[#46] iam: Error if policy doesn't have actions

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
Denis Kirillov 2024-01-26 11:16:12 +03:00
parent 8d21ab2d99
commit 2af381ae81
4 changed files with 26 additions and 4 deletions


@ -71,6 +71,9 @@ var (
// ErrInvalidActionFormat occurs when action has unknown/unsupported format. // ErrInvalidActionFormat occurs when action has unknown/unsupported format.
ErrInvalidActionFormat = errors.New("invalid action format") ErrInvalidActionFormat = errors.New("invalid action format")
// ErrActionsNotApplicable occurs when failed to convert any actions.
ErrActionsNotApplicable = errors.New("actions not applicable")
) )
type formPrincipalConditionFunc func(string) chain.Condition type formPrincipalConditionFunc func(string) chain.Condition


@ -1,7 +1,6 @@
package iam package iam
import ( import (
"errors"
"fmt" "fmt"
"strings" "strings"
@ -11,9 +10,6 @@ import (
const PropertyKeyFilePath = "FilePath" const PropertyKeyFilePath = "FilePath"
// ErrActionsNotApplicable occurs when failed to convert any actions.
var ErrActionsNotApplicable = errors.New("actions not applicable")
var actionToOpMap = map[string][]string{ var actionToOpMap = map[string][]string{
supportedS3ActionDeleteObject: {native.MethodDeleteObject}, supportedS3ActionDeleteObject: {native.MethodDeleteObject},
supportedS3ActionGetObject: {native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject}, supportedS3ActionGetObject: {native.MethodGetObject, native.MethodHeadObject, native.MethodSearchObject, native.MethodRangeObject, native.MethodHashObject},


@ -26,6 +26,9 @@ func ConvertToS3Chain(p Policy, resolver S3Resolver) (*chain.Chain, error) {
return nil, err return nil, err
} }
ruleAction := chain.Actions{Inverted: actionInverted, Names: actions} ruleAction := chain.Actions{Inverted: actionInverted, Names: actions}
if len(ruleAction.Names) == 0 {
continue
}
resources, resourceInverted := statement.resource() resources, resourceInverted := statement.resource()
if err := validateS3ResourceNames(resources); err != nil { if err := validateS3ResourceNames(resources); err != nil {
@ -57,6 +60,10 @@ func ConvertToS3Chain(p Policy, resolver S3Resolver) (*chain.Chain, error) {
} }
} }
if len(engineChain.Rules) == 0 {
return nil, ErrActionsNotApplicable
}
return &engineChain, nil return &engineChain, nil
} }
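Review bot: The `continue` added right after `ruleAction` skips a statement whose actions did not convert without looking at its Effect, so a policy that pairs a deny statement with unsupported actions and an allow statement that converts produces a chain without the deny, which is more permissive than the source policy; the new `len(engineChain.Rules) == 0` check only catches the case where every statement was dropped. Since the code already distinguishes effects (`AllowEffect` appears in the tests), consider failing closed for anything that is not an allow, `if statement.Effect != AllowEffect { return nil, ErrActionsNotApplicable }` placed before the `continue`, or at minimum a comment stating that allow statements with no applicable actions are skipped on purpose. If `actionInverted` can be true while `actions` is empty (a NotAction list whose entries all failed to convert), such a statement would match every operation and probably should not be skipped either; worth confirming against the conversion code above the hunk. The accompanying test only uses `require.Error`, so it would not distinguish `ErrActionsNotApplicable` from a resource-validation error; `require.ErrorIs(t, err, ErrActionsNotApplicable)` would pin the new behavior. ConvertToS3Chain starts above this hunk; its closing brace is the last line shown.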


@ -279,6 +279,22 @@ func TestConverters(t *testing.T) {
require.Error(t, err) require.Error(t, err)
}) })
t.Run("invalid policy (missing s3 actions)", func(t *testing.T) {
p := Policy{
Version: "2012-10-17",
Statement: []Statement{{
Principal: map[PrincipalType][]string{
AWSPrincipalType: {principal},
},
Effect: AllowEffect,
Resource: []string{"arn:aws:s3:::" + resource},
}},
}
_, err := ConvertToS3Chain(p, mockResolver)
require.Error(t, err)
})
t.Run("valid mixed iam/s3 actions", func(t *testing.T) { t.Run("valid mixed iam/s3 actions", func(t *testing.T) {
p := Policy{ p := Policy{
Statement: []Statement{{ Statement: []Statement{{