
writing.validate

writing.validate

Validation for the Policy Sentry YML Templates.

check(conf_schema, conf)

Validates user-supplied, parsed JSON/YAML data against a defined schema. The input is untrusted template content, so callers must treat a False result as a hard failure rather than a warning.

Parameters:

Name Type Description Default
conf_schema

The Schema object that defines the required structure.

required
conf

The user-supplied data (the parsed template) to validate against the required structure.

required

Returns:

Type Description
Boolean

True if the data meets the Schema requirements, False otherwise. On failure the violation is printed/logged rather than raised, so the caller is responsible for aborting.

Source code in policy_sentry/writing/validate.py
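def check(conf_schema, conf):
    """
    Validates a user-supplied JSON vs a defined schema.

    Arguments:
        conf_schema: The Schema object that defines the required structure.
        conf: The user-supplied data (parsed YML/JSON template, untrusted) to validate
            against the required structure.
    Returns:
        Boolean: True if ``conf`` satisfies ``conf_schema``; False if validation raises
            SchemaError. The violation is printed/logged here instead of being raised,
            so the caller decides how to fail.
    """
    try:
        conf_schema.validate(conf)
    except SchemaError as schema_error:
        # Schema packs its explanation into `autos`, which does not always hold
        # three entries (and entries may be None), so the index/split below can
        # fail. Only those lookup failures fall back to logging the raw error;
        # the previous bare `except:` also swallowed KeyboardInterrupt/SystemExit.
        try:
            # workarounds for Schema's logging approach
            print(schema_error.autos[0])
            detailed_error_message = schema_error.autos[2]
            print(detailed_error_message.split(" in {'")[0])
        except (IndexError, TypeError, AttributeError):
            logger.critical(schema_error)
        return False
    return True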

check_actions_schema(cfg)

Determines whether the user-provided config matches the required schema for Actions mode

Source code in policy_sentry/writing/validate.py
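def check_actions_schema(cfg):
    """
    Determines whether the user-provided config matches the required schema for Actions mode

    Arguments:
        cfg: The parsed user template (untrusted input) to validate against ACTIONS_SCHEMA.
    Returns:
        True when the template satisfies ACTIONS_SCHEMA.
    Raises:
        ValueError: when validation fails. ValueError subclasses Exception, so existing
            ``except Exception`` handlers still catch it and the message is unchanged; the
            specific schema violation is printed/logged by check() before this is raised.
    """
    # check() returns a plain bool, so no need to compare against True.
    if check(ACTIONS_SCHEMA, cfg):
        return True
    # The message has no placeholders; plain string literals (f-strings were unnecessary).
    raise ValueError(
        "The provided template does not match the required schema for ACTIONS mode. "
        "Please use the create-template command to generate a valid YML template that "
        "Policy Sentry will accept."
    )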

check_crud_schema(cfg)

Determines whether the user-provided config matches the required schema for CRUD mode

Source code in policy_sentry/writing/validate.py
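def check_crud_schema(cfg):
    """
    Determines whether the user-provided config matches the required schema for CRUD mode

    Arguments:
        cfg: The parsed user template (untrusted input) to validate against CRUD_SCHEMA.
    Returns:
        True when the template satisfies CRUD_SCHEMA.
    Raises:
        ValueError: when validation fails. ValueError subclasses Exception, so existing
            ``except Exception`` handlers still catch it and the message is unchanged; the
            specific schema violation is printed/logged by check() before this is raised.
    """
    # check() returns a plain bool, so no need to compare against True.
    if check(CRUD_SCHEMA, cfg):
        return True
    # The message has no placeholders; plain string literals (f-strings were unnecessary).
    raise ValueError(
        "The provided template does not match the required schema for CRUD mode. "
        "Please use the create-template command to generate a valid YML template that "
        "Policy Sentry will accept."
    )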

validate_condition_block(condition_block)

Validates the format of the condition block that should be supplied in the template.

Parameters:

Name Type Description Default
condition_block

A dict with exactly three keys, e.g. {"condition_key_string": "ec2:ResourceTag/purpose", "condition_type_string": "StringEquals", "condition_value": "test"}.

required

Returns:

Type Description
Boolean

True when the block is a dict with exactly those three keys, False otherwise. Only the shape is checked: each value is merely coerced with str(), so the condition key, operator and value are not verified against real IAM condition keys/operators (see the TODOs in the source).

Source code in policy_sentry/writing/validate.py
def validate_condition_block(condition_block):
    """
    Validates the format of the condition block that should be supplied in the template.

    Arguments:
        condition_block: {"condition_key_string": "ec2:ResourceTag/purpose", "condition_type_string": "StringEquals", "condition_value": "test"}
    Returns:
        Boolean: True when the block has exactly the three expected keys, False otherwise
            (the SchemaError is logged at warning level). Values are only coerced with
            str(); nothing here checks that the key, operator or value are valid IAM
            condition keys/operators, so a syntactically well-formed but semantically
            wrong condition still passes.
    """
    # NOTE(review): shape-only validation. Use(str) accepts any value str() can
    # render, so the IAM semantics of the condition remain unchecked.
    # TODO: Validate that the values are legit somehow
    expected_shape = Schema(
        {
            "condition_key_string": And(Use(str)),
            "condition_type_string": And(Use(str)),
            "condition_value": And(Use(str)),
        }
    )
    try:
        expected_shape.validate(condition_block)
    except SchemaError as s_e:
        logger.warning(s_e)
        return False
    # TODO: Try to validate whether or not the condition keys are legit
    return True