add principal to the resource policy graphs #318

turbot · Jan 17, 2024 · 5e6ca03 · 5e6ca03
1 parent 9b7cc9e
commit 5e6ca03
Show file tree

Hide file tree

Showing 4 changed files with 115 additions and 3 deletions.
diff --git a/dashboards/iam/iam.sp b/dashboards/iam/iam.sp
@@ -49,6 +49,12 @@ category "iam_policy_action" {
   icon  = "electric_bolt"
 }
 
+category "iam_policy_principal" {
+  title = "IAM Policy Principal"
+  color = local.iam_color
+  icon  = "person"
+}
+
 category "iam_policy_condition" {
   title = "IAM Policy Condition"
   color = local.iam_color

diff --git a/dashboards/iam/iam_edges.sp b/dashboards/iam/iam_edges.sp
@@ -110,6 +110,81 @@ edge "iam_policy_statement" {
   param "iam_policy_arns" {}
 }
 
+edge "iam_policy_statement_principal" {
+  title = "principal"
+  sql = <<-EOQ
+
+    select
+      --distinct on (p.arn,action)
+      concat('principal:', principal) to_id,
+      concat('statement:', i) as from_id
+    from
+     jsonb_array_elements(($1 :: jsonb) ->  'Statement') with ordinality as t(stmt,i),
+      jsonb_array_elements_text(
+          jsonb_path_query_array((t.stmt :: jsonb), '$.Principal.*')
+        ) as principal
+  EOQ
+
+  param "iam_policy_stds" {}
+}
+
+edge "iam_resource_policy_statement_action" {
+  title = "action"
+  sql = <<-EOQ
+
+    select
+      concat('principal:', principal) as from_id,
+      concat('action:', action) as to_id
+    from
+     jsonb_array_elements(($1 :: jsonb) ->  'Statement') with ordinality as t(stmt,i),
+     jsonb_array_elements_text(
+          jsonb_path_query_array((t.stmt :: jsonb), '$.Principal.*')
+      ) as principal,
+     jsonb_array_elements_text(t.stmt -> 'Action') as action
+  EOQ
+
+  param "iam_policy_stds" {}
+}
+
+edge "iam_resource_policy_statement_condition" {
+  title = "condition"
+  sql   = <<-EOQ
+
+    select
+      concat('statement:', i, ':condition:', condition.key) as to_id,
+      concat('principal:', principal) as from_id
+    from
+      jsonb_array_elements(($1 :: jsonb) ->  'Statement') with ordinality as t(stmt,i),
+      jsonb_array_elements_text(
+          jsonb_path_query_array((t.stmt :: jsonb), '$.Principal.*')
+      ) as principal,
+      jsonb_each(t.stmt -> 'Condition') as condition
+    where
+      stmt -> 'Condition' <> 'null'
+  EOQ
+
+  param "iam_policy_stds" {}
+}
+
+edge "iam_resource_policy_statement_notaction" {
+  sql = <<-EOQ
+
+    select
+      concat('action:', notaction) as to_id,
+      concat('principal:', principal) as from_id,
+      concat(lower(t.stmt ->> 'Effect'), ' not action') as title,
+      lower(t.stmt ->> 'Effect') as category
+    from
+      jsonb_array_elements(($1 :: jsonb) ->  'Statement') with ordinality as t(stmt,i),
+      jsonb_array_elements_text(
+        jsonb_path_query_array((t.stmt :: jsonb), '$.Principal.*')
+      ) as principal,
+      jsonb_array_elements_text(t.stmt -> 'NotAction') as notaction
+  EOQ
+
+  param "iam_policy_stds" {}
+}
+
 edge "iam_policy_statement_action" {
   //title = "allows"
   sql = <<-EOQ

diff --git a/dashboards/iam/iam_nodes.sp b/dashboards/iam/iam_nodes.sp
@@ -126,6 +126,23 @@ node "iam_policy_statement" {
   param "iam_policy_stds" {}
 }
 
+node "iam_policy_statement_principal" {
+  category = category.iam_policy_principal
+
+  sql = <<-EOQ
+   select
+      concat('principal:', principal ) as id,
+      case when principal = '*' then principal || ' [All principal]' else principal end as title
+    from
+      jsonb_array_elements(($1 :: jsonb) ->  'Statement') with ordinality as t(stmt,i),
+      jsonb_array_elements_text(
+          jsonb_path_query_array(($1 :: jsonb), '$.Statement[*].Principal.*')
+        ) as principal
+  EOQ
+
+  param "iam_policy_stds" {}
+}
+
 node "iam_policy_statement_action_notaction" {
   category = category.iam_policy_action
 

diff --git a/dashboards/iam/iam_resource_policy.sp b/dashboards/iam/iam_resource_policy.sp
@@ -32,6 +32,13 @@ graph "iam_resource_policy_structure" {
       }
     }
 
+    node {
+      base = node.iam_policy_statement_principal
+      args = {
+        iam_policy_stds = param.policy_std
+      }
+    }
+
     node {
       base = node.iam_policy_statement_action_notaction
       args = {
@@ -68,14 +75,21 @@ graph "iam_resource_policy_structure" {
     }
 
     edge {
-      base = edge.iam_policy_statement_action
+      base = edge.iam_policy_statement_principal
+      args = {
+        iam_policy_stds = param.policy_std
+      }
+    }
+
+    edge {
+      base = edge.iam_resource_policy_statement_action
       args = {
         iam_policy_stds = param.policy_std
       }
     }
 
     edge {
-      base = edge.iam_policy_statement_condition
+      base = edge.iam_resource_policy_statement_condition
       args = {
         iam_policy_stds = param.policy_std
       }
@@ -96,7 +110,7 @@ graph "iam_resource_policy_structure" {
     }
 
     edge {
-      base = edge.iam_policy_statement_notaction
+      base = edge.iam_resource_policy_statement_notaction
       args = {
         iam_policy_stds = param.policy_std
       }