policy-engine/iam/converter_test.go

307 lines
8.2 KiB
Go
Raw Normal View History

2023-10-19 13:15:21 +00:00
package iam
import (
"testing"
chain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
2023-10-19 13:15:21 +00:00
"github.com/stretchr/testify/require"
)
func TestConverters(t *testing.T) {
t.Run("valid policy", func(t *testing.T) {
p := Policy{
Version: "2012-10-17",
Statement: []Statement{{
Principal: map[PrincipalType][]string{
AWSPrincipalType: {"arn:aws:iam::111122223333:user/JohnDoe"},
2023-10-19 13:15:21 +00:00
},
Effect: AllowEffect,
Action: []string{"s3:PutObject"},
Resource: []string{"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"},
Conditions: map[string]Condition{
CondStringEquals: {
"s3:RequestObjectTag/Department": {"Finance"},
},
},
}},
}
expected := &chain.Chain{Rules: []chain.Rule{
2023-10-19 13:15:21 +00:00
{
Status: chain.Allow,
Actions: chain.Actions{Names: p.Statement[0].Action},
Resources: chain.Resources{Names: p.Statement[0].Resource},
Any: true,
Condition: []chain.Condition{
2023-10-19 13:15:21 +00:00
{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: RequestOwnerProperty,
Value: "arn:aws:iam::111122223333:user/JohnDoe",
},
{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: "s3:RequestObjectTag/Department",
Value: "Finance",
},
},
},
}}
chain, err := p.ToChain()
require.NoError(t, err)
require.Equal(t, expected, chain)
})
t.Run("valid inverted policy", func(t *testing.T) {
p := Policy{
Version: "2012-10-17",
Statement: []Statement{{
NotPrincipal: map[PrincipalType][]string{
AWSPrincipalType: {"arn:aws:iam::111122223333:user/JohnDoe"},
},
Effect: DenyEffect,
NotAction: []string{"s3:PutObject"},
NotResource: []string{"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"},
}},
}
expected := &chain.Chain{Rules: []chain.Rule{
{
Status: chain.AccessDenied,
Actions: chain.Actions{Inverted: true, Names: p.Statement[0].NotAction},
Resources: chain.Resources{Inverted: true, Names: p.Statement[0].NotResource},
Any: true,
Condition: []chain.Condition{
{
Op: chain.CondStringNotEquals,
Object: chain.ObjectRequest,
Key: RequestOwnerProperty,
Value: "arn:aws:iam::111122223333:user/JohnDoe",
},
},
},
}}
chain, err := p.ToChain()
require.NoError(t, err)
require.Equal(t, expected, chain)
})
2023-10-19 13:15:21 +00:00
t.Run("invalid policy (unsupported principal type)", func(t *testing.T) {
p := Policy{
Version: "2012-10-17",
Statement: []Statement{{
Principal: map[PrincipalType][]string{
"dummy": {"arn:aws:iam::111122223333:user/JohnDoe"},
2023-10-19 13:15:21 +00:00
},
Effect: AllowEffect,
Action: []string{"s3:PutObject"},
Resource: []string{"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"},
}},
}
_, err := p.ToChain()
require.Error(t, err)
})
t.Run("invalid policy (missing resource)", func(t *testing.T) {
2023-10-19 13:15:21 +00:00
p := Policy{
Version: "2012-10-17",
Statement: []Statement{{
Principal: map[PrincipalType][]string{
AWSPrincipalType: {"arn:aws:iam::111122223333:user/JohnDoe"},
},
Effect: AllowEffect,
Action: []string{"s3:PutObject"},
2023-10-19 13:15:21 +00:00
}},
}
_, err := p.ToChain()
require.Error(t, err)
})
t.Run("check policy conditions", func(t *testing.T) {
p := Policy{
Version: "2012-10-17",
Statement: []Statement{{
Principal: map[PrincipalType][]string{Wildcard: nil},
2023-10-19 13:15:21 +00:00
Effect: AllowEffect,
Action: []string{"s3:PutObject"},
Resource: []string{"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"},
Conditions: Conditions{
CondStringEquals: {"key1": {"val0", "val1"}},
CondStringNotEquals: {"key2": {"val2"}},
CondStringEqualsIgnoreCase: {"key3": {"val3"}},
CondStringNotEqualsIgnoreCase: {"key4": {"val4"}},
CondStringLike: {"key5": {"val5"}},
CondStringNotLike: {"key6": {"val6"}},
