Filter deny from unrestricted actions (#170)

schosterbarak · web-flow · commit 1c9a61a50132 · 2021-03-23T16:08:56.000-04:00
* filter deny statements from "all_allowed_unrestricted_actions"

* add pylint disable for python lambda code
diff --git a/cloudsplaining/scan/policy_document.py b/cloudsplaining/scan/policy_document.py
@@ -57,21 +57,30 @@ def all_allowed_actions(self):
             if statement.effect_allow: # if Effect is "Deny" - it is not an allowed action
                 if statement.expanded_actions:
                     allowed_actions.extend(statement.expanded_actions)
+        allowed_actions = self.filter_deny_statements(allowed_actions)
+        allowed_actions = list(dict.fromkeys(allowed_actions))
+        return allowed_actions
+
+    def filter_deny_statements(self, allowed_actions):
+        """
+            filter all denied statements from actions
+        """
         for statement in self.statements:
             if statement.effect_deny:
                 if statement.expanded_actions:
+                    # pylint: disable=W0640
                     allowed_actions = filter(lambda x: x not in statement.expanded_actions, allowed_actions)
-        allowed_actions = list(dict.fromkeys(allowed_actions))
         return allowed_actions
 
     @property
     def all_allowed_unrestricted_actions(self):
         """Output all IAM actions that do not practice resource constraints"""
         allowed_actions = []
         for statement in self.statements:
-            if not statement.has_resource_constraints and not statement.has_condition:
+            if not statement.has_resource_constraints and not statement.has_condition and statement.effect_allow:
                 if statement.expanded_actions:
                     allowed_actions.extend(statement.expanded_actions)
+        allowed_actions = self.filter_deny_statements(allowed_actions)
         allowed_actions = list(dict.fromkeys(allowed_actions))
         return allowed_actions
 
diff --git a/test/scanning/test_policy_document.py b/test/scanning/test_policy_document.py
@@ -108,6 +108,22 @@ def test_policy_document_all_allowed_actions(self):
         ]
         self.assertListEqual(result, expected_result)
 
+    def test_all_allowed_unrestriced_deny(self):
+        """scan.policy_document.all_allowed_unrestricted_actions"""
+        test_policy = {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Effect": "Deny",
+                    "Action": "*",
+                    "Resource": "*",
+                }
+            ]
+        }
+        policy_document = PolicyDocument(test_policy)
+        result = policy_document.all_allowed_unrestricted_actions
+        self.assertEquals([],result)
+
     def test_policy_document_all_allowed_actions_deny(self):
         """scan.policy_document.all_allowed_actions"""
         test_policy = {
