Compare commits
4 Commits
cb01346d07
...
f4894a6d6e
Author | SHA1 | Date |
---|---|---|
williamlardier | f4894a6d6e | |
williamlardier | 40a5498374 | |
williamlardier | 3e68510093 | |
williamlardier | 068b8dabf1 |
lib
policyEvaluator
tests/unit
policyEvaluator
|
@ -36,6 +36,7 @@ export type ParsedRetention =
|
||||||
export default class ObjectLockConfiguration {
|
export default class ObjectLockConfiguration {
|
||||||
_parsedXml: any;
|
_parsedXml: any;
|
||||||
_config: Config;
|
_config: Config;
|
||||||
|
_days: number | null;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Create an Object Lock Configuration instance
|
* Create an Object Lock Configuration instance
|
||||||
|
@ -45,6 +46,7 @@ export default class ObjectLockConfiguration {
|
||||||
constructor(xml: any) {
|
constructor(xml: any) {
|
||||||
this._parsedXml = xml;
|
this._parsedXml = xml;
|
||||||
this._config = {};
|
this._config = {};
|
||||||
|
this._days = null;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -183,6 +185,8 @@ export default class ObjectLockConfiguration {
|
||||||
this._config.rule = {};
|
this._config.rule = {};
|
||||||
this._config.rule.mode = validMode.mode;
|
this._config.rule.mode = validMode.mode;
|
||||||
this._config.rule[validTime.timeType!] = validTime.timeValue;
|
this._config.rule[validTime.timeType!] = validTime.timeValue;
|
||||||
|
// Store the number of days
|
||||||
|
this._days = validTime.timeType === 'years' ? 365 * validTime.timeValue : validTime.timeValue;
|
||||||
}
|
}
|
||||||
return validConfig;
|
return validConfig;
|
||||||
}
|
}
|
||||||
|
|
|
@ -171,6 +171,7 @@ export default class RequestContext {
|
||||||
_needTagEval: boolean;
|
_needTagEval: boolean;
|
||||||
_foundAction?: string;
|
_foundAction?: string;
|
||||||
_foundResource?: string;
|
_foundResource?: string;
|
||||||
|
_objectLockRetentionDays?: number | null;
|
||||||
|
|
||||||
constructor(
|
constructor(
|
||||||
headers: { [key: string]: string | string[] },
|
headers: { [key: string]: string | string[] },
|
||||||
|
@ -192,6 +193,7 @@ export default class RequestContext {
|
||||||
requestObjTags?: string,
|
requestObjTags?: string,
|
||||||
existingObjTag?: string,
|
existingObjTag?: string,
|
||||||
needTagEval?: false,
|
needTagEval?: false,
|
||||||
|
objectLockRetentionDays?: number,
|
||||||
) {
|
) {
|
||||||
this._headers = headers;
|
this._headers = headers;
|
||||||
this._query = query;
|
this._query = query;
|
||||||
|
@ -224,6 +226,7 @@ export default class RequestContext {
|
||||||
this._requestObjTags = requestObjTags || null;
|
this._requestObjTags = requestObjTags || null;
|
||||||
this._existingObjTag = existingObjTag || null;
|
this._existingObjTag = existingObjTag || null;
|
||||||
this._needTagEval = needTagEval || false;
|
this._needTagEval = needTagEval || false;
|
||||||
|
this._objectLockRetentionDays = objectLockRetentionDays || null;
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -255,6 +258,7 @@ export default class RequestContext {
|
||||||
requestObjTags: this._requestObjTags,
|
requestObjTags: this._requestObjTags,
|
||||||
existingObjTag: this._existingObjTag,
|
existingObjTag: this._existingObjTag,
|
||||||
needTagEval: this._needTagEval,
|
needTagEval: this._needTagEval,
|
||||||
|
objectLockRetentionDays: this._objectLockRetentionDays,
|
||||||
};
|
};
|
||||||
return JSON.stringify(requestInfo);
|
return JSON.stringify(requestInfo);
|
||||||
}
|
}
|
||||||
|
@ -295,6 +299,7 @@ export default class RequestContext {
|
||||||
obj.requestObjTags,
|
obj.requestObjTags,
|
||||||
obj.existingObjTag,
