How to use the parliament.finding.severity.INVALID function in parliament
To help you get started, we’ve selected a few parliament examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
duo-labs / cloudmapper / parliament / statement.py View on Github 
if operator_type_requirement is None:
self.add_finding(
"Unknown operator in condition: {}".format(operator),
severity.INVALID,
location={"location": condition_block},
)
if operator_type_requirement == "Bool":
value = list(condition_block.values())[0]
if value != "true" and value != "false":
self.add_finding(
"Null operation requires being matched against true or false but given {}".format(
condition_block
),
severity.INVALID,
location={"location": condition_block},
)
return False
for key in condition_block:
# The key here from the example is "s3:prefix"
condition_type = get_global_key_type(key)
if condition_type:
# This is a global key, like aws:CurrentTime
# Check if the values match the type (ex. must all be Date values)
if not is_value_in_correct_format_for_type(
condition_type, make_list(condition_block[key])
):
self.add_finding(
"Type mismatch: {} requires a value of type {} but given {}".format(
key, condition_type, condition_block[key]op = documented_operator.lower()
if operator.lower() in [
op,
op + "ifexists",
"forallvalues:" + op,
"foranyvalue:" + op,
"forallvalues:" + op + "ifexists",
"foranyvalue:" + op + "ifexists",
]:
operator_type_requirement = OPERATORS[documented_operator]
break
if operator_type_requirement is None:
self.add_finding(
"Unknown operator in condition: {}".format(operator),
severity.INVALID,
location={"location": condition_block},
)
if operator_type_requirement == "Bool":
value = list(condition_block.values())[0]
if value != "true" and value != "false":
self.add_finding(
"Null operation requires being matched against true or false but given {}".format(
condition_block
),
severity.INVALID,
location={"location": condition_block},
)
return False
for key in condition_block:location={"string": element},
)
return False
# Check Version
if "Version" not in self.policy_json:
self.add_finding(
"Policy does not contain a Version element", severity.MALFORMED
)
return False
self.version = self.policy_json["Version"]
if self.version not in ["2012-10-17", "2008-10-17"]:
self.add_finding(
"Unknown Version used. Version must be either 2012-10-17 or 2008-10-17",
severity.INVALID,
location={"string": self.version},
)
elif self.version != "2012-10-17":
# TODO I should have a check so that if an older version is being used,
# and a variable is detected, it should be marked as higher severity.
self.add_finding(
"Older version used. Variables will not be allowed.",
severity.LOW,
location={"string": self.version},
)
# Check Statements
if "Statement" not in self.policy_json:
self.add_finding(
"Policy does not contain a Statement element", severity.MALFORMED
))
if condition_type is not None:
# if operator_type_requirement.lower() == 'string' and condition_type.lower() = 'arn':
# # Ignore these.
# pass
if operator_type_requirement != translate_documentation_types(
condition_type
):
self.add_finding(
"Type mismatch: {} requires a value of type {} but given {}".format(
operator,
operator_type_requirement,
translate_documentation_types(condition_type),
),
severity.INVALID,
location={"location": condition_block},
)
# Check for known bad pattern
if operator.lower() == "bool":
if key.lower() == "aws:MultiFactorAuthPresent".lower() and "false" in make_list(
condition_block[key]
):
self.add_finding(
'Bad patttern: The condition {"Bool": {"aws:MultiFactorAuthPresent":"false"}} is bad because aws:MultiFactorAuthPresent may not exist so it does not enforce MFA. You likely want to use a Deny with BoolIfExists.',
severity.MEDIUM,
location={"location": condition_block},
)
elif operator.lower() == "null":
if key.lower == "aws:MultiFactorAuthPresent".lower() and "false" in make_list(
condition_block[key]if condition_type is None:
raise Exception(
"Action condition not found in service definition for {}".format(
condition
)
)
if not is_value_in_correct_format_for_type(
condition_type, make_list(condition_block[key])
):
self.add_finding(
"Type mismatch: {} requires a value of type {} but given {}".format(
key, condition_type, condition_block[key]
),
severity.INVALID,
location={"location": condition_block},
)
if condition_type is not None:
# if operator_type_requirement.lower() == 'string' and condition_type.lower() = 'arn':
# # Ignore these.
# pass
if operator_type_requirement != translate_documentation_types(
condition_type
):
self.add_finding(
"Type mismatch: {} requires a value of type {} but given {}".format(
operator,
operator_type_requirement,
translate_documentation_types(condition_type),
),parliament
parliament audits your AWS IAM policies
Package Health Score
83 / 100Popular parliament functions
- parliament.analyze_policy_string
- parliament.enhance_finding
- parliament.expand_action
- parliament.finding.Finding
- parliament.finding.severity
- parliament.finding.severity.INVALID
- parliament.finding.severity.LOW
- parliament.finding.severity.MALFORMED
- parliament.get_privilege_matches_for_resource_type
- parliament.get_resource_type_matches_from_arn
- parliament.iam_definition
- parliament.is_arn_match
- parliament.misc.make_list
- parliament.override_config
- parliament.policy.Policy
- parliament.statement.expand_action
- parliament.statement.is_valid_account_id
- parliament.statement.is_valid_region
- parliament.UnknownActionException
- parliament.UnknownPrefixException