feat: expand capability of '*' querying action table

salesforce · Dec 4, 2024 · 1e64b8b · 1e64b8b
1 parent ba6cdf7
commit 1e64b8b
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 1 deletion.
diff --git a/policy_sentry/querying/actions.py b/policy_sentry/querying/actions.py
@@ -62,9 +62,12 @@ def get_action_data(service: str, action_name: str) -> dict[str, list[dict[str,
     action_data_results = {}
     try:
         service_prefix_data = get_service_prefix_data(service)
-        if action_name == "*":
+        if action_name.endswith("*"):
+            stripped_action_name = action_name.removesuffix("*")
             results = []
             for this_action_name, this_action_data in service_prefix_data["privileges"].items():
+                if not this_action_name.startswith(stripped_action_name):
+                    continue
                 if this_action_data:
                     entries = create_action_data_entries(
                         service_prefix_data=service_prefix_data,

diff --git a/test/querying/test_query_actions.py b/test/querying/test_query_actions.py
@@ -181,6 +181,33 @@ def test_get_action_data(self):
         self.maxDiff = None
         self.assertDictEqual(desired_output, output)
 
+    def test_get_action_data_with_glob(self):
+        """Query action-table with glob."""
+        desired_output = {
+            "sns": [
+                {
+                    "action": "sns:ListSubscriptions",
+                    "description": "Grants permission to return a list of the requester's subscriptions",
+                    "access_level": "List",
+                    "api_documentation_link": "https://docs.aws.amazon.com/sns/latest/api/API_ListSubscriptions.html",
+                    "resource_arn_format": "*",
+                    "condition_keys": [],
+                    "dependent_actions": [],
+                },
+                {
+                    "action": "sns:ListSubscriptionsByTopic",
+                    "description": "Grants permission to return a list of the subscriptions to a specific topic",
+                    "access_level": "List",
+                    "api_documentation_link": "https://docs.aws.amazon.com/sns/latest/api/API_ListSubscriptionsByTopic.html",
+                    "resource_arn_format": "arn:${Partition}:sns:${Region}:${Account}:${TopicName}",
+                    "condition_keys": ["aws:ResourceTag/${TagKey}"],
+                    "dependent_actions": [],
+                },
+            ]
+        }
+        results = get_action_data("sns", "ListSubscriptions*")
+        self.assertDictEqual(desired_output, results)
+
     def test_get_actions_that_support_wildcard_arns_only(self):
         """querying.actions.get_actions_that_support_wildcard_arns_only"""
         # Variant 1: Secrets manager