def test_match_action_resource_policy_elements(self):
"""Test if we're correctly testing Action/Resource elements in resource policies"""
bucket_policy_1 = {
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Principal': '*',
'Action': 's3:GetObject',
'Resource': 'arn:aws:s3:::bucket/object'
}]
}
bucket_policy_2 = {
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Deny',
'Principal': '*',
'Action': 's3:GetObject',
'Resource': 'arn:aws:s3:::bucket/object'
}]
}
iam_user_1 = _build_user_with_policy(
{
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': 's3:GetObject',
'Resource': 'arn:aws:s3:::bucket/object'
}]
}, 'single_user_policy', 'asdf1', '1')
iam_user_2 = _build_user_with_policy(
{
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': 's3:GetObject',
'Resource': 'arn:aws:s3:::bucket/object'
}]
}, 'single_user_policy', 'asdf2', '2')
rpa_result = resource_policy_authorization(
iam_user_1, '000000000000', bucket_policy_1, 's3:GetObject',
'arn:aws:s3:::bucket/object', {})
self.assertTrue(rpa_result == ResourcePolicyEvalResult.NODE_MATCH)
rpa_result = resource_policy_authorization(
iam_user_1, '000000000000', bucket_policy_1, 's3:PutObject',
'arn:aws:s3:::bucket/object', {})
self.assertTrue(rpa_result == ResourcePolicyEvalResult.NO_MATCH)
def test_condition_key_handling_in_resources(self):
test_node = _build_user_with_policy({
'Version': '2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': 'iam:CreateAccessKey',
'Resource': 'arn:aws:iam::000000000000:user/${aws:username}'
}]
})
self.assertTrue(has_matching_statement(test_node, 'Allow', 'iam:CreateAccessKey', test_node.arn,
{'aws:username': '******'}))
def test_inferred_keys(self):
test_node = _build_user_with_policy(
{
'Version': '2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*'
}]
},
user_name='infer')
inferred_keys = _infer_condition_keys(test_node, {})
self.assertTrue('aws:username' in inferred_keys)
self.assertTrue(inferred_keys['aws:username'] == 'infer')
def test_permissions_boundary_no_resource_policy(self):
"""In the case of no resource policy, the effective permissions are the "intersection" of the caller's
identity policies + the boundary policy. Both the user's identity policies + boundary policy must
permit the API call. A matching deny statement in either set will deny the whole call.
"""
boundary = Policy(
'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess',
'AmazonS3ReadOnlyAccess',
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
)
iam_user_1 = _build_user_with_policy(
{
'Version': '2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*'
}]
},
'admin_policy',
'asdf1',
'1'
)
iam_user_1.permissions_boundary = boundary
self.assertTrue(
local_check_authorization(iam_user_1, 's3:GetObject', 'arn:aws:s3:::bucket/object', {})
)
self.assertFalse(
local_check_authorization(iam_user_1, 's3:PutObject', 'arn:aws:s3:::bucket/object', {})
)
def test_arn_condition(self):
""" Validate the following conditions are correctly handled:
ArnEquals, ArnLike, ArnNotEquals, ArnNotLike.
