4
4
5
5
from cached_property import cached_property
6
6
7
- from policy_sentry .analysis .analyze import determine_actions_to_expand
7
+ from policy_sentry .analysis .expand import determine_actions_to_expand
8
8
from policy_sentry .querying .actions import (
9
9
remove_actions_not_matching_access_level ,
10
10
get_actions_matching_arn ,
@@ -33,7 +33,12 @@ class StatementDetail:
33
33
Analyzes individual statements within a policy
34
34
"""
35
35
36
- def __init__ (self , statement : Dict [str , Any ], flag_conditional_statements : bool = False , flag_resource_arn_statements : bool = False ) -> None :
36
+ def __init__ (
37
+ self ,
38
+ statement : Dict [str , Any ],
39
+ flag_conditional_statements : bool = False ,
40
+ flag_resource_arn_statements : bool = False ,
41
+ ) -> None :
37
42
self .json = statement
38
43
self .statement = statement
39
44
self .effect = statement ["Effect" ]
@@ -78,7 +83,8 @@ def _resources(self) -> List[str]:
78
83
79
84
def _not_action (self ) -> List [str ]:
80
85
"""Holds the NotAction details.
81
- We won't do anything with it - but we will flag it as something for the assessor to triage."""
86
+ We won't do anything with it - but we will flag it as something for the assessor to triage.
87
+ """
82
88
not_action = self .statement .get ("NotAction" )
83
89
if not not_action :
84
90
return []
@@ -88,7 +94,8 @@ def _not_action(self) -> List[str]:
88
94
89
95
def _not_resource (self ) -> List [str ]:
90
96
"""Holds the NotResource details.
91
- We won't do anything with it - but we will flag it as something for the assessor to triage."""
97
+ We won't do anything with it - but we will flag it as something for the assessor to triage.
98
+ """
92
99
not_resource = self .statement .get ("NotResource" )
93
100
if not not_resource :
94
101
return []
@@ -98,7 +105,7 @@ def _not_resource(self) -> List[str]:
98
105
99
106
# @property
100
107
def _not_action_effective_actions (self ) -> Optional [List [str ]]:
101
- """If NotAction is used, calculate the allowed actions - i.e., what it would be """
108
+ """If NotAction is used, calculate the allowed actions - i.e., what it would be"""
102
109
effective_actions = []
103
110
if not self .not_action :
104
111
return None
@@ -149,7 +156,8 @@ def _not_action_effective_actions(self) -> Optional[List[str]]:
149
156
@property
150
157
def has_not_resource_with_allow (self ) -> bool :
151
158
"""Per the AWS documentation, the NotResource should NEVER be used with the Allow Effect.
152
- See documentation here. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html#notresource-element-combinations"""
159
+ See documentation here. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html#notresource-element-combinations
160
+ """
153
161
if self .not_resource and self .effect_allow :
154
162
logger .warning (
155
163
"Per the AWS documentation, the NotResource should never be used with the "
@@ -198,9 +206,8 @@ def permissions_management_actions_without_constraints(self) -> List[str]:
198
206
do not have resource constraints"""
199
207
result = []
200
208
if (
201
- (not self .has_resource_constraints or self .flag_resource_arn_statements ) and
202
- not self .has_condition
203
- ):
209
+ not self .has_resource_constraints or self .flag_resource_arn_statements
210
+ ) and not self .has_condition :
204
211
result = remove_actions_not_matching_access_level (
205
212
self .restrictable_actions , "Permissions management"
206
213
)
@@ -213,9 +220,8 @@ def write_actions_without_constraints(self) -> List[str]:
213
220
do not have resource constraints"""
214
221
result = []
215
222
if (
216
- (not self .has_resource_constraints or self .flag_resource_arn_statements ) and
217
- not self .has_condition
218
- ):
223
+ not self .has_resource_constraints or self .flag_resource_arn_statements
224
+ ) and not self .has_condition :
219
225
result = remove_actions_not_matching_access_level (
220
226
self .restrictable_actions , "Write"
221
227
)