|
obj.existingObjTag,
|
||||||
obj.needTagEval,
|
obj.needTagEval,
|
||||||
|
obj.objectLockRetentionDays,
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -698,4 +703,24 @@ export default class RequestContext {
|
||||||
getNeedTagEval() {
|
getNeedTagEval() {
|
||||||
return this._needTagEval;
|
return this._needTagEval;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Get object lock retention days
|
||||||
|
*
|
||||||
|
* @returns objectLockRetentionDays - object lock retention days
|
||||||
|
*/
|
||||||
|
getObjectLockRetentionDays() {
|
||||||
|
return this._objectLockRetentionDays;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Set object lock retention days
|
||||||
|
*
|
||||||
|
* @param objectLockRetentionDays - object lock retention days
|
||||||
|
* @returns itself
|
||||||
|
*/
|
||||||
|
setObjectLockRetentionDays(objectLockRetentionDays: number) {
|
||||||
|
this._objectLockRetentionDays = objectLockRetentionDays;
|
||||||
|
return this;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -324,7 +324,10 @@ export function evaluateAllPolicies(
|
||||||
requestContext: RequestContext,
|
requestContext: RequestContext,
|
||||||
allPolicies: any[],
|
allPolicies: any[],
|
||||||
log: Logger,
|
log: Logger,
|
||||||
): string {
|
): {
|
||||||
|
verdict: string;
|
||||||
|
isImplicit: boolean;
|
||||||
|
} {
|
||||||
log.trace('evaluating all policies');
|
log.trace('evaluating all policies');
|
||||||
let allow = false;
|
let allow = false;
|
||||||
let allowWithTagCondition = false;
|
let allowWithTagCondition = false;
|
||||||
|
@ -333,7 +336,10 @@ export function evaluateAllPolicies(
|
||||||
const singlePolicyVerdict = evaluatePolicy(requestContext, allPolicies[i], log);
|
const singlePolicyVerdict = evaluatePolicy(requestContext, allPolicies[i], log);
|
||||||
// If there is any Deny, just return Deny
|
// If there is any Deny, just return Deny
|
||||||
if (singlePolicyVerdict === 'Deny') {
|
if (singlePolicyVerdict === 'Deny') {
|
||||||
return 'Deny';
|
return {
|
||||||
|
verdict: 'Deny',
|
||||||
|
isImplicit: false,
|
||||||
|
};
|
||||||
}
|
}
|
||||||
if (singlePolicyVerdict === 'Allow') {
|
if (singlePolicyVerdict === 'Allow') {
|
||||||
allow = true;
|
allow = true;
|
||||||
|
@ -344,6 +350,7 @@ export function evaluateAllPolicies(
|
||||||
} // else 'Neutral'
|
} // else 'Neutral'
|
||||||
}
|
}
|
||||||
let verdict;
|
let verdict;
|
||||||
|
let isImplicit = false;
|
||||||
if (allow) {
|
if (allow) {
|
||||||
if (denyWithTagCondition) {
|
if (denyWithTagCondition) {
|
||||||
verdict = 'NeedTagConditionEval';
|
verdict = 'NeedTagConditionEval';
|
||||||
|
@ -355,8 +362,9 @@ export function evaluateAllPolicies(
|
||||||
verdict = 'NeedTagConditionEval';
|
verdict = 'NeedTagConditionEval';
|
||||||
} else {
|
} else {
|
||||||
verdict = 'Deny';
|
verdict = 'Deny';
|
||||||
|
isImplicit = true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
log.trace('result of evaluating all policies', { verdict });
|
log.trace('result of evaluating all policies', { verdict, isImplicit });
|
||||||
return verdict;
|
return { verdict, isImplicit };
|
||||||
}
|
}
|
||||||
|
|
|
@ -166,6 +166,9 @@ export function findConditionKey(
|
||||||
return requestContext.getNeedTagEval() && requestContext.getRequestObjTags()
|
return requestContext.getNeedTagEval() && requestContext.getRequestObjTags()
|
||||||
? getTagKeys(requestContext.getRequestObjTags()!)
|
? getTagKeys(requestContext.getRequestObjTags()!)
|
||||||
: undefined;
|
: undefined;
|
||||||
|
// The maximum retention period is 100 years.
