|
|
@ -8,7 +8,7 @@ import ( |
|
|
"github.com/stretchr/testify/require" |
|
|
"github.com/stretchr/testify/require" |
|
|
) |
|
|
) |
|
|
|
|
|
|
|
|
// TestPolicyVariableMatchingInActionsAndResources tests that Actions and Resources
|
|
|
|
|
|
|
|
|
// TestPolicyVariableMatchingInActionsAndResources tests that Actions and Resources
|
|
|
// now support policy variables like ${aws:username} just like string conditions do
|
|
|
// now support policy variables like ${aws:username} just like string conditions do
|
|
|
func TestPolicyVariableMatchingInActionsAndResources(t *testing.T) { |
|
|
func TestPolicyVariableMatchingInActionsAndResources(t *testing.T) { |
|
|
engine := NewPolicyEngine() |
|
|
engine := NewPolicyEngine() |
|
|
@ -16,7 +16,7 @@ func TestPolicyVariableMatchingInActionsAndResources(t *testing.T) { |
|
|
DefaultEffect: "Deny", |
|
|
DefaultEffect: "Deny", |
|
|
StoreType: "memory", |
|
|
StoreType: "memory", |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
err := engine.Initialize(config) |
|
|
err := engine.Initialize(config) |
|
|
require.NoError(t, err) |
|
|
require.NoError(t, err) |
|
|
|
|
|
|
|
|
@ -31,12 +31,12 @@ func TestPolicyVariableMatchingInActionsAndResources(t *testing.T) { |
|
|
Sid: "AllowUserSpecificActions", |
|
|
Sid: "AllowUserSpecificActions", |
|
|
Effect: "Allow", |
|
|
Effect: "Allow", |
|
|
Action: []string{ |
|
|
Action: []string{ |
|
|
"s3:Get*", // Regular wildcard
|
|
|
|
|
|
"s3:${aws:principaltype}*", // Policy variable in action
|
|
|
|
|
|
|
|
|
"s3:Get*", // Regular wildcard
|
|
|
|
|
|
"s3:${aws:principaltype}*", // Policy variable in action
|
|
|
}, |
|
|
}, |
|
|
Resource: []string{ |
|
|
Resource: []string{ |
|
|
"arn:aws:s3:::user-${aws:username}/*", // Policy variable in resource
|
|
|
|
|
|
"arn:aws:s3:::shared/${saml:username}/*", // Different policy variable
|
|
|
|
|
|
|
|
|
"arn:aws:s3:::user-${aws:username}/*", // Policy variable in resource
|
|
|
|
|
|
"arn:aws:s3:::shared/${saml:username}/*", // Different policy variable
|
|
|
}, |
|
|
}, |
|
|
}, |
|
|
}, |
|
|
}, |
|
|
}, |
|
|
@ -46,13 +46,13 @@ func TestPolicyVariableMatchingInActionsAndResources(t *testing.T) { |
|
|
require.NoError(t, err) |
|
|
require.NoError(t, err) |
|
|
|
|
|
|
|
|
tests := []struct { |
|
|
tests := []struct { |
|
|
name string |
|
|
|
|
|
principal string |
|
|
|
|
|
action string |
|
|
|
|
|
resource string |
|
|
|
|
|
requestContext map[string]interface{} |
|
|
|
|
|
expectedEffect Effect |
|
|
|
|
|
description string |
|
|
|
|
|
|
|
|
name string |
|
|
|
|
|
principal string |
|
|
|
|
|
action string |
|
|
|
|
|
resource string |
|
|
|
|
|
requestContext map[string]interface{} |
|
|
|
|
|
expectedEffect Effect |
|
|
|
|
|
description string |
|
|
}{ |
|
|
}{ |
|
|
{ |
|
|
{ |
|
|
name: "policy_variable_in_action_matches", |
|
|
name: "policy_variable_in_action_matches", |
|
|
@ -91,7 +91,7 @@ func TestPolicyVariableMatchingInActionsAndResources(t *testing.T) { |
|
|
{ |
|
|
{ |
|
|
name: "policy_variable_no_match_wrong_user", |
|
|
name: "policy_variable_no_match_wrong_user", |
|
|
principal: "charlie", |
|
|
principal: "charlie", |
|
|
