Merge pull request #26 from ReversecLabs/case-insensitive-who-can

ensures case insensitivity when dealing with resource policies for who-can

Author: Skybound1

iamspy/model.py

@@ -169,6 +169,15 @@ def _generate_query_conditions(
 
         return output
 
+    def get_correct_case_principal(self, principal: str) -> str:
+        identities = [x.lstrip("identity_") for x in self.model_vars if x.startswith("identity_arn")]
+
+        for identity in identities:
+            if identity.lower() == principal.lower():
+                return identity
+
+        raise Exception("Identity not found to match principal")
+
     def can_i(
         self,
         source: str,
@@ -243,7 +252,7 @@ def who_can(
                 sources.append(str(source)[1:-1])
                 solver.add(s != source)
                 sat = solver.check() == z3.sat
-                yield str(source)[1:-1]
+                yield self.get_correct_case_principal(str(source)[1:-1])
 
     def who_can_batch_resource(
         self,

iamspy/parse.py

@@ -490,7 +490,7 @@ def generate_evaluation_logic_checks(model_vars, source: Optional[str], resource
             == z3.And(
                 z3.Bool(x),
                 z3.Bool(f"deny_{x}"),
-                s == x.lstrip("identity_"),
+                s == x.lstrip("identity_").lower(),
                 z3.String("s_account") == z3.StringVal(x.split(":")[4]),
             )
             for x in identities
@@ -501,7 +501,7 @@ def generate_evaluation_logic_checks(model_vars, source: Optional[str], resource
         # TODO: This is a temporary fix for whocan, at some point need to expand this to do automatic wildcard resolution
         # for accounts external to known
         constraints.append(
-            z3.Or(*[parse_string(s, x.lstrip("identity_"), wildcard=False, case_sensitive=True) for x in identities])
+            z3.Or(*[parse_string(s, x.lstrip("identity_"), wildcard=False, case_sensitive=False) for x in identities])
         )
 
     constraints.append(z3.Bool("identity") == identity_check)

tests/files/gaad-uppercase.json

@@ -0,0 +1,52 @@
+{
+    "RoleDetailList": [],
+    "GroupDetailList": [],
+    "UserDetailList": [
+        {
+            "Path": "/",
+            "UserName": "userA",
+            "UserId": "AIDAVRUVVWHX5JXO27GWS",
+            "Arn": "arn:aws:iam::111111111111:user/userA",
+            "CreateDate": "2025-09-02T09:40:39+00:00",
+            "GroupList": [],
+            "UserPolicyList": [
+                {
+                    "PolicyName": "AllowGetObject",
+                    "PolicyDocument": {
+                        "Version": "2012-10-17",
+                        "Statement": [
+                            {
+                                "Sid": "AllowGetObject",
+                                "Effect": "Allow",
+                                "Action": "s3:GetObject",
+                                "Resource": "arn:aws:s3:::bucket/*"
+                            }
+                        ]
+                    }
+                }
+            ],
+            "AttachedManagedPolicies": []
+        },
+        {
+            "Path": "/",
+            "UserName": "userB",
+            "UserId": "AIDAVRUVVWHX4K7W3CHXO",
+            "Arn": "arn:aws:iam::111111111111:user/userB",
+            "CreateDate": "2025-09-01T14:28:12+00:00",
+            "GroupList": [],
+            "UserPolicyList": [],
+            "AttachedManagedPolicies": []
+        },
+        {
+            "Path": "/",
+            "UserName": "userC",
+            "UserId": "AIDAVRUVVWHXWLBII3IIU",
+            "Arn": "arn:aws:iam::111111111111:user/userC",
+            "CreateDate": "2025-09-02T10:03:39+00:00",
+            "GroupList": [],
+            "UserPolicyList": [],
+            "AttachedManagedPolicies": []
+        }
+    ],
+    "Policies": []
+}

tests/files/resource-uppercase.json

@@ -0,0 +1,20 @@
+[
+    {
+        "Resource": "arn:aws:s3:::bucket",
+        "Policy": {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Sid": "AllowGetObject",
+                    "Effect": "Allow",
+                    "Principal": {
+                        "AWS": "arn:aws:iam::111111111111:user/userB"
+                    },
+                    "Action": "s3:GetObject",
+                    "Resource": "arn:aws:s3:::bucket/*"
+                }
+            ]
+        },
+        "Account": "111111111111"
+    }
+]

tests/test_integration.py

@@ -368,6 +368,14 @@ def test_can_i(files, inp, out):
             ),
             set(["arn:aws:iam::111111111111:role/testing", "arn:aws:iam::111111111111:role/testing2"]),
         ),
+        (
+            {"gaads": ["gaad-uppercase.json"], "resources": ["resource-uppercase.json"]},
+            (
+                "s3:GetObject",
+                "arn:aws:s3:::bucket/key",
+            ),
+            set(["arn:aws:iam::111111111111:user/userA", "arn:aws:iam::111111111111:user/userB"]),
+        ),
     ],
 )
 def test_who_can(files, inp, out):