrict it according to ARN) elif resource_type: print( f"IAM actions under {service} service that have the resource type {resource_type}:" ) output = get_actions_matching_arn_type(service, resource_type) print(yaml.dump(output)) if fmt == "yaml" else [ print(json.dumps(output, indent=4)) ] elif name and access_level is None: output = get_action_data(service, name) print(yaml.dump(output)) if fmt == "yaml" else [ print(json.dumps(output, indent=4)) ] else: # Get a list of all IAM Actions available to the service output = get_actions_for_service(service) print(f"ALL {service} actions:") print(yaml.dump(output)) if fmt == "yaml" else [ print(item) for item in output ] return output
#!/usr/bin/env python from policy_sentry.shared.database import connect_db from policy_sentry.querying.actions import get_actions_matching_condition_key import json if __name__ == '__main__': db_session = connect_db('bundled') output = get_actions_matching_condition_key(db_session, "ses", "ses:FeedbackAddress") print(json.dumps(output, indent=4)) """ Output: [ 'ses:sendemail', 'ses:sendbulktemplatedemail', 'ses:sendcustomverificationemail', 'ses:sendemail', 'ses:sendrawemail', 'ses:sendtemplatedemail' ] """
def query_action_table(name, service, access_level, condition, wildcard_only, fmt="json"): """Query the Action Table from the Policy Sentry database. Use this one when leveraging Policy Sentry as a library.""" # Actions on all services if service == "all": all_services = get_all_service_prefixes() if access_level: level = transform_access_level_text(access_level) print(f"{access_level} actions across ALL services:\n") output = [] for serv in all_services: result = get_actions_with_access_level(serv, level) output.extend(result) print(yaml.dump(output)) if fmt == "yaml" else [ print(result) for result in output ] # Get a list of all services in the database else: print("All services in the database:\n") output = all_services print(yaml.dump(output)) if fmt == "yaml" else [ print(item) for item in output ] elif name is None and access_level and not wildcard_only: print( f"All IAM actions under the {service} service that have the access level {access_level}:" ) level = transform_access_level_text(access_level) output = get_actions_with_access_level(service, level) print(yaml.dump(output)) if fmt == "yaml" else [ print(json.dumps(output, indent=4)) ] elif name is None and access_level and wildcard_only: print( f"{service} {access_level.upper()} actions that must use wildcards in the resources block:" ) access_level = transform_access_level_text(access_level) output = get_actions_at_access_level_that_support_wildcard_arns_only( service, access_level) print(yaml.dump(output)) if fmt == "yaml" else [ print(json.dumps(output, indent=4)) ] # Get a list of all IAM actions under the service that support the specified condition key. elif condition: print( f"IAM actions under {service} service that support the {condition} condition only:" ) output = get_actions_matching_condition_key(service, condition) print(yaml.dump(output)) if fmt == "yaml" else [ print(json.dumps(output, indent=4)) ] # Get a list of IAM Actions under the service that only support resources = "*" # (i.e., you cannot restrict it according to ARN) elif wildcard_only: print( f"IAM actions under {service} service that support wildcard resource values only:" ) output = get_actions_that_support_wildcard_arns_only(service) print(yaml.dump(output)) if fmt == "yaml" else [ print(json.dumps(output, indent=4)) ] elif name and access_level is None: output = get_action_data(service, name) print(yaml.dump(output)) if fmt == "yaml" else [ print(json.dumps(output, indent=4)) ] else: # Get a list of all IAM Actions available to the service output = get_actions_for_service(service) print(f"ALL {service} actions:") print(yaml.dump(output)) if fmt == "yaml" else [ print(item) for item in output ] return output