How to use the policyuniverse.get_actions_from_statement function in policyuniverse

To help you get started, we’ve selected a few policyuniverse examples, based on popular ways it is used in public projects.

github Netflix-Skunkworks / policyuniverse / tests / TestMethods.py View on Github external
def test_get_actions_from_statement(self):
    """Pin how get_actions_from_statement combines Action and NotAction.

    The statement carries one action string under ``Action`` (presumably
    not a real EC2 permission, going by its name) and every entry of
    ``all_permissions`` under ``NotAction``. The test expects exactly
    that one action string back, as a set.
    """
    unknown_action = "ec2:thispermissiondoesntexist"
    policy_statement = {
        "Action": unknown_action,
        "NotAction": list(all_permissions),
        "Resource": "*",
        "Effect": "Allow",
    }
    actions = get_actions_from_statement(policy_statement)
    self.assertEqual(actions, {unknown_action})
    # Smoke check only: a bare-string NotAction with no Action key must
    # not raise. The returned value is deliberately not asserted.
    get_actions_from_statement({"NotAction": "abc"})
github Netflix-Skunkworks / policyuniverse / tests / TestMethods.py View on Github external
def test_get_actions_from_statement(self):
    """Exercise get_actions_from_statement with both Action and NotAction set.

    ``NotAction`` lists every known permission and ``Action`` holds a
    single string that, judging by its name, is not a real permission;
    the expected result is a set containing only that string.
    """
    bogus = "ec2:thispermissiondoesntexist"
    stmt = dict(
        Action=bogus,
        NotAction=list(all_permissions),
        Resource="*",
        Effect="Allow",
    )
    self.assertEqual(get_actions_from_statement(stmt), {bogus})
    # No assertion on the result here: the call only has to complete
    # without raising when NotAction is a plain string.
    get_actions_from_statement({"NotAction": "abc"})
github Netflix / repokid / repokid / utils / roledata.py View on Github external
# Fragment of a function body (the def line is not part of this excerpt).
# It gathers the actions granted by the Allow statements of every policy in
# policy_dict into two sets: total_permissions and eligible_permissions.
for policy_name, policy in list(policy_dict.items()):
        # NOTE(review): presumably expands wildcard actions while leaving Deny
        # statements unexpanded (expand_deny=False) - confirm in policyuniverse.
        policy = expand_policy(policy=policy, expand_deny=False)
        # NOTE(review): .get("Statement") yields None if the key is missing, and
        # iterating a single-statement dict would yield its keys; this loop
        # relies on Statement being a list at this point - confirm that
        # expand_policy guarantees it.
        for statement in policy.get("Statement"):
            # Only Allow statements contribute. Deny statements are not
            # subtracted, so both sets describe what is granted by Allow
            # statements rather than the net effective permissions.
            if statement["Effect"].lower() == "allow":
                total_permissions = total_permissions.union(
                    get_actions_from_statement(statement)
                )
                # A statement whose Sid starts with STATEMENT_SKIP_SID still
                # counts towards total_permissions but is kept out of
                # eligible_permissions.
                # NOTE(review): the exemption depends only on a Sid prefix, so
                # anyone able to write the policy can apply it; statements
                # carrying that prefix deserve review.
                if not (
                    "Sid" in statement
                    and statement["Sid"].startswith(STATEMENT_SKIP_SID)
                ):
                    # Reached in two cases:
                    # No Sid
                    # Sid exists, but doesn't start with STATEMENT_SKIP_SID
                    eligible_permissions = eligible_permissions.union(
                        get_actions_from_statement(statement)
                    )

    # Actions that appear in the policies but are absent from all_permissions.
    weird_permissions = total_permissions.difference(all_permissions)
    # Unknown actions are only logged, and only when warn_unknown_perms is
    # truthy; they are not removed from the returned sets.
    # NOTE(review): if LOGGER is a standard-library logging.Logger, warn() is a
    # deprecated alias of warning().
    if weird_permissions and warn_unknown_perms:
        LOGGER.warn("Unknown permissions found: {}".format(weird_permissions))

    return total_permissions, eligible_permissions
github Netflix / repokid / repokid / utils / roledata.py View on Github external
warn_unknown_perms

    Returns
        tuple
        set - all permissions allowed by the policies
        set - all permissions allowed by the policies not marked with STATEMENT_SKIP_SID
    """
    # Remainder of a function body (the signature and the start of the
    # docstring are not part of this excerpt).
    # total_permissions: every action granted by an Allow statement.
    # eligible_permissions: the same, minus statements exempted by Sid prefix.
    total_permissions = set()
    eligible_permissions = set()

    for policy_name, policy in list(policy_dict.items()):
        # NOTE(review): presumably expands wildcards in Allow statements only
        # (expand_deny=False) - confirm against policyuniverse.
        policy = expand_policy(policy=policy, expand_deny=False)
        # NOTE(review): a missing "Statement" key makes .get() return None and
        # this loop raise TypeError; a single-statement dict would be iterated
        # key by key. Confirm expand_policy always leaves a list here.
        for statement in policy.get("Statement"):
            # Deny statements are skipped entirely, so the result is the union
            # of what Allow statements grant, not the net effective access.
            if statement["Effect"].lower() == "allow":
                total_permissions = total_permissions.union(
                    get_actions_from_statement(statement)
                )
                # Statements whose Sid starts with STATEMENT_SKIP_SID are
                # counted in total_permissions only.
                # NOTE(review): the exemption is controlled purely by the Sid
                # text in the policy document; treat the ability to edit the
                # policy as the ability to grant the exemption.
                if not (
                    "Sid" in statement
                    and statement["Sid"].startswith(STATEMENT_SKIP_SID)
                ):
                    # Reached in two cases:
                    # No Sid
                    # Sid exists, but doesn't start with STATEMENT_SKIP_SID
                    eligible_permissions = eligible_permissions.union(
                        get_actions_from_statement(statement)
                    )

    # Actions found in the policies that all_permissions does not contain.
    weird_permissions = total_permissions.difference(all_permissions)
    # These are reported through the logger when warn_unknown_perms is truthy,
    # and stay in the returned sets either way.
    # NOTE(review): on a standard-library logging.Logger, warn() is a
    # deprecated alias of warning().
    if weird_permissions and warn_unknown_perms:
        LOGGER.warn("Unknown permissions found: {}".format(weird_permissions))

    return total_permissions, eligible_permissions
github Netflix / repokid / repokid / utils / roledata.py View on Github external
empty_policies = []
    for policy_name, policy in list(role_policies.items()):
        # list of indexes in the policy that are empty
        empty_statements = []

        if type(policy["Statement"]) is dict:
            policy["Statement"] = [policy["Statement"]]

        for idx, statement in enumerate(policy["Statement"]):
            if statement["Effect"].lower() == "allow":
                if "Sid" in statement and statement["Sid"].startswith(
                    STATEMENT_SKIP_SID
                ):
                    continue

                statement_actions = get_actions_from_statement(statement)

                if not statement_actions.intersection(repoable_permissions):
                    # No permissions are being taken away; let's not modify this statement at all.
                    continue

                statement_actions = statement_actions.difference(repoable_permissions)

                # get_actions_from_statement has already inverted this so our new statement should be 'Action'
                if "NotAction" in statement:
                    del statement["NotAction"]

                # by putting this into a set, we lose order, which may be confusing to someone.
                statement["Action"] = sorted(list(statement_actions))

                # mark empty statements to be removed
                if len(statement["Action"]) == 0: