severity.MALFORMED,
location={"string": self.stmt},
)
return False
# Expand the actions from s3:Get* to s3:GetObject and others
expanded_actions = []
for action in actions:
# Handle special case where all actions are allowed
if action == "*" or action == "*:*":
# TODO Should ensure the resource is "*" with this action
continue
try:
# Given an action such as "s3:List*", return all the possible values it could have
expanded_actions.extend(expand_action(action))
except Exception as e:
self.add_finding(e, severity.INVALID, location={"string": self.stmt})
return False
# Check the resources are correct formatted correctly
has_malformed_resource = False
for resource in resources:
if resource == "*":
continue
parts = resource.split(":")
if len(parts) < 6:
has_malformed_resource = True
self.add_finding(
"Malformed resource, should have 6 parts, arn:partition:service:region:account:id",
severity.MALFORMED,
location={"string": resource},
detail="Condition formatted incorrectly",
location={"string": self.stmt},
)
return False
# Expand the actions from s3:Get* to s3:GetObject and others
expanded_actions = []
for action in actions:
# Handle special case where all actions are allowed
if action == "*" or action == "*:*":
# TODO Should ensure the resource is "*" with this action
continue
try:
# Given an action such as "s3:List*", return all the possible values it could have
expanded_actions.extend(expand_action(action))
except UnknownActionException as e:
self.add_finding(
"UNKNOWN_ACTION", detail=str(e), location={"unknown_action": action, "statement": self.stmt}
)
return False
except UnknownPrefixException as e:
self.add_finding(
"UNKNOWN_PREFIX", detail=str(e), location={"statement": self.stmt}
)
return False
except Exception as e:
self.add_finding(
"EXCEPTION", detail=str(e), location={"statement": self.stmt}
)
return False
for action_struct in expanded_actions:
if (
action_struct["service"] == privilege_prefix
and action_struct["action"] == privilege_name
):
return True
return False
# Else, we're dealing with a NotAction
for action in make_list(self.stmt["NotAction"]):
if action == "*" or action == "*:*":
# I don't think it makes sense to have a "NotAction" of "*", but I'm including this check anyway.
return False
for action_struct in expand_action(action, raise_exceptions=False):
if (
action_struct["service"] == privilege_prefix
and action_struct["action"] == privilege_name
):
return False
return True
# Find resource types that match the given ARN.
# An ARN that maps to no known resource type is treated as a hard error
# (generic Exception) rather than an empty result.
resource_type_matches = parliament.get_resource_type_matches_from_arn(
args.resource_arn
)
if len(resource_type_matches) == 0:
raise Exception("Unknown ARN type for {}".format(args.resource_arn))
# Find the privileges that apply to the matched resource type(s).
privilege_matches = parliament.get_privilege_matches_for_resource_type(
resource_type_matches
)
# Check if we were given a privilege; if so, narrow privilege_matches to it.
if args.privilege is not None:
# Confirm these privileges exist.
# expand_action turns a pattern such as "s3:Get*" into concrete actions;
# an empty expansion means nothing known matched the argument.
expanded_actions = parliament.expand_action(args.privilege)
if len(expanded_actions) == 0:
raise Exception("Unknown privilege {}".format(args.privilege))
# Keep only the resource-type privileges that an expanded action names.
# The match is exact string equality on service and action name.
# NOTE(review): IAM matches action names case-insensitively, so this relies on
# expand_action and the privilege table already agreeing on case -- confirm.
new_privilege_matches = []
for action in expanded_actions:
for privilege in privilege_matches:
if (
action["service"] == privilege["privilege_prefix"]
and action["action"] == privilege["privilege_name"]
):
new_privilege_matches.append(privilege)
privilege_matches = new_privilege_matches
# Nothing left to evaluate for this ARN / privilege combination.
# NOTE(review): indentation is flattened in this listing, so whether this check
# sits inside or after the `if args.privilege` branch can't be confirmed here.
if len(privilege_matches) == 0:
raise Exception("No privileges exist for the given argument set")
def in_actions(self, privilege_prefix, privilege_name):
"""
Given "s3" "GetObject", determine if the privilege is in this statement.
This could happen either because the Action is ["s3:GetObject"] or ["s3:*", "ec2:*"]
or because the action is not in the NotAction. For example, if we have an Allow on NotAction "ec2:*",
then this, with "s3" "GetObject" returns True.
"""
if "Action" in self.stmt:
for action in make_list(self.stmt["Action"]):
if action == "*" or action == "*:*":
return True
for action_struct in expand_action(action, raise_exceptions=False):
if (
action_struct["service"] == privilege_prefix
and action_struct["action"] == privilege_name
):
return True
return False
# Else, we're dealing with a NotAction
for action in make_list(self.stmt["NotAction"]):
if action == "*" or action == "*:*":
# I don't think it makes sense to have a "NotAction" of "*", but I'm including this check anyway.
return False
for action_struct in expand_action(action, raise_exceptions=False):
if (
action_struct["service"] == privilege_prefix
def in_actions(self, privilege_prefix, privilege_name):
"""
Given "s3" "GetObject", determine if the privilege is in this statement.
This could happen either because the Action is ["s3:GetObject"] or ["s3:*", "ec2:*"]
or because the action is not in the NotAction. For example, if we have an Allow on NotAction "ec2:*",
then this, with "s3" "GetObject" returns True.
"""
if "Action" in self.stmt:
for action in make_list(self.stmt["Action"]):
if action == "*" or action == "*:*":
return True
expanded_actions = expand_action(action, raise_exceptions=False)
for action_struct in expanded_actions:
if (
action_struct["service"] == privilege_prefix
and action_struct["action"] == privilege_name
):
return True
return False
# Else, we're dealing with a NotAction
for action in make_list(self.stmt["NotAction"]):
if action == "*" or action == "*:*":
# I don't think it makes sense to have a "NotAction" of "*", but I'm including this check anyway.
return False
for action_struct in expand_action(action, raise_exceptions=False):