forked from TrueCloudLab/policy-engine
1426 lines
40 KiB
Go
1426 lines
40 KiB
Go
package iam
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"strconv"
|
|
"testing"
|
|
|
|
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
|
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
|
|
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
|
|
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource/testutil"
|
|
"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
|
"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
type mockUserResolver struct {
|
|
users map[string]string
|
|
containers map[string]string
|
|
namespace string
|
|
}
|
|
|
|
func newMockUserResolver(accountUsers []string, buckets []string, namespace string) *mockUserResolver {
|
|
userMap := make(map[string]string, len(accountUsers))
|
|
for _, user := range accountUsers {
|
|
userMap[user] = user + "/resolvedValue"
|
|
}
|
|
|
|
containerMap := make(map[string]string, len(buckets))
|
|
for _, bkt := range buckets {
|
|
containerMap[bkt] = bkt + "/resolvedValues"
|
|
}
|
|
|
|
return &mockUserResolver{users: userMap, containers: containerMap, namespace: namespace}
|
|
}
|
|
|
|
func (m *mockUserResolver) GetUserAddress(account, user string) (string, error) {
|
|
key, ok := m.users[account+"/"+user]
|
|
if !ok {
|
|
return "", errors.New("not found")
|
|
}
|
|
|
|
return key, nil
|
|
}
|
|
|
|
func (m *mockUserResolver) GetUserKey(account, user string) (string, error) {
|
|
key, ok := m.users[account+"/"+user]
|
|
if !ok {
|
|
return "", errors.New("not found")
|
|
}
|
|
|
|
return key, nil
|
|
}
|
|
|
|
func (m *mockUserResolver) GetBucketInfo(bkt string) (*BucketInfo, error) {
|
|
cnr, ok := m.containers[bkt]
|
|
if !ok {
|
|
return nil, errors.New("not found")
|
|
}
|
|
|
|
return &BucketInfo{Container: cnr, Namespace: m.namespace}, nil
|
|
}
|
|
|
|
func TestConverters(t *testing.T) {
|
|
namespace := "root"
|
|
userName := "JohnDoe"
|
|
user := namespace + "/" + userName
|
|
principal := "arn:aws:iam::" + namespace + ":user/" + userName
|
|
bktName := "DOC-EXAMPLE-BUCKET"
|
|
objName := "object-name"
|
|
resource := fmt.Sprintf(s3.ResourceFormatS3BucketObjects, bktName)
|
|
s3GetObjectAction := "s3:GetObject"
|
|
s3HeadObjectAction := "s3:HeadObject"
|
|
|
|
mockResolver := newMockUserResolver([]string{user}, []string{bktName}, namespace)
|
|
|
|
t.Run("valid policy", func(t *testing.T) {
|
|
p := Policy{
|
|
Version: "2012-10-17",
|
|
Statement: []Statement{{
|
|
Principal: map[PrincipalType][]string{
|
|
AWSPrincipalType: {principal},
|
|
},
|
|
Effect: AllowEffect,
|
|
Action: []string{s3GetObjectAction},
|
|
Resource: []string{resource},
|
|
Conditions: map[string]Condition{
|
|
CondStringEquals: {
|
|
"s3:RequestObjectTag/Department": {"Finance"},
|
|
},
|
|
},
|
|
}},
|
|
}
|
|
|
|
expected := &chain.Chain{Rules: []chain.Rule{
|
|
{
|
|
Status: chain.Allow,
|
|
Actions: chain.Actions{Names: []string{s3GetObjectAction, s3HeadObjectAction}},
|
|
Resources: chain.Resources{Names: []string{resource}},
|
|
Condition: []chain.Condition{
|
|
{
|
|
Op: chain.CondStringEquals,
|
|
Object: chain.ObjectRequest,
|
|
Key: s3.PropertyKeyOwner,
|
|
Value: mockResolver.users[user],
|
|
},
|
|
{
|
|
Op: chain.CondStringEquals,
|
|
Object: chain.ObjectRequest,
|
|
Key: "s3:RequestObjectTag/Department",
|
|
Value: "Finance",
|
|
},
|
|
},
|
|
},
|
|
}}
|
|
|
|
s3Chain, err := ConvertToS3Chain(p, mockResolver)
|
|
require.NoError(t, err)
|
|
require.Equal(t, expected, s3Chain)
|
|
})
|
|
|
|
t.Run("valid native policy", func(t *testing.T) {
|
|
p := Policy{
|
|
Version: "2012-10-17",
|
|
Statement: []Statement{{
|
|
Principal: map[PrincipalType][]string{
|
|
AWSPrincipalType: {principal},
|
|
},
|
|
Effect: AllowEffect,
|
|
Action: []string{"s3:PutObject"},
|
|
Resource: []string{resource},
|
|
}},
|
|
}
|
|
|
|
expected := &chain.Chain{Rules: []chain.Rule{
|
|
{
|
|
Status: chain.Allow,
|
|
Actions: chain.Actions{Names: []string{native.MethodPutObject}},
|
|
Resources: chain.Resources{Names: []string{fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, namespace, mockResolver.containers[bktName])}},
|
|
Condition: []chain.Condition{
|
|
{
|
|
Op: chain.CondStringEquals,
|
|
Object: chain.ObjectRequest,
|
|
Key: native.PropertyKeyActorPublicKey,
|
|
Value: mockResolver.users[user],
|
|
},
|
|
},
|
|
},
|
|
}}
|
|
|
|
nativeChain, err := ConvertToNativeChain(p, mockResolver)
|
|
require.NoError(t, err)
|
|
require.Equal(t, expected, nativeChain)
|
|
})
|
|
|
|
t.Run("valid inverted policy", func(t *testing.T) {
|
|
p := Policy{
|
|
Version: "2012-10-17",
|
|
Statement: []Statement{{
|
|
NotPrincipal: map[PrincipalType][]string{
|
|
AWSPrincipalType: {principal},
|
|
},
|
|
Effect: DenyEffect,
|
|
NotAction: []string{s3GetObjectAction},
|
|
NotResource: []string{resource},
|
|
}},
|
|
}
|
|
|
|
expected := &chain.Chain{Rules: []chain.Rule{
|
|
{
|
|
Status: chain.AccessDenied,
|
|
Actions: chain.Actions{Inverted: true, Names: []string{s3GetObjectAction, s3HeadObjectAction}},
|
|
