def test_arn_match(self):
assert_true(is_arn_match("object", "arn:*:s3:::*/*", "arn:*:s3:::*/*"))
assert_true(is_arn_match("object", "*", "arn:*:s3:::*/*"))
assert_true(is_arn_match("object", "arn:*:s3:::*/*", "*"))
assert_true(is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::*personalize*"))
assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket"))
assert_false(
is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket/*"),
"Bucket and object types should not match",
)
assert_false(
is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::examplebucket"),
"Object and bucket types should not match",
)
assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket*", "arn:*:s3:::mybucket2"))
assert_true(is_arn_match("bucket", "arn:*:s3:::*", "arn:*:s3:::mybucket2"))
assert_false(
is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*")
)
assert_false(
is_arn_match("object", "arn:aws:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*")
)
assert_true(
is_arn_match("cloudfront",
def test_arn_match(self):
assert_true(is_arn_match("object", "arn:*:s3:::*/*", "arn:*:s3:::*/*"))
assert_true(is_arn_match("object", "*", "arn:*:s3:::*/*"))
assert_true(is_arn_match("object", "arn:*:s3:::*/*", "*"))
assert_true(is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::*personalize*"))
assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket"))
assert_false(
is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket/*"),
"Bucket and object types should not match",
)
assert_false(
is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::examplebucket"),
"Object and bucket types should not match",
)
assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket*", "arn:*:s3:::mybucket2"))
assert_true(is_arn_match("bucket", "arn:*:s3:::*", "arn:*:s3:::mybucket2"))
assert_false(
is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*")
)
assert_false(
is_arn_match("object", "arn:aws:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*")
)
assert_true(
is_arn_match("cloudfront",
"arn:aws:logs:*:*:/aws/cloudfront/*",
"arn:aws:logs:us-east-1:000000000000:/aws/cloudfront/test",
)
def test_arn_match(self):
    """Exercise is_arn_match(resource_type, pattern, candidate) on the S3 cases.

    Each row is (expected, resource_type, pattern, candidate, message).  The
    rows pin down four properties of the matcher:

    * a bare "*" on either side matches, and a partition wildcard in the
      pattern accepts a concrete "aws" partition in the candidate;
    * a "bucket" resource type never matches an object ARN (and an "object"
      type never matches a bucket ARN), even when the bucket name agrees;
    * a trailing "*" on a bucket name is a prefix match;
    * an S3 object pattern never matches a CloudWatch Logs ARN, whether or
      not the partition is wildcarded.

    The negative rows are the security-relevant ones: callers use a match to
    decide that a statement covers a resource, so an over-permissive match
    would make findings disappear rather than produce spurious ones.
    """
    cases = [
        (True, "object", "arn:*:s3:::*/*", "arn:*:s3:::*/*", None),
        (True, "object", "*", "arn:*:s3:::*/*", None),
        (True, "object", "arn:*:s3:::*/*", "*", None),
        (True, "object", "arn:*:s3:::*/*", "arn:aws:s3:::*personalize*", None),
        (True, "bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket", None),
        (
            False,
            "bucket",
            "arn:*:s3:::mybucket",
            "arn:*:s3:::mybucket/*",
            "Bucket and object types should not match",
        ),
        (
            False,
            "object",
            "arn:*:s3:::*/*",
            "arn:aws:s3:::examplebucket",
            "Object and bucket types should not match",
        ),
        (True, "bucket", "arn:*:s3:::mybucket*", "arn:*:s3:::mybucket2", None),
        (True, "bucket", "arn:*:s3:::*", "arn:*:s3:::mybucket2", None),
        (False, "object", "arn:*:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*", None),
        (False, "object", "arn:aws:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*", None),
    ]
    # Rows are checked in the original order so a failure points at the same
    # case it always did; assert_true/assert_false accept msg=None, so passing
    # the message through unconditionally is equivalent to omitting it.
    for expected, resource_type, pattern, candidate, message in cases:
        matched = is_arn_match(resource_type, pattern, candidate)
        if expected:
            assert_true(matched, message)
        else:
            assert_false(matched, message)
def test_arn_match(self):
assert_true(is_arn_match("object", "arn:*:s3:::*/*", "arn:*:s3:::*/*"))
assert_true(is_arn_match("object", "*", "arn:*:s3:::*/*"))
assert_true(is_arn_match("object", "arn:*:s3:::*/*", "*"))
assert_true(is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::*personalize*"))
assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket"))
assert_false(
is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket/*"),
"Bucket and object types should not match",
)
assert_false(
is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::examplebucket"),
"Object and bucket types should not match",
)
assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket*", "arn:*:s3:::mybucket2"))
assert_true(is_arn_match("bucket", "arn:*:s3:::*", "arn:*:s3:::mybucket2"))
assert_false(
is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*")
)
assert_false(
is_arn_match("object", "arn:aws:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*")
)
assert_true(
is_arn_match("cloudfront",
"arn:aws:logs:*:*:/aws/cloudfront/*",
"arn:aws:logs:us-east-1:000000000000:/aws/cloudfront/test",
)
"Bucket and object types should not match",
)
assert_false(
is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::examplebucket"),
"Object and bucket types should not match",
)
assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket*", "arn:*:s3:::mybucket2"))
assert_true(is_arn_match("bucket", "arn:*:s3:::*", "arn:*:s3:::mybucket2"))
assert_false(
is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*")
)
assert_false(
is_arn_match("object", "arn:aws:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*")
)
assert_true(
is_arn_match("cloudfront",
"arn:aws:logs:*:*:/aws/cloudfront/*",
"arn:aws:logs:us-east-1:000000000000:/aws/cloudfront/test",
)
def test_arn_match(self):
assert_true(is_arn_match("object", "arn:*:s3:::*/*", "arn:*:s3:::*/*"))
assert_true(is_arn_match("object", "*", "arn:*:s3:::*/*"))
assert_true(is_arn_match("object", "arn:*:s3:::*/*", "*"))
assert_true(is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::*personalize*"))
assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket"))
assert_false(
is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket/*"),
"Bucket and object types should not match",
)
assert_false(
is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::examplebucket"),
"Object and bucket types should not match",
)
assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket*", "arn:*:s3:::mybucket2"))
assert_true(is_arn_match("bucket", "arn:*:s3:::*", "arn:*:s3:::mybucket2"))
assert_false(
is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*")
)
assert_false(
def test_arn_match(self):
assert_true(is_arn_match("object", "arn:*:s3:::*/*", "arn:*:s3:::*/*"))
assert_true(is_arn_match("object", "*", "arn:*:s3:::*/*"))
assert_true(is_arn_match("object", "arn:*:s3:::*/*", "*"))
assert_true(is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::*personalize*"))
assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket"))
assert_false(
is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket/*"),
"Bucket and object types should not match",
)
assert_false(
is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::examplebucket"),
"Object and bucket types should not match",
)
assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket*", "arn:*:s3:::mybucket2"))
assert_true(is_arn_match("bucket", "arn:*:s3:::*", "arn:*:s3:::mybucket2"))
assert_false(
is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*")
def get_privilege_statements(policy_doc, privilege_matches, resource_arn, principal):
policy = parliament.policy.Policy(policy_doc)
policy.analyze()
policy_privilege_matches = []
for privilege_match in privilege_matches:
references = policy.get_references(
privilege_match["privilege_prefix"], privilege_match["privilege_name"]
)
statements_for_resource = []
for reference in references:
expanded_reference = replace_principal_variables(reference, principal)
# TODO I need to do something for NotResource and NotAction
if parliament.is_arn_match(
privilege_match["resource_type"], expanded_reference, resource_arn
):
# We now have a bunch of statements that match the privileges and resource of interest.
# Now we need to check if the statement is allowed by its conditions.
# We'll append the allowed statements to a second list, and then swap that list in.
stmts = references[reference]
condition_allowed_stmts = []
for stmt in stmts:
allowed_by_conditions = True
for condition_function in stmt.stmt.get("Condition", {}):
condition_values = stmt.stmt["Condition"][condition_function]
condition_result = get_condition_result(condition_function, condition_values, resource_arn, principal)
# TODO Need to do something different for Deny, to avoid false negatives
if condition_result is not None:
if condition_result == False:
allowed_by_conditions = False
# Iterate through the resources defined in the action definition
for resource_type in privilege_info["resource_types"]:
resource_type = resource_type["resource_type"]
# Only check the required resources which have a "*" at the end
if "*" not in resource_type:
continue
arn_format = get_arn_format(
resource_type, privilege_info["service_resources"]
)
# At least one resource has to match the action's required resources
match_found = False
for resource in resources:
if is_arn_match(resource_type, arn_format, resource):
match_found = True
continue
if resource == "*":
# TODO I shouldn't allow this as a match,
# but am for now as I'll get too many findings otherwise
match_found = True
continue
if not match_found:
self.add_finding(
"No resources match for {}:{} which requires a resource format of {} for the resource {}".format(
action_struct["service"],
action_struct["action"],
arn_format,
resource_type,
),