policy-engine/iam/converter_test.go
Marina Biryukova 9040e48504 [#57] iam: Add policy validation checks
Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>
2024-03-11 16:12:47 +03:00

1426 lines
40 KiB
Go

package iam
import (
"encoding/json"
"errors"
"fmt"
"strconv"
"testing"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource/testutil"
"git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
"github.com/stretchr/testify/require"
)
type mockUserResolver struct {
users map[string]string
containers map[string]string
namespace string
}
func newMockUserResolver(accountUsers []string, buckets []string, namespace string) *mockUserResolver {
userMap := make(map[string]string, len(accountUsers))
for _, user := range accountUsers {
userMap[user] = user + "/resolvedValue"
}
containerMap := make(map[string]string, len(buckets))
for _, bkt := range buckets {
containerMap[bkt] = bkt + "/resolvedValues"
}
return &mockUserResolver{users: userMap, containers: containerMap, namespace: namespace}
}
func (m *mockUserResolver) GetUserAddress(account, user string) (string, error) {
key, ok := m.users[account+"/"+user]
if !ok {
return "", errors.New("not found")
}
return key, nil
}
func (m *mockUserResolver) GetUserKey(account, user string) (string, error) {
key, ok := m.users[account+"/"+user]
if !ok {
return "", errors.New("not found")
}
return key, nil
}
func (m *mockUserResolver) GetBucketInfo(bkt string) (*BucketInfo, error) {
cnr, ok := m.containers[bkt]
if !ok {
return nil, errors.New("not found")
}
return &BucketInfo{Container: cnr, Namespace: m.namespace}, nil
}
func TestConverters(t *testing.T) {
namespace := "root"
userName := "JohnDoe"
user := namespace + "/" + userName
principal := "arn:aws:iam::" + namespace + ":user/" + userName
bktName := "DOC-EXAMPLE-BUCKET"
objName := "object-name"
resource := fmt.Sprintf(s3.ResourceFormatS3BucketObjects, bktName)
s3GetObjectAction := "s3:GetObject"
s3HeadObjectAction := "s3:HeadObject"
mockResolver := newMockUserResolver([]string{user}, []string{bktName}, namespace)
t.Run("valid policy", func(t *testing.T) {
p := Policy{
Version: "2012-10-17",
Statement: []Statement{{
Principal: map[PrincipalType][]string{
AWSPrincipalType: {principal},
},
Effect: AllowEffect,
Action: []string{s3GetObjectAction},
Resource: []string{resource},
Conditions: map[string]Condition{
CondStringEquals: {
"s3:RequestObjectTag/Department": {"Finance"},
},
},
}},
}
expected := &chain.Chain{Rules: []chain.Rule{
{
Status: chain.Allow,
Actions: chain.Actions{Names: []string{s3GetObjectAction, s3HeadObjectAction}},
Resources: chain.Resources{Names: []string{resource}},
Condition: []chain.Condition{
{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
Key: s3.PropertyKeyOwner,
Value: mockResolver.users[user],
},
{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
Key: "s3:RequestObjectTag/Department",
Value: "Finance",
},
},
},
}}
s3Chain, err := ConvertToS3Chain(p, mockResolver)
require.NoError(t, err)
require.Equal(t, expected, s3Chain)
})
t.Run("valid native policy", func(t *testing.T) {
p := Policy{
Version: "2012-10-17",
Statement: []Statement{{
Principal: map[PrincipalType][]string{
AWSPrincipalType: {principal},
},
Effect: AllowEffect,
Action: []string{"s3:PutObject"},
Resource: []string{resource},
}},
}
expected := &chain.Chain{Rules: []chain.Rule{
{
Status: chain.Allow,
Actions: chain.Actions{Names: []string{native.MethodPutObject}},
Resources: chain.Resources{Names: []string{fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, namespace, mockResolver.containers[bktName])}},
Condition: []chain.Condition{
{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
Key: native.PropertyKeyActorPublicKey,
Value: mockResolver.users[user],
},
},
},
}}
nativeChain, err := ConvertToNativeChain(p, mockResolver)
require.NoError(t, err)
require.Equal(t, expected, nativeChain)
})
t.Run("valid inverted policy", func(t *testing.T) {
p := Policy{
Version: "2012-10-17",
Statement: []Statement{{
NotPrincipal: map[PrincipalType][]string{
AWSPrincipalType: {principal},
},
Effect: DenyEffect,
NotAction: []string{s3GetObjectAction},
NotResource: []string{resource},
}},
}
expected := &chain.Chain{Rules: []chain.Rule{
{
Status: chain.AccessDenied,
Actions: chain.Actions{Inverted: true, Names: []string{s3GetObjectAction, s3HeadObjectAction}},