Resources: chain.Resources{Inverted: true, Names: []string{resource}},
|
|
Condition: []chain.Condition{
|
|
{
|
|
Op: chain.CondStringNotEquals,
|
|
Object: chain.ObjectRequest,
|
|
Key: s3.PropertyKeyOwner,
|
|
Value: mockResolver.users[user],
|
|
},
|
|
},
|
|
},
|
|
}}
|
|
|
|
s3Chain, err := ConvertToS3Chain(p, mockResolver)
|
|
require.NoError(t, err)
|
|
require.Equal(t, expected, s3Chain)
|
|
})
|
|
|
|
t.Run("valid native policy map action", func(t *testing.T) {
|
|
p := Policy{
|
|
Version: "2012-10-17",
|
|
Statement: []Statement{{
|
|
Principal: map[PrincipalType][]string{
|
|
AWSPrincipalType: {principal},
|
|
},
|
|
Effect: DenyEffect,
|
|
Action: []string{"s3:DeleteObject", "s3:DeleteBucket"},
|
|
Resource: []string{
|
|
fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName, objName),
|
|
fmt.Sprintf(s3.ResourceFormatS3Bucket, bktName),
|
|
},
|
|
}},
|
|
}
|
|
|
|
expected := &chain.Chain{Rules: []chain.Rule{
|
|
{
|
|
Status: chain.AccessDenied,
|
|
Actions: chain.Actions{Names: []string{native.MethodDeleteObject, native.MethodHeadObject, native.MethodDeleteContainer}},
|
|
Resources: chain.Resources{Names: []string{
|
|
fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, namespace, mockResolver.containers[bktName]),
|
|
}},
|
|
Condition: []chain.Condition{
|
|
{
|
|
Op: chain.CondStringEquals,
|
|
Object: chain.ObjectRequest,
|
|
Key: native.PropertyKeyActorPublicKey,
|
|
Value: mockResolver.users[user],
|
|
},
|
|
{
|
|
Op: chain.CondStringLike,
|
|
Object: chain.ObjectResource,
|
|
Key: PropertyKeyFilePath,
|
|
Value: objName,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Status: chain.AccessDenied,
|
|
Actions: chain.Actions{Names: []string{native.MethodDeleteObject, native.MethodHeadObject, native.MethodDeleteContainer}},
|
|
Resources: chain.Resources{Names: []string{
|
|
fmt.Sprintf(native.ResourceFormatNamespaceContainer, namespace, mockResolver.containers[bktName]),
|
|
}},
|
|
Condition: []chain.Condition{{
|
|
Op: chain.CondStringEquals,
|
|
Object: chain.ObjectRequest,
|
|
Key: native.PropertyKeyActorPublicKey,
|
|
Value: mockResolver.users[user],
|
|
}},
|
|
},
|
|
}}
|
|
|
|
nativeChain, err := ConvertToNativeChain(p, mockResolver)
|
|
require.NoError(t, err)
|
|
require.Equal(t, expected, nativeChain)
|
|
})
|
|
|
|
t.Run("invalid policy (unsupported principal type)", func(t *testing.T) {
|
|
p := Policy{
|
|
Version: "2012-10-17",
|
|
Statement: []Statement{{
|
|
Principal: map[PrincipalType][]string{
|
|
"dummy": {principal},
|
|
},
|
|
Effect: AllowEffect,
|
|
Action: []string{"s3:PutObject"},
|
|
Resource: []string{"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"},
|
|
}},
|
|
}
|
|
|
|
_, err := ConvertToS3Chain(p, mockResolver)
|
|
require.Error(t, err)
|
|
})
|
|
|
|
t.Run("invalid policy (missing resource)", func(t *testing.T) {
|
|
p := Policy{
|
|
Version: "2012-10-17",
|
|
Statement: []Statement{{
|
|
Principal: map[PrincipalType][]string{
|
|
AWSPrincipalType: {principal},
|
|
},
|
|
Effect: AllowEffect,
|
|
Action: []string{"s3:PutObject"},
|
|
}},
|
|
}
|
|
|
|
_, err := ConvertToS3Chain(p, mockResolver)
|
|
require.Error(t, err)
|
|
})
|
|
|
|
t.Run("invalid policy (not applicable native actions)", func(t *testing.T) {
|
|
p := Policy{
|
|
Version: "2012-10-17",
|
|
Statement: []Statement{{
|
|
Principal: map[PrincipalType][]string{
|
|
AWSPrincipalType: {principal},
|
|
},
|
|
Effect: AllowEffect,
|
|
Action: []string{"s3:AbortMultipartUpload"},
|
|
Resource: []string{"arn:aws:s3:::" + resource},
|
|
}},
|
|
}
|
|
|
|
_, err := ConvertToNativeChain(p, mockResolver)
|
|
require.Error(t, err)
|
|
})
|
|
|
|
t.Run("invalid policy (missing s3 actions)", func(t *testing.T) {
|
|
p := Policy{
|
|
Version: "2012-10-17",
|
|
Statement: []Statement{{
|
|
Principal: map[PrincipalType][]string{
|
|
AWSPrincipalType: {principal},
|
|
},
|
|
Effect: AllowEffect,
|
|
Resource: []string{"arn:aws:s3:::" + resource},
|
|
}},
|
|
}
|
|
|
|
_, err := ConvertToS3Chain(p, mockResolver)
|
|
require.Error(t, err)
|
|
})
|
|
|
|
t.Run("valid mixed iam/s3 actions", func(t *testing.T) {
|
|
p := Policy{
|
|
Version: "2012-10-17",
|
|
Statement: []Statement{{
|
|
Principal: map[PrincipalType][]string{AWSPrincipalType: {principal}},
|
|
Effect: AllowEffect,
|
|
Action: []string{"s3:DeleteObject", "iam:*"},
|
|
Resource: []string{"*"},
|
|
}},
|
|
}
|
|
|
|
s3Expected := &chain.Chain{Rules: []chain.Rule{{
|
|
Status: chain.Allow,
|
|
Actions: chain.Actions{Names: []string{"s3:DeleteObject", "s3:DeleteMultipleObjects", "iam:*"}},
|
|
Resources: chain.Resources{Names: []string{"*"}},
|
|
Condition: []chain.Condition{{
|
|
Op: chain.CondStringEquals,
|
|
Object: chain.ObjectRequest,
|
|
Key: s3.PropertyKeyOwner,
|
|
Value: mockResolver.users[user],
|
|
}},
|
|
}}}
|
|
|
|
s3Chain, err := ConvertToS3Chain(p, mockResolver)
|
|
require.NoError(t, err)
|
|
require.Equal(t, s3Expected, s3Chain)
|
|
|
|
nativeExpected := &chain.Chain{Rules: []chain.Rule{{
|
|
Status: chain.Allow,
|
|
