diff --git a/parliament/__init__.py b/parliament/__init__.py
index b24162e..c4cc711 100644
--- a/parliament/__init__.py
+++ b/parliament/__init__.py
@@ -1,7 +1,7 @@
 """
 This library is a linter for AWS IAM policies.
 """
-__version__ = "1.6.0"
+__version__ = "1.6.1"
 import fnmatch
 import functools
@@ -229,7 +229,7 @@ def is_glob_match(s1, s2):
 return s1[0] == s2[0] and is_glob_match(s1[1:], s2[1:])
-@functools.lru_cache(maxsize=1024)
+@functools.lru_cache(maxsize=10240)
 def expand_action(action, raise_exceptions=True):
 """
 Converts "iam:*List*" to
diff --git a/parliament/statement.py b/parliament/statement.py
index 4acc165..dbf8766 100644
--- a/parliament/statement.py
+++ b/parliament/statement.py
@@ -147,12 +147,16 @@ def is_valid_account_id(str):
 "aws:CalledViaLast": "String",
 "aws:CurrentTime": "Date",
 "aws:EpochTime": "Date", # This needs to accept Date or Numeric
+"aws:FederatedProvider": "String",
 "aws:MultiFactorAuthAge": "Numeric",
 "aws:MultiFactorAuthPresent": "Bool",
 "aws:PrincipalAccount": "String",
 "aws:PrincipalOrgID": "String",
 "aws:PrincipalArn": "Arn",
+"aws:PrincipalIsAWSService": "Bool",
 "aws:PrincipalOrgPaths": "String",
+"aws:PrincipalServiceName": "String",
+"aws:PrincipalServiceNamesList": "String",
 "aws:PrincipalTag": "String",
 "aws:PrincipalType": "String",
 "aws:RequestedRegion": "String",
@@ -162,11 +166,16 @@ def is_valid_account_id(str):
 "aws:PrincipalTag/*": "String",
 "aws:PrincipalType": "String",
 "aws:Referer": "String",
+"aws:RequestedRegion": "String",
 "aws:RequestTag/*": "String",
+"aws:ResourceAccount": "String",
+"aws:ResourceOrgID": "String",
+"aws:ResourceOrgPaths": "String",
 "aws:ResourceTag/*": "String",
 "aws:SecureTransport": "Bool",
 "aws:SourceAccount": "String",
 "aws:SourceArn": "Arn",
+"aws:SourceIdentity": "String",
 "aws:SourceIp": "Ip",
 "aws:SourceVpc": "String",
 "aws:SourceVpce": "String",
diff --git a/tests/unit/test_action_expansion.py b/tests/unit/test_action_expansion.py
index c5cb0c3..8ee13c4 100644
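Review bot: Raising `maxsize` to 10240 is fine, but `functools.lru_cache` hands every caller the very same cached object, so if `expand_action` returns a list (the tests in this commit compare its `len()` against a list of dicts) any caller that appends to or otherwise mutates the result silently corrupts the cache for every later lookup of that action string. Either return an immutable tuple or a fresh copy from the cached function, or record the contract next to the decorator: `# NOTE: results are cached and shared between callers; treat them as read-only`. Note also that the key includes `raise_exceptions`, so the same action queried with both flag values occupies two cache slots, which is worth remembering when sizing. The body of `expand_action` continues outside the hunk.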
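Review bot: `aws:PrincipalServiceNamesList`, added here as a plain `"String"`, is a multivalued condition key in the AWS reference, as is the existing `aws:PrincipalOrgPaths` directly above it; if this table is what drives the operator/type checks, a policy that applies `StringEquals` to such a key without a `ForAnyValue`/`ForAllValues` prefix would pass the linter while never matching in IAM. If the type table has no way to express multivalued keys, at least mark the entries so the gap is visible, e.g. `"aws:PrincipalServiceNamesList": "String",  # multivalued: needs ForAnyValue/ForAllValues`. The enclosing mapping starts and ends outside the hunk, so I cannot see how these types are consumed.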
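Review bot: The added `"aws:RequestedRegion": "String",` duplicates an entry that already exists — the preceding hunk ends on the same key with the same value as a context line. In a Python dict literal the later occurrence silently wins, so this is harmless today, but duplicate keys are exactly how a future disagreement between two entries goes unnoticed (`"aws:PrincipalType"` already appears as context in both hunks, so the table has this problem before the commit). Drop the new line and consider a small test that parses the literal and asserts the key list has no repeats. The mapping this hunk edits begins and ends outside the hunk.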
--- a/tests/unit/test_action_expansion.py
+++ b/tests/unit/test_action_expansion.py
@@ -9,42 +9,36 @@ class TestActionExpansion:
 def test_expand_action_no_expansion(self):
 expanded_actions = expand_action("s3:listallmybuckets")
- assert (
- len(expanded_actions),
- len([{"service": "s3", "action": "ListAllMyBuckets"}]),
+ assert len(expanded_actions) == len(
+ [{"service": "s3", "action": "ListAllMyBuckets"}]
 )
 def test_expand_action_with_expansion(self):
 expanded_actions = expand_action("s3:listallmybucke*")
- assert (
- len(expanded_actions),
- len([{"service": "s3", "action": "ListAllMyBuckets"}]),
+ assert len(expanded_actions) == len(
+ [{"service": "s3", "action": "ListAllMyBuckets"}]
 )
 def test_expand_action_with_casing(self):
 expanded_actions = expand_action("iAm:li*sTuS*rs")
- assert (len(expanded_actions), len([{"service": "iam", "action": "ListUsers"}]))
+ assert len(expanded_actions) == len([{"service": "iam", "action": "ListUsers"}])
 def test_expand_action_with_expansion_for_prefix_used_multiple_times(self):
 expanded_actions = expand_action("ses:Describe*")
- assert (
- len(expanded_actions),
- len(
- [
- {"service": "ses", "action": "DescribeActiveReceiptRuleSet"},
- {"service": "ses", "action": "DescribeConfigurationSet"},
- {"service": "ses", "action": "DescribeReceiptRule"},
- {"service": "ses", "action": "DescribeReceiptRuleSet"},
- ]
- ),
+ assert len(expanded_actions) == len(
+ [
+ {"service": "ses", "action": "DescribeActiveReceiptRuleSet"},
+ {"service": "ses", "action": "DescribeConfigurationSet"},
+ {"service": "ses", "action": "DescribeReceiptRule"},
+ {"service": "ses", "action": "DescribeReceiptRuleSet"},
+ ]
 )
 def test_expand_action_with_permission_only_action(self):
 # There are 17 privileges list as "logs.CreateLogDelivery [permission only]"
 expanded_actions = expand_action("logs:GetLogDelivery")
- assert (
- len(expanded_actions),
- len([{"service": "logs", "action": "GetLogDelivery"}]),
+ assert len(expanded_actions) == len(
+ [{"service": "logs", "action": "GetLogDelivery"}]
 )
 def test_exception_malformed(self):
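Review bot: The rewritten assertions finally execute (the old tuple form was always truthy and could never fail), but they still compare only `len()`, so `test_expand_action_with_casing` passes if `expand_action("iAm:li*sTuS*rs")` returns any single action rather than specifically `iam:ListUsers`, and the `ses:Describe*` case passes for any four actions whatsoever. Assuming the return is a list of `{"service", "action"}` dicts as the comparands suggest, compare contents directly, e.g. `assert expanded_actions == [{"service": "iam", "action": "ListUsers"}]`, or if ordering is not guaranteed, `assert {a["action"] for a in expanded_actions} == {"ListUsers"}`. The hard-coded count of four `ses:Describe*` actions will also drift as AWS adds actions, which a set-inclusion check (`<=`) would tolerate better than equality on length. `TestActionExpansion` opens before the hunk and `test_exception_malformed` continues after it.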