util.policy_files
util.policy_files
A few methods for parsing policies.
get_actions_from_json_policy_file(file)
read the json policy file and return a list of actions
Source code in policy_sentry/util/policy_files.py
def get_actions_from_json_policy_file(file):
"""
read the json policy file and return a list of actions
"""
# FIXME use a try/expect here to validate the json file. I would create a generic json
try:
with open(file) as json_file:
# validation function/parser as there is a lot of json floating around
# in this tool. [MJ]
data = json.load(json_file)
actions_list = get_actions_from_policy(data)
except: # pylint: disable=bare-except
logger.debug("General Error at get_actions_from_json_policy_file.")
actions_list = []
return actions_list
get_actions_from_policy(data)
Given a policy dictionary, create a list of the actions
Source code in policy_sentry/util/policy_files.py
def get_actions_from_policy(data):
"""Given a policy dictionary, create a list of the actions"""
actions_list = []
statement_clause = data.get("Statement")
# Statement must be a dict if it's a single statement. Otherwise it will be a list of statements
if isinstance(statement_clause, dict):
actions_list.extend(get_actions_from_statement(statement_clause))
# Otherwise it will be a list of Sids
elif isinstance(statement_clause, list):
for statement in data["Statement"]:
actions_list.extend(get_actions_from_statement(statement))
else:
logger.critical("Unknown error: The 'Statement' is neither a dict nor a list")
actions_list = [x.lower() for x in actions_list]
new_actions_list = []
for action in actions_list:
service, action_name = action.split(":")
action_data = get_action_data(service, action_name)
if service in action_data.keys():
if len(action_data[service]) > 0:
new_actions_list.append(action_data[service][0]["action"])
new_actions_list.sort()
return new_actions_list
get_actions_from_statement(statement)
Given a statement dictionary, create a list of the actions
Source code in policy_sentry/util/policy_files.py
def get_actions_from_statement(statement):
"""Given a statement dictionary, create a list of the actions"""
actions_list = []
# We only want to evaluate policies that have Effect = "Allow"
if statement.get("Effect") == "Deny":
return actions_list
else:
action_clause = statement.get("Action")
if not action_clause:
logger.debug("No actions contained in statement")
return actions_list
# Action = "s3:GetObject"
if isinstance(action_clause, str):
actions_list.append(action_clause)
# Action = ["s3:GetObject", "s3:ListBuckets"]
elif isinstance(action_clause, list):
actions_list.extend(action_clause)
else:
logger.debug("Unknown error: The 'Action' is neither a list nor a string")
return actions_list
get_sid_names_from_policy(policy_json)
Given a Policy JSON, get a list of the Statement IDs. This is helpful in unit tests.
Source code in policy_sentry/util/policy_files.py
def get_sid_names_from_policy(policy_json):
"""
Given a Policy JSON, get a list of the Statement IDs. This is helpful in unit tests.
"""
sid_names = list(map(itemgetter("Sid"), policy_json.get("Statement")))
return sid_names
get_statement_from_policy_using_sid(policy_json, sid)
Helper function to get a statement just by providing the policy JSON and the Statement ID
Source code in policy_sentry/util/policy_files.py
def get_statement_from_policy_using_sid(policy_json, sid):
"""
Helper function to get a statement just by providing the policy JSON and the Statement ID
"""
res = next((sub for sub in policy_json["Statement"] if sub['Sid'] == sid), None)
return res