Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
if operator_type_requirement is None:
self.add_finding(
"Unknown operator in condition: {}".format(operator),
severity.INVALID,
location={"location": condition_block},
)
if operator_type_requirement == "Bool":
value = list(condition_block.values())[0]
if value != "true" and value != "false":
self.add_finding(
"Null operation requires being matched against true or false but given {}".format(
condition_block
),
severity.INVALID,
location={"location": condition_block},
)
return False
for key in condition_block:
# The key here from the example is "s3:prefix"
condition_type = get_global_key_type(key)
if condition_type:
# This is a global key, like aws:CurrentTime
# Check if the values match the type (ex. must all be Date values)
if not is_value_in_correct_format_for_type(
condition_type, make_list(condition_block[key])
):
self.add_finding(
"Type mismatch: {} requires a value of type {} but given {}".format(
key, condition_type, condition_block[key]
op = documented_operator.lower()
if operator.lower() in [
op,
op + "ifexists",
"forallvalues:" + op,
"foranyvalue:" + op,
"forallvalues:" + op + "ifexists",
"foranyvalue:" + op + "ifexists",
]:
operator_type_requirement = OPERATORS[documented_operator]
break
if operator_type_requirement is None:
self.add_finding(
"Unknown operator in condition: {}".format(operator),
severity.INVALID,
location={"location": condition_block},
)
if operator_type_requirement == "Bool":
value = list(condition_block.values())[0]
if value != "true" and value != "false":
self.add_finding(
"Null operation requires being matched against true or false but given {}".format(
condition_block
),
severity.INVALID,
location={"location": condition_block},
)
return False
for key in condition_block:
location={"string": element},
)
return False
# Check Version
if "Version" not in self.policy_json:
self.add_finding(
"Policy does not contain a Version element", severity.MALFORMED
)
return False
self.version = self.policy_json["Version"]
if self.version not in ["2012-10-17", "2008-10-17"]:
self.add_finding(
"Unknown Version used. Version must be either 2012-10-17 or 2008-10-17",
severity.INVALID,
location={"string": self.version},
)
elif self.version != "2012-10-17":
# TODO I should have a check so that if an older version is being used,
# and a variable is detected, it should be marked as higher severity.
self.add_finding(
"Older version used. Variables will not be allowed.",
severity.LOW,
location={"string": self.version},
)
# Check Statements
if "Statement" not in self.policy_json:
self.add_finding(
"Policy does not contain a Statement element", severity.MALFORMED
)
)
if condition_type is not None:
# if operator_type_requirement.lower() == 'string' and condition_type.lower() = 'arn':
# # Ignore these.
# pass
if operator_type_requirement != translate_documentation_types(
condition_type
):
self.add_finding(
"Type mismatch: {} requires a value of type {} but given {}".format(
operator,
operator_type_requirement,
translate_documentation_types(condition_type),
),
severity.INVALID,
location={"location": condition_block},
)
# Check for known bad pattern
if operator.lower() == "bool":
if key.lower() == "aws:MultiFactorAuthPresent".lower() and "false" in make_list(
condition_block[key]
):
self.add_finding(
'Bad patttern: The condition {"Bool": {"aws:MultiFactorAuthPresent":"false"}} is bad because aws:MultiFactorAuthPresent may not exist so it does not enforce MFA. You likely want to use a Deny with BoolIfExists.',
severity.MEDIUM,
location={"location": condition_block},
)
elif operator.lower() == "null":
if key.lower == "aws:MultiFactorAuthPresent".lower() and "false" in make_list(
condition_block[key]
if condition_type is None:
raise Exception(
"Action condition not found in service definition for {}".format(
condition
)
)
if not is_value_in_correct_format_for_type(
condition_type, make_list(condition_block[key])
):
self.add_finding(
"Type mismatch: {} requires a value of type {} but given {}".format(
key, condition_type, condition_block[key]
),
severity.INVALID,
location={"location": condition_block},
)
if condition_type is not None:
# if operator_type_requirement.lower() == 'string' and condition_type.lower() = 'arn':
# # Ignore these.
# pass
if operator_type_requirement != translate_documentation_types(
condition_type
):
self.add_finding(
"Type mismatch: {} requires a value of type {} but given {}".format(
operator,
operator_type_requirement,
translate_documentation_types(condition_type),
),