policy



Constants

This section is empty.

Variables

This section is empty.

Functions

func MatchesAfterExpansion added in v1.14.0

func MatchesAfterExpansion(stringFromPolicyToCheck, stringToCheckAgainst string) bool

MatchesAfterExpansion checks stringFromPolicyToCheck against stringToCheckAgainst. Source: https://github.com/nccgroup/PMapper/blob/master/principalmapper/querying/local_policy_simulation.py

Types

type ListOfPrincipals added in v1.13.4

// ListOfPrincipals holds a trust-statement principal field that AWS may
// serialize either as a single string or as an array of strings; the
// custom UnmarshalJSON accepts both forms and always yields a slice.
type ListOfPrincipals []string

ListOfPrincipals needs a custom unmarshaller because the list of principals can be either a single string or an array of strings. See https://stackoverflow.com/questions/65854778/parsing-arn-from-iam-policy-using-regex

func (*ListOfPrincipals) UnmarshalJSON added in v1.13.4

func (r *ListOfPrincipals) UnmarshalJSON(b []byte) error

type ListOrString

// ListOrString is a policy-document value (Action, Resource, condition
// values, ...) that the JSON may give as one string or as an array of
// strings; its UnmarshalJSON normalizes both forms to a slice.
type ListOrString []string

func (*ListOrString) UnmarshalJSON

func (ls *ListOrString) UnmarshalJSON(b []byte) error

type Policy

// Policy is an IAM policy document as produced by ParseJSONPolicy.
// Field names mirror the top-level keys of the JSON document.
//
// Statement (and the types nested in it) uses custom slice/map types, so a
// Policy is not comparable with ==; use IsEmpty to test for an empty policy.
type Policy struct {
	Version   string            `json:"Version"` // policy-language version, copied verbatim
	Id        string            `json:"Id"`      // optional document identifier
	Statement []PolicyStatement `json:"Statement"`
}

func ParseJSONPolicy

func ParseJSONPolicy(data []byte) (Policy, error)

func (*Policy) DoesPolicyHaveMatchingStatement added in v1.14.0

func (p *Policy) DoesPolicyHaveMatchingStatement(effect string, actionToCheck string, resourceToCheck string) bool

func (*Policy) IsConditionallyPublic

func (p *Policy) IsConditionallyPublic() bool

IsConditionallyPublic returns true iff there is at least one statement with principal * whose conditions do not scope access down to specific AWS accounts or organizations.

func (*Policy) IsEmpty

func (p *Policy) IsEmpty() bool

IsEmpty returns true iff the Policy is empty. A comparison such as `p == Policy{}` is not possible because the struct uses custom (non-comparable) types.

func (*Policy) IsPublic

func (p *Policy) IsPublic() bool

IsPublic returns true iff there is at least one statement with principal * and no conditions.

type PolicyStatement

// PolicyStatement is one entry of a Policy's Statement array.
//
// NotAction and NotResource invert the match: an Allow statement with
// NotAction grants every action except those listed, so an analysis that
// reads only Action and Resource under-counts what the statement permits.
// Whether DoesPolicyHaveMatchingStatement accounts for the Not* fields is not
// visible from this page — verify before relying on it.
type PolicyStatement struct {
	Sid    string `json:"Sid,omitempty"`
	Effect string `json:"Effect"` // "Allow" or "Deny"; see IsAllow
	// Principal is a struct, so the omitempty option has no effect on it
	// (encoding/json never treats a struct value as empty); emptiness is
	// reported through PolicyStatementPrincipal.IsEmpty instead.
	Principal   PolicyStatementPrincipal `json:"Principal,omitempty"`
	Action      ListOrString             `json:"Action"`
	NotAction   ListOrString             `json:"NotAction,omitempty"`
	Resource    ListOrString             `json:"Resource,omitempty"`
	NotResource ListOrString             `json:"NotResource,omitempty"`
	Condition   PolicyStatementCondition `json:"Condition,omitempty"`
}

func (*PolicyStatement) GetAllActionsAsString

func (ps *PolicyStatement) GetAllActionsAsString() string

func (*PolicyStatement) GetAllPrincipalsAsString

func (ps *PolicyStatement) GetAllPrincipalsAsString() string

func (*PolicyStatement) GetConditionsInEnglish

func (ps *PolicyStatement) GetConditionsInEnglish(caller string) string

func (*PolicyStatement) GetResources added in v1.12.3

func (ps *PolicyStatement) GetResources() []string

GetResources returns the statement's resources as a list of strings.

