import os
import json
import time
import requests
import re
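# Each pass over a role's permission blocks: (key in the permission block,
# whether it targets data-plane operations, whether it removes rather than grants).
# Order matters and mirrors Azure RBAC evaluation: grants first, then exclusions.
_PASSES = (
    ('actions', False, False),
    ('dataActions', True, False),
    ('notActions', False, True),
    ('notDataActions', True, True),
)


def action_regex(action):
    """Compile a case-insensitive regex for one Azure RBAC action string.

    Azure action strings use ``*`` for "any run of characters" and ``?`` for
    "exactly one character".  Every other character is matched literally, so
    the string is passed through ``re.escape`` before the two wildcards are
    translated; this keeps regex metacharacters in upstream role data
    (``+``, ``(``, ``[`` ...) from altering or breaking the pattern.

    Args:
        action: the raw action string from a role definition.

    Returns:
        A compiled pattern intended for ``fullmatch`` against operation names.
    """
    escaped = re.escape(action)
    # re.escape emits ``\*`` and ``\?``; only those two become wildcards.
    pattern = escaped.replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(pattern, re.IGNORECASE)


def iter_operations(provider):
    """Yield every operation of *provider*: provider-level and per resource type."""
    yield from provider['operations']
    for resource_type in provider['resourceTypes']:
        yield from resource_type['operations']


def _describe_operation(operation, provider):
    """Build the output record for one matched operation of *provider*."""
    return {
        'name': operation['name'],
        'description': operation['description'],
        'displayName': operation['displayName'],
        'providerName': provider['name'],
        'providerDisplayName': provider['displayName'],
    }


def matching_operations(action, provider_ops, is_data_action):
    """Return the operation records that *action* covers.

    Args:
        action: an Azure action string, possibly containing wildcards.
        provider_ops: the parsed provider-operations catalogue (list of providers).
        is_data_action: select data-plane (True) or control-plane (False) operations.

    Returns:
        A list of records (see ``_describe_operation``) in catalogue order.
        An operation listed under both the provider and a resource type is
        reported once per listing, as in the original catalogue.
    """
    regex = action_regex(action)
    matches = []
    for provider in provider_ops:
        for operation in iter_operations(provider):
            if bool(operation['isDataAction']) != is_data_action:
                continue
            if regex.fullmatch(operation['name']):
                matches.append(_describe_operation(operation, provider))
    return matches


def process_role(raw_role, provider_ops):
    """Expand one raw built-in role definition into its effective permissions.

    Args:
        raw_role: a role definition with ``roleName``, ``description`` and a
            ``permissions`` list whose blocks hold ``actions``, ``dataActions``,
            ``notActions`` and ``notDataActions``.
        provider_ops: the parsed provider-operations catalogue.

    Returns:
        A dict with the role name/description, the resolved ``permittedActions``
        and ``permittedDataActions``, the untouched ``rawPermissions``, and two
        flags: ``hasUnknown`` (some action string matched no catalogued
        operation) and ``hasExternal`` (some action string is not under the
        ``microsoft.`` namespace).
    """
    permitted = {False: [], True: []}  # keyed by is_data_action
    has_unknown = False
    has_external = False

    for field, is_data, denied in _PASSES:
        for permission in raw_role['permissions']:
            for action in permission.get(field, ()):
                matches = matching_operations(action, provider_ops, is_data)
                if denied:
                    # notActions/notDataActions strip by operation name,
                    # case-insensitively, from what earlier passes granted.
                    denied_names = {m['name'].lower() for m in matches}
                    permitted[is_data] = [
                        rec for rec in permitted[is_data]
                        if rec['name'].lower() not in denied_names
                    ]
                else:
                    permitted[is_data].extend(matches)
                if not action.lower().startswith("microsoft."):
                    has_external = True
                if not matches:
                    has_unknown = True

    return {
        'name': raw_role['roleName'],
        'description': raw_role['description'],
        'permittedActions': permitted[False],
        'permittedDataActions': permitted[True],
        'rawPermissions': raw_role['permissions'],
        'hasUnknown': has_unknown,
        'hasExternal': has_external,
    }


def main():
    """Read the raw role and provider-operation dumps and write the expanded roles.

    Only roles whose ``roleType`` is ``BuiltInRole`` are emitted.  Output goes
    to ``azure/built-in-roles.json`` with sorted keys so reruns diff cleanly.
    """
    with open("azure/built-in-roles-raw.json", "r", encoding="utf-8") as f:
        raw_roles = json.load(f)
    with open("azure/provider-operations.json", "r", encoding="utf-8") as f:
        provider_ops = json.load(f)

    result = {
        'roles': [
            process_role(raw_role, provider_ops)
            for raw_role in raw_roles
            if raw_role['roleType'] == "BuiltInRole"
        ]
    }

    with open("azure/built-in-roles.json", "w", encoding="utf-8") as f:
        f.write(json.dumps(result, indent=2, sort_keys=True))


if __name__ == "__main__":
    main()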