Fix Excluded Actions

SIDs can be empty due to excluded actions. This check will prevent those SIDs from being returned to the user.

Author: Keith Register

examples/yml/crud-with-excluded-actions-empty-sid.yml

@@ -0,0 +1,5 @@
+mode: crud
+write:
+- arn:aws:s3:::test
+exclude-actions:
+- "iam:Pass*"

policy_sentry/writing/sid_group.py

@@ -174,6 +174,9 @@ def get_rendered_policy(self, minimize=None):
             else:
                 actions = temp_actions
             # temp_actions.clear()
+            # Check if SID is empty of actions. Continue if yes.
+            if not actions:
+                continue
             match_found = False
             if minimize is not None and isinstance(minimize, int):
                 logger.debug("Minimizing statements...")

test/writing/test_sid_group_crud.py

@@ -593,3 +593,69 @@ def test_exclude_actions_from_crud_output(self):
             ]
         }
         self.assertDictEqual(results, expected_result)
+
+
+    def test_exclude_actions_empty_sid_from_crud_output(self):
+        sid_group = SidGroup()
+        crud_with_exclude_actions = os.path.abspath(
+            os.path.join(
+                os.path.dirname(__file__),
+                os.path.pardir,
+                os.path.pardir,
+                "examples",
+                "yml",
+                "crud-with-exclude-actions-empty-sid.yml",
+            )
+        )
+
+        with open(crud_with_exclude_actions, "r") as this_yaml_file:
+            crud_with_exclude_actions_cfg = yaml.safe_load(this_yaml_file)
+        # crud_with_exclude_actions_cfg = {
+        #     "mode": "crud",
+        #     "write": [
+        #         "arn:aws:s3:::test"
+        #     ],
+        #     "exclude-actions": [
+        #         "iam:Pass*"
+        #     ]
+        # }
+
+        # print(json.dumps(crud_with_exclude_actions_cfg, indent=4))
+        sid_group.process_template(crud_with_exclude_actions_cfg)
+        result = sid_group.get_rendered_policy(crud_with_exclude_actions_cfg)
+        # print(json.dumps(result, indent=4))
+        expected_result = {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Sid": "S3WriteBucket",
+                    "Effect": "Allow",
+                    "Action": [
+                        "s3:CreateBucket",
+                        "s3:DeleteBucket",
+                        "s3:DeleteBucketOwnershipControls",
+                        "s3:DeleteBucketWebsite",
+                        "s3:PutAccelerateConfiguration",
+                        "s3:PutAnalyticsConfiguration",
+                        "s3:PutBucketCORS",
+                        "s3:PutBucketLogging",
+                        "s3:PutBucketNotification",
+                        "s3:PutBucketObjectLockConfiguration",
+                        "s3:PutBucketOwnershipControls",
+                        "s3:PutBucketRequestPayment",
+                        "s3:PutBucketVersioning",
+                        "s3:PutBucketWebsite",
+                        "s3:PutEncryptionConfiguration",
+                        "s3:PutIntelligentTieringConfiguration",
+                        "s3:PutInventoryConfiguration",
+                        "s3:PutLifecycleConfiguration",
+                        "s3:PutMetricsConfiguration",
+                        "s3:PutReplicationConfiguration"
+                    ],
+                    "Resource": [
+                        "arn:aws:s3:::test"
+                    ]
+                }
+            ]
+        }
+        self.assertDictEqual(result, expected_result)