Compare commits

..

4 Commits

Author SHA1 Message Date
williamlardier f4894a6d6e
fix test 2023-07-11 10:09:16 +02:00
williamlardier 40a5498374
S3C-7845: support object retention days condition 2023-07-11 10:09:16 +02:00
williamlardier 3e68510093
update tests 2023-07-11 10:09:16 +02:00
williamlardier 068b8dabf1
return if implicit deny when evaluating policies 2023-07-11 10:09:12 +02:00
6 changed files with 122 additions and 24 deletions

View File

@ -36,6 +36,7 @@ export type ParsedRetention =
export default class ObjectLockConfiguration { export default class ObjectLockConfiguration {
_parsedXml: any; _parsedXml: any;
_config: Config; _config: Config;
_days: number | null;
/** /**
* Create an Object Lock Configuration instance * Create an Object Lock Configuration instance
@ -45,6 +46,7 @@ export default class ObjectLockConfiguration {
constructor(xml: any) { constructor(xml: any) {
this._parsedXml = xml; this._parsedXml = xml;
this._config = {}; this._config = {};
this._days = null;
} }
/** /**
@ -183,6 +185,8 @@ export default class ObjectLockConfiguration {
this._config.rule = {}; this._config.rule = {};
this._config.rule.mode = validMode.mode; this._config.rule.mode = validMode.mode;
this._config.rule[validTime.timeType!] = validTime.timeValue; this._config.rule[validTime.timeType!] = validTime.timeValue;
// Store the number of days
this._days = validTime.timeType === 'years' ? 365 * validTime.timeValue : validTime.timeValue;
} }
return validConfig; return validConfig;
} }

View File

@ -171,6 +171,7 @@ export default class RequestContext {
_needTagEval: boolean; _needTagEval: boolean;
_foundAction?: string; _foundAction?: string;
_foundResource?: string; _foundResource?: string;
_objectLockRetentionDays?: number | null;
constructor( constructor(
headers: { [key: string]: string | string[] }, headers: { [key: string]: string | string[] },
@ -192,6 +193,7 @@ export default class RequestContext {
requestObjTags?: string, requestObjTags?: string,
existingObjTag?: string, existingObjTag?: string,
needTagEval?: false, needTagEval?: false,
objectLockRetentionDays?: number,
) { ) {
this._headers = headers; this._headers = headers;
this._query = query; this._query = query;
@ -224,6 +226,7 @@ export default class RequestContext {
this._requestObjTags = requestObjTags || null; this._requestObjTags = requestObjTags || null;
this._existingObjTag = existingObjTag || null; this._existingObjTag = existingObjTag || null;
this._needTagEval = needTagEval || false; this._needTagEval = needTagEval || false;
this._objectLockRetentionDays = objectLockRetentionDays || null;
return this; return this;
} }
@ -255,6 +258,7 @@ export default class RequestContext {
requestObjTags: this._requestObjTags, requestObjTags: this._requestObjTags,
existingObjTag: this._existingObjTag, existingObjTag: this._existingObjTag,
needTagEval: this._needTagEval, needTagEval: this._needTagEval,
objectLockRetentionDays: this._objectLockRetentionDays,
}; };
return JSON.stringify(requestInfo); return JSON.stringify(requestInfo);
} }
@ -295,6 +299,7 @@ export default class RequestContext {
obj.requestObjTags, obj.requestObjTags,
obj.existingObjTag, obj.existingObjTag,
obj.needTagEval, obj.needTagEval,
obj.objectLockRetentionDays,
); );
} }
@ -698,4 +703,24 @@ export default class RequestContext {
getNeedTagEval() { getNeedTagEval() {
return this._needTagEval; return this._needTagEval;
} }
/**
* Get object lock retention days
*
* @returns objectLockRetentionDays - object lock retention days
*/
getObjectLockRetentionDays() {
return this._objectLockRetentionDays;
}
/**
* Set object lock retention days
*
* @param objectLockRetentionDays - object lock retention days
* @returns itself
*/
setObjectLockRetentionDays(objectLockRetentionDays: number) {
this._objectLockRetentionDays = objectLockRetentionDays;
return this;
}
} }

