path: root/python-aws-iam-tester.spec
Diffstat (limited to 'python-aws-iam-tester.spec')
-rw-r--r--  python-aws-iam-tester.spec  261
1 files changed, 261 insertions, 0 deletions
diff --git a/python-aws-iam-tester.spec b/python-aws-iam-tester.spec
new file mode 100644
index 0000000..82175cb
--- /dev/null
+++ b/python-aws-iam-tester.spec
@@ -0,0 +1,261 @@
+%global _empty_manifest_terminate_build 0
+Name: python-aws-iam-tester
+Version: 1.0.3
+Release: 1
+Summary: AWS IAM tester - simple command-line tool to check permissions handed out to IAM users and roles.
+License: MIT
+URL: https://github.com/gercograndia/aws-iam-tester
+Source0: https://mirrors.aliyun.com/pypi/web/packages/b2/85/3bcd231a278a6ac396d930443ad8324eb0841f8237b28f32dfecda2d47c7/aws_iam_tester-1.0.3.tar.gz
+BuildArch: noarch
+
+Requires: python3-boto3
+Requires: python3-pyyaml
+Requires: python3-click
+Requires: python3-termcolor
+Requires: python3-outdated
+Requires: python3-tabulate
+
+%description
+user_landing_account: 0123456789 # ID of AWS Account that is allowed to assume roles in the test account
+global_exemptions: # The roles and/or users below will be ignored in all tests. Regular expressions are supported
+- "^arn:aws:iam::(\\d{12}):user/(.*)(ADMIN|admin)(.*)$"
+- "^arn:aws:iam::(\\d{12}):role/(.*)(ADMIN|admin)(.*)$"
+- "^arn:aws:iam::(\\d{12}):role/AWSCloudFormationStackSetExecutionRole$"
+```
+Then you define a list of tests, each consisting at least of a set of:
+- actions
+- resources
+- the expected result (should it fail or succeed)
+```yaml
+# List of tests to execute. In general the configurations follow the rules of the AWS IAM Policy Simulator.
+# For more information: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html
+tests:
+- actions: # list of actions to validate
+ - "*:*"
+ - iam:*
+ - iam:AddUser*
+ - iam:Attach*
+ - iam:Create*
+ - iam:Delete*
+ - iam:Detach*
+ - iam:Pass*
+ - iam:Put*
+ - iam:Remove*
+ - iam:UpdateAccountPasswordPolicy
+ - sts:AssumeRole
+ - sts:AssumeRoleWithSAML
+ expected_result: fail # 'fail' or 'succeed'
+ resources: # list of resources to validate against
+ - "*"
+```
+Rather than using all users and roles (without exemptions) you can also limit your test to a particular set of users and roles.
+The test below does that, including defining a custom context that specifies multi factor authentication is disabled when running the test. By default the context under which the simulations are run assumes MFA is enabled, but you can override that with the `custom_context` element. For more information see the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html).
+```yaml
+- actions: # Same list of actions, but now check (with a custom context) whether
+ - "*:*"
+ - iam:*
+ - iam:AddUser*
+ - iam:Attach*
+ - iam:Create*
+ - iam:Delete*
+ - iam:Detach*
+ - iam:Pass*
+ - iam:Put*
+ - iam:Remove*
+ - iam:UpdateAccountPasswordPolicy
+ - sts:AssumeRole
+ - sts:AssumeRoleWithSAML
+ expected_result: fail # 'fail' or 'succeed'
+ resources: # list of resources to validate against
+ - "*"
+ limit_to: # check this list for the admin users
+ - "^arn:aws:iam::(\\d*):user/(.*)(ADMIN|admin)(.*)$"
+ - "^arn:aws:iam::(\\d*):role/(.*)(ADMIN|admin)(.*)$"
+ # test if the admins are required to use multi factor authentication
+ custom_context:
+ - context_key_name: aws:MultiFactorAuthPresent
+ context_key_values: false
+ context_key_type: boolean
+```
+Or if you want to do that for **all** tests you can use the `global_limit_to`:
+
+%package -n python3-aws-iam-tester
+Summary: AWS IAM tester - simple command-line tool to check permissions handed out to IAM users and roles.
+Provides: python-aws-iam-tester
+BuildRequires: python3-devel
+BuildRequires: python3-setuptools
+BuildRequires: python3-pip
+%description -n python3-aws-iam-tester
+user_landing_account: 0123456789 # ID of AWS Account that is allowed to assume roles in the test account
+global_exemptions: # The roles and/or users below will be ignored in all tests. Regular expressions are supported
+- "^arn:aws:iam::(\\d{12}):user/(.*)(ADMIN|admin)(.*)$"
+- "^arn:aws:iam::(\\d{12}):role/(.*)(ADMIN|admin)(.*)$"
+- "^arn:aws:iam::(\\d{12}):role/AWSCloudFormationStackSetExecutionRole$"
+```
+Then you define a list of tests, each consisting at least of a set of:
+- actions
+- resources
+- the expected result (should it fail or succeed)
+```yaml
+# List of tests to execute. In general the configurations follow the rules of the AWS IAM Policy Simulator.
+# For more information: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html
+tests:
+- actions: # list of actions to validate
+ - "*:*"
+ - iam:*
+ - iam:AddUser*
+ - iam:Attach*
+ - iam:Create*
+ - iam:Delete*
+ - iam:Detach*
+ - iam:Pass*
+ - iam:Put*
+ - iam:Remove*
+ - iam:UpdateAccountPasswordPolicy
+ - sts:AssumeRole
+ - sts:AssumeRoleWithSAML
+ expected_result: fail # 'fail' or 'succeed'
+ resources: # list of resources to validate against
+ - "*"
+```
+Rather than using all users and roles (without exemptions) you can also limit your test to a particular set of users and roles.
+The test below does that, including defining a custom context that specifies multi factor authentication is disabled when running the test. By default the context under which the simulations are run assumes MFA is enabled, but you can override that with the `custom_context` element. For more information see the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html).
+```yaml
+- actions: # Same list of actions, but now check (with a custom context) whether
+ - "*:*"
+ - iam:*
+ - iam:AddUser*
+ - iam:Attach*
+ - iam:Create*
+ - iam:Delete*
+ - iam:Detach*
+ - iam:Pass*
+ - iam:Put*
+ - iam:Remove*
+ - iam:UpdateAccountPasswordPolicy
+ - sts:AssumeRole
+ - sts:AssumeRoleWithSAML
+ expected_result: fail # 'fail' or 'succeed'
+ resources: # list of resources to validate against
+ - "*"
+ limit_to: # check this list for the admin users
+ - "^arn:aws:iam::(\\d*):user/(.*)(ADMIN|admin)(.*)$"
+ - "^arn:aws:iam::(\\d*):role/(.*)(ADMIN|admin)(.*)$"
+ # test if the admins are required to use multi factor authentication
+ custom_context:
+ - context_key_name: aws:MultiFactorAuthPresent
+ context_key_values: false
+ context_key_type: boolean
+```
+Or if you want to do that for **all** tests you can use the `global_limit_to`:
+
+%package help
+Summary: Development documents and examples for aws-iam-tester
+Provides: python3-aws-iam-tester-doc
+%description help
+user_landing_account: 0123456789 # ID of AWS Account that is allowed to assume roles in the test account
+global_exemptions: # The roles and/or users below will be ignored in all tests. Regular expressions are supported
+- "^arn:aws:iam::(\\d{12}):user/(.*)(ADMIN|admin)(.*)$"
+- "^arn:aws:iam::(\\d{12}):role/(.*)(ADMIN|admin)(.*)$"
+- "^arn:aws:iam::(\\d{12}):role/AWSCloudFormationStackSetExecutionRole$"
+```
+Then you define a list of tests, each consisting at least of a set of:
+- actions
+- resources
+- the expected result (should it fail or succeed)
+```yaml
+# List of tests to execute. In general the configurations follow the rules of the AWS IAM Policy Simulator.
+# For more information: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html
+tests:
+- actions: # list of actions to validate
+ - "*:*"
+ - iam:*
+ - iam:AddUser*
+ - iam:Attach*
+ - iam:Create*
+ - iam:Delete*
+ - iam:Detach*
+ - iam:Pass*
+ - iam:Put*
+ - iam:Remove*
+ - iam:UpdateAccountPasswordPolicy
+ - sts:AssumeRole
+ - sts:AssumeRoleWithSAML
+ expected_result: fail # 'fail' or 'succeed'
+ resources: # list of resources to validate against
+ - "*"
+```
+Rather than using all users and roles (without exemptions) you can also limit your test to a particular set of users and roles.
+The test below does that, including defining a custom context that specifies multi factor authentication is disabled when running the test. By default the context under which the simulations are run assumes MFA is enabled, but you can override that with the `custom_context` element. For more information see the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html).
+```yaml
+- actions: # Same list of actions, but now check (with a custom context) whether
+ - "*:*"
+ - iam:*
+ - iam:AddUser*
+ - iam:Attach*
+ - iam:Create*
+ - iam:Delete*
+ - iam:Detach*
+ - iam:Pass*
+ - iam:Put*
+ - iam:Remove*
+ - iam:UpdateAccountPasswordPolicy
+ - sts:AssumeRole
+ - sts:AssumeRoleWithSAML
+ expected_result: fail # 'fail' or 'succeed'
+ resources: # list of resources to validate against
+ - "*"
+ limit_to: # check this list for the admin users
+ - "^arn:aws:iam::(\\d*):user/(.*)(ADMIN|admin)(.*)$"
+ - "^arn:aws:iam::(\\d*):role/(.*)(ADMIN|admin)(.*)$"
+ # test if the admins are required to use multi factor authentication
+ custom_context:
+ - context_key_name: aws:MultiFactorAuthPresent
+ context_key_values: false
+ context_key_type: boolean
+```
+Or if you want to do that for **all** tests you can use the `global_limit_to`:
+
+%prep
+%autosetup -n aws_iam_tester-1.0.3
+
+%build
+%py3_build
+
+%install
+%py3_install
+install -d -m755 %{buildroot}/%{_pkgdocdir}
+if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi
+if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi
+if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi
+if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi
+pushd %{buildroot}
+if [ -d usr/lib ]; then
+ find usr/lib -type f -printf "\"/%h/%f\"\n" >> filelist.lst
+fi
+if [ -d usr/lib64 ]; then
+ find usr/lib64 -type f -printf "\"/%h/%f\"\n" >> filelist.lst
+fi
+if [ -d usr/bin ]; then
+ find usr/bin -type f -printf "\"/%h/%f\"\n" >> filelist.lst
+fi
+if [ -d usr/sbin ]; then
+ find usr/sbin -type f -printf "\"/%h/%f\"\n" >> filelist.lst
+fi
+touch doclist.lst
+if [ -d usr/share/man ]; then
+ find usr/share/man -type f -printf "\"/%h/%f.gz\"\n" >> doclist.lst
+fi
+popd
+mv %{buildroot}/filelist.lst .
+mv %{buildroot}/doclist.lst .
+
+%files -n python3-aws-iam-tester -f filelist.lst
+%dir %{python3_sitelib}/*
+
+%files help -f doclist.lst
+%{_docdir}/*
+
+%changelog
+* Fri Jun 09 2023 Python_Bot <Python_Bot@openeuler.org> - 1.0.3-1
+- Package Spec generated
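Review bot: the three `%description` bodies (`%description`, `%description -n python3-aws-iam-tester`, `%description help`) are a truncated slice of the upstream README rather than a package description: each begins mid-YAML with `user_landing_account: 0123456789 ...`, contains a closing ``` fence with no opening one, and ends on the dangling sentence "Or if you want to do that for **all** tests you can use the `global_limit_to`:" with the promised example missing. RPM renders this text verbatim in `rpm -qi` output, so the package will ship with an unreadable description three times over; replace all three with a short prose paragraph (the `Summary:` line, "simple command-line tool to check permissions handed out to IAM users and roles", is a fine starting point) and drop the markdown fences, which RPM does not interpret. Two smaller points on the same hunk: `Source0:` fetches the sdist from `https://mirrors.aliyun.com/pypi/web/packages/...` rather than the canonical PyPI host (`files.pythonhosted.org`), which makes provenance harder to audit for a tool that is itself an IAM permission auditor, so prefer the upstream URL with the same `b2/85/3bcd...` path; and `%files -n python3-aws-iam-tester` claims `%dir %{python3_sitelib}/*` in addition to the generated `filelist.lst`, which takes ownership of every top-level site-packages directory and will conflict with other Python packages at install time, so restrict it to the package's own module and dist-info directories.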