2023-10-19 13:15:21 +00:00
|
|
|
package iam
|
|
|
|
|
|
|
|
import (
|
|
|
|
"testing"
|
|
|
|
|
2023-11-07 17:20:54 +00:00
|
|
|
chain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
2023-10-19 13:15:21 +00:00
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestConverters(t *testing.T) {
|
|
|
|
t.Run("valid policy", func(t *testing.T) {
|
|
|
|
p := Policy{
|
|
|
|
Version: "2012-10-17",
|
|
|
|
Statement: []Statement{{
|
2023-10-30 13:34:53 +00:00
|
|
|
Principal: map[PrincipalType][]string{
|
|
|
|
AWSPrincipalType: {"arn:aws:iam::111122223333:user/JohnDoe"},
|
2023-10-19 13:15:21 +00:00
|
|
|
},
|
|
|
|
Effect: AllowEffect,
|
|
|
|
Action: []string{"s3:PutObject"},
|
|
|
|
Resource: []string{"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"},
|
|
|
|
Conditions: map[string]Condition{
|
|
|
|
CondStringEquals: {
|
|
|
|
"s3:RequestObjectTag/Department": {"Finance"},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}},
|
|
|
|
}
|
|
|
|
|
2023-11-07 17:20:54 +00:00
|
|
|
expected := &chain.Chain{Rules: []chain.Rule{
|
2023-10-19 13:15:21 +00:00
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Status: chain.Allow,
|
|
|
|
Actions: chain.Actions{Names: p.Statement[0].Action},
|
|
|
|
Resources: chain.Resources{Names: p.Statement[0].Resource},
|
2023-10-30 13:34:53 +00:00
|
|
|
Any: true,
|
2023-11-07 17:20:54 +00:00
|
|
|
Condition: []chain.Condition{
|
2023-10-19 13:15:21 +00:00
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringEquals,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: RequestOwnerProperty,
|
|
|
|
Value: "arn:aws:iam::111122223333:user/JohnDoe",
|
|
|
|
},
|
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringEquals,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: "s3:RequestObjectTag/Department",
|
|
|
|
Value: "Finance",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}}
|
|
|
|
|
|
|
|
chain, err := p.ToChain()
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, expected, chain)
|
|
|
|
})
|
|
|
|
|
2023-10-30 13:34:53 +00:00
|
|
|
t.Run("valid inverted policy", func(t *testing.T) {
|
|
|
|
p := Policy{
|
|
|
|
Version: "2012-10-17",
|
|
|
|
Statement: []Statement{{
|
|
|
|
NotPrincipal: map[PrincipalType][]string{
|
|
|
|
AWSPrincipalType: {"arn:aws:iam::111122223333:user/JohnDoe"},
|
|
|
|
},
|
|
|
|
Effect: DenyEffect,
|
|
|
|
NotAction: []string{"s3:PutObject"},
|
|
|
|
NotResource: []string{"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"},
|
|
|
|
}},
|
|
|
|
}
|
|
|
|
|
2023-11-07 17:20:54 +00:00
|
|
|
expected := &chain.Chain{Rules: []chain.Rule{
|
2023-10-30 13:34:53 +00:00
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Status: chain.AccessDenied,
|
|
|
|
Actions: chain.Actions{Inverted: true, Names: p.Statement[0].NotAction},
|
|
|
|
Resources: chain.Resources{Inverted: true, Names: p.Statement[0].NotResource},
|
2023-10-30 13:34:53 +00:00
|
|
|
Any: true,
|
2023-11-07 17:20:54 +00:00
|
|
|
Condition: []chain.Condition{
|
2023-10-30 13:34:53 +00:00
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringNotEquals,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-30 13:34:53 +00:00
|
|
|
Key: RequestOwnerProperty,
|
|
|
|
Value: "arn:aws:iam::111122223333:user/JohnDoe",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}}
|
|
|
|
|
|
|
|
chain, err := p.ToChain()
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, expected, chain)
|
|
|
|
})
|
|
|
|
|
2023-10-19 13:15:21 +00:00
|
|
|
t.Run("invalid policy (unsupported principal type)", func(t *testing.T) {
|
|
|
|
p := Policy{
|
|
|
|
Version: "2012-10-17",
|
|
|
|
Statement: []Statement{{
|
2023-10-30 13:34:53 +00:00
