Policy Shard
PolicyShards are a simplified representation of policies.
- class PolicyShard(effect, effective_action, effective_resource, effective_principal, effective_condition=None)
A PolicyShard is part of a policy broken down in such a way that it can be deduplicated and collapsed.
- Parameters
effect (str) –
effective_action (policyglass.effective_arp.EffectiveARP[policyglass.action.Action]) –
effective_resource (policyglass.effective_arp.EffectiveARP[policyglass.resource.Resource]) –
effective_principal (policyglass.effective_arp.EffectiveARP[policyglass.principal.Principal]) –
effective_condition (policyglass.condition.EffectiveCondition) –
- Return type
- class Config
Pydantic Config.
- json_encoders = {<class 'policyglass.action.EffectiveAction'>: <function PolicyShard.Config.<lambda>>, <class 'policyglass.resource.EffectiveResource'>: <function PolicyShard.Config.<lambda>>, <class 'policyglass.principal.EffectivePrincipal'>: <function PolicyShard.Config.<lambda>>}
- __init__(effect, effective_action, effective_resource, effective_principal, effective_condition=None)
Initialize a PolicyShard object.
- Parameters
effect (str) – ‘Allow’ or ‘Deny’
effective_action (policyglass.effective_arp.EffectiveARP[policyglass.action.Action]) – The EffectiveAction that this PolicyShard allows or denies
effective_resource (policyglass.effective_arp.EffectiveARP[policyglass.resource.Resource]) – The EffectiveResource that this PolicyShard allows or denies
effective_principal (policyglass.effective_arp.EffectiveARP[policyglass.principal.Principal]) – The EffectivePrincipal that this PolicyShard allows or denies
effective_condition (Optional[policyglass.condition.EffectiveCondition]) – The EffectiveCondition that needs to be met for this PolicyShard to apply
- Return type
- dict(*args, **kwargs)
Convert instance to dict representation of it.
- Parameters
*args – Arguments to Pydantic dict method.
**kwargs – Arguments to Pydantic dict method.
- Return type
Dict[str, Any]
Overridden from BaseModel so that when converting conditions to dict they don’t suffer from being unhashable when placed in a set.
- difference(other, dedupe_result=True)
Calculate the difference between this and another object of the same type.
Effectively subtracts the inclusions of other from self. This is useful when applying denies (other) to allows (self).
- Parameters
- Raises
ValueError – If other is not the same type as this object.
- Return type
- effective_action: policyglass.effective_arp.EffectiveARP[policyglass.action.Action]
- effective_condition: policyglass.condition.EffectiveCondition
- effective_principal: policyglass.effective_arp.EffectiveARP[policyglass.principal.Principal]
- effective_resource: policyglass.effective_arp.EffectiveARP[policyglass.resource.Resource]
- property explain: str
Return a plain English representation of the policy shard.
Example
Simple PolicyShard explain.
>>> from policyglass import Policy
>>> policy = Policy(**{"Statement": [{"Effect": "Allow", "Action": "s3:*"}]})
>>> print([shard.explain for shard in policy.policy_shards])
['Allow action s3:* on resource * with principal AWS *.']
- intersection(other)
Calculate the intersection between this object and another object of the same type.
- Parameters
other (object) – The object to intersect with this one.
- Raises
ValueError – If other is not the same type as this object.
- Return type
Optional[policyglass.policy_shard.PolicyShard]
- issubset(other)
Whether this object contains all the elements of another object (i.e. is a subset of the other object).
- Conditions:
If both PolicyShards have conditions but are otherwise identical, self will be a subset of other if the other’s conditions are a subset of self’s, as this means that self is more restrictive and therefore carves out a subset of possibilities in comparison with other.
- Parameters
other (object) – The object to determine if our object contains.
- Raises
ValueError – If the other object is not of the same type as this object.
- Return type
- union(other)
Combine this object with another object of the same type.
- Parameters
other (object) – The object to combine with this one.
- Raises
ValueError – If other is not the same type as this object.
- Return type
- dedupe_policy_shard_subsets(shards, check_reverse=True)
Dedupe policy shards that are subsets of each other.
- Parameters
shards (Iterable[policyglass.policy_shard.PolicyShard]) – The shards to deduplicate.
check_reverse (bool) – Whether you want to check these shards in reverse as well (only disabled when calling itself).
- Return type
- dedupe_policy_shards(shards, check_reverse=True)
Dedupe policy shards that are subsets of each other and remove intersections.
- Parameters
shards (Iterable[policyglass.policy_shard.PolicyShard]) – The shards to deduplicate.
check_reverse (bool) – Whether you want to check these shards in reverse as well (only disabled when calling itself).
- Return type
- explain_policy_shards(shards, language='en')
Return a list of string explanations for a given list of PolicyShards.
- Parameters
shards (List[policyglass.policy_shard.PolicyShard]) – The PolicyShards to explain.
language (str) – The language of the explanation
- Raises
NotImplementedError – When an unsupported language is requested.
- Return type
List[str]
- policy_shards_effect(shards)
Calculate the effect of merging allow and deny shards together.
- Parameters
shards (List[policyglass.policy_shard.PolicyShard]) – The shards to calculate the effect of.
- Return type
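The set arithmetic behind applying a deny shard to an allow shard (difference above, and the merge that policy_shards_effect describes), as an added standalone model that is not policyglass code and not its implementation. Eff, Shard, allowed and the sample ARNs are hypothetical names constructed for this example; conditions and exclusions on the deny side are left out.

```python
from dataclasses import dataclass, replace
from fnmatch import fnmatchcase
from typing import List, Optional

@dataclass(frozen=True)
class Eff:
    """Toy stand-in for an EffectiveARP: one wildcard inclusion minus exclusions."""
    inclusion: str
    exclusions: frozenset = frozenset()

    def matches(self, value: str) -> bool:
        return fnmatchcase(value, self.inclusion) and not any(
            fnmatchcase(value, e) for e in self.exclusions)

    def minus(self, pattern: str) -> Optional["Eff"]:
        # A denied pattern that covers the whole inclusion leaves nothing
        # (this cover test is only adequate for simple trailing wildcards).
        if fnmatchcase(self.inclusion, pattern):
            return None
        return replace(self, exclusions=self.exclusions | {pattern})

@dataclass(frozen=True)
class Shard:
    """Toy allow/deny shard; conditions are left out of this model."""
    action: Eff
    resource: Eff
    principal: Eff

    def matches(self, a: str, r: str, p: str) -> bool:
        return (self.action.matches(a) and self.resource.matches(r)
                and self.principal.matches(p))

    def difference(self, deny: "Shard") -> List["Shard"]:
        # allow AND NOT deny = (A-A', R, P) | (A, R-R', P) | (A, R, P-P').
        # Assumes the deny shard carries no exclusions of its own.
        out = []
        for field in ("action", "resource", "principal"):
            rest = getattr(self, field).minus(getattr(deny, field).inclusion)
            if rest is not None:
                out.append(replace(self, **{field: rest}))
        return out

def allowed(shards: List[Shard], a: str, r: str, p: str) -> bool:
    return any(s.matches(a, r, p) for s in shards)

# Constructed sample: allow all of S3, deny writes to a log bucket.
ALLOW = Shard(Eff("s3:*"), Eff("*"), Eff("*"))
DENY = Shard(Eff("s3:Put*"), Eff("arn:aws:s3:::logs/*"), Eff("*"))
REMAINING = ALLOW.difference(DENY)
```

The two shards in REMAINING overlap (a read on a non-log bucket matches both), which is the kind of redundancy dedupe_policy_shards is documented to remove.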
- policy_shards_to_json(shards, exclude_defaults=False, **kwargs)
Convert a list of policyglass.policy_shard.PolicyShard objects to JSON.
- Parameters
shards (List[policyglass.policy_shard.PolicyShard]) – The list of shards to convert.
exclude_defaults – Whether to exclude default values (e.g. empty lists) from the output.
**kwargs – Keyword arguments passed on to json.dumps()
- Return type