How to use the parliament.is_arn_match function in parliament

To help you get started, we’ve selected a few parliament examples, based on popular ways it is used in public projects.


def test_arn_match(self):
        assert_true(is_arn_match("object", "arn:*:s3:::*/*", "arn:*:s3:::*/*"))
        assert_true(is_arn_match("object", "*", "arn:*:s3:::*/*"))
        assert_true(is_arn_match("object", "arn:*:s3:::*/*", "*"))
        assert_true(is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::*personalize*"))
        assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket"))
        assert_false(
            is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket/*"),
            "Bucket and object types should not match",
        )
        assert_false(
            is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::examplebucket"),
            "Object and bucket types should not match",
        )
        assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket*", "arn:*:s3:::mybucket2"))
        assert_true(is_arn_match("bucket", "arn:*:s3:::*", "arn:*:s3:::mybucket2"))
        assert_false(
            is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*")
        )
        assert_false(
            is_arn_match("object", "arn:aws:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*")
        )
        assert_true(
            is_arn_match("cloudfront",
def test_arn_match(self):
        assert_true(is_arn_match("object", "arn:*:s3:::*/*", "arn:*:s3:::*/*"))
        assert_true(is_arn_match("object", "*", "arn:*:s3:::*/*"))
        assert_true(is_arn_match("object", "arn:*:s3:::*/*", "*"))
        assert_true(is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::*personalize*"))
        assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket"))
        assert_false(
            is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket/*"),
            "Bucket and object types should not match",
        )
        assert_false(
            is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::examplebucket"),
            "Object and bucket types should not match",
        )
        assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket*", "arn:*:s3:::mybucket2"))
        assert_true(is_arn_match("bucket", "arn:*:s3:::*", "arn:*:s3:::mybucket2"))
        assert_false(
            is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*")
        )
        assert_false(
            is_arn_match("object", "arn:aws:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*")
        )
        assert_true(
            is_arn_match("cloudfront", 
                "arn:aws:logs:*:*:/aws/cloudfront/*",
                "arn:aws:logs:us-east-1:000000000000:/aws/cloudfront/test",
            )
def test_arn_match(self):
    """Exercise is_arn_match on S3 object/bucket patterns and one cross-service case.

