cloudsplaining 0.6.3__tar.gz → 0.7.0__tar.gz

cloudsplaining-0.7.0/LICENSE

@@ -0,0 +1,12 @@
+Copyright (c) 2020, Salesforce.com, Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+* Neither the name of Salesforce.com nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

{cloudsplaining-0.6.3 → cloudsplaining-0.7.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: cloudsplaining
-Version: 0.6.3
+Version: 0.7.0
 Summary: AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
 Home-page: https://github.com/salesforce/cloudsplaining
 Author: Kinnaird McQuade
@@ -402,13 +402,13 @@ Description: ## NOTE: This repo/project has been restored by Salesforce.
 Keywords: aws iam roles policy policies privileges security
 Platform: UNKNOWN
 Classifier: Programming Language :: Python :: 3 :: Only
-Classifier: Programming Language :: Python :: 3.7
 Classifier: Programming Language :: Python :: 3.8
 Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
 Classifier: License :: OSI Approved :: MIT License
 Classifier: Operating System :: OS Independent
-Requires-Python: >=3.6
+Requires-Python: >=3.8
 Description-Content-Type: text/markdown

{cloudsplaining-0.6.3 → cloudsplaining-0.7.0}/cloudsplaining/__init__.py

@@ -1,16 +1,15 @@
 # pylint: disable=missing-module-docstring
+from __future__ import annotations
+
 import logging
 import sys
 
 # Set default logging handler to avoid "No handler found" warnings.
-from logging import NullHandler
-
+# from logging import NullHandler
 # logging.getLogger(__name__).addHandler(NullHandler())
 # Uncomment to get the full debug logs.
 # 2020-10-06 10:04:17,200 - root - DEBUG - Leveraging the bundled IAM Definition.
 # Need to figure out how to get click_log to do this for me.
-from typing import Union, Optional
-
 logger = logging.getLogger(__name__)
 logger.setLevel(logging.WARNING)
 handler = logging.StreamHandler(sys.stdout)
@@ -23,8 +22,8 @@ logger.addHandler(handler)
 name = "cloudsplaining"  # pylint: disable=invalid-name
 
 
-def change_log_level(log_level: Union[int, str]) -> None:
-    """"Change log level of module logger"""
+def change_log_level(log_level: int | str) -> None:
+    """ "Change log level of module logger"""
     logger.setLevel(log_level)
 
 
@@ -32,7 +31,7 @@ def change_log_level(log_level: Union[int, str]) -> None:
 def set_stream_logger(
     name: str = "cloudsplaining",
     level: int = logging.DEBUG,
-    format_string: Optional[str] = None,
+    format_string: str | None = None,
 ) -> None:
     """
     Add a stream handler for the given name and level to the logging module.
@@ -71,10 +70,10 @@ def set_log_level(verbose: int) -> None:
     :return:
     """
     if verbose == 1:
-        set_stream_logger(level=getattr(logging, "WARNING"))
+        set_stream_logger(level=logging.WARNING)
     elif verbose == 2:
-        set_stream_logger(level=getattr(logging, "INFO"))
+        set_stream_logger(level=logging.INFO)
     elif verbose >= 3:
-        set_stream_logger(level=getattr(logging, "DEBUG"))
+        set_stream_logger(level=logging.DEBUG)
     else:
-        set_stream_logger(level=getattr(logging, "CRITICAL"))
+        set_stream_logger(level=logging.CRITICAL)

{cloudsplaining-0.6.3 → cloudsplaining-0.7.0}/cloudsplaining/bin/cli.py

@@ -5,9 +5,11 @@
 # For full license text, see the LICENSE file in the repo root
 # or https://opensource.org/licenses/BSD-3-Clause
 """
-    Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet.
+Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet.
 """
+
 import click
+
 from cloudsplaining import command
 from cloudsplaining.bin.version import __version__
 

{cloudsplaining-0.6.3 → cloudsplaining-0.7.0}/cloudsplaining/bin/version.py

@@ -1,2 +1,2 @@
 # pylint: disable=missing-module-docstring
-__version__ = '0.6.3'
+__version__ = "0.7.0"

cloudsplaining-0.7.0/cloudsplaining/command/__init__.py

@@ -0,0 +1,11 @@
+# ruff: noqa: F401
+# pylint: disable=missing-module-docstring
+from cloudsplaining.command import (
+    create_exclusions_file,
+    create_multi_account_config_file,
+    download,
+    expand_policy,
+    scan,
+    scan_multi_account,
+    scan_policy_file,
+)