Actions: chain.Actions{Names: []string{native.MethodDeleteObject, native.MethodHeadObject}},
|
|
Resources: chain.Resources{Names: []string{native.ResourceFormatAllObjects}},
|
|
Condition: []chain.Condition{{
|
|
Op: chain.CondStringEquals,
|
|
Object: chain.ObjectRequest,
|
|
Key: native.PropertyKeyActorPublicKey,
|
|
Value: mockResolver.users[user],
|
|
}},
|
|
}}}
|
|
|
|
nativeChain, err := ConvertToNativeChain(p, mockResolver)
|
|
require.NoError(t, err)
|
|
require.Equal(t, nativeExpected, nativeChain)
|
|
})
|
|
}
|
|
|
|
func TestConvertToChainCondition(t *testing.T) {
|
|
principal := "arn:aws:iam::namespace:user/userName"
|
|
|
|
conditions := Conditions{
|
|
CondStringEquals: {"key1": {"val0", "val1"}},
|
|
CondStringNotEquals: {"key2": {"val2"}},
|
|
CondStringEqualsIgnoreCase: {"key3": {"val3"}},
|
|
CondStringNotEqualsIgnoreCase: {"key4": {"val4"}},
|
|
CondStringLike: {"key5": {"val5"}},
|
|
CondStringNotLike: {"key6": {"val6"}},
|
|
CondDateEquals: {"key7": {"2006-01-02T15:04:05+07:00"}},
|
|
CondDateNotEquals: {"key8": {"2006-01-02T15:04:05Z"}},
|
|
CondDateLessThan: {"key9": {"2006-01-02T15:04:05+06:00"}},
|
|
CondDateLessThanEquals: {"key10": {"2006-01-02T15:04:05+03:00"}},
|
|
CondDateGreaterThan: {"key11": {"2006-01-02T15:04:05-01:00"}},
|
|
CondDateGreaterThanEquals: {"key12": {"2006-01-02T15:04:05-03:00"}},
|
|
CondBool: {"key13": {"True"}},
|
|
CondIPAddress: {"key14": {"val14"}},
|
|
CondNotIPAddress: {"key15": {"val15"}},
|
|
CondArnEquals: {"key16": {"val16"}},
|
|
CondArnLike: {condKeyAWSPrincipalARN: {principal}},
|
|
CondArnNotEquals: {"key18": {"val18"}},
|
|
CondArnNotLike: {"key19": {"val19"}},
|
|
}
|
|
|
|
expectedCondition := []GroupedConditions{
|
|
{
|
|
Any: true,
|
|
Conditions: []chain.Condition{
|
|
{
|
|
Op: chain.CondStringEquals,
|
|
Object: chain.ObjectRequest,
|
|
Key: "key1",
|
|
Value: "val0",
|
|
},
|
|
{
|
|
Op: chain.CondStringEquals,
|
|
Object: chain.ObjectRequest,
|
|
Key: "key1",
|
|
Value: "val1",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Conditions: []chain.Condition{{
|
|
Op: chain.CondStringNotEquals,
|
|
Object: chain.ObjectRequest,
|
|
Key: "key2",
|
|
Value: "val2",
|
|
}},
|
|
},
|
|
{
|
|
Conditions: []chain.Condition{{
|
|
Op: chain.CondStringEqualsIgnoreCase,
|
|
Object: chain.ObjectRequest,
|
|
Key: "key3",
|
|
Value: "val3",
|
|
}},
|
|
},
|
|
{
|
|
Conditions: []chain.Condition{{
|
|
Op: chain.CondStringNotEqualsIgnoreCase,
|
|
Object: chain.ObjectRequest,
|
|
Key: "key4",
|
|
Value: "val4",
|
|
}},
|
|
},
|
|
{
|
|
Conditions: []chain.Condition{{
|
|
Op: chain.CondStringLike,
|
|
Object: chain.ObjectRequest,
|
|
Key: "key5",
|
|
Value: "val5",
|
|
}},
|
|
},
|
|
{
|
|
Conditions: []chain.Condition{{
|
|
Op: chain.CondStringNotLike,
|
|
Object: chain.ObjectRequest,
|
|
Key: "key6",
|
|
Value: "val6",
|
|
}},
|
|
},
|
|
{
|
|
Conditions: []chain.Condition{{
|
|
Op: chain.CondStringEquals,
|
|
Object: chain.ObjectRequest,
|
|
Key: "key7",
|
|
Value: "1136189045",
|
|
}},
|
|
},
|
|
{
|
|
Conditions: []chain.Condition{{
|
|
Op: chain.CondStringNotEquals,
|
|
Object: chain.ObjectRequest,
|
|
Key: "key8",
|
|
Value: "1136214245",
|
|
}},
|
|
},
|
|
{
|
|
Conditions: []chain.Condition{{
|
|
Op: chain.CondStringLessThan,
|
|
Object: chain.ObjectRequest,
|
|
Key: "key9",
|
|
Value: "1136192645",
|
|
}},
|
|
},
|
|
{
|
|
Conditions: []chain.Condition{{
|
|
Op: chain.CondStringLessThanEquals,
|
|
Object: chain.ObjectRequest,
|
|
Key: "key10",
|
|
Value: "1136203445",
|
|
}},
|
|
},
|
|
{
|
|
Conditions: []chain.Condition{{
|
|
Op: chain.CondStringGreaterThan,
|
|
Object: chain.ObjectRequest,
|
|
Key: "key11",
|
|
Value: "1136217845",
|
|
}},
|
|
},
|
|
{
|
|
Conditions: []chain.Condition{{
|
|
Op: chain.CondStringGreaterThanEquals,
|
|
Object: chain.ObjectRequest,
|
|
Key: "key12",
|
|
Value: "1136225045",
|
|
}},
|
|
},
|
|
{
|
|
Conditions: []chain.Condition{{
|
|
Op: chain.CondStringEqualsIgnoreCase,
|
|
Object: chain.ObjectRequest,
|
|
Key: "key13",
|
|
Value: "True",
|
|
}},
|
|
},
|
|
{
|
|
Conditions: []chain.Condition{{
|
|
Op: chain.CondStringLike,
|
|
Object: chain.ObjectRequest,
|
|
Key: "key14",
|
|
Value: "val14",
|
|
}},
|
|
},
|
|
{
|
|
Conditions: []chain.Condition{{
|
|
Op: chain.CondStringNotLike,
|
|
Object: chain.ObjectRequest,
|
|
Key: "key15",
|
|
Value: "val15",
|
|
}},
|
|
},
|
|
{
|
|
Conditions: []chain.Condition{{
|
|
Op: chain.CondStringEquals,
|
|
Object: chain.ObjectRequest,
|
|
Key: "key16",
|
|
Value: "val16",
|
|
}},
|
|
},
|
|
{
|
|
Conditions: []chain.Condition{{
|
|
Op: chain.CondStringLike,
|
|
Object: chain.ObjectRequest,
|
|
Key: condKeyAWSPrincipalARN,
|
|
Value: principal,
|
|
}},
|
|
},
|
|
{
|
|
Conditions: []chain.Condition{{
|
|
Op: chain.CondStringNotEquals,
|
|
Object: chain.ObjectRequest,
|
|
Key: "key18",
|
|
Value: "val18",
|
|
}},
|
|
},
|
|
{
|
|
Conditions: []chain.Condition{{
|
|
Op: chain.CondStringNotLike,
|
|
Object: chain.ObjectRequest,
|
|
Key: "key19",
|
|
Value: "val19",
|
|
}},
|
|
},
|
|
}
|
|
|
|
actualCondition, err := convertToChainCondition(conditions)
