You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
100 lines
2.9 KiB
100 lines
2.9 KiB
package policy_engine
|
|
|
|
import (
|
|
"fmt"
|
|
"testing"
|
|
)
|
|
|
|
func TestIsolationPolicy(t *testing.T) {
|
|
engine := NewPolicyEngine()
|
|
bucketName := "test-isolation"
|
|
|
|
policyJSON := fmt.Sprintf(`{
|
|
"Version": "2012-10-17",
|
|
"Statement": [{
|
|
"Sid": "AllowOwnFolder",
|
|
"Effect": "Allow",
|
|
"Principal": "*",
|
|
"Action": ["s3:GetObject", "s3:PutObject"],
|
|
"Resource": "arn:aws:s3:::%s/${aws:username}/*"
|
|
}, {
|
|
"Sid": "AllowListOwnPrefix",
|
|
"Effect": "Allow",
|
|
"Principal": "*",
|
|
"Action": "s3:ListBucket",
|
|
"Resource": "arn:aws:s3:::%s",
|
|
"Condition": {
|
|
"StringLike": {
|
|
"s3:prefix": ["${aws:username}/*", "${aws:username}"]
|
|
}
|
|
}
|
|
}, {
|
|
"Sid": "DenyOtherFolders",
|
|
"Effect": "Deny",
|
|
"Principal": "*",
|
|
"Action": ["s3:GetObject", "s3:PutObject"],
|
|
"NotResource": "arn:aws:s3:::%s/${aws:username}/*"
|
|
}]
|
|
}`, bucketName, bucketName, bucketName)
|
|
|
|
err := engine.SetBucketPolicy(bucketName, policyJSON)
|
|
if err != nil {
|
|
t.Fatalf("Failed to set bucket policy: %v", err)
|
|
}
|
|
|
|
// Case 1: Alice accesses her own folder -> should be ALLOWED
|
|
args := &PolicyEvaluationArgs{
|
|
Action: "s3:GetObject",
|
|
Resource: fmt.Sprintf("arn:aws:s3:::%s/alice/data.txt", bucketName),
|
|
Principal: "arn:aws:sts::123456789012:assumed-role/TestReadOnlyRole/alice",
|
|
Conditions: map[string][]string{
|
|
"aws:username": {"alice"},
|
|
},
|
|
}
|
|
result := engine.EvaluatePolicy(bucketName, args)
|
|
if result != PolicyResultAllow {
|
|
t.Errorf("Alice should be ALLOWED to her own folder, got %v", result)
|
|
}
|
|
|
|
// Case 2: Alice accesses Bob's folder -> should be DENIED
|
|
args = &PolicyEvaluationArgs{
|
|
Action: "s3:GetObject",
|
|
Resource: fmt.Sprintf("arn:aws:s3:::%s/bob/data.txt", bucketName),
|
|
Principal: "arn:aws:sts::123456789012:assumed-role/TestReadOnlyRole/alice",
|
|
Conditions: map[string][]string{
|
|
"aws:username": {"alice"},
|
|
},
|
|
}
|
|
result = engine.EvaluatePolicy(bucketName, args)
|
|
if result != PolicyResultDeny {
|
|
t.Errorf("Alice should be DENIED access to Bob's folder, got %v", result)
|
|
}
|
|
|
|
// Case 3: Bob accesses Bob's folder -> should be ALLOWED
|
|
args = &PolicyEvaluationArgs{
|
|
Action: "s3:GetObject",
|
|
Resource: fmt.Sprintf("arn:aws:s3:::%s/bob/data.txt", bucketName),
|
|
Principal: "arn:aws:sts::123456789012:assumed-role/TestReadOnlyRole/bob",
|
|
Conditions: map[string][]string{
|
|
"aws:username": {"bob"},
|
|
},
|
|
}
|
|
result = engine.EvaluatePolicy(bucketName, args)
|
|
if result != PolicyResultAllow {
|
|
t.Errorf("Bob should be ALLOWED to his own folder, got %v", result)
|
|
}
|
|
|
|
// Case 4: Bob accesses Alice's folder -> should be DENIED
|
|
args = &PolicyEvaluationArgs{
|
|
Action: "s3:GetObject",
|
|
Resource: fmt.Sprintf("arn:aws:s3:::%s/alice/data.txt", bucketName),
|
|
Principal: "arn:aws:sts::123456789012:assumed-role/TestReadOnlyRole/bob",
|
|
Conditions: map[string][]string{
|
|
"aws:username": {"bob"},
|
|
},
|
|
}
|
|
result = engine.EvaluatePolicy(bucketName, args)
|
|
if result != PolicyResultDeny {
|
|
t.Errorf("Bob should be DENIED access to Alice's folder, got %v", result)
|
|
}
|
|
}
|