|
|
|
Principal: map[PrincipalType][]string{
|
|
|
|
"dummy": {"arn:aws:iam::111122223333:user/JohnDoe"},
|
2023-10-19 13:15:21 +00:00
|
|
|
},
|
|
|
|
Effect: AllowEffect,
|
|
|
|
Action: []string{"s3:PutObject"},
|
|
|
|
Resource: []string{"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"},
|
|
|
|
}},
|
|
|
|
}
|
|
|
|
|
|
|
|
_, err := p.ToChain()
|
|
|
|
require.Error(t, err)
|
|
|
|
})
|
|
|
|
|
2023-10-30 13:34:53 +00:00
|
|
|
t.Run("invalid policy (missing resource)", func(t *testing.T) {
|
2023-10-19 13:15:21 +00:00
|
|
|
p := Policy{
|
|
|
|
Version: "2012-10-17",
|
|
|
|
Statement: []Statement{{
|
2023-10-30 13:34:53 +00:00
|
|
|
Principal: map[PrincipalType][]string{
|
|
|
|
AWSPrincipalType: {"arn:aws:iam::111122223333:user/JohnDoe"},
|
|
|
|
},
|
|
|
|
Effect: AllowEffect,
|
|
|
|
Action: []string{"s3:PutObject"},
|
2023-10-19 13:15:21 +00:00
|
|
|
}},
|
|
|
|
}
|
|
|
|
|
|
|
|
_, err := p.ToChain()
|
|
|
|
require.Error(t, err)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("check policy conditions", func(t *testing.T) {
|
|
|
|
p := Policy{
|
|
|
|
Version: "2012-10-17",
|
|
|
|
Statement: []Statement{{
|
2023-10-30 13:34:53 +00:00
|
|
|
Principal: map[PrincipalType][]string{Wildcard: nil},
|
2023-10-19 13:15:21 +00:00
|
|
|
Effect: AllowEffect,
|
|
|
|
Action: []string{"s3:PutObject"},
|
|
|
|
Resource: []string{"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"},
|
|
|
|
Conditions: Conditions{
|
|
|
|
CondStringEquals: {"key1": {"val0", "val1"}},
|
|
|
|
CondStringNotEquals: {"key2": {"val2"}},
|
|
|
|
CondStringEqualsIgnoreCase: {"key3": {"val3"}},
|
|
|
|
CondStringNotEqualsIgnoreCase: {"key4": {"val4"}},
|
|
|
|
CondStringLike: {"key5": {"val5"}},
|
|
|
|
CondStringNotLike: {"key6": {"val6"}},
|
|
|
|
CondDateEquals: {"key7": {"2006-01-02T15:04:05+07:00"}},
|
|
|
|
CondDateNotEquals: {"key8": {"2006-01-02T15:04:05Z"}},
|
|
|
|
CondDateLessThan: {"key9": {"2006-01-02T15:04:05+06:00"}},
|
|
|
|
CondDateLessThanEquals: {"key10": {"2006-01-02T15:04:05+03:00"}},
|
|
|
|
CondDateGreaterThan: {"key11": {"2006-01-02T15:04:05-01:00"}},
|
|
|
|
CondDateGreaterThanEquals: {"key12": {"2006-01-02T15:04:05-03:00"}},
|
|
|
|
CondBool: {"key13": {"True"}},
|
|
|
|
CondIPAddress: {"key14": {"val14"}},
|
|
|
|
CondNotIPAddress: {"key15": {"val15"}},
|
|
|
|
CondArnEquals: {"key16": {"val16"}},
|
|
|
|
CondArnLike: {"key17": {"val17"}},
|
|
|
|
CondArnNotEquals: {"key18": {"val18"}},
|
|
|
|
CondArnNotLike: {"key19": {"val19"}},
|
|
|
|
},
|
|
|
|
}},
|
|
|
|
}
|
|
|
|
|
2023-11-07 17:20:54 +00:00
|
|
|
expected := &chain.Chain{Rules: []chain.Rule{
|
2023-10-19 13:15:21 +00:00
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Status: chain.Allow,
|
|
|
|
Actions: chain.Actions{Names: p.Statement[0].Action},
|
|
|
|
Resources: chain.Resources{Names: p.Statement[0].Resource},
|
2023-10-30 13:34:53 +00:00
|
|
|
Any: true,
|
2023-11-07 17:20:54 +00:00
|
|
|
Condition: []chain.Condition{
|
2023-10-19 13:15:21 +00:00
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringLike,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: RequestOwnerProperty,
|
|
|
|
Value: "*",
|
|
|
|
},
|
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringEquals,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: "key1",
|
|
|
|
Value: "val0",
|
|
|
|
},
|
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringEquals,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: "key1",
|
|
|
|
Value: "val1",
|
|
|
|
},
|
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringNotEquals,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: "key2",
|
|
|
