Removed dead code

nccgroup · Mar 19, 2019 · d9ef880 · d9ef880
1 parent f689337
commit d9ef880
Showing 1 changed file with 0 additions and 89 deletions.
diff --git a/ScoutSuite/providers/aws/services/s3.py b/ScoutSuite/providers/aws/services/s3.py
@@ -73,95 +73,6 @@ def parse_buckets(self, bucket, params):
         bucket['id'] = self.get_non_provider_id(bucket['name'])
         self.buckets[bucket['id']] = bucket
 
-
-def match_iam_policies_and_buckets(s3_info, iam_info):
-    if 'Action' in iam_info['permissions']:
-        for action in (x for x in iam_info['permissions']['Action'] if
-                       ((x.startswith('s3:') and x != 's3:ListAllMyBuckets') or (x == '*'))):
-            for iam_entity in iam_info['permissions']['Action'][action]:
-                if 'Allow' in iam_info['permissions']['Action'][action][iam_entity]:
-                    for allowed_iam_entity in iam_info['permissions']['Action'][action][iam_entity]['Allow']:
-                        # For resource statements, we can easily rely on the existing permissions structure
-                        if 'Resource' in \
-                                iam_info['permissions']['Action'][action][iam_entity]['Allow'][allowed_iam_entity]:
-                            for full_path in (x for x in iam_info['permissions']['Action'][action][iam_entity]['Allow'][
-                                    allowed_iam_entity]['Resource'] if x.startswith('arn:aws:s3:') or x == '*'):
-                                parts = full_path.split('/')
-                                bucket_name = parts[0].split(':')[-1]
-                                update_iam_permissions(s3_info, bucket_name, iam_entity, allowed_iam_entity,
-                                                       iam_info['permissions']['Action'][action][iam_entity]['Allow'][
-                                                           allowed_iam_entity]['Resource'][full_path])
-                        # For notresource statements, we must fetch the policy document to determine which buckets are
-                        # not protected
-                        if 'NotResource' in iam_info['permissions']['Action'][action][iam_entity]['Allow'][
-                                allowed_iam_entity]:
-                            for full_path in (x for x in iam_info['permissions']['Action'][action][iam_entity]['Allow'][
-                                    allowed_iam_entity]['NotResource'] if x.startswith('arn:aws:s3:') or x == '*'):
-                                for policy_type in ['InlinePolicies', 'ManagedPolicies']:
-                                    if policy_type in iam_info['permissions']['Action'][action][iam_entity]['Allow'][
-                                            allowed_iam_entity]['NotResource'][full_path]:
-                                        for policy in iam_info['permissions']['Action'][action][iam_entity]['Allow'][
-                                                allowed_iam_entity]['NotResource'][full_path][policy_type]:
-                                            update_bucket_permissions(s3_info, iam_info, action, iam_entity,
-                                                                      allowed_iam_entity, full_path, policy_type,
-                                                                      policy)
-
-
-def update_iam_permissions(s3_info, bucket_name, iam_entity, allowed_iam_entity, policy_info):
-    if bucket_name != '*' and bucket_name in s3_info['buckets']:
-        bucket = s3_info['buckets'][bucket_name]
-        manage_dictionary(bucket, iam_entity, {})
-        manage_dictionary(bucket, iam_entity + '_count', 0)
-        if allowed_iam_entity not in bucket[iam_entity]:
-            bucket[iam_entity][allowed_iam_entity] = {}
-            bucket[iam_entity + '_count'] = bucket[iam_entity + '_count'] + 1
-
-        if 'inline_policies' in policy_info:
-            manage_dictionary(bucket[iam_entity][allowed_iam_entity], 'inline_policies', {})
-            bucket[iam_entity][allowed_iam_entity]['inline_policies'].update(policy_info['inline_policies'])
-        if 'policies' in policy_info:
-            manage_dictionary(bucket[iam_entity][allowed_iam_entity], 'policies', {})
-            bucket[iam_entity][allowed_iam_entity]['policies'].update(policy_info['policies'])
-    elif bucket_name == '*':
-        for bucket in s3_info['buckets']:
-            update_iam_permissions(s3_info, bucket, iam_entity, allowed_iam_entity, policy_info)
-        pass
-    else:
-        # Could be an error or cross-account access, ignore...
-        pass
-
-
-def update_bucket_permissions(s3_info, iam_info, action, iam_entity, allowed_iam_entity, full_path, policy_type,
-                              policy_name):
-    policy = {}
-    allowed_buckets = []
-    # By default, all buckets are allowed
-    for bucket_name in s3_info['buckets']:
-        allowed_buckets.append(bucket_name)
-    if policy_type == 'InlinePolicies':
-        policy = iam_info[iam_entity.title()][allowed_iam_entity]['Policies'][policy_name]['PolicyDocument']
-    elif policy_type == 'ManagedPolicies':
-        policy = iam_info['ManagedPolicies'][policy_name]['PolicyDocument']
-    else:
-        print_error('Error, found unknown policy type.')
-    for statement in policy['Statement']:
-        for target_path in statement['NotResource']:
-            parts = target_path.split('/')
-            bucket_name = parts[0].split(':')[-1]
-            path = '/' + '/'.join(parts[1:]) if len(parts) > 1 else '/'
-            if (path == '/' or path == '/*') and (bucket_name in allowed_buckets):
-                # Remove bucket from list
-                allowed_buckets.remove(bucket_name)
-            elif bucket_name == '*':
-                allowed_buckets = []
-    policy_info = {policy_type: {}}
-    policy_info[policy_type][policy_name] = \
-        iam_info['permissions']['Action'][action][iam_entity]['Allow'][allowed_iam_entity]['NotResource'][full_path][
-            policy_type][policy_name]
-    for bucket_name in allowed_buckets:
-        update_iam_permissions(s3_info, bucket_name, iam_entity, allowed_iam_entity, policy_info)
-
-
 def init_s3_permissions():
     permissions = {'read': False, 'write': False, 'read_acp': False, 'write_acp': False}
     return permissions