FT: Add validation of Principal field

- Only included Anonymous users, AWS account (short and
  long format), user arn, role arn, and assume role arn

lib/policy/userPolicySchema.json

@@ -4,6 +4,34 @@
     "title": "AWS Policy schema.",
     "description": "This schema describes a user policy per AWS policy grammar rules",
     "definitions": {
+        "AWSprincipalItem": {
+            "oneOf": [
+                {
+                    "type": "string",
+                    "pattern": "^\\*$"
+                },
+                {
+                    "type": "string",
+                    "pattern": "^[0-9]{12}$"
+                },
+                {
+                    "type": "string",
+                    "pattern": "^arn:aws:iam::[0-9]{12}:root$"
+                },
+                {
+                    "type": "string",
+                    "pattern": "^arn:aws:iam::[0-9]{12}:user((\u002F)|(\u002F[\u0021-\u007F]+\u002F))[\\w+=,.@ -]{1,32}$"
+                },
+                {
+                    "type": "string",
+                    "pattern": "^arn:aws:iam::[0-9]{12}:role((\u002F)|(\u002F[\u0021-\u007F]+\u002F))[\\w+=,.@ -]{1,32}$"
+                },
+                {
+                    "type": "string",
+                    "pattern": "^arn:aws:sts::[0-9]{12}:assumed-role/[\\w+=,.@ -]{1,32}/[\\w+=,.@ -]{1,32}$"
+                }
+            ]
+        },
         "actionItem": {
             "type": "string",
             "pattern": "^[^*:]+:([^:])+|^\\*{1}$"
@@ -205,6 +233,22 @@
                                 "type": "string",
                                 "pattern": "^[a-zA-Z0-9]+$"
                             },
+                            "Principal": {
+                                "oneOf": [
+                                    {
+                                        "type": "string",
+                                        "pattern": "^\\*$"
+                                    },
+                                    {
+                                        "type": "object",
+                                        "properties": {
+                                            "AWS": {
+                                                "$ref": "#/definitions/AWSprincipalItem"
+                                            }
+                                        }
+                                    }
+                                ]
+                            },
                             "Effect": {
                                 "type": "string",
                                 "enum": [
@@ -308,6 +352,22 @@
                             "type": "string",
                             "pattern": "^[a-zA-Z0-9]+$"
                         },
+                        "Principal": {
+                            "oneOf": [
+                                {
+                                    "type": "string",
+                                    "pattern": "^\\*$"
+                                },
+                                {
+                                    "type": "object",
+                                    "properties": {
+                                        "AWS": {
+                                            "$ref": "#/definitions/AWSprincipalItem"
+                                        }
+                                    }
+                                }
+                            ]
+                        },
                         "Effect": {
                             "type": "string",
                             "enum": [

tests/unit/policy/test_policyValidator.js

@@ -341,3 +341,107 @@ describe('Policies validation - Statement::Condition_block', () => {
         check(policy, failRes());
     });
 });
+
+describe('Policies validation - Statement::Principal_block', () => {
+    it('should succeed for anonymous', () => {
+        policy.Statement.Principal = '*';
+        check(policy, successRes);
+    });
+
+    it('should suceed for valid account id', () => {
+        policy.Statement.Principal = { AWS: '234567890123' };
+        check(policy, successRes);
+    });
+
+    it('should succeed for valid account arn', () => {
+        policy.Statement.Principal = {
+            AWS: 'arn:aws:iam::234567890123:root',
+        };
+        check(policy, successRes);
+    });
+
+    it('should succeed for valid user arn', () => {
+        policy.Statement.Principal = {
+            AWS: 'arn:aws:iam::234567890123:user/im-an-username',
+        };
+        check(policy, successRes);
+    });
+
+    it('should succeed for valid user arn with path', () => {
+        policy.Statement.Principal = {
+            AWS: 'arn:aws:iam::234567890123:user/im/a/path/im-an-username',
+        };
+        check(policy, successRes);
+    });
+
+    it('should succeed for valid role arn', () => {
+        policy.Statement.Principal = {
+            AWS: 'arn:aws:iam::234567890123:role/im-a-role',
+        };
+        check(policy, successRes);
+    });
+
+    it('should succeed for valid role arn with path', () => {
+        policy.Statement.Principal = {
+            AWS: 'arn:aws:iam::234567890123:role/im/a/path/im-a-role',
+        };
+        check(policy, successRes);
+    });
+
+    it('should succeed for valid asuume role arn', () => {
+        policy.Statement.Principal = {
+            AWS:
+                'arn:aws:sts::234567890123:assumed-role/im-a-role/im-a-session',
+        };
+        check(policy, successRes);
+    });
+
+    it('should fail for other string than anonymous', () => {
+        policy.Statement.Principal = 'arn:aws:iam::234567890123:user/im-a-user';
+        check(policy, failRes());
+    });
+
+    it('should fail for wrong format arn', () => {
+        policy.Statement.Principal = {
+            AWS: 'arn:aws:iam::wrong-account-id:root',
+        };
+        check(policy, failRes());
+        policy.Statement.Principal = {
+            AWS: 'arn:aws:s3::234567890123:root',
+        };
+        check(policy, failRes());
+        policy.Statement.Principal = {
+            AWS: 'arn:aws:iam::234567890123:wrong/arn',
+        };
+        check(policy, failRes());
+        policy.Statement.Principal = {
+            AWS: 'arn:scality:iam::234567890123:root',
+        };
+        check(policy, failRes());
+        policy.Statement.Principal = {
+            AWS: 'arn:aws:iam::234567890123:user/Not/Good#UserName',
+        };
+        check(policy, failRes());
+        policy.Statement.Principal = {
+            AWS: 'arn:aws:sts::234567890123:assumed-role/im/a/path' +
+                '/im-a-role/im-a-session',
+        };
+        check(policy, failRes());
+        policy.Statement.Principal = {
+            AWS:
+                'arn:aws:iam::234567890123:assumed-role/im-a-role/im-a-session',
+        };
+        check(policy, failRes());
+    });
+
+    it('should fail for wrong account id', () => {
+        policy.Statement.Principal = {
+            AWS: 'fake-account-id',
+        };
+        check(policy, failRes());
+        policy.Statement.Principal = {
+            AWS: '1213425632145',
+        };
+        check(policy, failRes());
+    });
+});