{cloudsplaining-0.6.3 → cloudsplaining-0.7.0}/cloudsplaining/command/create_exclusions_file.py

@@ -2,17 +2,20 @@
 Create YML Template files for the exclusions template command.
 This way, users don't have to remember exactly how to phrase the yaml files, since this command creates it for them.
 """
+
 # Copyright (c) 2020, salesforce.com, inc.
 # All rights reserved.
 # Licensed under the BSD 3-Clause license.
 # For full license text, see the LICENSE file in the repo root
 # or https://opensource.org/licenses/BSD-3-Clause
-import os
 import logging
+import os
+
 import click
-from cloudsplaining.shared.constants import EXCLUSIONS_TEMPLATE
+
 from cloudsplaining import set_log_level
 from cloudsplaining.shared import utils
+from cloudsplaining.shared.constants import EXCLUSIONS_TEMPLATE
 
 logger = logging.getLogger(__name__)
 
@@ -21,7 +24,14 @@ logger = logging.getLogger(__name__)
     context_settings=dict(max_content_width=160),
     short_help="Creates a YML file to be used as a custom exclusions template",
 )
-@click.option("-o", "--output-file", type=click.Path(exists=False), default=os.path.join(os.getcwd(), "exclusions.yml"), required=True, help="Relative path to output file where we want to store the exclusions template.")
+@click.option(
+    "-o",
+    "--output-file",
+    type=click.Path(exists=False),
+    default=os.path.join(os.getcwd(), "exclusions.yml"),
+    required=True,
+    help="Relative path to output file where we want to store the exclusions template.",
+)
 @click.option("--verbose", "-v", "verbosity", count=True)
 def create_exclusions_file(output_file: str, verbosity: int) -> None:
     """
@@ -30,7 +40,7 @@ def create_exclusions_file(output_file: str, verbosity: int) -> None:
     """
     set_log_level(verbosity)
 
-    with open(output_file, "a") as file_obj:
+    with open(output_file, "a", encoding="utf-8") as file_obj:
         for line in EXCLUSIONS_TEMPLATE:
             file_obj.write(line)
     utils.print_green(f"Success! Exclusions template file written to: {output_file}")
@@ -40,6 +50,4 @@ def create_exclusions_file(output_file: str, verbosity: int) -> None:
     )
     print("\tcloudsplaining download")
     print("You can use this with the scan command as shown below: ")
-    print(
-        "\tcloudsplaining scan --exclusions-file exclusions.yml --input-file default.json"
-    )
+    print("\tcloudsplaining scan --exclusions-file exclusions.yml --input-file default.json")

{cloudsplaining-0.6.3 → cloudsplaining-0.7.0}/cloudsplaining/command/create_multi_account_config_file.py

@@ -2,17 +2,20 @@
 Create YML Template files for the exclusions template command.
 This way, users don't have to remember exactly how to phrase the yaml files, since this command creates it for them.
 """
+
 # Copyright (c) 2020, salesforce.com, inc.
 # All rights reserved.
 # Licensed under the BSD 3-Clause license.
 # For full license text, see the LICENSE file in the repo root
 # or https://opensource.org/licenses/BSD-3-Clause
-import os
 import logging
+import os
+
 import click
-from cloudsplaining.shared.constants import MULTI_ACCOUNT_CONFIG_TEMPLATE
+
 from cloudsplaining import set_log_level
 from cloudsplaining.shared import utils
+from cloudsplaining.shared.constants import MULTI_ACCOUNT_CONFIG_TEMPLATE
 