|
|
require.NoError(t, err)
|
|
require.ElementsMatch(t, expectedCondition, actualCondition)
|
|
}
|
|
|
|
func TestParsePrincipalARN(t *testing.T) {
|
|
for i, tc := range []struct {
|
|
principal string
|
|
account string
|
|
user string
|
|
error bool
|
|
}{
|
|
{
|
|
principal: "arn:aws:iam::root:user/user",
|
|
account: "root",
|
|
user: "user",
|
|
error: false,
|
|
},
|
|
{
|
|
principal: "arn:aws:iam::root:user/path/user/user2",
|
|
account: "root",
|
|
user: "user2",
|
|
error: false,
|
|
},
|
|
{
|
|
principal: "arn:aws:iam::root:user/",
|
|
error: true,
|
|
},
|
|
{
|
|
principal: "root:user/name",
|
|
error: true,
|
|
},
|
|
{
|
|
principal: "arn:aws:iam::root:user",
|
|
error: true,
|
|
},
|
|
{
|
|
principal: "arn:aws:iam::root:name",
|
|
error: true,
|
|
},
|
|
{
|
|
principal: "arn:aws:iam::root:user/path/user/",
|
|
error: true,
|
|
},
|
|
} {
|
|
t.Run(strconv.Itoa(i), func(t *testing.T) {
|
|
account, user, err := parsePrincipalAsIAMUser(tc.principal)
|
|
if tc.error {
|
|
require.Error(t, err)
|
|
return
|
|
}
|
|
|
|
require.NoError(t, err)
|
|
require.Equal(t, tc.account, account)
|
|
require.Equal(t, tc.user, user)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestComplexNativeConditions(t *testing.T) {
|
|
namespace := "root"
|
|
userName1, userName2 := "user1", "user2"
|
|
user1, user2 := namespace+"/"+userName1, namespace+"/"+userName2
|
|
principal1 := "arn:aws:iam::" + namespace + ":user/" + userName1
|
|
principal2 := "arn:aws:iam::" + namespace + ":user/" + userName2
|
|
bktName1, bktName2, bktName3 := "bktName", "bktName2", "bktName3"
|
|
objName1 := "objName1"
|
|
resource1 := bktName1 + "/" + objName1
|
|
resource2 := bktName2 + "/*"
|
|
resource3 := bktName3 + "/*"
|
|
action := "PutObject"
|
|
|
|
key1, key2 := "key1", "key2"
|
|
val0, val1, val2 := "val0", "val1", "val2"
|
|
|
|
mockResolver := newMockUserResolver([]string{user1, user2}, []string{bktName1, bktName2, bktName3}, "")
|
|
nativeResource1 := fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.containers[bktName1])
|
|
nativeResource2 := fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.containers[bktName2])
|
|
nativeResource3 := fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.containers[bktName3])
|
|
|
|
p := Policy{
|
|
Version: "2012-10-17",
|
|
Statement: []Statement{{
|
|
Principal: map[PrincipalType][]string{
|
|
AWSPrincipalType: {principal1, principal2},
|
|
},
|
|
Effect: DenyEffect,
|
|
Action: []string{"s3:" + action},
|
|
Resource: []string{"arn:aws:s3:::" + resource1, "arn:aws:s3:::" + resource2, "arn:aws:s3:::" + resource3},
|
|
Conditions: map[string]Condition{
|
|
CondStringEquals: {key1: {val0, val1}},
|
|
CondStringLike: {key2: {val2}},
|
|
},
|
|
}},
|
|
}
|
|
|
|
expectedStatus := chain.AccessDenied
|
|
expectedActions := chain.Actions{Names: supportedActionToNativeOpMap["s3:"+action]}
|
|
expectedResource1 := chain.Resources{Names: []string{nativeResource1}}
|
|
expectedResource23 := chain.Resources{Names: []string{nativeResource2, nativeResource3}}
|
|
|
|
user1Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: native.PropertyKeyActorPublicKey, Value: mockResolver.users[user1]}
|
|
user2Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: native.PropertyKeyActorPublicKey, Value: mockResolver.users[user2]}
|
|
objectName1Condition := chain.Condition{Op: chain.CondStringLike, Object: chain.ObjectResource, Key: PropertyKeyFilePath, Value: objName1}
|
|
key1val0Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: key1, Value: val0}
|
|
key1val1Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: key1, Value: val1}
|
|
key2val2Condition := chain.Condition{Op: chain.CondStringLike, Object: chain.ObjectRequest, Key: key2, Value: val2}
|
|
|
|
expected := &chain.Chain{Rules: []chain.Rule{
|
|
{
|
|
Status: expectedStatus,
|
|
Actions: expectedActions,
|
|
Resources: expectedResource1,
|
|
Condition: []chain.Condition{
|
|
user1Condition,
|
|
objectName1Condition,
|
|
key1val0Condition,
|
|
key2val2Condition,
|
|
},
|
|
},
|
|
{
|
|
Status: expectedStatus,
|
|
Actions: expectedActions,
|
|
Resources: expectedResource1,
|
|
Condition: []chain.Condition{
|
|
user1Condition,
|
|
objectName1Condition,
|
|
key1val1Condition,
|
|
key2val2Condition,
|
|
},
|
|
},
|
|
{
|
|
Status: expectedStatus,
|
|
Actions: expectedActions,
|
|
Resources: expectedResource1,
|
|
Condition: []chain.Condition{
|
|
user2Condition,
|
|
objectName1Condition,
|
|
key1val0Condition,
|
|
key2val2Condition,
|
|
},
|
|
},
|
|
{
|
|
Status: expectedStatus,
|
|
Actions: expectedActions,
|
|
Resources: expectedResource1,
|
|
Condition: []chain.Condition{
|
|
user2Condition,
|
|
objectName1Condition,
|
|
key1val1Condition,
|
|
key2val2Condition,
|
|
},
|
|
},
|
|
{
|
|
Status: expectedStatus,
|
|
Actions: expectedActions,
|
|
Resources: expectedResource23,
|
|
Condition: []chain.Condition{
|
|
user1Condition,
|
|
key1val0Condition,
|
|
key2val2Condition,
|
|
},
|
|
},
|
|
{
|
|
Status: expectedStatus,
|
|
Actions: expectedActions,
|
|
