forked from TrueCloudLab/policy-engine
173 lines
3.5 KiB
Go
173 lines
3.5 KiB
Go
package iam
|
|
|
|
import (
|
|
"encoding/json"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestUnmarshalIAMPolicy(t *testing.T) {
|
|
t.Run("simple fields", func(t *testing.T) {
|
|
policy := `{
|
|
"Version": "2012-10-17",
|
|
"Id": "PutObjPolicy",
|
|
"Statement": {
|
|
"Sid": "DenyObjectsThatAreNotSSEKMS",
|
|
"Principal": "*",
|
|
"Effect": "Deny",
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
|
|
"Condition": {
|
|
"Null": {
|
|
"s3:x-amz-server-side-encryption-aws-kms-key-id": "true"
|
|
}
|
|
}
|
|
}
|
|
}`
|
|
|
|
expected := Policy{
|
|
Version: "2012-10-17",
|
|
ID: "PutObjPolicy",
|
|
Statement: []Statement{{
|
|
SID: "DenyObjectsThatAreNotSSEKMS",
|
|
Principal: map[string][]string{
|
|
"*": nil,
|
|
},
|
|
Effect: DenyEffect,
|
|
Action: []string{"s3:PutObject"},
|
|
Resource: []string{"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"},
|
|
Conditions: map[string]Condition{
|
|
"Null": {
|
|
"s3:x-amz-server-side-encryption-aws-kms-key-id": {"true"},
|
|
},
|
|
},
|
|
}},
|
|
}
|
|
|
|
var p Policy
|
|
err := json.Unmarshal([]byte(policy), &p)
|
|
require.NoError(t, err)
|
|
require.Equal(t, expected, p)
|
|
})
|
|
|
|
t.Run("complex fields", func(t *testing.T) {
|
|
policy := `{
|
|
"Version": "2012-10-17",
|
|
"Statement": [{
|
|
"Principal":{
|
|
"AWS":[
|
|
"arn:aws:iam::111122223333:user/JohnDoe"
|
|
]
|
|
},
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"s3:PutObject"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
|
|
],
|
|
"Condition": {
|
|
"StringEquals": {
|
|
"s3:RequestObjectTag/Department": ["Finance"]
|
|
}
|
|
}
|
|
}]
|
|
}`
|
|
|
|
expected := Policy{
|
|
Version: "2012-10-17",
|
|
Statement: []Statement{{
|
|
Principal: map[string][]string{
|
|
"AWS": {"arn:aws:iam::111122223333:user/JohnDoe"},
|
|
},
|
|
Effect: AllowEffect,
|
|
Action: []string{"s3:PutObject"},
|
|
Resource: []string{"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"},
|
|
Conditions: map[string]Condition{
|
|
"StringEquals": {
|
|
"s3:RequestObjectTag/Department": {"Finance"},
|
|
},
|
|
},
|
|
}},
|
|
}
|
|
|
|
var p Policy
|
|
err := json.Unmarshal([]byte(policy), &p)
|
|
require.NoError(t, err)
|
|
require.Equal(t, expected, p)
|
|
|
|
raw, err := json.Marshal(expected)
|
|
require.NoError(t, err)
|
|
require.JSONEq(t, policy, string(raw))
|
|
})
|
|
|
|
t.Run("check principal AWS", func(t *testing.T) {
|
|
policy := `{
|
|
"Statement": [{
|
|
"Principal":{
|
|
"AWS":"arn:aws:iam::111122223333:user/JohnDoe"
|
|
}
|
|
}]
|
|
}`
|
|
|
|
expected := Policy{
|
|
Statement: []Statement{{
|
|
Principal: map[string][]string{
|
|
"AWS": {"arn:aws:iam::111122223333:user/JohnDoe"},
|
|
},
|
|
}},
|
|
}
|
|
|
|
var p Policy
|
|
err := json.Unmarshal([]byte(policy), &p)
|
|
require.NoError(t, err)
|
|
require.Equal(t, expected, p)
|
|
})
|
|
|
|
t.Run("native example", func(t *testing.T) {
|
|
policy := `
|
|
{
|
|
"Version": "xyz",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"native:*",
|
|
"s3:PutObject",
|
|
"s3:GetObject"
|
|
],
|
|
"Resource": ["*"],
|
|
"Principal": {"FrostFS": ["did:frostfs:039e3ee771a223361fe7862f532e9511b57baaae3c3e2622682e99d0e660f7671"]},
|
|
"Condition": {"StringEquals": {"native::object::attribute": "iamuser-admin"}}
|
|
}
|
|
]
|
|
}`
|
|
|
|
var p Policy
|
|
err := json.Unmarshal([]byte(policy), &p)
|
|
require.NoError(t, err)
|
|
})
|
|
|
|
t.Run("condition array", func(t *testing.T) {
|
|
policy := `
|
|
{
|
|
"Statement": [{
|
|
"Condition": {"StringLike": {"ec2:InstanceType": ["t1.*", "t2.*", "m3.*"]}}
|
|
}]
|
|
}`
|
|
|
|
expected := Policy{
|
|
Statement: []Statement{{
|
|
Conditions: map[string]Condition{
|
|
"StringLike": {"ec2:InstanceType": {"t1.*", "t2.*", "m3.*"}},
|
|
},
|
|
}},
|
|
}
|
|
|
|
var p Policy
|
|
err := json.Unmarshal([]byte(policy), &p)
|
|
require.NoError(t, err)
|
|
require.Equal(t, expected, p)
|
|
})
|
|
}
|