Merge 06471e7 into 3904e33

Netflix-Skunkworks · May 2, 2019 · 82d53a3 · 82d53a3
2 parents 3904e33 + 06471e7
commit 82d53a3
Show file tree

Hide file tree

Showing 6 changed files with 199 additions and 192 deletions.
diff --git a/README.md b/README.md
@@ -193,11 +193,11 @@ from policyuniverse.policy import Policy
 p = Policy(policy)
 for k, v in p.action_summary().items():
     print(k,v)
->>> ('s3', set([u'Write', u'Permissions']))
->>> ('sqs', set([u'List', u'Read']))
+>>> ('s3', set([u'Write', u'Permissions', u'Tagging']))
+>>> ('sqs', set([u'List']))
 >>> ('sns', set([u'List', u'Read', u'Write', u'Permissions']))
 ```
-Possible categories are `Permissions`, `Write`, `Read`, and `List`.  This data can be used to summarize statements and policies and to look for sensitive permissions.
+Possible categories are `Permissions`, `Write`, `Read`, `Tagging`, and `List`.  This data can be used to summarize statements and policies and to look for sensitive permissions.
 
 ## Expanding and Minification
 ```python

diff --git a/policyuniverse/action_categories.py b/policyuniverse/action_categories.py
@@ -6,11 +6,12 @@
 
 def translate_aws_action_groups(groups):
     """
-    Problem - AWS provides the following four groups:
+    Problem - AWS provides the following five groups:
         - Permissions
         - ReadWrite
         - ListOnly
         - ReadOnly
+        - Tagging
     
     The meaning of these groups was not immediately obvious to me.
     
@@ -19,6 +20,7 @@ def translate_aws_action_groups(groups):
     ReadOnly: Always used with ReadWrite. Indicates a read-only data-plane operation.
     ListOnly: Always used with [ReadWrite, ReadOnly]. Indicates an action which
         lists resources, which is a subcategory of read-only data-plane operations.
+    Tagging: Always used with ReadWrite. Indicates a permission that can mutate tags.
     
     So an action with ReadWrite, but without ReadOnly, is a mutating data-plane operation.
     An action with Permission never has any other groups.
@@ -27,6 +29,7 @@ def translate_aws_action_groups(groups):
 
     - List
     - Read
+    - Tagging
     - ReadWrite
     - Permissions
     """
@@ -36,6 +39,8 @@ def translate_aws_action_groups(groups):
         return 'List'
     if 'ReadOnly' in groups:
         return 'Read'
+    if 'Tagging' in groups:
+        return 'Tagging'
     if 'ReadWrite' in groups:
         return 'Write'
     return 'Unknown'
@@ -76,7 +81,7 @@ def actions_for_category(category):
     Returns set of actions containing each group passed in.
     
     Param:
-        category must be in {'Permissions', 'List', 'Read', 'Write'}
+        category must be in {'Permissions', 'List', 'Read', 'Tagging', 'Write'}
     
     Returns:
         set of matching actions