-
Notifications
You must be signed in to change notification settings - Fork 135
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unexpected output when working with ARNs that have a path in them #284
Merged
Merged
Changes from 44 commits
Commits
Show all changes
45 commits
Select commit
Hold shift + click to select a range
0c15cc7
Non-working tests and adjustments to fix #237.
kmcquade 8658db4
Update database (#241)
github-actions[bot] 3b087a6
Speed improvements by changing IAM definition - fixes #240 (#242)
kmcquade 1d3207f
update brew formula
actions-user bea972b
Fix homebrew publishing
kmcquade 50a974c
renaming github action test.yml to ci.yml and name to continuous-inte…
reetasingh 8ad8d6e
fix None type scenario in get_actions_for_service (#246)
reetasingh cfb6264
updating build badge to github actions CI badge in README.md (#249)
reetasingh 7d26d96
adding unit tests for util/conditions.py is_condition_key_match metho…
reetasingh 180ae03
Fix IAM definition update code (#254)
reetasingh 6ab403a
Made updates to the scraping logic for the Actions, Resources, and Co…
kmcquade 256242d
Improving minimization by grouping results based on arns (#252)
saikirankv 909eb2c
Ensured minimization won't break if resource path contains special ch…
kmcquade ff4006f
Added click unit tests (#262)
kmcquade 1704ab1
Add `--resource-type` flag to `policy_sentry query action-table` comm…
reetasingh 4eb2312
fix cheat sheet for resource type (#265)
reetasingh b5ccd54
Updates to support calling policy_sentry from a terraform external da…
dgubitosi b1f931b
Provide fix for SID that contains dash (#267)
Alegrowin 06e10b7
fix logging bug (#269)
reetasingh 7cc7db3
Update CHANGELOG.md
kmcquade 8e58303
Change minimize to a boolean flag with an option minimize-length argu…
dgubitosi 88c5a7c
backward compatibility for --minimize
dgubitosi 5cb5512
remove --no-minimize
dgubitosi 56ce0bf
is_eager is not needed here
dgubitosi f1a95d8
use custom classes for proper backward compatibility for --minimize
dgubitosi 4c396fd
ensure argument order remains consistent
dgubitosi 3b46f5a
fix pylint errors
dgubitosi e2345a8
fix last pylint error
dgubitosi 90e62d8
increment version to 0.10.0
dgubitosi d64f53c
update brew formula
actions-user 9a598e1
adding release drafter github action (#260)
reetasingh 83f49fe
Update database (#271)
github-actions[bot] e6f504b
update brew formula
actions-user 7d08fa3
docs formatting (#273)
plaguna b7a98e8
removing CHANGELOG.md
reetasingh bc09697
Migrate terraform module (#277)
kmcquade a99674c
Terraform: Add support for skip_resource_constraints and exclude_acti…
kmcquade 7435597
Adds support for Terraform 0.13
kmcquade 1cab8ab
Minimize is set to true by default for the Terraform module
kmcquade b280b0d
Resolving conflicts
saikirankv a9d959d
Unexpected output when working with ARNs that have a path in them
saikirankv dc5c773
fixing failing testcases
saikirankv f984dd7
pylint changes
saikirankv 3c0b398
version increment
saikirankv 8e07aea
Review changes
saikirankv File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -145,3 +145,66 @@ def test_dynamodb_arn_matching_gh_215(self): | |
self.assertFalse(does_arn_match(this_arn, stream)) | ||
self.assertFalse(does_arn_match(this_arn, backup)) | ||
self.assertFalse(does_arn_match(this_arn, global_table)) | ||
|
||
|
||
class ArnPathTestCase(unittest.TestCase): | ||
# When paths are used | ||
def test_ssm_paths(self): | ||
parameter_1 = ARN("arn:aws:ssm:::parameter/dev/foo/bar*") | ||
parameter_2 = "arn:aws:ssm:::parameter/dev" | ||
print(parameter_1.same_resource_type(parameter_2)) | ||