Note, ArnEquals and ArnLike have the same behavior, as well as ArnNotEquals and ArnNotLike
Validated against the Simulator API
TODO: Check on ForAnyValue and ForAllValues
"""
# ArnEquals (and ArnLike) testing: no wildcards
test_arn_equals = _build_user_with_policy({
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*',
'Condition': {
'ArnEquals': {
'aws:SourceArn':
'arn:aws:iam::000000000000:user/test1',
}
}
}]
})
self.assertTrue(
local_check_authorization(
test_arn_equals, 'iam:CreateUser', '*',
{'aws:SourceArn': 'arn:aws:iam::000000000000:user/test1'}))
self.assertFalse(
local_check_authorization(
test_arn_equals, 'iam:CreateUser', '*',
{'aws:SourceArn': 'arn:aws:iam::000000000000:user/test2'}))
# ArnEquals (and ArnLike) testing: wildcards
test_arn_equals_wild = _build_user_with_policy({
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*',
'Condition': {
'ArnEquals': {
'aws:SourceArn': 'arn:aws:iam::*:user/test1',
}
}
}]
})
self.assertTrue(
local_check_authorization(
test_arn_equals_wild,
'iam:CreateUser',
'*',
{'aws:SourceArn': 'arn:aws:iam::000000000000:user/test1'},
))
self.assertFalse(
local_check_authorization(
test_arn_equals_wild,
'iam:CreateUser',
'*',
{'aws:SourceArn': 'arn:aws:iam::000000000000:user/test2'},
))
# ArnNotEquals (and ArnNotLike) testing: wildcards
test_arn_equals_wild = _build_user_with_policy({
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*',
'Condition': {
'ArnNotLike': {
'aws:SourceArn': 'arn:aws:iam::*:user/test1',
}
}
}]
})
self.assertFalse(
local_check_authorization(
test_arn_equals_wild,
'iam:CreateUser',
'*',
{'aws:SourceArn': 'arn:aws:iam::000000000000:user/test1'},
))
self.assertTrue(
local_check_authorization(
test_arn_equals_wild,
'iam:CreateUser',
'*',
{'aws:SourceArn': 'arn:aws:iam::000000000000:user/test2'},
))
self.assertFalse(
local_check_authorization(
test_arn_equals_wild,
'iam:CreateUser',
'*',
{'aws:SourceArn': 'test2'},
))
def test_documented_ddb_authorization_behavior(self):
test_node = _build_user_with_policy({
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "dynamodb:GetItem",
"Resource": "arn:aws:dynamodb:*:*:table/Thread",
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:Attributes": ["ID", "Message", "Tags"]
}
}
}]
})
self.assertTrue(
local_check_authorization(
test_node, 'dynamodb:GetItem',
'arn:aws:dynamodb:us-west-2:000000000000:table/Thread',
{'dynamodb:attributes': ['ID', 'Message', 'Tags']}))
self.assertTrue(
local_check_authorization(
test_node, 'dynamodb:GetItem',
'arn:aws:dynamodb:us-west-2:000000000000:table/Thread',
{'dynamodb:attributes': ['ID', 'Message']}))
self.assertTrue(
local_check_authorization(
test_node, 'dynamodb:GetItem',
'arn:aws:dynamodb:us-west-2:000000000000:table/Thread', {}))
self.assertFalse(
local_check_authorization(
test_node, 'dynamodb:GetItem',
'arn:aws:dynamodb:us-west-2:000000000000:table/Thread',
{'dynamodb:Attributes': ['ID', 'Message', 'Tags', 'Password']
}))
test_node = _build_user_with_policy({
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "dynamodb:GetItem",
"Resource": "arn:aws:dynamodb:*:*:table/Thread",
"Condition": {
"ForAnyValue:StringEquals": {
"dynamodb:Attributes": ["ID", "Message", "Tags"]
}
}
}]
})
self.assertTrue(
local_check_authorization(
test_node, 'dynamodb:GetItem',
'arn:aws:dynamodb:us-west-2:000000000000:table/Thread',
{'dynamodb:Attributes': ['ID', 'Message', 'Tags']}))
self.assertTrue(
local_check_authorization(
test_node, 'dynamodb:GetItem',
'arn:aws:dynamodb:us-west-2:000000000000:table/Thread',
