lines changed Original file line number Diff line number Diff line change 11# CHANGELOG
22
3+ ## 0.0.11 (2020-05-06)
4+ * Fixed an issue arising from policies where "Deny" was used in effect with no resource constraints. Fixes #23 .
5+
36## 0.0.10 (2020-05-05)
47* Removed the recursive credentials method from the ` download ` command.
58* Fixed occasional installation error occurring from outdated Policy Sentry versions.
Original file line number Diff line number Diff line change 77"""
88 Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet.
99"""
10- __version__ = "0.0.10 "
10+ __version__ = "0.0.11 "
1111import click
1212from cloudsplaining import command
1313
Original file line number Diff line number Diff line change @@ -40,7 +40,8 @@ def all_allowed_actions(self):
4040 """Output all allowed IAM Actions, regardless of resource constraints"""
4141 allowed_actions = []
4242 for statement in self .statements :
43- allowed_actions .extend (statement .expanded_actions )
43+ if statement .expanded_actions :
44+ allowed_actions .extend (statement .expanded_actions )
4445 allowed_actions = list (dict .fromkeys (allowed_actions ))
4546 return allowed_actions
4647
@@ -50,7 +51,8 @@ def all_allowed_unrestricted_actions(self):
5051 allowed_actions = []
5152 for statement in self .statements :
5253 if not statement .has_resource_constraints :
53- allowed_actions .extend (statement .expanded_actions )
54+ if statement .expanded_actions :
55+ allowed_actions .extend (statement .expanded_actions )
5456 allowed_actions = list (dict .fromkeys (allowed_actions ))
5557 return allowed_actions
5658
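Review bot: The guards added in both `all_allowed_actions` and `all_allowed_unrestricted_actions` test truthiness, which hides the actual contract: `extend` on an empty list is already a no-op, so the only value the check really rejects is `None`, and `if statement.expanded_actions is not None:` would state that and not silently skip any other falsy value a future change might return. Neither accumulator consults the statement's effect; if `expanded_actions` yields a non-empty list for a plain `Effect: Deny` statement that uses `Action` rather than `NotAction` (that property is not visible here), the denied actions would be reported as allowed, which over-reports for an assessment tool. A check on the statement's `effect_deny` attribute, which the `_not_action_effective_actions` change in this commit already uses, would make the intent explicit, e.g. `if statement.effect_deny: continue` at the top of the loop. The same point applies to both hunks in this file.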
Original file line number Diff line number Diff line change @@ -81,7 +81,7 @@ def _not_action_effective_actions(self):
8181 """If NotAction is used, calculate the allowed actions - i.e., what it would be """
8282 effective_actions = []
8383 if not self .not_action :
84- return False
84+ return None
8585 not_actions_expanded = determine_actions_to_expand (self .not_action )
8686 not_actions_expanded_lowercase = [x .lower () for x in not_actions_expanded ]
8787
@@ -116,12 +116,12 @@ def _not_action_effective_actions(self):
116116 return effective_actions
117117 elif self .has_resource_constraints and self .effect_deny :
118118 logger .debug ("NOTE: Haven't decided if we support Effect Deny here?" )
119- return False
119+ return None
120120 elif not self .has_resource_constraints and self .effect_deny :
121121 logger .debug ("NOTE: Haven't decided if we support Effect Deny here?" )
122- return False
122+ return None
123123 else :
124- return False
124+ return None
125125
126126 @property
127127 def has_not_resource_with_allow (self ):
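Review bot: `_not_action_effective_actions` now returns a list on the Allow path and `None` on every other path, but its docstring does not say so, and the new `if statement.expanded_actions:` guards in the callers depend on exactly that contract. A docstring addition such as `Returns the expanded list of effective actions for Allow statements; returns None when NotAction is absent or when Effect is Deny, which is not evaluated.` would pin it and also make clear to report readers that Deny statements never narrow the allowed-action lists produced elsewhere. The two `elif ... self.effect_deny` branches differ only in the resource-constraint test yet emit the same debug line and return the same value, so they could be folded into a single `elif self.effect_deny:` branch. The function's `def` line is outside the hunk.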
Original file line number Diff line number Diff line change @@ -182,3 +182,23 @@ def test_allows_specific_actions(self):
182182 ]
183183 results = policy_document .allows_specific_actions_without_constraints (high_priority_read_only_actions )
184184 self .assertListEqual (results , high_priority_read_only_actions )
185+
186+ def test_policy_document_not_action_deny_gh_23 (self ):
187+ test_policy = {
188+ "Version" : "2012-10-17" ,
189+ "Statement" : [{
190+ "Sid" : "DenyAllUsersNotUsingMFA" ,
191+ "Effect" : "Deny" ,
192+ "NotAction" : "iam:*" ,
193+ "Resource" : "*" ,
194+ "Condition" : {"BoolIfExists" : {"aws:MultiFactorAuthPresent" : "false" }}
195+ }]
196+ }
197+ policy_document = PolicyDocument (test_policy )
198+ allowed_actions = []
199+ for statement in policy_document .statements :
200+ if not statement .has_resource_constraints :
201+ if statement .expanded_actions :
202+ allowed_actions .extend (statement .expanded_actions )
203+ self .assertListEqual (allowed_actions , [])
204+ self .assertListEqual (policy_document .all_allowed_unrestricted_actions , [])
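Review bot: `test_policy_document_not_action_deny_gh_23` re-implements the accumulator loop of `all_allowed_unrestricted_actions` inline and asserts on that copy before asserting on the property, so the first assertion exercises the test's own logic rather than the code under test and would keep passing if the property regressed. Drop the local loop and keep `self.assertListEqual(policy_document.all_allowed_unrestricted_actions, [])`, ideally alongside `self.assertListEqual(policy_document.all_allowed_actions, [])` so both accumulators changed in this commit are covered. A second fixture using `"Effect": "Deny"` with `"Action"` instead of `"NotAction"` would show whether Deny statements are excluded on that path too; I cannot tell from the visible code. The enclosing test class starts outside the hunk.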