From 1e64b8b8e2c0661c08a32067754ce052cdfe2caa Mon Sep 17 00:00:00 2001
From: Coen Meulenkamp
Date: Mon, 25 Nov 2024 19:42:46 +0100
Subject: [PATCH] feat: expand capability of '*' querying action table
---
 policy_sentry/querying/actions.py | 5 ++++-
 test/querying/test_query_actions.py | 27 +++++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/policy_sentry/querying/actions.py b/policy_sentry/querying/actions.py
index 86defa8c..15dd5c20 100644
--- a/policy_sentry/querying/actions.py
+++ b/policy_sentry/querying/actions.py
@@ -62,9 +62,12 @@ def get_action_data(service: str, action_name: str) -> dict[str, list[dict[str,
 action_data_results = {}
 try:
 service_prefix_data = get_service_prefix_data(service)
- if action_name == "*":
+ if action_name.endswith("*"):
+ stripped_action_name = action_name.removesuffix("*")
 results = []
 for this_action_name, this_action_data in service_prefix_data["privileges"].items():
+ if not this_action_name.startswith(stripped_action_name):
+ continue
 if this_action_data:
 entries = create_action_data_entries(
 service_prefix_data=service_prefix_data,
diff --git a/test/querying/test_query_actions.py b/test/querying/test_query_actions.py
index 927b00b9..f4ad7c64 100644
--- a/test/querying/test_query_actions.py
+++ b/test/querying/test_query_actions.py
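Review bot: The prefix test on the new `startswith` line is case-sensitive, so a query such as `listsubscriptions*` returns nothing even though IAM action names are matched case-insensitively in policies; if the exact-match branch further down in this function (outside the hunk) compares lower-cased names, this branch should do the same: `if not this_action_name.lower().startswith(stripped_action_name.lower()):`. Only a trailing `*` is treated as a wildcard: a pattern with a `*` elsewhere (`Describe*Instances`) keeps its inner `*` in `stripped_action_name` and appears to match no action at all, which for a least-privilege tool is worth either rejecting explicitly or documenting next to the `removesuffix` line, e.g. `# only a trailing '*' is a wildcard; any other '*' is matched literally`. The function's docstring sits above the hunk and should state that `action_name` may end in `*` to select every action of the service with that prefix, with a bare `*` still selecting all of them. `str.removesuffix` requires Python 3.9+, which the builtin-generic return annotation in the signature suggests the project already assumes. get_action_data starts and ends outside this hunk.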
@@ -181,6 +181,33 @@ def test_get_action_data(self):
 self.maxDiff = None
 self.assertDictEqual(desired_output, output)
+ def test_get_action_data_with_glob(self):
+ """Query action-table with glob."""
+ desired_output = {
+ "sns": [
+ {
+ "action": "sns:ListSubscriptions",
+ "description": "Grants permission to return a list of the requester's subscriptions",
+ "access_level": "List",
+ "api_documentation_link": "https://docs.aws.amazon.com/sns/latest/api/API_ListSubscriptions.html",
+ "resource_arn_format": "*",
+ "condition_keys": [],
+ "dependent_actions": [],
+ },
+ {
+ "action": "sns:ListSubscriptionsByTopic",
+ "description": "Grants permission to return a list of the subscriptions to a specific topic",
+ "access_level": "List",
+ "api_documentation_link": "https://docs.aws.amazon.com/sns/latest/api/API_ListSubscriptionsByTopic.html",
+ "resource_arn_format": "arn:${Partition}:sns:${Region}:${Account}:${TopicName}",
+ "condition_keys": ["aws:ResourceTag/${TagKey}"],
+ "dependent_actions": [],
+ },
+ ]
+ }
+ results = get_action_data("sns", "ListSubscriptions*")
+ self.assertDictEqual(desired_output, results)
+
 def test_get_actions_that_support_wildcard_arns_only(self):
 """querying.actions.get_actions_that_support_wildcard_arns_only"""
 # Variant 1: Secrets manager
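Review bot: The new test pins the full description, documentation link, ARN format and condition keys of two live SNS actions, so it will break whenever the bundled IAM definitions are refreshed rather than when the glob logic regresses; asserting on the returned action names, e.g. `self.assertEqual({"sns:ListSubscriptions", "sns:ListSubscriptionsByTopic"}, {e["action"] for e in results["sns"]})`, exercises the prefix behaviour while staying stable across data updates. There is no case for the plain `*` query, which the actions.py change now routes through the new prefix code, nor for a prefix that matches no action, which from that hunk appears to yield an empty list rather than an error; both are the regressions most likely to slip through. The docstring `"""Query action-table with glob."""` could also say that only a trailing `*` is exercised.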