Policy Shard

PolicyShards are a simplified representation of policies.

class PolicyShard(effect, effective_action, effective_resource, effective_principal, conditions=None, not_conditions=None)

A PolicyShard is part of a policy broken down in such a way that it can be deduplicated and collapsed.

Parameters
Return type

None

__init__(effect, effective_action, effective_resource, effective_principal, conditions=None, not_conditions=None)

Create a new model by parsing and validating input data from keyword arguments.

Raises ValidationError if the input data cannot be parsed to form a valid model.

Parameters
Return type

None

conditions: FrozenSet[policyglass.condition.Condition]

dict(*args, **kwargs)

Convert instance to dict representation of it.

Parameters
  • *args – Arguments to Pydantic dict method.

  • **kwargs – Arguments to Pydantic dict method.

Return type

Dict[str, Any]

Overridden from BaseModel so that when converting conditions to dict they don’t suffer from being unhashable when placed in a set.

difference(other)

Calculate the difference between this and another object of the same type.

Effectively subtracts the inclusions of other from self. This is useful when applying denies (other) to allows (self).

Parameters

other (object) – The object to subtract from this one.

Raises

ValueError – If other is not the same type as this object.

Return type

List[policyglass.policy_shard.PolicyShard]

effect: str
effective_action: policyglass.effective_arp.EffectiveARP[policyglass.action.Action]
effective_principal: policyglass.effective_arp.EffectiveARP[policyglass.principal.Principal]
effective_resource: policyglass.effective_arp.EffectiveARP[policyglass.resource.Resource]

property explain: str

Return a plain English representation of the policy shard.

Example

Simple PolicyShard explain.

>>> from policyglass import Policy
>>> policy = Policy(**{"Statement": [{"Effect": "Allow", "Action": "s3:*"}]})
>>> print([shard.explain for shard in policy.policy_shards])
['Allow action s3:* on resource * with principal AWS *.']

issubset(other)

Whether this object contains all the elements of another object (i.e. is a subset of the other object).

Parameters

other (object) – The object to determine if our object contains.

Raises

ValueError – If the other object is not of the same type as this object.

Return type

bool

not_conditions: FrozenSet[policyglass.condition.Condition]

union(other)

Combine this object with another object of the same type.

Parameters

other (object) – The object to combine with this one.

Raises

ValueError – If other is not the same type as this object.

Return type

List[policyglass.policy_shard.PolicyShard]

dedupe_policy_shards(shards)

Dedupe policy shards that are subsets of each other.

Parameters

shards (List[policyglass.policy_shard.PolicyShard]) – The shards to deduplicate.

Return type

List[policyglass.policy_shard.PolicyShard]

policy_shards_effect(shards)

Calculate the effect of merging allow and deny shards together.

Parameters

shards (List[policyglass.policy_shard.PolicyShard]) – The shards to calculate the effect of.

Return type

List[policyglass.policy_shard.PolicyShard]

policy_shards_to_json(shards, exclude_defaults=False, **kwargs)

Convert a list of awspolicy.policy_shard.PolicyShard objects to JSON.

Parameters
  • shards (List[policyglass.policy_shard.PolicyShard]) – The list of shards to convert.

  • exclude_defaults – Whether to exclude default values (e.g. empty lists) from the output.

  • **kwargs – keyword arguments passed on to json.dumps()

Return type

str