{'dynamodb:Attributes': ['Tags', 'Password']}))
self.assertFalse(
local_check_authorization(
test_node, 'dynamodb:GetItem',
'arn:aws:dynamodb:us-west-2:000000000000:table/Thread',
{'dynamodb:Attributes': ['Password']}))
self.assertFalse(
local_check_authorization(
test_node, 'dynamodb:GetItem',
'arn:aws:dynamodb:us-west-2:000000000000:table/Thread', {}))
def test_bool_condition_handling(self):
""" Validate the following conditions are handled:
* Bool
TODO: Check on ForAnyValue and ForAllValues
"""
# Bool: true
test_node_true = _build_user_with_policy({
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*',
'Condition': {
'Bool': {
'aws:SecureTransport': 'true'
}
}
}]
})
self.assertTrue(
local_check_authorization(test_node_true, 'iam:CreateUser', '*',
{'aws:SecureTransport': 'true'}))
self.assertTrue(
local_check_authorization(test_node_true, 'iam:CreateUser', '*',
{'aws:SecureTransport': 'True'}))
self.assertFalse(
local_check_authorization(test_node_true, 'iam:CreateUser', '*',
{'aws:SecureTransport': 'tru'}))
self.assertFalse(
local_check_authorization(test_node_true, 'iam:CreateUser', '*',
{'aws:SecureTransport': ''}))
self.assertFalse(
local_check_authorization(test_node_true, 'iam:CreateUser', '*',
{'aws:SecureTransport': 'false'}))
# Bool: false
test_node_false = _build_user_with_policy({
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*',
'Condition': {
'Bool': {
'aws:SecureTransport': 'false'
}
}
}]
})
self.assertTrue(
local_check_authorization(test_node_false, 'iam:CreateUser', '*',
{'aws:SecureTransport': 'false'}))
self.assertFalse(
local_check_authorization(test_node_false, 'iam:CreateUser', '*',
{'aws:SecureTransport': 'true'}))
self.assertTrue(
local_check_authorization(
test_node_false, 'iam:CreateUser', '*',
{'aws:SecureTransport': 'asdf'})) # policy sim behavior
self.assertTrue(
local_check_authorization(test_node_false, 'iam:CreateUser', '*',
{'aws:SecureTransport': 't'}))
def test_ipaddress_condition_handling(self):
""" Validate the following conditions are handled:
* IpAddress
* NotIpAddress
TODO: Check on ForAnyValue and ForAllValues
"""
# IpAddress: single IP
test_node_ipaddress = _build_user_with_policy({
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*',
'Condition': {
'IpAddress': {
'aws:SourceIp': '10.0.0.1'
}
}
}]
})
self.assertTrue(
local_check_authorization(test_node_ipaddress, 'iam:CreateUser',
'*', {'aws:SourceIp': '10.0.0.1'}))
self.assertFalse(
local_check_authorization(test_node_ipaddress, 'iam:CreateUser',
'*', {'aws:SourceIp': '10.0.0.2'}))
# IpAddress: IP range
test_node_ipaddress = _build_user_with_policy({
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*',
'Condition': {
'IpAddress': {
'aws:SourceIp': '10.0.0.0/8'
}
}
}]
})
self.assertTrue(
local_check_authorization(test_node_ipaddress, 'iam:CreateUser',
'*', {'aws:SourceIp': '10.0.0.1'}))
self.assertFalse(
local_check_authorization(test_node_ipaddress, 'iam:CreateUser',
'*', {'aws:SourceIp': '127.0.0.1'}))
# IpAddress: IP ranges
test_node_ipaddress = _build_user_with_policy({
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*',
'Condition': {
'IpAddress': {
'aws:SourceIp': ['10.0.0.0/8', '127.0.0.0/8']
}
}
}]
})
self.assertTrue(
local_check_authorization(test_node_ipaddress, 'iam:CreateUser',
'*', {'aws:SourceIp': '10.0.0.1'}))
self.assertTrue(
local_check_authorization(test_node_ipaddress, 'iam:CreateUser',
'*', {'aws:SourceIp': '127.0.0.1'}))
self.assertFalse(
