Condition

Statement Condition classes.

class Condition(key, operator, values)

A representation of part of a statement condition in order to facilitate comparison.

Parameters
Return type

None

__init__(key, operator, values)

Create a new model by parsing and validating input data from keyword arguments.

Raises ValidationError if the input data cannot be parsed to form a valid model.

Parameters
Return type

None

classmethod factory(condition_collection)
Parameters

condition_collection (policyglass.condition.RawConditionCollection) –

Return type

FrozenSet[policyglass.condition.Condition]

key: policyglass.condition.ConditionKey
operator: policyglass.condition.ConditionOperator
property reverse: policyglass.condition.Condition

Return a new condition which is the opposite of this condition.

Raises

ValueError – If the operator is a type that cannot be reversed.

values: List[policyglass.condition.ConditionValue]

class ConditionKey

Condition Keys are case insensitive.

“Condition key names are not case-sensitive.” - IAM Reference Policy Elements

class ConditionOperator

Condition Operator.

See IAM JSON policy elements: Condition operators for more.

class ConditionValue

Condition values may or may not be case sensitive depending on the operator.

class EffectiveCondition(inclusions=None, exclusions=None)

A pair of sets for inclusion and exclusion conditions.

Parameters
Return type

None

__init__(inclusions=None, exclusions=None)

Convert exclusions to inclusions if possible.

The only kind of Condition that really exists in AWS policies is an inclusion. Exclusions are created only when conditions on a Deny statement have operators that cannot be reversed. The reversal is required in order to fold a Deny condition into an Allow condition.

Parameters
Return type

None
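
The conversion described above, as an added sketch that is not policyglass code: `Cond` and `fold` are hypothetical stand-ins, the table is a subset of the operator reversals listed on this page, and the sample conditions are constructed. `Bool` is used as an operator that has no entry in that table, so it stays an exclusion.

```python
from dataclasses import dataclass
from typing import Tuple

# Subset of the operator -> opposite pairs listed on this page.
REVERSAL = {
    "StringEquals": "StringNotEquals",
    "StringNotEquals": "StringEquals",
    "IpAddress": "NotIpAddress",
    "NotIpAddress": "IpAddress",
    "NumericLessThan": "NumericGreaterThanEquals",
    "NumericGreaterThanEquals": "NumericLessThan",
}

@dataclass(frozen=True)
class Cond:
    """Hypothetical stand-in for a condition: key, operator, values."""
    key: str
    operator: str
    values: Tuple[str, ...]

    def __post_init__(self):
        # Condition keys are not case-sensitive, so store them lowercased.
        object.__setattr__(self, "key", self.key.lower())

    @property
    def reverse(self) -> "Cond":
        if self.operator not in REVERSAL:
            raise ValueError(f"cannot reverse operator {self.operator}")
        return Cond(self.key, REVERSAL[self.operator], self.values)

def fold(inclusions, exclusions):
    """Turn reversible exclusions into inclusions; keep the rest as exclusions."""
    inc, exc = set(inclusions), set()
    for cond in exclusions:
        try:
            inc.add(cond.reverse)
        except ValueError:
            exc.add(cond)
    return frozenset(inc), frozenset(exc)

# Constructed sample: one Allow condition and two conditions from a Deny statement.
ALLOW = [Cond("aws:SourceVpce", "StringEquals", ("vpce-EXAMPLE",))]
DENY = [
    Cond("aws:SourceIp", "NotIpAddress", ("203.0.113.0/24",)),
    Cond("aws:MultiFactorAuthPresent", "Bool", ("false",)),
]
INCLUSIONS, EXCLUSIONS = fold(ALLOW, DENY)
```
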

dict(*args, **kwargs)

Convert instance to dict representation of it.

Parameters
  • *args – Arguments to Pydantic dict method.

  • **kwargs – Arguments to Pydantic dict method.

Return type

Dict[str, Any]

Overridden from BaseModel so that when converting conditions to dict they don’t suffer from being unhashable when placed in a set.

exclusions: FrozenSet[policyglass.condition.Condition]

Conditions which must NOT be met

inclusions: FrozenSet[policyglass.condition.Condition]

Conditions which must be met

intersection(other)

Calculate the intersection between this object and another object of the same type.

Parameters

other (object) – The object to intersect with this one.

Raises

ValueError – if other is not the same type as this object.

Return type

policyglass.condition.EffectiveCondition

property reverse: policyglass.condition.EffectiveCondition

Reverse the effect of this EffectiveCondition.

union(other)

Combine this object with another object of the same type.

Parameters

other (object) – The object to combine with this one.

Raises

ValueError – If other is not the same type as this object.

Return type

policyglass.condition.EffectiveCondition

OPERATOR_REVERSAL_INDEX = {
    ConditionOperator('ArnEquals'): ConditionOperator('ArnNotEquals'),
    ConditionOperator('ArnEqualsIfExists'): ConditionOperator('ArnNotEqualsIfExists'),
    ConditionOperator('ArnLike'): ConditionOperator('ArnNotLike'),
    ConditionOperator('ArnLikeIfExists'): ConditionOperator('ArnNotLikeIfExists'),
    ConditionOperator('ArnNotEquals'): ConditionOperator('ArnEquals'),
    ConditionOperator('ArnNotEqualsIfExists'): ConditionOperator('ArnEqualsIfExists'),
    ConditionOperator('ArnNotLike'): ConditionOperator('ArnLike'),
    ConditionOperator('ArnNotLikeIfExists'): ConditionOperator('ArnLikeIfExists'),
    ConditionOperator('DateEquals'): ConditionOperator('DateNotEquals'),
    ConditionOperator('DateEqualsIfExists'): ConditionOperator('DateNotEqualsIfExists'),
    ConditionOperator('DateGreaterThan'): ConditionOperator('DateLessThanEquals'),
    ConditionOperator('DateGreaterThanEquals'): ConditionOperator('DateLessThan'),
    ConditionOperator('DateGreaterThanEqualsIfExists'): ConditionOperator('DateLessThanIfExists'),
    ConditionOperator('DateGreaterThanIfExists'): ConditionOperator('DateLessThanEqualsIfExists'),
    ConditionOperator('DateLessThan'): ConditionOperator('DateGreaterThanEquals'),
    ConditionOperator('DateLessThanEquals'): ConditionOperator('DateGreaterThan'),
    ConditionOperator('DateLessThanEqualsIfExists'): ConditionOperator('DateGreaterThanIfExists'),
    ConditionOperator('DateLessThanIfExists'): ConditionOperator('DateGreaterThanEqualsIfExists'),
    ConditionOperator('DateNotEquals'): ConditionOperator('DateEquals'),
    ConditionOperator('DateNotEqualsIfExists'): ConditionOperator('DateEqualsIfExists'),
    ConditionOperator('IpAddress'): ConditionOperator('NotIpAddress'),
    ConditionOperator('IpAddressIfExists'): ConditionOperator('NotIpAddressIfExists'),
    ConditionOperator('NotIpAddress'): ConditionOperator('IpAddress'),
    ConditionOperator('NotIpAddressIfExists'): ConditionOperator('IpAddressIfExists'),
    ConditionOperator('NumericEquals'): ConditionOperator('NumericNotEquals'),
    ConditionOperator('NumericEqualsIfExists'): ConditionOperator('NumericNotEqualsIfExists'),
    ConditionOperator('NumericGreaterThan'): ConditionOperator('NumericLessThanEquals'),
    ConditionOperator('NumericGreaterThanEquals'): ConditionOperator('NumericLessThan'),
    ConditionOperator('NumericGreaterThanEqualsIfExists'): ConditionOperator('NumericLessThanIfExists'),
    ConditionOperator('NumericGreaterThanIfExists'): ConditionOperator('NumericLessThanEqualsIfExists'),
    ConditionOperator('NumericLessThan'): ConditionOperator('NumericGreaterThanEquals'),
    ConditionOperator('NumericLessThanEquals'): ConditionOperator('NumericGreaterThan'),
    ConditionOperator('NumericLessThanEqualsIfExists'): ConditionOperator('NumericGreaterThanIfExists'),
    ConditionOperator('NumericLessThanIfExists'): ConditionOperator('NumericGreaterThanEqualsIfExists'),
    ConditionOperator('NumericNotEquals'): ConditionOperator('NumericEquals'),
    ConditionOperator('NumericNotEqualsIfExists'): ConditionOperator('NumericEqualsIfExists'),
    ConditionOperator('StringEquals'): ConditionOperator('StringNotEquals'),
    ConditionOperator('StringEqualsIfExists'): ConditionOperator('StringNotEqualsIfExists'),
    ConditionOperator('StringEqualsIgnoreCase'): ConditionOperator('StringNotEqualsIgnoreCase'),
    ConditionOperator('StringEqualsIgnoreCaseIfExists'): ConditionOperator('StringNotEqualsIgnoreCaseIfExists'),
    ConditionOperator('StringLike'): ConditionOperator('StringNotLike'),
    ConditionOperator('StringLikeIfExists'): ConditionOperator('StringNotLikeIfExists'),
    ConditionOperator('StringNotEquals'): ConditionOperator('StringEquals'),
    ConditionOperator('StringNotEqualsIfExists'): ConditionOperator('StringEqualsIfExists'),
    ConditionOperator('StringNotEqualsIgnoreCase'): ConditionOperator('StringEqualsIgnoreCase'),
    ConditionOperator('StringNotEqualsIgnoreCaseIfExists'): ConditionOperator('StringEqualsIgnoreCaseIfExists'),
    ConditionOperator('StringNotLike'): ConditionOperator('StringLike'),
    ConditionOperator('StringNotLikeIfExists'): ConditionOperator('StringLikeIfExists'),
}

A mapping of operators to their opposites.

class RawConditionCollection

A representation of a statement condition.

property conditions: FrozenSet[policyglass.condition.Condition]

Return a set of Condition Shards.