Resources: expectedResource23,
|
|
Condition: []chain.Condition{
|
|
user1Condition,
|
|
key1val1Condition,
|
|
key2val2Condition,
|
|
},
|
|
},
|
|
{
|
|
Status: expectedStatus,
|
|
Actions: expectedActions,
|
|
Resources: expectedResource23,
|
|
Condition: []chain.Condition{
|
|
user2Condition,
|
|
key1val0Condition,
|
|
key2val2Condition,
|
|
},
|
|
},
|
|
{
|
|
Status: expectedStatus,
|
|
Actions: expectedActions,
|
|
Resources: expectedResource23,
|
|
Condition: []chain.Condition{
|
|
user2Condition,
|
|
key1val1Condition,
|
|
key2val2Condition,
|
|
},
|
|
},
|
|
}}
|
|
|
|
nativeChain, err := ConvertToNativeChain(p, mockResolver)
|
|
require.NoError(t, err)
|
|
requireChainRulesMatch(t, expected.Rules, nativeChain.Rules)
|
|
|
|
s := inmemory.NewInMemory()
|
|
_, _, err = s.MorphRuleChainStorage().AddMorphRuleChain("name", engine.NamespaceTarget("ns"), nativeChain)
|
|
require.NoError(t, err)
|
|
|
|
for _, tc := range []struct {
|
|
name string
|
|
action string
|
|
resource string
|
|
resourceMap map[string]string
|
|
requestMap map[string]string
|
|
status chain.Status
|
|
}{
|
|
{
|
|
name: "bucket resource1, all conditions matched",
|
|
action: action,
|
|
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName2], "some-oid"),
|
|
resourceMap: map[string]string{
|
|
PropertyKeyFilePath: "any-object-name",
|
|
},
|
|
requestMap: map[string]string{
|
|
native.PropertyKeyActorPublicKey: mockResolver.users[user1],
|
|
key1: val0,
|
|
key2: val2,
|
|
},
|
|
status: chain.AccessDenied,
|
|
},
|
|
{
|
|
name: "bucket resource3, all conditions matched",
|
|
action: action,
|
|
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName3], "some-oid"),
|
|
resourceMap: map[string]string{
|
|
PropertyKeyFilePath: "any-object-name",
|
|
},
|
|
requestMap: map[string]string{
|
|
native.PropertyKeyActorPublicKey: mockResolver.users[user1],
|
|
key1: val0,
|
|
key2: val2,
|
|
},
|
|
status: chain.AccessDenied,
|
|
},
|
|
{
|
|
name: "bucket resource, user condition mismatched",
|
|
action: action,
|
|
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName2], "some-oid"),
|
|
resourceMap: map[string]string{
|
|
PropertyKeyFilePath: "any-object-name",
|
|
},
|
|
requestMap: map[string]string{
|
|
key1: val0,
|
|
key2: val2,
|
|
},
|
|
status: chain.NoRuleFound,
|
|
},
|
|
{
|
|
name: "bucket resource, key2 condition mismatched",
|
|
action: action,
|
|
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName3], "some-oid"),
|
|
resourceMap: map[string]string{
|
|
PropertyKeyFilePath: "any-object-name",
|
|
},
|
|
requestMap: map[string]string{
|
|
native.PropertyKeyActorPublicKey: mockResolver.users[user1],
|
|
key1: val0,
|
|
key2: val0,
|
|
},
|
|
status: chain.NoRuleFound,
|
|
},
|
|
{
|
|
name: "bucket resource, key1 condition mismatched",
|
|
action: action,
|
|
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName2], "some-oid"),
|
|
resourceMap: map[string]string{
|
|
PropertyKeyFilePath: "any-object-name",
|
|
},
|
|
requestMap: map[string]string{
|
|
native.PropertyKeyActorPublicKey: mockResolver.users[user1],
|
|
key2: val2,
|
|
},
|
|
status: chain.NoRuleFound,
|
|
},
|
|
{
|
|
name: "bucket/object resource, all conditions matched",
|
|
action: action,
|
|
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName1], "some-oid"),
|
|
resourceMap: map[string]string{
|
|
PropertyKeyFilePath: objName1,
|
|
},
|
|
requestMap: map[string]string{
|
|
native.PropertyKeyActorPublicKey: mockResolver.users[user1],
|
|
key1: val0,
|
|
key2: val2,
|
|
},
|
|
status: chain.AccessDenied,
|
|
},
|
|
{
|
|
name: "bucket/object resource, user condition mismatched",
|
|
action: action,
|
|
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName1], "some-oid"),
|
|
resourceMap: map[string]string{
|
|
PropertyKeyFilePath: objName1,
|
|
},
|
|
requestMap: map[string]string{
|
|
native.PropertyKeyActorPublicKey: "dummy",
|
|
key1: val0,
|
|
key2: val2,
|
|
},
|
|
status: chain.NoRuleFound,
|
|
},
|
|
{
|
|
name: "bucket/object resource, key1 condition mismatched",
|
|
action: action,
|
|
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName1], "some-oid"),
|
|
resourceMap: map[string]string{
|
|
PropertyKeyFilePath: objName1,
|
|
},
|
|
requestMap: map[string]string{
|
|
native.PropertyKeyActorPublicKey: "dummy",
|
|
key2: val2,
|
|
},
|
|
status: chain.NoRuleFound,
|
|
},
|
|
{
|
|
name: "bucket/object resource, key2 condition mismatched",
|
|
action: action,
|
|
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName1], "some-oid"),
|
|
resourceMap: map[string]string{
|
|
PropertyKeyFilePath: objName1,
|
|
},
|
|
requestMap: map[string]string{
|
|
native.PropertyKeyActorPublicKey: "dummy",
|
|
key1: val0,
|
|
key2: val0,
|
|
},
|
|
status: chain.NoRuleFound,
|
|
},
|
|
{
|
|
name: "bucket/object resource, object filepath condition mismatched",
|
|
action: action,
|
|
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName1], "some-oid"),
|
|
resourceMap: map[string]string{
|
|
PropertyKeyFilePath: "any-object-name",
|
|
},
|
|
requestMap: map[string]string{