Resources: chain.Resources{Inverted: true, Names: []string{resource}},
Condition: []chain.Condition{
{
Op: chain.CondStringNotEquals,
Object: chain.ObjectRequest,
Key: s3.PropertyKeyOwner,
Value: mockResolver.users[user],
},
},
},
}}
s3Chain, err := ConvertToS3Chain(p, mockResolver)
require.NoError(t, err)
require.Equal(t, expected, s3Chain)
})
t.Run("valid native policy map action", func(t *testing.T) {
p := Policy{
Version: "2012-10-17",
Statement: []Statement{{
Principal: map[PrincipalType][]string{
AWSPrincipalType: {principal},
},
Effect: DenyEffect,
Action: []string{"s3:DeleteObject", "s3:DeleteBucket"},
Resource: []string{
fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName, objName),
fmt.Sprintf(s3.ResourceFormatS3Bucket, bktName),
},
}},
}
expected := &chain.Chain{Rules: []chain.Rule{
{
Status: chain.AccessDenied,
Actions: chain.Actions{Names: []string{native.MethodDeleteObject, native.MethodHeadObject, native.MethodDeleteContainer}},
Resources: chain.Resources{Names: []string{
fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, namespace, mockResolver.containers[bktName]),
}},
Condition: []chain.Condition{
{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
Key: native.PropertyKeyActorPublicKey,
Value: mockResolver.users[user],
},
{
Op: chain.CondStringLike,
Object: chain.ObjectResource,
Key: PropertyKeyFilePath,
Value: objName,
},
},
},
{
Status: chain.AccessDenied,
Actions: chain.Actions{Names: []string{native.MethodDeleteObject, native.MethodHeadObject, native.MethodDeleteContainer}},
Resources: chain.Resources{Names: []string{
fmt.Sprintf(native.ResourceFormatNamespaceContainer, namespace, mockResolver.containers[bktName]),
}},
Condition: []chain.Condition{{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
Key: native.PropertyKeyActorPublicKey,
Value: mockResolver.users[user],
}},
},
}}
nativeChain, err := ConvertToNativeChain(p, mockResolver)
require.NoError(t, err)
require.Equal(t, expected, nativeChain)
})
t.Run("invalid policy (unsupported principal type)", func(t *testing.T) {
p := Policy{
Version: "2012-10-17",
Statement: []Statement{{
Principal: map[PrincipalType][]string{
"dummy": {principal},
},
Effect: AllowEffect,
Action: []string{"s3:PutObject"},
Resource: []string{"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"},
}},
}
_, err := ConvertToS3Chain(p, mockResolver)
require.Error(t, err)
})
t.Run("invalid policy (missing resource)", func(t *testing.T) {
p := Policy{
Version: "2012-10-17",
Statement: []Statement{{
Principal: map[PrincipalType][]string{
AWSPrincipalType: {principal},
},
Effect: AllowEffect,
Action: []string{"s3:PutObject"},
}},
}
_, err := ConvertToS3Chain(p, mockResolver)
require.Error(t, err)
})
t.Run("invalid policy (not applicable native actions)", func(t *testing.T) {
p := Policy{
Version: "2012-10-17",
Statement: []Statement{{
Principal: map[PrincipalType][]string{
AWSPrincipalType: {principal},
},
Effect: AllowEffect,
Action: []string{"s3:AbortMultipartUpload"},
Resource: []string{"arn:aws:s3:::" + resource},
}},
}
_, err := ConvertToNativeChain(p, mockResolver)
require.Error(t, err)
})
t.Run("invalid policy (missing s3 actions)", func(t *testing.T) {
p := Policy{
Version: "2012-10-17",
Statement: []Statement{{
Principal: map[PrincipalType][]string{
AWSPrincipalType: {principal},
},
Effect: AllowEffect,
Resource: []string{"arn:aws:s3:::" + resource},
}},
}
_, err := ConvertToS3Chain(p, mockResolver)
require.Error(t, err)
})
t.Run("valid mixed iam/s3 actions", func(t *testing.T) {
p := Policy{
Version: "2012-10-17",
Statement: []Statement{{
Principal: map[PrincipalType][]string{AWSPrincipalType: {principal}},
Effect: AllowEffect,
Action: []string{"s3:DeleteObject", "iam:*"},
Resource: []string{"*"},
}},
}
s3Expected := &chain.Chain{Rules: []chain.Rule{{
Status: chain.Allow,
Actions: chain.Actions{Names: []string{"s3:DeleteObject", "s3:DeleteMultipleObjects", "iam:*"}},
Resources: chain.Resources{Names: []string{"*"}},
Condition: []chain.Condition{{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
Key: s3.PropertyKeyOwner,
Value: mockResolver.users[user],
}},
}}}
s3Chain, err := ConvertToS3Chain(p, mockResolver)
require.NoError(t, err)
require.Equal(t, s3Expected, s3Chain)
nativeExpected := &chain.Chain{Rules: []chain.Rule{{
Status: chain.Allow,