local_check_authorization(test_node_ipaddress, 'iam:CreateUser',
'*', {'aws:SourceIp': '192.168.0.1'}))
def test_datetime_condition_handling(self):
""" Validate the following conditions are correctly handled:
DateEquals
DateNotEquals
DateLessThan
DateLessThanEquals
DateGreaterThan
DateGreaterThanEquals
TODO: Check on ForAnyValue and ForAllValues
"""
# DateEquals
test_node_date_equals = _build_user_with_policy({
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*',
'Condition': {
'DateEquals': {
'aws:CurrentTime': '2018-08-10T00:00:00Z'
}
}
}]
})
self.assertTrue(
local_check_authorization(
test_node_date_equals, 'iam:CreateUser', '*',
{'aws:CurrentTime': '2018-08-10T00:00:00Z'}))
self.assertTrue(
local_check_authorization(test_node_date_equals, 'iam:CreateUser',
'*',
{'aws:CurrentTime': '1533859200.0'}))
self.assertTrue(
local_check_authorization(test_node_date_equals, 'iam:CreateUser',
'*', {'aws:CurrentTime': '1533859200'}))
self.assertFalse(
local_check_authorization(test_node_date_equals, 'iam:CreateUser',
'*', {'aws:CurrentTime': '1533859201'}))
self.assertFalse(
local_check_authorization(
test_node_date_equals, 'iam:CreateUser', '*',
{'aws:CurrentTime': '2018-08-10T00:00:01Z'}))
# DateNotEquals
test_node_date_not_equals = _build_user_with_policy({
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*',
'Condition': {
'DateNotEquals': {
'aws:CurrentTime': '2018-08-10T00:00:00Z'
}
}
}]
})
self.assertFalse(
local_check_authorization(
test_node_date_not_equals, 'iam:CreateUser', '*',
{'aws:CurrentTime': '2018-08-10T00:00:00Z'}))
self.assertTrue(
local_check_authorization(
test_node_date_not_equals, 'iam:CreateUser', '*',
{'aws:CurrentTime': '2018-08-10T00:00:01Z'}))
# DateGreaterThan
test_node_date_greater_than = _build_user_with_policy({
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*',
'Condition': {
'DateGreaterThan': {
'aws:CurrentTime': '2018-08-10T00:00:00Z'
}
}
}]
})
self.assertFalse(
local_check_authorization(
test_node_date_greater_than, 'iam:CreateUser', '*',
{'aws:CurrentTime': '2018-08-10T00:00:00Z'}))
self.assertTrue(
local_check_authorization(
test_node_date_greater_than, 'iam:CreateUser', '*',
{'aws:CurrentTime': '2018-08-10T00:00:01Z'}))
# DateGreaterThanEquals
test_node_date_greater_than_equals = _build_user_with_policy({
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*',
'Condition': {
'DateGreaterThanEquals': {
'aws:CurrentTime': '2018-08-10T00:00:00Z'
}
}
}]
})
self.assertFalse(
local_check_authorization(
test_node_date_greater_than_equals, 'iam:CreateUser', '*',
{'aws:CurrentTime': '2018-08-09T23:59:59Z'}))
self.assertTrue(
local_check_authorization(
test_node_date_greater_than_equals, 'iam:CreateUser', '*',
{'aws:CurrentTime': '2018-08-10T00:00:00Z'}))
self.assertTrue(
local_check_authorization(
test_node_date_greater_than_equals, 'iam:CreateUser', '*',
{'aws:CurrentTime': '2018-08-10T00:00:01Z'}))
# DateLessThan
test_node_date_less_than = _build_user_with_policy({
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*',
'Condition': {
'DateLessThan': {
'aws:CurrentTime': '2018-08-10T00:00:00Z'
}
}
}]
})
self.assertTrue(
local_check_authorization(
test_node_date_less_than, 'iam:CreateUser', '*',
{'aws:CurrentTime': '2018-08-09T23:59:59Z'}))
self.assertFalse(
local_check_authorization(
test_node_date_less_than, 'iam:CreateUser', '*',
{'aws:CurrentTime': '2018-08-10T00:00:01Z'}))
# DateLessThanEquals
test_node_date_less_than_equals = _build_user_with_policy({
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*',