|
|
native.PropertyKeyActorPublicKey: mockResolver.users[user1],
|
|
key1: val0,
|
|
key2: val2,
|
|
},
|
|
status: chain.NoRuleFound,
|
|
},
|
|
{
|
|
name: "resource mismatched",
|
|
action: action,
|
|
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, "some-cid", "some-oid"),
|
|
resourceMap: map[string]string{
|
|
PropertyKeyFilePath: objName1,
|
|
},
|
|
requestMap: map[string]string{
|
|
native.PropertyKeyActorPublicKey: mockResolver.users[user1],
|
|
key1: val0,
|
|
key2: val2,
|
|
},
|
|
status: chain.NoRuleFound,
|
|
},
|
|
} {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
req := testutil.NewRequest(tc.action, testutil.NewResource(tc.resource, tc.resourceMap), tc.requestMap)
|
|
status, _, err := s.IsAllowed("name", engine.NewRequestTargetWithNamespace("ns"), req)
|
|
require.NoError(t, err)
|
|
require.Equal(t, tc.status.String(), status.String())
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestComplexS3Conditions(t *testing.T) {
|
|
namespace := "root"
|
|
userName1, userName2 := "user1", "user2"
|
|
user1, user2 := namespace+"/"+userName1, namespace+"/"+userName2
|
|
principal1 := "arn:aws:iam::" + namespace + ":user/" + userName1
|
|
principal2 := "arn:aws:iam::" + namespace + ":user/" + userName2
|
|
bktName1, bktName2, bktName3 := "bktName", "bktName2", "bktName3"
|
|
objName1 := "objName1"
|
|
resource1 := fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName1, objName1)
|
|
resource2 := fmt.Sprintf(s3.ResourceFormatS3BucketObjects, bktName2)
|
|
resource3 := fmt.Sprintf(s3.ResourceFormatS3BucketObjects, bktName3)
|
|
action := "s3:DeleteObject"
|
|
action2 := "s3:DeleteMultipleObjects"
|
|
|
|
key1, key2 := "key1", "key2"
|
|
val0, val1, val2 := "val0", "val1", "val2"
|
|
|
|
mockResolver := newMockUserResolver([]string{user1, user2}, []string{bktName1, bktName2, bktName3}, "")
|
|
|
|
p := Policy{
|
|
Version: "2012-10-17",
|
|
Statement: []Statement{{
|
|
Principal: map[PrincipalType][]string{
|
|
AWSPrincipalType: {principal1, principal2},
|
|
},
|
|
Effect: DenyEffect,
|
|
Action: []string{action},
|
|
Resource: []string{resource1, resource2, resource3},
|
|
Conditions: map[string]Condition{
|
|
CondStringEquals: {key1: {val0, val1}},
|
|
CondStringLike: {key2: {val2}},
|
|
},
|
|
}},
|
|
}
|
|
|
|
expectedStatus := chain.AccessDenied
|
|
expectedActions := chain.Actions{Names: []string{action, action2}}
|
|
expectedResources := chain.Resources{Names: []string{resource1, resource2, resource3}}
|
|
|
|
user1Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: s3.PropertyKeyOwner, Value: mockResolver.users[user1]}
|
|
user2Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: s3.PropertyKeyOwner, Value: mockResolver.users[user2]}
|
|
key1val0Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: key1, Value: val0}
|
|
key1val1Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: key1, Value: val1}
|
|
key2val2Condition := chain.Condition{Op: chain.CondStringLike, Object: chain.ObjectRequest, Key: key2, Value: val2}
|
|
|
|
expected := &chain.Chain{Rules: []chain.Rule{
|
|
{
|
|
Status: expectedStatus,
|
|
Actions: expectedActions,
|
|
Resources: expectedResources,
|
|
Condition: []chain.Condition{
|
|
user1Condition,
|
|
key1val0Condition,
|
|
key2val2Condition,
|
|
},
|
|
},
|
|
{
|
|
Status: expectedStatus,
|
|
Actions: expectedActions,
|
|
Resources: expectedResources,
|
|
Condition: []chain.Condition{
|
|
user1Condition,
|
|
key1val1Condition,
|
|
key2val2Condition,
|
|
},
|
|
},
|
|
{
|
|
Status: expectedStatus,
|
|
Actions: expectedActions,
|
|
Resources: expectedResources,
|
|
Condition: []chain.Condition{
|
|
user2Condition,
|
|
key1val0Condition,
|
|
key2val2Condition,
|
|
},
|
|
},
|
|
{
|
|
Status: expectedStatus,
|
|
Actions: expectedActions,
|
|
Resources: expectedResources,
|
|
Condition: []chain.Condition{
|
|
user2Condition,
|
|
key1val1Condition,
|
|
key2val2Condition,
|
|
},
|
|
},
|
|
}}
|
|
|
|
s3Chain, err := ConvertToS3Chain(p, mockResolver)
|
|
require.NoError(t, err)
|
|
requireChainRulesMatch(t, expected.Rules, s3Chain.Rules)
|
|
|
|
s := inmemory.NewInMemory()
|
|
_, _, err = s.MorphRuleChainStorage().AddMorphRuleChain("name", engine.NamespaceTarget("ns"), s3Chain)
|
|
require.NoError(t, err)
|
|
|
|
for _, tc := range []struct {
|
|
name string
|
|
action string
|
|
resource string
|
|
resourceMap map[string]string
|
|
requestMap map[string]string
|
|
status chain.Status
|
|
}{
|
|
{
|
|
name: "bucket resource1, all conditions matched",
|
|
action: action,
|
|
resource: resource1,
|
|
requestMap: map[string]string{
|
|
s3.PropertyKeyOwner: mockResolver.users[user1],
|
|
key1: val0,
|
|
key2: val2,
|
|
},
|
|
status: chain.AccessDenied,
|
|
},
|
|
{
|
|
name: "bucket resource3, all conditions matched",
|
|
action: action,
|
|
resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName3, "some-obj"),
|
|
requestMap: map[string]string{
|
|
s3.PropertyKeyOwner: mockResolver.users[user1],
|
|
key1: val0,
|
|
key2: val2,
|
|
},
|
|
status: chain.AccessDenied,
|
|
},
|
|
{