action: "s3:GetObject", |
|
|
|
|
|
|
|
|
action: "s3:GetObject", |
|
|
resource: "arn:aws:s3:::user-alice/file.txt", // charlie trying to access alice's files
|
|
|
resource: "arn:aws:s3:::user-alice/file.txt", // charlie trying to access alice's files
|
|
|
requestContext: map[string]interface{}{ |
|
|
requestContext: map[string]interface{}{ |
|
|
"aws:username": "charlie", |
|
|
"aws:username": "charlie", |
|
|
@ -100,10 +100,10 @@ func TestPolicyVariableMatchingInActionsAndResources(t *testing.T) { |
|
|
description: "Policy variable should prevent access when username doesn't match", |
|
|
description: "Policy variable should prevent access when username doesn't match", |
|
|
}, |
|
|
}, |
|
|
{ |
|
|
{ |
|
|
name: "missing_policy_variable_context", |
|
|
|
|
|
principal: "dave", |
|
|
|
|
|
action: "s3:GetObject", |
|
|
|
|
|
resource: "arn:aws:s3:::user-dave/file.txt", |
|
|
|
|
|
|
|
|
name: "missing_policy_variable_context", |
|
|
|
|
|
principal: "dave", |
|
|
|
|
|
action: "s3:GetObject", |
|
|
|
|
|
resource: "arn:aws:s3:::user-dave/file.txt", |
|
|
requestContext: map[string]interface{}{ |
|
|
requestContext: map[string]interface{}{ |
|
|
// Missing aws:username context
|
|
|
// Missing aws:username context
|
|
|
}, |
|
|
}, |
|
|
@ -123,15 +123,15 @@ func TestPolicyVariableMatchingInActionsAndResources(t *testing.T) { |
|
|
|
|
|
|
|
|
result, err := engine.Evaluate(ctx, filerAddress, evalCtx, []string{"user-specific-policy"}) |
|
|
result, err := engine.Evaluate(ctx, filerAddress, evalCtx, []string{"user-specific-policy"}) |
|
|
require.NoError(t, err, "Policy evaluation should not error") |
|
|
require.NoError(t, err, "Policy evaluation should not error") |
|
|
|
|
|
|
|
|
assert.Equal(t, tt.expectedEffect, result.Effect, |
|
|
|
|
|
"Test %s: %s. Expected %s but got %s", |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
assert.Equal(t, tt.expectedEffect, result.Effect, |
|
|
|
|
|
"Test %s: %s. Expected %s but got %s", |
|
|
tt.name, tt.description, tt.expectedEffect, result.Effect) |
|
|
tt.name, tt.description, tt.expectedEffect, result.Effect) |
|
|
}) |
|
|
}) |
|
|
} |
|
|
} |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
// TestActionResourceConsistencyWithStringConditions verifies that Actions, Resources,
|
|
|
|
|
|
|
|
|
// TestActionResourceConsistencyWithStringConditions verifies that Actions, Resources,
|
|
|
// and string conditions all use the same AWS IAM-compliant matching logic
|
|
|
// and string conditions all use the same AWS IAM-compliant matching logic
|
|
|
func TestActionResourceConsistencyWithStringConditions(t *testing.T) { |
|
|
func TestActionResourceConsistencyWithStringConditions(t *testing.T) { |
|
|
engine := NewPolicyEngine() |
|
|
engine := NewPolicyEngine() |
|
|
@ -139,7 +139,7 @@ func TestActionResourceConsistencyWithStringConditions(t *testing.T) { |
|
|
DefaultEffect: "Deny", |
|
|
DefaultEffect: "Deny", |
|
|
StoreType: "memory", |
|
|
StoreType: "memory", |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
err := engine.Initialize(config) |
|
|
err := engine.Initialize(config) |
|
|
require.NoError(t, err) |
|
|
require.NoError(t, err) |
