forked from aws-cloudformation/cfn-lint
-
Notifications
You must be signed in to change notification settings - Fork 2
/
Permissions.py
107 lines (91 loc) · 3.86 KB
/
Permissions.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
"""
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: MIT-0
"""
from __future__ import annotations
from typing import Any
from cfnlint.data import AdditionalSpecs
from cfnlint.helpers import ensure_list, load_resource
from cfnlint.jsonschema import ValidationError, ValidationResult, Validator
from cfnlint.rules.jsonschema.CfnLintKeyword import CfnLintKeyword
class Permissions(CfnLintKeyword):
"""Check IAM Permission configuration"""
id = "W3037"
shortdesc = "Check IAM Permission configuration"
description = "Check for valid IAM Permissions"
source_url = "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html"
tags = ["properties", "iam", "permissions"]
experimental = True
def __init__(self):
"""Init"""
super().__init__(
["AWS::IAM::Policy/Properties/PolicyDocument/Statement/Action"]
)
self.service_map = self.load_service_map()
def validate(
self, validator: Validator, _, instance: Any, schema: dict[str, Any]
) -> ValidationResult:
actions = ensure_list(instance)
for action in actions:
if action == "*":
continue
if ":" not in action:
yield ValidationError(
(
f"{action!r} is not a valid action."
"Must be of the form service:action or '*'"
),
rule=self,
)
return
service, permission = action.split(":", 1)
service = service.lower()
permission = permission.lower()
if service in self.service_map:
enums = self.service_map[service]
if permission == "*":
pass
elif permission.endswith("*"):
wilcarded_permission = permission.split("*")[0]
if not any(wilcarded_permission in action for action in enums):
yield ValidationError(
f"{permission!r} is not one of {enums!r}",
rule=self,
)
elif permission.startswith("*"):
wilcarded_permission = permission.split("*")[1]
if not any(
wilcarded_permission in action
for action in self.service_map[service]
):
yield ValidationError(
f"{permission!r} is not one of {enums!r}",
rule=self,
)
elif permission not in self.service_map[service]:
yield ValidationError(
f"{permission!r} is not one of {enums!r}",
rule=self,
)
else:
yield ValidationError(
f"{service!r} is not one of {list(self.service_map.keys())!r}",
rule=self,
)
def load_service_map(self):
"""
Convert policies.json into a simpler version for more efficient key lookup.
"""
service_map = load_resource(AdditionalSpecs, "Policies.json")["serviceMap"]
policy_service_map = {}
for _, properties in service_map.items():
# The services and actions are case insensitive
service = properties["StringPrefix"].lower()
actions = [x.lower() for x in properties["Actions"]]
# Some services have the same name for different
# generations; like elasticloadbalancing.
if service in policy_service_map:
policy_service_map[service] += actions
else:
policy_service_map[service] = actions
return policy_service_map