CondDateEquals: {"key7": {"2006-01-02T15:04:05+07:00"}},
CondDateNotEquals: {"key8": {"2006-01-02T15:04:05Z"}},
CondDateLessThan: {"key9": {"2006-01-02T15:04:05+06:00"}},
CondDateLessThanEquals: {"key10": {"2006-01-02T15:04:05+03:00"}},
CondDateGreaterThan: {"key11": {"2006-01-02T15:04:05-01:00"}},
CondDateGreaterThanEquals: {"key12": {"2006-01-02T15:04:05-03:00"}},
CondBool: {"key13": {"True"}},
CondIPAddress: {"key14": {"val14"}},
CondNotIPAddress: {"key15": {"val15"}},
CondArnEquals: {"key16": {"val16"}},
CondArnLike: {"key17": {"val17"}},
CondArnNotEquals: {"key18": {"val18"}},
CondArnNotLike: {"key19": {"val19"}},
},
}},
}
expected := &chain.Chain{Rules: []chain.Rule{
2023-10-19 13:15:21 +00:00
{
Status: chain.Allow,
Actions: chain.Actions{Names: p.Statement[0].Action},
Resources: chain.Resources{Names: p.Statement[0].Resource},
Any: true,
Condition: []chain.Condition{
2023-10-19 13:15:21 +00:00
{
Op: chain.CondStringLike,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: RequestOwnerProperty,
Value: "*",
},
{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: "key1",
Value: "val0",
},
{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: "key1",
Value: "val1",
},
{
Op: chain.CondStringNotEquals,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: "key2",
Value: "val2",
},
{
Op: chain.CondStringEqualsIgnoreCase,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: "key3",
Value: "val3",
},
{
Op: chain.CondStringNotEqualsIgnoreCase,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: "key4",
Value: "val4",
},
{
Op: chain.CondStringLike,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: "key5",
Value: "val5",
},
{
Op: chain.CondStringNotLike,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: "key6",
Value: "val6",
},
{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: "key7",
Value: "1136189045",
},
{
Op: chain.CondStringNotEquals,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: "key8",
Value: "1136214245",
},
{
Op: chain.CondStringLessThan,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: "key9",
Value: "1136192645",
},
{
Op: chain.CondStringLessThanEquals,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: "key10",
Value: "1136203445",
},
{
Op: chain.CondStringGreaterThan,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: "key11",
Value: "1136217845",
},
{
Op: chain.CondStringGreaterThanEquals,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: "key12",
Value: "1136225045",
},
{
Op: chain.CondStringEqualsIgnoreCase,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: "key13",
Value: "True",
},
{
Op: chain.CondStringLike,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: "key14",
Value: "val14",
},
{
Op: chain.CondStringNotLike,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: "key15",
Value: "val15",
},
{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: "key16",
Value: "val16",
},
{
Op: chain.CondStringLike,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: "key17",
Value: "val17",
},
{
Op: chain.CondStringNotEquals,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: "key18",
Value: "val18",
},
{
Op: chain.CondStringNotLike,
Object: chain.ObjectRequest,
2023-10-19 13:15:21 +00:00
Key: "key19",
Value: "val19",
},
},
},
}}
chain, err := p.ToChain()
require.NoError(t, err)
for i, rule := range chain.Rules {
expectedRule := expected.Rules[i]
require.Equal(t, expectedRule.Actions, rule.Actions)
2023-10-19 13:15:21 +00:00
require.Equal(t, expectedRule.Any, rule.Any)
require.Equal(t, expectedRule.Resources, rule.Resources)
2023-10-19 13:15:21 +00:00
require.Equal(t, expectedRule.Status, rule.Status)
require.ElementsMatch(t, expectedRule.Condition, rule.Condition)
}
})
}