|
|
|
|
|
|
|
|
@ -151,9 +151,9 @@ func TestActionResourceConsistencyWithStringConditions(t *testing.T) { |
|
|
Version: "2012-10-17", |
|
|
Version: "2012-10-17", |
|
|
Statement: []Statement{ |
|
|
Statement: []Statement{ |
|
|
{ |
|
|
{ |
|
|
Sid: "CaseInsensitiveMatching", |
|
|
|
|
|
Effect: "Allow", |
|
|
|
|
|
Action: []string{"S3:GET*"}, // Uppercase action pattern
|
|
|
|
|
|
|
|
|
Sid: "CaseInsensitiveMatching", |
|
|
|
|
|
Effect: "Allow", |
|
|
|
|
|
Action: []string{"S3:GET*"}, // Uppercase action pattern
|
|
|
Resource: []string{"arn:aws:s3:::TEST-BUCKET/*"}, // Uppercase resource pattern
|
|
|
Resource: []string{"arn:aws:s3:::TEST-BUCKET/*"}, // Uppercase resource pattern
|
|
|
Condition: map[string]map[string]interface{}{ |
|
|
Condition: map[string]map[string]interface{}{ |
|
|
"StringLike": { |
|
|
"StringLike": { |
|
|
@ -169,8 +169,8 @@ func TestActionResourceConsistencyWithStringConditions(t *testing.T) { |
|
|
|
|
|
|
|
|
evalCtx := &EvaluationContext{ |
|
|
evalCtx := &EvaluationContext{ |
|
|
Principal: "test-user", |
|
|
Principal: "test-user", |
|
|
Action: "s3:getobject", // lowercase action
|
|
|
|
|
|
Resource: "arn:aws:s3:::test-bucket/file.txt", // lowercase resource
|
|
|
|
|
|
|
|
|
Action: "s3:getobject", // lowercase action
|
|
|
|
|
|
Resource: "arn:aws:s3:::test-bucket/file.txt", // lowercase resource
|
|
|
RequestContext: map[string]interface{}{ |
|
|
RequestContext: map[string]interface{}{ |
|
|
"s3:RequestedRegion": "us-east-1", // lowercase condition value
|
|
|
"s3:RequestedRegion": "us-east-1", // lowercase condition value
|
|
|
}, |
|
|
}, |
|
|
@ -178,14 +178,14 @@ func TestActionResourceConsistencyWithStringConditions(t *testing.T) { |
|
|
|
|
|
|
|
|
result, err := engine.Evaluate(ctx, filerAddress, evalCtx, []string{"case-insensitive-policy"}) |
|
|
result, err := engine.Evaluate(ctx, filerAddress, evalCtx, []string{"case-insensitive-policy"}) |
|
|
require.NoError(t, err) |
|
|
require.NoError(t, err) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// All should match due to case-insensitive AWS IAM-compliant matching
|
|
|
// All should match due to case-insensitive AWS IAM-compliant matching
|
|
|
assert.Equal(t, EffectAllow, result.Effect, |
|
|
|
|
|
|
|
|
assert.Equal(t, EffectAllow, result.Effect, |
|
|
"Actions, Resources, and Conditions should all use case-insensitive AWS IAM matching") |
|
|
"Actions, Resources, and Conditions should all use case-insensitive AWS IAM matching") |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Verify that matching statements were found
|
|
|
// Verify that matching statements were found
|
|
|
assert.Len(t, result.MatchingStatements, 1, |
|
|
|
|
|
|
|
|
assert.Len(t, result.MatchingStatements, 1, |
|
|
"Should have exactly one matching statement") |
|
|
"Should have exactly one matching statement") |
|
|
assert.Equal(t, "Allow", string(result.MatchingStatements[0].Effect), |
|
|
|
|
|
|
|
|
assert.Equal(t, "Allow", string(result.MatchingStatements[0].Effect), |
|
|
"Matching statement should have Allow effect") |
|
|
"Matching statement should have Allow effect") |
|
|
} |
|
|
} |
chrislu
1 month ago