|
||||||
|
case 's3:object-lock-remaining-retention-days':
|
||||||
|
return requestContext.getObjectLockRetentionDays() || undefined;
|
||||||
default:
|
default:
|
||||||
return undefined;
|
return undefined;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1425,7 +1425,10 @@ describe('policyEvaluator', () => {
|
||||||
const result = evaluateAllPolicies(requestContext,
|
const result = evaluateAllPolicies(requestContext,
|
||||||
[samples['arn:aws:iam::aws:policy/AmazonS3FullAccess'],
|
[samples['arn:aws:iam::aws:policy/AmazonS3FullAccess'],
|
||||||
samples['Deny Bucket Policy']], log);
|
samples['Deny Bucket Policy']], log);
|
||||||
assert.strictEqual(result, 'Deny');
|
assert.deepStrictEqual(result, {
|
||||||
|
verdict: 'Deny',
|
||||||
|
isImplicit: false,
|
||||||
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should deny access if request action is not in any policy', () => {
|
it('should deny access if request action is not in any policy', () => {
|
||||||
|
@ -1436,7 +1439,10 @@ describe('policyEvaluator', () => {
|
||||||
const result = evaluateAllPolicies(requestContext,
|
const result = evaluateAllPolicies(requestContext,
|
||||||
[samples['Multi-Statement Policy'],
|
[samples['Multi-Statement Policy'],
|
||||||
samples['Variable Bucket Policy']], log);
|
samples['Variable Bucket Policy']], log);
|
||||||
assert.strictEqual(result, 'Deny');
|
assert.deepStrictEqual(result, {
|
||||||
|
verdict: 'Deny',
|
||||||
|
isImplicit: true,
|
||||||
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should deny access if request resource is not in any policy', () => {
|
it('should deny access if request resource is not in any policy', () => {
|
||||||
|
@ -1448,7 +1454,10 @@ describe('policyEvaluator', () => {
|
||||||
samples['Multi-Statement Policy'],
|
samples['Multi-Statement Policy'],
|
||||||
samples['Variable Bucket Policy'],
|
samples['Variable Bucket Policy'],
|
||||||
], log);
|
], log);
|
||||||
assert.strictEqual(result, 'Deny');
|
assert.deepStrictEqual(result, {
|
||||||
|
verdict: 'Deny',
|
||||||
|
isImplicit: true,
|
||||||
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
const TestMatrixPolicies = {
|
const TestMatrixPolicies = {
|
||||||
|
@ -1507,67 +1516,115 @@ describe('policyEvaluator', () => {
|
||||||
const TestMatrix = [
|
const TestMatrix = [
|
||||||
{
|
{
|
||||||
policiesToEvaluate: [],
|
policiesToEvaluate: [],
|
||||||
expectedPolicyEvaluation: 'Deny',
|
expectedPolicyEvaluation: {
|
||||||
|
verdict: 'Deny',
|
||||||
|
isImplicit: true,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
policiesToEvaluate: ['Allow'],
|
policiesToEvaluate: ['Allow'],
|
||||||
expectedPolicyEvaluation: 'Allow',
|
expectedPolicyEvaluation: {
|
||||||
|
verdict: 'Allow',
|
||||||
|
isImplicit: false,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
policiesToEvaluate: ['Neutral'],
|
policiesToEvaluate: ['Neutral'],
|
||||||
expectedPolicyEvaluation: 'Deny',
|
expectedPolicyEvaluation: {
|
||||||
|
verdict: 'Deny',
|
||||||
|
isImplicit: true,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
policiesToEvaluate: ['Deny'],
|
policiesToEvaluate: ['Deny'],
|
||||||
expectedPolicyEvaluation: 'Deny',
|
expectedPolicyEvaluation: {
|
||||||
|
verdict: 'Deny',
|
||||||
|
isImplicit: false,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
policiesToEvaluate: ['Allow', 'Allow'],
|
policiesToEvaluate: ['Allow', 'Allow'],
|
||||||
expectedPolicyEvaluation: 'Allow',
|
expectedPolicyEvaluation: {
|
||||||
|
verdict: 'Allow',
|
||||||
|
isImplicit: false,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
policiesToEvaluate: ['Allow', 'Neutral'],
|
policiesToEvaluate: ['Allow', 'Neutral'],
|
||||||
expectedPolicyEvaluation: 'Allow',
|
expectedPolicyEvaluation: {
|
||||||
|
verdict: 'Allow',
|
||||||
|
isImplicit: false,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
policiesToEvaluate: ['Neutral', 'Allow'],
|
policiesToEvaluate: ['Neutral', 'Allow'],
|
||||||
expectedPolicyEvaluation: 'Allow',
|