'Condition': {
'DateLessThanEquals': {
'aws:CurrentTime': '2018-08-10T00:00:00Z'
}
}
}]
})
self.assertTrue(
local_check_authorization(
test_node_date_less_than_equals, 'iam:CreateUser', '*',
{'aws:CurrentTime': '2018-08-09T23:59:59Z'}))
self.assertTrue(
local_check_authorization(
test_node_date_less_than_equals, 'iam:CreateUser', '*',
{'aws:CurrentTime': '2018-08-10T00:00:00Z'}))
self.assertFalse(
local_check_authorization(
test_node_date_less_than_equals, 'iam:CreateUser', '*',
{'aws:CurrentTime': '2018-08-10T00:00:01Z'}))
def test_null_condition_handling(self):
""" Validate the following conditions are correctly handled:
Null, ForAnyValue:Null, ForAllValues:Null
Validated against the Simulator API
"""
# Basic use validation
test_node_null = _build_user_with_policy({
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*',
'Condition': {
'Null': {
'aws:username':
'******', # aws:username MUST NOT be present
'aws:userid': 'false' # aws:userid MUST be present
}
}
}]
})
self.assertTrue(
local_check_authorization(test_node_null, 'iam:CreateUser', '*', {
'aws:userid': 'asdf',
'aws:username': ''
}))
self.assertFalse(
local_check_authorization(test_node_null, 'iam:CreateUser', '*', {
'aws:userid': '',
'aws:username': ''
}))
# Array use validation
test_node_null_array = _build_user_with_policy({
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*',
'Condition': {
'Null': {
'aws:username':
['true', 'false'], # doesn't matter if it's in or not
}
}
}]
})
self.assertTrue(
local_check_authorization(test_node_null_array, 'iam:CreateUser',
'*', {'aws:username': ''}))
self.assertTrue(
local_check_authorization(test_node_null_array, 'iam:CreateUser',
'*', {'aws:username': '******'}))
# ForAllValues: validation
test_node_null_forallvalues_1 = _build_user_with_policy({
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*',
'Condition': {
'ForAllValues:Null': { # For all valid context values...
'aws:username':
'******', # aws:username MUST be present
}
}
}]
})
self.assertTrue(
local_check_authorization(test_node_null_forallvalues_1,
'iam:CreateUser', '*',
{'aws:username': '******'}))
self.assertTrue(
local_check_authorization(test_node_null_forallvalues_1,
'iam:CreateUser', '*',
{'aws:username': ''}))
test_node_null_forallvalues_2 = _build_user_with_policy({
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*',
'Condition': {
'ForAllValues:Null': { # For all valid context values...
'aws:username':
'******', # aws:username MUST NOT be present
}
}
}]
})
self.assertFalse(
local_check_authorization(test_node_null_forallvalues_2,
'iam:CreateUser', '*',
{'aws:username': '******'}))
self.assertTrue(
local_check_authorization(test_node_null_forallvalues_2,
'iam:CreateUser', '*',
{'aws:username': ''}))
# ForAnyValue: validation
test_node_null_foranyvalue_1 = _build_user_with_policy({
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*',
'Condition': {
'ForAnyValue:Null': { # Among the valid context values...
'aws:username':
'******', # aws:username MUST NOT be present (cannot fulfill this)
}
}
}]
})
self.assertFalse(
local_check_authorization(test_node_null_foranyvalue_1,
'iam:CreateUser', '*',
{'aws:username': '******'}))
self.assertFalse(
local_check_authorization(test_node_null_foranyvalue_1,
'iam:CreateUser', '*',
{'aws:username': ''}))
test_node_null_foranyvalue_2 = _build_user_with_policy({
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*',
'Condition': {
'ForAnyValue:Null': { # Among the valid context values...