Actions: chain.Actions{Names: []string{native.MethodDeleteObject, native.MethodHeadObject}},
Resources: chain.Resources{Names: []string{native.ResourceFormatAllObjects}},
Condition: []chain.Condition{{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
Key: native.PropertyKeyActorPublicKey,
Value: mockResolver.users[user],
}},
}}}
nativeChain, err := ConvertToNativeChain(p, mockResolver)
require.NoError(t, err)
require.Equal(t, nativeExpected, nativeChain)
})
}
func TestConvertToChainCondition(t *testing.T) {
principal := "arn:aws:iam::namespace:user/userName"
conditions := Conditions{
CondStringEquals: {"key1": {"val0", "val1"}},
CondStringNotEquals: {"key2": {"val2"}},
CondStringEqualsIgnoreCase: {"key3": {"val3"}},
CondStringNotEqualsIgnoreCase: {"key4": {"val4"}},
CondStringLike: {"key5": {"val5"}},
CondStringNotLike: {"key6": {"val6"}},
CondDateEquals: {"key7": {"2006-01-02T15:04:05+07:00"}},
CondDateNotEquals: {"key8": {"2006-01-02T15:04:05Z"}},
CondDateLessThan: {"key9": {"2006-01-02T15:04:05+06:00"}},
CondDateLessThanEquals: {"key10": {"2006-01-02T15:04:05+03:00"}},
CondDateGreaterThan: {"key11": {"2006-01-02T15:04:05-01:00"}},
CondDateGreaterThanEquals: {"key12": {"2006-01-02T15:04:05-03:00"}},
CondBool: {"key13": {"True"}},
CondIPAddress: {"key14": {"val14"}},
CondNotIPAddress: {"key15": {"val15"}},
CondArnEquals: {"key16": {"val16"}},
CondArnLike: {condKeyAWSPrincipalARN: {principal}},
CondArnNotEquals: {"key18": {"val18"}},
CondArnNotLike: {"key19": {"val19"}},
}
expectedCondition := []GroupedConditions{
{
Any: true,
Conditions: []chain.Condition{
{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
Key: "key1",
Value: "val0",
},
{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
Key: "key1",
Value: "val1",
},
},
},
{
Conditions: []chain.Condition{{
Op: chain.CondStringNotEquals,
Object: chain.ObjectRequest,
Key: "key2",
Value: "val2",
}},
},
{
Conditions: []chain.Condition{{
Op: chain.CondStringEqualsIgnoreCase,
Object: chain.ObjectRequest,
Key: "key3",
Value: "val3",
}},
},
{
Conditions: []chain.Condition{{
Op: chain.CondStringNotEqualsIgnoreCase,
Object: chain.ObjectRequest,
Key: "key4",
Value: "val4",
}},
},
{
Conditions: []chain.Condition{{
Op: chain.CondStringLike,
Object: chain.ObjectRequest,
Key: "key5",
Value: "val5",
}},
},
{
Conditions: []chain.Condition{{
Op: chain.CondStringNotLike,
Object: chain.ObjectRequest,
Key: "key6",
Value: "val6",
}},
},
{
Conditions: []chain.Condition{{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
Key: "key7",
Value: "1136189045",
}},
},
{
Conditions: []chain.Condition{{
Op: chain.CondStringNotEquals,
Object: chain.ObjectRequest,
Key: "key8",
Value: "1136214245",
}},
},
{
Conditions: []chain.Condition{{
Op: chain.CondStringLessThan,
Object: chain.ObjectRequest,
Key: "key9",
Value: "1136192645",
}},
},
{
Conditions: []chain.Condition{{
Op: chain.CondStringLessThanEquals,
Object: chain.ObjectRequest,
Key: "key10",
Value: "1136203445",
}},
},
{
Conditions: []chain.Condition{{
Op: chain.CondStringGreaterThan,
Object: chain.ObjectRequest,
Key: "key11",
Value: "1136217845",
}},
},
{
Conditions: []chain.Condition{{
Op: chain.CondStringGreaterThanEquals,
Object: chain.ObjectRequest,
Key: "key12",
Value: "1136225045",
}},
},
{
Conditions: []chain.Condition{{
Op: chain.CondStringEqualsIgnoreCase,
Object: chain.ObjectRequest,
Key: "key13",
Value: "True",
}},
},
{
Conditions: []chain.Condition{{
Op: chain.CondStringLike,
Object: chain.ObjectRequest,
Key: "key14",
Value: "val14",
}},
},
{
Conditions: []chain.Condition{{
Op: chain.CondStringNotLike,
Object: chain.ObjectRequest,
Key: "key15",
Value: "val15",
}},
},
{
Conditions: []chain.Condition{{
Op: chain.CondStringEquals,
Object: chain.ObjectRequest,
Key: "key16",
Value: "val16",
}},
},
{
Conditions: []chain.Condition{{
Op: chain.CondStringLike,
Object: chain.ObjectRequest,
Key: condKeyAWSPrincipalARN,
Value: principal,
}},
},
{
Conditions: []chain.Condition{{
Op: chain.CondStringNotEquals,
Object: chain.ObjectRequest,
Key: "key18",
Value: "val18",
}},
},
{
Conditions: []chain.Condition{{
Op: chain.CondStringNotLike,
Object: chain.ObjectRequest,
Key: "key19",
Value: "val19",
}},
},
}
actualCondition, err := convertToChainCondition(conditions)
require.NoError(t, err)
require.ElementsMatch(t, expectedCondition, actualCondition)
}
