
Commit e226ccc

committed
Add trust policy severity caching to avoid repeated list scans
Streamlined the trust-policy aggregation to eliminate repeated loops over statements, and cached the lowercased severity filter before building findings, to improve performance.
1 parent 47dcc00 commit e226ccc


2 files changed

+29
-34
lines changed


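--- a/cloudsplaining/scan/assume_role_policy_document.py
+++ b/cloudsplaining/scan/assume_role_policy_document.py
@@ -54,38 +54,42 @@ def __init__(
     @property
     def role_assumable_by_compute_services(self) -> list[str]:
         """Determines whether or not the role is assumed from a compute service, and if so which ones."""
-        assumable_by_compute_services = []
-        for statement in self.statements:
-            if statement.role_assumable_by_compute_services:
-                assumable_by_compute_services.extend(statement.role_assumable_by_compute_services)
-        return assumable_by_compute_services
+        return [
+            principal
+            for statement in self.statements
+            if statement.role_assumable_by_compute_services
+            for principal in statement.role_assumable_by_compute_services
+        ]
 
     @property
     def role_assumable_by_cross_account_principals(self) -> list[str]:
         """Determines whether or not the role can be assumed from principals in other accounts, and if so which ones."""
-        assumable_from_other_accounts = []
-        for statement in self.statements:
-            if statement.role_assumable_by_cross_account_principals:
-                assumable_from_other_accounts.extend(statement.role_assumable_by_cross_account_principals)
-        return assumable_from_other_accounts
+        return [
+            principal
+            for statement in self.statements
+            if statement.role_assumable_by_cross_account_principals
+            for principal in statement.role_assumable_by_cross_account_principals
+        ]
 
     @property
     def role_assumable_by_any_principal(self) -> list[str]:
         """Determines whether or not the role can be assumed by any principal (*) or any AWS account root."""
-        any_principals = []
-        for statement in self.statements:
-            if statement.role_assumable_by_any_principal:
-                any_principals.extend(statement.role_assumable_by_any_principal)
-        return any_principals
+        return [
+            principal
+            for statement in self.statements
+            if statement.role_assumable_by_any_principal
+            for principal in statement.role_assumable_by_any_principal
+        ]
 
     @property
     def role_assumable_by_any_principal_with_conditions(self) -> list[str]:
         """Determines whether or not the role can be assumed by any principal (*) or any AWS account root with conditions."""
-        any_principals_with_conditions = []
-        for statement in self.statements:
-            if statement.role_assumable_by_any_principal_with_conditions:
-                any_principals_with_conditions.extend(statement.role_assumable_by_any_principal_with_conditions)
-        return any_principals_with_conditions
+        return [
+            principal
+            for statement in self.statements
+            if statement.role_assumable_by_any_principal_with_conditions
+            for principal in statement.role_assumable_by_any_principal_with_conditions
+        ]
 
 
 class AssumeRoleStatement(ResourceStatement):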
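Review bot: The `if statement.role_assumable_by_compute_services` clause in the new comprehension only does work if that statement property can return None; if it always returns a list, the inner `for` over an empty list already yields nothing and the guard is dead weight, so it is worth confirming which contract the statement class has before keeping it. The same shape is repeated in role_assumable_by_cross_account_principals, role_assumable_by_any_principal and role_assumable_by_any_principal_with_conditions, and a single private helper would remove the four-way duplication: `def _collect(self, attr: str) -> list[str]:` / `    return [p for s in self.statements for p in (getattr(s, attr) or [])]`. The docstrings still read "Determines whether or not …" while each property returns a list of principals; rewording them to "Returns the … principals, or an empty list" would match the annotated return type.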

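--- a/cloudsplaining/scan/role_details.py
+++ b/cloudsplaining/scan/role_details.py
@@ -352,6 +352,7 @@ def json(self) -> dict[str, Any]:
         )
 
         if self.flag_trust_policies:
+            severities = {x.lower() for x in self.severity}
             this_role_detail.update(
                 {
                     "AssumableByComputeServices": {
@@ -360,10 +361,7 @@ def json(self) -> dict[str, Any]:
                         "findings": (
                             self.assume_role_policy_document.role_assumable_by_compute_services
                             if self.assume_role_policy_document
-                            and (
-                                ISSUE_SEVERITY["AssumableByComputeService"] in [x.lower() for x in self.severity]
-                                or not self.severity
-                            )
+                            and (ISSUE_SEVERITY["AssumableByComputeService"] in severities or not self.severity)
                             else []
                         ),
                     },
@@ -373,10 +371,7 @@ def json(self) -> dict[str, Any]:
                         "findings": (
                             self.assume_role_policy_document.role_assumable_by_cross_account_principals
                             if self.assume_role_policy_document
-                            and (
-                                ISSUE_SEVERITY["AssumableByCrossAccountPrincipal"] in [x.lower() for x in self.severity]
-                                or not self.severity
-                            )
+                            and (ISSUE_SEVERITY["AssumableByCrossAccountPrincipal"] in severities or not self.severity)
                             else []
                         ),
                     },
@@ -386,10 +381,7 @@ def json(self) -> dict[str, Any]:
                         "findings": (
                             self.assume_role_policy_document.role_assumable_by_any_principal
                             if self.assume_role_policy_document
-                            and (
-                                ISSUE_SEVERITY["AssumableByAnyPrincipal"] in [x.lower() for x in self.severity]
-                                or not self.severity
-                            )
+                            and (ISSUE_SEVERITY["AssumableByAnyPrincipal"] in severities or not self.severity)
                             else []
                         ),
                     },
@@ -400,8 +392,7 @@ def json(self) -> dict[str, Any]:
                             self.assume_role_policy_document.role_assumable_by_any_principal_with_conditions
                             if self.assume_role_policy_document
                             and (
-                                ISSUE_SEVERITY["AssumableByAnyPrincipalWithConditions"]
-                                in [x.lower() for x in self.severity]
+                                ISSUE_SEVERITY["AssumableByAnyPrincipalWithConditions"] in severities
                                 or not self.severity
                             )
                             else []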
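Review bot: The `or not self.severity` fallback is still repeated in all four findings blocks after the `severities` set is introduced, so the cached set only removed half of the duplication; a single predicate defined next to it, `report = lambda key: not self.severity or ISSUE_SEVERITY[key] in severities`, would let each block read `if self.assume_role_policy_document and report("AssumableByComputeService")` and keep the filter semantics in one place. That empty-filter case is also the behaviour a reader is most likely to question, so it deserves a comment on the `severities =` line such as `# An empty severity filter means every trust-policy finding is reported.`. The second hunk's `and (...)` line is the one that would change first; the third and fourth hunks and the AssumableByAnyPrincipalWithConditions block have the same shape. The enclosing json() method starts and ends outside these hunks.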