|
Value: "val2",
|
|
|
|
},
|
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringEqualsIgnoreCase,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: "key3",
|
|
|
|
Value: "val3",
|
|
|
|
},
|
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringNotEqualsIgnoreCase,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: "key4",
|
|
|
|
Value: "val4",
|
|
|
|
},
|
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringLike,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: "key5",
|
|
|
|
Value: "val5",
|
|
|
|
},
|
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringNotLike,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: "key6",
|
|
|
|
Value: "val6",
|
|
|
|
},
|
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringEquals,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: "key7",
|
|
|
|
Value: "1136189045",
|
|
|
|
},
|
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringNotEquals,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: "key8",
|
|
|
|
Value: "1136214245",
|
|
|
|
},
|
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringLessThan,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: "key9",
|
|
|
|
Value: "1136192645",
|
|
|
|
},
|
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringLessThanEquals,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: "key10",
|
|
|
|
Value: "1136203445",
|
|
|
|
},
|
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringGreaterThan,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: "key11",
|
|
|
|
Value: "1136217845",
|
|
|
|
},
|
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringGreaterThanEquals,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: "key12",
|
|
|
|
Value: "1136225045",
|
|
|
|
},
|
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringEqualsIgnoreCase,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: "key13",
|
|
|
|
Value: "True",
|
|
|
|
},
|
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringLike,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: "key14",
|
|
|
|
Value: "val14",
|
|
|
|
},
|
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringNotLike,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: "key15",
|
|
|
|
Value: "val15",
|
|
|
|
},
|
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringEquals,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: "key16",
|
|
|
|
Value: "val16",
|
|
|
|
},
|
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringLike,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: "key17",
|
|
|
|
Value: "val17",
|
|
|
|
},
|
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringNotEquals,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: "key18",
|
|
|
|
Value: "val18",
|
|
|
|
},
|
|
|
|
{
|
2023-11-07 17:20:54 +00:00
|
|
|
Op: chain.CondStringNotLike,
|
|
|
|
Object: chain.ObjectRequest,
|
2023-10-19 13:15:21 +00:00
|
|
|
Key: "key19",
|
|
|
|
Value: "val19",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}}
|
|
|
|
|
|
|
|
chain, err := p.ToChain()
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
for i, rule := range chain.Rules {
|
|
|
|
expectedRule := expected.Rules[i]
|
2023-10-30 13:34:53 +00:00
|
|
|
require.Equal(t, expectedRule.Actions, rule.Actions)
|
2023-10-19 13:15:21 +00:00
|
|
|
require.Equal(t, expectedRule.Any, rule.Any)
|
2023-10-30 13:34:53 +00:00
|
|
|
require.Equal(t, expectedRule.Resources, rule.Resources)
|
2023-10-19 13:15:21 +00:00
|
|
|
require.Equal(t, expectedRule.Status, rule.Status)
|
|
|
|
require.ElementsMatch(t, expectedRule.Condition, rule.Condition)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|