func TestParsePrincipalARN(t *testing.T) {
for i, tc := range []struct {
principal string
account string
user string
error bool
}{
{
principal: "arn:aws:iam::root:user/user",
account: "root",
user: "user",
error: false,
},
{
principal: "arn:aws:iam::root:user/path/user/user2",
account: "root",
user: "user2",
error: false,
},
{
principal: "arn:aws:iam::root:user/",
error: true,
},
{
principal: "root:user/name",
error: true,
},
{
principal: "arn:aws:iam::root:user",
error: true,
},
{
principal: "arn:aws:iam::root:name",
error: true,
},
{
principal: "arn:aws:iam::root:user/path/user/",
error: true,
},
} {
t.Run(strconv.Itoa(i), func(t *testing.T) {
account, user, err := parsePrincipalAsIAMUser(tc.principal)
if tc.error {
require.Error(t, err)
return
}
require.NoError(t, err)
require.Equal(t, tc.account, account)
require.Equal(t, tc.user, user)
})
}
}
func TestComplexNativeConditions(t *testing.T) {
namespace := "root"
userName1, userName2 := "user1", "user2"
user1, user2 := namespace+"/"+userName1, namespace+"/"+userName2
principal1 := "arn:aws:iam::" + namespace + ":user/" + userName1
principal2 := "arn:aws:iam::" + namespace + ":user/" + userName2
bktName1, bktName2, bktName3 := "bktName", "bktName2", "bktName3"
objName1 := "objName1"
resource1 := bktName1 + "/" + objName1
resource2 := bktName2 + "/*"
resource3 := bktName3 + "/*"
action := "PutObject"
key1, key2 := "key1", "key2"
val0, val1, val2 := "val0", "val1", "val2"
mockResolver := newMockUserResolver([]string{user1, user2}, []string{bktName1, bktName2, bktName3}, "")
nativeResource1 := fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.containers[bktName1])
nativeResource2 := fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.containers[bktName2])
nativeResource3 := fmt.Sprintf(native.ResourceFormatRootContainerObjects, mockResolver.containers[bktName3])
p := Policy{
Version: "2012-10-17",
Statement: []Statement{{
Principal: map[PrincipalType][]string{
AWSPrincipalType: {principal1, principal2},
},
Effect: DenyEffect,
Action: []string{"s3:" + action},
Resource: []string{"arn:aws:s3:::" + resource1, "arn:aws:s3:::" + resource2, "arn:aws:s3:::" + resource3},
Conditions: map[string]Condition{
CondStringEquals: {key1: {val0, val1}},
CondStringLike: {key2: {val2}},
},
}},
}
expectedStatus := chain.AccessDenied
expectedActions := chain.Actions{Names: supportedActionToNativeOpMap["s3:"+action]}
expectedResource1 := chain.Resources{Names: []string{nativeResource1}}
expectedResource23 := chain.Resources{Names: []string{nativeResource2, nativeResource3}}
user1Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: native.PropertyKeyActorPublicKey, Value: mockResolver.users[user1]}
user2Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: native.PropertyKeyActorPublicKey, Value: mockResolver.users[user2]}
objectName1Condition := chain.Condition{Op: chain.CondStringLike, Object: chain.ObjectResource, Key: PropertyKeyFilePath, Value: objName1}
key1val0Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: key1, Value: val0}
key1val1Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: key1, Value: val1}
key2val2Condition := chain.Condition{Op: chain.CondStringLike, Object: chain.ObjectRequest, Key: key2, Value: val2}
expected := &chain.Chain{Rules: []chain.Rule{
{
Status: expectedStatus,
Actions: expectedActions,
Resources: expectedResource1,
Condition: []chain.Condition{
user1Condition,
objectName1Condition,
key1val0Condition,
key2val2Condition,
},
},
{
Status: expectedStatus,
Actions: expectedActions,
Resources: expectedResource1,
Condition: []chain.Condition{
user1Condition,
objectName1Condition,
key1val1Condition,
key2val2Condition,
},
},
{
Status: expectedStatus,
Actions: expectedActions,
Resources: expectedResource1,
Condition: []chain.Condition{
user2Condition,
objectName1Condition,
key1val0Condition,
key2val2Condition,
},
},
{
Status: expectedStatus,
Actions: expectedActions,
Resources: expectedResource1,
Condition: []chain.Condition{
user2Condition,
objectName1Condition,
key1val1Condition,
key2val2Condition,
},
},
{
Status: expectedStatus,
Actions: expectedActions,
Resources: expectedResource23,
Condition: []chain.Condition{
user1Condition,
key1val0Condition,
key2val2Condition,
},
},
{
Status: expectedStatus,
Actions: expectedActions,
Resources: expectedResource23,
