Merge pull request #43 from kmcquade/fix/GH-25-html-docs-scripts-fix-…

…and-update Fixes #23 - HTML docs update method; docs refresh; fix breaking change from 0.5.4; service coverage.
salesforce · Nov 21, 2019 · 444af4e · 444af4e
2 parents cef77a3 + 6283b18
commit 444af4e
Show file tree

Hide file tree

Showing 235 changed files with 37,190 additions and 4,964 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,5 @@
 tmp/*
+tmp.yml
 *.csv
 state.tf
 Pipfile.lock

diff --git a/.pylintrc b/.pylintrc
@@ -1,4 +1,4 @@
 
 [MESSAGES CONTROL]
 
-disable=line-too-long
+disable=line-too-long,fixme
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,8 +1,42 @@
 # Changelog
+## 2019-11-21 Part 2
+### Changed
+* **Fixed issue where initialize was not working due to db_session being declared outside of a function. This only applied to the last release.**
+* Analyze command: Added credentials-exposure.txt audit file
+* Fixed some stuff in the documentation that had old errors.
+* Version bump
+* HTML Documentation update approach (Fixes GH-23)
+    * `get_links.py` and other util scripts are now updated. We no longer have to maintain the big list of service-to-html-names.
+    * Missing services are now fixed by this HTML documentation update approach:
+      - applicationinsights
+      - appmesh
+      - appmesh-preview
+      - backup-storage
+      - chatbot
+      - codestar-notifications
+      - dataexchange
+      - ec2-instance-connect
+      - iotthingsgraph
+      - mediapackage-vod
+      - managedblockchain
+      - personalize
+      - rdsiamauthentiation
+      - savingsplans
+      - pinpointemailservice
+      - workmailmessageflow
+      - Marketplace links:
+          - Marketplace catalog
+          - Marketplace Entitlement Service
+          - Marketplace Image Building Service
+          - Marketplace Procurement systems integration
+          - Private Marketplace
+
 ## 2019-11-21
 ### Changed
 * `query` command is cleaner. Used click subgroups instead of if-else hell.
 * Adjusted the docs to reflect this.
+### Removed
+* ROADMAP.md because this is in the documentation instead.
 
 ## 2019-11-15
 ### Changed

diff --git a/Pipfile b/Pipfile
@@ -28,6 +28,7 @@ wheel = "==0.33.6"
 schema = "==0.7.1"
 safety = "==1.8.5"
 invoke = "*"
+parliament = "*"
 
 [packages]
 bs4 = "==0.0.1"
@@ -47,4 +48,4 @@ boto3 = "==1.9.248"
 jinja2 = "==2.10.3"
 
 [requires]
-python_version = "3.6"
+python_version = "3.7"
diff --git a/README.md b/README.md
@@ -194,7 +194,7 @@ policy_sentry initialize
 policy_sentry create-template --name myRole --output-file tmp.yml --template-type crud
 
 # Write policy based on resource-specific access levels
-policy_sentry write-policy --crud --file examples/crud.yml
+policy_sentry write-policy --crud --input-file examples/yml/crud.yml
 
 # Write policy_sentry YML files based on resource-specific access levels on a directory basis
 policy_sentry write-policy-dir --crud --input-dir examples/input-dir --output-dir examples/output-dir
@@ -203,7 +203,7 @@ policy_sentry write-policy-dir --crud --input-dir examples/input-dir --output-di
 policy_sentry create-template --name myRole --output-file tmp.yml --template-type actions
 
 # Write policy based on a list of actions
-policy_sentry write-policy --file examples/actions.yml
+policy_sentry write-policy --input-file examples/yml/actions.yml
 ```
 
 * Policy Analysis Cheat Sheet
@@ -213,7 +213,7 @@ policy_sentry write-policy --file examples/actions.yml
 policy_sentry initialize
 
 # Analyze a policy FILE to determine actions with "Permissions Management" access levels
-policy_sentry analyze-iam-policy --from-access-level permissions-management --file examples/analyze/wildcards.json
+policy_sentry analyze-iam-policy --from-access-level permissions-management --policy examples/analyze/wildcards.json
 
 # Download customer managed IAM policies from a live account under 'default' profile. By default, it looks for policies that are 1. in use and 2. customer managed
 policy_sentry download-policies # this will download to ~/.policy_sentry/accountid/customer-managed/.json
@@ -225,10 +225,10 @@ policy_sentry download-policies --include-unattached # this will download to ~/.
 policy_sentry analyze-iam-policy --show ~/.policy_sentry/123456789012/customer-managed
 
 # Analyze a policy FILE to identify higher-risk IAM calls
-policy_sentry analyze-iam-policy --file examples/analyze/wildcards.json
+policy_sentry analyze-iam-policy --policy examples/analyze/wildcards.json
 
 # Analyze a policy against a custom file containing a list of IAM actions
-policy_sentry analyze-iam-policy --file examples/analyze/wildcards.json --from-audit-file ~/.policy_sentry/audit/privilege-escalation.txt
+policy_sentry analyze-iam-policy --policy examples/analyze/wildcards.json --from-audit-file ~/.policy_sentry/audit/privilege-escalation.txt
 ```
 
