Writing
See the examples under https://github.com/salesforce/policy_sentry/tree/master/examples/library-usage/writing.
command.write_policy
Given a Policy Sentry YML template, write a least-privilege IAM Policy in CRUD mode or Actions mode.
RegisterLengthOption
Mark this option as getting a _length option
RegisterLengthOptionHelp
Translate help for the hidden _length suffix
RegisterMinimizeLengthCommand
Translate any opt= to opt_length= as needed
parse_args(self, ctx, args)
Given a context and a list of arguments this creates the parser and parses the arguments, then modifies the context as necessary. This is automatically invoked by :meth:`make_context`.
Source code in policy_sentry/command/write_policy.py

```python
def parse_args(self, ctx, args):
    # Options that were marked with RegisterLengthOption
    options = [o for o in ctx.command.params
               if getattr(o, 'register_length', None)]
    # Their long-form names, e.g. '--minimize'
    prefixes = {p for p in sum([o.opts for o in options], [])
                if p.startswith('--')}
    for i, a in enumerate(args):
        a = a.split('=')
        if a[0] in prefixes:
            if len(a) > 1:
                # '--opt=value' becomes '--opt' followed by '--opt_length=value'
                args[i] = a[0]
                args.insert(i + 1, a[0] + '_length=' + a[1])
            else:
                # check if next argument is naked
                if len(args) > i + 1 and not args[i + 1].startswith('--'):
                    value = args[i + 1]
                    args[i + 1] = a[0] + '_length=' + value
    return super().parse_args(ctx, args)
```
write_policy_with_template(cfg, minimize=None)
This function is called by write-policy so the config can be passed in as a dict without running into a Click-related error. Use this function, rather than the write-policy function, if you are using Policy Sentry as a python library.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
cfg | | The loaded YAML as a dict. Must follow Policy Sentry dictated format. | required |
minimize | | Minimize the resulting statement with safe usage of wildcards to reduce policy length. Set this to the character length you want - for example, 0, or 4. Defaults to none. | None |

Returns:

Type | Description |
---|---|
Dictionary | The JSON policy |
Source code in policy_sentry/command/write_policy.py

```python
from policy_sentry.writing.sid_group import SidGroup


def write_policy_with_template(cfg, minimize=None):
    """
    This function is called by write-policy so the config can be passed in as a dict without running into a Click-related error. Use this function, rather than the write-policy function, if you are using Policy Sentry as a python library.
    Arguments:
        cfg: The loaded YAML as a dict. Must follow Policy Sentry dictated format.
        minimize: Minimize the resulting statement with *safe* usage of wildcards to reduce policy length. Set this to the character length you want - for example, 0, or 4. Defaults to none.
    Returns:
        Dictionary: The JSON policy
    """
    # SidGroup turns the template's CRUD levels / actions into IAM statements
    sid_group = SidGroup()
    policy = sid_group.process_template(cfg, minimize)
    return policy
```
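The following is an added example of calling write_policy_with_template from library code rather than the CLI; it is not part of Policy Sentry itself. The template dict is constructed here and uses Policy Sentry's CRUD template keys (mode, name, read, write, wildcard-only). Because the generated policy is what will be attached to a role, the example also runs a small guardrail of its own (unscoped_statements, not a Policy Sentry function) that flags any Allow statement whose Resource is not one of the ARNs the template asked for, so an unexpected "*" is caught before deployment. SAMPLE_POLICY is a constructed policy in the output shape, used so the guardrail can be exercised without the package installed.

```python
import json
from typing import Dict, List, Set

# Constructed CRUD-mode template, in the dict shape write_policy_with_template takes
# (the same keys a Policy Sentry YAML template uses).
TEMPLATE: Dict = {
    "mode": "crud",
    "name": "vmimport-reader",
    "read": ["arn:aws:s3:::example-org-sbx-vmimport"],
    "write": ["arn:aws:s3:::example-org-sbx-vmimport/*"],
}

# Constructed sample policy in the shape Policy Sentry emits: one statement scoped
# to a template ARN, and one hypothetical statement that drifted to Resource "*".
SAMPLE_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ReadBucket",
            "Effect": "Allow",
            "Action": ["s3:GetBucketAcl", "s3:GetBucketPolicy"],
            "Resource": ["arn:aws:s3:::example-org-sbx-vmimport"],
        },
        {
            "Sid": "S3WriteAll",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": "*",
        },
    ],
}


def generate_policy(cfg: Dict, minimize=None) -> Dict:
    """Library call into Policy Sentry; needs the policy_sentry package installed."""
    from policy_sentry.command.write_policy import write_policy_with_template
    return write_policy_with_template(cfg, minimize)


def template_arns(cfg: Dict) -> Set[str]:
    """Every ARN the template grants, across all CRUD access levels."""
    levels = ("read", "write", "list", "tagging", "permissions-management")
    return {arn for level in levels for arn in cfg.get(level, [])}


def _as_list(value) -> List[str]:
    """IAM allows Resource/Action to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def unscoped_statements(policy: Dict, cfg: Dict) -> List[str]:
    """Sids of Allow statements whose Resource is not limited to the template's ARNs.

    Resource "*" is tolerated only when the template has a wildcard-only block,
    the one place a CRUD template is expected to produce it.
    """
    allowed = template_arns(cfg)
    star_ok = bool(cfg.get("wildcard-only"))
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*" and star_ok:
                continue
            if resource not in allowed:
                flagged.append(stmt.get("Sid", "<no Sid>"))
                break
    return flagged


if __name__ == "__main__":
    # With policy_sentry installed this generates the real policy; without it the
    # guardrail is demonstrated on the constructed sample instead.
    try:
        policy = generate_policy(TEMPLATE)
    except ImportError:
        policy = SAMPLE_POLICY
    print(json.dumps(policy, indent=2))
    print("unscoped statements:", unscoped_statements(policy, TEMPLATE))
```

The check is deliberately strict: a statement is flagged on the first Resource that is not a template ARN, and "*" only passes when the template itself contains a wildcard-only section. Run it on the real output of generate_policy in CI so a template edit that widens scope fails the build rather than reaching an IAM role.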