self.assertTrue(parameter_1.same_resource_type(parameter_2)) | ||
|
||
|
||
# When confusing ARNs that look like paths but are not actually paths are used | ||
def test_dynamo_db_non_paths(self): | ||
backup_arn = "arn:aws:dynamodb:us-east-1:123456789123:table/mytable/backup/mybackup" | ||
backup_raw_arn = "arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/backup/${BackupName}" | ||
|
||
table_arn = "arn:aws:dynamodb:us-east-1:123456789123:table/mytable" | ||
table_raw_arn = "arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}" | ||
|
||
parameter_arn_with_path = "arn:aws:ssm:::parameter/dev/foo/bar*" | ||
parameter_arn_without_path = "arn:aws:ssm:::parameter/dev" | ||
parameter_raw_arn = "arn:${Partition}:ssm:${Region}:${Account}:parameter/${FullyQualifiedParameterName}" | ||
|
||
s3_object_with_path = "arn:aws:s3:::foo/bar/baz" | ||
s3_object_without_path = "arn:aws:s3:::foo/bar" | ||
|
||
s3_object_raw_arn = "arn:${Partition}:s3:::${BucketName}/${ObjectName}" | ||
s3_bucket_raw_arn = "arn:${Partition}:s3:::${BucketName}" | ||
|
||
ecr_raw_arn = "arn:${Partition}:ecr:${Region}:${Account}:repository/${RepositoryName}" | ||
ecr_arn_with_path = "arn:aws:ecr:*:*:repository/foo/bar" | ||
ecr_arn_without_path = "arn:aws:ecr:*:*:repository/foo" | ||
|
||
self.assertTrue(does_arn_match(backup_arn, backup_raw_arn)) | ||
self.assertTrue(does_arn_match(table_arn, table_raw_arn)) | ||
self.assertFalse(does_arn_match(table_arn, backup_raw_arn)) | ||
self.assertFalse(does_arn_match(backup_arn, table_raw_arn)) | ||
|
||
self.assertTrue(does_arn_match(parameter_arn_with_path, parameter_raw_arn)) | ||
self.assertTrue(does_arn_match(parameter_arn_without_path, parameter_raw_arn)) | ||
|
||
self.assertTrue(does_arn_match(s3_object_without_path, s3_object_raw_arn)) | ||
self.assertTrue(does_arn_match(s3_object_with_path, s3_object_raw_arn)) | ||
# self.assertFalse(does_arn_match(s3_object_with_path, s3_bucket_raw_arn)) | ||
# self.assertFalse(does_arn_match(s3_object_without_path, s3_bucket_raw_arn)) | ||
|
||
self.assertTrue(does_arn_match(ecr_arn_with_path, ecr_raw_arn)) | ||
self.assertTrue(does_arn_match(ecr_arn_without_path, ecr_raw_arn)) | ||
|
||
{"arn:aws:dynamodb:us-east-1:123456789123:table/mytable/backup/mybackup", "arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/backup/${BackupName}", True} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can we remove these? |
||
{"arn:aws:dynamodb:us-east-1:123456789123:table/mytable", "arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}", True} | ||
|
||
{"arn:aws:dynamodb:us-east-1:123456789123:table/mytable/backup/mybackup", "arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}", False} | ||
{"arn:aws:dynamodb:us-east-1:123456789123:table/mytable", "arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/backup/${BackupName}", False} | ||
|
||
{"arn:aws:ssm:::parameter/dev/foo/bar*", "arn:${Partition}:ssm:${Region}:${Account}:parameter/${FullyQualifiedParameterName}", True} | ||
{"arn:aws:ssm:::parameter/dev", "arn:${Partition}:ssm:${Region}:${Account}:parameter/${FullyQualifiedParameterName}", True} | ||
|
||
{"arn:aws:s3:::foo/bar/baz", "arn:${Partition}:s3:::${BucketName}/${ObjectName}", True} | ||
{"arn:aws:s3:::foo/bar/baz", "arn:${Partition}:s3:::${BucketName}", False} | ||
|
||
{"arn:aws:ecr:*:*:repository/foo/bar", "arn:${Partition}:ecr:${Region}:${Account}:repository/${RepositoryName}", True} | ||
{"arn:aws:ecr:*:*:repository/foo", "arn:${Partition}:ecr:${Region}:${Account}:repository/${RepositoryName}", True} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why are these commented out?