func (*PolicyStatement) GetStatementSummaryInEnglish

func (ps *PolicyStatement) GetStatementSummaryInEnglish(caller string) string

func (*PolicyStatement) IsAllow

func (ps *PolicyStatement) IsAllow() bool

func (*PolicyStatement) IsEmpty

func (ps *PolicyStatement) IsEmpty() bool

type PolicyStatementCondition

// PolicyStatementCondition maps a condition operator (e.g. "StringEquals")
// to its condition keys, each of which maps to one or more values.
// Because it is a map, an absent Condition block unmarshals to nil and
// omitempty drops it on output.
type PolicyStatementCondition map[string]map[string]ListOrString

See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html. Conditions have the following general structure:

"Condition" : { "{condition-operator}" : { "{condition-key}" : "{condition-value}" }}

func (*PolicyStatementCondition) IsEmpty

func (psc *PolicyStatementCondition) IsEmpty() bool

func (*PolicyStatementCondition) IsScopedOnAccountOrOrganization

func (psc *PolicyStatementCondition) IsScopedOnAccountOrOrganization() bool

IsScopedOnAccountOrOrganization returns true if the policy condition ensures access only for specific AWS accounts or organizations. It may return false even if access is restricted in such a way. Such policies should be reported to the user and analyzed case by case to judge whether the conditions are sufficiently restrictive.

type PolicyStatementPrincipal

// PolicyStatementPrincipal holds a statement's Principal element, which the
// policy language allows as either a bare string (e.g. "*") or an object
// keyed by principal type. UnmarshalJSON/MarshalJSON convert between the two
// JSON shapes and this struct.
type PolicyStatementPrincipal struct {
	S string                         // string form of the principal; presumably set only when the JSON was a string — verify in UnmarshalJSON
	O PolicyStatementPrincipalObject // object form of the principal
}

func (*PolicyStatementPrincipal) IsEmpty

func (psp *PolicyStatementPrincipal) IsEmpty() bool

func (*PolicyStatementPrincipal) IsPublic

func (psp *PolicyStatementPrincipal) IsPublic() bool

func (*PolicyStatementPrincipal) MarshalJSON

func (psp *PolicyStatementPrincipal) MarshalJSON() ([]byte, error)

func (*PolicyStatementPrincipal) UnmarshalJSON

func (psp *PolicyStatementPrincipal) UnmarshalJSON(b []byte) error

type PolicyStatementPrincipalObject

// PolicyStatementPrincipalObject is the object form of a Principal element,
// with one field per principal type the policy language defines. Each field
// accepts a single string or an array of strings via ListOrString.
type PolicyStatementPrincipalObject struct {
	AWS           ListOrString `json:"AWS,omitempty"`           // account IDs, IAM ARNs or "*"
	CanonicalUser ListOrString `json:"CanonicalUser,omitempty"` // S3 canonical user IDs
	Federated     ListOrString `json:"Federated,omitempty"`     // SAML/OIDC identity providers
	Service       ListOrString `json:"Service,omitempty"`       // AWS service principals
}

func (*PolicyStatementPrincipalObject) GetListOfPrincipals

func (pspo *PolicyStatementPrincipalObject) GetListOfPrincipals() []string

func (*PolicyStatementPrincipalObject) IsEmpty

func (pspo *PolicyStatementPrincipalObject) IsEmpty() bool

func (*PolicyStatementPrincipalObject) IsPublic

func (pspo *PolicyStatementPrincipalObject) IsPublic() bool

func (*PolicyStatementPrincipalObject) IsTrustedPrincipalSameAccount added in v1.12.3

func (pspo *PolicyStatementPrincipalObject) IsTrustedPrincipalSameAccount(accountID string) bool

IsTrustedPrincipalSameAccount determines whether the trusted principal belongs to the same account as the resource (accountID) or to a different account.

