package iam import ( "testing" chain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain" "github.com/stretchr/testify/require" ) func TestConverters(t *testing.T) { t.Run("valid policy", func(t *testing.T) { p := Policy{ Version: "2012-10-17", Statement: []Statement{{ Principal: map[PrincipalType][]string{ AWSPrincipalType: {"arn:aws:iam::111122223333:user/JohnDoe"}, }, Effect: AllowEffect, Action: []string{"s3:PutObject"}, Resource: []string{"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"}, Conditions: map[string]Condition{ CondStringEquals: { "s3:RequestObjectTag/Department": {"Finance"}, }, }, }}, } expected := &chain.Chain{Rules: []chain.Rule{ { Status: chain.Allow, Actions: chain.Actions{Names: p.Statement[0].Action}, Resources: chain.Resources{Names: p.Statement[0].Resource}, Any: true, Condition: []chain.Condition{ { Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: RequestOwnerProperty, Value: "arn:aws:iam::111122223333:user/JohnDoe", }, { Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: "s3:RequestObjectTag/Department", Value: "Finance", }, }, }, }} chain, err := p.ToChain() require.NoError(t, err) require.Equal(t, expected, chain) }) t.Run("valid inverted policy", func(t *testing.T) { p := Policy{ Version: "2012-10-17", Statement: []Statement{{ NotPrincipal: map[PrincipalType][]string{ AWSPrincipalType: {"arn:aws:iam::111122223333:user/JohnDoe"}, }, Effect: DenyEffect, NotAction: []string{"s3:PutObject"}, NotResource: []string{"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"}, }}, } expected := &chain.Chain{Rules: []chain.Rule{ { Status: chain.AccessDenied, Actions: chain.Actions{Inverted: true, Names: p.Statement[0].NotAction}, Resources: chain.Resources{Inverted: true, Names: p.Statement[0].NotResource}, Any: true, Condition: []chain.Condition{ { Op: chain.CondStringNotEquals, Object: chain.ObjectRequest, Key: RequestOwnerProperty, Value: "arn:aws:iam::111122223333:user/JohnDoe", }, }, }, }} chain, err := p.ToChain() require.NoError(t, err) require.Equal(t, expected, chain) }) t.Run("invalid policy (unsupported principal type)", func(t *testing.T) { p := Policy{ Version: "2012-10-17", Statement: []Statement{{ Principal: map[PrincipalType][]string{ "dummy": {"arn:aws:iam::111122223333:user/JohnDoe"}, }, Effect: AllowEffect, Action: []string{"s3:PutObject"}, Resource: []string{"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"}, }}, } _, err := p.ToChain() require.Error(t, err) }) t.Run("invalid policy (missing resource)", func(t *testing.T) { p := Policy{ Version: "2012-10-17", Statement: []Statement{{ Principal: map[PrincipalType][]string{ AWSPrincipalType: {"arn:aws:iam::111122223333:user/JohnDoe"}, }, Effect: AllowEffect, Action: []string{"s3:PutObject"}, }}, } _, err := p.ToChain() require.Error(t, err) }) t.Run("check policy conditions", func(t *testing.T) { p := Policy{ Version: "2012-10-17", Statement: []Statement{{ Principal: map[PrincipalType][]string{Wildcard: nil}, Effect: AllowEffect, Action: []string{"s3:PutObject"}, Resource: []string{"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"}, Conditions: Conditions{ CondStringEquals: {"key1": {"val0", "val1"}}, CondStringNotEquals: {"key2": {"val2"}}, CondStringEqualsIgnoreCase: {"key3": {"val3"}}, CondStringNotEqualsIgnoreCase: {"key4": {"val4"}}, CondStringLike: {"key5": {"val5"}}, CondStringNotLike: {"key6": {"val6"}}, CondDateEquals: {"key7": {"2006-01-02T15:04:05+07:00"}}, CondDateNotEquals: {"key8": {"2006-01-02T15:04:05Z"}}, CondDateLessThan: {"key9": {"2006-01-02T15:04:05+06:00"}}, CondDateLessThanEquals: {"key10": {"2006-01-02T15:04:05+03:00"}}, CondDateGreaterThan: {"key11": {"2006-01-02T15:04:05-01:00"}}, CondDateGreaterThanEquals: {"key12": {"2006-01-02T15:04:05-03:00"}}, CondBool: {"key13": {"True"}}, CondIPAddress: {"key14": {"val14"}}, CondNotIPAddress: {"key15": {"val15"}}, CondArnEquals: {"key16": {"val16"}}, CondArnLike: {"key17": {"val17"}}, CondArnNotEquals: {"key18": {"val18"}}, CondArnNotLike: {"key19": {"val19"}}, }, }}, } expected := &chain.Chain{Rules: []chain.Rule{ { Status: chain.Allow, Actions: chain.Actions{Names: p.Statement[0].Action}, Resources: chain.Resources{Names: p.Statement[0].Resource}, Any: true, Condition: []chain.Condition{ { Op: chain.CondStringLike, Object: chain.ObjectRequest, Key: RequestOwnerProperty, Value: "*", }, { Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: "key1", Value: "val0", }, { Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: "key1", Value: "val1", }, { Op: chain.CondStringNotEquals, Object: chain.ObjectRequest, Key: "key2", Value: "val2", }, { Op: chain.CondStringEqualsIgnoreCase, Object: chain.ObjectRequest, Key: "key3", Value: "val3", }, { Op: chain.CondStringNotEqualsIgnoreCase, Object: chain.ObjectRequest, Key: "key4", Value: "val4", }, { Op: chain.CondStringLike, Object: chain.ObjectRequest, Key: "key5", Value: "val5", }, { Op: chain.CondStringNotLike, Object: chain.ObjectRequest, Key: "key6", Value: "val6", }, { Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: "key7", Value: "1136189045", }, { Op: chain.CondStringNotEquals, Object: chain.ObjectRequest, Key: "key8", Value: "1136214245", }, { Op: chain.CondStringLessThan, Object: chain.ObjectRequest, Key: "key9", Value: "1136192645", }, { Op: chain.CondStringLessThanEquals, Object: chain.ObjectRequest, Key: "key10", Value: "1136203445", }, { Op: chain.CondStringGreaterThan, Object: chain.ObjectRequest, Key: "key11", Value: "1136217845", }, { Op: chain.CondStringGreaterThanEquals, Object: chain.ObjectRequest, Key: "key12", Value: "1136225045", }, { Op: chain.CondStringEqualsIgnoreCase, Object: chain.ObjectRequest, Key: "key13", Value: "True", }, { Op: chain.CondStringLike, Object: chain.ObjectRequest, Key: "key14", Value: "val14", }, { Op: chain.CondStringNotLike, Object: chain.ObjectRequest, Key: "key15", Value: "val15", }, { Op: chain.CondStringEquals, Object: chain.ObjectRequest, Key: "key16", Value: "val16", }, { Op: chain.CondStringLike, Object: chain.ObjectRequest, Key: "key17", Value: "val17", }, { Op: chain.CondStringNotEquals, Object: chain.ObjectRequest, Key: "key18", Value: "val18", }, { Op: chain.CondStringNotLike, Object: chain.ObjectRequest, Key: "key19", Value: "val19", }, }, }, }} chain, err := p.ToChain() require.NoError(t, err) for i, rule := range chain.Rules { expectedRule := expected.Rules[i] require.Equal(t, expectedRule.Actions, rule.Actions) require.Equal(t, expectedRule.Any, rule.Any) require.Equal(t, expectedRule.Resources, rule.Resources) require.Equal(t, expectedRule.Status, rule.Status) require.ElementsMatch(t, expectedRule.Condition, rule.Condition) } }) }