Author | SHA1 | Date |
---|---|---|
Alexandre Merle | 3ff8104a69 |
|
@ -4,6 +4,34 @@
|
|||
"title": "AWS Policy schema.",
|
||||
"description": "This schema describes a user policy per AWS policy grammar rules",
|
||||
"definitions": {
|
||||
"AWSprincipalItem": {
|
||||
"oneOf": [
|
||||
{
|
||||
"type": "string",
|
||||
"pattern": "^\\*$"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"pattern": "^[0-9]{12}$"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"pattern": "^arn:aws:iam::[0-9]{12}:root$"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"pattern": "^arn:aws:iam::[0-9]{12}:user((\u002F)|(\u002F[\u0021-\u007F]+\u002F))[\\w+=,.@ -]{1,32}$"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"pattern": "^arn:aws:iam::[0-9]{12}:role((\u002F)|(\u002F[\u0021-\u007F]+\u002F))[\\w+=,.@ -]{1,32}$"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"pattern": "^arn:aws:sts::[0-9]{12}:assumed-role/[\\w+=,.@ -]{1,32}/[\\w+=,.@ -]{1,32}$"
|
||||
}
|
||||
]
|
||||
},
|
||||
"actionItem": {
|
||||
"type": "string",
|
||||
"pattern": "^[^*:]+:([^:])+|^\\*{1}$"
|
||||
|
@ -205,6 +233,22 @@
|
|||
"type": "string",
|
||||
"pattern": "^[a-zA-Z0-9]+$"
|
||||
},
|
||||
"Principal": {
|
||||
"oneOf": [
|
||||
{
|
||||
"type": "string",
|
||||
"pattern": "^\\*$"
|
||||
},
|
||||
{
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"AWS": {
|
||||
"$ref": "#/definitions/AWSprincipalItem"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"Effect": {
|
||||
"type": "string",
|
||||
"enum": [
|
||||
|
@ -308,6 +352,22 @@
|
|||
"type": "string",
|
||||
"pattern": "^[a-zA-Z0-9]+$"
|
||||
},
|
||||
"Principal": {
|
||||
"oneOf": [
|
||||
{
|
||||
"type": "string",
|
||||
"pattern": "^\\*$"
|
||||
},
|
||||
{
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"AWS": {
|
||||
"$ref": "#/definitions/AWSprincipalItem"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"Effect": {
|
||||
"type": "string",
|
||||
"enum": [
|
||||
|
|
|
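Review bot: The object alternative of `Principal` (second `oneOf` entry, identical in both `Principal` hunks) declares an `AWS` property but neither `"required": ["AWS"]` nor `"additionalProperties": false`, so `{}`, `{ "Service": "..." }` or `{ "AWS": "123456789012", "extra": "x" }` validates as a well-formed principal even though this schema only encodes the `AWS` key; for a policy validator that is the check I would add, `"required": ["AWS"],` and `"additionalProperties": false` alongside `"properties"`. The two `Principal` blocks are byte-identical; a single `#/definitions/Principal` referenced from both places would keep them from drifting. In `AWSprincipalItem`, the name classes `[\\w+=,.@ -]{1,32}` accept a literal space, which IAM user, role and session names do not, and cap names at 32 characters where IAM permits up to 64, so this may reject legitimate principals — worth confirming against the IAM limits. Note also that `AWS` accepts only a single string here, so a policy listing several principals as an array under `AWS` fails validation; if that is intentional it deserves a comment in the schema `description`.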
@ -341,3 +341,107 @@ describe('Policies validation - Statement::Condition_block', () => {
|
|||
check(policy, failRes());
|
||||
});
|
||||
});
|
||||
|
||||
describe('Policies validation - Statement::Principal_block', () => {
|
||||
it('should succeed for anonymous', () => {
|
||||
policy.Statement.Principal = '*';
|
||||
check(policy, successRes);
|
||||
});
|
||||
|
||||
it('should suceed for valid account id', () => {
|
||||
policy.Statement.Principal = { AWS: '234567890123' };
|
||||
check(policy, successRes);
|
||||
});
|
||||
|
||||
it('should succeed for valid account arn', () => {
|
||||
policy.Statement.Principal = {
|
||||
AWS: 'arn:aws:iam::234567890123:root',
|
||||
};
|
||||
check(policy, successRes);
|
||||
});
|
||||
|
||||
it('should succeed for valid user arn', () => {
|
||||
policy.Statement.Principal = {
|
||||
AWS: 'arn:aws:iam::234567890123:user/im-an-username',
|
||||
};
|
||||
check(policy, successRes);
|
||||
});
|
||||
|
||||
it('should succeed for valid user arn with path', () => {
|
||||
policy.Statement.Principal = {
|
||||
AWS: 'arn:aws:iam::234567890123:user/im/a/path/im-an-username',
|
||||
};
|
||||
check(policy, successRes);
|
||||
});
|
||||
|
||||
it('should succeed for valid role arn', () => {
|
||||
policy.Statement.Principal = {
|
||||
AWS: 'arn:aws:iam::234567890123:role/im-a-role',
|
||||
};
|
||||
check(policy, successRes);
|
||||
});
|
||||
|
||||
it('should succeed for valid role arn with path', () => {
|
||||
policy.Statement.Principal = {
|
||||
AWS: 'arn:aws:iam::234567890123:role/im/a/path/im-a-role',
|
||||
};
|
||||
check(policy, successRes);
|
||||
});
|
||||
|
||||
it('should succeed for valid asuume role arn', () => {
|
||||
policy.Statement.Principal = {
|
||||
AWS:
|
||||
'arn:aws:sts::234567890123:assumed-role/im-a-role/im-a-session',
|
||||
};
|
||||
check(policy, successRes);
|
||||
});
|
||||
|
||||
it('should fail for other string than anonymous', () => {
|
||||
policy.Statement.Principal = 'arn:aws:iam::234567890123:user/im-a-user';
|
||||
check(policy, failRes());
|
||||
});
|
||||
|
||||
it('should fail for wrong format arn', () => {
|
||||
policy.Statement.Principal = {
|
||||
AWS: 'arn:aws:iam::wrong-account-id:root',
|
||||
};
|
||||
check(policy, failRes());
|
||||
policy.Statement.Principal = {
|
||||
AWS: 'arn:aws:s3::234567890123:root',
|
||||
};
|
||||
check(policy, failRes());
|
||||
policy.Statement.Principal = {
|
||||
AWS: 'arn:aws:iam::234567890123:wrong/arn',
|
||||
};
|
||||
check(policy, failRes());
|
||||
policy.Statement.Principal = {
|
||||
AWS: 'arn:scality:iam::234567890123:root',
|
||||
};
|
||||
check(policy, failRes());
|
||||
policy.Statement.Principal = {
|
||||
AWS: 'arn:aws:iam::234567890123:user/Not/Good#UserName',
|
||||
};
|
||||
check(policy, failRes());
|
||||
policy.Statement.Principal = {
|
||||
AWS: 'arn:aws:sts::234567890123:assumed-role/im/a/path' +
|
||||
'/im-a-role/im-a-session',
|
||||
};
|
||||
check(policy, failRes());
|
||||
policy.Statement.Principal = {
|
||||
AWS:
|
||||
'arn:aws:iam::234567890123:assumed-role/im-a-role/im-a-session',
|
||||
};
|
||||
check(policy, failRes());
|
||||
});
|
||||
|
||||
it('should fail for wrong account id', () => {
|
||||
policy.Statement.Principal = {
|
||||
AWS: 'fake-account-id',
|
||||
};
|
||||
check(policy, failRes());
|
||||
policy.Statement.Principal = {
|
||||
AWS: '1213425632145',
|
||||
};
|
||||
check(policy, failRes());
|
||||
});
|
||||
});
|
||||
|
|
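Review bot: The negative cases in the new `describe` never exercise a `Principal` object without an `AWS` key (`{}`, `{ Service: 'x' }`) or one carrying an extra key next to `AWS`, which is exactly the shape the schema's `Principal` object on this page does not reject (it declares no `required`/`additionalProperties`); a case such as `policy.Statement.Principal = {};` followed by `check(policy, failRes());` would pin the intended behaviour either way. Every case assigns into the shared `policy` object and nothing in the hunk restores it, so the suite relies on a per-test reset defined outside the hunk — `policy`, `check`, `successRes` and `failRes` are all bound before it, and the first three lines close a `describe` that starts outside the hunk. The test names `'should suceed for valid account id'` and `'should succeed for valid asuume role arn'` have typos (`succeed`, `assume`).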