View File

@ -324,7 +324,10 @@ export function evaluateAllPolicies(
requestContext: RequestContext, requestContext: RequestContext,
allPolicies: any[], allPolicies: any[],
log: Logger, log: Logger,
): string { ): {
verdict: string;
isImplicit: boolean;
} {
log.trace('evaluating all policies'); log.trace('evaluating all policies');
let allow = false; let allow = false;
let allowWithTagCondition = false; let allowWithTagCondition = false;
@ -333,7 +336,10 @@ export function evaluateAllPolicies(
const singlePolicyVerdict = evaluatePolicy(requestContext, allPolicies[i], log); const singlePolicyVerdict = evaluatePolicy(requestContext, allPolicies[i], log);
// If there is any Deny, just return Deny // If there is any Deny, just return Deny
if (singlePolicyVerdict === 'Deny') { if (singlePolicyVerdict === 'Deny') {
return 'Deny'; return {
verdict: 'Deny',
isImplicit: false,
};
} }
if (singlePolicyVerdict === 'Allow') { if (singlePolicyVerdict === 'Allow') {
allow = true; allow = true;
@ -344,6 +350,7 @@ export function evaluateAllPolicies(
} // else 'Neutral' } // else 'Neutral'
} }
let verdict; let verdict;
let isImplicit = false;
if (allow) { if (allow) {
if (denyWithTagCondition) { if (denyWithTagCondition) {
verdict = 'NeedTagConditionEval'; verdict = 'NeedTagConditionEval';
@ -355,8 +362,9 @@ export function evaluateAllPolicies(
verdict = 'NeedTagConditionEval'; verdict = 'NeedTagConditionEval';
} else { } else {
verdict = 'Deny'; verdict = 'Deny';
isImplicit = true;
} }
} }
log.trace('result of evaluating all policies', { verdict }); log.trace('result of evaluating all policies', { verdict, isImplicit });
return verdict; return { verdict, isImplicit };
} }

View File

@ -166,6 +166,9 @@ export function findConditionKey(
return requestContext.getNeedTagEval() && requestContext.getRequestObjTags() return requestContext.getNeedTagEval() && requestContext.getRequestObjTags()
? getTagKeys(requestContext.getRequestObjTags()!) ? getTagKeys(requestContext.getRequestObjTags()!)
: undefined; : undefined;
// The maximum retention period is 100 years.
case 's3:object-lock-remaining-retention-days':
return requestContext.getObjectLockRetentionDays() || undefined;
default: default:
return undefined; return undefined;
} }