Condition: []chain.Condition{
user1Condition,
key1val1Condition,
key2val2Condition,
},
},
{
Status: expectedStatus,
Actions: expectedActions,
Resources: expectedResource23,
Condition: []chain.Condition{
user2Condition,
key1val0Condition,
key2val2Condition,
},
},
{
Status: expectedStatus,
Actions: expectedActions,
Resources: expectedResource23,
Condition: []chain.Condition{
user2Condition,
key1val1Condition,
key2val2Condition,
},
},
}}
nativeChain, err := ConvertToNativeChain(p, mockResolver)
require.NoError(t, err)
requireChainRulesMatch(t, expected.Rules, nativeChain.Rules)
s := inmemory.NewInMemory()
_, _, err = s.MorphRuleChainStorage().AddMorphRuleChain("name", engine.NamespaceTarget("ns"), nativeChain)
require.NoError(t, err)
for _, tc := range []struct {
name string
action string
resource string
resourceMap map[string]string
requestMap map[string]string
status chain.Status
}{
{
name: "bucket resource1, all conditions matched",
action: action,
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName2], "some-oid"),
resourceMap: map[string]string{
PropertyKeyFilePath: "any-object-name",
},
requestMap: map[string]string{
native.PropertyKeyActorPublicKey: mockResolver.users[user1],
key1: val0,
key2: val2,
},
status: chain.AccessDenied,
},
{
name: "bucket resource3, all conditions matched",
action: action,
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName3], "some-oid"),
resourceMap: map[string]string{
PropertyKeyFilePath: "any-object-name",
},
requestMap: map[string]string{
native.PropertyKeyActorPublicKey: mockResolver.users[user1],
key1: val0,
key2: val2,
},
status: chain.AccessDenied,
},
{
name: "bucket resource, user condition mismatched",
action: action,
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName2], "some-oid"),
resourceMap: map[string]string{
PropertyKeyFilePath: "any-object-name",
},
requestMap: map[string]string{
key1: val0,
key2: val2,
},
status: chain.NoRuleFound,
},
{
name: "bucket resource, key2 condition mismatched",
action: action,
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName3], "some-oid"),
resourceMap: map[string]string{
PropertyKeyFilePath: "any-object-name",
},
requestMap: map[string]string{
native.PropertyKeyActorPublicKey: mockResolver.users[user1],
key1: val0,
key2: val0,
},
status: chain.NoRuleFound,
},
{
name: "bucket resource, key1 condition mismatched",
action: action,
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName2], "some-oid"),
resourceMap: map[string]string{
PropertyKeyFilePath: "any-object-name",
},
requestMap: map[string]string{
native.PropertyKeyActorPublicKey: mockResolver.users[user1],
key2: val2,
},
status: chain.NoRuleFound,
},
{
name: "bucket/object resource, all conditions matched",
action: action,
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName1], "some-oid"),
resourceMap: map[string]string{
PropertyKeyFilePath: objName1,
},
requestMap: map[string]string{
native.PropertyKeyActorPublicKey: mockResolver.users[user1],
key1: val0,
key2: val2,
},
status: chain.AccessDenied,
},
{
name: "bucket/object resource, user condition mismatched",
action: action,
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName1], "some-oid"),
resourceMap: map[string]string{
PropertyKeyFilePath: objName1,
},
requestMap: map[string]string{
native.PropertyKeyActorPublicKey: "dummy",
key1: val0,
key2: val2,
},
status: chain.NoRuleFound,
},
{
name: "bucket/object resource, key1 condition mismatched",
action: action,
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName1], "some-oid"),
resourceMap: map[string]string{
PropertyKeyFilePath: objName1,
},
requestMap: map[string]string{
native.PropertyKeyActorPublicKey: "dummy",
key2: val2,
},
status: chain.NoRuleFound,
},
{
name: "bucket/object resource, key2 condition mismatched",
action: action,
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName1], "some-oid"),
resourceMap: map[string]string{
PropertyKeyFilePath: objName1,
},
requestMap: map[string]string{
native.PropertyKeyActorPublicKey: "dummy",
key1: val0,
key2: val0,
},
status: chain.NoRuleFound,
},
{
name: "bucket/object resource, object filepath condition mismatched",
action: action,
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, mockResolver.containers[bktName1], "some-oid"),
resourceMap: map[string]string{
PropertyKeyFilePath: "any-object-name",