 logger = logging.getLogger(__name__)
 OK_GREEN = "\033[92m"
@@ -23,7 +26,15 @@ END = "\033[0m"
     context_settings=dict(max_content_width=160),
     short_help="Creates a YML file to be used for multi-account scanning",
 )
-@click.option("-o", "--output-file", "output_file", type=click.Path(exists=False), default=os.path.join(os.getcwd(), "multi-account-config.yml"), required=True, help="Relative path to output file where we want to store the multi account config template.")
+@click.option(
+    "-o",
+    "--output-file",
+    "output_file",
+    type=click.Path(exists=False),
+    default=os.path.join(os.getcwd(), "multi-account-config.yml"),
+    required=True,
+    help="Relative path to output file where we want to store the multi account config template.",
+)
 @click.option("-v", "--verbose", "verbosity", help="Log verbosity level.", count=True)
 def create_multi_account_config_file(output_file: str, verbosity: int) -> None:
     """
@@ -32,17 +43,13 @@ def create_multi_account_config_file(output_file: str, verbosity: int) -> None:
     set_log_level(verbosity)
 
     if os.path.exists(output_file):
-        logger.debug(
-            "%s exists. Removing the file and replacing its contents.", output_file
-        )
+        logger.debug("%s exists. Removing the file and replacing its contents.", output_file)
         os.remove(output_file)
 
-    with open(output_file, "a") as file_obj:
+    with open(output_file, "a", encoding="utf-8") as file_obj:
         for line in MULTI_ACCOUNT_CONFIG_TEMPLATE:
             file_obj.write(line)
-    utils.print_green(
-        f"Success! Multi-account config file written to: {os.path.relpath(output_file)}"
-    )
+    utils.print_green(f"Success! Multi-account config file written to: {os.path.relpath(output_file)}")
     print(
         f"\nMake sure you edit the {os.path.relpath(output_file)} file and then run the scan-multi-account command, as shown below."
     )

{cloudsplaining-0.6.3 → cloudsplaining-0.7.0}/cloudsplaining/command/download.py

@@ -1,5 +1,6 @@
 """Runs aws iam get-authorization-details on all accounts specified in the aws credentials file, and stores them in
-account-alias.json """
+account-alias.json"""
+
 # Copyright (c) 2020, salesforce.com, inc.
 # All rights reserved.
 # Licensed under the BSD 3-Clause license.
@@ -10,7 +11,7 @@ from __future__ import annotations
 import json
 import logging
 import os
-from typing import Dict, List, Any, TYPE_CHECKING
+from typing import TYPE_CHECKING, Any
 
 import boto3
 import click
@@ -28,13 +29,29 @@ logger = logging.getLogger(__name__)
     short_help="Runs aws iam get-authorization-details on all accounts specified in the aws credentials "
     "file, and stores them in account-alias.json"
 )
-@click.option("-p", "--profile", type=str, required=False, envvar="AWS_DEFAULT_PROFILE", help="Specify 'all' to authenticate to AWS and scan from *all* AWS credentials profiles. Specify a non-default profile here. Defaults to the 'default' profile.")
-@click.option("-o", "--output", type=click.Path(exists=True), default=os.getcwd(), help="Path to store the output. Defaults to current directory.")
-@click.option("--include-non-default-policy-versions", is_flag=True, default=False, help="When downloading AWS managed policy documents, also include the non-default policy versions. Note that this will dramatically increase the size of the downloaded file.")
+@click.option(
+    "-p",
+    "--profile",
+    type=str,
+    required=False,
+    envvar="AWS_DEFAULT_PROFILE",
+    help="Specify 'all' to authenticate to AWS and scan from *all* AWS credentials profiles. Specify a non-default profile here. Defaults to the 'default' profile.",
+)
+@click.option(
+    "-o",
+    "--output",
+    type=click.Path(exists=True),
+    default=os.getcwd(),
+    help="Path to store the output. Defaults to current directory.",
+)
+@click.option(
+    "--include-non-default-policy-versions",
+    is_flag=True,
+    default=False,
+    help="When downloading AWS managed policy documents, also include the non-default policy versions. Note that this will dramatically increase the size of the downloaded file.",
+)
 @click.option("-v", "--verbose", "verbosity", help="Log verbosity level.", count=True)
-def download(
-    profile: str, output: str, include_non_default_policy_versions: bool, verbosity: int
-) -> int:
+def download(profile: str, output: str, include_non_default_policy_versions: bool, verbosity: int) -> int:
     """
     Runs aws iam get-authorization-details on all accounts specified in the aws credentials file, and stores them in
     account-alias.json
@@ -50,10 +67,8 @@ def download(
     else:
         output_filename = os.path.join(output, "default.json")
 
