[#80] iam: Skip unsupported conditions in native chains

Skip conditions with * aws:RequestTag * aws:ResourceTag keys Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
2024-06-10 17:35:01 +03:00 · 2024-06-10 17:35:01 +03:00 · 64e06f5b7c
commit 64e06f5b7c
parent 303a81cdc6
3 changed files with 29 additions and 7 deletions
--- a/iam/converter.go
+++ b/iam/converter.go
@ -69,6 +69,8 @@ const (
 	condKeyAWSPrincipalARN       = "aws:PrincipalArn"
 	condKeyAWSSourceIP           = "aws:SourceIp"
 	condKeyAWSPrincipalTagPrefix = "aws:PrincipalTag/"
 	condKeyAWSRequestTagPrefix   = "aws:RequestTag/"
 	condKeyAWSResourceTagPrefix  = "aws:ResourceTag/"
 	userClaimTagPrefix           = "tag-"
 )
--- a/iam/converter_native.go
+++ b/iam/converter_native.go
@ -224,21 +224,32 @@ func getNativePrincipalsAndConditionFunc(statement Statement, resolver NativeRes
 func convertToNativeChainCondition(c Conditions, resolver NativeResolver) ([]GroupedConditions, error) {
 	return convertToChainConditions(c, func(gr GroupedConditions) (GroupedConditions, error) {
 		res := GroupedConditions{
 			Conditions: make([]chain.Condition, 0, len(gr.Conditions)),
 			Any:        gr.Any,
 		}
 		for i := range gr.Conditions {
-			if gr.Conditions[i].Key == condKeyAWSMFAPresent {
+			switch {
 			case gr.Conditions[i].Key == condKeyAWSMFAPresent:
 				return GroupedConditions{}, errConditionKeyNotApplicable
-			}
+			case gr.Conditions[i].Key == condKeyAWSPrincipalARN:
 			if gr.Conditions[i].Key == condKeyAWSPrincipalARN {
 				gr.Conditions[i].Key = native.PropertyKeyActorPublicKey
 				val, err := formPrincipalKey(gr.Conditions[i].Value, resolver)
 				if err != nil {
 					return GroupedConditions{}, err
 				}
 				gr.Conditions[i].Value = val
 				res.Conditions = append(res.Conditions, gr.Conditions[i])
 			case strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSRequestTagPrefix) ||
 				strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSResourceTagPrefix):
 				continue
 			default:
 				res.Conditions = append(res.Conditions, gr.Conditions[i])
 			}
 		}
-		return gr, nil
+		return res, nil
 	})
 }
--- a/iam/converter_test.go
+++ b/iam/converter_test.go
@ -1696,7 +1696,7 @@ func TestTagsConditions(t *testing.T) {
 }
 `
-	expectedConditions := []chain.Condition{
+	expectedS3Conditions := []chain.Condition{
 		{
 			Op:    chain.CondStringEquals,
 			Kind:  chain.KindRequest,
@ -1717,6 +1717,15 @@ func TestTagsConditions(t *testing.T) {
 		},
 	}
 	expectedNativeConditions := []chain.Condition{
 		{
 			Op:    chain.CondStringEquals,
 			Kind:  chain.KindRequest,
 			Key:   fmt.Sprintf(common.PropertyKeyFormatFrostFSIDUserClaim, "tag-department"),
 			Value: "hr",
 		},
 	}
 	var p Policy
 	err := json.Unmarshal([]byte(policy), &p)
 	require.NoError(t, err)
@ -1724,12 +1733,12 @@ func TestTagsConditions(t *testing.T) {
 	s3Chain, err := ConvertToS3Chain(p, newMockUserResolver(nil, nil, ""))
 	require.NoError(t, err)
 	require.Len(t, s3Chain.Rules, 1)
-	require.ElementsMatch(t, expectedConditions, s3Chain.Rules[0].Condition)
+	require.ElementsMatch(t, expectedS3Conditions, s3Chain.Rules[0].Condition)
 	nativeChain, err := ConvertToNativeChain(p, newMockUserResolver(nil, nil, ""))
 	require.NoError(t, err)
 	require.Len(t, nativeChain.Rules, 1)
-	require.ElementsMatch(t, expectedConditions, nativeChain.Rules[0].Condition)
+	require.ElementsMatch(t, expectedNativeConditions, nativeChain.Rules[0].Condition)
 }
 func TestMFACondition(t *testing.T) {