|
|
|
@ -31,12 +31,12 @@ func TestPolicyVariableMatchingInActionsAndResources(t *testing.T) { |
|
|
|
Sid: "AllowUserSpecificActions", |
|
|
|
Effect: "Allow", |
|
|
|
Action: []string{ |
|
|
|
"s3:Get*", // Regular wildcard
|
|
|
|
"s3:${aws:principaltype}*", // Policy variable in action
|
|
|
|
"s3:Get*", // Regular wildcard
|
|
|
|
"s3:${aws:principaltype}*", // Policy variable in action
|
|
|
|
}, |
|
|
|
Resource: []string{ |
|
|
|
"arn:aws:s3:::user-${aws:username}/*", // Policy variable in resource
|
|
|
|
"arn:aws:s3:::shared/${saml:username}/*", // Different policy variable
|
|
|
|
"arn:aws:s3:::user-${aws:username}/*", // Policy variable in resource
|
|
|
|
"arn:aws:s3:::shared/${saml:username}/*", // Different policy variable
|
|
|
|
}, |
|
|
|
}, |
|
|
|
}, |
|
|
|
@ -46,13 +46,13 @@ func TestPolicyVariableMatchingInActionsAndResources(t *testing.T) { |
|
|
|
require.NoError(t, err) |
|
|
|
|
|
|
|
tests := []struct { |
|
|
|
name string |
|
|
|
principal string |
|
|
|
action string |
|
|
|
resource string |
|
|
|
requestContext map[string]interface{} |
|
|
|
expectedEffect Effect |
|
|
|
description string |
|
|
|
name string |
|
|
|
principal string |
|
|
|
action string |
|
|
|
resource string |
|
|
|
requestContext map[string]interface{} |
|
|
|
expectedEffect Effect |
|
|
|
description string |
|
|
|
}{ |
|
|
|
{ |
|
|
|
name: "policy_variable_in_action_matches", |
|
|
|
@ -100,10 +100,10 @@ func TestPolicyVariableMatchingInActionsAndResources(t *testing.T) { |
|
|
|
description: "Policy variable should prevent access when username doesn't match", |
|
|
|
}, |
|
|
|
{ |
|
|
|
name: "missing_policy_variable_context", |
|
|
|
principal: "dave", |
|
|
|
action: "s3:GetObject", |
|
|
|
resource: "arn:aws:s3:::user-dave/file.txt", |
|
|
|
name: "missing_policy_variable_context", |
|
|
|
principal: "dave", |
|
|
|
action: "s3:GetObject", |
|
|
|
resource: "arn:aws:s3:::user-dave/file.txt", |
|
|
|
requestContext: map[string]interface{}{ |
|
|
|
// Missing aws:username context
|
|
|
|
}, |
|
|
|
@ -151,9 +151,9 @@ func TestActionResourceConsistencyWithStringConditions(t *testing.T) { |
|
|
|
Version: "2012-10-17", |
|
|
|
Statement: []Statement{ |
|
|
|
{ |
|
|
|
Sid: "CaseInsensitiveMatching", |
|
|
|
Effect: "Allow", |
|
|
|
Action: []string{"S3:GET*"}, // Uppercase action pattern
|
|
|
|
Sid: "CaseInsensitiveMatching", |
|
|
|
Effect: "Allow", |
|
|
|
Action: []string{"S3:GET*"}, // Uppercase action pattern
|
|
|
|
Resource: []string{"arn:aws:s3:::TEST-BUCKET/*"}, // Uppercase resource pattern
|
|
|
|
Condition: map[string]map[string]interface{}{ |
|
|
|
"StringLike": { |
|
|
|
@ -169,7 +169,7 @@ func TestActionResourceConsistencyWithStringConditions(t *testing.T) { |
|
|
|
|
|
|
|
evalCtx := &EvaluationContext{ |
|
|
|
Principal: "test-user", |
|
|
|
Action: "s3:getobject", // lowercase action
|
|
|
|
Action: "s3:getobject", // lowercase action
|
|
|
|
Resource: "arn:aws:s3:::test-bucket/file.txt", // lowercase resource
|
|
|
|
RequestContext: map[string]interface{}{ |
|
|
|
"s3:RequestedRegion": "us-east-1", // lowercase condition value
|
|
|
|
|
chrislu
1 month ago