PMapper
MFA requirements in roles can lead to misleading results
Brief Description
IAM roles blocking access without MFA return incorrect results when calling local_check_authorization_handling_mfa. These roles also fail to appear in the output of python ./pmapper.py --profile me query 'preset privesc *'.
IAM Action, Resource, and Condition Being Authorized
The principal needs to be a role with an identity policy enforcing MFA. The specific actions affected are the ones that apply to the MFA conditional in the policy.
IAM Policies Attached to Principal
arn:aws:iam::aws:policy/AdministratorAccess
And a custom policy with the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
Expected Behavior
The principalmapper.querying.query_interface.local_check_authorization_handling_mfa function should return (True, True) when passed any action without any explicitly passed condition keys (as it would if the principal was a User). The current behavior is to return (False, False).
Looks like the issue is here:
https://github.com/nccgroup/PMapper/blob/master/principalmapper/querying/query_interface.py#L205
I suspect the idea here is that in some cases roles can't have MFA (if attached to EC2), so returning a (True, True) result in that case might be misleading if the calling function isn't taking the source into account.
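The two-pass check the issue describes, as a standalone Python model added here for illustration. It is not PMapper's code: the function names, the minimal Bool/BoolIfExists evaluator and the principal_can_present_mfa flag are assumptions, and the two policy documents are constructed to match the policies attached in the report (AdministratorAccess plus the Deny-without-MFA statement). The first pass evaluates the request with no aws:MultiFactorAuthPresent key, which the BoolIfExists deny matches; the second pass sets the key to "true", and an allow there is reported as (True, True). Skipping the second pass for a principal that cannot present MFA reproduces the (False, False) result the issue suspects is intentional for EC2-attached roles.

```python
"""Hypothetical model of an MFA-aware IAM authorization check (not PMapper's code)."""
import fnmatch

MFA_KEY = "aws:MultiFactorAuthPresent"

# Constructed policy documents mirroring the issue's attached policies.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DENY_WITHOUT_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"BoolIfExists": {MFA_KEY: "false"}},
    }],
}
ROLE_POLICIES = [ADMINISTRATOR_ACCESS, DENY_WITHOUT_MFA]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Action/Resource matching: case-insensitive glob on '*' and '?'.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate Bool / BoolIfExists blocks over a request context (all must hold).

    Only the operators this example needs are modelled (assumption); any other
    operator is treated as not matching. A missing key satisfies ...IfExists,
    which is exactly why the deny above fires when no MFA key is present.
    """
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        if base != "Bool":
            return False
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue
                return False
            allowed_values = [str(e).lower() for e in _as_list(expected)]
            if str(context[key]).lower() not in allowed_values:
                return False
    return True


def evaluate(policies, action, resource, context):
    """Single-pass evaluation: an explicit Deny wins, otherwise any Allow."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def check_authorization_handling_mfa(policies, action, resource, context=None,
                                     principal_can_present_mfa=True):
    """Return (authorized, mfa_required).

    Pass 1 uses the context as given. If denied, and the caller did not pin the
    MFA key explicitly, pass 2 re-evaluates with MFA_KEY="true"; an allow there
    means the action is permitted only with MFA. principal_can_present_mfa is a
    hypothetical flag for principals that can never have MFA (e.g. a role used
    by an EC2 instance profile), for which the second pass is skipped.
    """
    context = dict(context or {})
    if evaluate(policies, action, resource, context):
        return True, False
    if not principal_can_present_mfa or MFA_KEY in context:
        return False, False
    with_mfa = dict(context, **{MFA_KEY: "true"})
    if evaluate(policies, action, resource, with_mfa):
        return True, True
    return False, False


if __name__ == "__main__":
    print("role, MFA possible:", check_authorization_handling_mfa(ROLE_POLICIES, "iam:CreateUser", "*"))
    print("role, no MFA possible:", check_authorization_handling_mfa(
        ROLE_POLICIES, "iam:CreateUser", "*", principal_can_present_mfa=False))
```

The example deliberately separates "can this principal present MFA at all" from the policy evaluation, so a caller that knows the role is only ever assumed from an instance profile can ask for (False, False) explicitly instead of relying on the principal type.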