[Compiled Python bytecode (.pyc) of cfnlint/rules/resources/iam/Policy.py from cfn-lint. The binary is not recoverable; only the embedded docstrings, string constants and symbol names survive, and they are summarised below.]

Module docstring (license header):

Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Imports: json, datetime.date, six, cfnlint.helpers.convert_dict, cfnlint.CloudFormationLintRule, cfnlint.RuleMatch.

Class Policy(CloudFormationLintRule), docstring "Check if IAM Policy JSON is correct":
  id: E2507
  shortdesc: Check if IAM Policies are properly configured
  description: See if there elements inside an IAM policy are correct
  source_url: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html
  tags: properties, iam

__init__ ("Init") registers the resource types it inspects and the property that holds the policy:
  resource_exceptions: AWS::ECR::Repository -> RepositoryPolicyText
  resources_and_keys (resource policies): AWS::SNS::TopicPolicy -> PolicyDocument, AWS::S3::BucketPolicy -> PolicyDocument, AWS::KMS::Key -> KeyPolicy, AWS::SQS::QueuePolicy -> PolicyDocument, AWS::ECR::Repository -> RepositoryPolicyText, AWS::Elasticsearch::Domain -> AccessPolicies
  idp_and_keys (identity policies): AWS::IAM::Group -> Policies, AWS::IAM::ManagedPolicy -> PolicyDocument, AWS::IAM::Policy -> PolicyDocument, AWS::IAM::Role -> Policies, AWS::IAM::User -> Policies

check_policy_document(value, path, is_identity_policy, resource_exceptions, start_mark, end_mark) ("Check policy document"):
  valid top-level keys: Version, Id, Statement
  valid versions: 2012-10-17, 2008-10-17 (held as date(2012, 10, 17) and date(2008, 10, 17))
  a string value is parsed with json.loads after convert_dict; a parse failure reports "IAM Policy Documents need to be JSON", and a non-dict value reports "IAM Policy Documents needs to be JSON"
  other messages: "IAM Policy key %s doesn't exist.", "IAM Policy Version needs to be one of (%s).", "IAM Policy statement should be of list."
  each Statement entry (a dict, or each dict in a list) is passed to _check_policy_statement

_check_policy_statement(branch, statement, is_identity_policy, resource_exceptions) ("Check statements"):
  valid statement keys: Effect, Principal, NotPrincipal, Action, NotAction, Resource, NotResource, Condition, Sid
  messages: "IAM Policy statement key %s isn't valid", "IAM Policy statement missing Effect", "IAM Policy Effect should be Allow or Deny", "IAM Policy statement missing Action or NotAction", "IAM Resource Policy statement shouldn't have Principal or NotPrincipal" (identity policies), "IAM Resource Policy statement should have Principal or NotPrincipal" (resource policies), "IAM Policy statement missing Resource or NotResource" (identity policies only)

match_resource_properties(properties, resourcetype, path, cfn) ("Check CloudFormation Properties"):
  decides whether the resource is an identity or a resource policy from the two mappings above, looks up the policy key, and walks the value (a list of policies or a single document) with cfn.check_value, collecting the RuleMatch results from check_policy_document.