policy_sentry
skip-resource-constraints does not hold precedence over other fields
If I specify an s3 object path under `write` and then specify `s3:PutObject` under `skip-resource-constraints`, then I get an IndexError.
Example template:

```yaml
mode: crud
write:
  - 'arn:aws:s3:::mybucket*/*'
skip-resource-constraints:
  - 's3:PutObject'
```
Error:

```
Traceback (most recent call last):
  File "/usr/local/bin/policy_sentry", line 33, in <module>
    sys.exit(load_entry_point('policy-sentry==0.11.0', 'console_scripts', 'policy_sentry')())
  File "/usr/local/Cellar/policy_sentry/0.11.0/libexec/lib/python3.9/site-packages/policy_sentry/bin/cli.py", line 26, in main
    policy_sentry()
  File "/usr/local/Cellar/policy_sentry/0.11.0/libexec/lib/python3.9/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/Cellar/policy_sentry/0.11.0/libexec/lib/python3.9/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/usr/local/Cellar/policy_sentry/0.11.0/libexec/lib/python3.9/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/Cellar/policy_sentry/0.11.0/libexec/lib/python3.9/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/Cellar/policy_sentry/0.11.0/libexec/lib/python3.9/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/Cellar/policy_sentry/0.11.0/libexec/lib/python3.9/site-packages/policy_sentry/command/write_policy.py", line 106, in write_policy
    policy = write_policy_with_template(cfg, min_length)
  File "/usr/local/Cellar/policy_sentry/0.11.0/libexec/lib/python3.9/site-packages/policy_sentry/command/write_policy.py", line 130, in write_policy_with_template
    policy = sid_group.process_template(cfg, minimize)
  File "/usr/local/Cellar/policy_sentry/0.11.0/libexec/lib/python3.9/site-packages/policy_sentry/writing/sid_group.py", line 492, in process_template
    rendered_policy = self.get_rendered_policy(minimize)
  File "/usr/local/Cellar/policy_sentry/0.11.0/libexec/lib/python3.9/site-packages/policy_sentry/writing/sid_group.py", line 208, in get_rendered_policy
    arn_details = parse_arn(stmt['Resource'][0])
  File "/usr/local/Cellar/policy_sentry/0.11.0/libexec/lib/python3.9/site-packages/policy_sentry/util/arns.py", line 162, in parse_arn
    "partition": elements[1],
IndexError: list index out of range
```
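The traceback shows `parse_arn` indexing `elements[1]` on a `Resource` entry that is not a real ARN (the `skip-resource-constraints` statement renders `"*"`). As an added illustration, and not policy_sentry's own code, the block below has a wildcard-tolerant ARN parser and a small check that reports any action granted on `Resource: "*"` while another statement in the same policy already scopes that action to a concrete ARN, which is exactly the overlap the template above produces. The function names and the sample policy are constructed for this example.

```python
# Added example, not policy_sentry's own implementation: a parse_arn that
# returns None for "*" instead of raising IndexError, plus an overlap check
# between resource-scoped and unconstrained statements.
from typing import Dict, Optional, Set

ARN_FIELDS = ("arn", "partition", "service", "region", "account", "resource")


def parse_arn(arn: str) -> Optional[Dict[str, str]]:
    """Split an ARN into its six colon-separated fields.

    Returns None for "*" and anything else that is not a well-formed ARN,
    rather than failing on elements[1] the way the traceback above does.
    """
    if not arn.startswith("arn:"):
        return None
    elements = arn.split(":", 5)  # the resource part may itself contain ':'
    if len(elements) != 6:
        return None
    return dict(zip(ARN_FIELDS, elements))


def unconstrained_overlap(policy: dict) -> Dict[str, Set[str]]:
    """Map each action granted on Resource "*" to the concrete ARNs that other
    Allow statements already scope it to. An empty dict means no overlap."""
    scoped: Dict[str, Set[str]] = {}
    wildcard: Set[str] = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for res in resources:
            if parse_arn(res) is None:  # "*" or malformed: no resource constraint
                wildcard.update(actions)
            else:
                for act in actions:
                    scoped.setdefault(act, set()).add(res)
    return {act: scoped[act] for act in wildcard if act in scoped}


# Constructed sample: the two statements the template above ends up rendering,
# trimmed to the actions that matter for the overlap.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3WriteObject", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::mybucket*/*"]},
        {"Sid": "SkipResourceConstraints", "Effect": "Allow",
         "Action": ["s3:PutObject"],
         "Resource": ["*"]},
    ],
}

if __name__ == "__main__":
    print(parse_arn("arn:aws:s3:::mybucket*/*"))
    print(parse_arn("*"))
    print(unconstrained_overlap(SAMPLE_POLICY))
```

Run as-is it prints the parsed bucket ARN, `None` for the wildcard, and `{'s3:PutObject': {'arn:aws:s3:::mybucket*/*'}}`: the bucket-scoped grant for `s3:PutObject` is made redundant by the unconstrained one, which is the least-privilege loss to look for whenever an action appears in both places.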
@kmcquade is this still reproducible, I'm seeing the below output
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3WriteObject",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutObject",
        "s3:PutObjectLegalHold",
        "s3:PutObjectRetention",
        "s3:ReplicateDelete",
        "s3:ReplicateObject",
        "s3:RestoreObject"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket*/*"
      ]
    },
    {
      "Sid": "SkipResourceConstraints",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
I have been able to replicate this issue