def action_table(name, service, access_level, condition, wildcard_only):
"""Query the Action Table from the Policy Sentry database"""
db_session = connect_db(DATABASE_FILE_PATH)
# Actions on all services
if service == "all":
all_services = get_all_service_prefixes(db_session)
if access_level:
level = transform_access_level_text(access_level)
print(f"{access_level} actions across ALL services:\n")
results = []
for serv in all_services:
output = get_actions_with_access_level(db_session, serv, level)
results.extend(output)
for result in results:
print(result)
# Get a list of all services in the database
else:
print("All services in the database:\n")
for item in all_services:
print(item)
elif name is None and access_level:
print(
f"All IAM actions under the {service} service that have the access level {access_level}:"
)
level = transform_access_level_text(access_level)
output = get_actions_with_access_level(db_session, service, level)
print(json.dumps(output, indent=4))
# Get a list of all IAM actions under the service that support the
# specified condition key.
elif condition:
print(
f"IAM actions under {service} service that support the {condition} condition only:"
)
output = get_actions_matching_condition_key(db_session, service,
condition)
print(json.dumps(output, indent=4))
# Get a list of IAM Actions under the service that only support resources = "*"
# (i.e., you cannot restrict it according to ARN)
elif wildcard_only:
print(
f"IAM actions under {service} service that support wildcard resource values only:"
)
output = get_actions_that_support_wildcard_arns_only(
db_session, service)
print(json.dumps(output, indent=4))
elif name and access_level is None:
output = get_action_data(db_session, service, name)
print(json.dumps(output, indent=4))
else:
print(f"All IAM actions available to {service}:")
# Get a list of all IAM Actions available to the service
action_list = get_actions_for_service(db_session, service)
print(f"ALL {service} actions:")
for item in action_list:
print(item)
def remove_actions_not_matching_access_level(db_session, actions_list, access_level):
"""
Given a list of actions, return a list of actions that match an access level
:param db_session: The SQLAlchemy database session
:param actions_list: A list of actions
:param access_level: 'read', 'write', 'list', 'tagging', or 'permissions-management'
:return: Updated list of actions, where the actions not matching the requested access level are removed.
"""
new_actions_list = []
for action in actions_list:
try:
service, action_name = action.split(":")
first_result = None # Just to appease nosetests
level = transform_access_level_text(access_level)
query_actions_access_level = db_session.query(ActionTable).filter(
and_(
ActionTable.service.ilike(service),
ActionTable.name.ilike(action_name),
ActionTable.access_level.ilike(level),
)
)
first_result = query_actions_access_level.first()
if first_result is None:
pass
else:
# Just take the first result
new_actions_list.append(f"{first_result.service}:{first_result.name}")
except ValueError as v_e:
logger.debug("ValueError: %s for the action %s", v_e, action)
continue
return new_actions_list
def query_action_table(name,
service,
access_level,
condition,
resource_type,
fmt="json"):
"""Query the Action Table from the Policy Sentry database.
Use this one when leveraging Policy Sentry as a library."""
if os.path.exists(LOCAL_DATASTORE_FILE_PATH):
logger.info(
f"Using the Local IAM definition: {LOCAL_DATASTORE_FILE_PATH}. To leverage the bundled definition instead, remove the folder $HOME/.policy_sentry/"
)
else:
# Otherwise, leverage the datastore inside the python package
logger.debug("Leveraging the bundled IAM Definition.")
# Actions on all services
if service == "all":
all_services = get_all_service_prefixes()
if access_level:
level = transform_access_level_text(access_level)
print(f"{access_level} actions across ALL services:\n")
output = []
for serv in all_services:
result = get_actions_with_access_level(serv, level)
output.extend(result)
print(yaml.dump(output)) if fmt == "yaml" else [
print(result) for result in output
]
# Get a list of all services in the database
else:
print("All services in the database:\n")
output = all_services
print(yaml.dump(output)) if fmt == "yaml" else [
print(item) for item in output
]
elif name is None and access_level and not resource_type:
print(
f"All IAM actions under the {service} service that have the access level {access_level}:"
)
level = transform_access_level_text(access_level)
output = get_actions_with_access_level(service, level)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
elif name is None and access_level and resource_type:
print(
f"{service} {access_level.upper()} actions that have the resource type {resource_type.upper()}:"
)
access_level = transform_access_level_text(access_level)
output = get_actions_with_arn_type_and_access_level(
service, resource_type, access_level)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
# Get a list of all IAM actions under the service that support the specified condition key.
elif condition:
print(
f"IAM actions under {service} service that support the {condition} condition only:"
)
output = get_actions_matching_condition_key(service, condition)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
# Get a list of IAM Actions under the service that only support resources = "*"
# (i.e., you cannot restrict it according to ARN)
elif resource_type:
print(
f"IAM actions under {service} service that have the resource type {resource_type}:"
)
output = get_actions_matching_arn_type(service, resource_type)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
elif name and access_level is None:
output = get_action_data(service, name)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
else:
# Get a list of all IAM Actions available to the service
output = get_actions_for_service(service)
print(f"ALL {service} actions:")
print(yaml.dump(output)) if fmt == "yaml" else [
print(item) for item in output
]
return output
def query_action_table(name,
service,
access_level,
condition,
wildcard_only,
fmt="json"):
"""Query the Action Table from the Policy Sentry database. Use this one when leveraging Policy Sentry as a library."""
# Actions on all services
if service == "all":
all_services = get_all_service_prefixes()
if access_level:
level = transform_access_level_text(access_level)
print(f"{access_level} actions across ALL services:\n")
output = []
for serv in all_services:
result = get_actions_with_access_level(serv, level)
output.extend(result)
print(yaml.dump(output)) if fmt == "yaml" else [
print(result) for result in output
]
# Get a list of all services in the database
else:
print("All services in the database:\n")
output = all_services
print(yaml.dump(output)) if fmt == "yaml" else [
print(item) for item in output
]
elif name is None and access_level and not wildcard_only:
print(
f"All IAM actions under the {service} service that have the access level {access_level}:"
)
level = transform_access_level_text(access_level)
output = get_actions_with_access_level(service, level)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
elif name is None and access_level and wildcard_only:
print(
f"{service} {access_level.upper()} actions that must use wildcards in the resources block:"
)
access_level = transform_access_level_text(access_level)
output = get_actions_at_access_level_that_support_wildcard_arns_only(
service, access_level)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
# Get a list of all IAM actions under the service that support the specified condition key.
elif condition:
print(
f"IAM actions under {service} service that support the {condition} condition only:"
)
output = get_actions_matching_condition_key(service, condition)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
# Get a list of IAM Actions under the service that only support resources = "*"
# (i.e., you cannot restrict it according to ARN)
elif wildcard_only:
print(
f"IAM actions under {service} service that support wildcard resource values only:"
)
output = get_actions_that_support_wildcard_arns_only(service)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
elif name and access_level is None:
output = get_action_data(service, name)
print(yaml.dump(output)) if fmt == "yaml" else [
print(json.dumps(output, indent=4))
]
else:
# Get a list of all IAM Actions available to the service
output = get_actions_for_service(service)
print(f"ALL {service} actions:")
print(yaml.dump(output)) if fmt == "yaml" else [
print(item) for item in output
]
return output