},
requestMap: map[string]string{
native.PropertyKeyActorPublicKey: mockResolver.users[user1],
key1: val0,
key2: val2,
},
status: chain.NoRuleFound,
},
{
name: "resource mismatched",
action: action,
resource: fmt.Sprintf(native.ResourceFormatRootContainerObject, "some-cid", "some-oid"),
resourceMap: map[string]string{
PropertyKeyFilePath: objName1,
},
requestMap: map[string]string{
native.PropertyKeyActorPublicKey: mockResolver.users[user1],
key1: val0,
key2: val2,
},
status: chain.NoRuleFound,
},
} {
t.Run(tc.name, func(t *testing.T) {
req := testutil.NewRequest(tc.action, testutil.NewResource(tc.resource, tc.resourceMap), tc.requestMap)
status, _, err := s.IsAllowed("name", engine.NewRequestTargetWithNamespace("ns"), req)
require.NoError(t, err)
require.Equal(t, tc.status.String(), status.String())
})
}
}
func TestComplexS3Conditions(t *testing.T) {
namespace := "root"
userName1, userName2 := "user1", "user2"
user1, user2 := namespace+"/"+userName1, namespace+"/"+userName2
principal1 := "arn:aws:iam::" + namespace + ":user/" + userName1
principal2 := "arn:aws:iam::" + namespace + ":user/" + userName2
bktName1, bktName2, bktName3 := "bktName", "bktName2", "bktName3"
objName1 := "objName1"
resource1 := fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName1, objName1)
resource2 := fmt.Sprintf(s3.ResourceFormatS3BucketObjects, bktName2)
resource3 := fmt.Sprintf(s3.ResourceFormatS3BucketObjects, bktName3)
action := "s3:DeleteObject"
action2 := "s3:DeleteMultipleObjects"
key1, key2 := "key1", "key2"
val0, val1, val2 := "val0", "val1", "val2"
mockResolver := newMockUserResolver([]string{user1, user2}, []string{bktName1, bktName2, bktName3}, "")
p := Policy{
Version: "2012-10-17",
Statement: []Statement{{
Principal: map[PrincipalType][]string{
AWSPrincipalType: {principal1, principal2},
},
Effect: DenyEffect,
Action: []string{action},
Resource: []string{resource1, resource2, resource3},
Conditions: map[string]Condition{
CondStringEquals: {key1: {val0, val1}},
CondStringLike: {key2: {val2}},
},
}},
}
expectedStatus := chain.AccessDenied
expectedActions := chain.Actions{Names: []string{action, action2}}
expectedResources := chain.Resources{Names: []string{resource1, resource2, resource3}}
user1Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: s3.PropertyKeyOwner, Value: mockResolver.users[user1]}
user2Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: s3.PropertyKeyOwner, Value: mockResolver.users[user2]}
key1val0Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: key1, Value: val0}
key1val1Condition := chain.Condition{Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: key1, Value: val1}
key2val2Condition := chain.Condition{Op: chain.CondStringLike, Object: chain.ObjectRequest, Key: key2, Value: val2}
expected := &chain.Chain{Rules: []chain.Rule{
{
Status: expectedStatus,
Actions: expectedActions,
Resources: expectedResources,
Condition: []chain.Condition{
user1Condition,
key1val0Condition,
key2val2Condition,
},
},
{
Status: expectedStatus,
Actions: expectedActions,
Resources: expectedResources,
Condition: []chain.Condition{
user1Condition,
key1val1Condition,
key2val2Condition,
},
},
{
Status: expectedStatus,
Actions: expectedActions,
Resources: expectedResources,
Condition: []chain.Condition{
user2Condition,
key1val0Condition,
key2val2Condition,
},
},
{
Status: expectedStatus,
Actions: expectedActions,
Resources: expectedResources,
Condition: []chain.Condition{
user2Condition,
key1val1Condition,
key2val2Condition,
},
},
}}
s3Chain, err := ConvertToS3Chain(p, mockResolver)
require.NoError(t, err)
requireChainRulesMatch(t, expected.Rules, s3Chain.Rules)
s := inmemory.NewInMemory()
_, _, err = s.MorphRuleChainStorage().AddMorphRuleChain("name", engine.NamespaceTarget("ns"), s3Chain)
require.NoError(t, err)
for _, tc := range []struct {
name string
action string
resource string
resourceMap map[string]string
requestMap map[string]string
status chain.Status
}{
{
name: "bucket resource1, all conditions matched",
action: action,
resource: resource1,
requestMap: map[string]string{
s3.PropertyKeyOwner: mockResolver.users[user1],
key1: val0,
key2: val2,
},
status: chain.AccessDenied,
},
{
name: "bucket resource3, all conditions matched",
action: action,
resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName3, "some-obj"),