|
|
name: "bucket resource, user condition mismatched",
|
|
action: action,
|
|
resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName2, "some-obj"),
|
|
requestMap: map[string]string{
|
|
key1: val0,
|
|
key2: val2,
|
|
},
|
|
status: chain.NoRuleFound,
|
|
},
|
|
{
|
|
name: "bucket resource, key2 condition mismatched",
|
|
action: action,
|
|
resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName3, "some-obj"),
|
|
requestMap: map[string]string{
|
|
s3.PropertyKeyOwner: mockResolver.users[user1],
|
|
key1: val0,
|
|
key2: val0,
|
|
},
|
|
status: chain.NoRuleFound,
|
|
},
|
|
{
|
|
name: "bucket resource, key1 condition mismatched",
|
|
action: action,
|
|
resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName2, "some-obj"),
|
|
requestMap: map[string]string{
|
|
s3.PropertyKeyOwner: mockResolver.users[user1],
|
|
key2: val2,
|
|
},
|
|
status: chain.NoRuleFound,
|
|
},
|
|
{
|
|
name: "bucket/object resource, all conditions matched",
|
|
action: action,
|
|
resource: resource1,
|
|
requestMap: map[string]string{
|
|
s3.PropertyKeyOwner: mockResolver.users[user1],
|
|
key1: val0,
|
|
key2: val2,
|
|
},
|
|
status: chain.AccessDenied,
|
|
},
|
|
{
|
|
name: "bucket/object resource, resource mismatched",
|
|
action: action,
|
|
resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName1, "some-obj"),
|
|
requestMap: map[string]string{
|
|
s3.PropertyKeyOwner: mockResolver.users[user1],
|
|
key1: val0,
|
|
key2: val2,
|
|
},
|
|
status: chain.NoRuleFound,
|
|
},
|
|
{
|
|
name: "bucket/object resource, user condition mismatched",
|
|
action: action,
|
|
resource: resource1,
|
|
requestMap: map[string]string{
|
|
s3.PropertyKeyOwner: "dummy",
|
|
key1: val0,
|
|
key2: val2,
|
|
},
|
|
status: chain.NoRuleFound,
|
|
},
|
|
{
|
|
name: "bucket/object resource, key1 condition mismatched",
|
|
action: action,
|
|
resource: resource1,
|
|
requestMap: map[string]string{
|
|
s3.PropertyKeyOwner: "dummy",
|
|
key2: val2,
|
|
},
|
|
status: chain.NoRuleFound,
|
|
},
|
|
{
|
|
name: "bucket/object resource, key2 condition mismatched",
|
|
action: action,
|
|
resource: resource1,
|
|
requestMap: map[string]string{
|
|
s3.PropertyKeyOwner: "dummy",
|
|
key1: val0,
|
|
key2: val0,
|
|
},
|
|
status: chain.NoRuleFound,
|
|
},
|
|
{
|
|
name: "resource mismatched",
|
|
action: action,
|
|
resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, "some-bkt", "some-obj"),
|
|
requestMap: map[string]string{
|
|
s3.PropertyKeyOwner: mockResolver.users[user1],
|
|
key1: val0,
|
|
key2: val2,
|
|
},
|
|
status: chain.NoRuleFound,
|
|
},
|
|
} {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
req := testutil.NewRequest(tc.action, testutil.NewResource(tc.resource, tc.resourceMap), tc.requestMap)
|
|
status, _, err := s.IsAllowed("name", engine.NewRequestTargetWithNamespace("ns"), req)
|
|
require.NoError(t, err)
|
|
require.Equal(t, tc.status.String(), status.String())
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestS3BucketResource(t *testing.T) {
|
|
namespace := "ns"
|
|
bktName1, bktName2 := "bucket1", "bucket2"
|
|
chainName := chain.Name("name")
|
|
|
|
mockResolver := newMockUserResolver([]string{}, []string{}, "")
|
|
|
|
p := Policy{
|
|
Version: "2012-10-17",
|
|
Statement: []Statement{
|
|
{
|
|
Principal: map[PrincipalType][]string{Wildcard: nil},
|
|
Effect: DenyEffect,
|
|
Action: []string{"s3:HeadBucket"},
|
|
Resource: []string{fmt.Sprintf(s3.ResourceFormatS3Bucket, bktName1)},
|
|
},
|
|
{
|
|
Principal: map[PrincipalType][]string{Wildcard: nil},
|
|
Effect: AllowEffect,
|
|
Action: []string{"*"},
|
|
Resource: []string{s3.ResourceFormatS3All},
|
|
},
|
|
},
|
|
}
|
|
|
|
s3Chain, err := ConvertToS3Chain(p, mockResolver)
|
|
require.NoError(t, err)
|
|
|
|
s := inmemory.NewInMemory()
|
|
_, _, err = s.MorphRuleChainStorage().AddMorphRuleChain(chainName, engine.NamespaceTarget(namespace), s3Chain)
|
|
require.NoError(t, err)
|
|
|
|
// check we match just "bucket1" resource
|
|
req := testutil.NewRequest("s3:HeadBucket", testutil.NewResource(fmt.Sprintf(s3.ResourceFormatS3Bucket, bktName1), nil), nil)
|
|
status, _, err := s.IsAllowed(chainName, engine.NewRequestTargetWithNamespace(namespace), req)
|
|
require.NoError(t, err)
|
|
require.Equal(t, chain.AccessDenied.String(), status.String())
|
|
|
|
// check we match just "bucket2" resource
|
|
req = testutil.NewRequest("s3:HeadBucket", testutil.NewResource(fmt.Sprintf(s3.ResourceFormatS3Bucket, bktName2), nil), nil)
|
|
status, _, err = s.IsAllowed(chainName, engine.NewRequestTargetWithNamespace(namespace), req)
|
|
require.NoError(t, err)
|
|
require.Equal(t, chain.Allow.String(), status.String())
|
|
|
|
// check we also match "bucket2/object" resource
|
|
req = testutil.NewRequest("s3:PutObject", testutil.NewResource(fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName2, "object"), nil), nil)
|
|
status, _, err = s.IsAllowed(chainName, engine.NewRequestTargetWithNamespace(namespace), req)
|
|
require.NoError(t, err)
|
|
require.Equal(t, chain.Allow.String(), status.String())
