[#80] iam: Skip unsupported conditions in native chains
Skip conditions whose keys start with `aws:RequestTag` or `aws:ResourceTag`. Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
This commit is contained in:
parent
303a81cdc6
commit
64e06f5b7c
3 changed files with 29 additions and 7 deletions
|
@ -69,6 +69,8 @@ const (
|
|||
condKeyAWSPrincipalARN = "aws:PrincipalArn"
|
||||
condKeyAWSSourceIP = "aws:SourceIp"
|
||||
condKeyAWSPrincipalTagPrefix = "aws:PrincipalTag/"
|
||||
condKeyAWSRequestTagPrefix = "aws:RequestTag/"
|
||||
condKeyAWSResourceTagPrefix = "aws:ResourceTag/"
|
||||
userClaimTagPrefix = "tag-"
|
||||
)
|
||||
|
||||
|
|
|
@ -224,21 +224,32 @@ func getNativePrincipalsAndConditionFunc(statement Statement, resolver NativeRes
|
|||
|
||||
func convertToNativeChainCondition(c Conditions, resolver NativeResolver) ([]GroupedConditions, error) {
|
||||
return convertToChainConditions(c, func(gr GroupedConditions) (GroupedConditions, error) {
|
||||
for i := range gr.Conditions {
|
||||
if gr.Conditions[i].Key == condKeyAWSMFAPresent {
|
||||
return GroupedConditions{}, errConditionKeyNotApplicable
|
||||
res := GroupedConditions{
|
||||
Conditions: make([]chain.Condition, 0, len(gr.Conditions)),
|
||||
Any: gr.Any,
|
||||
}
|
||||
if gr.Conditions[i].Key == condKeyAWSPrincipalARN {
|
||||
|
||||
for i := range gr.Conditions {
|
||||
switch {
|
||||
case gr.Conditions[i].Key == condKeyAWSMFAPresent:
|
||||
return GroupedConditions{}, errConditionKeyNotApplicable
|
||||
case gr.Conditions[i].Key == condKeyAWSPrincipalARN:
|
||||
gr.Conditions[i].Key = native.PropertyKeyActorPublicKey
|
||||
val, err := formPrincipalKey(gr.Conditions[i].Value, resolver)
|
||||
if err != nil {
|
||||
return GroupedConditions{}, err
|
||||
}
|
||||
gr.Conditions[i].Value = val
|
||||
res.Conditions = append(res.Conditions, gr.Conditions[i])
|
||||
case strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSRequestTagPrefix) ||
|
||||
strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSResourceTagPrefix):
|
||||
continue
|
||||
default:
|
||||
res.Conditions = append(res.Conditions, gr.Conditions[i])
|
||||
}
|
||||
}
|
||||
|
||||
return gr, nil
|
||||
return res, nil
|
||||
})
|
||||
}
|
||||
|
||||
|
|
|
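Review bot: The new `case strings.HasPrefix(gr.Conditions[i].Key, condKeyAWSRequestTagPrefix) || ...: continue` branch drops a condition without signalling that it did so, which for an Allow statement yields a native rule broader than the source policy (requests the tag condition would have excluded now match), whereas the MFA case directly above still fails closed with `errConditionKeyNotApplicable`. The statement's Effect is not visible inside this callback, so the asymmetry may be deliberate for Deny statements, but it deserves a comment at the case stating the trade-off, e.g. `// aws:RequestTag/aws:ResourceTag have no native counterpart; skipping them widens Allow statements, callers must accept that.` If every condition in a group is skipped, `res` is returned with `Any: gr.Any` and an empty Conditions slice; whether convertToChainConditions treats an empty group as always-true or discards it is not shown in this hunk and should be confirmed, ideally by a test whose statement has only a ResourceTag condition. The `continue` is also redundant inside the switch; an empty case body carrying the comment reads cleaner.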
@ -1696,7 +1696,7 @@ func TestTagsConditions(t *testing.T) {
|
|||
}
|
||||
`
|
||||
|
||||
expectedConditions := []chain.Condition{
|
||||
expectedS3Conditions := []chain.Condition{
|
||||
{
|
||||
Op: chain.CondStringEquals,
|
||||
Kind: chain.KindRequest,
|
||||
|
@ -1717,6 +1717,15 @@ func TestTagsConditions(t *testing.T) {
|
|||
},
|
||||
}
|
||||
|
||||
expectedNativeConditions := []chain.Condition{
|
||||
{
|
||||
Op: chain.CondStringEquals,
|
||||
Kind: chain.KindRequest,
|
||||
Key: fmt.Sprintf(common.PropertyKeyFormatFrostFSIDUserClaim, "tag-department"),
|
||||
Value: "hr",
|
||||
},
|
||||
}
|
||||
|
||||
var p Policy
|
||||
err := json.Unmarshal([]byte(policy), &p)
|
||||
require.NoError(t, err)
|
||||
|
@ -1724,12 +1733,12 @@ func TestTagsConditions(t *testing.T) {
|
|||
s3Chain, err := ConvertToS3Chain(p, newMockUserResolver(nil, nil, ""))
|
||||
require.NoError(t, err)
|
||||
require.Len(t, s3Chain.Rules, 1)
|
||||
require.ElementsMatch(t, expectedConditions, s3Chain.Rules[0].Condition)
|
||||
require.ElementsMatch(t, expectedS3Conditions, s3Chain.Rules[0].Condition)
|
||||
|
||||
nativeChain, err := ConvertToNativeChain(p, newMockUserResolver(nil, nil, ""))
|
||||
require.NoError(t, err)
|
||||
require.Len(t, nativeChain.Rules, 1)
|
||||
require.ElementsMatch(t, expectedConditions, nativeChain.Rules[0].Condition)
|
||||
require.ElementsMatch(t, expectedNativeConditions, nativeChain.Rules[0].Condition)
|
||||
}
|
||||
|
||||
func TestMFACondition(t *testing.T) {
|
||||
|
|