    Each row is (expected, resource_type, pattern, arn, message). The message
    is forwarded to the assertion only for the rows that carry one, so the
    sequence of assert_true/assert_false calls is the same as the original test.
    """
    cases = [
        # Object patterns: a wildcard on either side of the comparison matches.
        (True, "object", "arn:*:s3:::*/*", "arn:*:s3:::*/*", None),
        (True, "object", "*", "arn:*:s3:::*/*", None),
        (True, "object", "arn:*:s3:::*/*", "*", None),
        (True, "object", "arn:*:s3:::*/*", "arn:aws:s3:::*personalize*", None),
        # Exact bucket match.
        (True, "bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket", None),
        # A bucket ARN and an object ARN are distinct resource types; neither
        # direction may match, so a grant on one is not reported as a grant on the other.
        (
            False,
            "bucket",
            "arn:*:s3:::mybucket",
            "arn:*:s3:::mybucket/*",
            "Bucket and object types should not match",
        ),
        (
            False,
            "object",
            "arn:*:s3:::*/*",
            "arn:aws:s3:::examplebucket",
            "Object and bucket types should not match",
        ),
        # Prefix and full wildcards on the bucket name.
        (True, "bucket", "arn:*:s3:::mybucket*", "arn:*:s3:::mybucket2", None),
        (True, "bucket", "arn:*:s3:::*", "arn:*:s3:::mybucket2", None),
        # An ARN from another service (logs) must not match an S3 object pattern,
        # with or without a partition wildcard in the pattern.
        (False, "object", "arn:*:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*", None),
        (False, "object", "arn:aws:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*", None),
    ]
    for expected, resource_type, pattern, arn, message in cases:
        outcome = is_arn_match(resource_type, pattern, arn)
        check = assert_true if expected else assert_false
        if message is None:
            check(outcome)
        else:
            check(outcome, message)
def test_arn_match(self):
        assert_true(is_arn_match("object", "arn:*:s3:::*/*", "arn:*:s3:::*/*"))
        assert_true(is_arn_match("object", "*", "arn:*:s3:::*/*"))
        assert_true(is_arn_match("object", "arn:*:s3:::*/*", "*"))
        assert_true(is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::*personalize*"))
        assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket"))
        assert_false(
            is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket/*"),
            "Bucket and object types should not match",
        )
        assert_false(
            is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::examplebucket"),
            "Object and bucket types should not match",
        )
        assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket*", "arn:*:s3:::mybucket2"))
        assert_true(is_arn_match("bucket", "arn:*:s3:::*", "arn:*:s3:::mybucket2"))
        assert_false(
            is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*")
        )
        assert_false(
            is_arn_match("object", "arn:aws:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*")
        )
        assert_true(
            is_arn_match("cloudfront", 
                "arn:aws:logs:*:*:/aws/cloudfront/*",
                "arn:aws:logs:us-east-1:000000000000:/aws/cloudfront/test",
            )
"Bucket and object types should not match",
        )
        assert_false(
            is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::examplebucket"),
            "Object and bucket types should not match",
        )
        assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket*", "arn:*:s3:::mybucket2"))
        assert_true(is_arn_match("bucket", "arn:*:s3:::*", "arn:*:s3:::mybucket2"))
        assert_false(
            is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*")
        )
        assert_false(
            is_arn_match("object", "arn:aws:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*")
        )
        assert_true(
            is_arn_match("cloudfront", 
                "arn:aws:logs:*:*:/aws/cloudfront/*",
                "arn:aws:logs:us-east-1:000000000000:/aws/cloudfront/test",
            )
def test_arn_match(self):
        assert_true(is_arn_match("object", "arn:*:s3:::*/*", "arn:*:s3:::*/*"))
        assert_true(is_arn_match("object", "*", "arn:*:s3:::*/*"))
        assert_true(is_arn_match("object", "arn:*:s3:::*/*", "*"))
        assert_true(is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::*personalize*"))
        assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket"))
        assert_false(
            is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket/*"),
            "Bucket and object types should not match",
        )
        assert_false(
            is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::examplebucket"),
            "Object and bucket types should not match",
        )
        assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket*", "arn:*:s3:::mybucket2"))
        assert_true(is_arn_match("bucket", "arn:*:s3:::*", "arn:*:s3:::mybucket2"))
        assert_false(
            is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*")
        )
        assert_false(
def test_arn_match(self):
        assert_true(is_arn_match("object", "arn:*:s3:::*/*", "arn:*:s3:::*/*"))
        assert_true(is_arn_match("object", "*", "arn:*:s3:::*/*"))
        assert_true(is_arn_match("object", "arn:*:s3:::*/*", "*"))
        assert_true(is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::*personalize*"))
        assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket"))
        assert_false(
            is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket/*"),
            "Bucket and object types should not match",
        )
        assert_false(
            is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::examplebucket"),
            "Object and bucket types should not match",
        )
        assert_true(is_arn_match("bucket", "arn:*:s3:::mybucket*", "arn:*:s3:::mybucket2"))
        assert_true(is_arn_match("bucket", "arn:*:s3:::*", "arn:*:s3:::mybucket2"))
        assert_false(
            is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*")
def get_privilege_statements(policy_doc, privilege_matches, resource_arn, principal):
    policy = parliament.policy.Policy(policy_doc)
    policy.analyze()

    policy_privilege_matches = []

    for privilege_match in privilege_matches:
        references = policy.get_references(
            privilege_match["privilege_prefix"], privilege_match["privilege_name"]
        )

        statements_for_resource = []
        for reference in references:
            expanded_reference = replace_principal_variables(reference, principal)
            # TODO I need to do something for NotResource and NotAction
            if parliament.is_arn_match(
                privilege_match["resource_type"], expanded_reference, resource_arn
            ):
                # We now have a bunch of statements that match the privileges and resource of interest.
                # Now we need to check if the statement is allowed by its conditions.
                # We'll append the allowed statements to a second list, and then swap that list in.
                stmts = references[reference]
                condition_allowed_stmts = []
                for stmt in stmts:
                    allowed_by_conditions = True
                    for condition_function in stmt.stmt.get("Condition", {}):
                        condition_values = stmt.stmt["Condition"][condition_function]
                        condition_result = get_condition_result(condition_function, condition_values, resource_arn, principal)
                        # TODO Need to do something different for Deny, to avoid false negatives
                        if condition_result is not None:
                            if condition_result == False:
                                allowed_by_conditions = False
# Iterate through the resources defined in the action definition
                for resource_type in privilege_info["resource_types"]:
                    resource_type = resource_type["resource_type"]

                    # Only check the required resources which have a "*" at the end
                    if "*" not in resource_type:
                        continue

                    arn_format = get_arn_format(
                        resource_type, privilege_info["service_resources"]
                    )

                    # At least one resource has to match the action's required resources
                    match_found = False
                    for resource in resources:
                        if is_arn_match(resource_type, arn_format, resource):
                            match_found = True
                            continue
                        if resource == "*":
                            # TODO I shouldn't allow this as a match,
                            # but am for now as I'll get too many findings otherwise
                            match_found = True
                            continue

                    if not match_found:
                        self.add_finding(
                            "No resources match for {}:{} which requires a resource format of {} for the resource {}".format(
                                action_struct["service"],
                                action_struct["action"],
                                arn_format,
                                resource_type,
                            ),