'aws:username':
'******', # aws:username MUST be present
}
}
}]
})
self.assertTrue(
local_check_authorization(test_node_null_foranyvalue_2,
'iam:CreateUser', '*',
{'aws:username': '******'}))
self.assertFalse(
local_check_authorization(test_node_null_foranyvalue_2,
'iam:CreateUser', '*',
{'aws:username': ''}))
def test_iam_assume_role(self):
"""Test that we are correctly validating policies for calls to `sts:AssumeRole`"""
trust_doc_1 = {
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Principal': {
'AWS': 'arn:aws:iam::000000000000:root'
},
'Action': 'sts:AssumeRole'
}]
}
trust_doc_2 = {
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Principal': {
'AWS': 'arn:aws:iam::999999999999:root'
},
'Action': 'sts:AssumeRole'
}]
}
iam_user_1 = _build_user_with_policy(
{
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': 'sts:AssumeRole',
'Resource': '*'
}]
}, 'single_user_policy', 'asdf1', '1')
iam_user_2 = _build_user_with_policy(
{
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': 's3:GetObject',
'Resource': '*'
}]
}, 'single_user_policy', 'asdf2', '2')
# account root + iam policy => authorized
self.assertTrue(
local_check_authorization_full(
iam_user_1, 'sts:AssumeRole',
'arn:aws:iam::000000000000:role/test1', {}, trust_doc_1,
'000000000000'))
# iam policy only => not authorized
self.assertFalse(
local_check_authorization_full(
iam_user_1, 'sts:AssumeRole',
'arn:aws:iam::000000000000:role/test1', {}, trust_doc_2,
'000000000000'))
# account root only => not authorized
self.assertFalse(
local_check_authorization_full(
iam_user_2, 'sts:AssumeRole',
'arn:aws:iam::000000000000:role/test1', {}, trust_doc_1,
'000000000000'))
# Neither the account root nor the iam policy => not authorized
self.assertFalse(
local_check_authorization_full(
iam_user_2, 'sts:AssumeRole',
'arn:aws:iam::000000000000:role/test1', {}, trust_doc_2,
'000000000000'))
# A user from another account
other_account_node = Node(
'arn:aws:iam::999999999999:role/test_other', 'ARIA00', [
Policy(
'arn:aws:iam::999999999999:role/test_other', 'inline1', {
'Version':
'2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': 'sts:AssumeRole',
'Resource': '*'
}]
})
], [], {}, [], 0, False, False, None, False, None)
self.assertFalse(
local_check_authorization_full(
other_account_node, 'sts:AssumeRole',
'arn:aws:iam::000000000000:role/test1', {}, trust_doc_1,
'000000000000'))
def test_permissions_boundary_with_resource_policy(self):
boundary_1 = Policy(
'arn:aws:iam::aws:policy/AssumeJumpRole',
'AssumeJumpRole',
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::000000000000:role/JumpRole",
"Effect": "Allow"
}
]
}
)
iam_user_1 = _build_user_with_policy(
{
'Version': '2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': '*',
'Resource': '*'
}]
},
'admin_policy',
'asdf1',
'1'
)
iam_user_1.permissions_boundary = boundary_1
boundary_2 = Policy(
'arn:aws:iam::aws:policy/EmptyPolicy',
'EmptyPolicy',
{
"Version": "2012-10-17",
"Statement": []
}
)
iam_user_2 = _build_user_with_policy(
{
'Version': '2012-10-17',
'Statement': []
},
'admin_policy',
'asdf2',
'2'
)
iam_user_2.permissions_boundary = boundary_2
trust_doc = {
'Version': '2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Principal': {
'AWS': [
'arn:aws:iam::000000000000:user/asdf2',
'arn:aws:iam::000000000000:root'
]
},
'Action': 'sts:AssumeRole'
}]
}
self.assertTrue(
local_check_authorization_full(
iam_user_1,
'sts:AssumeRole',
'arn:aws:iam::000000000000:role/JumpRole',
{},
trust_doc,
'000000000000'
)
)
self.assertTrue(
local_check_authorization_full(
iam_user_2,
'sts:AssumeRole',
'arn:aws:iam::000000000000:role/JumpRole',
{},
trust_doc,
'000000000000'
)
)