requestMap: map[string]string{
s3.PropertyKeyOwner: mockResolver.users[user1],
key1: val0,
key2: val2,
},
status: chain.AccessDenied,
},
{
name: "bucket resource, user condition mismatched",
action: action,
resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName2, "some-obj"),
requestMap: map[string]string{
key1: val0,
key2: val2,
},
status: chain.NoRuleFound,
},
{
name: "bucket resource, key2 condition mismatched",
action: action,
resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName3, "some-obj"),
requestMap: map[string]string{
s3.PropertyKeyOwner: mockResolver.users[user1],
key1: val0,
key2: val0,
},
status: chain.NoRuleFound,
},
{
name: "bucket resource, key1 condition mismatched",
action: action,
resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName2, "some-obj"),
requestMap: map[string]string{
s3.PropertyKeyOwner: mockResolver.users[user1],
key2: val2,
},
status: chain.NoRuleFound,
},
{
name: "bucket/object resource, all conditions matched",
action: action,
resource: resource1,
requestMap: map[string]string{
s3.PropertyKeyOwner: mockResolver.users[user1],
key1: val0,
key2: val2,
},
status: chain.AccessDenied,
},
{
name: "bucket/object resource, resource mismatched",
action: action,
resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName1, "some-obj"),
requestMap: map[string]string{
s3.PropertyKeyOwner: mockResolver.users[user1],
key1: val0,
key2: val2,
},
status: chain.NoRuleFound,
},
{
name: "bucket/object resource, user condition mismatched",
action: action,
resource: resource1,
requestMap: map[string]string{
s3.PropertyKeyOwner: "dummy",
key1: val0,
key2: val2,
},
status: chain.NoRuleFound,
},
{
name: "bucket/object resource, key1 condition mismatched",
action: action,
resource: resource1,
requestMap: map[string]string{
s3.PropertyKeyOwner: "dummy",
key2: val2,
},
status: chain.NoRuleFound,
},
{
name: "bucket/object resource, key2 condition mismatched",
action: action,
resource: resource1,
requestMap: map[string]string{
s3.PropertyKeyOwner: "dummy",
key1: val0,
key2: val0,
},
status: chain.NoRuleFound,
},
{
name: "resource mismatched",
action: action,
resource: fmt.Sprintf(s3.ResourceFormatS3BucketObject, "some-bkt", "some-obj"),
requestMap: map[string]string{
s3.PropertyKeyOwner: mockResolver.users[user1],
key1: val0,
key2: val2,
},
status: chain.NoRuleFound,
},
} {
t.Run(tc.name, func(t *testing.T) {
req := testutil.NewRequest(tc.action, testutil.NewResource(tc.resource, tc.resourceMap), tc.requestMap)
status, _, err := s.IsAllowed("name", engine.NewRequestTargetWithNamespace("ns"), req)
require.NoError(t, err)
require.Equal(t, tc.status.String(), status.String())
})
}
}
func TestS3BucketResource(t *testing.T) {
namespace := "ns"
bktName1, bktName2 := "bucket1", "bucket2"
chainName := chain.Name("name")
mockResolver := newMockUserResolver([]string{}, []string{}, "")
p := Policy{
Version: "2012-10-17",
Statement: []Statement{
{
Principal: map[PrincipalType][]string{Wildcard: nil},
Effect: DenyEffect,
Action: []string{"s3:HeadBucket"},
Resource: []string{fmt.Sprintf(s3.ResourceFormatS3Bucket, bktName1)},
},
{
Principal: map[PrincipalType][]string{Wildcard: nil},
Effect: AllowEffect,
Action: []string{"*"},
Resource: []string{s3.ResourceFormatS3All},
},
},
}
s3Chain, err := ConvertToS3Chain(p, mockResolver)
require.NoError(t, err)
s := inmemory.NewInMemory()
_, _, err = s.MorphRuleChainStorage().AddMorphRuleChain(chainName, engine.NamespaceTarget(namespace), s3Chain)
require.NoError(t, err)
// check we match just "bucket1" resource
req := testutil.NewRequest("s3:HeadBucket", testutil.NewResource(fmt.Sprintf(s3.ResourceFormatS3Bucket, bktName1), nil), nil)
status, _, err := s.IsAllowed(chainName, engine.NewRequestTargetWithNamespace(namespace), req)
require.NoError(t, err)
require.Equal(t, chain.AccessDenied.String(), status.String())
// check we match just "bucket2" resource
req = testutil.NewRequest("s3:HeadBucket", testutil.NewResource(fmt.Sprintf(s3.ResourceFormatS3Bucket, bktName2), nil), nil)
status, _, err = s.IsAllowed(chainName, engine.NewRequestTargetWithNamespace(namespace), req)
require.NoError(t, err)
require.Equal(t, chain.Allow.String(), status.String())
// check we also match "bucket2/object" resource
req = testutil.NewRequest("s3:PutObject", testutil.NewResource(fmt.Sprintf(s3.ResourceFormatS3BucketObject, bktName2, "object"), nil), nil)
