forked from aws-cloudformation/cfn-lint
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathPermissions.py
More file actions
105 lines (91 loc) · 3.86 KB
/
Permissions.py
File metadata and controls
105 lines (91 loc) · 3.86 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
"""
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: MIT-0
"""
from __future__ import annotations
from typing import Any
import regex as re
from cfnlint.data import AdditionalSpecs
from cfnlint.helpers import ensure_list, load_resource
from cfnlint.jsonschema import ValidationError, ValidationResult, Validator
from cfnlint.rules.jsonschema.CfnLintKeyword import CfnLintKeyword
class Permissions(CfnLintKeyword):
"""Check IAM Permission configuration"""
id = "W3037"
shortdesc = "Check IAM Permission configuration"
description = "Check for valid IAM Permissions"
source_url = "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html"
tags = ["properties", "iam", "permissions"]
def __init__(self):
"""Init"""
super().__init__(
["AWS::IAM::Policy/Properties/PolicyDocument/Statement/Action"]
)
self._service_map = load_resource(AdditionalSpecs, "Policies.json")
self._resource_action_limitations = {
"AWS::S3::BucketPolicy": ["s3"],
"AWS::SQS::QueuePolicy": ["sqs"],
"AWS::SNS::TopicPolicy": ["sns"],
}
def validate(
self, validator: Validator, _, instance: Any, schema: dict[str, Any]
) -> ValidationResult:
# Escape validation when using SAM transforms as a result of
# https://github.com/aws/serverless-application-model/issues/3633
if validator.cfn.has_serverless_transform():
return
actions = ensure_list(instance)
for action in actions:
if not validator.is_type(action, "string"):
continue
if action == "*":
continue
if ":" not in action:
yield ValidationError(
f"{action!r} is not a valid action. "
"Must be of the form service:action or '*'",
rule=self,
)
return
service, permission = action.split(":", 1)
service = service.lower()
permission = permission.lower()
if len(validator.context.path.cfn_path) >= 2:
if (
validator.context.path.cfn_path[1]
in self._resource_action_limitations
):
if (
service
not in self._resource_action_limitations[
validator.context.path.cfn_path[1]
]
):
yield ValidationError(
f"{service!r} is not one of "
f"{self._resource_action_limitations[validator.context.path.cfn_path[1]]!r}",
rule=self,
)
if service in self._service_map:
enums = list(self._service_map[service].get("Actions", []).keys())
if permission == "*":
pass
if any(x in permission for x in ["*", "?"]):
permission_regex = (
f"^{permission.replace('*', '.*').replace('?', '.')}$"
)
if not any(re.match(permission_regex, action) for action in enums):
yield ValidationError(
f"{permission!r} is not one of {enums!r}",
rule=self,
)
elif permission not in enums:
yield ValidationError(
f"{permission!r} is not one of {enums!r}",
rule=self,
)
else:
yield ValidationError(
f"{service!r} is not one of {list(self._service_map.keys())!r}",
rule=self,
)