type RoleTrustStatementEntry added in v1.13.4

// RoleTrustStatementEntry is one statement of a role trust policy, modeled
// with a fixed schema rather than the generic PolicyStatement.
//
// Because Condition is a fixed struct, encoding/json silently discards any
// operator or condition key that is not declared below (for example a
// StringEquals on aws:PrincipalOrgID, or an ArnLike block). A trust policy
// whose only restriction lives in an undeclared key therefore parses as if
// it had no such restriction; consumers should not treat an empty Condition
// here as proof that the trust is unconditional.
type RoleTrustStatementEntry struct {
	Sid       string `json:"Sid"`
	Effect    string `json:"Effect"`
	Principal struct {
		AWS       ListOfPrincipals `json:"AWS"`
		Service   ListOfPrincipals `json:"Service"`
		Federated ListOfPrincipals `json:"Federated"`
	} `json:"Principal"`
	// Action is a plain string, unlike PolicyStatement.Action; a trust
	// statement whose Action is a JSON array would not unmarshal into it.
	// NOTE(review): presumably ParseRoleTrustPolicyDocument surfaces that
	// error rather than dropping the statement — confirm.
	Action    string `json:"Action"`
	Condition struct {
		StringEquals struct {
			StsExternalID                       string           `json:"sts:ExternalId"`
			SAMLAud                             string           `json:"SAML:aud"`
			TokenActionsGithubusercontentComSub ListOfPrincipals `json:"token.actions.githubusercontent.com:sub"`
			TokenActionsGithubusercontentComAud string           `json:"token.actions.githubusercontent.com:aud"`
			OidcEksSub                          ListOfPrincipals `json:"OidcEksSub"`
			OidcEksAud                          string           `json:"OidcEksAud"`
			CognitoAud                          string           `json:"cognito-identity.amazonaws.com:aud"`
			TerraformAud                        string           `json:"app.terraform.io:aud"` // Terraform Cloud specific
			TerraformSub                        ListOfPrincipals `json:"app.terraform.io:sub"` // Terraform Cloud specific
			GCPAud                              string           `json:"accounts.google.com:aud"`
			GCPSub                              ListOfPrincipals `json:"accounts.google.com:sub"`
			// NOTE(review): this tag only matches a key whose path segment is
			// literally "tenant-id"; a key carrying a real tenant identifier
			// would be ignored by encoding/json — confirm this is intended.
			AzureADIss                          ListOfPrincipals `json:"http://sts.windows.net/tenant-id/iss"` // Azure AD specific
			AzureADSub                          ListOfPrincipals `json:"sub"`                                  // Common among OIDC providers
			PingClientId                        string           `json:"pingidentity.com:client_id"`
			GoogleWorkspaceAud                  string           `json:"workspace.google.com:aud"`
			GoogleWorkspaceSub                  ListOfPrincipals `json:"workspace.google.com:sub"`
			CircleCIAud                         ListOfPrincipals `json:"CircleCIAud"`
			CircleCISub                         ListOfPrincipals `json:"CircleCISub"`
		} `json:"StringEquals"`
		// StringLike mirrors the OIDC keys of StringEquals (minus
		// sts:ExternalId, SAML:aud and the Cognito aud); pattern matching
		// on the sub claim is where over-broad wildcards typically appear.
		StringLike struct {
			TokenActionsGithubusercontentComSub ListOfPrincipals `json:"token.actions.githubusercontent.com:sub"`
			TokenActionsGithubusercontentComAud string           `json:"token.actions.githubusercontent.com:aud"`
			OidcEksSub                          ListOfPrincipals `json:"OidcEksSub"`
			OidcEksAud                          string           `json:"OidcEksAud"`
			TerraformAud                        string           `json:"app.terraform.io:aud"` // Terraform Cloud specific
			TerraformSub                        ListOfPrincipals `json:"app.terraform.io:sub"` // Terraform Cloud specific
			GCPAud                              string           `json:"accounts.google.com:aud"`
			GCPSub                              ListOfPrincipals `json:"accounts.google.com:sub"`
			AzureADIss                          ListOfPrincipals `json:"http://sts.windows.net/tenant-id/iss"` // Azure AD specific; same literal "tenant-id" caveat as in StringEquals
			AzureADSub                          ListOfPrincipals `json:"sub"`                                  // Common among OIDC providers
			PingClientId                        string           `json:"pingidentity.com:client_id"`
			GoogleWorkspaceAud                  string           `json:"workspace.google.com:aud"`
			GoogleWorkspaceSub                  ListOfPrincipals `json:"workspace.google.com:sub"`
			CircleCIAud                         ListOfPrincipals `json:"CircleCIAud"`
			CircleCISub                         ListOfPrincipals `json:"CircleCISub"`
		} `json:"StringLike"`
		// ForAnyValueStringLike carries only the Cognito amr key; any other
		// key under this operator is dropped on unmarshal.
		ForAnyValueStringLike struct {
			CognitoAMR string `json:"cognito-identity.amazonaws.com:amr"`
		} `json:"ForAnyValue:StringLike"`
	} `json:"Condition"`
}

type TrustPolicyDocument added in v1.13.4

// TrustPolicyDocument is a role's assume-role (trust) policy as returned by
// ParseRoleTrustPolicyDocument. Unlike Policy it has no Id field, and its
// statements use the fixed-schema RoleTrustStatementEntry.
type TrustPolicyDocument struct {
	Version   string                    `json:"Version"`
	Statement []RoleTrustStatementEntry `json:"Statement"`
}

func ParseRoleTrustPolicyDocument added in v1.13.4

func ParseRoleTrustPolicyDocument(role types.Role) (TrustPolicyDocument, error)