status, _, err = s.IsAllowed(chainName, engine.NewRequestTargetWithNamespace(namespace), req)
require.NoError(t, err)
require.Equal(t, chain.Allow.String(), status.String())
}
func TestWildcardConverters(t *testing.T) {
policy := `{"Version":"2012-10-17","Statement":{"Effect":"Allow", "Principal": "*", "Action":"*","Resource":"*"}}`
var p Policy
err := json.Unmarshal([]byte(policy), &p)
require.NoError(t, err)
s3Expected := &chain.Chain{
Rules: []chain.Rule{{
Status: chain.Allow,
Actions: chain.Actions{Names: []string{Wildcard}},
Resources: chain.Resources{Names: []string{Wildcard}},
}},
}
s3Chain, err := ConvertToS3Chain(p, newMockUserResolver(nil, nil, ""))
require.NoError(t, err)
require.Equal(t, s3Expected, s3Chain)
nativeExpected := &chain.Chain{
Rules: []chain.Rule{{
Status: chain.Allow,
Actions: chain.Actions{Names: []string{Wildcard}},
Resources: chain.Resources{Names: []string{native.ResourceFormatAllObjects, native.ResourceFormatAllContainers}},
}},
}
nativeChain, err := ConvertToNativeChain(p, newMockUserResolver(nil, nil, ""))
require.NoError(t, err)
require.Equal(t, nativeExpected, nativeChain)
}
func TestActionParsing(t *testing.T) {
for _, tc := range []struct {
action string
err bool
}{
{
action: "withoutPrefix",
err: true,
},
{
action: "s3:*Object",
err: true,
},
{
action: "*",
},
{
action: "s3:PutObject",
},
{
action: "s3:Put*",
},
{
action: "s3:*",
},
{
action: "s3:",
},
{
action: "iam:ListAccessKeys",
},
{
action: "iam:*",
},
} {
t.Run("", func(t *testing.T) {
err := validateAction(tc.action)
if tc.err {
require.Error(t, err)
} else {
require.NoError(t, err)
}
})
}
}
func TestPrincipalParsing(t *testing.T) {
for _, tc := range []struct {
principal string
expectedAccount string
expectedUser string
err bool
}{
{
principal: "withoutPrefix",
err: true,
},
{
principal: "*",
err: true,
},
{
principal: "arn:aws:iam:::dummy",
err: true,
},
{
principal: "arn:aws:iam::",
err: true,
},
{
principal: "arn:aws:iam:::dummy/test",
err: true,
},
{
principal: "arn:aws:iam:::user/",
err: true,
},
{
principal: "arn:aws:iam:::user/user/",
err: true,
},
{
principal: "arn:aws:iam:::user/name",
expectedUser: "name",
},
{
principal: "arn:aws:iam:::user/path/name",
expectedUser: "name",
},
{
principal: "arn:aws:iam::root:user/path/name",
expectedAccount: "root",
expectedUser: "name",
},
} {
t.Run("", func(t *testing.T) {
account, user, err := parsePrincipalAsIAMUser(tc.principal)
if tc.err {
require.Error(t, err)
return
}
require.NoError(t, err)
require.Equal(t, tc.expectedAccount, account)
require.Equal(t, tc.expectedUser, user)
})
}
}
func TestResourceParsing(t *testing.T) {
for _, tc := range []struct {
resource string
err bool
}{
{resource: "withoutPrefixAnd", err: true},
{resource: "arn:aws:s3:::*/obj", err: true},
{resource: "arn:aws:s3:::bkt/*"},
{resource: "arn:aws:s3:::bkt"},
{resource: "arn:aws:s3:::bkt/"},
{resource: "arn:aws:s3:::*"},
{resource: "*"},
} {
t.Run("", func(t *testing.T) {
err := validateResource(tc.resource)
if tc.err {
require.Error(t, err)
} else {
require.NoError(t, err)
}
})
}
}
func requireChainRulesMatch(t *testing.T, expected, actual []chain.Rule) {
require.Equal(t, len(expected), len(actual), "length of chain rules differ")
seen := make(map[int]int)
for i, expRule := range expected {
for j, actRule := range actual {
if _, ok := seen[j]; ok {
continue
}
if areRulesMatched(expRule, actRule) {
seen[j] = i
break
}
}
}
require.Len(t, seen, len(expected), "expected unique rules")
}
func areRulesMatched(rule1, rule2 chain.Rule) bool {
if rule1.Status != rule2.Status ||
rule1.Any != rule2.Any ||
rule1.Resources.Inverted != rule2.Resources.Inverted ||
len(rule1.Resources.Names) != len(rule2.Resources.Names) ||
rule1.Actions.Inverted != rule2.Actions.Inverted ||
len(rule1.Actions.Names) != len(rule2.Actions.Names) {
return false
}
for i, name := range rule1.Resources.Names {
if name != rule2.Resources.Names[i] {
return false
}
}
for i, name := range rule1.Actions.Names {
if name != rule2.Actions.Names[i] {
return false
}
}
seen := make(map[int]struct{})
for _, cond1 := range rule1.Condition {
for j, cond2 := range rule2.Condition {
if _, ok := seen[j]; ok {
continue
}
if cond1 == cond2 {
seen[j] = struct{}{}
break
}
}
}
return len(seen) == len(rule1.Condition)
}