diff --git a/iam/converter.go b/iam/converter.go index 957cbc3..ffa2352 100644 --- a/iam/converter.go +++ b/iam/converter.go @@ -71,6 +71,9 @@ var ( // ErrInvalidActionFormat occurs when action has unknown/unsupported format. ErrInvalidActionFormat = errors.New("invalid action format") + + // ErrActionsNotApplicable occurs when failed to convert any actions. + ErrActionsNotApplicable = errors.New("actions not applicable") ) type formPrincipalConditionFunc func(string) chain.Condition diff --git a/iam/converter_native.go b/iam/converter_native.go index 7eb7cad..e28289b 100644 --- a/iam/converter_native.go +++ b/iam/converter_native.go @@ -1,7 +1,6 @@ package iam import ( - "errors" "fmt" "strings" @@ -11,9 +10,6 @@ import ( const PropertyKeyFilePath = "FilePath" -// ErrActionsNotApplicable occurs when failed to convert any actions. -var ErrActionsNotApplicable = errors.New("actions not applicable") - var actionToOpMap = map[string][]string{ supportedS3ActionDeleteObject: {native.MethodDeleteObject}, supportedS3ActionGetObject: {native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject}, diff --git a/iam/converter_s3.go b/iam/converter_s3.go index d136e50..5af957a 100644 --- a/iam/converter_s3.go +++ b/iam/converter_s3.go @@ -26,6 +26,9 @@ func ConvertToS3Chain(p Policy, resolver S3Resolver) (*chain.Chain, error) { return nil, err } ruleAction := chain.Actions{Inverted: actionInverted, Names: actions} + if len(ruleAction.Names) == 0 { + continue + } resources, resourceInverted := statement.resource() if err := validateS3ResourceNames(resources); err != nil { @@ -57,6 +60,10 @@ func ConvertToS3Chain(p Policy, resolver S3Resolver) (*chain.Chain, error) { } } + if len(engineChain.Rules) == 0 { + return nil, ErrActionsNotApplicable + } + return &engineChain, nil } diff --git a/iam/converter_test.go b/iam/converter_test.go index 000d5cd..ba918eb 100644 --- a/iam/converter_test.go 
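Review bot: The doc comment on the relocated sentinel, `// ErrActionsNotApplicable occurs when failed to convert any actions.`, is ungrammatical and does not say at which granularity it is raised. Since the new converter_s3.go hunk in this same commit returns it only when the whole resulting chain has no rules, I would word it `// ErrActionsNotApplicable is returned when no statement of the policy yields a convertible action, so the resulting chain would have no rules.` The `var (` block this sits in starts outside the hunk.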
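Review bot: The new guard `if len(ruleAction.Names) == 0 { continue }` looks only at `Names` and ignores the `Inverted` flag that the line above copies from `actionInverted`; if, as the name suggests, an inverted action set means "every action except these", a statement whose NotAction list contained only non-convertible actions would legitimately match all S3 actions, and skipping it drops an Allow or — worse — a Deny that was meant to apply broadly, making the converted chain more permissive than the source policy. I would narrow the guard to `if len(ruleAction.Names) == 0 && !ruleAction.Inverted {` and add a test for the NotAction case, or document why an inverted empty set is treated as matching nothing. The guard is also placed before `validateS3ResourceNames(resources)`, so a statement with no applicable actions but malformed resources is now accepted silently where it previously failed; moving the `continue` below the resource validation keeps the existing rejection of bad resource ARNs. ConvertToS3Chain and the statement loop begin outside the hunk, so I cannot see how `actionInverted` is derived.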
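Review bot: The new `if len(engineChain.Rules) == 0 { return nil, ErrActionsNotApplicable }` has no comment explaining why an empty chain is rejected rather than returned, which a later maintainer may read as an arbitrary restriction and remove. Assuming an empty chain would match no request and thus silently neutralise the policy, I would add above the check `// Every statement was skipped for lack of convertible actions; returning an empty chain would silently turn the policy into a no-op, so reject it.` The body of ConvertToS3Chain continues above this hunk.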
+++ b/iam/converter_test.go @@ -279,6 +279,22 @@ func TestConverters(t *testing.T) { require.Error(t, err) }) + t.Run("invalid policy (missing s3 actions)", func(t *testing.T) { + p := Policy{ + Version: "2012-10-17", + Statement: []Statement{{ + Principal: map[PrincipalType][]string{ + AWSPrincipalType: {principal}, + }, + Effect: AllowEffect, + Resource: []string{"arn:aws:s3:::" + resource}, + }}, + } + + _, err := ConvertToS3Chain(p, mockResolver) + require.Error(t, err) + }) + t.Run("valid mixed iam/s3 actions", func(t *testing.T) { p := Policy{ Statement: []Statement{{
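Review bot: The new "invalid policy (missing s3 actions)" subtest asserts only `require.Error(t, err)`, which would also pass if ConvertToS3Chain rejected the statement for an unrelated reason (for example resource or principal validation), so it does not actually pin the behaviour the commit introduces. Replace it with `require.ErrorIs(t, err, ErrActionsNotApplicable)` so the test fails if the empty-rules path stops being taken. A second case with an `Action` list containing only non-S3 actions would exercise the `continue` in the action loop as well, whereas this one relies on the statement having no actions at all. The enclosing TestConverters function begins and ends outside the hunk.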