[#80] iam: Skip unsupported conditions in native chains

Skip conditions with
* aws:RequestTag
* aws:ResourceTag
keys

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
This commit is contained in:
Denis Kirillov 2024-06-10 17:35:01 +03:00
parent 303a81cdc6
commit 64e06f5b7c
3 changed files with 29 additions and 7 deletions

View file

@ -69,6 +69,8 @@ const (
condKeyAWSPrincipalARN = "aws:PrincipalArn"
condKeyAWSSourceIP = "aws:SourceIp"
condKeyAWSPrincipalTagPrefix = "aws:PrincipalTag/"
condKeyAWSRequestTagPrefix = "aws:RequestTag/"
condKeyAWSResourceTagPrefix = "aws:ResourceTag/"
userClaimTagPrefix = "tag-"
)

View file

@ -224,21 +224,32 @@ func getNativePrincipalsAndConditionFunc(statement Statement, resolver NativeRes
func convertToNativeChainCondition(c Conditions, resolver NativeResolver) ([]GroupedConditions, error) {
return convertToChainConditions(c, func(gr GroupedConditions) (GroupedConditions, error) {
for i := range gr.Conditions {
if gr.Conditions[i].Key == condKeyAWSMFAPresent {
return GroupedConditions{}, errConditionKeyNotApplicable
res := GroupedConditions{
Conditions: make([]chain.Condition, 0, len(gr.Conditions)),
Any: gr.Any,
}
if gr.Conditions[i].Key == condKeyAWSPrincipalARN {
for i := range gr.Conditions {
switch {
case gr.Conditions[i].Key == condKeyAWSMFAPresent:
return GroupedConditions{}, errConditionKeyNotApplicable
case gr.Conditions[i].Key == condKeyAWSPrincipalARN:
gr.Conditions[i].Key = native.PropertyKeyActorPublicKey
val, err := formPrincipalKey(gr.Conditions[i].Value, resolver)
if err != nil {
return GroupedConditions{}, err
}
gr.Conditions[i].Value = val
res.Conditions = append(res.Conditions, gr.Conditions[i])
case strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSRequestTagPrefix) ||
strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSResourceTagPrefix):
continue
default:
res.Conditions = append(res.Conditions, gr.Conditions[i])
}
}
return gr, nil
return res, nil
})
}

View file

@ -1696,7 +1696,7 @@ func TestTagsConditions(t *testing.T) {
}
`
expectedConditions := []chain.Condition{
expectedS3Conditions := []chain.Condition{
{
Op: chain.CondStringEquals,
Kind: chain.KindRequest,
@ -1717,6 +1717,15 @@ func TestTagsConditions(t *testing.T) {
},
}
expectedNativeConditions := []chain.Condition{
{
Op: chain.CondStringEquals,
Kind: chain.KindRequest,
Key: fmt.Sprintf(common.PropertyKeyFormatFrostFSIDUserClaim, "tag-department"),
Value: "hr",
},
}
var p Policy
err := json.Unmarshal([]byte(policy), &p)
require.NoError(t, err)
@ -1724,12 +1733,12 @@ func TestTagsConditions(t *testing.T) {
s3Chain, err := ConvertToS3Chain(p, newMockUserResolver(nil, nil, ""))
require.NoError(t, err)
require.Len(t, s3Chain.Rules, 1)
require.ElementsMatch(t, expectedConditions, s3Chain.Rules[0].Condition)
require.ElementsMatch(t, expectedS3Conditions, s3Chain.Rules[0].Condition)
nativeChain, err := ConvertToNativeChain(p, newMockUserResolver(nil, nil, ""))
require.NoError(t, err)
require.Len(t, nativeChain.Rules, 1)
require.ElementsMatch(t, expectedConditions, nativeChain.Rules[0].Condition)
require.ElementsMatch(t, expectedNativeConditions, nativeChain.Rules[0].Condition)
}
func TestMFACondition(t *testing.T) {