
Commit 04d74f1

Add unit test for issue #278
1 parent e73d41f commit 04d74f1


1 file changed

+98
-0
lines changed


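--- a/test/scanning/test_policy_document.py
+++ b/test/scanning/test_policy_document.py
@@ -539,3 +539,101 @@ def test_gh_254_flag_risky_actions_with_resource_constraints_infrastructure_modi
         self.assertListEqual(policy_document.infrastructure_modification, ['ec2:AuthorizeSecurityGroupIngress'])
         policy_document = PolicyDocument(test_policy, flag_resource_arn_statements=False)
         self.assertListEqual(policy_document.infrastructure_modification, [])
+
+    def test_gh_278_all_issue_types_respect_conditions_on_policy(self):
+        test_policy_all_issues_no_conditions = {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        # Credentials Exposure
+                        "ec2:GetPasswordData",
+                        # Data Exfiltration
+                        "s3:GetObject",
+                        # Infrastructure Modification
+                        "ec2:AuthorizeSecurityGroupIngress",
+                        # Privilege Escalation
+                        "ec2:RunInstances",
+                        "iam:PassRole",
+                        # Resource Exposure
+                        "ec2:CreateNetworkInterfacePermission"
+                    ],
+                    "Resource": "*"
+                }
+            ]
+        }
+        policy_document = PolicyDocument(test_policy_all_issues_no_conditions)
+        self.assertListEqual(policy_document.credentials_exposure, ["ec2:GetPasswordData"])
+        self.assertListEqual(policy_document.allows_data_exfiltration_actions, ["s3:GetObject"])
+        self.assertListEqual(policy_document.infrastructure_modification, [
+            "ec2:AuthorizeSecurityGroupIngress",
+            "ec2:CreateNetworkInterfacePermission",
+            "ec2:RunInstances",
+            "iam:PassRole",
+            "s3:GetObject"
+        ])
+        self.assertListEqual(policy_document.allows_privilege_escalation, [{
+            "actions": [
+                "iam:passrole",
+                "ec2:runinstances"
+            ],
+            "type": "CreateEC2WithExistingIP"
+        }])
+        self.assertListEqual(policy_document.permissions_management_without_constraints, [
+            "ec2:CreateNetworkInterfacePermission",
+            "iam:PassRole"
+        ])
+
+        test_policy_service_wildcard = {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        # Service Wildcard
+                        "kinesis:*"
+                    ],
+                    "Resource": "*"
+                }
+            ]
+        }
+        policy_document_service_wildcard = PolicyDocument(test_policy_service_wildcard)
+        self.assertListEqual(policy_document_service_wildcard.service_wildcard, ["kinesis"])
+
+        test_policy_all_issues_conditions = {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        # Credentials Exposure
+                        "ec2:GetPasswordData",
+                        # Data Exfiltration
+                        "s3:GetObject",
+                        # Infrastructure Modification
+                        "ec2:AuthorizeSecurityGroupIngress",
+                        # Privilege Escalation
+                        "ec2:RunInstances",
+                        "iam:PassRole",
+                        # Resource Exposure
+                        "ec2:CreateNetworkInterfacePermission",
+                        # Service Wildcard
+                        "kinesis:*"
+                    ],
+                    "Resource": "*",
+                    "Condition": {
+                        "StringEquals": {
+                            "aws:PrincipalAccount": "123456789012"
+                        }
+                    }
+                }
+            ]
+        }
+        policy_document_condition = PolicyDocument(test_policy_all_issues_conditions)
+        self.assertListEqual(policy_document_condition.credentials_exposure, [])
+        self.assertListEqual(policy_document_condition.allows_data_exfiltration_actions, [])
+        self.assertListEqual(policy_document_condition.infrastructure_modification, [])
+        self.assertListEqual(policy_document_condition.allows_privilege_escalation, [])
+        self.assertListEqual(policy_document_condition.permissions_management_without_constraints, [])
+        self.assertListEqual(policy_document.service_wildcard, [])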
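Review bot: The last assertion in the new test checks the wrong object: `self.assertListEqual(policy_document.service_wildcard, [])` reads `policy_document`, which was built from `test_policy_all_issues_no_conditions` and never contained `kinesis:*`, so it passes whether or not the condition suppresses the service-wildcard finding. It should read `self.assertListEqual(policy_document_condition.service_wildcard, [])`, in line with the five assertions directly above it. The test also pins the behaviour that a single `aws:PrincipalAccount` StringEquals condition clears every finding type at once; if that is the intended contract, a one-line docstring on the method saying so would help readers who later tune how conditions are weighed. The enclosing test class begins outside the hunk.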