expectedPolicyEvaluation: {
|
||||||
|
verdict: 'Allow',
|
||||||
|
isImplicit: false,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
policiesToEvaluate: ['Neutral', 'Neutral'],
|
policiesToEvaluate: ['Neutral', 'Neutral'],
|
||||||
expectedPolicyEvaluation: 'Deny',
|
expectedPolicyEvaluation: {
|
||||||
|
verdict: 'Deny',
|
||||||
|
isImplicit: true,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
policiesToEvaluate: ['Allow', 'Deny'],
|
policiesToEvaluate: ['Allow', 'Deny'],
|
||||||
expectedPolicyEvaluation: 'Deny',
|
expectedPolicyEvaluation: {
|
||||||
|
verdict: 'Deny',
|
||||||
|
isImplicit: false,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
policiesToEvaluate: ['AllowWithTagCondition'],
|
policiesToEvaluate: ['AllowWithTagCondition'],
|
||||||
expectedPolicyEvaluation: 'NeedTagConditionEval',
|
expectedPolicyEvaluation: {
|
||||||
|
verdict: 'NeedTagConditionEval',
|
||||||
|
isImplicit: false,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
policiesToEvaluate: ['Allow', 'AllowWithTagCondition'],
|
policiesToEvaluate: ['Allow', 'AllowWithTagCondition'],
|
||||||
expectedPolicyEvaluation: 'Allow',
|
expectedPolicyEvaluation: {
|
||||||
|
verdict: 'Allow',
|
||||||
|
isImplicit: false,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
policiesToEvaluate: ['DenyWithTagCondition'],
|
policiesToEvaluate: ['DenyWithTagCondition'],
|
||||||
expectedPolicyEvaluation: 'Deny',
|
expectedPolicyEvaluation: {
|
||||||
|
verdict: 'Deny',
|
||||||
|
isImplicit: true,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
policiesToEvaluate: ['Allow', 'DenyWithTagCondition'],
|
policiesToEvaluate: ['Allow', 'DenyWithTagCondition'],
|
||||||
expectedPolicyEvaluation: 'NeedTagConditionEval',
|
expectedPolicyEvaluation: {
|
||||||
|
verdict: 'NeedTagConditionEval',
|
||||||
|
isImplicit: false,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
policiesToEvaluate: ['AllowWithTagCondition', 'DenyWithTagCondition'],
|
policiesToEvaluate: ['AllowWithTagCondition', 'DenyWithTagCondition'],
|
||||||
expectedPolicyEvaluation: 'NeedTagConditionEval',
|
expectedPolicyEvaluation: {
|
||||||
|
verdict: 'NeedTagConditionEval',
|
||||||
|
isImplicit: false,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
policiesToEvaluate: ['AllowWithTagCondition', 'DenyWithTagCondition', 'Deny'],
|
policiesToEvaluate: ['AllowWithTagCondition', 'DenyWithTagCondition', 'Deny'],
|
||||||
expectedPolicyEvaluation: 'Deny',
|
expectedPolicyEvaluation: {
|
||||||
|
verdict: 'Deny',
|
||||||
|
isImplicit: false,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
policiesToEvaluate: ['DenyWithTagCondition', 'AllowWithTagCondition', 'Allow'],
|
policiesToEvaluate: ['DenyWithTagCondition', 'AllowWithTagCondition', 'Allow'],
|
||||||
expectedPolicyEvaluation: 'NeedTagConditionEval',
|
expectedPolicyEvaluation: {
|
||||||
|
verdict: 'NeedTagConditionEval',
|
||||||
|
isImplicit: false,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -1582,7 +1639,7 @@ describe('policyEvaluator', () => {
|
||||||
requestContext,
|
requestContext,
|
||||||
testCase.policiesToEvaluate.map(policyName => TestMatrixPolicies[policyName]),
|
testCase.policiesToEvaluate.map(policyName => TestMatrixPolicies[policyName]),
|
||||||
log);
|
log);
|
||||||
assert.strictEqual(result, testCase.expectedPolicyEvaluation);
|
assert.deepStrictEqual(result, testCase.expectedPolicyEvaluation);
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
|
@ -111,6 +111,7 @@ describe('RequestContext', () => {
|
||||||
specificResource: 'specific-resource',
|
specificResource: 'specific-resource',
|
||||||
sslEnabled: true,
|
sslEnabled: true,
|
||||||
tokenIssueTime: null,
|
tokenIssueTime: null,
|
||||||
|
objectLockRetentionDays: null,
|
||||||
};
|
};
|
||||||
it('serialize()', () => {
|
it('serialize()', () => {
|
||||||
assert.deepStrictEqual(JSON.parse(rc.serialize()), SerializedFields);
|
assert.deepStrictEqual(JSON.parse(rc.serialize()), SerializedFields);
|
||||||
|
|
Loading…
Reference in New Issue