 * IAM Database Query Cheat Sheet

diff --git a/ROADMAP.md b/ROADMAP.md
diff --git a/docs/user-guide/command-cheat-sheet.rst b/docs/user-guide/command-cheat-sheet.rst
@@ -47,7 +47,7 @@ Policy Writing Commands
    policy_sentry create-template --name myRole --output-file tmp.yml --template-type crud
 
    # Write policy based on resource-specific access levels
-   policy_sentry write-policy --crud --file examples/crud.yml
+   policy_sentry write-policy --crud --input-file examples/yml/crud.yml
 
    # Write policy_sentry YML files based on resource-specific access levels on a directory basis
    policy_sentry write-policy-dir --crud --input-dir examples/input-dir --output-dir examples/output-dir
@@ -56,7 +56,7 @@ Policy Writing Commands
    policy_sentry create-template --name myRole --output-file tmp.yml --template-type actions
 
    # Write policy based on a list of actions
-   policy_sentry write-policy --file examples/actions.yml
+   policy_sentry write-policy --input-file examples/yml/actions.yml
 
 
 Policy Analysis Commands
@@ -67,7 +67,7 @@ Policy Analysis Commands
    policy_sentry initialize
 
    # Analyze a policy FILE to determine actions with "Permissions Management" access levels
-   policy_sentry analyze-iam-policy --from-access-level permissions-management --file examples/analyze/wildcards.json
+   policy_sentry analyze-iam-policy --from-access-level permissions-management --policy examples/analyze/wildcards.json
 
    # Download customer managed IAM policies from a live account under 'default' profile. By default, it looks for policies that are 1. in use and 2. customer managed
    policy_sentry download-policies # this will download to ~/.policy_sentry/accountid/customer-managed/.json
@@ -79,10 +79,10 @@ Policy Analysis Commands
    policy_sentry analyze-iam-policy --show ~/.policy_sentry/123456789012/customer-managed
 
    # Analyze a policy FILE to identify higher-risk IAM calls
-   policy_sentry analyze-iam-policy --file examples/analyze/wildcards.json
+   policy_sentry analyze-iam-policy --policy examples/analyze/wildcards.json
 
    # Analyze a policy against a custom file containing a list of IAM actions
-   policy_sentry analyze-iam-policy --file examples/analyze/wildcards.json --from-audit-file ~/.policy_sentry/audit/privilege-escalation.txt
+   policy_sentry analyze-iam-policy --policy examples/analyze/wildcards.json --from-audit-file ~/.policy_sentry/audit/privilege-escalation.txt
 
 
 IAM Database Query Commands

diff --git a/docs/user-guide/querying-the-database.rst b/docs/user-guide/querying-the-database.rst
@@ -15,10 +15,13 @@ Commands
 
     # Get a list of all IAM Actions available to the RAM service
     policy_sentry query action-table --service ram
+
     # Get details about the `ram:TagResource` IAM Action
     policy_sentry query action-table --service ram --name tagresource
+
     # Get a list of all IAM actions under the RAM service that have the Permissions management access level.
     policy_sentry query action-table --service ram --access-level permissions-management
+
     # Get a list of all IAM actions under the SES service that support the `ses:FeedbackAddress` condition key.
     policy_sentry query action-table --service ses --condition ses:FeedbackAddress
 
@@ -28,8 +31,10 @@ Commands
 
     # Get a list of all RAW ARN formats available through the SSM service.
     policy_sentry query arn-table --service ssm
+
     # Get the raw ARN format for the `cloud9` ARN with the short name `environment`
     policy_sentry query arn-table --service cloud9 --name environment
+
     # Get key/value pairs of all RAW ARN formats plus their short names
     policy_sentry query arn-table --service cloud9 --list-arn-types
 
@@ -39,6 +44,7 @@ Commands
 
     # Get a list of all condition keys available to the Cloud9 service
     policy_sentry query condition-table --service cloud9
+
     # Get details on the condition key titled `cloud9:Permissions`
     policy_sentry query condition-table --service cloud9 --name cloud9:Permissions
 

diff --git a/policy_sentry/command/analyze_iam_policy.py b/policy_sentry/command/analyze_iam_policy.py
@@ -1,5 +1,3 @@
-#!/usr/bin/env python3
-
 """
     analyze_iam_policy will audit the policy for any security concerns
 
@@ -28,7 +26,7 @@
 DATABASE_FILE_NAME = 'aws.sqlite3'
 AUDIT_DIRECTORY_FOLDER = '/audit'
 audit_directory_path = HOME + CONFIG_DIRECTORY + AUDIT_DIRECTORY_FOLDER
-audit_file_name = '/permissions-access-level.txt'
+audit_file_name = '/privilege-escalation.txt'
 audit_file_path = audit_directory_path + audit_file_name
 database_file_path = HOME + CONFIG_DIRECTORY + DATABASE_FILE_NAME
 
@@ -38,7 +36,7 @@
     '--from-audit-file',
     type=str,
     default=audit_file_path,
-    help='The file containing AWS actions to audit. Default path is $HOME/.policy_sentry/audit/permissions-access-level.txt.'
+    help='The file containing AWS actions to audit. Default path is $HOME/.policy_sentry/audit/privilege-escalation.txt.'
 )
 @click.option(
     '--from-access-level',