View File

@ -1425,7 +1425,10 @@ describe('policyEvaluator', () => {
const result = evaluateAllPolicies(requestContext, const result = evaluateAllPolicies(requestContext,
[samples['arn:aws:iam::aws:policy/AmazonS3FullAccess'], [samples['arn:aws:iam::aws:policy/AmazonS3FullAccess'],
samples['Deny Bucket Policy']], log); samples['Deny Bucket Policy']], log);
assert.strictEqual(result, 'Deny'); assert.deepStrictEqual(result, {
verdict: 'Deny',
isImplicit: false,
});
}); });
it('should deny access if request action is not in any policy', () => { it('should deny access if request action is not in any policy', () => {
@ -1436,7 +1439,10 @@ describe('policyEvaluator', () => {
const result = evaluateAllPolicies(requestContext, const result = evaluateAllPolicies(requestContext,
[samples['Multi-Statement Policy'], [samples['Multi-Statement Policy'],
samples['Variable Bucket Policy']], log); samples['Variable Bucket Policy']], log);
assert.strictEqual(result, 'Deny'); assert.deepStrictEqual(result, {
verdict: 'Deny',
isImplicit: true,
});
}); });
it('should deny access if request resource is not in any policy', () => { it('should deny access if request resource is not in any policy', () => {
@ -1448,7 +1454,10 @@ describe('policyEvaluator', () => {
samples['Multi-Statement Policy'], samples['Multi-Statement Policy'],
samples['Variable Bucket Policy'], samples['Variable Bucket Policy'],
], log); ], log);
assert.strictEqual(result, 'Deny'); assert.deepStrictEqual(result, {
verdict: 'Deny',
isImplicit: true,
});
}); });
const TestMatrixPolicies = { const TestMatrixPolicies = {
@ -1507,67 +1516,115 @@ describe('policyEvaluator', () => {
const TestMatrix = [ const TestMatrix = [
{ {
policiesToEvaluate: [], policiesToEvaluate: [],
expectedPolicyEvaluation: 'Deny', expectedPolicyEvaluation: {
verdict: 'Deny',
isImplicit: true,
},
}, },
{ {
policiesToEvaluate: ['Allow'], policiesToEvaluate: ['Allow'],
expectedPolicyEvaluation: 'Allow', expectedPolicyEvaluation: {
verdict: 'Allow',
isImplicit: false,
},
}, },
{ {
policiesToEvaluate: ['Neutral'], policiesToEvaluate: ['Neutral'],
expectedPolicyEvaluation: 'Deny', expectedPolicyEvaluation: {
verdict: 'Deny',
isImplicit: true,
},
}, },
{ {
policiesToEvaluate: ['Deny'], policiesToEvaluate: ['Deny'],
expectedPolicyEvaluation: 'Deny', expectedPolicyEvaluation: {
verdict: 'Deny',
isImplicit: false,
},
}, },
{ {
policiesToEvaluate: ['Allow', 'Allow'], policiesToEvaluate: ['Allow', 'Allow'],
expectedPolicyEvaluation: 'Allow', expectedPolicyEvaluation: {
verdict: 'Allow',
isImplicit: false,
},
}, },
{ {
policiesToEvaluate: ['Allow', 'Neutral'], policiesToEvaluate: ['Allow', 'Neutral'],
expectedPolicyEvaluation: 'Allow', expectedPolicyEvaluation: {
verdict: 'Allow',
isImplicit: false,
},
}, },
{ {
policiesToEvaluate: ['Neutral', 'Allow'], policiesToEvaluate: ['Neutral', 'Allow'],
expectedPolicyEvaluation: 'Allow', expectedPolicyEvaluation: {
verdict: 'Allow',
isImplicit: false,
},
}, },
{ {
policiesToEvaluate: ['Neutral', 'Neutral'], policiesToEvaluate: ['Neutral', 'Neutral'],
expectedPolicyEvaluation: 'Deny', expectedPolicyEvaluation: {
verdict: 'Deny',
isImplicit: true,
},
}, },
{ {
policiesToEvaluate: ['Allow', 'Deny'], policiesToEvaluate: ['Allow', 'Deny'],
expectedPolicyEvaluation: 'Deny', expectedPolicyEvaluation: {
verdict: 'Deny',
isImplicit: false,
},
}, },
{ {
policiesToEvaluate: ['AllowWithTagCondition'], policiesToEvaluate: ['AllowWithTagCondition'],
expectedPolicyEvaluation: 'NeedTagConditionEval', expectedPolicyEvaluation: {
verdict: 'NeedTagConditionEval',
isImplicit: false,
},
}, },
{ {
policiesToEvaluate: ['Allow', 'AllowWithTagCondition'], policiesToEvaluate: ['Allow', 'AllowWithTagCondition'],
expectedPolicyEvaluation: 'Allow', expectedPolicyEvaluation: {
verdict: 'Allow',
isImplicit: false,
},
}, },
{ {
policiesToEvaluate: ['DenyWithTagCondition'], policiesToEvaluate: ['DenyWithTagCondition'],
expectedPolicyEvaluation: 'Deny', expectedPolicyEvaluation: {
verdict: 'Deny',
isImplicit: true,
},
}, },
{ {
policiesToEvaluate: ['Allow', 'DenyWithTagCondition'], policiesToEvaluate: ['Allow', 'DenyWithTagCondition'],
expectedPolicyEvaluation: 'NeedTagConditionEval', expectedPolicyEvaluation: {
verdict: 'NeedTagConditionEval',
isImplicit: false,
},
}, },
{ {
policiesToEvaluate: ['AllowWithTagCondition', 'DenyWithTagCondition'], policiesToEvaluate: ['AllowWithTagCondition', 'DenyWithTagCondition'],
expectedPolicyEvaluation: 'NeedTagConditionEval', expectedPolicyEvaluation: {
verdict: 'NeedTagConditionEval',
isImplicit: false,
},
}, },
{ {
policiesToEvaluate: ['AllowWithTagCondition', 'DenyWithTagCondition', 'Deny'], policiesToEvaluate: ['AllowWithTagCondition', 'DenyWithTagCondition', 'Deny'],
expectedPolicyEvaluation: 'Deny', expectedPolicyEvaluation: {
verdict: 'Deny',
isImplicit: false,
},
}, },
{ {
policiesToEvaluate: ['DenyWithTagCondition', 'AllowWithTagCondition', 'Allow'], policiesToEvaluate: ['DenyWithTagCondition', 'AllowWithTagCondition', 'Allow'],
expectedPolicyEvaluation: 'NeedTagConditionEval', expectedPolicyEvaluation: {
verdict: 'NeedTagConditionEval',
isImplicit: false,
},
}, },
]; ];
@ -1582,7 +1639,7 @@ describe('policyEvaluator', () => {
requestContext, requestContext,
testCase.policiesToEvaluate.map(policyName => TestMatrixPolicies[policyName]), testCase.policiesToEvaluate.map(policyName => TestMatrixPolicies[policyName]),
log); log);
assert.strictEqual(result, testCase.expectedPolicyEvaluation); assert.deepStrictEqual(result, testCase.expectedPolicyEvaluation);
}); });
}); });
}); });

View File

@ -111,6 +111,7 @@ describe('RequestContext', () => {
specificResource: 'specific-resource', specificResource: 'specific-resource',
sslEnabled: true, sslEnabled: true,
tokenIssueTime: null, tokenIssueTime: null,
objectLockRetentionDays: null,
}; };
it('serialize()', () => { it('serialize()', () => {
assert.deepStrictEqual(JSON.parse(rc.serialize()), SerializedFields); assert.deepStrictEqual(JSON.parse(rc.serialize()), SerializedFields);