|
|
}
|
|
|
|
func TestWildcardConverters(t *testing.T) {
|
|
policy := `{"Version":"2012-10-17","Statement":{"Effect":"Allow", "Principal": "*", "Action":"*","Resource":"*"}}`
|
|
|
|
var p Policy
|
|
err := json.Unmarshal([]byte(policy), &p)
|
|
require.NoError(t, err)
|
|
|
|
s3Expected := &chain.Chain{
|
|
Rules: []chain.Rule{{
|
|
Status: chain.Allow,
|
|
Actions: chain.Actions{Names: []string{Wildcard}},
|
|
Resources: chain.Resources{Names: []string{Wildcard}},
|
|
}},
|
|
}
|
|
|
|
s3Chain, err := ConvertToS3Chain(p, newMockUserResolver(nil, nil, ""))
|
|
require.NoError(t, err)
|
|
require.Equal(t, s3Expected, s3Chain)
|
|
|
|
nativeExpected := &chain.Chain{
|
|
Rules: []chain.Rule{{
|
|
Status: chain.Allow,
|
|
Actions: chain.Actions{Names: []string{Wildcard}},
|
|
Resources: chain.Resources{Names: []string{native.ResourceFormatAllObjects, native.ResourceFormatAllContainers}},
|
|
}},
|
|
}
|
|
|
|
nativeChain, err := ConvertToNativeChain(p, newMockUserResolver(nil, nil, ""))
|
|
require.NoError(t, err)
|
|
require.Equal(t, nativeExpected, nativeChain)
|
|
}
|
|
|
|
func TestActionParsing(t *testing.T) {
|
|
for _, tc := range []struct {
|
|
action string
|
|
err bool
|
|
}{
|
|
{
|
|
action: "withoutPrefix",
|
|
err: true,
|
|
},
|
|
{
|
|
action: "s3:*Object",
|
|
err: true,
|
|
},
|
|
{
|
|
action: "*",
|
|
},
|
|
{
|
|
action: "s3:PutObject",
|
|
},
|
|
{
|
|
action: "s3:Put*",
|
|
},
|
|
{
|
|
action: "s3:*",
|
|
},
|
|
{
|
|
action: "s3:",
|
|
},
|
|
{
|
|
action: "iam:ListAccessKeys",
|
|
},
|
|
{
|
|
action: "iam:*",
|
|
},
|
|
} {
|
|
t.Run("", func(t *testing.T) {
|
|
err := validateAction(tc.action)
|
|
if tc.err {
|
|
require.Error(t, err)
|
|
} else {
|
|
require.NoError(t, err)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestPrincipalParsing(t *testing.T) {
|
|
for _, tc := range []struct {
|
|
principal string
|
|
expectedAccount string
|
|
expectedUser string
|
|
err bool
|
|
}{
|
|
{
|
|
principal: "withoutPrefix",
|
|
err: true,
|
|
},
|
|
{
|
|
principal: "*",
|
|
err: true,
|
|
},
|
|
{
|
|
principal: "arn:aws:iam:::dummy",
|
|
err: true,
|
|
},
|
|
{
|
|
principal: "arn:aws:iam::",
|
|
err: true,
|
|
},
|
|
{
|
|
principal: "arn:aws:iam:::dummy/test",
|
|
err: true,
|
|
},
|
|
{
|
|
principal: "arn:aws:iam:::user/",
|
|
err: true,
|
|
},
|
|
{
|
|
principal: "arn:aws:iam:::user/user/",
|
|
err: true,
|
|
},
|
|
{
|
|
principal: "arn:aws:iam:::user/name",
|
|
expectedUser: "name",
|
|
},
|
|
{
|
|
principal: "arn:aws:iam:::user/path/name",
|
|
expectedUser: "name",
|
|
},
|
|
{
|
|
principal: "arn:aws:iam::root:user/path/name",
|
|
expectedAccount: "root",
|
|
expectedUser: "name",
|
|
},
|
|
} {
|
|
t.Run("", func(t *testing.T) {
|
|
account, user, err := parsePrincipalAsIAMUser(tc.principal)
|
|
if tc.err {
|
|
require.Error(t, err)
|
|
return
|
|
}
|
|
|
|
require.NoError(t, err)
|
|
require.Equal(t, tc.expectedAccount, account)
|
|
require.Equal(t, tc.expectedUser, user)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestResourceParsing(t *testing.T) {
|
|
for _, tc := range []struct {
|
|
resource string
|
|
err bool
|
|
}{
|
|
{resource: "withoutPrefixAnd", err: true},
|
|
{resource: "arn:aws:s3:::*/obj", err: true},
|
|
{resource: "arn:aws:s3:::bkt/*"},
|
|
{resource: "arn:aws:s3:::bkt"},
|
|
{resource: "arn:aws:s3:::bkt/"},
|
|
{resource: "arn:aws:s3:::*"},
|
|
{resource: "*"},
|
|
} {
|
|
t.Run("", func(t *testing.T) {
|
|
err := validateResource(tc.resource)
|
|
if tc.err {
|
|
require.Error(t, err)
|
|
} else {
|
|
require.NoError(t, err)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func requireChainRulesMatch(t *testing.T, expected, actual []chain.Rule) {
|
|
require.Equal(t, len(expected), len(actual), "length of chain rules differ")
|
|
|
|
seen := make(map[int]int)
|
|
for i, expRule := range expected {
|
|
for j, actRule := range actual {
|
|
if _, ok := seen[j]; ok {
|
|
continue
|
|
}
|
|
|
|
if areRulesMatched(expRule, actRule) {
|
|
seen[j] = i
|
|
break
|
|
}
|
|
}
|
|
}
|
|
|
|
require.Len(t, seen, len(expected), "expected unique rules")
|
|
}
|
|
|
|
func areRulesMatched(rule1, rule2 chain.Rule) bool {
|
|
if rule1.Status != rule2.Status ||
|
|
rule1.Any != rule2.Any ||
|
|
rule1.Resources.Inverted != rule2.Resources.Inverted ||
|
|
len(rule1.Resources.Names) != len(rule2.Resources.Names) ||
|
|
rule1.Actions.Inverted != rule2.Actions.Inverted ||
|
|
len(rule1.Actions.Names) != len(rule2.Actions.Names) {
|
|
return false
|
|
}
|
|
|
|
for i, name := range rule1.Resources.Names {
|
|
if name != rule2.Resources.Names[i] {
|
|
return false
|
|
}
|
|
}
|
|
|
|
for i, name := range rule1.Actions.Names {
|
|
if name != rule2.Actions.Names[i] {
|
|
return false
|
|
}
|
|
}
|
|
|
|
seen := make(map[int]struct{})
|
|
for _, cond1 := range rule1.Condition {
|
|
for j, cond2 := range rule2.Condition {
|
|
if _, ok := seen[j]; ok {
|
|
continue
|
|
}
|
|
if cond1 == cond2 {
|
|
seen[j] = struct{}{}
|
|
break
|
|
}
|
|
}
|
|
}
|
|
|
|
return len(seen) == len(rule1.Condition)
|
|
}
|