def get_actions_matching_condition_key(db_session, service, condition_key):
"""
Get a list of actions under a service that allow the use of a specified condition key
:param db_session: SQLAlchemy database session
:param service: A single AWS service prefix
:param condition_key: The condition key to look for.
:return: A list of actions
"""
actions_list = []
looking_for = "%{0}%".format(condition_key)
if service:
rows = db_session.query(ActionTable).filter(
and_(
ActionTable.service.ilike(service),
ActionTable.condition_keys.ilike(looking_for),
)
)
for row in rows:
action = get_full_action_name(row.service, row.name)
actions_list.append(action)
else:
rows = db_session.query(ActionTable).filter(
and_(ActionTable.condition_keys.ilike(looking_for))
)
for row in rows:
action = get_full_action_name(row.service, row.name)
actions_list.append(action)
return actions_list
def get_actions_with_access_level(db_session, service, access_level):
"""
Get a list of actions in a service under different access levels.
:param db_session: SQLAlchemy database session object
:param service: A single AWS service prefix, like `s3` or `kms`
:param access_level: An access level as it is written in the database, such as 'Read', 'Write', 'List', 'Permisssions management', or 'Tagging'
:return: A list of actions
"""
actions_list = []
all_services = get_all_service_prefixes(db_session)
if service == "all":
for serv in all_services:
output = get_actions_with_access_level(db_session, serv, access_level)
actions_list.extend(output)
rows = db_session.query(ActionTable).filter(
and_(
ActionTable.service.like(service),
ActionTable.access_level.ilike(access_level),
)
)
# Create a list of actions under each service. Use this list to pass in to the remove_actions_not_matching_access_level function
# which will give you the list of actions you want.
for row in rows:
action = get_full_action_name(row.service, row.name)
if action not in actions_list:
actions_list.append(action)
return actions_list
def get_actions_at_access_level_that_support_wildcard_arns_only(
db_session, service, access_level
):
"""
Get a list of actions at an access level that do not support restricting the action to resource ARNs.
:param db_session: SQLAlchemy database session object
:param service: A single AWS service prefix, like `s3` or `kms`
:param access_level: An access level as it is written in the database, such as 'Read', 'Write', 'List', 'Permisssions management', or 'Tagging'
:return: A list of actions
"""
actions_list = []
rows = db_session.query(ActionTable.service, ActionTable.name).filter(
and_(
ActionTable.service.ilike(service),
ActionTable.resource_arn_format.like("*"),
ActionTable.access_level.ilike(access_level),
ActionTable.name.notin_(
db_session.query(ActionTable.name).filter(
ActionTable.resource_arn_format.notlike("*")
)
),
)
)
for row in rows:
actions_list.append(get_full_action_name(row.service, row.name))
return actions_list
def get_actions_matching_condition_crud_and_arn(db_session, condition_key,
access_level, raw_arn):
"""
Get a list of IAM Actions matching a condition key, CRUD level, and raw ARN format.
:param db_session: SQL Alchemy database session
:param condition_key: A condition key, like aws:TagKeys
:param access_level: Access level that matches the database value. "Read", "Write", "List", "Tagging", or "Permissions management"
:param raw_arn: The raw ARN format in the database, like arn:${Partition}:s3:::${BucketName}
:return: List of IAM Actions
"""
actions_list = []
looking_for = "%{0}%".format(condition_key)
if raw_arn == "*":
rows = db_session.query(ActionTable).filter(
and_(
# ActionTable.service.ilike(service),
ActionTable.access_level.ilike(access_level),
ActionTable.resource_arn_format.is_(raw_arn),
ActionTable.condition_keys.ilike(looking_for),
))
else:
service = get_service_from_arn(raw_arn)
rows = db_session.query(ActionTable).filter(
and_(
ActionTable.service.ilike(service),
ActionTable.access_level.ilike(access_level),
ActionTable.resource_arn_format.ilike(raw_arn),
ActionTable.condition_keys.ilike(looking_for),
))
for row in rows:
action = get_full_action_name(row.service, row.name)
actions_list.append(action)
return actions_list
def remove_actions_that_are_not_wildcard_arn_only(db_session, actions_list):
"""
Given a list of actions, remove the ones that CAN be restricted to ARNs, leaving only the ones that cannot.
:param db_session: SQL Alchemy database session object
:param actions_list: A list of actions
:return: An updated list of actions
:rtype: list
"""
# remove duplicates, if there are any
actions_list_unique = list(dict.fromkeys(actions_list))
actions_list_placeholder = []
for action in actions_list_unique:
service = get_service_from_action(action)
action_name = get_action_name_from_action(action)
rows = db_session.query(ActionTable.service, ActionTable.name).filter(
and_(
ActionTable.service.ilike(service),
ActionTable.name.ilike(action_name),
ActionTable.resource_arn_format.like("*"),
ActionTable.name.notin_(
db_session.query(ActionTable.name).filter(
ActionTable.resource_arn_format.notlike('*')))))
for row in rows:
if row.service == service and row.name == action_name:
actions_list_placeholder.append(
get_full_action_name(service, action_name))
return actions_list_placeholder
def get_actions_that_support_wildcard_arns_only(db_session, service):
"""
Get a list of actions that do not support restricting the action to resource ARNs.
:param db_session: SQLAlchemy database session object
:param service: A single AWS service prefix, like `s3` or `kms`
:return: A list of actions
"""
actions_list = []
rows = db_session.query(ActionTable.service, ActionTable.name).filter(
and_(
ActionTable.service.ilike(service),
ActionTable.resource_arn_format.like("*"),
ActionTable.name.notin_(
db_session.query(ActionTable.name).filter(
ActionTable.resource_arn_format.notlike('*')))))
for row in rows:
actions_list.append(get_full_action_name(row.service, row.name))
return actions_list
def get_actions_with_arn_type_and_access_level(db_session, service,
resource_type_name,
access_level):
"""
Get a list of actions in a service under different access levels, specific to an ARN format.
:param db_session: SQLAlchemy database session object
:param service: A single AWS service prefix, like `s3` or `kms`
:param resource_type_name: The ARN type name, like `bucket` or `key`
:return: A list of actions
"""
actions_list = []
rows = db_session.query(ActionTable).filter(
and_(ActionTable.service.ilike(service),
ActionTable.resource_type_name.ilike(resource_type_name),
ActionTable.access_level.ilike(access_level)))
for row in rows:
action = get_full_action_name(row.service, row.name)
if action not in actions_list:
actions_list.append(action)
return actions_list
