def test_statement_summary(self):
    """action_summary() groups a statement's actions by service into access-category labels.

    Fixtures statement24/25/26 are checked in order against the exact
    {service: {category, ...}} mapping they are expected to produce.
    """
    expectations = [
        (statement24, {'ec2': {'DataPlaneMutating'}}),
        (statement25, {'ec2': {'DataPlaneMutating'}, 'iam': {'Permissions'}}),
        (statement26, {'iam': {'Permissions', 'DataPlaneListRead'}}),
    ]
    for fixture, expected in expectations:
        self.assertEqual(Statement(fixture).action_summary(), expected)
def test_statement_principals(self):
    """`principals` flattens a statement's Principal block into one set of identities.

    Covers account-root ARNs, AWS service principals, a mixed list, the
    cognito identity service principal, and a statement with no Principal
    key at all (which must yield an empty set rather than raise).
    """
    root_account = "arn:aws:iam::012345678910:root"
    cases = [
        (statement02, {root_account}),
        (statement03, {root_account}),
        (statement04, {root_account}),
        (statement05, {root_account, "lambda.amazonaws.com"}),
        (statement06, {"lambda.amazonaws.com"}),
    ]
    for fixture, expected in cases:
        self.assertEqual(Statement(fixture).principals, expected)

    # Shallow-copy the fixture so deleting the key does not mutate statement06
    # for other tests.
    without_principal = dict(statement06)
    del without_principal["Principal"]
    self.assertEqual(Statement(without_principal).principals, set())

    for fixture in (statement31, statement32):
        self.assertEqual(
            Statement(fixture).principals,
            {"cognito-identity.amazonaws.com"},
        )
def test_statement_summary(self):
    """action_summary() groups a statement's actions by service into access-level labels.

    Fixtures statement24/25/26 are checked in order against the exact
    {service: {access_level, ...}} mapping they are expected to produce.
    """
    expectations = [
        (statement24, {"ec2": {"Write"}}),
        (statement25, {"ec2": {"Write"}, "iam": {"Permissions"}}),
        (statement26, {"iam": {"Permissions", "List"}}),
    ]
    for fixture, expected in expectations:
        self.assertEqual(Statement(fixture).action_summary(), expected)
def __init__(self, policy):
    """Wrap a parsed policy document and build one Statement per entry of its Statement block.

    Args:
        policy: the policy document as a mapping. A missing ``Statement`` key
            results in an empty ``statements`` list.

    Attributes set:
        policy: the document as given.
        statements: Statement objects in document order.
    """
    self.policy = policy
    self.statements = []
    # ensure_array presumably promotes a lone statement mapping to a
    # one-element list — confirm against its definition.
    raw_statements = ensure_array(self.policy.get("Statement", []))
    self.statements.extend(Statement(entry) for entry in raw_statements)
def test_statement_conditions(self):
    """Condition-derived attributes expose the ARNs, accounts, user ids, CIDRs, VPCs and VPC endpoints a statement is scoped to.

    Each attribute is checked against the exact set the fixture's Condition
    block names; statement12 exercises every supported key at once.
    """
    self.assertEqual(
        Statement(statement07).condition_arns,
        {'arn:aws:iam::012345678910:role/SomeTestRoleForTesting'},
    )
    self.assertEqual(
        Statement(statement08).condition_arns,
        {
            'arn:aws:iam::012345678910:role/SomeTestRoleForTesting',
            'arn:aws:iam::012345678910:role/OtherRole',
        },
    )
    for fixture in (statement10, statement11):
        self.assertEqual(
            Statement(fixture).condition_accounts,
            {'012345678910', '123456789123'},
        )

    # statement12 sets every supported condition key; each must land in its
    # own attribute rather than bleeding into another.
    scoped = Statement(statement12)
    self.assertEqual(scoped.condition_arns, {'arn:aws:iam::012345678910:role/Admin'})
    self.assertEqual(scoped.condition_accounts, {'012345678910'})
    self.assertEqual(scoped.condition_userids, {'AROAI1111111111111111:*'})
    self.assertEqual(
        scoped.condition_cidrs,
        {'123.45.67.89', '10.0.7.0/24', '172.16.0.0/16'},
    )
    self.assertEqual(scoped.condition_vpcs, {'vpc-111111'})
    self.assertEqual(scoped.condition_vpces, {'vpce-111111'})

    arn_only = Statement(statement13)
    self.assertEqual(arn_only.condition_arns, {'arn:aws:iam::012345678910:role/Admin'})
    self.assertEqual(len(arn_only.condition_userids), 0)

    self.assertEqual(Statement(statement23).condition_accounts, {'222222222222'})
def __init__(self, policy):
    """Wrap a parsed policy document and build one Statement per entry of its Statement block.

    IAM allows ``Statement`` to be either a single mapping or a list of
    them; a lone mapping is promoted to a one-element list before parsing.

    Args:
        policy: the policy document as a mapping. A missing ``Statement``
            key results in an empty ``statements`` list.

    Attributes set:
        policy: the document as given.
        statements: Statement objects in document order.
    """
    self.policy = policy
    self.statements = []
    raw = self.policy.get("Statement", [])
    entries = raw if isinstance(raw, list) else [raw]
    self.statements.extend(Statement(entry) for entry in entries)
def test_statement_principals(self):
    """`principals` flattens a statement's Principal block into one set of identities.

    Covers account-root ARNs, an AWS service principal, a mixed list, and a
    statement with no Principal key at all (which must yield an empty set
    rather than raise).
    """
    root_account = 'arn:aws:iam::012345678910:root'
    cases = [
        (statement02, {root_account}),
        (statement03, {root_account}),
        (statement04, {root_account}),
        (statement05, {root_account, 'lambda.amazonaws.com'}),
        (statement06, {'lambda.amazonaws.com'}),
    ]
    for fixture, expected in cases:
        self.assertEqual(Statement(fixture).principals, expected)

    # Shallow-copy the fixture so deleting the key does not mutate statement06
    # for other tests.
    without_principal = dict(statement06)
    del without_principal['Principal']
    self.assertEqual(Statement(without_principal).principals, set())
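def test_statement_internet_accessible(self):
    """is_internet_accessible() must flag statements anyone can use and stay quiet for scoped ones.

    Fixtures are grouped by expected verdict and each is asserted exactly
    once (statement14/15 were previously asserted twice). The malformed
    fixtures at the end document the conservative verdicts: a statement
    whose principal or condition cannot be resolved to an account scope is
    reported as internet accessible rather than assumed safe.
    """
    open_to_internet = (
        statement01,
        statement09_wildcard,
        statement14,
        statement15,
        statement18,
        statement19,
        statement20,
    )
    scoped = (
        statement02,
        statement03,
        statement04,
        statement05,
        statement06,
        statement07,
        statement08,
        statement09,
        statement10,
        statement11,
        statement12,
        statement13,
        statement16,
        statement17,
    )
    for fixture in open_to_internet:
        self.assertTrue(Statement(fixture).is_internet_accessible())
    for fixture in scoped:
        self.assertFalse(Statement(fixture).is_internet_accessible())

    # Statements with ARNs lacking account numbers.
    # 21 is an S3 ARN.
    self.assertFalse(Statement(statement21).is_internet_accessible())
    # 22 is a likely malformed user ARN lacking an account number; it is
    # reported as internet accessible rather than trusted.
    self.assertTrue(Statement(statement22).is_internet_accessible())
    # 27 is like 07 and 28 is like 10, but with the mistake of not providing
    # a list for ForAny/ForAll. The broken condition presumably yields no
    # usable scoping, so both are reported as open.
    self.assertTrue(Statement(statement27).is_internet_accessible())
    self.assertTrue(Statement(statement28).is_internet_accessible())
    # AWS:PrincipalOrgID scopes the statement to an organisation ...
    self.assertFalse(Statement(statement29).is_internet_accessible())
    # ... unless the org id itself is a wildcard.
    self.assertTrue(Statement(statement30).is_internet_accessible())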
def test_statement_conditions(self):
    """Condition-derived attributes expose the ARNs, accounts, user ids, CIDRs, VPCs, VPC endpoints and org ids a statement is scoped to.

    statement27/28 mirror 07/10 but omit the list around the ForAny/ForAll
    value; they must produce an empty set, not a crash. statement12
    exercises every supported key at once.
    """
    test_role = "arn:aws:iam::012345678910:role/SomeTestRoleForTesting"
    self.assertEqual(Statement(statement07).condition_arns, {test_role})
    self.assertEqual(Statement(statement27).condition_arns, set())
    self.assertEqual(
        Statement(statement08).condition_arns,
        {test_role, "arn:aws:iam::012345678910:role/OtherRole"},
    )

    two_accounts = {"012345678910", "123456789123"}
    self.assertEqual(Statement(statement10).condition_accounts, two_accounts)
    self.assertEqual(Statement(statement28).condition_accounts, set())
    self.assertEqual(Statement(statement11).condition_accounts, two_accounts)

    # statement12 sets every supported condition key; each must land in its
    # own attribute rather than bleeding into another.
    scoped = Statement(statement12)
    self.assertEqual(scoped.condition_arns, {"arn:aws:iam::012345678910:role/Admin"})
    self.assertEqual(scoped.condition_accounts, {"012345678910"})
    self.assertEqual(scoped.condition_userids, {"AROAI1111111111111111:*"})
    self.assertEqual(
        scoped.condition_cidrs,
        {"123.45.67.89", "10.0.7.0/24", "172.16.0.0/16"},
    )
    self.assertEqual(scoped.condition_vpcs, {"vpc-111111"})
    self.assertEqual(scoped.condition_vpces, {"vpce-111111"})

    arn_only = Statement(statement13)
    self.assertEqual(arn_only.condition_arns, {"arn:aws:iam::012345678910:role/Admin"})
    self.assertEqual(len(arn_only.condition_userids), 0)

    self.assertEqual(Statement(statement23).condition_accounts, {"222222222222"})

    # AWS:PrincipalOrgID, concrete and wildcard forms.
    self.assertEqual(Statement(statement29).condition_orgids, {"o-xxxxxxxxxx"})
    self.assertEqual(Statement(statement30).condition_orgids, {"o-*"})
def test_statement_not_principal(self):
    """uses_not_principal() is true for statement01, which carries a NotPrincipal element."""
    self.assertTrue(Statement(statement01).uses_not_principal())
def test_statement_effect(self):
    """`effect` surfaces the statement's Effect value verbatim ("Allow" for statement01)."""
    self.assertEqual(Statement(statement01).effect, "Allow")
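def test_statement_internet_accessible(self):
    """is_internet_accessible() must flag statements anyone can use and stay quiet for scoped ones.

    Fixtures are grouped by expected verdict and each is asserted exactly
    once (statement14/15 were previously asserted twice). The two trailing
    fixtures document the verdicts for ARNs without an account number.
    """
    open_to_internet = (
        statement01,
        statement09_wildcard,
        statement14,
        statement15,
        statement18,
        statement19,
        statement20,
    )
    scoped = (
        statement02,
        statement03,
        statement04,
        statement05,
        statement06,
        statement07,
        statement08,
        statement09,
        statement10,
        statement11,
        statement12,
        statement13,
        statement16,
        statement17,
    )
    for fixture in open_to_internet:
        self.assertTrue(Statement(fixture).is_internet_accessible())
    for fixture in scoped:
        self.assertFalse(Statement(fixture).is_internet_accessible())

    # Statements with ARNs lacking account numbers.
    # 21 is an S3 ARN.
    self.assertFalse(Statement(statement21).is_internet_accessible())
    # 22 is a likely malformed user ARN lacking an account number; it is
    # reported as internet accessible rather than trusted.
    self.assertTrue(Statement(statement22).is_internet_accessible())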