use alien_core::{
AwsBindingSpec, AwsPlatformPermission, AzureBindingSpec, AzurePlatformPermission,
BindingConfiguration, GcpBindingSpec, GcpCondition, GcpPlatformPermission, PermissionGrant,
PermissionSet, PlatformPermissions,
};
use alien_permissions::PermissionContext;
use indexmap::IndexMap;
/// Builds a fully-populated [`PermissionContext`] for the fixtures in this file.
///
/// Every `with_*` setter the context exposes is given a value, so the AWS, GCP and
/// Azure permission sets below can all be rendered against the same context. The
/// account ids, subscription id and principal id are synthetic test values.
pub fn create_test_context() -> PermissionContext {
    // Stack / deployment / resource identity shared by every platform.
    let context = PermissionContext::new()
        .with_stack_prefix("my-stack")
        .with_stack_name("byoc-database")
        .with_deployment_name("Payment Processor")
        .with_resource_id("payments-data")
        .with_resource_name("my-stack-payments-data");

    // Project / region / subscription style fields (GCP and Azure fixtures).
    let context = context
        .with_project_name("my-project")
        .with_project_number("123456789012")
        .with_region("us-central1")
        .with_subscription_id("00000000-0000-0000-0000-000000000000")
        .with_resource_group("rg-observability-prod")
        .with_storage_account_name("stcxpaymentsprod")
        .with_service_account_name("my-sa")
        .with_principal_id("11111111-2222-3333-4444-555555555555");

    // AWS account / region / cross-account fields.
    context
        .with_external_id("my-external-id")
        .with_aws_account_id("123456789012")
        .with_aws_region("us-east-1")
        .with_managing_account_id("210987654321")
}
/// AWS-only fixture for the `storage/data-read` permission set.
///
/// The grant is the read-only S3 trio (`s3:GetObject`, `s3:GetObjectVersion`,
/// `s3:ListBucket`). Two binding scopes are provided: a stack-wide binding over
/// every bucket named `${stackPrefix}-*` (and the objects inside), and a
/// resource binding limited to the single bucket `${resourceName}`. Neither
/// binding carries an IAM condition; see the `_with_condition` variant for that.
pub fn create_aws_storage_data_read_permission_set() -> PermissionSet {
    let read_actions: Vec<String> = ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"]
        .iter()
        .map(|action| action.to_string())
        .collect();

    // Bucket-level actions (ListBucket) match the bucket ARN, object-level
    // actions match `<bucket>/*`, so each scope lists both ARN forms.
    let stack_binding = AwsBindingSpec {
        resources: vec![
            String::from("arn:aws:s3:::${stackPrefix}-*"),
            String::from("arn:aws:s3:::${stackPrefix}-*/*"),
        ],
        condition: None,
    };
    let resource_binding = AwsBindingSpec {
        resources: vec![
            String::from("arn:aws:s3:::${resourceName}"),
            String::from("arn:aws:s3:::${resourceName}/*"),
        ],
        condition: None,
    };

    let statement = AwsPlatformPermission {
        label: None,
        description: None,
        effect: Default::default(),
        grant: PermissionGrant {
            actions: Some(read_actions),
            permissions: None,
            predefined_roles: None,
            residual_permissions: None,
            data_actions: None,
        },
        binding: BindingConfiguration {
            stack: Some(stack_binding),
            resource: Some(resource_binding),
        },
    };

    PermissionSet {
        id: String::from("storage/data-read"),
        description: String::from("Allows reading data from storage resources"),
        platforms: PlatformPermissions {
            aws: Some(vec![statement]),
            gcp: None,
            azure: None,
        },
    }
}
/// Variant of [`create_aws_storage_data_read_permission_set`] whose stack binding
/// carries an IAM condition.
///
/// The condition is `StringEquals { "sts:ExternalId": "${externalId}" }` and is
/// attached to the stack-wide binding only; the per-resource binding is left
/// unconditional. Actions, resources, id and description are otherwise identical
/// to the unconditional fixture.
///
/// NOTE(review): `sts:ExternalId` is an `sts:AssumeRole` condition key, so on a
/// live S3 policy this condition would not match; the fixture presumably exists to
/// exercise condition rendering rather than IAM semantics — confirm with callers.
#[allow(dead_code)]
pub fn create_aws_storage_data_read_permission_set_with_condition() -> PermissionSet {
    // Condition block shaped as operator -> (condition key -> value).
    let string_equals: IndexMap<String, String> =
        std::iter::once(("sts:ExternalId".to_string(), "${externalId}".to_string())).collect();
    let condition: IndexMap<String, IndexMap<String, String>> =
        std::iter::once(("StringEquals".to_string(), string_equals)).collect();

    let read_actions: Vec<String> = ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"]
        .iter()
        .map(|action| action.to_string())
        .collect();

    let stack_binding = AwsBindingSpec {
        resources: vec![
            String::from("arn:aws:s3:::${stackPrefix}-*"),
            String::from("arn:aws:s3:::${stackPrefix}-*/*"),
        ],
        condition: Some(condition),
    };
    let resource_binding = AwsBindingSpec {
        resources: vec![
            String::from("arn:aws:s3:::${resourceName}"),
            String::from("arn:aws:s3:::${resourceName}/*"),
        ],
        condition: None,
    };

    let statement = AwsPlatformPermission {
        label: None,
        description: None,
        effect: Default::default(),
        grant: PermissionGrant {
            actions: Some(read_actions),
            permissions: None,
            predefined_roles: None,
            residual_permissions: None,
            data_actions: None,
        },
        binding: BindingConfiguration {
            stack: Some(stack_binding),
            resource: Some(resource_binding),
        },
    };

    PermissionSet {
        id: String::from("storage/data-read"),
        description: String::from("Allows reading data from storage resources"),
        platforms: PlatformPermissions {
            aws: Some(vec![statement]),
            gcp: None,
            azure: None,
        },
    }
}
/// GCP-only fixture for the `storage/data-read` permission set.
///
/// The grant lists fine-grained IAM permissions (`storage.buckets.get`,
/// `storage.objects.get`, `storage.objects.list`) rather than a predefined role.
/// The stack binding is project-wide but carries an IAM condition restricting it
/// to buckets whose name starts with `${stackPrefix}-`; the resource binding is
/// scoped to the single bucket `${resourceName}` and needs no condition.
#[allow(dead_code)]
pub fn create_gcp_storage_data_read_permission_set() -> PermissionSet {
    let storage_permissions: Vec<String> =
        ["storage.buckets.get", "storage.objects.get", "storage.objects.list"]
            .iter()
            .map(|permission| permission.to_string())
            .collect();

    // The trailing '-' in the prefix matters: without it a `my-stack2-...`
    // bucket would also satisfy a `my-stack` prefix check.
    let stack_binding = GcpBindingSpec {
        scope: String::from("projects/${projectName}"),
        condition: Some(GcpCondition {
            title: String::from("Stack-prefixed only"),
            expression: String::from(
                "resource.name.startsWith('projects/_/buckets/${stackPrefix}-')",
            ),
        }),
    };
    let resource_binding = GcpBindingSpec {
        scope: String::from("projects/_/buckets/${resourceName}"),
        condition: None,
    };

    let role = GcpPlatformPermission {
        label: None,
        description: None,
        grant: PermissionGrant {
            actions: None,
            permissions: Some(storage_permissions),
            predefined_roles: None,
            residual_permissions: None,
            data_actions: None,
        },
        binding: BindingConfiguration {
            stack: Some(stack_binding),
            resource: Some(resource_binding),
        },
    };

    PermissionSet {
        id: String::from("storage/data-read"),
        description: String::from("Allows reading data from storage resources"),
        platforms: PlatformPermissions {
            aws: None,
            gcp: Some(vec![role]),
            azure: None,
        },
    }
}
/// Azure-only fixture for the `storage/data-read` permission set.
///
/// The grant is the built-in role `Storage Blob Data Reader` with no custom
/// actions. The stack binding assigns it at resource-group scope (every storage
/// account in `${resourceGroup}`), while the resource binding narrows it to the
/// single account `${storageAccountName}`.
#[allow(dead_code)]
pub fn create_azure_storage_data_read_permission_set() -> PermissionSet {
    let resource_group_scope =
        String::from("/subscriptions/${subscriptionId}/resourceGroups/${resourceGroup}");
    let storage_account_scope = String::from(
        "/subscriptions/${subscriptionId}/resourceGroups/${resourceGroup}/providers/Microsoft.Storage/storageAccounts/${storageAccountName}",
    );

    let assignment = AzurePlatformPermission {
        label: None,
        description: None,
        grant: PermissionGrant {
            actions: None,
            permissions: None,
            predefined_roles: Some(vec![String::from("Storage Blob Data Reader")]),
            residual_permissions: None,
            data_actions: None,
        },
        binding: BindingConfiguration {
            stack: Some(AzureBindingSpec { scope: resource_group_scope }),
            resource: Some(AzureBindingSpec { scope: storage_account_scope }),
        },
    };

    PermissionSet {
        id: String::from("storage/data-read"),
        description: String::from("Allows reading data from storage resources"),
        platforms: PlatformPermissions {
            aws: None,
            gcp: None,
            azure: Some(vec![assignment]),
        },
    }
}
/// Azure fixture for a custom-role permission set (`storage/metadata-read`).
///
/// The grant is a single control-plane action, `Microsoft.Storage/storageAccounts/read`,
/// with no predefined role and no data actions — it reads account metadata, not
/// blob contents. Bindings mirror the other Azure fixtures: resource-group scope
/// for the stack, a single storage account for the resource.
#[allow(dead_code)]
pub fn create_azure_custom_permission_set() -> PermissionSet {
    let resource_group_scope =
        String::from("/subscriptions/${subscriptionId}/resourceGroups/${resourceGroup}");
    let storage_account_scope = String::from(
        "/subscriptions/${subscriptionId}/resourceGroups/${resourceGroup}/providers/Microsoft.Storage/storageAccounts/${storageAccountName}",
    );

    let assignment = AzurePlatformPermission {
        label: None,
        description: None,
        grant: PermissionGrant {
            actions: Some(vec![String::from("Microsoft.Storage/storageAccounts/read")]),
            permissions: None,
            predefined_roles: None,
            residual_permissions: None,
            data_actions: None,
        },
        binding: BindingConfiguration {
            stack: Some(AzureBindingSpec { scope: resource_group_scope }),
            resource: Some(AzureBindingSpec { scope: storage_account_scope }),
        },
    };

    PermissionSet {
        id: String::from("storage/metadata-read"),
        description: String::from("Allows reading storage account metadata"),
        platforms: PlatformPermissions {
            aws: None,
            gcp: None,
            azure: Some(vec![assignment]),
        },
    }
}
/// Azure fixture mixing custom actions with a built-in role
/// (`artifact-registry/provision`).
///
/// The grant combines two control-plane actions
/// (`Microsoft.ContainerRegistry/registries/write` and `.../delete`) with the
/// predefined role `AcrPush`. The stack binding is at resource-group scope; the
/// resource binding targets the single registry `${resourceName}`.
#[allow(dead_code)]
pub fn create_azure_hybrid_permission_set() -> PermissionSet {
    let registry_actions: Vec<String> = [
        "Microsoft.ContainerRegistry/registries/write",
        "Microsoft.ContainerRegistry/registries/delete",
    ]
    .iter()
    .map(|action| action.to_string())
    .collect();

    let resource_group_scope =
        String::from("/subscriptions/${subscriptionId}/resourceGroups/${resourceGroup}");
    let registry_scope = String::from(
        "/subscriptions/${subscriptionId}/resourceGroups/${resourceGroup}/providers/Microsoft.ContainerRegistry/registries/${resourceName}",
    );

    let assignment = AzurePlatformPermission {
        label: None,
        description: None,
        grant: PermissionGrant {
            actions: Some(registry_actions),
            permissions: None,
            predefined_roles: Some(vec![String::from("AcrPush")]),
            residual_permissions: None,
            data_actions: None,
        },
        binding: BindingConfiguration {
            stack: Some(AzureBindingSpec { scope: resource_group_scope }),
            resource: Some(AzureBindingSpec { scope: registry_scope }),
        },
    };

    PermissionSet {
        id: String::from("artifact-registry/provision"),
        description: String::from("Allows provisioning artifact registries"),
        platforms: PlatformPermissions {
            aws: None,
            gcp: None,
            azure: Some(vec![assignment]),
        },
    }
}
/// Negative AWS fixture: a statement whose grant has nothing in it.
///
/// Every grant field (`actions`, `permissions`, `predefined_roles`,
/// `residual_permissions`, `data_actions`) is `None`, while the stack binding
/// still names a resource (`arn:aws:s3:::test-bucket`) and there is no resource
/// binding. Presumably used to check that an empty grant is rejected rather
/// than rendered as a statement with no `Action` — confirm against callers.
#[allow(dead_code)]
pub fn create_permission_set_missing_actions() -> PermissionSet {
    let empty_grant = PermissionGrant {
        actions: None,
        permissions: None,
        predefined_roles: None,
        residual_permissions: None,
        data_actions: None,
    };

    let statement = AwsPlatformPermission {
        label: None,
        description: None,
        effect: Default::default(),
        grant: empty_grant,
        binding: BindingConfiguration {
            stack: Some(AwsBindingSpec {
                resources: vec![String::from("arn:aws:s3:::test-bucket")],
                condition: None,
            }),
            resource: None,
        },
    };

    PermissionSet {
        id: String::from("test/policy"),
        description: String::from("Test permission set with missing actions"),
        platforms: PlatformPermissions {
            aws: Some(vec![statement]),
            gcp: None,
            azure: None,
        },
    }
}
/// Negative GCP fixture: a role whose grant has nothing in it.
///
/// Every grant field is `None`; the stack binding is scoped to the literal
/// project `projects/test-project` (no `${projectName}` placeholder) with no
/// condition, and there is no resource binding. Presumably the GCP counterpart
/// of [`create_permission_set_missing_actions`] — confirm against callers.
#[allow(dead_code)]
pub fn create_permission_set_missing_gcp_permissions() -> PermissionSet {
    let empty_grant = PermissionGrant {
        actions: None,
        permissions: None,
        predefined_roles: None,
        residual_permissions: None,
        data_actions: None,
    };

    let role = GcpPlatformPermission {
        label: None,
        description: None,
        grant: empty_grant,
        binding: BindingConfiguration {
            stack: Some(GcpBindingSpec {
                scope: String::from("projects/test-project"),
                condition: None,
            }),
            resource: None,
        },
    };

    PermissionSet {
        id: String::from("test/role"),
        description: String::from("Test permission set with missing GCP permissions"),
        platforms: PlatformPermissions {
            aws: None,
            gcp: Some(vec![role]),
            azure: None,
        },
    }
}
/// Returns a [`PermissionContext`] with no fields set.
///
/// Counterpart to [`create_test_context`]; presumably used to render fixtures
/// with every `${...}` variable unresolved — confirm against callers.
#[allow(dead_code)]
pub fn create_empty_context() -> PermissionContext {
    PermissionContext::new()
}
/// Builds a [`PermissionContext`] for the CloudFormation rendering path.
///
/// Only AWS-relevant fields are set (the GCP/Azure fields filled by
/// [`create_test_context`] are not), and `resourceName` is the logical name
/// `PaymentsDataBucket` rather than a `${stackPrefix}`-prefixed physical name.
#[allow(dead_code)]
pub fn create_cloudformation_context() -> PermissionContext {
    let context = PermissionContext::new()
        .with_stack_prefix("my-stack")
        .with_resource_id("payments-data")
        .with_resource_name("PaymentsDataBucket");

    context
        .with_aws_account_id("123456789012")
        .with_aws_region("us-east-1")
        .with_external_id("my-external-id")
        .with_managing_account_id("210987654321")
}
/// AWS `storage/data-read` fixture whose stack binding uses CloudFormation
/// pseudo-parameters.
///
/// Identical to [`create_aws_storage_data_read_permission_set`] except that the
/// stack-scope bucket ARNs are built from `${AWS::StackName}` instead of the
/// context variable `${stackPrefix}`; the resource binding still uses
/// `${resourceName}`. Neither binding carries a condition.
#[allow(dead_code)]
pub fn create_aws_cloudformation_permission_set() -> PermissionSet {
    let read_actions: Vec<String> = ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"]
        .iter()
        .map(|action| action.to_string())
        .collect();

    // `AWS::StackName` is resolved by CloudFormation at deploy time, not by the
    // PermissionContext substitution.
    let stack_binding = AwsBindingSpec {
        resources: vec![
            String::from("arn:aws:s3:::${AWS::StackName}-*"),
            String::from("arn:aws:s3:::${AWS::StackName}-*/*"),
        ],
        condition: None,
    };
    let resource_binding = AwsBindingSpec {
        resources: vec![
            String::from("arn:aws:s3:::${resourceName}"),
            String::from("arn:aws:s3:::${resourceName}/*"),
        ],
        condition: None,
    };

    let statement = AwsPlatformPermission {
        label: None,
        description: None,
        effect: Default::default(),
        grant: PermissionGrant {
            actions: Some(read_actions),
            permissions: None,
            predefined_roles: None,
            residual_permissions: None,
            data_actions: None,
        },
        binding: BindingConfiguration {
            stack: Some(stack_binding),
            resource: Some(resource_binding),
        },
    };

    PermissionSet {
        id: String::from("storage/data-read"),
        description: String::from("Allows reading data from storage resources"),
        platforms: PlatformPermissions {
            aws: Some(vec![statement]),
            gcp: None,
            azure: None,
        },
    }
}
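/// AWS fixture for a two-statement `worker/execute` permission set.
///
/// Statement 1 grants `lambda:InvokeWorker` on functions under the CloudFormation
/// stack name, with a stack-wide binding (`${AWS::StackName}-*`) and a
/// per-resource binding (`${AWS::StackName}-${resourceName}`); neither has a
/// condition. Statement 2 grants the ECR image-pull pair (`ecr:BatchGetImage`,
/// `ecr:GetDownloadUrlForLayer`) on every repository in `${ManagingAccountId}`
/// in any region, and attaches a `StringEquals { "sts:ExternalId": "${externalId}" }`
/// condition to its stack binding; it has no resource binding.
///
/// Resource ARNs use CloudFormation pseudo-parameters (`AWS::Region`,
/// `AWS::AccountId`, `AWS::StackName`) rather than context variables, so this
/// presumably pairs with [`create_cloudformation_context`].
///
/// NOTE(review): `lambda:InvokeWorker` is not a documented Lambda IAM action
/// (function invocation is `lambda:InvokeFunction`). It is kept verbatim because
/// tests may match the string, but a renderer that validates action names would
/// reject it.
#[allow(dead_code)]
pub fn create_aws_lambda_permission_set() -> PermissionSet {
    // Condition block shaped as operator -> (condition key -> value).
    let mut string_equals = IndexMap::new();
    string_equals.insert("sts:ExternalId".to_string(), "${externalId}".to_string());
    let mut condition = IndexMap::new();
    condition.insert("StringEquals".to_string(), string_equals);

    let invoke_statement = AwsPlatformPermission {
        label: None,
        description: None,
        effect: Default::default(),
        grant: PermissionGrant {
            actions: Some(vec!["lambda:InvokeWorker".to_string()]),
            permissions: None,
            predefined_roles: None,
            residual_permissions: None,
            data_actions: None,
        },
        binding: BindingConfiguration {
            stack: Some(AwsBindingSpec {
                resources: vec![
                    "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}-*".to_string(),
                ],
                condition: None,
            }),
            resource: Some(AwsBindingSpec {
                resources: vec![
                    "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}-${resourceName}".to_string(),
                ],
                condition: None,
            }),
        },
    };

    // Cross-account image pull: wildcard region, every repository in the
    // managing account. Only the stack binding is conditioned.
    let ecr_pull_statement = AwsPlatformPermission {
        label: None,
        description: None,
        effect: Default::default(),
        grant: PermissionGrant {
            actions: Some(vec![
                "ecr:BatchGetImage".to_string(),
                "ecr:GetDownloadUrlForLayer".to_string(),
            ]),
            permissions: None,
            predefined_roles: None,
            residual_permissions: None,
            data_actions: None,
        },
        binding: BindingConfiguration {
            stack: Some(AwsBindingSpec {
                resources: vec!["arn:aws:ecr:*:${ManagingAccountId}:repository/*".to_string()],
                // Moved rather than cloned: this is the map's only use.
                condition: Some(condition),
            }),
            resource: None,
        },
    };

    PermissionSet {
        id: "worker/execute".to_string(),
        description: "Allows executing Lambda functions and pulling container images".to_string(),
        platforms: PlatformPermissions {
            aws: Some(vec![invoke_statement, ecr_pull_statement]),
            gcp: None,
            azure: None,
        },
    }
}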