Merge pull request #336 from kmcquade/fix/GH-335-arn-format

Invalid ARNs now raise a descriptive exception instead of just a generic IndexError message

Author: kmcquade

policy_sentry/util/arns.py

@@ -25,14 +25,16 @@ def __init__(self, provided_arn):
         )
 
         if not follows_arn_format:
-            raise Exception("The provided value does not follow required ARN formatting.")
-        elements = self.arn.split(":", 5)
-        self.partition = elements[1]
-        self.service_prefix = elements[2]
-        self.region = elements[3]
-        self.account = elements[4]
-        self.resource = elements[5]
-
+            raise Exception("The provided value does not follow required ARN format.")
+        try:
+            elements = self.arn.split(":", 5)
+            self.partition = elements[1]
+            self.service_prefix = elements[2]
+            self.region = elements[3]
+            self.account = elements[4]
+            self.resource = elements[5]
+        except IndexError as error:
+            raise Exception("The provided ARN is invalid. IndexError: %s. Please provide a valid ARN." % error) from error
         if "/" in self.resource:
             self.resource, self.resource_path = self.resource.split("/", 1)
         elif ":" in self.resource:
@@ -156,16 +158,19 @@ def parse_arn(arn):
     """
     Given an ARN, split up the ARN into the ARN namespacing schema dictated by the AWS docs.
     """
-    elements = arn.split(":", 5)
-    result = {
-        "arn": elements[0],
-        "partition": elements[1],
-        "service": elements[2],
-        "region": elements[3],
-        "account": elements[4],
-        "resource": elements[5],
-        "resource_path": None,
-    }
+    try:
+        elements = arn.split(":", 5)
+        result = {
+            "arn": elements[0],
+            "partition": elements[1],
+            "service": elements[2],
+            "region": elements[3],
+            "account": elements[4],
+            "resource": elements[5],
+            "resource_path": None,
+        }
+    except IndexError as error:
+        raise Exception("The provided ARN is invalid. IndexError: %s. Please provide a valid ARN." % error) from error
     if "/" in result["resource"]:
         result["resource"], result["resource_path"] = result["resource"].split("/", 1)
     elif ":" in result["resource"]:

test/util/test_arns.py

@@ -1,5 +1,5 @@
 import unittest
-from policy_sentry.util.arns import does_arn_match, ARN
+from policy_sentry.util.arns import does_arn_match, ARN, parse_arn
 
 # "Does Arn Match" tests
 # See docs for this list: # https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-arns
@@ -146,6 +146,11 @@ def test_dynamodb_arn_matching_gh_215(self):
         self.assertFalse(does_arn_match(this_arn, backup))
         self.assertFalse(does_arn_match(this_arn, global_table))
 
+    def test_parse_arn(self):
+        """util.arns.parse_arn: Ensure that invalid ARNs raise a proper exception message"""
+        with self.assertRaises(Exception):
+            parse_arn("aaa")
+
 
 class ArnPathTestCase(unittest.TestCase):
     # When paths are used
@@ -155,7 +160,6 @@ def test_ssm_paths(self):
         print(parameter_1.same_resource_type(parameter_2))
         self.assertTrue(parameter_1.same_resource_type(parameter_2))
 
-
     # When confusing ARNs that look like paths but are not actually paths are used
     def test_dynamo_db_non_paths(self):
         backup_arn = "arn:aws:dynamodb:us-east-1:123456789123:table/mytable/backup/mybackup"