in cartography/intel/aws/s3.py [0:0]
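def parse_acl(acl, bucket, aws_account_id):
    """
    Parse an S3 bucket ACL response into a list of flat grant records.

    :param acl: The ACL dict as returned by S3 ``get_bucket_acl``; only its
        ``Grants`` list and ``Owner`` dict are read. A missing ``Grants`` or
        ``Owner`` key is tolerated (no grants / ``"none"`` owner fields).
    :param bucket: The bucket name the ACL belongs to; copied into each record.
    :param aws_account_id: The AWS account id; mixed into each record's ``id`` hash
        so the same grant in different accounts gets a different identity.
    :return: A list of dicts, one per ``CanonicalUser`` or ``Group`` grant, each
        carrying a deterministic sha256 ``id``. Grants of any other ``Type``
        (e.g. ``AmazonCustomerByEmail`` from the schema below) are logged as a
        warning and skipped.
    """
    # ACL JSON looks like
    # ...metadata...
    # {
    #     "Grants": [
    #         {
    #             "Grantee": {
    #                 "DisplayName": "string",
    #                 "EmailAddress": "string",
    #                 "ID": "string",
    #                 "Type": "CanonicalUser" | "AmazonCustomerByEmail" | "Group",
    #                 "URI": "string"
    #             },
    #             "Permission": "FULL_CONTROL" | "WRITE" | "WRITE_ACP" | "READ" | "READ_ACP"
    #         }
    #         ...
    #     ],
    #     "Owner": {
    #         "DisplayName": "string",
    #         "ID": "string"
    #     }
    # }
    # The owner is the same for every grant, so resolve it once outside the loop.
    owner = acl.get('Owner', {})
    owner_name = owner.get('DisplayName', "none")
    owner_id = owner.get('ID', "none")

    acl_list = []
    for grant in acl.get('Grants', []):
        grantee = grant['Grantee']
        grantee_type = grantee['Type']
        if grantee_type == 'CanonicalUser':
            parsed_acl = {
                "bucket": bucket,
                "owner": owner_name,
                "ownerid": owner_id,
                "type": grantee_type,
                "displayname": grantee.get('DisplayName', "none"),
                "granteeid": grantee.get('ID', "none"),
                "uri": "",
                "permission": grant.get('Permission', "none"),
            }
        elif grantee_type == 'Group':
            parsed_acl = {
                "bucket": bucket,
                "owner": owner_name,
                "ownerid": owner_id,
                "type": grantee_type,
                "displayname": "",
                "granteeid": "",
                "uri": grantee.get('URI', "none"),
                "permission": grant.get('Permission', "none"),
            }
        else:
            logger.warning("Unexpected grant type: %s", grantee_type)
            continue

        # Stable identity for the grant: sha256 over the account id and every record
        # field, in a fixed order, so identical grants hash identically across syncs.
        # str() keeps non-str account ids working exactly as str.format() did.
        # NOTE(review): fields are joined with ':' and DisplayName is free-form, so a
        # name containing ':' could in principle make two distinct grants share an id;
        # changing the separator would change every existing id, so it is kept as is.
        id_data = ":".join(map(str, (
            aws_account_id,
            parsed_acl['owner'],
            parsed_acl['ownerid'],
            parsed_acl['type'],
            parsed_acl['displayname'],
            parsed_acl['granteeid'],
            parsed_acl['uri'],
            parsed_acl['permission'],
        )))
        parsed_acl['id'] = hashlib.sha256(id_data.encode("utf8")).hexdigest()
        acl_list.append(parsed_acl)
    return acl_list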