How to use the parliament.expand_action function in parliament

To help you get started, we’ve selected a few parliament examples of `expand_action` based on popular ways it is used in public projects.


Source: github duo-labs / cloudmapper / parliament / statement.py
severity.MALFORMED,
                    location={"string": self.stmt},
                )
                return False

        # Expand the actions from s3:Get* to s3:GetObject and others
        expanded_actions = []
        for action in actions:
            # Handle special case where all actions are allowed
            if action == "*" or action == "*:*":
                # TODO Should ensure the resource is "*" with this action
                continue

            try:
                # Given an action such as "s3:List*", return all the possible values it could have
                expanded_actions.extend(expand_action(action))
            except Exception as e:
                self.add_finding(e, severity.INVALID, location={"string": self.stmt})
                return False

        # Check the resources are correct formatted correctly
        has_malformed_resource = False
        for resource in resources:
            if resource == "*":
                continue
            parts = resource.split(":")
            if len(parts) < 6:
                has_malformed_resource = True
                self.add_finding(
                    "Malformed resource, should have 6 parts, arn:partition:service:region:account:id",
                    severity.MALFORMED,
                    location={"string": resource},
Source: github duo-labs / parliament / parliament / statement.py
detail="Condition formatted incorrectly",
                    location={"string": self.stmt},
                )
                return False

        # Expand the actions from s3:Get* to s3:GetObject and others
        expanded_actions = []
        for action in actions:
            # Handle special case where all actions are allowed
            if action == "*" or action == "*:*":
                # TODO Should ensure the resource is "*" with this action
                continue

            try:
                # Given an action such as "s3:List*", return all the possible values it could have
                expanded_actions.extend(expand_action(action))
            except UnknownActionException as e:
                self.add_finding(
                    "UNKNOWN_ACTION", detail=str(e), location={"unknown_action": action, "statement": self.stmt}
                )
                return False
            except UnknownPrefixException as e:
                self.add_finding(
                    "UNKNOWN_PREFIX", detail=str(e), location={"statement": self.stmt}
                )
                return False
            except Exception as e:
                self.add_finding(
                    "EXCEPTION", detail=str(e), location={"statement": self.stmt}
                )
                return False
Source: github duo-labs / parliament / parliament / statement.py
for action_struct in expanded_actions:
                    if (
                        action_struct["service"] == privilege_prefix
                        and action_struct["action"] == privilege_name
                    ):
                        return True
            return False

        # Else, we're dealing with a NotAction
        for action in make_list(self.stmt["NotAction"]):
            if action == "*" or action == "*:*":
                # I don't think it makes sense to have a "NotAction" of "*", but I'm including this check anyway.
                return False

            for action_struct in expand_action(action, raise_exceptions=False):
                if (
                    action_struct["service"] == privilege_prefix
                    and action_struct["action"] == privilege_name
                ):
                    return False
        return True
Source: github duo-labs / cloudmapper / commands / access_check.py
# Find resource types that match the given ARN
    # args.resource_arn is caller-supplied (presumably parsed CLI arguments); it
    # is only handed to a parliament lookup here, and an ARN that matches no
    # known resource type is treated as a hard error rather than "no access".
    resource_type_matches = parliament.get_resource_type_matches_from_arn(
        args.resource_arn
    )
    if len(resource_type_matches) == 0:
        raise Exception("Unknown ARN type for {}".format(args.resource_arn))

    # Find privileges that match this resource type
    privilege_matches = parliament.get_privilege_matches_for_resource_type(
        resource_type_matches
    )

    # Check if we were given a privilege
    if args.privilege is not None:
        # Confirm these privileges exist
        # NOTE(review): expand_action is expected to turn a wildcard such as
        # "s3:List*" into its concrete actions. In the statement.py snippets on
        # this page it raises for unknown actions unless raise_exceptions=False
        # is passed, so whether an empty list (rather than an exception) can
        # ever reach the length check below depends on the installed parliament
        # version -- confirm before relying on the "Unknown privilege" message.
        expanded_actions = parliament.expand_action(args.privilege)
        if len(expanded_actions) == 0:
            raise Exception("Unknown privilege {}".format(args.privilege))

        # Narrow privilege_matches to the privileges named by the expanded
        # actions. The comparison is exact on both service prefix and action
        # name, so all wildcard handling lives in expand_action.
        new_privilege_matches = []
        for action in expanded_actions:
            for privilege in privilege_matches:
                if (
                    action["service"] == privilege["privilege_prefix"]
                    and action["action"] == privilege["privilege_name"]
                ):
                    new_privilege_matches.append(privilege)
        privilege_matches = new_privilege_matches

    # Nothing is left to evaluate: neither the ARN's resource type nor the
    # optional privilege filter selected a known privilege.
    if len(privilege_matches) == 0:
        raise Exception("No privileges exist for the given argument set")
Source: github duo-labs / cloudmapper / parliament / statement.py
def in_actions(self, privilege_prefix, privilege_name):
        """
        Given "s3" "GetObject", determine if the privilege is in this statement.
        This could happen either because the Action is ["s3:GetObject"] or ["s3:*", "ec2:*"]
        or because the action is not in the NotAction. For example, if we have an Allow on NotAction "ec2:*",
        then this, with "s3" "GetObject" returns True.
        """

        if "Action" in self.stmt:
            for action in make_list(self.stmt["Action"]):
                if action == "*" or action == "*:*":
                    return True

                for action_struct in expand_action(action, raise_exceptions=False):
                    if (
                        action_struct["service"] == privilege_prefix
                        and action_struct["action"] == privilege_name
                    ):
                        return True
            return False

        # Else, we're dealing with a NotAction
        for action in make_list(self.stmt["NotAction"]):
            if action == "*" or action == "*:*":
                # I don't think it makes sense to have a "NotAction" of "*", but I'm including this check anyway.
                return False

            for action_struct in expand_action(action, raise_exceptions=False):
                if (
                    action_struct["service"] == privilege_prefix
Source: github duo-labs / parliament / parliament / statement.py
def in_actions(self, privilege_prefix, privilege_name):
        """
        Given "s3" "GetObject", determine if the privilege is in this statement.
        This could happen either because the Action is ["s3:GetObject"] or ["s3:*", "ec2:*"]
        or because the action is not in the NotAction. For example, if we have an Allow on NotAction "ec2:*",
        then this, with "s3" "GetObject" returns True.
        """

        if "Action" in self.stmt:
            for action in make_list(self.stmt["Action"]):
                if action == "*" or action == "*:*":
                    return True

                expanded_actions = expand_action(action, raise_exceptions=False)

                for action_struct in expanded_actions:
                    if (
                        action_struct["service"] == privilege_prefix
                        and action_struct["action"] == privilege_name
                    ):
                        return True
            return False

        # Else, we're dealing with a NotAction
        for action in make_list(self.stmt["NotAction"]):
            if action == "*" or action == "*:*":
                # I don't think it makes sense to have a "NotAction" of "*", but I'm including this check anyway.
                return False

            for action_struct in expand_action(action, raise_exceptions=False):