support federated principals (#304)
gruebel authored Aug 12, 2023
1 parent 5951298 commit 2483fe3
Showing 2 changed files with 37 additions and 7 deletions.
8 changes: 8 additions & 0 deletions cloudsplaining/scan/assume_role_policy_document.py
Expand Up @@ -83,6 +83,8 @@ def _principals(self) -> List[str]:
"Principal": ["value"]
"Principal": { "AWS": "value" }
"Principal": { "AWS": ["value", "value"] }
"Principal": { "Federated": "value" }
"Principal": { "Federated": ["value", "value"] }
"Principal": { "Service": "value" }
"Principal": { "Service": ["value", "value"] }
Return: Set of principals
Expand All @@ -101,6 +103,12 @@ def _principals(self) -> List[str]:
else:
principals.append(principal["AWS"])

if "Federated" in principal:
if isinstance(principal["Federated"], list):
principals.extend(principal["Federated"])
else:
principals.append(principal["Federated"])

if "Service" in principal:
if isinstance(principal["Service"], list):
principals.extend(principal["Service"])
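Review bot: The new Federated branch folds identity-provider names (the `accounts.google.com` and `cognito-identity.amazonaws.com` values exercised in the tests) into the same flat `principals` list as AWS account ARNs, so a caller reading `principals` can no longer tell a trust on an external IdP from a trust on an AWS account, and it is not visible from this hunk whether downstream checks such as the compute-services detection distinguish the two. If that distinction matters for reporting, a separate collection or at least a comment such as `# Federated entries are IdP names or SAML/OIDC provider ARNs, not AWS principals` would make the intent explicit. The branch also repeats the list-or-scalar coercion already used for AWS and Service; `value = principal["Federated"]` followed by `principals.extend(value if isinstance(value, list) else [value])` would replace the four-line if/else. `_principals` begins before this hunk, and its docstring still says "Set of principals" although the annotation is `List[str]`.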
36 changes: 29 additions & 7 deletions test/scanning/test_trust_policies.py
@@ -1,7 +1,5 @@
from cloudsplaining.scan.assume_role_policy_document import AssumeRoleStatement, AssumeRolePolicyDocument
import os
from cloudsplaining.scan.assume_role_policy_document import AssumeRoleStatement
import unittest
import json


class TestAssumeRole(unittest.TestCase):
Expand All @@ -10,6 +8,8 @@ class TestAssumeRole(unittest.TestCase):
"Principal": ["value"]
"Principal": { "AWS": "value" }
"Principal": { "AWS": ["value", "value"] }
"Principal": { "Federated": "value" }
"Principal": { "Federated": ["value", "value"] }
"Principal": { "Service": "value" }
"Principal": { "Service": ["value", "value"] }
"""
Expand Down Expand Up @@ -40,8 +40,24 @@ def test_assume_role_statement_principal_formats(self):
Resource="*",
)

# "Principal": { "Service": "value", "AWS": "value" }
# "Principal": { "Federated": "value" }
statement05 = dict(
Effect="Allow",
Principal={"Federated": "accounts.google.com"},
Action=["rds:*"],
Resource="*",
)

# "Principal": { "Federated": ["value", "value"] }
statement06 = dict(
Effect="Allow",
Principal={"Federated": ["cognito-identity.amazonaws.com", "www.amazon.com"]},
Action=["rds:*"],
Resource="*",
)

# "Principal": { "Service": "value", "AWS": "value" }
statement07 = dict(
Effect="Allow",
Principal={
"Service": "lambda.amazonaws.com",
Expand All @@ -52,7 +68,7 @@ def test_assume_role_statement_principal_formats(self):
)

# "Principal": { "Service": ["value", "value"] }
statement06 = dict(
statement08 = dict(
Effect="Allow",
Principal={"Service": ["lambda.amazonaws.com"]},
Action=["rds:*"],
Expand All @@ -63,16 +79,22 @@ def test_assume_role_statement_principal_formats(self):
assume_role_statement_04 = AssumeRoleStatement(statement04)
assume_role_statement_05 = AssumeRoleStatement(statement05)
assume_role_statement_06 = AssumeRoleStatement(statement06)
assume_role_statement_07 = AssumeRoleStatement(statement07)
assume_role_statement_08 = AssumeRoleStatement(statement08)

self.assertListEqual(assume_role_statement_02.principals, ['arn:aws:iam::012345678910:root'])
self.assertListEqual(assume_role_statement_03.principals, ['arn:aws:iam::012345678910:root'])
self.assertListEqual(assume_role_statement_04.principals, ['arn:aws:iam::012345678910:root'])
self.assertListEqual(assume_role_statement_05.principals, ['arn:aws:iam::012345678910:root', 'lambda.amazonaws.com'])
self.assertListEqual(assume_role_statement_06.principals, ['lambda.amazonaws.com'])
self.assertListEqual(assume_role_statement_05.principals, ['accounts.google.com'])
self.assertListEqual(assume_role_statement_06.principals, ['cognito-identity.amazonaws.com', 'www.amazon.com'])
self.assertListEqual(assume_role_statement_07.principals, ['arn:aws:iam::012345678910:root', 'lambda.amazonaws.com'])
self.assertListEqual(assume_role_statement_08.principals, ['lambda.amazonaws.com'])

self.assertListEqual(assume_role_statement_02.role_assumable_by_compute_services, [])
self.assertListEqual(assume_role_statement_03.role_assumable_by_compute_services, [])
self.assertListEqual(assume_role_statement_04.role_assumable_by_compute_services, [])
self.assertListEqual(assume_role_statement_05.role_assumable_by_compute_services, [])
self.assertListEqual(assume_role_statement_06.role_assumable_by_compute_services, [])
# self.assertListEqual(assume_role_statement_05.role_assumable_by_compute_services, ["lambda"])
# self.assertListEqual(assume_role_statement_06.role_assumable_by_compute_services, ["lambda"])

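Review bot: The two commented-out assertions at the end of the last hunk appear to point at the wrong statements: after the renumbering, `assume_role_statement_05` and `_06` are the Federated cases already asserted as `[]` two lines above, while the `lambda.amazonaws.com` statements they were presumably written for are now `_07` and `_08`. Either retarget them, e.g. `# self.assertListEqual(assume_role_statement_07.role_assumable_by_compute_services, ["lambda"])` and the `_08` counterpart, with a one-line comment saying why they are disabled, or drop them so the stale numbers are not mistaken for the real expectation. As written, `role_assumable_by_compute_services` for the two Service-bearing statements has no assertion in this hunk. The enclosing test method starts before the hunk.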