
Commit a2f1e95

committed
correctly propagate condition keys to resource types
1 parent 1e64b8b commit a2f1e95


2 files changed

+18
-5
lines changed


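--- a/policy_sentry/querying/actions.py
+++ b/policy_sentry/querying/actions.py
@@ -109,11 +109,17 @@ def create_action_data_entries(
     """
 
     results = []
-    condition_keys = []
     dependent_actions = []
+
+    # check for condition keys, which can be used with any allowed resource type
+    wildcard_condition_keys = []
+    if wildcard_resource_type := action_data["resource_types"].get(""):
+        wildcard_condition_keys = wildcard_resource_type["condition_keys"]
+
     for resource_type, resource_type_entry in action_data["resource_types"].items():
         # Set default value for if no other matches are found
         resource_arn_format = "*"
+        condition_keys = []
         # Get the dependent actions
         resource_dependent_actions = resource_type_entry["dependent_actions"]
         if resource_dependent_actions:
@@ -123,7 +129,11 @@ def create_action_data_entries(
         service_resource_data = service_prefix_data["resources"].get(resource_type)
         if service_resource_data:
             resource_arn_format = service_resource_data.get("arn", "*")
-            condition_keys = service_resource_data.get("condition_keys")
+            if resource_condition_keys := service_resource_data.get("condition_keys"):
+                condition_keys.extend(resource_condition_keys)
+
+        if wildcard_condition_keys:
+            condition_keys.extend(wildcard_condition_keys)
 
         temp_dict = {
             "action": f"{service_prefix_data['prefix']}:{action_name}",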

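--- a/test/querying/test_query_actions.py
+++ b/test/querying/test_query_actions.py
@@ -145,6 +145,8 @@ def test_get_action_data(self):
                     "aws:ResourceTag/${TagKey}",
                     "ram:PermissionArn",
                     "ram:PermissionResourceType",
+                    "aws:RequestTag/${TagKey}",
+                    "aws:TagKeys",
                 ],
                 "dependent_actions": [],
             },
@@ -158,6 +160,8 @@ def test_get_action_data(self):
                     "aws:ResourceTag/${TagKey}",
                     "ram:AllowsExternalPrincipals",
                     "ram:ResourceShareName",
+                    "aws:RequestTag/${TagKey}",
+                    "aws:TagKeys",
                 ],
                 "dependent_actions": [],
             },
@@ -168,9 +172,8 @@ def test_get_action_data(self):
                 "api_documentation_link": "https://docs.aws.amazon.com/ram/latest/APIReference/API_TagResource.html",
                 "resource_arn_format": "*",
                 "condition_keys": [
-                    "aws:ResourceTag/${TagKey}",
-                    "ram:AllowsExternalPrincipals",
-                    "ram:ResourceShareName",
+                    "aws:RequestTag/${TagKey}",
+                    "aws:TagKeys",
                 ],
                 "dependent_actions": [],
             },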