-    results = get_account_authorization_details(
-        session_data, include_non_default_policy_versions
-    )
-    with open(output_filename, "w") as f:
+    results = get_account_authorization_details(session_data, include_non_default_policy_versions)
+    with open(output_filename, "w", encoding="utf-8") as f:
         json.dump(results, f, indent=4, default=str)
     # output_filename.write_text(json.dumps(results, indent=4, default=str))
     print(f"Saved results to {output_filename}")
@@ -61,14 +76,14 @@ def download(
 
 
 def get_account_authorization_details(
-    session_data: Dict[str, str], include_non_default_policy_versions: bool
-) -> Dict[str, List[Any]]:
+    session_data: dict[str, str], include_non_default_policy_versions: bool
+) -> dict[str, list[Any]]:
     """Runs aws-iam-get-account-authorization-details"""
-    session = boto3.Session(**session_data)  # type:ignore[arg-type]  # dynamically constructed
+    session = boto3.Session(**session_data)  # type:ignore[arg-type]
     config = Config(connect_timeout=5, retries={"max_attempts": 10})
     iam_client: IAMClient = session.client("iam", config=config)
 
-    results: Dict[str, List[Any]] = {
+    results: dict[str, list[Any]] = {
         "UserDetailList": [],
         "GroupDetailList": [],
         "RoleDetailList": [],
@@ -100,9 +115,7 @@ def get_account_authorization_details(
                 else:
                     policy_version_list = []
                     for policy_version in policy.get("PolicyVersionList") or []:
-                        if policy_version.get("VersionId") == policy.get(
-                            "DefaultVersionId"
-                        ):
+                        if policy_version.get("VersionId") == policy.get("DefaultVersionId"):
                             policy_version_list.append(policy_version)
                             break
                     entry = {
@@ -112,9 +125,7 @@ def get_account_authorization_details(
                         "Path": policy.get("Path"),
                         "DefaultVersionId": policy.get("DefaultVersionId"),
                         "AttachmentCount": policy.get("AttachmentCount"),
-                        "PermissionsBoundaryUsageCount": policy.get(
-                            "PermissionsBoundaryUsageCount"
-                        ),
+                        "PermissionsBoundaryUsageCount": policy.get("PermissionsBoundaryUsageCount"),
                         "IsAttachable": policy.get("IsAttachable"),
                         "CreateDate": policy.get("CreateDate"),
                         "UpdateDate": policy.get("UpdateDate"),

{cloudsplaining-0.6.3 → cloudsplaining-0.7.0}/cloudsplaining/command/expand_policy.py

@@ -1,24 +1,31 @@
 """
 Expands the wildcards (*) on an IAM policy file so it is easier for a human to understand. Example: s3:g* vs s3:GetObject, s3:GetObjectAcl, etc.
 """
+
 # Copyright (c) 2020, salesforce.com, inc.
 # All rights reserved.
 # Licensed under the BSD 3-Clause license.
 # For full license text, see the LICENSE file in the repo rootgit pus
 # or https://opensource.org/licenses/BSD-3-Clause
-import logging
 import json
+import logging
+
 import click
 from policy_sentry.analysis.expand import get_expanded_policy
+
 from cloudsplaining import set_log_level
 
 logger = logging.getLogger(__name__)
 
 
-@click.command(
-    short_help="Expand the * Actions in IAM policy files to improve readability"
+@click.command(short_help="Expand the * Actions in IAM policy files to improve readability")
+@click.option(
+    "-i",
+    "--input-file",
+    type=click.Path(exists=True),
+    required=True,
+    help="Path to the JSON policy file.",
 )
-@click.option("-i", "--input-file", type=click.Path(exists=True), required=True, help="Path to the JSON policy file.")
 @click.option("-v", "--verbose", "verbosity", help="Log verbosity level.", count=True)
 def expand_policy(input_file: str, verbosity: int) -> None:
     """
@@ -26,7 +33,7 @@ def expand_policy(input_file: str, verbosity: int) -> None:
     """
     set_log_level(verbosity)
 
-    with open(input_file) as json_file:
+    with open(input_file, encoding="utf-8") as json_file:
         logger.debug(f"Opening {input_file}")
         data = json.load(json_file)
         policy = get_expanded_policy(data)