Skip to content

Commit

Permalink
Add unit test for issue #278
Browse files Browse the repository at this point in the history
  • Loading branch information
@jacobappleton-orbis
jacobappleton-orbis committed Aug 3, 2023
1 parent e73d41f commit 04d74f1
Showing 1 changed file with 98 additions and 0 deletions.
98 changes: 98 additions & 0 deletions test/scanning/test_policy_document.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -539,3 +539,101 @@ def test_gh_254_flag_risky_actions_with_resource_constraints_infrastructure_modi
self.assertListEqual(policy_document.infrastructure_modification, ['ec2:AuthorizeSecurityGroupIngress'])
policy_document = PolicyDocument(test_policy, flag_resource_arn_statements=False)
self.assertListEqual(policy_document.infrastructure_modification, [])

def test_gh_278_all_issue_types_respect_conditions_on_policy(self):
test_policy_all_issues_no_conditions = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
# Credentials Exposure
"ec2:GetPasswordData",
# Data Exfiltration
"s3:GetObject",
# Infrastructure Modification
"ec2:AuthorizeSecurityGroupIngress",
# Privilege Escalation
"ec2:RunInstances",
"iam:PassRole",
# Resource Exposure
"ec2:CreateNetworkInterfacePermission"
],
"Resource": "*"
}
]
}
policy_document = PolicyDocument(test_policy_all_issues_no_conditions)
self.assertListEqual(policy_document.credentials_exposure, ["ec2:GetPasswordData"])
self.assertListEqual(policy_document.allows_data_exfiltration_actions, ["s3:GetObject"])
self.assertListEqual(policy_document.infrastructure_modification, [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterfacePermission",
"ec2:RunInstances",
"iam:PassRole",
"s3:GetObject"
])
self.assertListEqual(policy_document.allows_privilege_escalation, [{
"actions": [
"iam:passrole",
"ec2:runinstances"
],
"type": "CreateEC2WithExistingIP"
}])
self.assertListEqual(policy_document.permissions_management_without_constraints, [
"ec2:CreateNetworkInterfacePermission",
"iam:PassRole"
])

test_policy_service_wildcard = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
# Service Wildcard
"kinesis:*"
],
"Resource": "*"
}
]
}
policy_document_service_wildcard = PolicyDocument(test_policy_service_wildcard)
self.assertListEqual(policy_document_service_wildcard.service_wildcard, ["kinesis"])

test_policy_all_issues_conditions = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
# Credentials Exposure
"ec2:GetPasswordData",
# Data Exfiltration
"s3:GetObject",
# Infrastructure Modification
"ec2:AuthorizeSecurityGroupIngress",
# Privilege Escalation
"ec2:RunInstances",
"iam:PassRole",
# Resource Exposure
"ec2:CreateNetworkInterfacePermission",
# Service Wildcard
"kinesis:*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalAccount": "123456789012"
}
}
}
]
}
policy_document_condition = PolicyDocument(test_policy_all_issues_conditions)
self.assertListEqual(policy_document_condition.credentials_exposure, [])
self.assertListEqual(policy_document_condition.allows_data_exfiltration_actions, [])
self.assertListEqual(policy_document_condition.infrastructure_modification, [])
self.assertListEqual(policy_document_condition.allows_privilege_escalation, [])
self.assertListEqual(policy_document_condition.permissions_management_without_constraints, [])
self.assertListEqual(policy_document.service_wildcard, [])

0 comments on commit 04d74f1

Please sign in to comment.