Compare commits
No commits in common. "227b869869cc3aab497ed6c869ef727aee0a532f" and "8a7c1be2d165153b19c410b213d1bfa9622da6c8" have entirely different histories.
227b869869
...
8a7c1be2d1
|
@ -310,7 +310,6 @@ export function evaluatePolicy(
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @deprecated Upgrade to evaluateAllPoliciesV2
|
|
||||||
* Evaluate whether a request is permitted under a policy.
|
* Evaluate whether a request is permitted under a policy.
|
||||||
* @param requestContext - Info necessary to
|
* @param requestContext - Info necessary to
|
||||||
* evaluate permission
|
* evaluate permission
|
||||||
|
@ -326,16 +325,6 @@ export function evaluateAllPolicies(
|
||||||
allPolicies: any[],
|
allPolicies: any[],
|
||||||
log: Logger,
|
log: Logger,
|
||||||
): string {
|
): string {
|
||||||
return evaluateAllPoliciesV2(requestContext, allPolicies, log).verdict;
|
|
||||||
}
|
|
||||||
export function evaluateAllPoliciesV2(
|
|
||||||
requestContext: RequestContext,
|
|
||||||
allPolicies: any[],
|
|
||||||
log: Logger,
|
|
||||||
): {
|
|
||||||
verdict: string;
|
|
||||||
isImplicit: boolean;
|
|
||||||
} {
|
|
||||||
log.trace('evaluating all policies');
|
log.trace('evaluating all policies');
|
||||||
let allow = false;
|
let allow = false;
|
||||||
let allowWithTagCondition = false;
|
let allowWithTagCondition = false;
|
||||||
|
@ -344,10 +333,7 @@ export function evaluateAllPoliciesV2(
|
||||||
const singlePolicyVerdict = evaluatePolicy(requestContext, allPolicies[i], log);
|
const singlePolicyVerdict = evaluatePolicy(requestContext, allPolicies[i], log);
|
||||||
// If there is any Deny, just return Deny
|
// If there is any Deny, just return Deny
|
||||||
if (singlePolicyVerdict === 'Deny') {
|
if (singlePolicyVerdict === 'Deny') {
|
||||||
return {
|
return 'Deny';
|
||||||
verdict: 'Deny',
|
|
||||||
isImplicit: false,
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
if (singlePolicyVerdict === 'Allow') {
|
if (singlePolicyVerdict === 'Allow') {
|
||||||
allow = true;
|
allow = true;
|
||||||
|
@ -358,7 +344,6 @@ export function evaluateAllPoliciesV2(
|
||||||
} // else 'Neutral'
|
} // else 'Neutral'
|
||||||
}
|
}
|
||||||
let verdict;
|
let verdict;
|
||||||
let isImplicit = false;
|
|
||||||
if (allow) {
|
if (allow) {
|
||||||
if (denyWithTagCondition) {
|
if (denyWithTagCondition) {
|
||||||
verdict = 'NeedTagConditionEval';
|
verdict = 'NeedTagConditionEval';
|
||||||
|
@ -370,9 +355,8 @@ export function evaluateAllPoliciesV2(
|
||||||
verdict = 'NeedTagConditionEval';
|
verdict = 'NeedTagConditionEval';
|
||||||
} else {
|
} else {
|
||||||
verdict = 'Deny';
|
verdict = 'Deny';
|
||||||
isImplicit = true;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
log.trace('result of evaluating all policies', { verdict, isImplicit });
|
log.trace('result of evaluating all policies', { verdict });
|
||||||
return { verdict, isImplicit };
|
return verdict;
|
||||||
}
|
}
|
||||||
|
|
|
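Review bot: The early `return 'Deny';` in the `-344,10 +333,7` hunk exits `evaluateAllPolicies` without the `'result of evaluating all policies'` trace that every other outcome emits at the end of the `-370,9 +355,8` hunk, so an explicit policy Deny is the one verdict that never shows up in the result trace. Since every explicit Deny leaves through that early return, a `'Deny'` that reaches the final `log.trace` can only be the default no-policy-matched case, and keeping that distinction in the trace helps audit and troubleshooting: add `log.trace('result of evaluating all policies', { verdict: 'Deny', implicit: false });` just before the early return and change the final call to `log.trace('result of evaluating all policies', { verdict, implicit: verdict === 'Deny' });`. The JSDoc in the first hunk also still says "under a policy" and documents no return value, although the function iterates `allPolicies` and returns one of `'Allow'`, `'Deny'` or `'NeedTagConditionEval'`; a `@return {string} 'Allow', 'Deny' or 'NeedTagConditionEval'` line would make the contract visible to callers. The loop header of `evaluateAllPolicies` and the declaration of `denyWithTagCondition` lie between the hunks, outside what is shown.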
@ -6,7 +6,6 @@ const fakeTimers = require('@sinonjs/fake-timers');
|
||||||
const evaluator = require('../../lib/policyEvaluator/evaluator');
|
const evaluator = require('../../lib/policyEvaluator/evaluator');
|
||||||
const evaluatePolicy = evaluator.evaluatePolicy;
|
const evaluatePolicy = evaluator.evaluatePolicy;
|
||||||
const evaluateAllPolicies = evaluator.evaluateAllPolicies;
|
const evaluateAllPolicies = evaluator.evaluateAllPolicies;
|
||||||
const evaluateAllPoliciesV2 = evaluator.evaluateAllPoliciesV2;
|
|
||||||
const handleWildcards =
|
const handleWildcards =
|
||||||
require('../../lib/policyEvaluator/utils/wildcards').handleWildcards;
|
require('../../lib/policyEvaluator/utils/wildcards').handleWildcards;
|
||||||
const substituteVariables =
|
const substituteVariables =
|
||||||
|
@ -1452,49 +1451,6 @@ describe('policyEvaluator', () => {
|
||||||
assert.strictEqual(result, 'Deny');
|
assert.strictEqual(result, 'Deny');
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should deny access if any policy results in a Deny', () => {
|
|
||||||
requestContext = new RequestContext({}, {},
|
|
||||||
'my_favorite_bucket', undefined,
|
|
||||||
undefined, undefined, 'bucketDelete', 's3');
|
|
||||||
requestContext.setRequesterInfo({});
|
|
||||||
const result = evaluateAllPoliciesV2(requestContext,
|
|
||||||
[samples['arn:aws:iam::aws:policy/AmazonS3FullAccess'],
|
|
||||||
samples['Deny Bucket Policy']], log);
|
|
||||||
assert.deepStrictEqual(result, {
|
|
||||||
verdict: 'Deny',
|
|
||||||
isImplicit: false,
|
|
||||||
});
|
|
||||||
});
|
|
||||||
|
|
||||||
it('should deny access if request action is not in any policy', () => {
|
|
||||||
requestContext = new RequestContext({}, {},
|
|
||||||
'notVeryPrivate', undefined,
|
|
||||||
undefined, undefined, 'bucketDelete', 's3');
|
|
||||||
requestContext.setRequesterInfo({});
|
|
||||||
const result = evaluateAllPoliciesV2(requestContext,
|
|
||||||
[samples['Multi-Statement Policy'],
|
|
||||||
samples['Variable Bucket Policy']], log);
|
|
||||||
assert.deepStrictEqual(result, {
|
|
||||||
verdict: 'Deny',
|
|
||||||
isImplicit: true,
|
|
||||||
});
|
|
||||||
});
|
|
||||||
|
|
||||||
it('should deny access if request resource is not in any policy', () => {
|
|
||||||
requestContext = new RequestContext({}, {},
|
|
||||||
'notbucket', undefined,
|
|
||||||
undefined, undefined, 'objectGet', 's3');
|
|
||||||
requestContext.setRequesterInfo({});
|
|
||||||
const result = evaluateAllPoliciesV2(requestContext, [
|
|
||||||
samples['Multi-Statement Policy'],
|
|
||||||
samples['Variable Bucket Policy'],
|
|
||||||
], log);
|
|
||||||
assert.deepStrictEqual(result, {
|
|
||||||
verdict: 'Deny',
|
|
||||||
isImplicit: true,
|
|
||||||
});
|
|
||||||
});
|
|
||||||
|
|
||||||
const TestMatrixPolicies = {
|
const TestMatrixPolicies = {
|
||||||
Allow: {
|
Allow: {
|
||||||
Version: '2012-10-17',
|
Version: '2012-10-17',
|
||||||
|
@ -1548,136 +1504,6 @@ describe('policyEvaluator', () => {
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
const TestMatrixV2 = [
|
|
||||||
{
|
|
||||||
policiesToEvaluate: [],
|
|
||||||
expectedPolicyEvaluation: {
|
|
||||||
verdict: 'Deny',
|
|
||||||
isImplicit: true,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
policiesToEvaluate: ['Allow'],
|
|
||||||
expectedPolicyEvaluation: {
|
|
||||||
verdict: 'Allow',
|
|
||||||
isImplicit: false,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
policiesToEvaluate: ['Neutral'],
|
|
||||||
expectedPolicyEvaluation: {
|
|
||||||
verdict: 'Deny',
|
|
||||||
isImplicit: true,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
policiesToEvaluate: ['Deny'],
|
|
||||||
expectedPolicyEvaluation: {
|
|
||||||
verdict: 'Deny',
|
|
||||||
isImplicit: false,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
policiesToEvaluate: ['Allow', 'Allow'],
|
|
||||||
expectedPolicyEvaluation: {
|
|
||||||
verdict: 'Allow',
|
|
||||||
isImplicit: false,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
policiesToEvaluate: ['Allow', 'Neutral'],
|
|
||||||
expectedPolicyEvaluation: {
|
|
||||||
verdict: 'Allow',
|
|
||||||
isImplicit: false,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
policiesToEvaluate: ['Neutral', 'Allow'],
|
|
||||||
expectedPolicyEvaluation: {
|
|
||||||
verdict: 'Allow',
|
|
||||||
isImplicit: false,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
policiesToEvaluate: ['Neutral', 'Neutral'],
|
|
||||||
expectedPolicyEvaluation: {
|
|
||||||
verdict: 'Deny',
|
|
||||||
isImplicit: true,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
policiesToEvaluate: ['Allow', 'Deny'],
|
|
||||||
expectedPolicyEvaluation: {
|
|
||||||
verdict: 'Deny',
|
|
||||||
isImplicit: false,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
policiesToEvaluate: ['AllowWithTagCondition'],
|
|
||||||
expectedPolicyEvaluation: {
|
|
||||||
verdict: 'NeedTagConditionEval',
|
|
||||||
isImplicit: false,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
policiesToEvaluate: ['Allow', 'AllowWithTagCondition'],
|
|
||||||
expectedPolicyEvaluation: {
|
|
||||||
verdict: 'Allow',
|
|
||||||
isImplicit: false,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
policiesToEvaluate: ['DenyWithTagCondition'],
|
|
||||||
expectedPolicyEvaluation: {
|
|
||||||
verdict: 'Deny',
|
|
||||||
isImplicit: true,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
policiesToEvaluate: ['Allow', 'DenyWithTagCondition'],
|
|
||||||
expectedPolicyEvaluation: {
|
|
||||||
verdict: 'NeedTagConditionEval',
|
|
||||||
isImplicit: false,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
policiesToEvaluate: ['AllowWithTagCondition', 'DenyWithTagCondition'],
|
|
||||||
expectedPolicyEvaluation: {
|
|
||||||
verdict: 'NeedTagConditionEval',
|
|
||||||
isImplicit: false,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
policiesToEvaluate: ['AllowWithTagCondition', 'DenyWithTagCondition', 'Deny'],
|
|
||||||
expectedPolicyEvaluation: {
|
|
||||||
verdict: 'Deny',
|
|
||||||
isImplicit: false,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
policiesToEvaluate: ['DenyWithTagCondition', 'AllowWithTagCondition', 'Allow'],
|
|
||||||
expectedPolicyEvaluation: {
|
|
||||||
verdict: 'NeedTagConditionEval',
|
|
||||||
isImplicit: false,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
];
|
|
||||||
|
|
||||||
TestMatrixV2.forEach(testCase => {
|
|
||||||
it(`policies evaluating individually to [${testCase.policiesToEvaluate.join(', ')}] `
|
|
||||||
+ `should return ${testCase.expectedPolicyEvaluation}`, () => {
|
|
||||||
requestContext = new RequestContext({}, {},
|
|
||||||
'my_favorite_bucket', undefined,
|
|
||||||
undefined, undefined, 'objectGet', 's3');
|
|
||||||
requestContext.setRequesterInfo({});
|
|
||||||
const result = evaluateAllPoliciesV2(
|
|
||||||
requestContext,
|
|
||||||
testCase.policiesToEvaluate.map(policyName => TestMatrixPolicies[policyName]),
|
|
||||||
log);
|
|
||||||
assert.deepStrictEqual(result, testCase.expectedPolicyEvaluation);
|
|
||||||
});
|
|
||||||
});
|
|
||||||
|
|
||||||
const TestMatrix = [
|
const TestMatrix = [
|
||||||
{
|
{
|
||||||
policiesToEvaluate: [],
|
policiesToEvaluate: [],
|
||||||
|
|